FIPS Compatibility on EL 7

Trying to install GitLab onto a FIPS-enabled host. Ran into FIPS errors. Did a Google search and found a reference that Ruby >= 2.2 should provide FIPS compatibility. The Ruby that is stock with EL7 is 2.0.0p648. The EL Software Collections contains Ruby 2.3, so I installed the rh-ruby23 from SCL and permanently enabled it:

# more /etc/profile.d/
source /opt/rh/rh-ruby23/enable
export X_SCLS="rh-ruby23"

However, it looks like the current GitLab comes with an embedded Chef gem that is not FIPS compatible:

# gitlab-ctl reconfigure
/opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-config-12.12.15/lib/chef-config/config.rb:1012:in `fips_mode=': This version of OpenSSL does not support FIPS mode (OpenSSL::OpenSSLError)
        from /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-config-12.12.15/lib/chef-config/config.rb:1012:in `enable_fips_mode'
        from /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-config-12.12.15/lib/chef-config/config.rb:537:in `init_openssl'
        from /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-12.12.15/lib/chef/application.rb:88:in `configure_chef'
        from /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-12.12.15/lib/chef/application.rb:48:in `reconfigure'
        from /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-12.12.15/lib/chef/application/client.rb:304:in `reconfigure'
        from /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-12.12.15/lib/chef/application.rb:57:in `run'
        from /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/chef-12.12.15/bin/chef-client:26:in `<top (required)>'
        from /opt/gitlab/embedded/bin/chef-client:22:in `load'
        from /opt/gitlab/embedded/bin/chef-client:22:in `<main>'

Is there any way around this issue? Is the embedded Chef gem going to be updated soon? If so, will it fix the issue I’ve run into?

The reconfigure job bails on the embedded Chef gem, so I don’t know if there are any other embedded gems that are not FIPS compatible or if there are further FIPS-related issues. So, this may be the first of a series of posts as I surmount issues.

1 Like

Alright… Helps if you read the comments on other threads that mention FIPS even if they don’t immediately appear related. Looks like exporting CHEF_FIPS= gets past the most immediate issue.

Go ahead, I'll just bump the threads I guess

1 Like
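
An added example, not part of the thread and not GitLab's or Chef's own code: a Ruby preflight check for the mismatch behind the error above, where the kernel is in FIPS mode but the OpenSSL linked into the running Ruby cannot enter it. The function names and the reading of CHEF_FIPS (empty means "skip FIPS enablement", any other set value requests it) are assumptions based on the workaround reported here.

```ruby
require "openssl"

# File the Linux kernel uses to report FIPS mode ("1" means enabled).
KERNEL_FIPS_FLAG = "/proc/sys/crypto/fips_enabled"

# True when the kernel reports FIPS mode; an unreadable file counts as off.
def kernel_fips_enabled?(path = KERNEL_FIPS_FLAG)
  File.read(path).strip == "1"
rescue SystemCallError
  false
end

# True when the OpenSSL linked into *this* Ruby reports itself FIPS-capable.
# Only a build-time constant is read, so process state is not changed.
def openssl_fips_capable?
  defined?(OpenSSL::OPENSSL_FIPS) ? OpenSSL::OPENSSL_FIPS == true : false
end

# Classify the host. chef_fips_env is the raw CHEF_FIPS value (nil = unset).
# Assumption: an empty value means "do not switch OpenSSL into FIPS mode"
# (the thread's workaround); any other set value requests FIPS mode.
def fips_preflight(kernel_fips:, openssl_fips:, chef_fips_env: nil)
  return :override_fips_off if chef_fips_env == ""
  return :fips_not_requested unless kernel_fips || !chef_fips_env.nil?
  openssl_fips ? :fips_ok : :openssl_not_fips_capable
end

FINDINGS = {
  fips_ok: "Kernel and this Ruby's OpenSSL agree: FIPS mode can be enabled.",
  fips_not_requested: "FIPS mode is not requested on this host.",
  openssl_not_fips_capable:
    "FIPS requested, but this Ruby's OpenSSL cannot enter FIPS mode " \
    "(the condition behind the fips_mode= error).",
  override_fips_off:
    "CHEF_FIPS is empty: FIPS enablement is skipped, so this Ruby's " \
    "crypto runs outside FIPS mode even if the kernel enforces it."
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = fips_preflight(kernel_fips: kernel_fips_enabled?,
                          openssl_fips: openssl_fips_capable?,
                          chef_fips_env: ENV["CHEF_FIPS"])
  puts "#{result}: #{FINDINGS.fetch(result)}"
  puts "OpenSSL library: #{OpenSSL::OPENSSL_VERSION}"
end
```

Run it with the Ruby that GitLab embeds rather than the system or SCL Ruby, since the trace comes from gems under /opt/gitlab/embedded and each Ruby links its own OpenSSL.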