Thread: New buildfarm animals with FIPS mode enabled
I see that somebody decided to crank up some animals running RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals pass on v17 and master, but not older branches; the RHEL8 animals pass nowhere. This is unsurprising given that the v17-era commits that allowed our regression tests to pass under FIPS mode (795592865 and a bunch of others) explicitly targeted only OpenSSL 3:

These new expected files currently cover the FIPS mode provided by OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g., Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g., Fedora 35). (The latter will have some error message wording differences.)

I'm kind of disinclined to do all the work that'd be needed to turn these animals completely green, especially when the reason to do it seems to be that someone decided we should without any community consultation. Perhaps others have different opinions though.

Thoughts?

regards, tom lane
> On 14 Feb 2025, at 19:01, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> I'm kind of disinclined to do all the work that'd be needed to turn
> these animals completely green, especially when the reason to do it
> seems to be that someone decided we should without any community
> consultation. Perhaps others have different opinions though.

If the owner of the BF animal shows up with a patch for providing alternative outputs for the backbranches I don't mind accepting it, I'm not volunteering myself to do more than review though.

--
Daniel Gustafsson
On Fri, Feb 14, 2025 at 12:51 PM Daniel Gustafsson <daniel@yesql.se> wrote:
>
> > On 14 Feb 2025, at 19:01, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > I'm kind of disinclined to do all the work that'd be needed to turn
> > these animals completely green, especially when the reason to do it
> > seems to be that someone decided we should without any community
> > consultation. Perhaps others have different opinions though.
>
> If the owner of the BF animal shows up with a patch for providing alternative
> outputs for the backbranches I don't mind accepting it, I'm not volunteering
> myself to do more than review though.

I'm not buildfarm@, but these animals have now been stopped until we get them figured out. Sorry -- and thanks for the ping Tom!

--Jacob
Jacob Champion <jacob.champion@enterprisedb.com> writes:
> I'm not buildfarm@, but these animals have now been stopped until we
> get them figured out. Sorry -- and thanks for the ping Tom!

Thanks for that. Just to be clear, I think it'd be great to run those RHEL9 animals on v17 and later. I'm only questioning whether it's worth the work to back-patch the regression changes to older branches, and even more whether we'd learn anything by supporting OpenSSL 1.x's variant spelling of the error messages. Back-patching to make OpenSSL 3 green on all current branches would at least be a one-time effort. The other thing would entail a new set of variant expected-files that we'd have to maintain into the future, so I'm feeling much more dubious about that one.

regards, tom lane
Hi Tom,

On 2/14/25 10:01 AM, Tom Lane wrote:
> I see that somebody decided to crank up some animals running
> RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals
> pass on v17 and master, but not older branches; the RHEL8
> animals pass nowhere. This is unsurprising given that the
> v17-era commits that allowed our regression tests to pass
> under FIPS mode (795592865 and a bunch of others) explicitly
> targeted only OpenSSL 3:
>
> These new expected files currently cover the FIPS mode provided by
> OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
> Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
> Fedora 35). (The latter will have some error message wording
> differences.)
>
> I'm kind of disinclined to do all the work that'd be needed to turn
> these animals completely green, especially when the reason to do it
> seems to be that someone decided we should without any community
> consultation. Perhaps others have different opinions though.

That's my fault. I did a sloppy job copying configs etc. from the s390x fips animals and forgot about the OS versions, branches, etc. Peter Eisentraut reminded me; I think I cleaned that all up.

Regards,
Mark
Mark Wong <markwkm@gmail.com> writes:
> That's my fault. I did a sloppy job copying configs etc. from the s390x
> fips animals and forgot about the OS versions, branches, etc. Peter
> Eisentraut reminded me; I think I cleaned that all up.

Cool, thanks.

regards, tom lane
Hello,

So in light of this conversation, what to do about the following pending requests?

pgbfprod=> select format('%s %s', operating_system, os_version) as "OS" from pending();
                     OS
---------------------------------------------
 Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
 Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
 Ubuntu 18.04.6 LTS (Bionic Beaver) FIPS-140

As I understand, both of these Ubuntu versions ship with OpenSSL 1.1, though of course OpenSSL 3 could be installed on them. Should I just delete these requests?

Thanks

--
Álvaro Herrera 48°01'N 7°57'E — https://www.EnterpriseDB.com/
"The gods do not protect fools. Fools receive protection from other, better-endowed fools" (Luis Wu, Mundo Anillo)
> On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:
> Hello,
>
> So in light of this conversation, what to do about the following pending
> requests?
>
> pgbfprod=> select format('%s %s', operating_system, os_version) as "OS" from pending();
>                      OS
> ---------------------------------------------
>  Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
>  Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
>  Ubuntu 18.04.6 LTS (Bionic Beaver) FIPS-140
>
> As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
> though of course OpenSSL 3 could be installed on them. Should I just
> delete these requests?

I’m away from my desk until later this week so I don’t recall whether Ubuntu with FIPS is supposed to work. If someone already knows I’m ok with deleting them. Otherwise I will double check soon…

Regards,
Mark
Mark Wong <markwkm@gmail.com> writes:
> On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:
>> As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
>> though of course OpenSSL 3 could be installed on them. Should I just
>> delete these requests?

> I’m away from my desk until later this week so I don’t recall whether
> Ubuntu with FIPS is supposed to work. If someone already knows I’m ok
> with deleting them. Otherwise I will double check soon…

I believe the main concern is OpenSSL 1.x versus 3.x, not a specific platform.

regards, tom lane
> On 17 Feb 2025, at 17:26, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>
> Mark Wong <markwkm@gmail.com> writes:
>> On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:
>>> As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
>>> though of course OpenSSL 3 could be installed on them. Should I just
>>> delete these requests?
>
>> I’m away from my desk until later this week so I don’t recall whether
>> Ubuntu with FIPS is supposed to work. If someone already knows I’m ok
>> with deleting them. Otherwise I will double check soon…
>
> I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
> platform.

Isn't it postgres version mostly? We fixed so the testsuite passed on FIPS enabled machines by just not using anything that violates FIPS but I don't remember anything OpenSSL version specific.

--
Daniel Gustafsson
Daniel Gustafsson <daniel@yesql.se> writes:
> On 17 Feb 2025, at 17:26, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
>> platform.

> Isn't it postgres version mostly? We fixed so the testsuite passed on FIPS
> enabled machines by just not using anything that violates FIPS but I don't
> remember anything OpenSSL version specific.

No, there are two distinct problems:

1. We "support" FIPS in the regression tests by providing variant expected-files that represent the error messages that you'll get in FIPS mode. Currently, there's only one such variant file per test and it shows the error message spelling you get from OpenSSL 3.x. 1.x has a different spelling, cf [1].

2. None of this support existed before PG v17.

It'd be practical to crank up FIPS-mode BF animals on OpenSSL 3.x platforms so long as you make them test only branches >= v17. Such animals on OpenSSL 1.x will fail on all branches.

Obviously, we could talk about extending the regression tests' support for these cases, but I'm really dubious that it's worth the work.

regards, tom lane

[1] https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=cixiid&dt=2025-02-13%2009%3A27%3A17
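A small shell helper, added here and not part of the thread or of the buildfarm client, that applies the two rules above (FIPS expected-files exist only from v17, and only match OpenSSL 3.x wording) to decide which branches a FIPS-mode animal can usefully run. The version banner and FIPS flag are passed in as arguments so it runs offline; the `host_branches` wrapper, the REL_NN_STABLE branch naming and the use of /proc/sys/crypto/fips_enabled as the FIPS indicator are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: decide which PostgreSQL branches a
# FIPS-mode buildfarm animal can test, following the two rules given above:
#   - the FIPS variant expected-files only exist from v17 (REL_17_STABLE) on
#   - they carry the OpenSSL 3.x error wording, so OpenSSL 1.x fails everywhere
# Inputs are passed in so the logic runs offline; host_branches() reads the
# real values from `openssl version` and /proc/sys/crypto/fips_enabled.

# openssl_major "OpenSSL 3.0.7 1 Nov 2022" -> 3
openssl_major() {
    set -- $1                 # split the version banner into words
    echo "${2%%.*}"           # second word is e.g. "3.0.7"; keep the major
}

# branch_version HEAD -> 99 (always new enough), REL_16_STABLE -> 16
branch_version() {
    case "$1" in
        HEAD) echo 99 ;;
        REL_*) v=${1#REL_}; echo "${v%%_*}" ;;
        *) echo 0 ;;          # unknown naming: treat as too old (assumption)
    esac
}

# fips_branches VERSION_BANNER FIPS_FLAG BRANCH... -> space-separated list of
# branches to test, or nothing when the animal is not viable in FIPS mode.
fips_branches() {
    banner=$1; fips=$2; shift 2
    out=""
    for branch in "$@"; do
        if [ "$fips" != 1 ]; then
            out="$out${out:+ }$branch"                      # no FIPS: test all
        elif [ "$(openssl_major "$banner")" -ge 3 ] &&
             [ "$(branch_version "$branch")" -ge 17 ]; then
            out="$out${out:+ }$branch"                      # OpenSSL 3.x, v17+
        fi
    done
    echo "$out"
}

# Convenience wrapper for a real host (assumed layout; not run by the tests).
host_branches() {
    fips_branches "$(openssl version)" \
        "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo 0)" "$@"
}
```

On an actual animal you would call `host_branches HEAD REL_17_STABLE REL_16_STABLE` and feed the result into the branch list the client is configured to build.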
> On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Daniel Gustafsson <daniel@yesql.se> writes:
>
>> Isn't it postgres version mostly? We fixed so the testsuite passed on FIPS
>> enabled machines by just not using anything that violates FIPS but I don't
>> remember anything OpenSSL version specific.
>
> No, there are two distinct problems:

Ah, right, thanks.

> Obviously, we could talk about extending the regression tests'
> support for these cases, but I'm really dubious that it's worth
> the work.

Agreed.

--
Daniel Gustafsson
On 2025-Feb-17, Daniel Gustafsson wrote:
> On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > Obviously, we could talk about extending the regression tests'
> > support for these cases, but I'm really dubious that it's worth
> > the work.
>
> Agreed.

This means that unless Mark is willing to install OpenSSL 3 from source, these buildfarm animals are not viable. I'll wait for Mark to confirm, but given the number of animals he maintains, I think it's not really feasible to have some which require individual patching work.

--
Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/
On Tue, Feb 18, 2025 at 02:41:18PM +0100, Álvaro Herrera wrote:
> On 2025-Feb-17, Daniel Gustafsson wrote:
>
> > On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > > Obviously, we could talk about extending the regression tests'
> > > support for these cases, but I'm really dubious that it's worth
> > > the work.
> >
> > Agreed.
>
> This means that unless Mark is willing to install OpenSSL 3 from source,
> these buildfarm animals are not viable. I'll wait for Mark to confirm,
> but given the number of animals he maintains, I think it's not really
> feasible to have some which require individual patching work.

Yeah, I can install OpenSSL 3 from source. I'm trying to make better use of Ansible to help.

Regards,
Mark