
pulp-2to3-migration and FIPS

Executive Summary

If you are:

  • running Pulp3 on a FIPS-enabled machine, and
  • you have patched Django and Pulp3 with the correct patches, and
  • you have "md5" and "sha1" included in your ALLOWED_CONTENT_CHECKSUMS, then:

No matter what's in your Pulp2 database, it will migrate successfully.

Issues:

https://pulp.plan.io/issues/7782
https://pulp.plan.io/issues/8453

Patches:

Django 3.2 patch:
https://github.com/theforeman/pulpcore-packaging/pull/272

Django 2.2 LTS:
https://github.com/theforeman/pulpcore-packaging/blob/rpm/3.7/packages/python-django/0001-FIPS-Mark-use-of-MD5-not-security-relevant.patch

wget https://raw.githubusercontent.com/theforeman/pulpcore-packaging/rpm/3.7/packages/python-django/0001-FIPS-Mark-use-of-MD5-not-security-relevant.patch
patch -d /usr/local/lib/pulp/lib/python3.6/site-packages/ -p1 <0001-FIPS-Mark-use-of-MD5-not-security-relevant.patch

Pulp3: https://gist.github.com/bmbouter/31c45dac7de68eeccc35a9f9564c0f28

wget https://gist.githubusercontent.com/bmbouter/31c45dac7de68eeccc35a9f9564c0f28/raw/de9bda4aed4dd6ed72ac38ead1d0db7629a0c13c/patch_pulp_md5_usedforsecurity.diff
patch -p1 -d /home/vagrant/devel/pulpcore/ < patch_pulp_md5_usedforsecurity.diff

Without patching Django, you can't even restart Pulp services:

(pulp) [vagrant@pulp2-nightly-pulp3-source-fips-a ~]$ pclean
systemctl stop pulpcore-content pulpcore-worker@1 pulpcore-worker@2 pulpcore-resource-manager pulpcore-api
Traceback (most recent call last):
  File "/usr/local/lib/pulp/bin/pulpcore-manager", line 33, in <module>
    sys.exit(load_entry_point('pulpcore', 'console_scripts', 'pulpcore-manager')())
  File "/home/vagrant/devel/pulpcore/pulpcore/app/manage.py", line 11, in manage
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/core/management/__init__.py", line 381, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/core/management/__init__.py", line 357, in execute
    django.setup()
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/__init__.py", line 24, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/apps/registry.py", line 114, in populate
    app_config.import_models()
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/apps/config.py", line 211, in import_models
    self.models_module = import_module(models_module_name)
  File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/guardian/models/__init__.py", line 1, in <module>
    from .models import (
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/guardian/models/models.py", line 69, in <module>
    class UserObjectPermission(UserObjectPermissionAbstract):
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/db/models/base.py", line 315, in __new__
    new_class._prepare()
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/db/models/base.py", line 367, in _prepare
    index.set_name_with_model(cls)
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/db/models/indexes.py", line 116, in set_name_with_model
    '%s_%s' % (names_digest(*hash_data, length=6), self.suffix),
  File "/usr/local/lib/pulp/lib64/python3.6/site-packages/django/db/backends/utils.py", line 221, in names_digest
    h = hashlib.md5()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

fips-a is a dev-box, and therefore comes pre-patched for the Django/MD5 issue (the pulp_installer patch touches the same code in a slightly different way):
https://github.com/pulp/pulp_installer/commit/ae47f49ef9b79cd79851d0caa245559ceabbc7ce#diff-8332bf7262838ddb1ec95ae3a42460666336878f00cf2de7bbc5d5f39f466401R245

Variants:

Pulp3

  1. UNP: without pulp3 md5 patch
  2. PAT: with pulp3 md5 patch
  3. ALL: ALLOWED_CONTENT_CHECKSUMS (ACC) includes md5/sha1
  4. SANE: ACC excludes md5/sha1

Combinations:

  1. UNP-ALL : no patch, all checksums
  2. UNP-SANE : no patch, sane checksums
  3. PAT-ALL : patched, all checksums
  4. PAT-SANE : patched, sane checksums

Pulp2

  1. +MD5: pulp2 data includes md5-only repo
  2. -MD5: pulp2 data excludes md5-only repo
  3. IM: pulp2 data sync'd immediate
  4. OD: pulp2 data sync'd on_demand

Combinations

  1. +MD5-IM : MD5 data, with content
  2. -MD5-IM : no MD5 data, with content
  3. +MD5-OD : MD5 data, no content
  4. -MD5-OD : no MD5 data, no content

Scripts

Pulp2 content

# Create MD5 repo, immediate
pulp-admin login -u admin -p admin
pulp-admin rpm repo create --repo-id md5 --feed https://fixtures.pulpproject.org/rpm-with-md5/ --download-policy immediate
pulp-admin rpm repo sync run --repo-id md5

# Create 'normal' repo, immediate
pulp-admin rpm repo create --repo-id rpm --feed https://fixtures.pulpproject.org/rpm-signed/ --download-policy immediate
pulp-admin rpm repo sync run --repo-id rpm

# Create MD5 repo, on-demand
pulp-admin login -u admin -p admin
pulp-admin rpm repo create --repo-id md5 --feed https://fixtures.pulpproject.org/rpm-with-md5/ --download-policy on_demand
pulp-admin rpm repo sync run --repo-id md5

# Create 'normal' repo, on-demand
pulp-admin rpm repo create --repo-id rpm --feed https://fixtures.pulpproject.org/rpm-signed/ --download-policy on_demand
pulp-admin rpm repo sync run --repo-id rpm

# CLEANUP
pulp-admin rpm repo delete --repo-id rpm
pulp-admin rpm repo delete --repo-id md5
pulp-admin orphan remove --all

Pulp3 migrate

# Create/run migration
export HREF=$(pulp migration plan create --plan '{"plugins": [{"type": "rpm"}]}' | jq -r '.pulp_href')
pulp migration plan run --href "$HREF"

Test Matrix

            UNP/ALL   UNP/SANE   PAT/ALL   PAT/SANE
+MD5/IM     PASS      FAIL[0]    PASS      FAIL[0]
-MD5/IM     PASS      PASS       PASS      PASS
+MD5/OD     PASS      FAIL[1]    PASS      PASS
-MD5/OD     PASS      PASS       PASS      PASS

Notes

https://pulp.plan.io/issues/8453 is the result of running unpatched-django in a FIPS environment.

[0] Migration fails, EXPECTED:

(pulp) [vagrant@pulp2-nightly-pulp3-source-fips-a site-packages]$ pulp migration plan run --href $HREF
Started background task /pulp/api/v3/tasks/f6735a2a-12db-4b6d-a227-e55423759250/
..Error: Task /pulp/api/v3/tasks/f6735a2a-12db-4b6d-a227-e55423759250/ failed: 'Checksum algorithm md5 forbidden for this Pulp instance.'
(pulp) [vagrant@pulp2-nightly-pulp3-source-fips-a site-packages]$ 

[1] Migration fails, EXPECTED:

(pulp) [vagrant@pulp2-nightly-pulp3-source-fips-a site-packages]$ pulp migration plan run --href $HREF
Started background task /pulp/api/v3/tasks/40394899-04c6-4dc3-b82a-1412dda2b335/
..Error: Task /pulp/api/v3/tasks/40394899-04c6-4dc3-b82a-1412dda2b335/ failed: 'On-demand content located at the url https://fixtures.pulpproject.org/rpm-with-md5/zebra-0.1-2.noarch.rpm contains forbidden checksum type,thus cannot be synced.You can allow checksum type with 'ALLOWED_CONTENT_CHECKSUMS' setting.'
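The two failure modes on this page are independent: OpenSSL in FIPS mode refusing to initialise MD5 at all (the pulpcore-manager traceback), and Pulp's ALLOWED_CONTENT_CHECKSUMS policy refusing md5-only content even when the hash itself can be computed (the two task errors above). The following is an added example, not code from this note, Django or pulpcore. It shows the construction the Django/Pulp3 patches rely on (marking MD5 as usedforsecurity=False, with a fallback for interpreters that lack the keyword) next to a small model of the checksum-policy gate. The SANE_CHECKSUMS/ALL_CHECKSUMS sets, the content-unit dict shape and the sample bytes are assumptions constructed for the example; the refusal messages are copied from the task errors quoted above, and the model does not claim to reproduce the PAT/SANE on-demand cell of the test matrix.

```python
import hashlib

# Constructed policies for the example (assumptions, not Pulp's defaults):
# "SANE" is the page's name for a setting that excludes md5/sha1, "ALL" includes them.
SANE_CHECKSUMS = frozenset({"sha224", "sha256", "sha384", "sha512"})
ALL_CHECKSUMS = SANE_CHECKSUMS | {"md5", "sha1"}


def new_digest(name, usedforsecurity=True):
    """Return a hashlib object for `name`, honouring FIPS mode.

    In FIPS mode OpenSSL refuses to initialise MD5 (the ValueError in the
    pulpcore-manager traceback) unless the caller marks the use as not
    security-relevant. Python 3.9+ exposes that as the `usedforsecurity`
    keyword and the RHEL-patched Python 3.6 accepts it too; interpreters
    without the keyword raise TypeError, so fall back to the plain constructor.
    """
    try:
        return hashlib.new(name, usedforsecurity=usedforsecurity)
    except TypeError:
        # No keyword support: FIPS will still reject md5 on this path.
        return hashlib.new(name)


def digest_hex(name, data, usedforsecurity=False):
    """Hex digest of `data`, defaulting to the non-security flag.

    This is the shape of what the Django and pulpcore patches change: MD5 is
    used for index names and content identity, not to authenticate anything.
    """
    h = new_digest(name, usedforsecurity=usedforsecurity)
    h.update(data)
    return h.hexdigest()


def md5_blocked_by_fips():
    """True when plain hashlib.md5() raises the 'disabled for FIPS' ValueError."""
    try:
        hashlib.md5()
    except ValueError:
        return True
    return False


def forbidden_checksums(unit_checksum_types, allowed):
    """Checksum types a content unit carries that the policy does not allow."""
    return sorted(set(unit_checksum_types) - set(allowed))


def migration_error(unit, allowed):
    """Return the refusal message for a unit, or None if it can migrate.

    `unit` is a constructed dict: {"url": ..., "checksums": {...}, "policy": ...}.
    Downloaded (immediate) content is refused by checksum algorithm, on-demand
    content by URL, mirroring the two task errors quoted in the Notes.
    """
    bad = forbidden_checksums(unit["checksums"], allowed)
    if not bad:
        return None
    if unit["policy"] == "on_demand":
        return ("On-demand content located at the url %s contains forbidden "
                "checksum type, thus cannot be synced. You can allow checksum "
                "type with 'ALLOWED_CONTENT_CHECKSUMS' setting." % unit["url"])
    return "Checksum algorithm %s forbidden for this Pulp instance." % bad[0]


if __name__ == "__main__":
    sample = b"constructed sample bytes, not a real RPM"
    print("plain hashlib.md5() blocked by FIPS:", md5_blocked_by_fips())
    for algo in ("md5", "sha1", "sha256"):
        print(algo, digest_hex(algo, sample))
    zebra = {"url": "https://fixtures.pulpproject.org/rpm-with-md5/zebra-0.1-2.noarch.rpm",
             "checksums": {"md5"}, "policy": "immediate"}
    print(migration_error(zebra, SANE_CHECKSUMS))  # refused under SANE
    print(migration_error(zebra, ALL_CHECKSUMS))   # None: allowed under ALL
```

Run it on a FIPS-enabled box with the unpatched interpreter and md5_blocked_by_fips() reports True while digest_hex("md5", ...) still succeeds; that difference is exactly what the Django and Pulp3 patches exploit, and it is why the patches alone do not help once ALLOWED_CONTENT_CHECKSUMS excludes md5.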

What about 3.7?

If you want to run Pulp3.7 on a FIPS-enabled box, you will need to apply daviddavis' additional patch, which creates/enables the code that the Pulp3 MD5 patch above depends on:

https://gist.github.com/daviddavis/9a819fae1b18595169c1ed38d1dc72df

In order, you will need to apply:

  1. the django-fips-patch
  2. daviddavis' patch
  3. Pulp3-MD5-enabling patch

To get daviddavis' patch to apply cleanly under pulpcore-3.7, I used the following:

wget https://gist.githubusercontent.com/daviddavis/9a819fae1b18595169c1ed38d1dc72df/raw/eb26da1d34c8be69f25e75f083775c1f89ad28bd/hashlib.patch
patch --fuzz 3 -p1 -d /home/vagrant/devel/pulpcore/ -i hashlib.patch

on a system running pulpcore-3.7, pulp-rpm-3.10, and pulp-2to3-migration-0.9.0.

These three patches enabled me to successfully migrate an MD5-repo from my Pulp2 box into my Pulp3.7 FIPS-enabled system.

tags: FIPS