| opendevreview | Merged openstack/project-config master: gerrit/acl : check for function/s-r in normalize https://review.opendev.org/c/openstack/project-config/+/875997 | 00:08 |
|---|---|---|
| opendevreview | Merged openstack/project-config master: gerrit/acl : check for capital booleans in normalize https://review.opendev.org/c/openstack/project-config/+/877571 | 00:09 |
| *** jpena|off is now known as jpena | 08:22 | |
| ade_lee | fungi, clarkb , coreycb - hey - I had sent you guys an email about issues with fips and ubuntu. | 17:17 |
| clarkb | ya I'm not sure I hve any answers. The issues seem related to the build of the software itself | 17:18 |
| ade_lee | coreycb, I was hoping you might be able to help - or at least point me in the right direction. its hard for me to believe that you guys didn't fix iscsid to work under fips | 17:18 |
| clarkb | I think there is a userspace iscsi implementation in libvirt | 17:19 |
| ade_lee | clarkb, yeah - I was hoping one of the canonical guys would chime in -- do we know of any others that I can sync with? | 17:19 |
| clarkb | this was a workaround for running nova in containers or something a few years back? That might be a workaround | 17:19 |
| ade_lee | clarkb, yeah - I'd think iscsid is something thats pretty core to things - and they would have an update for it | 17:21 |
| *** jpena is now known as jpena|off | 17:21 | |
| ade_lee | anyways I may join the weekly meeting at the end to see if anyone has suggestions or contacts | 17:22 |
| opendevreview | Jeremy Stanley proposed openstack/project-config master: Replace old Antelope cycle key with 2023.2/Bobcat https://review.opendev.org/c/openstack/project-config/+/878144 | 17:44 |
| fungi | ade_lee: maybe tinwood knows who to talk to, or jamespage | 17:45 |
| jamespage | ade_lee: let me find out | 17:51 |
| jamespage | ade_lee: can you forward me on the email so I have the context - james.page@ubuntu.com | 17:58 |
| jamespage | ade_lee: have the context understand the issue will endeavour to find an answer with tinwood | 18:34 |
| jamespage | tl;dr the versions of both the kernel and open-iscsi at focal don't support anything better than MD5 | 18:35 |
| jamespage | so really need a jammy baseline for a FIPS compliant solution | 18:35 |
| fungi | jamespage: the other half of the problem, sounds like, is that for whatever reason we can't use the ua token we got from tinwood on jammy | 18:47 |
| fungi | ade_lee was getting an error trying to activate it if the job ran on a jammy node | 18:48 |
| fungi | so while the preference would be to run on jammy, focal seemed to be the only place the fips ua token worked | 18:49 |
| fungi | not sure if that's a problem with how the account/subscription is set up, or some change in the commands needed to do that on jammy vs focal | 18:49 |
| fungi | as best i can infer from his e-mail, `ua status` on jammy indicates "fips" and "fips-updates" are both entitled, but enabling "fips-updates" results in no ubuntu-fips package | 18:58 |
| jamespage | fungi, ade_lee: its not a problem with the token - FIPs certification of jammy is still inprogress so its just not actually a consumable option right now | 20:04 |
| jamespage | although I do agree that the UX experience is misleading - will feed that back | 20:08 |
| opendevreview | Merged openstack/project-config master: Temporarily remove release docs semaphores https://review.opendev.org/c/openstack/project-config/+/877552 | 20:15 |
| fungi | thanks for clarifying jamespage! | 21:11 |
| fungi | so in summary, iscsi on focal isn't fips-compatible, jammy fips compliance is still a work in progress | 21:12 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!