Skip to content

Fix order of enabling FIPS in try#4760

Merged
happz merged 1 commit intoteemtee:mainfrom
The-Mule:tmt-try-fips-order
Apr 13, 2026
Merged

Fix order of enabling FIPS in try#4760
happz merged 1 commit intoteemtee:mainfrom
The-Mule:tmt-try-fips-order

Conversation

@The-Mule
Copy link
Copy Markdown
Contributor

@The-Mule The-Mule commented Mar 27, 2026
edited
Loading

It is recommended to run FIPS prepare feature after all test dependencies are installed to prevent issues with packages using FIPS-incompatible digests. This only applies to tmt try but a note into FIPS prepare feature is added too.

Pull Request Checklist

  • implement the feature
  • write the documentation
  • extend the test coverage
  • update the specification
  • adjust plugin docstring
  • modify the json schema
  • mention the version
  • include a release note

@The-Mule The-Mule requested a review from falconizmi as a code owner March 27, 2026 18:02
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Mar 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds an order parameter to the FIPS data preparation in tmt/trying.py. Feedback suggests documenting the magic number 99 to clarify its execution order relative to package installation.

Comment thread tmt/trying.py Outdated
@The-Mule The-Mule marked this pull request as draft March 30, 2026 11:50
@The-Mule The-Mule force-pushed the tmt-try-fips-order branch from e94b1c6 to 5d425ba Compare March 30, 2026 12:05
@The-Mule The-Mule marked this pull request as ready for review March 30, 2026 12:07
@The-Mule The-Mule marked this pull request as draft March 30, 2026 12:08
@The-Mule The-Mule force-pushed the tmt-try-fips-order branch from 5d425ba to 534df59 Compare March 30, 2026 12:12
@The-Mule The-Mule marked this pull request as ready for review March 30, 2026 12:13
happz
happz reviewed Mar 30, 2026
View reviewed changes
Comment thread tmt/steps/prepare/feature/fips.py Outdated
@The-Mule The-Mule force-pushed the tmt-try-fips-order branch from 534df59 to 83cffd0 Compare March 30, 2026 14:58
@The-Mule The-Mule changed the title Fix order of fips prepare step in tmt try Fix order of enabling FIPS in try Mar 30, 2026
@thrix thrix added step | prepare Stuff related to the prepare step plugin | feature The feature prepare plugin command | try tmt try command and removed step | prepare Stuff related to the prepare step labels Apr 1, 2026
@thrix thrix added this to planning Apr 1, 2026
@github-project-automation github-project-automation Bot moved this to backlog in planning Apr 1, 2026
@thrix thrix moved this from backlog to implement in planning Apr 1, 2026
@thrix thrix removed the status in planning Apr 1, 2026
@thrix thrix moved this to review in planning Apr 1, 2026
@LecrisUT
Copy link
Copy Markdown
Member

LecrisUT commented Apr 2, 2026

This only applies to tmt try but a note into FIPS prepare feature is added too.

Can you elaborate on why this is so?

@The-Mule
Copy link
Copy Markdown
Contributor Author

The-Mule commented Apr 8, 2026

Can you elaborate on why this is so?

It would be best to have the default order of fips prepare feature but it seems not possible at the moment (see #4760 (comment)). On the other hand one can make sure the order is just right be specifying it in the plan. This is not possible in tmt try though and hence we might want to have the default at least there.

I actually hit the problem with tmt try --fips - it first enabled FIPS mode and then proceeded to installing test dependencies and eventually failed to install some beakerlib library from beaker task library because its rpm had SHA1 digest that is rejected in FIPS mode.

@LecrisUT
Copy link
Copy Markdown
Member

LecrisUT commented Apr 8, 2026

Can you elaborate on why this is so?

It would be best to have the default order of fips prepare feature but it seems not possible at the moment (see #4760 (comment)). On the other hand one can make sure the order is just right be specifying it in the plan. This is not possible in tmt try though and hence we might want to have the default at least there.

I actually hit the problem with tmt try --fips - it first enabled FIPS mode and then proceeded to installing test dependencies and eventually failed to install some beakerlib library from beaker task library because its rpm had SHA1 digest that is rejected in FIPS mode.

My main question here is why is it only affecting tmt try? Even with the example, it sounds like it would affect tmt run as well. Ah, is it that it is indeed an issue but it cannot be addressed currently?

The failure does sound like it is doing what it is supposed to be doing (catching improperly signed packages?). Are there other opt-outs that can be provided to fips to say some repos should be checked? Or maybe just disabling gpgcheck on the beakerlib task library would also help?

@happz
Copy link
Copy Markdown
Contributor

happz commented Apr 8, 2026

My main question here is why is it only affecting tmt try? Even with the example, it sounds like it would affect tmt run as well. Ah, is it that it is indeed an issue but it cannot be addressed currently?

We can enforce order of phases we add, to install requirements, we could enforce order of prepare/feature phases easily, but not the prepare/feature-but-only-if-it's-fips. We can override PrepareFeatureData.order field and set it to something else then the default value, but that would affect all features owned by the prepare/feature plugin, not just FIPS. Programmatically distinguishing between various phases would be more work.

@The-Mule
Copy link
Copy Markdown
Contributor Author

The-Mule commented Apr 8, 2026

In modern infrastrucute it does not matter if FIPS is enabled before or after package installations because nobody should really use MD5 or SHA1 for rpm signatures. But we are dealing with old infractructure that uses these insecure algorithms and to work around it we need to postpone enabling FIPS mode. While tmt plans allow us to do this only when it's actually needed there is no way to do it in tmt try. It feels like this is a workaround, I see it as a way to make try a bit more robust.

@LecrisUT
Copy link
Copy Markdown
Member

LecrisUT commented Apr 8, 2026

Ah ok, I kinda understand it now. I will leave the how should fips be handled to those more familiar with it, but yeah, this makes sense enough to me now.

LecrisUT
LecrisUT approved these changes Apr 8, 2026
View reviewed changes
Comment thread tmt/steps/__init__.py Outdated
@The-Mule The-Mule force-pushed the tmt-try-fips-order branch from 83cffd0 to 0d23aa2 Compare April 9, 2026 08:11
@tcornell-bus tcornell-bus self-assigned this Apr 10, 2026
@tcornell-bus
Copy link
Copy Markdown
Contributor

tcornell-bus commented Apr 10, 2026

/packit build

tcornell-bus
tcornell-bus approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@tcornell-bus tcornell-bus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, works as expected after fix

@tcornell-bus tcornell-bus added the ci | full test Pull request is ready for the full test execution label Apr 13, 2026
@The-Mule @happz
Fix order of enabling FIPS in try
bc29bbe 
To prevent issues with installation of packages signed by non-FIPS-compliant
algorithms it is recommended to run FIPS prepare feature after all prepare
package installation steps. This change only applies to to 'try' command but
a note about this is added to FIPS prepare feature documentation.

Signed-off-by: Ondrej Moris <omoris@redhat.com>
@happz happz force-pushed the tmt-try-fips-order branch from 0d23aa2 to bc29bbe Compare April 13, 2026 20:22
@happz
Copy link
Copy Markdown
Contributor

happz commented Apr 13, 2026

/packit build

@happz happz merged commit 66de140 into teemtee:main Apr 13, 2026
32 checks passed
@github-project-automation github-project-automation Bot moved this from review to done in planning Apr 13, 2026
@psss psss added this to the 1.72 milestone Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@happz happz happz left review comments

@LecrisUT LecrisUT LecrisUT approved these changes

@tcornell-bus tcornell-bus tcornell-bus approved these changes

@falconizmi falconizmi Awaiting requested review from falconizmi falconizmi is a code owner

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@tcornell-bus tcornell-bus

Labels

ci | full test Pull request is ready for the full test execution command | try tmt try command plugin | feature The feature prepare plugin

Projects

planning
Status: done

Milestone

1.72

Development

Successfully merging this pull request may close these issues.

6 participants

@The-Mule @LecrisUT @happz @tcornell-bus @thrix @psss