Re: [HTCondor-users] condor and FIPS issue
From: ade kc <kcbobo@xxxxxxxxxxx>
Date: 07/06/2016 01:33 PM
> My team is currently doing some "FIPS" testing. king group to ...
>
> This effectively requires installation of the "dracut-fips" package. I
> installed condor 8.2.8 on an execute node and the condor_master daemon
> would immediately do a crash dump.
>
> I removed the "dracut-fips" package and all is well again with the world.
>
> This is a redhat 6.6 machine, seems there's a conflict between this
> package and condor. Anyone aware of this? I can try another condor version
> to see what happens, but wanted to check in here first.

Does anything show up in the system log about the HTCondor startup regarding
the FIPS status of the system? Perhaps the unprelink of the HTCondor
binaries wasn't successful or something like that, and maybe that would
be reflected in FIPS-related logging.

For instance, perhaps the prelink -u -a you ran before installing
dracut-fips overlooked the /usr/libexec/condor directory.

Also, do you have openssl-fips installed as well? That's going to be the
FIPS nexus for HTCondor, rather than Dracut. Maybe try running with
the FIPS mode turned off (fips=0 in the kernel args) and see if there's
any useful logging activity in "non-enforcing mode," as it were.

I'm surprised you've got RHEL 6.6 - the security standards I'm
conversant with require regular operating system security patches,
and there's been four moderate and two important kernel security errata
since the release of 6.7 about a year ago, among about 128 in total
over 6.6.

Also I highly recommend 8.4 over 8.2. The transition is easy as
long as you're mindful of the new packaging divisions (i.e., if you need
kbdd you have to install it separately, or install condor-all), and
there's a lot of good improvements. And thanks to the virtues of the
ClassAd system, 8.4 and 8.2 can coexist in the same pool, so an
incremental upgrade is feasible.

-Michael Pelletier.
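
The checks suggested in the message above, collected into one script as an added example that is not part of the original thread. The script name fips_check.sh, the function names, the /var/log/messages default and the use of readelf to look for prelink's `.gnu.prelink_undo` section are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters so the
# functions can be pointed at constructed files as well as a live system.

# Value of the fips= kernel argument in a command-line string, or "unset".
# If the argument is repeated, this sketch reports the last occurrence.
fips_karg() {
    val="unset"
    for arg in $1; do
        case "$arg" in fips=*) val="${arg#fips=}" ;; esac
    done
    echo "$val"
}

# Kernel FIPS flag read from <proc_root>/sys/crypto/fips_enabled, or "unknown".
fips_enabled() {
    f="${1:-/proc}/sys/crypto/fips_enabled"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; echo; else echo "unknown"; fi
}

# Files under a directory that still carry prelink's undo section,
# i.e. binaries that "prelink -u -a" did not restore.
still_prelinked() {
    [ -d "$1" ] || return 0
    find "$1" -type f | while read -r bin; do
        if readelf -S "$bin" 2>/dev/null | grep -q '\.gnu\.prelink_undo'; then
            echo "$bin"
        fi
    done
}

fips_report() {
    proc="${1:-/proc}"; dir="${2:-/usr/libexec/condor}"; log="${3:-/var/log/messages}"
    echo "fips= kernel argument: $(fips_karg "$(cat "$proc/cmdline" 2>/dev/null)")"
    echo "fips_enabled:          $(fips_enabled "$proc")"
    if command -v rpm >/dev/null 2>&1; then rpm -q openssl-fips dracut-fips; fi
    echo "still prelinked under $dir:"
    still_prelinked "$dir"
    echo "recent FIPS lines in $log:"
    if [ -r "$log" ]; then grep -i fips "$log" | tail -n 20; fi
    return 0
}

# Run the report only when asked, e.g.: sh fips_check.sh report
if [ "${1:-}" = "report" ]; then fips_report; fi
```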