[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] Condor_master aborting because of FIPS mode

So I've finally had some time to get around to trying this. I downloaded many of the 8.8.9 RPMs from your link and extracted the files from them. After extraction I noticed that there /lib, /lib64, and /libexec subdirectories under the "usr"  subdirectory. However, on the tarball from the non-FIPS version that I initially began with, there were just /lib and /libexec subdirectories. Anyway, I copied the files under the "usr" subdirectory over to the NFS share location.

Before attempting to start condor_master I thought I'd give condor_config_val a test to see if the config files were being located and such. However, when I attempted to run condor_config_val it complained that it couldn't find some shared libraries (libclassadd.so & libcondor_utils_8_8_9.so). (I assume this would be true for most of the other executables as well). I looked and these libraries are present under the "NFS_path/condor-8.8.9_fips/lib64" directory. Comparing with the non-FIPS layout, these libraries are located under the /lib subdirectory (in the associated location where the tarball was extracted). If I do an ldd on the non-FIPS executable, it seems to located these libraries with a path something like "NFS_path/condor-8.8.9/bin/../lib/libclassadd.so". However, on the corresponding FIPS executable, when I do an ldd, it simply is unable to locate it. I'm guessing that is it trying to find in under /lib64 (or /usr/lib64) relative to the system root directory and not something like "NFS_path/condor-8.8.9_fips/bin/../lib64". (Note, I tried making symbolic links for those files in lib64 to lib in this NFS location but that didn't work.)

As a test, I set my LD_LIBRARY_PATH environment variable to include "NFS_path/condor-8.8.9_fips/lib64" and then was able to run condor_config_val. I don't really want to do this as every user and root would have to set this. I assume something could be done with /etc/ld.so.conf but I assume I would have to do this on each system that is added to the pool. Any other solutions? And, why does the non-FIPS version from the tarball know to look in a lib directory this is relative to executable location and the FIPS version does not?