> My team is currently doing some "FIPS"
testing. king group to ... >
> This effectively requires installation of the "dracut-fips"
package. I
> installed condor 8.2.8 on an execute node and the condor_master daemon
> would immediately do a crash dump. >
> I removed the "dracut-fips" package and all is well again
with the world. >
> This is a redhat 6.6 machine, seems there's a conflict between this
> package and condor. Anyone aware of this? I can try another condor
version
> to see what happens, but wanted to check in here first.
Does anything show up in the system log about the
HTCondor startup regarding the FIPS status of the system? Perhaps the unprelink
of the HTCondor binaries wasn't successful or something like that,
and maybe that would be reflected in FIPS-related logging.
For instance, perhaps the prelink -u -a you ran before
installing dracut-fips overlooked the /usr/libexec/condor directory.
Also, do you have openssl-fips installed as well?
That's going to be the FIPS nexus for HTCondor, rather than Dracut. Maybe
try running with the FIPS mode turned off (fips=0 in the kernel args)
and see if there's any useful logging activity in "non-enforcing
mode," as it were.
I'm surprised you've got RHEL 6.6 - the security standards
I'm conversant with require regular operating system security
patches, and there's been four moderate and two important kernel
security errata since the release of 6.7 about a year ago, among about
128 in total over 6.6.
Also I highly recommend 8.4 over 8.2. The transition
is easy as long as you're mindful of the new packaging divisions
(i.e., if you need kbdd you have to install it separately, or install
condor-all), and there's a lot of good improvements. And thanks to
the virtues of the ClassAd system, 8.4 and 8.2 can coexist in the same
pool, so an incremental upgrade is feasible.
![[Computer Systems Lab]](http://www.cs.wisc.edu/pics/csl_logo.gif){kind=logo}