[PUP-4963] "puppet module build" fails on FIPS-enabled system Created: 2015/07/30 Updated: 2018/02/15 Resolved: 2018/01/29
Affects Version/s: PUP 3.7.4
Fix Version/s: PUP 5.4.0
Reporter: Jared Jennings
Assignee: Jayant Sane
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
RHEL Workstation 6.6, configured for FIPS compliance.
It appears you can trip this bug without the toil of complete compliance by setting OPENSSL_FORCE_FIPS_MODE=foo in your environment. Any value set for this variable turns on the behavior; to turn it off you must unset the variable. You should also be able to replicate the behavior on CentOS or Fedora.
Template: PUP Bug Template
Epic Link: FIPS-Enabled Puppet
Sprint: Platform Core KANBAN
Release Notes: Bug Fix
Release Notes Summary: Puppet will now gracefully exit when running the puppet module tool on a FIPS-enabled system as MD5 checksums are not allowed.
When I try to run `puppet module build .` to package up my module, the following messages appear:
And it doesn't make the tar.gz I wanted it to.
The Ruby code that causes the crash is the checksum method of the Puppet::ModuleTool::Checksums module, in lib/puppet/module_tool/checksums.rb. I looked in the source of 3.7.4, in my oldest copy of Puppet (2.7.something), and in the trunk on GitHub, and found in all places that the module_tool/checksums.rb solely uses MD5, which does not work in FIPS mode.
In the case of Puppet itself (
Aside: My Ruby interpreter (126.96.36.1994-4.el6_6), like all Ruby interpreters, has the bug reported at https://bugs.ruby-lang.org/issues/9659, which makes the Ruby interpreter crash when Digest::MD5 is used in FIPS mode, instead of raising an exception. You may note that the issue has languished, even though a patch has been provided. If anyone else, who worked for a company that uses Ruby a lot, were to want this rough edge of Ruby filed off, they may want to tell the Ruby folks.
To get the Ruby backtrace, I ran `puppet module build` inside gdb, and used the trick from http://weblog.jamisbuck.org/2006/9/22/inspecting-a-live-ruby-process to get the Ruby backtrace. On a 64-bit system, I had to use "long" instead of "int", 16 instead of 8, and 24 instead of 12.
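Added example, not code from this ticket or from Puppet's own lib/puppet/module_tool/checksums.rb: a small checksum helper that shows the behaviour the fix describes in the release notes. It checks for FIPS mode before ever touching Digest::MD5, so that on a FIPS-enabled system the caller gets a clean Ruby exception (and the CLI a clean exit) rather than the interpreter abort from ruby-lang #9659. The method names, the `FipsChecksumError` class and the `fips:` keyword are assumptions made for this example; `OPENSSL_FORCE_FIPS_MODE` and `OpenSSL.fips_mode` are the real RHEL environment knob from the Environment field and the real Ruby OpenSSL accessor.

```ruby
require 'openssl'
require 'digest/md5'

# Assumed name for this example; Puppet's actual exception class may differ.
class FipsChecksumError < StandardError; end

# True when OpenSSL is running in FIPS mode. The RHEL/Fedora knob from the
# report (OPENSSL_FORCE_FIPS_MODE) is honoured first: any value turns FIPS
# on, so only an unset or empty variable falls through to the library check.
# The force_env keyword exists so the decision can be tested without
# touching the real process environment.
def fips_enabled?(force_env: ENV["OPENSSL_FORCE_FIPS_MODE"])
  return true if force_env && !force_env.empty?
  OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode ? true : false
end

# MD5 is the only algorithm the module tool's checksum code knows. Under
# FIPS the digest is not allowed, so refuse it before calling Digest::MD5,
# which is the call that crashes the interpreter on the affected Rubies.
def md5_checksum(data, fips: fips_enabled?)
  if fips
    raise FipsChecksumError,
          "MD5 checksums are not available on a FIPS-enabled system; " \
          "the puppet module tool cannot build or install modules here"
  end
  Digest::MD5.hexdigest(data)
end

# Checksums for a module's files, given as { relative_path => contents }.
# One FIPS check covers the whole set, so a FIPS system fails fast with a
# single message instead of per file.
def module_checksums(files, fips: fips_enabled?)
  files.each_with_object({}) do |(path, contents), sums|
    sums[path] = md5_checksum(contents, fips: fips)
  end
end

# Graceful-exit wrapper of the kind the release note describes: returns the
# exit status the CLI would use, printing the error to stderr instead of
# letting Ruby abort. Returns [status, checksums_or_nil].
def build_checksums_for_cli(files, fips: fips_enabled?)
  [0, module_checksums(files, fips: fips)]
rescue FipsChecksumError => e
  warn "Error: #{e.message}"
  [1, nil]
end

if __FILE__ == $0
  # Constructed sample module content, not a real module.
  sample = { "metadata.json" => "{}", "manifests/init.pp" => "class demo {}\n" }
  status, sums = build_checksums_for_cli(sample)
  puts sums.inspect if sums
  exit status
end
```

Run it as `OPENSSL_FORCE_FIPS_MODE=foo ruby checksums_demo.rb` to see the refusal path, and without the variable to see the normal MD5 output; unsetting the variable (not setting it to an empty-looking value) is what turns the behaviour off, as the report notes.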
Comment by Ben Ford [2017/01/18]
puppet module install also fails in Puppet 3.8. Is this ticket still an issue on current Puppet?
Comment by Josh Cooper [2017/11/21]
Comment by Josh Cooper [2018/01/18]