[09:35] <Tassos> Hello,
[09:35] <Tassos> Is it possible to enable the FIPS mode during the installation time with cloud-init ?
[09:36] <Tassos> for example, something like :  fips: true
[09:36] <Tassos> ?
[09:44] <meena> Tassos: no.
[09:47] <Tassos> Oh, it's not possible so far ?
[09:49] <Tassos> I read here : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_installing-a-rhel-8-system-with-fips-mode-enabled_security-hardening
[09:49] <Tassos> "Add the `fips=1` option to the kernel command line during the system installation."
[09:50] <Tassos> So, I assumed there is a way to do this via cloud-init.. :-/
[09:52] <meena> i mean, if you want to modify a grub config file from cloud-init, yes, that's probably possible.
[09:56] <Tassos> Could you give me an example please ?
[09:58] <meena> Tassos: i haven't touched grub in ten years. I mostly work on FreeBSD, and I'm the only person awake.
[09:59] <meena> but basically, you could have a runcmd that does a sed on a grub config file, and then run whatever grub needs to run to update the config
[10:00] <Tassos> Oh! OK! Thanks by the way! I will try to find something in the documentation ( but it doesn't help me to be honest )
[10:01] <meena> Tassos: basically, cloud-init reacts to FIPS being enabled, but doesn't do anything to enable it itself.
[10:01] <meena> Which would mean you'd need a second run… and I'm not sure how well that's gonna work
[10:04] <Tassos> Hm.. thanks for letting me know, yes it's a bit new and strange case
[10:04] <Tassos> or maybe you need an image with the FIPS mode already enabled ? ( if that works... :P )
[10:06] <simpoir> couldn't you just set something like `runcmd: ["fips-mode-setup --enable"]` ?
[10:09] <Tassos> I don't know, I will try it now... :-. Let's see...
[10:11] <simpoir> I don't know enough about RHEL, but from the doc linked, it seems like that tool can be called directly.
[10:15] <Tassos> Hm.. reading again from official RHEL documentation :
[10:15] <Tassos> > Switching the system to FIPS mode by using the fips-mode-setup tool does not guarantee compliance with the FIPS 140 standard. Re-generating all cryptographic keys after setting the system to FIPS mode may not be possible.
[10:16] <Tassos> So, it's not the best idea
[10:17] <Tassos> For sure, I am able to do this ( I've done this ) after launching a new VM, but I don't know enough about cloud-init so that's why I am asking here, I don't know if it is possible to add a kernel parameter
[10:23] <simpoir> Well, you could also use the write_files and power_state cloud-config to switch the grub config with your own and reboot once.
[15:30] <minimal> Tassos: "during the installation time with cloud-init" - typically cloud-init is not run at installation time, it is run upon boot(s) of an already installed system.