 |
On a fresh Rocky 9 install, the dependencies are different. I'm not sure they're 1:1 with RHEL anymore, since I don't see openssl-fips-provider being available anymore, which would make this more of a post-migrate2rocky issue. Rocky systemd (252-32.el9_4.6 ) doesn't require openssl-fips-provider, Doesn't look like openssl-fips-provider is even available in @baseos anymore. |
 |
>RHEL9 and OEL9 both yanked /usr/lib64/ossl-modules/fips.so out of the openssl-libs RPM, but Rocky still has it in there. This is correct. We are not FIPS certified, and they are. >Rocky systemd (252-32.el9_4.6 ) doesn't require openssl-fips-provider, It never has, directly. You can verify this in the spec file. https://git.rockylinux.org/staging/rpms/systemd/-/blob/r9/SPECS/systemd.spec The most it has ever required is openssl-libs and in the case of RHEL, openssl-fips-provider is brought in as a dependency of openssl-libs. >Doesn't look like openssl-fips-provider is even available in @baseos anymore. This is correct. openssl-libs and openssl-fips-provider conflict, and as such there is very little reason to have both. As we are not FIPS certified like our upstream (and likely oracle too), having openssl-fips-provider makes very little sense. In fact, let's look at the spec file and see why this conflict existed: https://git.rockylinux.org/staging/rpms/openssl/-/blob/r9/SPECS/openssl.spec?ref_type=heads#L244 - In this section, it states this: %if ( %{defined rhel} && (! %{defined centos}) ) Requires: openssl-fips-provider %endif This says that if the %rhel macro is defined *and* the %centos macro is NOT defined, then require openssl-fips-provider. https://git.rockylinux.org/staging/rpms/openssl/-/blob/r9/SPECS/openssl.spec?ref_type=heads#L399 %if ( %{defined rhel} && (! %{defined centos}) ) %define __spec_install_post \ rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ %{nil} %else %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \ mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ %{nil} %endif Same thing here. Notice how in the "else" the fips library is being generated? This is what happens for us as define both %rhel and %centos in rocky-release. This is by design and helps us maintain compatibility with CentOS Stream SIG's and other related package building efforts. ---- It does not make sense for us to have both openssl-fips-provider and openssl-libs provide the same library. openssl-fips-provider is for RHEL (and Oracle it seems). CentOS Stream does not provide this package either. I would imagine the reason why is because CentOS Stream is/cannot be FIPS certified. This is, however, a guess. With all of that said, the migrate2rocky9.sh script has been changed to detect FIPS mode being enabled. If it is enabled, the script will stop. If it is not enabled, openssl-fips-provider will be removed, which means openssl-libs reinstallation should work normally. --- If the updated script at https://github.com/rocky-linux/rocky-tools/blob/main/migrate2rocky/migrate2rocky9.sh is still not working for you, please open an issue there. |
|
|
Just trying to throw some extra notes in here.... FIPS mode wasn't enabled (verified by "fips-mode-setup --check", at least after the migrate2rocky9, but shouldn't have been set before either). Now, we do have a bunch of stuff set up for CIS hardening, so maybe we're triggering something. Things seem happy running this: rpm --erase --nodeps openssl-fips-provider yum update openssl-libs In my after-mgirate case, we had the old RHEL openssl-libs with the openssl-fips-provider dependency, but I could erase it and do the update, pulling in the Rockey openssl-libs that doesn't have that issue. If you've tweaked migrate2rocky9, then we'll never end up in this situation (great!). |
- Anonymous
