Jira (PUP-9500) Puppet assumes client cert issuer is in the ca bundle downloaded from the server

2019-02-15 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-9500

Yeah, I was going to ask the same - do we even support such configurations of agents and servers having different certificate chains? How would that work in terms of certification flows?

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-2354) agent is confused about cert state

2019-01-03 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Unassigned

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-2354) agent is confused about cert state

2018-10-05 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-06 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7834

You are right - I too was indicating MarshalLoad has been implicitly enabled and hence had mistakenly wondered about cipher_test-v3.rb. My bad on cipher_test-v3.rb - for some reason these had ended up in my local puppet repo which I forgot to do a git status on.


Jira (PUP-7834) Change all calls to YAML.load into YAML.safe_load

2018-08-06 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7834

Wonder if we need to either disable Marshal.Load cop/rule or exclude cipher_test-v3.rb file (two instances that are not under any of the excluded folders)


Jira (PUP-8722) Agent Functions - Spike research Vault integration

2018-06-22 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8722

Henrik, you bring up a good point and while it has been on back of my mind had not given much thought due to bit of reluctance about this approach. To answer your question: unless the original identity used to authenticate to Vault is different, all tokens obtained with same identity would be equivalent in terms of access even though they are not bitwise same. My guess is that happens due to different timestamps and validity periods depending on when they are obtained.

So unfortunately since master does not have access to individual node/agent's keys (or any other form of Vault acceptable authentication information) all tokens would be 'same'. Am not sure how customers would take this as it might amount to reducing Vault solution to hiera/eyaml model. One can play with making token validity fairly short but may not be able to entirely avoid overlaps.

Had tokens been agent unique, as you indicated, that should have been ok as organizations can trust master to behave correctly.

If we are to engineer provisioning agent specific Vault authentication credentials on server then we might as well do that directly to agents.

Here is my thinking:

We introduce a new agent side config parameter something like VaultAuthMethod.

1. Rev1 (baby step) - We implement/support certificate based authentication to Vault where agents would be responsible for getting their tokens from Vault directly. If customers have an existing PKI it should still be possible for agents to use their Puppet CA issued certificates so long as Puppet CA is chained to their PKI.
2. Rev 2 - We support authenticating using any of the other 'similar' authentication methods with the expectation that user (customer) would be responsible for making those credentials available on the agent/node. Like for eg. LDAP, Okta, RADIUS, simple username/password use same form of credentials. We certainly can take up Puppet-izing of these credential provisioning as a next step in future but needs careful thought and may require inputs from customers as the approaches/preferences are likely to vary. Thinking it can be provided as a PS.
3. Rev 3 - Either we provide support for other exotic forms of authentication methods or offer PS to do it.

Jira (PUP-8722) Agent Functions - Spike research Vault integration

2018-06-21 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8722

Me and Henrik were discussing these very same issues in PUP-8723. I have some questions (concerns) around having PuppetServer obtaining tokens from Vault and letting agents grab them from it (one of the options proposed) as it kinda defeats the purpose customers want to use Vault for (where you want to keep access to secrets to intended parties only). I have some thoughts on what we (Puppet) can/should do about agents authenticating to Vault and/or obtaining tokens that I noted in above ticket (but will add some more soon).

And same q's around whether to use our HTTP Client or their ruby client. My somewhat uninformed and gut feeling was to use the former (else it would be one more http client to manage etc). Of course the latter has some advantages and it provides some abstracted level of functionality and can keep up with changing Vault API specs. No strong preferences.

I did verify that Vault can work with Puppet CA issued certificates fine.


Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-06-15 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8723

Indeed and I already have tested Vault configured to use PuppetCA and its issued certificates. And yes setting up appropriate authorizations in Vault would need to be done separately (am guessing outside of Puppet or maybe whoever could write a module etc. to automate it via Puppet).

Coming to the question of provisioning the individual nodes (agents) with necessary credentials (if/when using anything other than Puppet certificates) to be able to authenticate to Vault, I am wondering if it should be left as an exercise to the user. I was just concerned since there are & could be multitude of ways/options and whatever we try to provide is not likely to satisfy a good portion of users/customers. Creating an intermediary potentially having access to all secrets seems to go against the paradigm/model that users/customers try to go for secret management solutions like Vault (else why not just use hiera/e-yaml). But that was just my personal opinion.

All said, I don't have any strong feelings against we providing/implementing either a mechanism to provision some other form of vault credentials on agents or hosting a rest endpoint on puppetserver to get tokens etc.

Jira (PUP-8723) Agent Functions - Create Vault deferred evaluation

2018-06-13 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8723

Fair - we cannot dictate any particular authentication methods customers should use with Vault.

On the second bullet point, I recall some discussion earlier (think in the RichData and Late Binding document) where I wanted to know if we might take this approach where PuppetServer (or any Puppet entity) would act as an intermediary brokering requests to Vault which is what this seems like. As a side effect it would have access to all secrets and that time we seemed to prefer the other alternative - where only the intended recipients (nodes) would have access to their secrets (where they would authenticate to Vault or whichever secret store directly) and no one else.

I realize that the agents/nodes need to be provisioned with the necessary credentials to be able to authenticate to Vault and depending on the form of authentication used, this intermediary model seems un-avoidable (where PuppetServer would inherently end up having access to all secrets) except in cases like certificate auth. And if we chose to support one, as you suggest, then certificate looked like a natural choice.

Jira (PUP-8722) Agent Functions - Spike research Vault integration

2018-06-06 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-1688) When applying a mode of 0466 on Windows, a mode of 0666 is applied instead

2018-05-15 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-1688

Disregard if this is off but based on my limited review qualified take is - this looks ok particularly for this mode mapping. I would be less concerned with owner ending up with a write access (when group/others have that access).


Jira (PUP-8663) http_keepalive_timeout setting doesn't work correctly under Ruby 2.x

2018-05-03 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8663

Disregard if you were already planning to do the needful ... but per Sean's email we might see a CI on 1.10.x PA and neither automatic merge-ups. You may want to merge this to 5.5.x assuming it is meeting the criteria to go to 1.10.x or 5.3.x. thx


Jira (PUP-8558) Remove ability to enable non-strict mode in PMT

2018-05-01 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8558

Jorie Tappa Could you pl either add release notes or say not needed as may be the case? The QA tab says "Needs Assessment"; pl let know if it can be moved to Done since it has passed CI once you take care of the release notes?


Jira (FACT-1504) Uptime resolver fact for Windows uses unreliable metric for uptime

2018-03-15 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Change By: Jayant Sane
Release Notes Summary: Windows uptime fact now uses GetTickCount64 which is more reliable, minimizes clock skews, and offers better resolution than the earlier method of computing using WMI BootUptime which has proved to be error prone.
Release Notes: Bug Fix


Jira (PUP-8469) fqdn_rand should use md5 on non-fips enabled hosts

2018-03-07 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

It also restores the behavior of fqdn_rand to that in versions before 5.4.0 when running on non-fips enabled hosts.

Change By: Jayant Sane
Release Notes Summary: fqdn_rand uses SHA256 to compute seed/rand when running on FIPS enabled hosts which is a change from using MD5 on non-fips enabled hosts. So a given host will yield different fqdn_rand values when in fips mode and when not in fips mode.
Release Notes: New Feature

Jira (PUP-8469) fqdn_rand should use md5 on non-fips enabled hosts

2018-02-20 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (FACT-1504) Uptime resolver fact for Windows uses unreliable metric for uptime

2018-02-20 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-8469) fqdn_rand should use md5 on non-fips enabled hosts

2018-02-16 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-8021) Puppet needs to support all FIPS approved hash algs

2018-02-14 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Change By: Jayant Sane
Release Notes Summary: Puppet now supports SHA 224, 256, 384, 512 hash algorithms for file checksums and digital signatures.


Jira (PUP-8141) Replace hardcoded use of md5 for FIPS compliance

2018-01-31 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Change By: Jayant Sane
QA Risk Assessment: Needs Assessment No Action


Jira (PUP-8356) Replace use of facter for detecting fips mode with a local method

2018-01-31 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Change By: Jayant Sane
QA Risk Assessment: Needs Assessment No Action


Jira (HI-587) Enable testing hiera acceptance tests on platforms in FIPS mode

2018-01-31 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-8378) Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

2018-01-30 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8378

Submitted PR: https://github.com/puppetlabs/puppet/pull/6581


Jira (PUP-8378) Intercept use of any prohibited algorithms/operations in FIPS mode to provide graceful error messages

2018-01-23 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Issue Type: Task
Assignee: Jayant Sane
Components: Platform
Created: 2018/01/23 9:09 AM
Fix Versions: PUP 5.4.0
Priority: Normal
Reporter: Jayant Sane

Puppet 5.4.0: N/A: Redhat7- FIPS mode:

FIPS mode prohibits use of certain algorithms e.g. MD5 (as applicable to puppet currently) and any attempt to use them results in abrupt program termination or abort. While customers using Puppet agents on FIPS mode platforms should be aware of such limitations there might be un-intentional usages which will result in user un-friendly errors.

We need to intercept any such prohibited usages at runtime and provide graceful error messages.

Create a manifest with a file resource while setting its checksum attribute to md5 and attempt applying it on agent in fips mode.

Expected: Provide a graceful error while disallowing the operation.
Actual: Error "md5_dgst.c(82): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode! Aborted" 
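
One way to get the graceful failure this ticket asks for, as an added Ruby example that is not Puppet's code: check the requested checksum type against the host's FIPS state before any digest object is created, and raise an ordinary exception instead of reaching the OpenSSL assertion. The module and error class names and the `/proc/sys/crypto/fips_enabled` probe are assumptions for illustration, and the sample resources are constructed.

```ruby
require 'openssl'

# Hypothetical error type: a normal, rescuable exception in place of the
# OpenSSL assertion that aborts the whole process.
class FipsProhibitedAlgorithm < StandardError; end

# Hypothetical module; not part of Puppet.
module FipsChecksum
  # MD5 is the prohibited algorithm the ticket names; the SHA-2 sizes are the
  # ones PUP-8021 lists for file checksums.
  PROHIBITED_IN_FIPS = %w[md5].freeze
  SUPPORTED = %w[md5 sha224 sha256 sha384 sha512].freeze

  # Assumption: on Linux the kernel reports FIPS state in this file. This is
  # one possible local probe, not necessarily the one Puppet uses.
  FIPS_FLAG = '/proc/sys/crypto/fips_enabled'

  def self.fips_host?(flag_path = FIPS_FLAG)
    File.read(flag_path).strip == '1'
  rescue SystemCallError
    false # file absent or unreadable: treat the host as non-FIPS
  end

  # Validate first, so a prohibited digest is never instantiated.
  def self.validate!(algorithm, fips:)
    name = algorithm.to_s.downcase
    unless SUPPORTED.include?(name)
      raise ArgumentError, "unknown checksum type '#{algorithm}'"
    end
    if fips && PROHIBITED_IN_FIPS.include?(name)
      allowed = (SUPPORTED - PROHIBITED_IN_FIPS).join(', ')
      raise FipsProhibitedAlgorithm,
            "checksum type '#{name}' is prohibited in FIPS mode; use one of: #{allowed}"
    end
    name
  end

  def self.hexdigest(algorithm, data, fips: fips_host?)
    OpenSSL::Digest.new(validate!(algorithm, fips: fips)).hexdigest(data)
  end

  # Evaluate a list of file resources so that one bad resource is reported
  # and skipped while the rest are still processed.
  def self.apply(resources, fips: fips_host?)
    resources.map do |res|
      begin
        { title: res[:title], status: :ok,
          checksum: hexdigest(res[:checksum], res[:content], fips: fips) }
      rescue FipsProhibitedAlgorithm, ArgumentError => e
        { title: res[:title], status: :failed, error: e.message }
      end
    end
  end
end

# Constructed sample resources mirroring the reproduction step in the ticket.
SAMPLE_RESOURCES = [
  { title: '/tmp/a.txt', checksum: 'md5',    content: 'abc' },
  { title: '/tmp/b.txt', checksum: 'sha256', content: 'abc' }
].freeze

if $PROGRAM_NAME == __FILE__
  FipsChecksum.apply(SAMPLE_RESOURCES, fips: true).each { |r| puts r.inspect }
end
```

Passing `fips:` explicitly makes the refusal path testable on a non-FIPS development host.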

Jira (FACT-1504) Uptime resolver fact for Windows uses unreliable metric for uptime

2018-01-18 Thread Jayant Sane (JIRA)
Jayant Sane commented on FACT-1504

So I changed the uptime fact windows implementation to return GetTickCount64()/1000 and it seems to pass adhoc PA CI (https://jenkins-master-prod-1.delivery.puppetlabs.net/view/puppet-agent/view/ad-hoc/job/platform_puppet-agent-extra_puppet-agent-integration-suite_adhoc-ad_hoc/58/). It is passing all facter tests on all windows versions. There are pxp-agent failures on all targets, incl non-windows, due to what looks like env issues or transiences and not related to uptime fact.

If that is reasonable I can put up a PR.


Jira (PUP-8356) Replace use of facter for detecting fips mode with a local method

2018-01-16 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-8356) Replace use of facter for detecting fips mode with a local method

2018-01-16 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8356

Re: Replace use of facter for detecting fips mode with a local method

PR: https://github.com/puppetlabs/puppet/pull/6532


Jira (PUP-8356) Replace use of facter for detecting fips mode with a local method

2018-01-16 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Puppet / PUP-8356
Replace use of facter for detecting fips mode with a local method

Issue Type: Task
Assignee: Jayant Sane
Created: 2018/01/16 8:57 AM
Fix Versions: PUP 5.4.0
Priority: Normal
Reporter: Jayant Sane

Puppet Version: master branch (going into 5.4.0 release)
Puppet Server Version: 5.1.x
OS Name/Version: N/A

PUP-8141 adjusts use of md5 based on whether fips mode is enabled or not. Some of these changes are in Puppet settings. FIPS mode detection was done using facter. However, Puppet is also used by Puppet Server, which does not have the ability to load facter due to some missing dependencies and its use of an older version of facter (which does not have support for the FIPS fact). It should be noted that this is not an issue in production but on dev systems when running puppet server from sources.

This ticket is to replace the use of facter to detect FIPS mode with a local method, which will duplicate the functionality in facter, to do the same. Temporarily a workaround was created in puppetserver per this PR: https://github.com/puppetlabs/puppetserver/pull/1597

Jira (PUP-4963) "puppet module build" fails on FIPS-enabled system

2018-01-08 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-4963
"puppet module build" fails on FIPS-enabled system

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2018-01-08 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-7513) Explore puppet-server and PE service FIPS compliance options

2018-01-08 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-7513
Explore puppet-server and PE service FIPS compliance options

Change By: Jayant Sane
Fix Version/s: PUP 5.4.0
Fix Version/s: PUP 5.y


Jira (PUP-1445) Certificate generation makes poor fingerprint digest algorithm selection

2018-01-08 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-1445
Certificate generation makes poor fingerprint digest algorithm selection

Change By: Jayant Sane
Fix Version/s: PUP 5.4.0
Fix Version/s: PUP 5.y


Jira (PUP-1146) Allow control over the digest used to create CA certificates

2018-01-08 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-1146
Allow control over the digest used to create CA certificates

Change By: Jayant Sane
Fix Version/s: PUP 5.4.0
Fix Version/s: PUP 5.y


Jira (PUP-7512) Explore FIPS certification of our openssl

2018-01-08 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-7512
Explore FIPS certification of our openssl

Change By: Jayant Sane
Fix Version/s: PUP 5.4.0
Fix Version/s: PUP 5.y


Jira (PUP-8141) Replace hardcoded use of md5 for FIPS compliance

2017-12-12 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8141

Re: Replace hardcoded use of md5 for FIPS compliance

Submitted PR: https://github.com/puppetlabs/puppet/pull/6445


Jira (PUP-8066) Failing acceptance tests in FIPS mode

2017-12-12 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8066

Re: Failing acceptance tests in FIPS mode

Submitted PR: https://github.com/puppetlabs/puppet/pull/6445


Jira (PUP-8021) Puppet needs to support all FIPS approved hash algs

2017-12-11 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-8021
Puppet needs to support all FIPS approved hash algs

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-8148) Puppet acceptance tests fail when using sha256 hash alg

2017-12-11 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-8148
Puppet acceptance tests fail when using sha256 hash alg

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (FACT-1802) Add support for FIPS fact on Linux/RHEL

2017-12-05 Thread Jayant Sane (JIRA)
Jayant Sane commented on FACT-1802

Re: Add support for FIPS fact on Linux/RHEL

Submitted PR: https://github.com/puppetlabs/facter/pull/1677


Jira (FACT-1802) Add support for FIPS fact on Linux/RHEL

2017-12-05 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Facter / FACT-1802
Add support for FIPS fact on Linux/RHEL

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (FACT-1802) Add support for FIPS fact on Linux/RHEL

2017-12-05 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Facter / FACT-1802
Add support for FIPS fact on Linux/RHEL

Change By: Jayant Sane
Story Points: 2


Jira (FACT-1802) Add support for FIPS fact on Linux/RHEL

2017-12-01 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Facter / FACT-1802
Add support for FIPS fact on Linux/RHEL

Change By: Jayant Sane
Summary: Add support for FIPS fact on Linux/RHEL


Jira (FACT-1802) Add support FIPS fact on Linux/RHEL

2017-12-01 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Facter / FACT-1802
Add support FIPS fact on Linux/RHEL

Issue Type: New Feature
Assignee: Unassigned
Created: 2017/12/01 4:09 PM
Priority: Normal
Reporter: Jayant Sane

This fact will enable checking for platforms running in FIPS mode. It could be used to adjust certain agent or acceptance test behaviors at run time. Presently this would only return a boolean indicating whether the platform is running in FIPS mode or not. Additional FIPS relevant information may be added in future.

Jira (PUP-8066) Failing acceptance tests in FIPS mode

2017-11-13 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-8066
Failing acceptance tests in FIPS mode

Change By: Jayant Sane
Team: Security


Jira (PUP-5831) Add a Binary type and runtime object

2017-11-13 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-5831

Re: Add a Binary type and runtime object

Pardon the vague nature of my q but some time back I had heard PDB does not have necessary support for binary types in this context. Is that still the case?


Jira (PUP-8148) Puppet acceptance tests fail when using sha256 hash alg

2017-11-13 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8148

Re: Puppet acceptance tests fail when using sha256 hash alg

We plan to list "file bucket incompatibility" in release notes for FIPS enabled agents.

This should be re-tested in CI where both agent and master hosts have their digest algorithm adjusted prior to running any tests. Running it in CI should hopefully make the issue of not starting on clean slate a non-issue. We are aware of some acceptance tests hardcoding md5 based checks - those need to be changed so they pay heed to the currently configured digest algorithm.


Jira (PUP-8141) Replace hardcoded use of md5 for FIPS compliance

2017-11-09 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-8141
Replace hardcoded use of md5 for FIPS compliance

Change By: Jayant Sane

Acceptance Criteria:
All puppet flows, except any module flows, should work in a mixed environment: Current puppet agents (not running in FIPS) w/ and without FIPS agents. Specifically:
- Master's global digest_algorithm can be default md5
- FIPS versions of agents should be provisioned using file resource with different source attributes of http, puppet and from within a module.
- If possible case of upgrading existing agent to FIPS version


Jira (PUP-8141) Replace hardcoded use of md5 for FIPS compliance

2017-11-09 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Puppet / PUP-8141
Replace hardcoded use of md5 for FIPS compliance

Issue Type: Task
Assignee: Jayant Sane
Created: 2017/11/09 11:47 AM
Priority: Normal
Reporter: Jayant Sane

There are a couple of instances where MD5 is being hard coded in puppet. FIPS compliant versions of agents need to use one of the FIPS approved algorithms instead. Following places need to be changed:
1. Agents processing file resources specifying http as their source need to be able to accept checksums computed using hash alg other than md5.
2. fqdn_rand
3. Files synched to agents via the plugin-sync mechanism are checksummed using md5. That needs to be overridden to use a FIPS approved alg.

Jira (PUP-8066) Failing acceptance tests in FIPS mode

2017-11-06 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8066

Re: Failing acceptance tests in FIPS mode

Once there is proper platform support for FIPS the above set of passing tests would need to be adjusted to have their fips mode of operation based on the platform.


Jira (PUP-8110) Certificate signing request using sha384, sha512 spec test fail

2017-10-31 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Puppet / PUP-8110
Certificate signing request using sha384, sha512 spec test fail

Issue Type: Bug
Assignee: Unassigned
Created: 2017/10/31 1:39 PM
Priority: Minor
Reporter: Jayant Sane

We recently added support for following FIPS approved hash algorithms: SHA384, SHA512, SHA224. See PUP-8021

Relevant spec tests were updated to exercise these new algorithms. However it was found that tests for signing certificate requests using either of sha384 or sha512 fail when run from within spec. Equivalent code when run as a ruby script works fine.

This currently is not an issue, nor is it blocking any functionality or flows. However, it should be investigated and resolved.

Jira (PUP-8066) Failing acceptance tests in FIPS mode

2017-10-27 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-8066

Re: Failing acceptance tests in FIPS mode

Update: Below tests pass when executing in FIPS mode -
- acceptance/tests/puppet_apply_a_file_should_create_a_file_and_report_the_md5.rb
- acceptance/tests/ticket_1334_clientbucket_corrupted.rb
- acceptance/tests/ticket_6541_invalid_filebucket_files.rb

All module related tests (under tests/modules/) cannot be really fixed or executed w/o requiring changes to forge and how module checksums are managed. That is because all module checksums use md5 in a hardcoded manner. It is not enough for us to just change the hardcoded use of md5 to something FIPS friendly because forge has already published modules with md5 checksums. Two things need to happen:
a) Forge needs to re-publish all modules with two checksums md5 and sha256. (this is primarily for not mandating all agents to use sha256 for handling module checksums)
b) agents need to be able to handle and maintain modules with more than one checksum for each supported hash alg.

File resources using http urls and their handlers need to be updated to recognize a different hash alg than the currently hard coded md5. It is not clear what needs to change more on agent side when requesting files so as to use/send a non-md5 hash.

File bucket feature in general may not be available for FIPS enabled agents unless the file bucket code is updated to handle any hash alg on the fly. Currently there exists a setting which updates the digest_algorithm used by file bucket on master but setting it to something other than the default md5 will likely break agents configured to use md5.

fqdn_rand is another place needing some change so as to support additional algs than md5. It is used to produce a unique agent fingerprint based on its fqdn. It is not clear who invokes this functionality and how, which also is likely to require corresponding changes to use/specify a fips friendly hash alg. None of the above identified tests quite correspond to this but it is something that needs to change.

Separate epic + tickets would be created to track above work.

Jira (PUP-8066) Failing acceptance tests in FIPS mode

2017-10-27 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-8066
Failing acceptance tests in FIPS mode

Change By: Jayant Sane
Story Points: 4


Jira (PUP-8066) Failing acceptance tests in FIPS mode

2017-10-27 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-8066
Failing acceptance tests in FIPS mode

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-10-20 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-3114
Puppet needs to use default keylength 2048 on FIPS enabled systems

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-8066) Failing acceptance tests in FIPS mode

2017-10-17 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Puppet / PUP-8066
Failing acceptance tests in FIPS mode

Issue Type: Bug
Assignee: Unassigned
Created: 2017/10/17 3:19 PM
Environment: redhat-7
Priority: Normal
Reporter: Jayant Sane

Following acceptance tests fail when running in FIPS mode using PA linked against system openssl.
- acceptance/tests/face/loadable_from_modules.rb
- acceptance/tests/loader/func4x_loadable_from_modules.rb
- acceptance/tests/modules/build/build_agent.rb
- acceptance/tests/modules/build/build_should_not_create_changes.rb
- acceptance/tests/modules/install/basic_install.rb
- acceptance/tests/modules/install/with_version.rb

Jira (HI-587) Enable testing hiera acceptance tests on platforms in FIPS mode

2017-10-16 Thread Jayant Sane (JIRA)

Jayant Sane commented on HI-587

Re: Enable testing hiera acceptance tests on platforms in FIPS mode

Valid question but it was indicated to me that there be a clean run through all PA CI pipeline tests (that happen to also include hiera tests) with agent hosts configured in FIPS mode for whoever to be able to accept the other FIPS related changes in all other affected repos plus I guess it is good to have our CI enabled to be able to test PA for FIPS on demand. All hiera changes would hopefully be confined to the acceptance test scripts - mainly the install step as against actual code. FIPS compliant PA is very desirable to some (potential) customers if it does not get mandated sometime in future, at least so am told, and it is an important deliverable on my plate. So the short answer is - Am doing it since PA 5.x uses whatever version(s) of hiera and has its own set of acceptance tests that are exercised in current CI which now need to run in FIPS mode.


Jira (HI-587) Enable testing hiera acceptance tests on platforms in FIPS mode

2017-10-14 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Hiera / HI-587
Enable testing hiera acceptance tests on platforms in FIPS mode

Issue Type: Task
Assignee: Unassigned
Created: 2017/10/14 2:28 PM
Priority: Normal
Reporter: Jayant Sane

It should be possible to run hiera acceptance tests on platforms in FIPS mode. That translates into updating the install script to enable FIPS mode on agent's target platform.

Jira (FACT-1780) Enable testing PA on FIPS enabled systems

2017-10-14 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Facter / FACT-1780
Enable testing PA on FIPS enabled systems

Issue Type: Task
Assignee: Unassigned
Created: 2017/10/14 2:20 PM
Priority: Normal
Reporter: Jayant Sane

In order to run facter acceptance tests on platforms running in FIPS the acceptance install script needs to be updated to enable FIPS mode on agent host

Jira (PUP-8044) Enable testing PA built for FIPS on platforms in FIPS mode

2017-10-13 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-8044

Re: Enable testing PA built for FIPS on platforms in FIPS mode

PR: https://github.com/puppetlabs/puppet/pull/6271
Note - the changes are piggybacking the other changes in PA-7983 to upgrade openssl version on rhel7 which is a pre-requisite for this to work.


Jira (PUP-8049) Adjust or skip FIPS incompatible acceptance tests when running in FIPS mode

2017-10-13 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Puppet / PUP-8049
Adjust or skip FIPS incompatible acceptance tests when running in FIPS mode

Issue Type: Task
Assignee: Unassigned
Created: 2017/10/13 12:25 PM
Priority: Normal
Reporter: Jayant Sane

The following tests were identified to be incompatible with FIPS mode of operation due to their use of md5. They need to be either skipped or adjusted to use one of the FIPS approved hash algorithms.

tests.puppet_apply_a_file_should_create_a_file_and_report_the_md5.rb
tests.ticket_1334_clientbucket_corrupted.rb
tests.ticket_6541_invalid_filebucket_files.rb
tests/face.loadable_from_modules.rb
tests/loader.func4x_loadable_from_modules.rb
tests/parser_functions.calling_all_functions.rb
tests/modules/build.build_agent.rb
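
The skip-or-adjust decision this ticket describes, as an added Ruby example that is not part of the thread or of Puppet's code: it reads the kernel FIPS flag, maps a requested checksum type to an approved one, and classifies tests accordingly. The helper names, the sample test names and the sha256 fallback are assumptions of the example.

```ruby
require 'digest'
require 'digest/md5'
require 'digest/sha2'

# Hash algorithms the thread names as usable under FIPS; md5 is the one it
# reports as rejected.
FIPS_APPROVED = %w[sha256 sha384 sha512].freeze
DIGESTS = {
  'md5'    => Digest::MD5,
  'sha256' => Digest::SHA256,
  'sha384' => Digest::SHA384,
  'sha512' => Digest::SHA512
}.freeze

# Linux publishes the kernel FIPS flag here; `sysctl crypto.fips_enabled`
# reports the same value.
FIPS_FLAG_PATH = '/proc/sys/crypto/fips_enabled'

# True only when the flag file exists and contains "1". A missing file
# (non-Linux host, kernel without the flag) counts as "not in FIPS mode".
def fips_enabled?(flag_path = FIPS_FLAG_PATH)
  File.read(flag_path).strip == '1'
rescue SystemCallError
  false
end

# Returns the algorithm to use. Under FIPS an unapproved request is replaced
# by `fallback` (sha256 is this example's assumption, not a Puppet default).
def effective_algorithm(requested, fips:, fallback: 'sha256')
  algo = requested.to_s.downcase
  raise ArgumentError, "unknown checksum type: #{requested}" unless DIGESTS.key?(algo)
  return algo if !fips || FIPS_APPROVED.include?(algo)
  raise ArgumentError, "fallback #{fallback} is not FIPS approved" unless FIPS_APPROVED.include?(fallback)

  fallback
end

# Checksum in "{type}hexdigest" form, so the algorithm actually used is
# visible in the value a test compares against.
def checksum(content, requested, fips:)
  algo = effective_algorithm(requested, fips: fips)
  "{#{algo}}#{DIGESTS.fetch(algo).hexdigest(content)}"
end

# Decide per test: :run unchanged, :adjust (the algorithm is a parameter, so
# swap it), or :skip (an md5 value is hard-coded in the expectation).
def plan_tests(tests, fips:)
  tests.to_h do |t|
    action =
      if !fips || FIPS_APPROVED.include?(t[:checksum]) then :run
      elsif t[:parameterised] then :adjust
      else :skip
      end
    [t[:name], action]
  end
end

# Constructed sample data; these are not the tests listed in the ticket.
SAMPLE_TESTS = [
  { name: 'file_report_checksum.rb',  checksum: 'md5',    parameterised: true  },
  { name: 'bucket_fixture_lookup.rb', checksum: 'md5',    parameterised: false },
  { name: 'catalog_sha256.rb',        checksum: 'sha256', parameterised: true  }
].freeze

if __FILE__ == $PROGRAM_NAME
  fips = fips_enabled?
  puts "FIPS mode: #{fips}"
  plan_tests(SAMPLE_TESTS, fips: fips).each do |name, action|
    puts "#{action.to_s.ljust(6)} #{name}"
  end
  puts checksum("hello\n", 'md5', fips: fips)
end
```

Passing the flag path as an argument lets the same logic be exercised on a host that is not in FIPS mode.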
 


Jira (PUP-8044) Enable testing PA built for FIPS on platforms in FIPS mode

2017-10-11 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Puppet / PUP-8044
Enable testing PA built for FIPS on platforms in FIPS mode

Issue Type: Task
Assignee: Jayant Sane
Created: 2017/10/11 9:19 AM
Priority: Normal
Reporter: Jayant Sane

Set the agent host node prior to running acceptance tests into FIPS mode on following platforms: rhel7, rhel6, fedora24, fedora25

Jira (PUP-7983) Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

2017-10-09 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7983

Re: Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

PR: https://github.com/puppetlabs/puppet/pull/6271


Jira (PUP-7983) Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

2017-10-09 Thread Jayant Sane (JIRA)

Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-7983
Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (HI-585) Test PA built against system openssl in CI test pipelines

2017-10-09 Thread Jayant Sane (JIRA)

Jayant Sane commented on HI-585

Re: Test PA built against system openssl in CI test pipelines

PR: https://github.com/puppetlabs/hiera/pull/408


Jira (FACT-1774) Enable testing PA built against system openssl in CI test pipelines on RHEL platform

2017-10-09 Thread Jayant Sane (JIRA)

Jayant Sane commented on FACT-1774

Re: Enable testing PA built against system openssl in CI test pipelines on RHEL platform

PR: https://github.com/puppetlabs/facter/pull/1659


Jira (PUP-7983) Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

2017-10-06 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7983

Re: Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

As noted in the linked epic, the following was done to facilitate testing PA linked against openssl on RHEL platforms.

1. RHEL7: Openssl lib patch revision on rhel7 is lower than what is on centos7. PA is built on centos7 but tested on rhel7. This causes failures.
   Workaround: Upgrade openssl to a patch revision that is >= that on Centos7 on all RHEL7 platforms (including agent and master hosts) that get used by CI during any testing.
2. RHEL 6: It was observed that PA built against system openssl on Centos 6 works fine on RHEL6 w/o needing any openssl adjustments.

Latest status: All steps till 9 in the adhoc PA CI pipeline succeed on RHEL 6 and 7 platforms for PA linked against system openssl. Cause of the failure of "Create PEZ build" step in CI is being investigated.


Jira (PUP-7983) Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

2017-10-06 Thread Jayant Sane (JIRA)

Jayant Sane updated an issue

Puppet / PUP-7983
Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

Change By: Jayant Sane

Testing PA built against system openssl thru CI has turned into quite a non-trivial exercise. First attempt resulted in some tests failing on the master host that CI sets up. Ironically, such agents have been able to get their certificate signed by the master fine when set up manually. That led to reproducing the failure using beaker locally. Testing using beaker led to a different failure during the pre-suite/setup step of PA acceptance tests. Managed to overcome that by customizing pre-suite scripts in puppet. Now need to use this custom version of puppet when launching CI. Let's see how long this goes on... All to get a PA CI test passing certificate to be able to submit PR in puppet to enable building against system openssl.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-10-04 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Managed to get past that after adjusting some setup scripts to bump up openssl versions when running on RHEL (the specific patch revision on RHEL images we use causes failures when running agent). Though there still are some other unrelated hiccups in our CI past.


Jira (PUP-8021) Puppet needs to support all FIPS approved hash algs

2017-10-04 Thread Jayant Sane (JIRA)

Jayant Sane updated an issue

Puppet / PUP-8021
Puppet needs to support all FIPS approved hash algs

Change By: Jayant Sane
Summary: "Puppet needs to support SHA384 for use in FIPS" changed to "Puppet needs to support all FIPS approved hash algs"


Jira (PUP-8021) Puppet needs to support SHA384 for use in FIPS

2017-10-04 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-8021

Re: Puppet needs to support SHA384 for use in FIPS

PR: https://github.com/puppetlabs/puppet/pull/6268


Jira (PUP-8021) Puppet needs to support SHA384 for use in FIPS

2017-10-03 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Puppet / PUP-8021
Puppet needs to support SHA384 for use in FIPS

Issue Type: New Feature
Assignee: Jayant Sane
Created: 2017/10/03 3:10 PM
Priority: Normal
Reporter: Jayant Sane

FIPS requires supporting sha384 besides sha256 (and sha512) and Puppet needs to have support for it to enable its use in FIPS enabled environments.

Jira (PUP-1935) puppetd ignores local ca.pem when connecting to master for the first time

2017-10-03 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-1935

Re: puppetd ignores local ca.pem when connecting to master for the first time

Is this the latest status or any changes since?


Jira (PUP-7983) Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

2017-10-03 Thread Jayant Sane (JIRA)

Jayant Sane updated an issue

Puppet / PUP-7983
Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes

Change By: Jayant Sane
Summary: "Test puppet-agent built against system openssl in PA CI pipes" changed to "Enable testing puppet-agent built against system openssl on RHEL in PA CI pipes"


Jira (FACT-1774) Enable testing PA built against system openssl in CI test pipelines on RHEL platform

2017-10-02 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Facter / FACT-1774
Enable testing PA built against system openssl in CI test pipelines on RHEL platform

Issue Type: Task
Assignee: Jayant Sane
Created: 2017/10/02 9:11 PM
Priority: Normal
Reporter: Jayant Sane

There are some failures when testing PA, built against openssl, in CI pipelines on RHEL targets. The issue is due to the rhel images having older patch version of openssl package. The install scripts in various project specific acceptance setup need to be changed to upgrade the openssl lib versions.

Jira (HI-585) Test PA built against system openssl in CI test pipelines

2017-10-02 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Hiera / HI-585
Test PA built against system openssl in CI test pipelines

Issue Type: Task
Assignee: Jayant Sane
Created: 2017/10/02 4:38 PM
Priority: Normal
Reporter: Jayant Sane

There are some failures when testing PA, built against openssl, in CI pipelines on RHEL targets. The issue is due to the rhel images having older patch version of openssl package.
The install scripts in various project specific acceptance setup need to be changed to upgrade the openssl lib versions.

Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-28 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Thanks.

That is good news as well as interesting. I have stumbled upon some strange failures when attempting to use PA on RHEL 7 which was built on Centos 7 (against system openssl). This was w/o even enabling FIPS mode. I looked at some plausible reasons but nothing obvious turns up. Both centos7 and rhel7 have 1.0.1e version of system openssl libs. Based on the failures the behavior appears to originate from ruby (openssl.so) and libcurl.so. I wrote a test C application using openssl to do some things on SSL context, including generating rsa keys etc. Followed same sequence as above - compiled on centos7 and executed on rhel7. It works fine and so does vice versa - compiled on rhel7 and executed on centos7. Even if I figure out the exact cause in the above suspect components, I would be concerned if we might see any such or unexpected behaviors down the line across different versions of openssl and/or platforms. Not to mention the maintenance overhead it might introduce as we may need to maintain 'fixed' versions of ruby and/or curl.

One obvious/logical workaround for the above issue seemed like - compile PA on RHEL when targeting RHEL. I tried that but it actually gets worse. Installing openssl development package on RHEL bumps the versions of system openssl libraries. It moved from 1.0.1e to 1.0.2k. Since only minor version changed, thought it might not be that bad - all relevant PA, including ruby, curl etc., binaries link against libssl.so.10 & libcrypto.so.10 (SONAMEs). But despite that openssl.so (ruby) and libcurl.so.xxx latch to version 1.0.2 of openssl libs. So now if you attempt to use the PA compiled on RHEL7 on another RHEL 7 system w/o openssl development package installed, it would not work since the openssl libs version would be still at 1.0.1e.

All said, though, since it seems to work for you (PA compiled on Centos runs on RHEL), I wonder if there is any difference across the RHEL images you use compared to what we use. I think I just answered myself: I tried using Centos7 compiled PA on a RHEL7 that was provisioned on different infrastructure (openstack). That seems to work fine - at least the specific failure seen above is not seen. Encouraging it sounds but also worrisome as it just could be one of those waiting to fail type of issues depending on what our customers might have.

I would also like to request you to test Puppet agent 5.x to see if it still works in case there is anything different from PA 4.x that you have (though it just might be a data point w/o necessarily providing anything helpful to triage it). This is not urgent now that I may be able to do some testing using the 'right kind' of RHEL systems

Jira (PUP-7983) Test puppet-agent built against system openssl in PA CI pipes

2017-09-26 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7983

Re: Test puppet-agent built against system openssl in PA CI pipes

Update/Observations.

C programs compiled against system openssl on centos platforms work fine on redhat platform. Specifically can generate RSA keypairs which was seen as a failure (below) when running puppet agent on redhat-7:

    [root@kas2k1tny7z5nxw bin]# puppet agent -t
    Info: Creating a new SSL key for kas2k1tny7z5nxw.delivery.puppetlabs.net
    Error: Could not request certificate: SSL_CTX_set_ecdh_auto
    Exiting; failed to retrieve certificate and waitforcert is disabled

Native ruby scripts when run on redhat can generate a RSA keypair.


Jira (PUP-7983) Test puppet-agent built against system openssl in PA CI pipes

2017-09-25 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7983

Re: Test puppet-agent built against system openssl in PA CI pipes

After some investigation, and after wrong leads, it was narrowed to redhat platforms.
Any binary linked to system openssl on redhat systems caused failures on things like SSL_CTX_set_ecdh_auto.
Some additional experimentation, using a test C application using the same API functions, indicates the problem to be peculiar to puppet binaries.


Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-09-25 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-3114

Re: Puppet needs to use default keylength 2048 on FIPS enabled systems

I seem to be able to generate & use 4k key/cert fine on Centos 6 in fips mode.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-25 Thread Jayant Sane (JIRA)

Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Trevor Vaughan Q: Which platform & version specifically did you test the system openssl linked agent on? Like centos, redhat, ?? thx


Jira (PUP-7983) Test puppet-agent built against system openssl in PA CI pipes

2017-09-22 Thread Jayant Sane (JIRA)

Jayant Sane created an issue

Puppet / PUP-7983
Test puppet-agent built against system openssl in PA CI pipes

Issue Type: Bug
Assignee: Jayant Sane
Created: 2017/09/22 1:43 PM
Priority: Normal
Reporter: Jayant Sane

Testing PA built against system openssl thru CI has turned into quite a non-trivial exercise. First attempt resulted in some tests failing on the master host that CI sets up. Ironically, such agents have been able to get their certificate signed by the master fine when set up manually. That led to reproducing the failure using beaker locally. Testing using beaker led to a different failure during the pre-suite/setup step of PA acceptance tests. Managed to overcome that by customizing pre-suite scripts in puppet. Now need to use this custom version of puppet when launching CI. Let's see how long this goes on... All to get a PA CI test passing certificate to be able to submit PR in puppet to enable building against system openssl.

Jira (PUP-3114) Puppet needs to use default keylength 2048 on FIPS enabled systems

2017-09-20 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-3114

Re: Puppet needs to use default keylength 2048 on FIPS enabled systems

Hi Trevor Vaughan, could you please point me to the FIPS 140-2 spec you are referring to that lists the allowed & approved RSA key (modulus) sizes - 2048, 3072 and 15360? It seems to me anything equal or above 2048 bit would be allowed. Approved is a different story as the modulus sizes appear to depend on things when using auxiliary primes or size of AES key being transported using the RSA key. I am likely not very informed here so may be confusing things.
On a side note, I noticed agent is able to do signature verification of CA certificate of 4096 bit key size when running in FIPS mode. Am assuming you may have observed the same. I was also able to generate a 4096 bit (default size) key/certificate for an agent running on a centos7 in FIPS mode. It appeared to be in FIPS (sysctl crypto.fips_enabled comes back true|1) as it disallowed use of md5. So wanted to clarify allowed and approved key sizes.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-09-08 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Trevor,
My turn to apologize for the delay. Thanks for testing it. Am assuming that being the case but wanted to confirm whether your testing was done on systems in FIPS mode. And unless this included all the testing you typically do, for FIPS, please let us know as/when you get that done.


Jira (FACT-1730) Enable DEP support in Windows version of facter binaries

2017-08-28 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Facter / FACT-1730
Enable DEP support in Windows version of facter binaries

Change By: Jayant Sane

Release Notes Summary:
As part of security robustness measure, this change enables data execution prevention (aka /NX) and address space layout randomization in windows version of the facter binaries. There was no specific known vulnerability but it minimizes chances of anyone exploiting any unknown vulnerabilities while taking advantage of above things.


Jira (FACT-1730) Enable DEP support in Windows version of facter binaries

2017-08-28 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Facter / FACT-1730
Enable DEP support in Windows version of facter binaries

Change By: Jayant Sane

Release Notes Summary:
As part of security robustness measure, this change enables data execution prevention (aka /NX) and address space layout randomization in the binaries. There was no specific known vulnerability but it minimizes chances of anyone exploiting any unknown vulnerabilities while taking advantage of above things.

Release Notes: Security Fix


Jira (FACT-1730) Enable DEP support in Windows version of facter binaries

2017-08-14 Thread Jayant Sane (JIRA)
Jayant Sane commented on FACT-1730

Re: Enable DEP support in Windows version of facter binaries

PR: https://github.com/puppetlabs/facter/pull/1624


Jira (FACT-1730) Enable DEP support in Windows version of facter binaries

2017-08-14 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Facter / FACT-1730
Enable DEP support in Windows version of facter binaries

Issue Type: Task
Assignee: Unassigned
Components: Windows
Created: 2017/08/14 9:55 AM
Priority: Normal
Reporter: Jayant Sane

Enable NXCOMPAT and ASLR settings in windows binaries (exe/dlls) of facter. This is per a customer requirement to meet their security audit requirements. Presently targeting v3.6.x (branch); might be propagated to other/later versions.

Jira (PUP-7519) Enable rubocop security cop scan on ruby projects

2017-08-02 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-7519
Enable rubocop security cop scan on ruby projects

Change By: Jayant Sane
Team: Systems Engineering Security


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-08-02 Thread Jayant Sane (JIRA)
Jayant Sane updated an issue

Puppet / PUP-7511
Test puppet-agent against FIPS-compliant system openssl library

Change By: Jayant Sane
Team: Platform Core Security


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-07-05 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

Trevor Vaughan I managed to generate PA AIO built against system openssl libs. However have not done the two adjustments to use SHA and adjusting key lengths yet. I have not tested this package (besides using the hacky ways I did earlier) but plan to check it soon. I would like to check out simp-beaker but am not familiar (am a relative newcomer even to beaker). Could you share your email address?


Jira (PUP-7510) FIPS-Enabled Puppet

2017-06-22 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7510

Re: FIPS-Enabled Puppet

Agree about use of native vs bouncy castle. I spoke to Jeremy Barlow. Last time, a few years ago, they had found Puppet Server performance with bouncy castle was quite unacceptable. Don't know if things have improved since.


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-06-22 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

When would this be like in any upcoming sprint planning meeting? I did some testing, in some hacky way and was/am looking into adjusting openssl builds that can/will allow us to test PA against any system installed openssl more easily. I have not had much luck with it yet but plan to try more things. Though any additional help would be welcome if anyone is more familiar with it.
thanks Jayant
On Wed, Jun 21, 2017 at 1:39 PM, Geoff Nichols (JIRA) <


Jira (PUP-7511) Test puppet-agent against FIPS-compliant system openssl library

2017-06-17 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7511

Re: Test puppet-agent against FIPS-compliant system openssl library

After some poking around I tend to agree with you above that it would be easier to compile our OpenSSL, or rather necessary as I found out, to support FIPS. I had kind of anticipated this issue earlier of course not knowing the below then...
That is because we are not following correct convention of using proper SONAMEs for the openssl libs that the various PA components link against ==> creates hard dependencies on the exact version of the lib even if another ABI compatible version of the relevant libs exist on the system. Ironically we do create symlinks libcrypto.so --> libcrypto.so.1.0.0 which of course are useless. As it happened on the centos7 I was playing on, the system installed openssl libs had different minor versions and PA components would not "move over" easily to these system versions. I will be creating new tickets to have this addressed.
I tried a bad/quick hack of creating copies of the system versions of the relevant libs with exact same names as those of puppet versions. And while some preliminary quick checks passed ok but my beaker run of acceptance tests mysteriously hung somewhere and when I killed the process it took away the log file that I was recording. Will attempt it again to see if I have any better luck.


Jira (PUP-7510) FIPS-Enabled Puppet

2017-06-13 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7510

Re: FIPS-Enabled Puppet

Our Java based components use crypto libs in Java and not from Bouncy Castle. We could try testing with Java's FIPS compliant crypto provider. Need to understand if SunPKCS11-NSS, which appears to be FIPS certified crypto provider, would be acceptable.


Jira (HI-575) Enable rubocop/securitycop scans

2017-06-13 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Hiera / HI-575
Enable rubocop/securitycop scans

Issue Type: Task
Assignee: Jayant Sane
Created: 2017/06/13 2:52 PM
Priority: Normal
Reporter: Jayant Sane

As part of enabling static security code scans, we would like to enable securitycop scans for this project. This is to flag and avoid any inadvertent usage of potentially insecure constructs in ruby.

Jira (PUP-7610) Remove bundled openssl from puppet agent for FIPS testing

2017-05-31 Thread Jayant Sane (JIRA)
Jayant Sane created an issue

Puppet / PUP-7610
Remove bundled openssl from puppet agent for FIPS testing

Issue Type: Task
Assignee: Unassigned
Components: AIO
Created: 2017/05/31 2:28 PM
Priority: Normal
Reporter: Jayant Sane

In order to do FIPS compliance testing, one of the steps needed is removing the bundled openssl from puppet agent so the system installed openssl (FIPS enabled) gets used. This ticket is to track the work for removing openssl from AIO package.

Jira (PUP-1935) puppetd ignores local ca.pem when connecting to master for the first time

2017-05-31 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-1935

Re: puppetd ignores local ca.pem when connecting to master for the first time

Also, if not redundant, some qualification on the severity. If the attacker (insider) is in a position to manipulate DNS and bring up a server on the same network then the environment is already sufficiently compromised and attacker would be in a position to mount more serious attacks. This still does not justify agent not verifying master's certificate when it is in a position to do so. I will check with Adrien on what he had attempted and will look into it but as mentioned might take me a while.


Jira (PUP-1935) puppetd ignores local ca.pem when connecting to master for the first time

2017-05-30 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-1935

Re: puppetd ignores local ca.pem when connecting to master for the first time

The concern/issue is valid. As some others have noted, this has existed for some time and had also come up independently during threat modeling + security review of SSL certificates bootstrapping flow. Unlike the case of the very first connection attempt to retrieve CA certificate which could be insecure in some cases, there is no good reason for the puppet agent to NOT verify master's certificate when it has a CA certificate downloaded/established. There are some ways to reduce the risk for downloading arbitrary (malicious) CA certificates by making the expected CA certificate fingerprint available during agent install. Adrien had attempted resolving this a couple of weeks back but it seems he was not successful given the intricacies and peculiarities of the openssl's workings. However I am not sure if I should be assigned to this as I am not a developer per se and am not very familiar with the mechanics of the implementation and can take me inordinately long given some other priorities/tasks on my plate.


Jira (PUP-7519) Enable rubocop security cop scan on ruby projects

2017-05-11 Thread Jayant Sane (JIRA)
Jayant Sane assigned an issue to Jayant Sane

Puppet / PUP-7519
Enable rubocop security cop scan on ruby projects

Change By: Jayant Sane
Assignee: Jayant Sane


Jira (PUP-7519) Enable rubocop security cop scan on ruby projects

2017-05-11 Thread Jayant Sane (JIRA)
Jayant Sane commented on PUP-7519

Re: Enable rubocop security cop scan on ruby projects

Submitted PR for puppet: https://github.com/puppetlabs/puppet/pull/5855

