daemon: Refuse to disable FIPS mode

[cgwalters]

Our new thought around this is that really FIPS should be a "day 1"
operation, and we don't want to make it really easy to undo.
See also openshift/installer#2594
Anyone who wants to force this can change the MC flag, then
oc debug node and run the disable command by hand, then reboot.

Our MachineConfig merge semantics should make it hard for this
to happen unless the admin explicitly deletes the installer-generated MC,
but still.

Since we don't support it and don't want customers
to do it by accident, let's disable it and also stop wasting compute
hours testing it.

[ashcrow]

This makes sense to me. Should we refuse to let them change FIPS at all since Day 2 wouldn't be valid?

[runcom]

This makes sense to me. Should we refuse to let them change FIPS at all since Day 2 wouldn't be valid?

yeah, I was actually thinking if day2 isn't valid at all we might want to go the route to completely drop this FIPS from MC and either you install with fips or not. That would be the safest option to me w/o providing any way to disable it through the MCO

[ashcrow]

The change itself is 👍 though I still wonder if we should remove the flag (or make it 100% read only).

[cgwalters]

Should we refuse to let them change FIPS at all since Day 2 wouldn't be valid?

Possibly but we currently rely on this code since we haven't landed an initramfs replacement yet.

[ashcrow]

/retest

[kikisdeliveryservice]

/skip

[mrunalp]

/lgtm

[ashcrow]

/override ci/prow/e2e-gcp-op

I've been told there are currently some issues being looked at for the above job. Skipping.

[openshift-ci-robot]

@ashcrow: Overrode contexts on behalf of ashcrow: ci/prow/e2e-gcp-op

Details

In response to this:

/override ci/prow/e2e-gcp-op

I've been told there are currently some issues being looked at for the above job. Skipping.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ashcrow]

/hold

[cgwalters]

I just noticed this in the logs:

I1031 20:38:14.869340       1 node_controller.go:433] Pool worker: node ci-op--bgjrr-w-d-lpplg.c.openshift-gce-devel-ci.internal is now reporting unready: node ci-op--bgjrr-w-d-lpplg.c.openshift-gce-devel-ci.internal is reporting OutOfDisk

[kikisdeliveryservice]

in the failed run it took almost and hour to evict arouter pod:
https://storage.googleapis.com/origin-ci-test/pr-logs/pull/openshift_machine-config-operator/1233/pull-ci-openshift-machine-config-operator-master-e2e-gcp-op/231/artifacts/e2e-gcp-op/pods/openshift-machine-config-operator_machine-config-daemon-xsg8p_machine-config-daemon.log

[kikisdeliveryservice]

@cgwalters i noticed in the fips e2e they were hitting OOD on 2 nodes in the failed runs as well. sent you the link to chat convo

[crawford]

Are we concerned about transitions in the opposite direction? Going from non-FIPS compliant to (technically still not) FIPS compliant seems more dangerous.

[cgwalters]

@crawford Yes but see
#1233 (comment)
(We need this right now to test FIPS at all until we land the updated RHCOS)

[cgwalters]

@ashcrow You added a hold - can you explain why?

[ashcrow]

@cgwalters I added it as @kikisdeliveryservice wanted to review why the GCE job failed to ensure it was a flake.

[kikisdeliveryservice]

@ashcrow You added a hold - can you explain why?

held bc we saw the failed FIPs test and wanted to investigate it (ie the stuff we've been looking at)

@cgwalters If you are fine with merging it without it passing that job at all, I'm fine with removing hold. I dont know enough about FIPs to say so myself... just lmk

[cgwalters]

Hmm. I think this PR is quite safe, and will actually help our issues with the e2e-gcp-op test suite since it'll shorten it a bit.

But, it can also probably wait until we've figured out that suite.

[kikisdeliveryservice]

It's late for me, but I've figured out that our test is failing precisely bc FIPS day2 is broken. I have a PR here removing the test to unblock the PRs that have been stuck since Friday:
See #1244

Can someone in the morning just double check and then merge this (and then approve my PR)? We have features blocked so it would be great to get the test gone and things back to working.

[ashcrow]

/lgtm

[ashcrow]

/hold cancel

[ashcrow]

Needs a quick rebase

[cgwalters]

OK rebased 🏄‍♂️ and I also added some code to more cleanly handle the pending RHCOS change to drop rhcos-tools.

[ashcrow]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashcrow, cgwalters, mrunalp

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ashcrow,cgwalters]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ashcrow]

/override ci/prow/e2e-aws-scaleup-rhel7

My understanding is the above failing test is unrelated

[openshift-ci-robot]

@ashcrow: Overrode contexts on behalf of ashcrow: ci/prow/e2e-aws-scaleup-rhel7

Details

In response to this:

/override ci/prow/e2e-aws-scaleup-rhel7

My understanding is the above failing test is unrelated

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@cgwalters: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws-scaleup-rhel7	a42cb0c	link	/test e2e-aws-scaleup-rhel7

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[kikisdeliveryservice]

GCP errors

/test e2e-gcp-upgrade