[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] condor and FIPS issue

The only thing vaguely interesting in the system log in an sshd error of the following nature.

Jul  6 14:45:36  sshd[14537]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key

In condor MasterLog, here's what the stack dump log looks like

Stack dump for process 14412 at timestamp 1467830633 (17 frames)

Regarding the preliminary steps for FIPS and the prelink stuff you mentioned I have to ask the guy who installed it originally about what he did there.

There is no openssl-fips installed, only regular openssl.

Sure I plan to upgrade to 8.4 at some point, not sure that solves this immediate problem though. Also does one reap all the benefits of 8.4 if the condor central manager machine is also on 8.2?

Yes we test on various OS versions, this is RHEL6.6 because we have some customers using this, so need to test for their benefit also.

I will try your suggestion about with fips mode off to see if logging gives me anything useful.

From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> on behalf of Michael V Pelletier <Michael.V.Pelletier@xxxxxxxxxxxx>
Sent: Wednesday, July 6, 2016 1:05 PM
To: HTCondor-Users Mail List
Subject: Re: [HTCondor-users] condor and FIPS issue
From: ade kc <kcbobo@xxxxxxxxxxx>
Date: 07/06/2016 01:33 PM

> My team is currently doing some "FIPS" testing. king group to ...
> This effectively requires installation of the "dracut-fips" package. I
> installed condor 8.2.8 on an execute node and the condor_master daemon
> would immediately do a crash dump.

> I removed the "dracut-fips" package and all is well again with the world.

> This is a redhat 6.6 machine, seems there's a conflict between this
> package and condor. Anyone aware of this? I can try another condor version
> to see what happens, but wanted to check in here first.

Does anything show up in the system log about the HTCondor startup regarding
the FIPS status of the system? Perhaps the unprelink of the HTCondor
binaries wasn't successful or something like that, and maybe that would
be reflected in FIPS-related logging.

For instance, perhaps the prelink -u -a you ran before installing
dracut-fips overlooked the /usr/libexec/condor directory.

Also, do you have openssl-fips installed as well? That's going to be the
FIPS nexus for HTCondor, rather than Dracut. Maybe try running with
the FIPS mode turned off (fips=0 in the kernel args) and see if there's
any useful logging activity in "non-enforcing mode," as it were.

I'm surprised you've got RHEL 6.6 - the security standards I'm
conversant with require regular operating system security patches,
and there's been four moderate and two important kernel security errata
since the release of 6.7 about a year ago, among about 128 in total
over 6.6.

Also I highly recommend 8.4 over 8.2. The transition is easy as
long as you're mindful of the new packaging divisions (i.e., if you need
kbdd you have to install it separately, or install condor-all), and
there's a lot of good improvements. And thanks to the virtues of the
ClassAd system, 8.4 and 8.2 can coexist in the same pool, so an
incremental upgrade is feasible.

        -Michael Pelletier.