[ER-444] Enable FIPS configuration at runtime via chef-server.rb #1061

Merged
merged 3 commits into from
Feb 2, 2017
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -11,4 +11,5 @@ NEW_CHANGELOG.md
version-manifest.json
MODIFIED_COMPONENTS_CHANGELOG.md
/dev/nodes
dev/*.deb
dev/*.deb
src/oc_erchef/log
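Review bot: the `dev/*.deb` entry shows up as both the removed and the added line with no visible difference, which suggests a trailing-newline or whitespace change; if so, say that in the commit message. The new `src/oc_erchef/log` ignore is unrelated to the FIPS flag and would be cleaner in its own commit.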
13 changes: 13 additions & 0 deletions RELEASE_NOTES.md
Expand Up @@ -8,6 +8,19 @@ This document contains release notes for the current major release and all patch
For prior releases, see
[PRIOR\_RELEASE\_NOTES.md](PRIOR_RELEASE_NOTES.md).

## Unreleased

### FIPS runtime flag exposed

We are updating the Chef Server package to expose a `fips` configuration flag
in the `chef-server.rb`. Setting `fips true` and reconfiguring will start the
server in FIPS mode. The default value of this flag is `false` except
on systems where FIPS is enabled at the Kernel where it defaults to `true`.

The only supported systems at this time for FIPS mode are RHEL. Package for
Do we need to specify which versions of RHEL we support?

Contributor Author: No - Chef Server is built for RHEL 5, 6 and 7. We support FIPS in all those versions.

other systems will be missing the required OpenSSL FIPS module and will fail
to start if reconfigured with `fips true`.

## 12.12.0 (2017-01-26)

This release addresses a number of bugs, the most notable are describe
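Review bot: the release note documents how to turn FIPS on but not how to opt out on a host where the kernel has FIPS enabled, where the flag now defaults to `true`; add a sentence stating whether `fips false` in `chef-server.rb` overrides that kernel-derived default. The note also says unsupported systems "will fail to start" after `fips true`; a reconfigure-time preflight check (as raised in the comment on the attributes file) would let that fail early with a clear message, and the note should describe whichever behaviour ships.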
6 changes: 2 additions & 4 deletions dev/README.md
Expand Up @@ -19,9 +19,7 @@ Requirements:
* VirtualBox 4.3+
* Vagrant 1.7+
* At least one recent Chef Server 12.0.9+ debian package download,
which you can grab from https://bintray.com/chef/current/chef-server. Note
that you should download the chef-server-core package, and not run the
installer. dvm will then look for the package in either the Downloads dir
which you can get using this command (if you have the most recent chefdk) `mixlib-install download chef-server -p ubuntu -a x86_64 -l 14`. dvm will then look for the package in either the Downloads dir
on your machine or the omnibus/pkg directory under the chef-server repo
where dvm is running. You can also set the INSTALLER environment variable
to tell dvm where to find the package if it is not in one of those locations.
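Review bot: the replacement bullet folds a long shell command into running prose; put the `mixlib-install download chef-server -p ubuntu -a x86_64 -l 14` command on its own line so it can be copied, and if the caveat from the deleted lines (use the chef-server-core package, do not run the installer) still applies to the downloaded file, keep it. This README change is also unrelated to the FIPS flag and would sit better in its own commit.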
Expand Down Expand Up @@ -57,7 +55,7 @@ knife config on your workstation.
vagrant ssh
sudo -i
# create a user to access chef with
chef-server-ctl user-create -f /tmp/admin.pem admin Admin User [email protected] password
chef-server-ctl user-create -f /tmp/admin.pem admin Admin User [email protected] password
# create an organization
chef-server-ctl org-create -f /tmp/test-validator.pem test Test
# associate the user with the organization
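Review bot: the removed and added `chef-server-ctl user-create` lines render identically here because the e-mail address is masked, so what actually changed in this hunk cannot be reviewed from this view; state the change in the commit message.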
1 change: 0 additions & 1 deletion omnibus/config/software/private-chef-cookbooks.rb
Expand Up @@ -34,7 +34,6 @@
block do
File.open("#{install_dir}/embedded/cookbooks/dna.json", "w") do |f|
run_list = Array.new.tap do |r|
r << 'recipe[private-chef::fips]' if fips_mode?
r << 'recipe[private-chef::default]'
end

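Review bot: with the build-time `recipe[private-chef::fips]` entry dropped, the FIPS recipe is reached only through the runtime `fips_enabled` attribute; confirm that `fips_mode?` has no remaining callers in the omnibus definitions (or remove it in the same change) so the two mechanisms do not coexist half-removed.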
Expand Up @@ -39,11 +39,7 @@

default['private_chef']['default_orgname'] = nil

# Enable fips mode (openssl)
# This requires the chef-server-fips package. If you do not have this,
# your chef-server will probably not work. If you have to manually
# change this, you're doing it wrong.
default['private_chef']['fips_enabled'] = false
default['private_chef']['fips_enabled'] = ChefConfig.fips?
Member: When you come back for cleanup tasks, it would be good to add a preflight check that we're on a box that supports fips if it has been enabled in the config.

###
# Options for installing addons
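Review bot: the deleted comment explained what the flag needs; the new `ChefConfig.fips?` default has no comment at all. Keep a short comment stating that the default mirrors the kernel FIPS state and that `fips` in `chef-server.rb` overrides it. Agreeing with the member's comment above: a preflight check at reconfigure time is the right place to refuse `fips true` on a host without the OpenSSL FIPS module, rather than letting the server fail to start later.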
Expand Up @@ -82,6 +82,7 @@ module PrivateChef
from_email nil
role nil
user Mash.new
fips nil

ldap Mash.new
disabled_plugins []
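Review bot: `fips nil` makes the new setting tri-state (unset, `true`, `false`) but nothing next to the other settings documents it; add a comment saying what `nil` means here (presumably "follow the kernel FIPS state via the attribute default"), since operators reading this file will otherwise assume unset means off.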
Expand Down Expand Up @@ -244,6 +245,7 @@ def generate_hash
results["private_chef"]["oc-chef-pedant"] = PrivateChef["oc_chef_pedant"]
results["private_chef"]["notification_email"] = PrivateChef["notification_email"]
results["private_chef"]["from_email"] = PrivateChef["from_email"]
results["private_chef"]["fips_enabled"] = PrivateChef["fips"]
results["private_chef"]["role"] = PrivateChef["role"]
results["private_chef"]["topology"] = PrivateChef["topology"]
results["private_chef"]["servers"] = PrivateChef["servers"]
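Review bot: `results["private_chef"]["fips_enabled"] = PrivateChef["fips"]` writes `nil` into the generated hash whenever the operator leaves `fips` unset (its default in the hunk above); check that a nil value in the generated attributes does not clobber the `ChefConfig.fips?` default from the attributes file, or guard the assignment with `unless PrivateChef["fips"].nil?` so the key is only emitted when it was set explicitly.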
Expand Up @@ -37,6 +37,10 @@
include_recipe "private-chef::plugin_config_extensions"
include_recipe "private-chef::config"

if node['private_chef']['fips_enabled']
include_recipe "private-chef::fips"
end

# Warn about deprecated opscode_webui settings
opscode_webui_deprecation_notice = OpscodeWebuiDeprecationNotice.new(
PrivateChef['opscode_webui']
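Review bot: the conditional include runs after `private-chef::config`, and the fips recipe only sets `node.default` values for nginx (`enable_non_ssl`, `ssl_ciphers`); verify that nothing in `private-chef::config` has already read those attributes, otherwise the FIPS cipher list would not take effect. The truthy check also accepts a string such as `fips "yes"` from a hand-edited config; an explicit `== true`, with the preflight check rejecting anything else, would be stricter.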
@@ -1,3 +1,2 @@
node.default['private_chef']['fips_enabled'] = true
node.default['private_chef']['nginx']['enable_non_ssl'] = true
node.default['private_chef']['nginx']['ssl_ciphers'] = "FIPS@STRENGTH:!aNULL:!eNULL"
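Review bot: now that `fips_enabled = true` is removed (the attribute is the trigger for this recipe rather than its result), the remaining two lines deserve a comment: why does FIPS mode require `nginx.enable_non_ssl = true`? Turning on a plain-HTTP listener is a security-relevant side effect of an option operators enable to tighten crypto, so the reason, and whether it is still needed, should be recorded here.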
Expand Up @@ -87,6 +87,17 @@ def config_for(hostname)
}
}

context "When FIPS is enabled at the kernel" do
let(:config) { <<-EOF
fips true
EOF
}
it "sets fips_enabled to true" do
rendered_config = config_for("api.chef.io")
expect(rendered_config["private_chef"]["fips_enabled"]).to eq(true)
end
end

context "in a standalone topology" do
let(:config) { <<-EOF
topology "standalone"
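Review bot: the new context is titled "When FIPS is enabled at the kernel" but the config it feeds sets `fips true` explicitly, so it exercises the config flag, not kernel detection; rename it accordingly. Add the two cases the change actually depends on: `fips` left unset, which with this PR yields `fips_enabled = nil` in the rendered hash, and `fips false`, so the interaction with the `ChefConfig.fips?` attribute default is pinned down by a test.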