| clarkb | re the fips issue is the command already removed from centos 10 stream? | 15:27 |
|---|---|---|
| fungi | sounds like that's how it came to our attention | 15:28 |
| fungi | i.e. trying to directly port the fips jobs from centos 9 to 10 | 15:28 |
| clarkb | reading the justification for the change I honestly don't think those things matter too much for our use case. But considering this is a "security" stance feature I can understand why taking a stronger stance makes sense | 15:30 |
| clarkb | specifically we only care about whether our workload can work and don't care about existing luks keys or ssh keys being generated properly according to fips | 15:30 |
| fungi | yeah, it's possible the job could just adjust the kernel cli arguments | 15:31 |
| fungi | though i'm increasingly unconvinced of the usefulness of that testing upstream, it's a very specific set of requirements for one particular country's government and military systems | 15:33 |
| clarkb | yes I definitely don't think we should build custom images just for that functionality. But if people can reboot into something that works well enough I won't stop them | 15:33 |
| fungi | requirements that by even objective standards are not particularly more secure, just ones that have been approved for use | 15:34 |
| fungi | (e.g. quick to forbid certain weak primitives even when used outside a security context, but *very* slow to accept newer algorithms) | 15:36 |
| opendevreview | Merged openstack/governance master: Mark "Migrate from wsgi scripts" goal as completed https://review.opendev.org/c/openstack/governance/+/958817 | 19:01 |
| opendevreview | Merged openstack/governance master: Show inactive project status in project.yaml https://review.opendev.org/c/openstack/governance/+/958229 | 19:01 |
| spotz[m] | Because I forgot while Matrix was down last week... Jonathan Wright from Alma will join us tomorrow | 21:14 |
| fungi | very cool! | 21:16 |
| spotz[m] | That's Jonathan:) | 21:17 |
| JonathanWright[m] | hello world | 21:17 |
| fungi | ahoy! | 21:17 |
| JonathanWright[m] | Ok cool, the matrix bridge has a constant spinny-wheel for me in this channel but messages seem to work (just no history). | 21:18 |
| fungi | if you're talking about oftc's matrix bridge specifically, yeah i understand it's not super great | 21:19 |
| spotz[m] | Works for me:) | 21:22 |
| sean-k-mooney | fungi: hmm even in our downstream distro we do the fips enabling post install | 21:56 |
| sean-k-mooney | i think we can enable it during the install if and only if you have the install image on your servers | 21:57 |
| sean-k-mooney | https://github.com/openstack-k8s-operators/edpm-ansible/blob/da4023cb996a2804da88bef1d88ccd31db89ff4a/roles/edpm_bootstrap/tasks/fips.yml#L19 | 21:59 |
| sean-k-mooney | i know in image mode i.e. bootc they are going to do that a bit differently but i'm not sure how you get from a non bootc install to a bootc one | 22:00 |
| sean-k-mooney | i.e. for anyone upgrading | 22:00 |
| sean-k-mooney | i don't actually know how that is meant to work with c10s or rocky or alma but given those all branched from fedora 40 and that is targeted to fedora 42 i'm not sure if that will impact the 10 based release | 22:05 |
| clarkb | sean-k-mooney: it sounds like c10s is already affected. Probably because it is somewhat forward looking too? | 22:06 |
| sean-k-mooney | fun well it's after fedora and before rhel but our downstream ci is mostly rhel/centos 9 based. we have some usage of 10 but i don't think we have any 10 + fips yet | 22:07 |
| sean-k-mooney | clarkb: currently we use dib to build our hardened images for installer provisioned nodes | 22:10 |
| sean-k-mooney | but there are also experiments to move that to using bootc in the future https://github.com/openstack-k8s-operators/edpm-image-builder/blob/0753302c26bc3123be82afa517c6ddc74b50a966/bootc/Containerfile#L145 | 22:10 |
| sean-k-mooney | i guess that's the plan for 10 but i have not been involved in any of that | 22:12 |
| clarkb | sean-k-mooney: I suspect that both dib and bootc will require that the builds also happen in a fips environment based on the fedora post list of issues | 22:15 |
| sean-k-mooney | maybe it will likely depend on how well the isolation between the two envs is. | 22:16 |
| clarkb | I guess openssh-server will generate host keys on first start if not present (this way you don't have the same host key everywhere) but other things may need similar treatment if they don't already do it | 22:17 |
| sean-k-mooney | both are effectively running in a chroot of a form so as long as you don't mix any host executable into that env it might be ok | 22:17 |
| clarkb | sean-k-mooney: the problem is it's a kernel setting | 22:17 |
| clarkb | currently I think that only affects the kernel behavior but the proposed change in the fedora post has everything keying off of that | 22:18 |
| clarkb | so you basically need the kernel to be in fips mode to have anything else in fips mode which creates a fun bootstrapping problem for tools like bootc and dib | 22:18 |
| sean-k-mooney | you mean fips=1 | 22:19 |
| sean-k-mooney | but that's not actually a kernel parameter for the kernel to use | 22:19 |
| sean-k-mooney | it's a kernel parameter that is used by the installer i think | 22:19 |
| JayF | it signals dracut, I'm guessing? | 22:19 |
| JayF | anaconda, sure, makes sense | 22:19 |
| JayF | kernel command line parameters are great way to sneak config in :D | 22:19 |
| clarkb | "Instead, we will turn the fips=1 kernel command line flag into the single source of truth for whether FIPS mode is enabled. We have already removed or will remove some of the separate knobs and instead automate them to follow the single source of truth" | 22:19 |
| sean-k-mooney | so the problem they are trying to solve i think is making sure when the install is happening you don't install anything that is not fips compatible at any point | 22:20 |
| JayF | depends on the context that quote comes from; lots of distros control userspace tooling across the entire distro by respecting something in /proc/cmdline | 22:20 |
| clarkb | I read that as openssl, openssh, etc etc etc need to check the kernel fips mode to know if they are in fips mode | 22:20 |
| JayF | oh I see what you mean | 22:21 |
| JayF | and I suppose they weren't as nice as IPA to provide an override :( | 22:21 |
| sean-k-mooney | maybe | 22:21 |
| clarkb | "The system-wide cryptographic policy will automatically follow the fips=1 kernel command line flag to remove the need for the manual switch previously performed by fips-mode-setup" | 22:21 |
| clarkb | anyway my point is mostly that this goes beyond "just build a fips image from scratch" because I suspect to bootstrap that we may already need some amount of fips enablement | 22:22 |
| JayF | which IRL might just be someone inserting a fips-y installer cd | 22:22 |
| clarkb | at least to do it properly and avoid the problems listed in that post like generating keys using non fips mode | 22:22 |
| JayF | but in the cloud when you wanna get an image is a tough bootstrap problem | 22:22 |
| sean-k-mooney | what would be ideal would be if centos/rocky/alma had a fips cloud image | 22:23 |
| sean-k-mooney | that dib could just use as a base | 22:23 |
| clarkb | oh ok there is some fancy bind mount thing going on too that maybe dib/bootc could also provide to address that problem | 22:23 |
| JonathanWright[m] | sean-k-mooney: That's doable ya know ;) | 22:23 |
| clarkb | for the record I do not want to have fips images in opendev | 22:23 |
| JayF | Problem successfully delegated, run before JonathanWright[m] changes his mind! ;) | 22:24 |
| JayF | clarkb: tbh I think I agree with fungi's stance that it's ... weird that we test fips mode | 22:24 |
| sean-k-mooney | clarkb: ya it is a bit of a weird edgecase | 22:24 |
| JonathanWright[m] | haha. seems like spotz should've invited me here sooner | 22:24 |
| JayF | given it's a US-specific requirement in an international community | 22:24 |
| JonathanWright[m] | I can see a FIPS image being quite useful so I bet there's other demand as well | 22:24 |
| sean-k-mooney | since if we add a fips one then whatever the eu one is will be next etc | 22:24 |
| JayF | bingo | 22:24 |
| clarkb | I'm more than happy to have people enable fips inside of the test environment however that makes sense. But its a lot of work to manage the images we already have and doubling their number for one feature is not reasonable imo | 22:25 |
| sean-k-mooney | JonathanWright[m]: is almalinux joining the list of images in opendev ci? | 22:26 |
| sean-k-mooney | the x86_64 v2 build target is a very interesting capability that alma has over both c10s and rocky 10 | 22:27 |
| JonathanWright[m] | Honestly that's been on my list for...a long time. I've been away from openstack for quite some time and I need to get re-familiar with things or ideally, find someone within the alma community that'd be willing to step up to the plate to help with alma/openstack stuff. | 22:28 |
| JonathanWright[m] | v2 has been far more popular than even we expected, it's been very fun to see the fanfare around it when people realize they can upgrade to 10 on their old hardware. | 22:29 |
| sean-k-mooney | ya i believe most of my dev hardware can't actually run v3. | 22:30 |
| clarkb | my personal fileserver cannot v3 | 22:30 |
| JonathanWright[m] | Well, you now have a solution to get to 10, including EPEL :) | 22:30 |
| sean-k-mooney | i mean i normally use debian/ubuntu but i'll need to retire that hardware or use alma or debian going forward | 22:30 |
| spotz[m] | Jonathan Wright: Hey you never asked:) And I just assume all my friends know each other:) | 22:55 |
| spotz[m] | You should come to Summit, there I invited you some place:) | 22:56 |
| JonathanWright[m] | Summit is so $$$ | 22:56 |
| JonathanWright[m] | Wait, what summit? | 22:57 |
| spotz[m] | No the travel to Paris and hotel are $$$, tickets are $:) | 22:57 |
| JonathanWright[m] | My brain immediately went to RH summit, but I'm thinking there must be an openstack summit or something | 22:57 |
| spotz[m] | Welcome to an OpenStack channel, Summit means OpenInfra Summit:) | 22:57 |
| JonathanWright[m] | Oh that one! I think my wife may murder me if I go to Paris without her | 22:58 |
| JonathanWright[m] | Oct 17-19! Ooof bit late now but maybe next year! | 22:58 |
| spotz[m] | Not sure where/when we'll be next year but will let you know | 22:58 |
| JonathanWright[m] | If it's in the US I can almost guarantee I could swing it. Europe just let me know and it will depend on what other travel we have booked up. | 22:59 |
| JayF | Where in US are you if you don't mind the ask? | 23:04 |