Commit
packaging: setup: remote_engine: Fix for FIPS
In fips mode, we fail with:

  File "/usr/lib/python3.6/site-packages/otopi/context.py", line 132, in _executeMethod
    method['method']()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-setup/ovirt-engine-dwh/core/remote_engine.py", line 83, in _remote_engine_customization
    oenginecons.ConfigEnv.ENGINE_FQDN
  File "/usr/share/ovirt-engine/setup/ovirt_engine_setup/remote_engine.py", line 146, in configure
    self._style.configure(fqdn=fqdn)
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-common/base/remote_engine/remote_engine_root_ssh.py", line 177, in configure
    self._ssh_connect()
  File "/usr/share/ovirt-engine/setup/bin/../plugins/ovirt-engine-common/base/remote_engine/remote_engine_root_ssh.py", line 153, in _ssh_connect
    osetupcons.ConfigEnv.REMOTE_ENGINE_HOST_CLIENT_KEY
  File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 416, in connect
    self, server_hostkey_name, server_key
  File "/usr/lib/python3.6/site-packages/paramiko/client.py", line 837, in missing_host_key
    key.get_name(), hostname, hexlify(key.get_fingerprint())
  File "/usr/lib/python3.6/site-packages/paramiko/pkey.py", line 180, in get_fingerprint
    return md5(self.asbytes()).digest()

This is because we use paramiko.WarningPolicy, which uses get_fingerprint to show the missing key, which uses hashlib.md5 [1], which is disabled in fips mode.

Create our own policy instead, that does not show the key.

Please note that this isn't a complete fix for [1] - e.g. if you have any keys in normal locations, such as ~/.ssh/id_rsa, paramiko will fail later, when mentioning that it's going to try loading them.

[1] paramiko/paramiko#1103

Change-Id: I99a934ceefc707cdff127229d1bebf196aac4140
Signed-off-by: Yedidyah Bar David <didi@redhat.com>
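An added example, not the code from this commit: a missing-host-key policy that never calls the MD5-based `get_fingerprint()` seen in the traceback. It goes beyond the commit's "does not show the key" by logging a SHA-256 fingerprint instead; the class names, logger name, hostname and key blob are constructed for illustration.

```python
import base64
import hashlib
import logging

try:
    from paramiko import MissingHostKeyPolicy  # real base class when installed
except ImportError:  # assumption: fallback so the sketch runs without paramiko
    MissingHostKeyPolicy = object

log = logging.getLogger("remote_engine_example")  # hypothetical logger name


def sha256_fingerprint(key):
    """OpenSSH-style fingerprint from the raw key blob; never touches MD5."""
    digest = hashlib.sha256(key.asbytes()).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class QuietWarningPolicy(MissingHostKeyPolicy):
    """Hypothetical name. Warns about an unknown host key without calling
    key.get_fingerprint(). Returning without raising accepts the key, as
    paramiko.WarningPolicy does, so the recorded entries need review."""

    def __init__(self):
        self.seen = []  # (hostname, key type, fingerprint)

    def missing_host_key(self, client, hostname, key):
        entry = (hostname, key.get_name(), sha256_fingerprint(key))
        self.seen.append(entry)
        log.warning("Unknown %s host key for %s: %s", entry[1], hostname, entry[2])


class FipsLikeKey:
    """Constructed stand-in for a paramiko PKey on a FIPS host."""

    def __init__(self, blob):
        self._blob = blob

    def get_name(self):
        return "ssh-ed25519"

    def asbytes(self):
        return self._blob

    def get_fingerprint(self):
        raise ValueError("md5 disabled for FIPS")  # simulated failure


def demo():
    policy = QuietWarningPolicy()
    policy.missing_host_key(None, "engine.example.com", FipsLikeKey(b"constructed-key-blob"))
    return policy.seen
```

With paramiko installed, an instance is passed to `SSHClient.set_missing_host_key_policy()` before `connect()`.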