[FIPS] keystone_ssh | nova_ssh images fail with ssh key limitation
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | Invalid | Undecided | Unassigned | |
Bug Description
OS Rocky Linux 9.2
Kernel 5.14.0-
Kolla-Ansible: 16.1.0 (2023.1 Antelope)
Docker Version: Docker version 24.0.4, build 3713ee1
Docker image type: source
Docker images:
quay.io/
quay.io/
The image itself works just fine in a non-FIPS compliant environment, but when FIPS is enabled the keystone-ssh and nova_ssh containers will error out with the following message:
```
++ SSH_HOST_
++ for key_type in ${SSH_HOST_
++ KEY_PATH=
++ [[ ! -f /etc/ssh/
++ for key_type in ${SSH_HOST_
++ KEY_PATH=
++ [[ ! -f /etc/ssh/
++ ssh-keygen -q -t dsa -f /etc/ssh/
DSA keys are not allowed in FIPS mode
```
This is hardcoded into the image: https:/
https:/
Workaround:
Custom image changing the key type.
Reproduce:
Deploy Kolla in an environment with FIPS enabled `fips-mode-setup --enable`.
I should note that while this works in non-FIPS clouds, this should be taken into serious consideration as there are a number of end users with FIPS requirements ramping up that will eventually run into this as time progresses.
Suggested Fix:
nova:
```
#!/bin/bash
# Remove "dsa" from the list as it's not FIPS compliant
SSH_HOST_
for key_type in ${SSH_HOST_
    KEY_
    # Check existing key lengths for RSA to ensure they are FIPS compliant
    if [[ -f "${KEY_PATH}" ]] && [[ "${key_type}" == "rsa" ]]; then
        if [[ "${key_length}" -lt 2048 ]]; then
            echo "RSA key length is less than 2048 bits, regenerating..."
            rm -f "${KEY_PATH}"
            rm -f "${KEY_PATH}.pub"
        fi
    fi
    # Generate keys
    if [[ ! -f "${KEY_PATH}" ]]; then
        if [[ "${key_type}" == "rsa" ]]; then
        elif [[ "${key_type}" == "ecdsa" ]]; then
        else
        fi
    fi
done
mkdir -p /var/lib/nova/.ssh
if [[ $(stat -c %U:%G /var/lib/nova/.ssh) != "nova:nova" ]]; then
    chown nova: /var/lib/nova/.ssh
fi
```
keystone:
```
#!/bin/bash
# Remove "dsa" from the list as it's not FIPS compliant
SSH_HOST_
for key_type in ${SSH_HOST_
    KEY_
    # Check existing key lengths for RSA to ensure they are FIPS compliant
    if [[ -f "${KEY_PATH}" ]] && [[ "${key_type}" == "rsa" ]]; then
        if [[ "${key_length}" -lt 2048 ]]; then
            echo "RSA key length is less than 2048 bits, regenerating..."
            rm -f "${KEY_PATH}"
            rm -f "${KEY_PATH}.pub"
        fi
    fi
    # Generate keys
    if [[ ! -f "${KEY_PATH}" ]]; then
        if [[ "${key_type}" == "rsa" ]]; then
        elif [[ "${key_type}" == "ecdsa" ]]; then
        else
        fi
    fi
done
mkdir -p /var/lib/
if [[ $(stat -c %U:%G /var/lib/
    sudo chown keystone: /var/lib/
fi
```
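The suggested fix above reaches this page with its variable names and `ssh-keygen` invocations cut off, so here is a complete, stand-alone version of the same idea as an added example. It is not the reporter's script and not Kolla's own entrypoint. Assumptions: the list of host key types is passed in as a space-separated string (the default `rsa ecdsa ed25519` is assumed, since only the DSA entry is named on this page; which of the remaining types your FIPS policy accepts is a site decision), key files follow the `ssh_host_<type>_key` naming used in the error log, and the RSA bit length is read from the first field of `ssh-keygen -l -f KEY` output. The filtering and length-check logic is separated into small functions so it can be exercised without touching the key directory.

```shell
#!/bin/sh
# Added example (not Kolla's code): FIPS-aware SSH host key bootstrap.
# Drops DSA (ssh-keygen refuses it under FIPS) and regenerates RSA keys
# shorter than the 2048-bit floor from the suggested fix.

# Filter a space-separated list of key types down to what FIPS mode allows.
# Only "dsa" is removed here; any other policy restrictions are site-specific.
fips_key_types() {
    out=""
    for t in $1; do
        case "$t" in
            dsa) ;;                           # "DSA keys are not allowed in FIPS mode"
            *)   out="${out:+$out }$t" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Take one line of `ssh-keygen -l -f KEY` output ("2048 SHA256:... (RSA)")
# and return the bit length, which is its first whitespace-separated field.
key_bits_from_fingerprint_line() {
    set -- $1
    printf '%s\n' "$1"
}

# Exit status 0 when an RSA key of $1 bits must be regenerated (below 2048).
rsa_needs_regen() {
    [ "$1" -lt 2048 ]
}

# Make sure a host key exists in $1 for every approved type listed in $2.
# Runs ssh-keygen, so it is only invoked when a directory is given on the
# command line (see the guarded call at the bottom).
ensure_host_keys() {
    ssh_dir=$1
    for key_type in $(fips_key_types "$2"); do
        key_path="$ssh_dir/ssh_host_${key_type}_key"
        if [ -f "$key_path" ] && [ "$key_type" = rsa ]; then
            bits=$(key_bits_from_fingerprint_line "$(ssh-keygen -l -f "$key_path")")
            if rsa_needs_regen "$bits"; then
                echo "RSA key $key_path is $bits bits (< 2048), regenerating..."
                rm -f "$key_path" "$key_path.pub"
            fi
        fi
        if [ ! -f "$key_path" ]; then
            case "$key_type" in
                rsa)   ssh-keygen -q -t rsa -b 4096 -N '' -f "$key_path" ;;
                ecdsa) ssh-keygen -q -t ecdsa -b 521 -N '' -f "$key_path" ;;
                *)     ssh-keygen -q -t "$key_type" -N '' -f "$key_path" ;;
            esac
        fi
    done
}

# Usage: ./host-keys.sh /etc/ssh ["rsa ecdsa ed25519"]
# With no arguments the script only defines the functions above.
if [ -n "${1:-}" ]; then
    ensure_host_keys "$1" "${2:-rsa ecdsa ed25519}"
fi
```

Run it as the container's key-generation step with the ssh directory as the first argument; the key type list is the second argument so the FIPS-filtered set can be overridden per deployment without rebuilding the image.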
Activity log:
- description: updated
- summary: "[FIPS] keystone_ssh image fails with ssh key limitation" changed to "[FIPS] keystone_ssh | nova_ssh image fails with ssh key limitation"
- description: updated
- summary: "[FIPS] keystone_ssh | nova_ssh image fails with ssh key limitation" changed to "[FIPS] keystone_ssh | nova_ssh images fails with ssh key limitation"
- description: updated
- description: updated
Belongs in kolla, not kolla-ansible. Setting bug to invalid. bugs.launchpad.net/kolla/+bug/2032827
Moved to: https:/