This part of the release notes:

https://puppet.com/docs/puppet/5.4/release_notes.html#fips-support

"When running Puppet 5.4.0 on a FIPS-enabled platform, Puppet modifies its 
default digest_algorithm and supported_checksum_types settings to exclude MD5, 
which is not a FIPS-compliant algorithm. By default, Puppet on FIPS uses SHA256 
when managing file resources, including filebuckets. This behavior also affects 
values returned by the fqdn_rand function."

I happened to read that as only affecting FIPS-enabled hosts given the start of 
the paragraph. NB, FIPS:

https://en.wikipedia.org/wiki/Federal_Information_Processing_Standards

At any rate, continuing. Nothing up the left sleeve, nothing up the right 
sleeve:

[root@puppetmaster1 ~]# facter fips_enabled
false

[root@puppetmaster1 ~]# cat /tmp/x.pp 
$a = fqdn_rand(60, 'abcd')
$b = fqdn_rand(60, 'bcde')
$c = fqdn_rand(60, 'cdef')
$d = fqdn_rand(60, 'defg')

notice("a is ${a}")
notice("b is ${b}")
notice("c is ${c}")
notice("d is ${d}")

With every open source puppet version from 5.0.0 to 5.3.5 (I checked with each 
one):

[root@puppetmaster1 ~]# puppet --version
5.3.5
[root@puppetmaster1 ~]# puppet apply /tmp/x.pp
Notice: Scope(Class[main]): a is 59
Notice: Scope(Class[main]): b is 33
Notice: Scope(Class[main]): c is 44
Notice: Scope(Class[main]): d is 16
Notice: Compiled catalog for puppetmaster1.me.com in environment production in 0.06 seconds
Notice: Applied catalog in 0.20 seconds

And with the latest open source puppet:

[root@puppetmaster1 ~]# puppet --version
5.4.0
[root@puppetmaster1 ~]# puppet apply /tmp/x.pp
Notice: Scope(Class[main]): a is 43
Notice: Scope(Class[main]): b is 27
Notice: Scope(Class[main]): c is 8
Notice: Scope(Class[main]): d is 40
Notice: Compiled catalog for puppetmaster1.me.com in environment production in 0.05 seconds
Notice: Applied catalog in 0.24 seconds

Going down the list of PUP tickets mentioning fqdn_rand(), PUP-8141 jumped out 
at me.

https://tickets.puppetlabs.com/browse/PUP-8141
https://github.com/puppetlabs/puppet/pull/6445/files

From the fqdn_rand.rb diff, lightly edited:

-    seed = Digest::MD5.hexdigest([self['::fqdn'],max,args].join(':')).hex
+    # We are consciously not using different hash algs based on fips mode here
+    # since the randomness is not guaranteed to be predictable for a given node
+    # It just needs to be unique for a given node
+    seed = Digest::SHA256.hexdigest([self['::fqdn'],max,args].join(':')).hex
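Review bot: the new comment justifies the change by saying the value "just needs to be unique for a given node", but fqdn_rand values also need to stay stable across upgrades, and replacing Digest::MD5 with Digest::SHA256 in the seed line changes the seed, and therefore the returned value, on every node regardless of FIPS mode (the 5.3.5 vs 5.4.0 runs above show this on a host with fips_enabled false). The comment should say so explicitly, e.g. "this changes every existing fqdn_rand result once", and the change needs a release-note entry that is not filed under the FIPS heading, since anything scheduled from fqdn_rand (cron minutes, splay offsets) will move on the first run after the upgrade. Minor: the three comment lines are missing their full stops.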

That handily explains that.

We have no fqdn_rand() usage where this change would cause unexpected behaviour 
so I'm a bit more relaxed now. Those were not the usual resources modified 
during a puppet-agent rpm update.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/20180226180407.6vi6ivrp4d72vbqn%40iniquitous.heresiarch.ca.
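The seed derivation quoted in the diff, reimplemented here as an added example (it is neither Puppet's own code nor the poster's) so the pre-5.4 MD5 path and the 5.4 SHA256 path can be run side by side on the same inputs. The host names and salt strings are constructed sample values, and the final draw through Ruby's Random is an assumption about how Puppet::Util turns the integer seed into a number, so the printed values will not match the puppetmaster1.me.com output above; what it does show is that both paths are deterministic, that the two seeds always differ, and that the drawn values shift for most node/salt pairs.

```ruby
# Added example, not Puppet's own code: reimplements the seed derivation shown
# in the quoted fqdn_rand.rb diff for both digest algorithms. Host names and
# salts used below are constructed sample inputs; the Random-based draw is an
# assumption about Puppet::Util's behaviour, not a copy of it.
require 'digest'

# Seed derivation as in the diff: join fqdn, max and the extra args with ':',
# hash the string, and turn the hex digest into a (large) integer with .hex.
# :md5 is the pre-5.4 behaviour, :sha256 the 5.4.0 behaviour.
def fqdn_rand_seed(fqdn, max, args, algorithm)
  digest = algorithm == :md5 ? Digest::MD5 : Digest::SHA256
  digest.hexdigest([fqdn, max, args].join(':')).hex
end

# Deterministic draw in 0...max from the seed. Assumed to mirror how Puppet
# consumes the seed; Ruby's Random accepts arbitrarily large integer seeds.
def fqdn_rand_with(fqdn, max, args, algorithm)
  Random.new(fqdn_rand_seed(fqdn, max, args, algorithm)).rand(max)
end

# Run both algorithms for every node/salt pair and report whether the value
# a manifest would see changes across the upgrade.
# Returns { [fqdn, salt] => [md5_value, sha256_value, changed?] }.
def compare_algorithms(fqdns, max, salts)
  result = {}
  fqdns.each do |fqdn|
    salts.each do |salt|
      old_v = fqdn_rand_with(fqdn, max, [salt], :md5)
      new_v = fqdn_rand_with(fqdn, max, [salt], :sha256)
      result[[fqdn, salt]] = [old_v, new_v, old_v != new_v]
    end
  end
  result
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample nodes; the post's own host was puppetmaster1.me.com.
  nodes = %w[node1.example.test node2.example.test]
  compare_algorithms(nodes, 60, %w[abcd bcde cdef defg]).each do |(fqdn, salt), (o, n, c)|
    puts format('%-20s %-5s md5=%2d sha256=%2d %s', fqdn, salt, o, n,
                c ? 'CHANGED' : 'same')
  end
end
```

Run it as a script to get one line per node/salt pair; a value can land on the same number under both algorithms by chance (a 1-in-60 event for max 60), which is why the comparison reports "same" rather than assuming every pair moves.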