[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [HTCondor-users] [External] - Re: Condor_master aborting because of FIPS mode

This may or may not help you, but for RHEL7 compatible systems I just have a
manually written yum config file like following that I put on one machine
(htcondorFIPS.repo) in /etc/yum.repos.d/:
name=HTCondor Stable fips RPM Repository for Redhat Enterprise Linux 7

Then I do a yum update to refresh all my repos, then I run:
"reposync /path/to/directory/with/lots/of/space" (you can also disable your
other repos first if you don't want to waste all the disk space with a
centos mirror)

Following that I use rsync to copy that directory
(/path/to/directory/with/lots/of/space) to my NFS Share where I keep all my
RHEL7 repos. 

Then I run "createrepo /path/to/htcondor/on/NFS/Share"

Then I can put the following htcondor.repo file in /etc/yum.repos.d/ on all
the machines I want to install HTCondor on.

name=HTCondor Stable fips RPM Repository for Redhat Enterprise Linux 7

Then on the machines I want to install HTCondor on I run "yum clean all &&
yum update --nogpg && yum install condor --nogpg" (you can get around the
nogpg if you sign the repomd.xml with literally any gpg key, I am just
always too lazy to do so)

Personally I always have rotten luck with manually installing software from
tarball like you have, so that's how I do it with yum. I know that doesn't
answer your question, but if the goal is to get HTCondor FIPS installed and
working, I hope that helps!


Public Content

-----Original Message-----
From: HTCondor-users <htcondor-users-bounces@xxxxxxxxxxx> On Behalf Of
Vechinski, Douglas
Sent: Friday, July 31, 2020 7:44 AM
To: htcondor-users@xxxxxxxxxxx
Subject: [External] - Re: [HTCondor-users] Condor_master aborting because of
FIPS mode

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know the
content is safe.

So I've finally had some time to get around to trying this. I downloaded
many of the 8.8.9 RPMs from your link and extracted the files from them.
After extraction I noticed that there /lib, /lib64, and /libexec
subdirectories under the "usr"  subdirectory. However, on the tarball from
the non-FIPS version that I initially began with, there were just /lib and
/libexec subdirectories. Anyway, I copied the files under the "usr"
subdirectory over to the NFS share location.

Before attempting to start condor_master I thought I'd give
condor_config_val a test to see if the config files were being located and
such. However, when I attempted to run condor_config_val it complained that
it couldn't find some shared libraries (libclassadd.so &
libcondor_utils_8_8_9.so). (I assume this would be true for most of the
other executables as well). I looked and these libraries are present under
the "NFS_path/condor-8.8.9_fips/lib64" directory. Comparing with the
non-FIPS layout, these libraries are located under the /lib subdirectory (in
the associated location where the tarball was extracted). If I do an ldd on
the non-FIPS executable, it seems to located these libraries with a path
something like "NFS_path/condor-8.8.9/bin/../lib/libclassadd.so". However,
on the corresponding FIPS executable, when I do an ldd, it simply is unable
to locate it. I'm guessing that is it trying to find in under /lib64 (or
/usr/lib64) relative to the system root directory and n!
 ot something like "NFS_path/condor-8.8.9_fips/bin/../lib64". (Note, I tried
making symbolic links for those files in lib64 to lib in this NFS location
but that didn't work.)

As a test, I set my LD_LIBRARY_PATH environment variable to include
"NFS_path/condor-8.8.9_fips/lib64" and then was able to run
condor_config_val. I don't really want to do this as every user and root
would have to set this. I assume something could be done with
/etc/ld.so.conf but I assume I would have to do this on each system that is
added to the pool. Any other solutions? And, why does the non-FIPS version
from the tarball know to look in a lib directory this is relative to
executable location and the FIPS version does not?

HTCondor-users mailing list
To unsubscribe, send a message to htcondor-users-request@xxxxxxxxxxx with a
subject: Unsubscribe
You can also unsubscribe by visiting

The archives can be found at:

Attachment: smime.p7s
Description: S/MIME cryptographic signature