@cgwalters
Member

On firstboot, we synthesize a machineConfig which represents
what we actually see on the node. We just fill this in with
what rpm-ostree says is osImageURL. However, FIPS is also
special in that it's handled by a special "FIPS boot" before what
we think of as firstboot.

It cleans up our later comparisons if we have the correct FIPS
state in here.

(In a layering future, I think what we'd do actually is just move
fips=1 into a kernel argument passed via MachineConfig, then
this code wouldn't need to special case it; it'd just be another
kernel argument)

@openshift-ci
Contributor

openshift-ci bot commented Apr 8, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 8, 2022
// Also inject the current fips state, which was handled before we run.
content, err := ioutil.ReadFile(fipsFile)
if err != nil {
return nil, fmt.Errorf("Error reading FIPS file at %s: %w", fipsFile, err)
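Review bot: every failure of the ReadFile call, including a missing file at fipsFile, takes the `return nil, fmt.Errorf(...)` branch and aborts the synthesized config, so the not-exist case should be decided explicitly (error out, or treat as FIPS disabled) rather than falling through with the generic error. Two style points on the same lines: ioutil.ReadFile has been deprecated since Go 1.16 in favour of os.ReadFile, and Go error strings are conventionally lowercase without a leading "Error", since callers wrap them, for example "reading FIPS file at %s: %w".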
Contributor

checkFIPS has

		if os.IsNotExist(err) {
			// we just exit cleanly if we're not even on linux
			glog.Infof("no %s on this system, skipping FIPS check", fipsFile)
			return nil
		}

I think it would make more sense if we moved the FIPS code to a getFIPS() function so we handle cases like that consistently. And then maybe instead of my PR just have

if desired.Spec.FIPS != getFIPS() {
  return fmt.Errorf(...)
}

Member Author

Agree a factored out getFIPS() function would make sense, though I don't understand how we could reach that particular bit since the MCD only runs on Linux. (maybe somehow the unit tests reach it when run from MacOS e.g.?)
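
One way the factored-out helper discussed in the two comments above could look, as an added example that is not code from this PR or from either commenter. The `getFIPS` and `validateFIPS` signatures are hypothetical, the value of `fipsFile` is assumed to be the kernel's `/proc/sys/crypto/fips_enabled` flag, and treating a missing file as "FIPS disabled" is a design choice made here.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"strings"
)

// fipsFile is the kernel's FIPS-mode flag. The path is an assumption here;
// the thread only names the variable.
const fipsFile = "/proc/sys/crypto/fips_enabled"

// getFIPS (hypothetical signature) reports whether the kernel is in FIPS mode.
// A missing file is reported as "not enabled" so every caller handles that case
// the same way; other read errors and unexpected content are returned.
func getFIPS(path string) (bool, error) {
	content, err := os.ReadFile(path)
	if err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			return false, nil
		}
		return false, fmt.Errorf("reading FIPS file at %s: %w", path, err)
	}
	switch strings.TrimSpace(string(content)) {
	case "1":
		return true, nil
	case "0":
		return false, nil
	default:
		return false, fmt.Errorf("unexpected content %q in %s", content, path)
	}
}

// validateFIPS is the comparison sketched in the review comment: the desired
// value (desired.Spec.FIPS in the thread) must match what the node booted with.
func validateFIPS(desired bool, path string) error {
	actual, err := getFIPS(path)
	if err != nil {
		return err
	}
	if desired != actual {
		return fmt.Errorf("FIPS mismatch: config wants %t, node has %t", desired, actual)
	}
	return nil
}

func main() { fmt.Println(validateFIPS(false, fipsFile)) }
```
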

@mkenigs
Contributor

mkenigs commented Apr 11, 2022

If mc from MachineConfigEncapsulatedPath has the wrong value of FIPS, do we want the call to update() to error?

@mkenigs
Contributor

mkenigs commented Apr 11, 2022

lgtm - happy to make any of the changes I suggested in a followup PR

@cgwalters
Member Author

/retest

@openshift-ci
Contributor

openshift-ci bot commented Apr 12, 2022

@cgwalters: all tests passed!

@mkenigs
Contributor

mkenigs commented Apr 14, 2022

@cgwalters this is lower priority than anything we want to demo, but I'd like to rework my PR on top of this one. Do you think you'll want to merge as is or make more changes here?

@cgwalters
Member Author

Well I agree that getFIPS would be better, I just didn't get around to it. Probably makes sense to merge the two PRs, do you want to take this commit as a base and build on it, then close this PR?

@mkenigs
Contributor

mkenigs commented Apr 14, 2022

I'd say merge this and then maybe I'll factor out getFIPS in my PR. Unless we're going to do a merge of master into layering, can you make this against layering and then we can cherry pick?

I am still curious about whether we want to error if MachineConfigEncapsulatedPath has the wrong value of FIPS. Is that even reachable?

@mkenigs
Contributor

mkenigs commented Apr 14, 2022

Factored out getFIPS on my branch
bf0b4ec

@kikisdeliveryservice
Contributor

adding a hold as this uses the deprecated errors package removed in:
#2868

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 14, 2022
@mkenigs
Contributor

mkenigs commented Apr 21, 2022

/hold cancel
#2868 merged
Do you want to merge this now @cgwalters ? And do you want this in layering or master?

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 21, 2022
@openshift-bot
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 20, 2022
@openshift-bot
Contributor

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 20, 2022
@openshift-bot
Contributor

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci openshift-ci bot closed this Sep 20, 2022
@openshift-ci
Contributor

openshift-ci bot commented Sep 20, 2022

@openshift-bot: Closed this PR.
