Thread

  1. New buildfarm animals with FIPS mode enabled

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-02-14T18:01:32Z

    I see that somebody decided to crank up some animals running
    RHEL8 and RHEL9 with FIPS mode turned on.  The RHEL9 animals
    pass on v17 and master, but not older branches; the RHEL8
    animals pass nowhere.  This is unsurprising given that the
    v17-era commits that allowed our regression tests to pass
    under FIPS mode (795592865 and a bunch of others) explicitly
    targeted only OpenSSL 3:
    
        These new expected files currently cover the FIPS mode provided by
        OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
        Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
        Fedora 35).  (The latter will have some error message wording
        differences.)
    
    I'm kind of disinclined to do all the work that'd be needed to turn
    these animals completely green, especially when the reason to do it
    seems to be that someone decided we should without any community
    consultation.  Perhaps others have different opinions though.
    
    Thoughts?
    
    			regards, tom lane
    
    
    
    
  2. Re: New buildfarm animals with FIPS mode enabled

    Daniel Gustafsson <daniel@yesql.se> — 2025-02-14T20:51:37Z

    > On 14 Feb 2025, at 19:01, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    
    > I'm kind of disinclined to do all the work that'd be needed to turn
    > these animals completely green, especially when the reason to do it
    > seems to be that someone decided we should without any community
    > consultation.  Perhaps others have different opinions though.
    
    If the owner of the BF animal shows up with a patch for providing alternative
    outputs for the backbranches I don't mind accepting it, I'm not volunteering
    myself to do more than review though.
    
    --
    Daniel Gustafsson
    
    
    
    
    
  3. Re: New buildfarm animals with FIPS mode enabled

    Jacob Champion <jacob.champion@enterprisedb.com> — 2025-02-14T22:28:15Z

    On Fri, Feb 14, 2025 at 12:51 PM Daniel Gustafsson <daniel@yesql.se> wrote:
    >
    > > On 14 Feb 2025, at 19:01, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >
    > > I'm kind of disinclined to do all the work that'd be needed to turn
    > > these animals completely green, especially when the reason to do it
    > > seems to be that someone decided we should without any community
    > > consultation.  Perhaps others have different opinions though.
    >
    > If the owner of the BF animal shows up with a patch for providing alternative
    > outputs for the backbranches I don't mind accepting it, I'm not volunteering
    > myself to do more than review though.
    
    I'm not buildfarm@, but these animals have now been stopped until we
    get them figured out. Sorry -- and thanks for the ping Tom!
    
    --Jacob
    
    
    
    
  4. Re: New buildfarm animals with FIPS mode enabled

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-02-14T22:44:40Z

    Jacob Champion <jacob.champion@enterprisedb.com> writes:
    > I'm not buildfarm@, but these animals have now been stopped until we
    > get them figured out. Sorry -- and thanks for the ping Tom!
    
    Thanks for that.  Just to be clear, I think it'd be great to run
    those RHEL9 animals on v17 and later.  I'm only questioning whether
    it's worth the work to back-patch the regression changes to older
    branches, and even more whether we'd learn anything by supporting
    OpenSSL 1.x's variant spelling of the error messages.
    
    Back-patching to make OpenSSL 3 green on all current branches would
    at least be a one-time effort.  The other thing would entail a new
    set of variant expected-files that we'd have to maintain into the
    future, so I'm feeling much more dubious about that one.
    
    			regards, tom lane
    
    
    
    
  5. Re: New buildfarm animals with FIPS mode enabled

    Mark Wong <markwkm@gmail.com> — 2025-02-15T16:55:32Z

    Hi Tom,
    
    On 2/14/25 10:01 AM, Tom Lane wrote:
    > I see that somebody decided to crank up some animals running
    > RHEL8 and RHEL9 with FIPS mode turned on.  The RHEL9 animals
    > pass on v17 and master, but not older branches; the RHEL8
    > animals pass nowhere.  This is unsurprising given that the
    > v17-era commits that allowed our regression tests to pass
    > under FIPS mode (795592865 and a bunch of others) explicitly
    > targeted only OpenSSL 3:
    > 
    >      These new expected files currently cover the FIPS mode provided by
    >      OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
    >      Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
    >      Fedora 35).  (The latter will have some error message wording
    >      differences.)
    > 
    > I'm kind of disinclined to do all the work that'd be needed to turn
    > these animals completely green, especially when the reason to do it
    > seems to be that someone decided we should without any community
    > consultation.  Perhaps others have different opinions though.	
    
    That's my fault.  I did a sloppy job copying configs etc from the s390x 
    fips animals and forgot about the OS versions, branches, etc.  Peter 
    Eisentraut reminded me I think I cleaned that all up.
    
    Regards,
    Mark
    
    
    
    
  6. Re: New buildfarm animals with FIPS mode enabled

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-02-15T16:57:40Z

    Mark Wong <markwkm@gmail.com> writes:
    > That's my fault.  I did a sloppy job copying configs etc from the s390x 
    > fips animals and forgot about the OS versions, branches, etc.  Peter 
    > Eisentraut reminded me I think I cleaned that all up.
    
    Cool, thanks.
    
    			regards, tom lane
    
    
    
    
  7. Re: New buildfarm animals with FIPS mode enabled

    Álvaro Herrera <alvherre@alvh.no-ip.org> — 2025-02-17T10:36:29Z

    Hello,
    
    So in light of this conversation, what to do about the following pending
    requests?
    
    pgbfprod=> select format('%s %s', operating_system, os_version) as "OS" from pending();
                         OS                      
    ---------------------------------------------
     Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
     Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
     Ubuntu 18.04.6 LTS (Bionic Beaver) FIPS-140
    
    As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
    though of course OpenSSL 3 could be installed on them.  Should I just
    delete these requests?
    
    Thanks
    
    -- 
    Álvaro Herrera               48°01'N 7°57'E  —  https://www.EnterpriseDB.com/
    "Los dioses no protegen a los insensatos.  Éstos reciben protección de
    otros insensatos mejor dotados" (Luis Wu, Mundo Anillo)
    
    
    
    
  8. Re: New buildfarm animals with FIPS mode enabled

    Mark Wong <markwkm@gmail.com> — 2025-02-17T16:10:32Z

    > On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:
    > Hello,
    > 
    > So in light of this conversation, what to do about the following pending
    > requests?
    > 
    > pgbfprod=> select format('%s %s', operating_system, os_version) as "OS" from pending();
    >                     OS                      
    > ---------------------------------------------
    > Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
    > Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
    > Ubuntu 18.04.6 LTS (Bionic Beaver) FIPS-140
    > 
    > As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
    > though of course OpenSSL 3 could be installed on them.  Should I just
    > delete these requests?
    
    I’m away from my desk until later this week so I don’t recall whether Ubuntu with FIPS is supposed to work.  If someone already knows I’m ok with deleting them. Otherwise I will double check soon…
    
    Regards,
    Mark
    
    
    
  9. Re: New buildfarm animals with FIPS mode enabled

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-02-17T16:26:53Z

    Mark Wong <markwkm@gmail.com> writes:
    > On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:
    >> As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
    >> though of course OpenSSL 3 could be installed on them.  Should I just
    >> delete these requests?
    
    > I’m away from my desk until later this week so I don’t recall whether Ubuntu with FIPS is supposed to work.  If someone already knows I’m ok with deleting them. Otherwise I will double check soon…
    
    I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
    platform.
    
    			regards, tom lane
    
    
    
    
  10. Re: New buildfarm animals with FIPS mode enabled

    Daniel Gustafsson <daniel@yesql.se> — 2025-02-17T19:03:39Z

    > On 17 Feb 2025, at 17:26, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > 
    > Mark Wong <markwkm@gmail.com> writes:
    >> On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:
    >>> As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
    >>> though of course OpenSSL 3 could be installed on them.  Should I just
    >>> delete these requests?
    > 
    >> I’m away from my desk until later this week so I don’t recall whether Ubuntu with FIPS is supposed to work.  If someone already knows I’m ok with deleting them. Otherwise I will double check soon…
    > 
    > I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
    > platform.
    
    Isn't it postgres version mostly?  We fixed so the testsuite passed on FIPS
    enabled machines by just not using anything that violates FIPS but I don't
    remember anything OpenSSL version specific.
    
    --
    Daniel Gustafsson
    
    
    
    
    
  11. Re: New buildfarm animals with FIPS mode enabled

    Tom Lane <tgl@sss.pgh.pa.us> — 2025-02-17T19:23:55Z

    Daniel Gustafsson <daniel@yesql.se> writes:
    > On 17 Feb 2025, at 17:26, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    >> I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
    >> platform.
    
    > Isn't it postgres version mostly?  We fixed so the testsuite passed on FIPS
    > enabled machines by just not using anything that violates FIPS but I don't
    > remember anything OpenSSL version specific.
    
    No, there are two distinct problems:
    
    1. We "support" FIPS in the regression tests by providing variant
    expected-files that represent the error messages that you'll get in
    FIPS mode.  Currently, there's only one such variant file per test
    and it shows the error message spelling you get from OpenSSL 3.x.
    1.x has a different spelling, cf [1].
    
    2. None of this support existed before PG v17.
    
    It'd be practical to crank up FIPS-mode BF animals on OpenSSL 3.x
    platforms so long as you make them test only branches >= v17.
    Such animals on OpenSSL 1.x will fail on all branches.
    
    Obviously, we could talk about extending the regression tests'
    support for these cases, but I'm really dubious that it's worth
    the work.
    
    			regards, tom lane
    
    [1] https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=cixiid&dt=2025-02-13%2009%3A27%3A17
    
    
    
    
  12. Re: New buildfarm animals with FIPS mode enabled

    Daniel Gustafsson <daniel@yesql.se> — 2025-02-17T19:45:12Z

    > On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > Daniel Gustafsson <daniel@yesql.se> writes:
    > 
    >> Isn't it postgres version mostly?  We fixed so the testsuite passed on FIPS
    >> enabled machines by just not using anything that violates FIPS but I don't
    >> remember anything OpenSSL version specific.
    > 
    > No, there are two distinct problems:
    
    Ah, right, thanks.
    
    > Obviously, we could talk about extending the regression tests'
    > support for these cases, but I'm really dubious that it's worth
    > the work.
    
    Agreed.
    
    --
    Daniel Gustafsson
    
    
    
    
    
  13. Re: New buildfarm animals with FIPS mode enabled

    Álvaro Herrera <alvherre@alvh.no-ip.org> — 2025-02-18T13:41:18Z

    On 2025-Feb-17, Daniel Gustafsson wrote:
    
    > On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    
    > > Obviously, we could talk about extending the regression tests'
    > > support for these cases, but I'm really dubious that it's worth
    > > the work.
    > 
    > Agreed.
    
    This means that unless Mark is willing to install OpenSSL 3 from source,
    these buildfarm animals are not viable.  I'll wait for Mark to confirm,
    but given the number of animals he maintains, I think it's not really
    feasible to have some which require individual patching work.
    
    -- 
    Álvaro Herrera        Breisgau, Deutschland  —  https://www.EnterpriseDB.com/
    
    
    
    
  14. Re: New buildfarm animals with FIPS mode enabled

    Mark Wong <markwkm@gmail.com> — 2025-02-20T18:45:21Z

    On Tue, Feb 18, 2025 at 02:41:18PM +0100, Álvaro Herrera wrote:
    > On 2025-Feb-17, Daniel Gustafsson wrote:
    > 
    > > On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
    > 
    > > > Obviously, we could talk about extending the regression tests'
    > > > support for these cases, but I'm really dubious that it's worth
    > > > the work.
    > > 
    > > Agreed.
    > 
    > This means that unless Mark is willing to install OpenSSL 3 from source,
    > these buildfarm animals are not viable.  I'll wait for Mark to confirm,
    > but given the number of animals he maintains, I think it's not really
    > feasible to have some which require individual patching work.
    
    Yeah, I can install OpenSSL 3 from source.  I'm trying make better use
    of Ansible to help.
    
    Regards,
    Mark