/srv/irclogs.ubuntu.com/2023/08/22/#cloud-init.txt

[09:35] <Tassos> Hello,
[09:35] <Tassos> Is it possible to enable the FIPS mode during the installation time with cloud-init ?
[09:36] <Tassos> for example, something like :  fips: true
[09:36] <Tassos> ?
[09:44] <meena> Tassos: no.
[09:47] <Tassos> Oh, it's not possible so far ?
[09:49] <Tassos> I read here : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening
[09:49] <Tassos> "Add the `fips=1` option to the kernel command line during the system installation."
[09:50] <Tassos> So, I assumed there is a way to do this via cloud-init.. :-/
[09:52] <meena> i mean, if you want to modify a grub config file from cloud-init, yes, that's probably possible.
[09:56] <Tassos> Could you give me an example please ?
[09:58] <meena> Tassos: i haven't touched grub in ten years. I mostly work on FreeBSD, and I'm the only person awake.
[09:59] <meena> but basically, you could have a runcmd that does a sed on a grub config file, and then run whatever grub needs to run to update the config
[10:00] <Tassos> Oh! OK! Thanks, by the way! I will try to find something in documentation ( but doesn't help me to be honest )
[10:01] <meena> Tassos: basically, cloud-init reacts to FIPS being enabled, but doesn't do anything to enable it itself.
[10:01] <meena> Which would mean you'd need a second run… and I'm not sure how well that's gonna work
[10:04] <Tassos> Hm.. thanks for letting me know, yes it's a bit new and strange case
[10:04] <Tassos> or maybe you need an image with the FIPS mode already enabled ? ( if that works... :P )
[10:06] <simpoir> couldn't you just set something like `runcmd: ["fips-mode-setup --enable"]` ?
[10:09] <Tassos> I don't know, I will try it now... :-. Let's see...
[10:11] <simpoir> I don't know enough about RHEL, but from the doc linked, it seems like that tool can be called directly.
[10:15] <Tassos> Hm.. reading again from official RHEL documentation :
[10:15] <Tassos> > Switching the system to FIPS mode by using the fips-mode-setup tool does not guarantee compliance with the FIPS 140 standard. Re-generating all cryptographic keys after setting the system to FIPS mode may not be possible.
[10:16] <Tassos> So, it's not the best idea
[10:17] <Tassos> For sure, I am able to do this ( I've done this ) after launching a new VM, but I don't know enough about cloud-init so that's why I am asking here, I don't know if it is possible to add a kernel parameter
[10:23] <simpoir> Well, you could also use the write_files and power_state cloud-config to switch the grub config with your own and reboot once.
[15:30] <minimal> Tassos: "during the installation time with cloud-init" - typically cloud-init is not run at installation time, it is run upon boot(s) of an already installed system.
