
makedhcp fails with no error RHEL7.7/7.8 with FIPS enabled #6757

Status: Open
kjhee43 opened this issue Jul 2, 2020 · 31 comments

kjhee43 (Author) commented Jul 2, 2020

RHEL7.6 with FIPS enabled:
makedhcp works as expected and dhcpd.conf is created/updated properly

RHEL7.7/7.8 with FIPS enabled:
makedhcp executes but fails silently. Nothing is populated/updated in dhcpd.conf

cxhong (Contributor) commented Jul 6, 2020

@kjhee43, how did you enable FIPS?

kjhee43 (Author) commented Jul 6, 2020

https://access.redhat.com/solutions/137833

I followed this procedure. You can also install in FIPS mode by adding fips=1 to the install command line.

cxhong (Contributor) commented Jul 6, 2020

kjhee43 (Author) commented Jul 6, 2020

I fixed the link. Try now.

cxhong (Contributor) commented Jul 6, 2020

Thanks. I need to check if I have an account to access it.

kjhee43 (Author) commented Jul 6, 2020


How can I make RHEL 6/7/8 FIPS 140-2 compliant?
Solution Verified - Updated June 19 2020 at 9:48 AM - English
Environment

    Red Hat Enterprise Linux 6
    Red Hat Enterprise Linux 7
    Red Hat Enterprise Linux 8

Issue

    How to configure Red Hat Enterprise Linux 6 for FIPS compliance?
    How to configure Red Hat Enterprise Linux 7 for FIPS compliance?
    How to configure Red Hat Enterprise Linux 8 for FIPS compliance?
    To configure RHEL 6 or RHEL 7 to be compliant with the Federal Information Processing Standard (FIPS) Publication 140-2 (ref) several changes need to be made to ensure that accredited cryptographic modules are used. How?

Resolution

See also: How to disable FIPS mode in RHEL 6 or RHEL 7

WARNING: Ideally, when aiming for FIPS compliance, new machines should be installed from scratch with the installer booted using the fips=1 kernel argument. This will ensure the OS is running continuous tests on the RNG input used for cryptographic functions (e.g., user password hashing, LUKS key generation). It's also worth noting that RHEL often performs one-time actions post-install at firstboot that use crypto (e.g., ssh host key generation). The following practical instructions are meant for situations where it's desirable/necessary to convert an existing system to FIPS mode.

    Determine and install appropriate package versions
    While virtually every version of RHEL supports FIPS-enforcing mode, specific package versions are required if strict FIPS compliance is desired
    Consult Package requirements for FIPS 140-2 compliance in RHEL

    If the prelink package is installed: disable prelinking (uninstalling the prelink package is optional)
    Run exactly:

    rpm -q prelink && sed -i '/^PRELINKING/s,yes,no,' /etc/sysconfig/prelink
    rpm -q prelink && prelink -uav

    Red Hat Enterprise Linux 8 or newer
    Run:

    fips-mode-setup --enable

    Red Hat Enterprise Linux 6/7: Install the dracut-fips package and any dependencies
    Run:

    yum install dracut-fips

    Optional, Red Hat Enterprise Linux 6/7: Install the dracut-fips-aesni package for enhanced performance [1]
    Run the following command to determine if the system CPU supports AES-NI

    grep -qw aes /proc/cpuinfo && echo YES || echo no

    If the above returns YES, it would be beneficial (but not required) to install dracut-fips-aesni, e.g.:

    yum install dracut-fips-aesni

    In RHEL 6, the above command will return "No package dracut-fips-aesni available" if the optional server or workstation repo is not enabled
    In that case, enable the repo and try again, i.e.:

    yum-config-manager --enable rhel-6-server-optional-rpms --enable rhel-6-workstation-optional-rpms
    yum install dracut-fips-aesni

    Red Hat Enterprise Linux 6/7: Backup existing initramfs
    Run exactly:

    mv -v /boot/initramfs-$(uname -r).img{,.bak}

    Red Hat Enterprise Linux 6/7: Run dracut to rebuild initramfs
    Run exactly:

    dracut

    Red Hat Enterprise Linux 6/7: Edit kernel command-line to include the fips=1 argument
    Run exactly:

    grubby --update-kernel=$(grubby --default-kernel) --args=fips=1

    Footnote on --update-kernel=$(grubby --default-kernel) vs --update-kernel=DEFAULT [2]

    Red Hat Enterprise Linux 6/7: Edit kernel command-line to include the boot=UUID=XXXX or boot=LABEL=XXXX or boot=/dev/DEVICE argument when /boot is separate partition
    This is necessary whenever /boot is a filesystem separate from the rootfs and can be skipped when /boot is not a separate partition.
    Run exactly:

    uuid=$(findmnt -no uuid /boot)
    [[ -n $uuid ]] && grubby --update-kernel=$(grubby --default-kernel) --args=boot=UUID=${uuid}

    Attempt a reboot
    Run:

    reboot

    If the boot fails with a kernel panic, some of the above steps were missed -- most likely a problem with step #8
    See: Kernel panic after making Red Hat Enterprise Linux 6 FIPS 140-2 compliant

    Confirm that FIPS is in enforcing mode after a reboot
    The crypto.fips_enabled sysctl should report 1
    Run:

    sysctl crypto.fips_enabled

    Optional RHEL 7 only: Configure GRUB2 kernel cmdline in /etc/default/grub for use with grub2-mkconfig
    Running through the above steps on RHEL 7 will ensure the current default and all future kernels will be setup for FIPS; however, if grub2-mkconfig is ever run manually, it will strip the fips=1 and boot= args from the kernel command-line
    If manual execution of grub2-mkconfig is a possibility, GRUB_CMDLINE_LINUX in /etc/default/grub needs to be fixed
    Run exactly:

    sed -i '/^GRUB_CMDLINE_LINUX=/s/"$/ fips=1"/' /etc/default/grub
    uuid=$(findmnt -no uuid /boot)
    [[ -n $uuid ]] && sed -i "/^GRUB_CMDLINE_LINUX=/s/\"$/ boot=UUID=${uuid}\"/" /etc/default/grub

    Configure site-specific applications to FIPS requirements
    The key here is the term site-specific. Strictly speaking, steps 1-10 might be all that is required.

    Once the system is running in FIPS mode, the kernel will only provide FIPS-approved crypto features. Likewise, FIPS-aware distro-provided tools like openssl and cryptsetup will disallow use of non FIPS-approved ciphers/mac algos; however, certain applications may still require configuration tweaks to continue working in FIPS mode, for example:

        An application that has been explicitly configured to use non-FIPS-approved crypto features (as is sometimes the case with the Ciphers and MACs directives in OpenSSH's config files [3])

        An application that uses non-FIPS-approved crypto features by default
        Two common examples:
            openssl enc fails in FIPS mode
            FIPS mode can't decrypt existing passphrase-protected ssh keys

    It's also possible for applications that implement their own crypto to effectively ignore FIPS mode altogether. The biggest offenders here are 3rd-party utilities not provided by Red Hat; however, applications that use NSS also require special attention -- for example: Openswan. The following quote is excerpted from the document Red Hat Enterprise Linux 6.2 Openswan Cryptographic Module v2.0, FIPS 140-2 Security Policy:

        Note that Openswan uses NSS for its cryptographic operations and NSS must explicitly be put into the approved mode with the modutil command.
        The database for the cryptographic keys used by the pluto daemon must be initialized after it has been created as documented in the README.nss documentation with the following command, assuming that the database is stored in the directory /etc/ipsec.d/

            modutil -fips true -dbdir /etc/ipsec.d

    See also: the Federal Information Processing Standard (FIPS) section of the RHEL 6 Security Guide.

    [1] Most modern CPUs support AES-NI; however, the aesni-intel kernel module must be loaded for applications to take advantage of the AES instructions. The dracut-fips package results in dracut building initramfs files that DO NOT include the aesni-intel kernel module, whereas the dracut-fips-aesni package results in initramfs files that ALWAYS include the aesni-intel module, whether the system CPU supports it or not. Installing dracut-fips-aesni (and building an initramfs file) on a machine lacking AES-NI support will lead to a kernel panic.

    [2] The command grubby --update-kernel=$(grubby --default-kernel) --args=xxxx is used instead of the simpler grubby --update-kernel=DEFAULT --args=xxxx because of a bug in the grubby package as shipped in RHEL 7.0 and RHEL 7.1; RHEL 7.2+ (as well as RHEL 6, RHEL 5) have no trouble using the simpler --update-kernel=DEFAULT as documented in the grubby man page. Also note that --update-kernel=ALL works even with grubby from RHEL 7.0/7.1, but of course that requires rebuilding initramfs files for all kernels (and not just the newest default one).

    [3] The default client and server config files for OpenSSH require no tweaks to work in FIPS mode; however, explicitly enabling Protocol 1 or adding improper Ciphers or MACs directives to /etc/ssh/sshd_config, /etc/ssh/ssh_config, or ~/.ssh/config can break ssh or sshd in FIPS mode. References: Red Hat Enterprise Linux 6.2 OpenSSH Server Cryptographic Module v2.1, FIPS 140-2 Security Policy and Red Hat Enterprise Linux 6.2 OpenSSH Client Cryptographic Module v2.1, FIPS 140-2 Security Policy.

Diagnostic Steps

    Check that the FIPS mode is enabled in the kernel (0 means no; 1 means yes)

    cat /proc/sys/crypto/fips_enabled
    sysctl crypto.fips_enabled

    (Red Hat Enterprise Linux 8 and newer) Check that FIPS crypto-policy is applied (should output FIPS)

    update-crypto-policies --show

AES (Advanced Encryption Standard) and KVM virtual guests

    Verify that the CPU on the KVM host supports AES

    grep -w aes /proc/cpuinfo

    Allow KVM guests to have access to AES instructions
        In virt-manager open a VM and on the menu navigate to View->Details.
        In the left pane select Processor.
        In the Processor detail pane on the right select Configuration.
        Click on the Copy host CPU configuration button.
        Click on the CPU Features item just below Copy host CPU configuration button.
        Scroll down the list to aes and select the appropriate option.
        Validation is the same as above.

    References:
        Section 4.3.4. Guest CPU models in the Virtualization Getting Started - Guide
        Section 15.13 Guest CPU model configuration in the Virtualization Administration Guide


cxhong (Contributor) commented Jul 6, 2020

I ran the above process; here are the outputs I got:

[root@c910f03c09k12 ~]# date
Mon Jul  6 14:52:15 EDT 2020
[root@c910f03c09k12 ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[root@c910f03c09k12 ~]# makedhcp -n
Renamed existing dhcp configuration file to  /etc/dhcp/dhcpd.conf.xcatbak
[root@c910f03c09k12 ~]# ls -ltr /etc/dhcp/dhcpd.conf
-rw------- 1 root root 5321 Jul  6 14:52 /etc/dhcp/dhcpd.conf
[root@c910f03c09k12 ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 14:52:50 EDT; 44s ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
 Main PID: 5061 (dhcpd)
   Status: "Dispatching packets..."
   CGroup: /system.slice/dhcpd.service
           └─5061 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
[root@c910f03c09k12 ~]# cat /etc/*release*
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.7"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.7 (Maipo)"

I didn't see a failure for the dhcpd service.

kjhee43 (Author) commented Jul 6, 2020

It's not the dhcp service. The service is fine. If you add some hosts/networks and do a "makedhcp", the new hosts don't appear in the config file. Nothing is populated/updated in dhcpd.conf.

cxhong (Contributor) commented Jul 6, 2020

Right, I recreated it just now after I added new networks and new hosts.

kjhee43 (Author) commented Jul 6, 2020

@cxhong you were able to reproduce the error?

cxhong (Contributor) commented Jul 6, 2020

Yes, I can reproduce the error.

cxhong (Contributor) commented Jul 8, 2020

@kjhee43, I spent some time debugging this issue today. It appears makedhcp works as expected with FIPS enabled.
I am testing this on a rhel7.7 system:

[root@c910f03c09k12 ~]# cat /etc/*release*
NAME="Red Hat Enterprise Linux Server"
VERSION="7.7 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.7"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.7 (Maipo)"

Followed above steps to enable FIPS

[root@c910f03c09k12 ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1
[root@c910f03c09k12 ~]# cat /proc/sys/crypto/fips_enabled
1

Add a new network (60_0_0_0-255_0_0_0) to the networks table:

[root@c910f03c09k12 ~]# tabdump networks
#netname,net,mask,mgtifname,gateway,dhcpserver,tftpserver,nameservers,ntpservers,logservers,dynamicrange,staticrange,staticrangeincrement,nodehostname,ddnsdomain,vlanid,domain,mtu,comments,disable
"50_0_0_0-255_0_0_0","50.0.0.0","255.0.0.0","eth1","<xcatmaster>",,"<xcatmaster>",,,,,,,,,,,"1500",,
"10_0_0_0-255_0_0_0","10.0.0.0","255.0.0.0","eth0","10.0.0.102",,"<xcatmaster>",,,,,,,,,,,"1500",,
"60_0_0_0-255_0_0_0","60.0.0.0","255.255.255.0","eth2","<xcatmaster>",,,,,,,,,,,,,,,

Add an IP address to the interface:

[root@c910f03c09k12 ~]# ip addr add 60.3.9.12/8 broadcast 10.255.255.255 dev eth2 scope global
[root@c910f03c09k12 ~]# ip addr show eth2
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 42:c5:0a:03:09:0c brd ff:ff:ff:ff:ff:ff
    inet 60.3.9.12/8 brd 10.255.255.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::40c5:aff:fe03:90c/64 scope link
       valid_lft forever preferred_lft forever

NOTE: make sure this new NIC shows up in the route table. I think last time I didn't check the route; the makedhcp command uses the output of netstat -rn.

[root@c910f03c09k12 ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.102      0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth0
50.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth1
60.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth2
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1

After makedhcp -n, the eth2 entries are in /etc/dhcp/dhcpd.conf:

[root@c910f03c09k12 ~]# makedhcp -n
Renamed existing dhcp configuration file to  /etc/dhcp/dhcpd.conf.xcatbak

Warning: [c910f03c09k12]: No dynamic range specified for 10.0.0.0. If hardware discovery is being used, a dynamic range is required.
Warning: [c910f03c09k12]: No dynamic range specified for 50.0.0.0. If hardware discovery is being used, a dynamic range is required.
Warning: [c910f03c09k12]: No dynamic range specified for 60.0.0.0. If hardware discovery is being used, a dynamic range is required.
[root@c910f03c09k12 ~]# grep eth2 /etc/dhcp/dhcpd.conf
shared-network eth2 {
} # eth2 nic_end

Then I added a new node:

[root@c910f03c09k12 ~]# mkdef -t node -o testnode1 groups=compute mac=11:22:33:55:66:88 arch=ppc64le
1 object definitions have been created or modified.
[root@c910f03c09k12 ~]# chdef -t node -o testnode1 ip=60.3.9.14 xcatmaster=60.3.9.12
1 object definitions have been created or modified.
[root@c910f03c09k12 ~]# makehosts testnode1
[root@c910f03c09k12 ~]# grep testnode1 /etc/hosts
60.3.9.14 testnode1 testnode1.pok.stglabs.ibm.com
[root@c910f03c09k12 ~]# makedhcp -a testnode1
[root@c910f03c09k12 ~]# grep testnode /etc/dhcp/dhcpd.conf
#definition for host testnode1 aka host testnode1 can be found in the dhcpd.leases file (typically /var/lib/dhcpd/dhcpd.leases)
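The route-table check cxhong describes in the NOTE above, as an added example (my own Python, not xCAT code). It takes cxhong's statement that makedhcp works from the output of netstat -rn as an assumption; the routing table and the networks table below are constructed from the outputs quoted in this comment, once without the eth2 route (the earlier, failed attempt) and once with it.

```python
"""Cross-check xCAT `networks` rows against the host routing table.

Added example, not xCAT code. It takes cxhong's note that makedhcp works
from `netstat -rn` as an assumption; the inputs are constructed from the
outputs quoted in this thread.
"""
import csv
import io
import ipaddress

# Constructed: the route table before `ip addr add ... dev eth2` (no eth2 route).
ROUTES_BEFORE = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.102      0.0.0.0         UG        0 0          0 eth0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth0
50.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
"""
# Constructed: the same table after the address was added (60.0.0.0/8 via eth2).
ROUTES_AFTER = ROUTES_BEFORE + (
    "60.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 eth2\n")

# Constructed from `tabdump networks` above; note the /24 mask on the 60 row
# while the interface was configured as /8.
NETWORKS_TABLE = """#netname,net,mask,mgtifname,gateway,dhcpserver,tftpserver,nameservers,ntpservers,logservers,dynamicrange,staticrange,staticrangeincrement,nodehostname,ddnsdomain,vlanid,domain,mtu,comments,disable
"50_0_0_0-255_0_0_0","50.0.0.0","255.0.0.0","eth1","<xcatmaster>",,"<xcatmaster>",,,,,,,,,,,"1500",,
"10_0_0_0-255_0_0_0","10.0.0.0","255.0.0.0","eth0","10.0.0.102",,"<xcatmaster>",,,,,,,,,,,"1500",,
"60_0_0_0-255_0_0_0","60.0.0.0","255.255.255.0","eth2","<xcatmaster>",,,,,,,,,,,,,,,
"""


def parse_routes(netstat_rn):
    """Return [(IPv4Network, iface)] for every up, non-default route."""
    routes = []
    for line in netstat_rn.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0][0].isdigit():
            continue  # banner line and column header
        dest, mask, flags, iface = f[0], f[2], f[3], f[-1]
        if "U" not in flags or mask == "0.0.0.0":
            continue  # routes that are down, and the default route
        routes.append((ipaddress.ip_network("%s/%s" % (dest, mask)), iface))
    return routes


def parse_networks(tabdump):
    """tabdump output is CSV whose header line starts with '#'."""
    return list(csv.DictReader(io.StringIO(tabdump.lstrip("#"))))


def check_networks(tabdump, netstat_rn):
    """Map netname -> 'ok', or why makedhcp would have nothing to emit for it."""
    routes = parse_routes(netstat_rn)
    report = {}
    for row in parse_networks(tabdump):
        if row.get("disable") == "1":
            continue
        want = ipaddress.ip_network("%s/%s" % (row["net"], row["mask"]))
        status = "no route on host"
        for have, iface in routes:
            if have.network_address != want.network_address:
                continue
            if iface != row["mgtifname"]:
                status = "routed on %s, table says %s" % (iface, row["mgtifname"])
            elif have.netmask != want.netmask:
                status = "mask mismatch: route %s, table %s" % (have.netmask, want.netmask)
            else:
                status = "ok"
            break
        report[row["netname"]] = status
    return report


if __name__ == "__main__":
    for label, routes in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, check_networks(NETWORKS_TABLE, routes))
```

Run it before makedhcp -n: a network reported as "no route on host" is the silent case from the first attempt, and a mask mismatch is worth fixing in the table first, since the generated dhcpd.conf above carries the /8 from the interface rather than the /24 from the table.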

kjhee43 (Author) commented Jul 8, 2020

@cxhong Can you post the entire dhcpd.conf file? Are all the networks there and defined properly?

cxhong (Contributor) commented Jul 8, 2020

This is for eth2:

shared-network eth2 {
  subnet 60.0.0.0 netmask 255.0.0.0 {
    authoritative;
    max-lease-time 43200;
    min-lease-time 43200;
    default-lease-time 43200;
    option routers  60.3.9.12;
    next-server  60.3.9.12;
    option log-servers 60.3.9.12;
    option ntp-servers 60.3.9.12;
    option domain-name "pok.stglabs.ibm.com";
    option domain-name-servers  60.3.9.12;
    option domain-search  "pok.stglabs.ibm.com";
    option cumulus-provision-url "http://60.3.9.12:80/install/postscripts/cumulusztp";
    zone pok.stglabs.ibm.com. {
       primary 60.3.9.12; key xcat_key;
    }
    zone 60.IN-ADDR.ARPA. {
       primary 60.3.9.12; key xcat_key;
    }
    if option user-class-identifier = "xNBA" and option client-architecture = 00:00 { #x86, xCAT Network Boot Agent
        always-broadcast on;
        filename = "http://60.3.9.12:80/tftpboot/xcat/xnba/nets/60.0.0.0_8";
    } else if option user-class-identifier = "xNBA" and option client-architecture = 00:09 { #x86, xCAT Network Boot Agent
        filename = "http://60.3.9.12:80/tftpboot/xcat/xnba/nets/60.0.0.0_8.uefi";
    } else if option client-architecture = 00:00  { #x86
        filename "xcat/xnba.kpxe";
    } else if option vendor-class-identifier = "Etherboot-5.4"  { #x86
        filename "xcat/xnba.kpxe";
    } else if option client-architecture = 00:07 { #x86_64 uefi
         filename "xcat/xnba.efi";
    } else if option client-architecture = 00:09 { #x86_64 uefi alternative id
         filename "xcat/xnba.efi";
    } else if option client-architecture = 00:02 { #ia64
         filename "elilo.efi";
    } else if option client-architecture = 00:0e { #OPAL-v3
         option conf-file = "http://60.3.9.12:80/tftpboot/pxelinux.cfg/p/60.0.0.0_8";
    } else if substring (option vendor-class-identifier,0,11) = "onie_vendor" { #for onie on cumulus switch
        option www-server = "http://60.3.9.12:80/install/onie/onie-installer";
    } else if substring(filename,0,1) = null { #otherwise, provide yaboot if the client isn't specific
         filename "/yaboot";
    }
  } # 60.0.0.0/255.0.0.0 subnet_end
} # eth2 nic_end

cxhong (Contributor) commented Jul 8, 2020

/etc/dhcp/dhcpd.conf is updated, but not the lease file:

[root@c910f03c09k12 dhcpd]# grep testnode /etc/dhcp/dhcpd.conf
#definition for host testnode1 aka host testnode1 can be found in the dhcpd.leases file (typically /var/lib/dhcpd/dhcpd.leases)
[root@c910f03c09k12 dhcpd]# grep testnode1 /var/lib/dhcpd/dhcpd.leases
[root@c910f03c09k12 dhcpd]# makedhcp -q testnode1
[root@c910f03c09k12 dhcpd]#

Let me look into it more.

cxhong (Contributor) commented Jul 8, 2020

named failed; something is wrong with the omapi key:

[root@c910f03c09k12 dhcpd]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2020-07-08 16:48:54 EDT; 20min ago
  Process: 8656 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)

Jul 08 16:48:54 c910f03c09k12 systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Jul 08 16:48:54 c910f03c09k12 bash[8656]: /etc/named.conf:11: disabled algorithm 'hmac-md5'
Jul 08 16:48:54 c910f03c09k12 systemd[1]: named.service: control process exited, code=exited status=1
Jul 08 16:48:54 c910f03c09k12 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Jul 08 16:48:54 c910f03c09k12 systemd[1]: Unit named.service entered failed state.
Jul 08 16:48:54 c910f03c09k12 systemd[1]: named.service failed.

Key in /etc/named.conf:

key xcat_key {
        algorithm hmac-md5;
        secret "amwyZTgxWW1wSTBJcVlacW5qS0hRUmpEbHp5SlY4dG4=";
};

It is also defined in the passwd table:

[root@c910f03c09k12 dhcpd]# tabdump passwd
#key,username,password,cryptmethod,authdomain,comments,disable
"omapi","xcat_key","amwyZTgxWW1wSTBJcVlacW5qS0hRUmpEbHp5SlY4dG4=",,,,
"system","root","cluster",,,,

cxhong (Contributor) commented Jul 8, 2020

For named, I changed "algorithm hmac-md5" to "algorithm HMAC-SHA256" in /etc/named.conf, and it's running:

[root@c910f03c09k12 dhcpd]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-07-08 17:35:18 EDT; 5min ago
  Process: 11217 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 11214 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 11219 (named)
   CGroup: /system.slice/named.service
           └─11219 /usr/sbin/named -u named -c /etc/named.conf

Jul 08 17:35:18 c910f03c09k12 named[11219]: configuring command channel from '/etc/rndc.key'
Jul 08 17:35:18 c910f03c09k12 named[11219]: command channel listening on ::1#953
Jul 08 17:35:18 c910f03c09k12 named[11219]: managed-keys-zone: loaded serial 0
Jul 08 17:35:18 c910f03c09k12 named[11219]: zone 60.IN-ADDR.ARPA/IN: loaded serial 2020070800
Jul 08 17:35:18 c910f03c09k12 named[11219]: zone 50.IN-ADDR.ARPA/IN: loaded serial 2020070801
Jul 08 17:35:18 c910f03c09k12 named[11219]: zone 10.IN-ADDR.ARPA/IN: loaded serial 2020070803
Jul 08 17:35:18 c910f03c09k12 named[11219]: zone pok.stglabs.ibm.com/IN: loaded serial 2020070805
Jul 08 17:35:18 c910f03c09k12 named[11219]: all zones loaded
Jul 08 17:35:18 c910f03c09k12 named[11219]: running
Jul 08 17:35:18 c910f03c09k12 systemd[1]: Started Berkeley Internet Name Domain (DNS).

I also made the change in /etc/dhcp/dhcpd.conf, but makedhcp -q and makedhcp -a are still not working.

cxhong (Contributor) commented Jul 8, 2020

Looks like omshell couldn't connect after FIPS was enabled. Any suggestions on how to debug this?

kjhee43 (Author) commented Jul 9, 2020

@cxhong I do not know how to debug omshell....

cxhong (Contributor) commented Jul 9, 2020

With FIPS enabled:

  1. The algorithm hmac-md5 is disabled and has to be changed to hmac-sha256 or hmac-sha512 in /etc/named.conf.
  2. With algorithm hmac-md5 in /etc/dhcp/dhcpd.conf, the omshell command failed at:

# omshell
> key xcat_key RTA3alhDRnVMUjFGOFdLZ3J6YThVWFJ3YWIyb1loUkI=
> connect
obj: <null>
> new control
obj: control
> open
can't open object: out of memory
obj: control
> ^C

  3. With algorithm HMAC-SHA512 in /etc/dhcp/dhcpd.conf, the omshell command failed at:

# omshell
> key xcat_key RTA3alhDRnVMUjFGOFdLZ3J6YThVWFJ3YWIyb1loUkI=
> connect
dhcpctl_connect: not found

makedhcp -q returns nothing :(

kjhee43 (Author) commented Jul 16, 2020

@cxhong anything else we can do to get this working?

cxhong (Contributor) commented Jul 16, 2020

I think some security setting needs to change, but I couldn't figure out what yet. I hope an expert in this community will give us some hints.

kjhee43 (Author) commented Aug 5, 2020

@cxhong any hope of getting this fixed?

samveen (Member) commented Aug 7, 2020

@cxhong I was looking at the source for this, and as I see it, the changes need to happen in the following places (assuming hmac-sha512):

  • xCAT-server/lib/xcat/plugins/dhcp.pm
    • adding key-algorithm hmac-sha512 into the omshell pipe open (while updating dhcpd leases)
    • adding the correct algorithm into the dhcpd.conf generated with makedhcp -n (and/or at first run)
  • xCAT-server/lib/xcat/plugins/ddns.pm
    • adding the correct algorithm into the named.conf generated with makedns -n (and/or at first run)

@kjhee43 If your cluster is still in testing mode, can you try these code changes as they should be trivial changes, and then test? This should work even if FIPS isn't enabled. If you're not comfortable with making code changes, let me know, and I'll try and give you a patch to apply.
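The config-level side of cxhong's findings (hmac-md5 is disabled under FIPS, so the key blocks in /etc/named.conf and /etc/dhcp/dhcpd.conf need hmac-sha256 or hmac-sha512) and of the places samveen lists, as an added example in Python. It is not xCAT code and not the patch samveen refers to. It assumes the key-block syntax quoted earlier in this thread for both daemons, the ISC dhcpd omapi-port and omapi-key statements, and a constructed placeholder secret; the key name xcat_key is kept only for readability.

```python
"""Find, rewrite and verify TSIG/OMAPI key blocks for FIPS mode.

Added example, not xCAT code. The config snippet and secret below are
constructed; the key name matches the thread only for readability.
"""
import base64
import hashlib
import hmac
import os
import re

# HMAC algorithms named/dhcpd accept that also survive FIPS mode on RHEL 7.
# hmac-md5 is absent on purpose: it is what named.conf:11 was rejected for.
FIPS_HMAC = {
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}

# Matches `key NAME { ... }` (quotes optional) but not `key NAME;` references
# such as the `key xcat_key;` inside zone statements, nor `omapi-key NAME;`.
KEY_BLOCK = re.compile(r'(?<![\w-])key\s+"?(?P<name>[\w.-]+)"?\s*\{(?P<body>[^}]*)\}')
ALG = re.compile(r'algorithm\s+(?P<alg>[\w-]+)\s*;', re.I)


def find_unapproved_keys(conf_text):
    """Return [(key name, algorithm)] for key blocks a FIPS host rejects."""
    bad = []
    for m in KEY_BLOCK.finditer(conf_text):
        a = ALG.search(m.group("body"))
        alg = a.group("alg").lower() if a else "missing"
        if alg not in FIPS_HMAC:
            bad.append((m.group("name"), alg))
    return bad


def new_secret(algorithm):
    """Random base64 secret sized to the HMAC output, as tsig-keygen does."""
    return base64.b64encode(os.urandom(FIPS_HMAC[algorithm]().digest_size)).decode()


def upgrade_keys(conf_text, new_alg="hmac-sha256", secrets=None):
    """Rewrite every unapproved key block to new_alg, rotating its secret.

    Returns (new_text, {name: secret}). Pass the same secrets into the peer
    config (named.conf <-> dhcpd.conf, and xCAT's passwd table), otherwise
    the failure just moves from 'disabled algorithm' to a bad signature.
    """
    secrets = dict(secrets or {})

    def fix(m):
        name, body = m.group("name"), m.group("body")
        a = ALG.search(body)
        if a and a.group("alg").lower() in FIPS_HMAC:
            return m.group(0)  # already acceptable, leave it alone
        secrets.setdefault(name, new_secret(new_alg))
        head = m.group(0)[: m.start("body") - m.start()]  # 'key NAME {'
        return '%s\n\talgorithm %s;\n\tsecret "%s";\n}' % (head, new_alg, secrets[name])

    return KEY_BLOCK.sub(fix, conf_text), secrets


def render_dhcpd_key(name, algorithm, secret, port=7911):
    """dhcpd.conf side: the key block plus omapi-key so omshell can authenticate."""
    return ('omapi-port %d;\nomapi-key %s;\nkey %s {\n\talgorithm %s;\n'
            '\tsecret "%s";\n};\n' % (port, name, name, algorithm, secret))


def sign(algorithm, secret_b64, data):
    """HMAC the way TSIG/OMAPI compute a MAC. On a FIPS host hashlib.md5
    itself raises ValueError; here we refuse before reaching OpenSSL."""
    if algorithm not in FIPS_HMAC:
        raise ValueError("disabled algorithm '%s'" % algorithm)
    return hmac.new(base64.b64decode(secret_b64), data, FIPS_HMAC[algorithm]).digest()


# Constructed sample modelled on the key block quoted in the thread.
SAMPLE_SECRET = base64.b64encode(bytes(32)).decode()  # placeholder, not a real key
NAMED_CONF = '''options { directory "/var/named"; };
key xcat_key {
        algorithm hmac-md5;
        secret "%s";
};
zone "pok.stglabs.ibm.com" { type master; file "db.pok"; allow-update { key xcat_key; }; };
''' % SAMPLE_SECRET


if __name__ == "__main__":
    print("rejected under FIPS:", find_unapproved_keys(NAMED_CONF))
    fixed, secrets = upgrade_keys(NAMED_CONF, "hmac-sha256")
    print(fixed)
    print(render_dhcpd_key("xcat_key", "hmac-sha256", secrets["xcat_key"]))
```

The one secret has to land in every place xCAT keeps it: the key block in /etc/named.conf, the key block and omapi-key in /etc/dhcp/dhcpd.conf, and the omapi row of the passwd table, followed by a restart of named and dhcpd; and, as samveen notes, the omshell session then needs key-algorithm set to the same algorithm before the key command, or it is back to the "can't open object" failure shown above.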

cxhong (Contributor) commented Aug 7, 2020

Thanks, @samveen.

"adding key-algorithm hmac-sha512 into the omshell pipe open (while updating dhcpd leases)"

Can you give me an example of how to do that? I tried to modify dhcp.pm and the command line; it didn't work for me.

Maybe it is easier if you can open a pull request for this?

samveen (Member) commented Aug 8, 2020

@cxhong I'll create a WIP MR for this.

kjhee43 (Author) commented Aug 10, 2020

@cxhong, I'm not following the exchange here.... What is a WIP MR? Is there something that can be back-ported into xCAT 2.16.0?

cxhong (Contributor) commented Aug 10, 2020

Maybe @samveen called it a WIP MR. I assume it is the same as an xCAT pull request. This is PR number #6797.

kjhee43 (Author) commented Aug 10, 2020

@cxhong so it will be part of the next release?

cxhong (Contributor) commented Aug 10, 2020

Once it passes our verification, I will merge it; it will be available in the daily build and the next release.
I picked up @samveen's code in PR #6797; it didn't work in my testing. Maybe you can try it out and verify his changes.

kjhee43 (Author) commented Aug 19, 2020

@cxhong any word on the patch?
