New buildfarm animals with FIPS mode enabled

Started by Tom Lane, 11 months ago, 14 messages
#1 Tom Lane
tgl@sss.pgh.pa.us

I see that somebody decided to crank up some animals running
RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals
pass on v17 and master, but not older branches; the RHEL8
animals pass nowhere. This is unsurprising given that the
v17-era commits that allowed our regression tests to pass
under FIPS mode (795592865 and a bunch of others) explicitly
targeted only OpenSSL 3:

These new expected files currently cover the FIPS mode provided by
OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
Fedora 35). (The latter will have some error message wording
differences.)

I'm kind of disinclined to do all the work that'd be needed to turn
these animals completely green, especially when the reason to do it
seems to be that someone decided we should without any community
consultation. Perhaps others have different opinions though.

Thoughts?

regards, tom lane

#2 Daniel Gustafsson
daniel@yesql.se
In reply to: Tom Lane (#1)
Re: New buildfarm animals with FIPS mode enabled

On 14 Feb 2025, at 19:01, Tom Lane <tgl@sss.pgh.pa.us> wrote:

I'm kind of disinclined to do all the work that'd be needed to turn
these animals completely green, especially when the reason to do it
seems to be that someone decided we should without any community
consultation. Perhaps others have different opinions though.

If the owner of the BF animal shows up with a patch for providing alternative
outputs for the backbranches I don't mind accepting it, I'm not volunteering
myself to do more than review though.

--
Daniel Gustafsson

#3 Jacob Champion
jacob.champion@enterprisedb.com
In reply to: Daniel Gustafsson (#2)
Re: New buildfarm animals with FIPS mode enabled

On Fri, Feb 14, 2025 at 12:51 PM Daniel Gustafsson <daniel@yesql.se> wrote:

On 14 Feb 2025, at 19:01, Tom Lane <tgl@sss.pgh.pa.us> wrote:

I'm kind of disinclined to do all the work that'd be needed to turn
these animals completely green, especially when the reason to do it
seems to be that someone decided we should without any community
consultation. Perhaps others have different opinions though.

If the owner of the BF animal shows up with a patch for providing alternative
outputs for the backbranches I don't mind accepting it, I'm not volunteering
myself to do more than review though.

I'm not buildfarm@, but these animals have now been stopped until we
get them figured out. Sorry -- and thanks for the ping Tom!

--Jacob

#4 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Jacob Champion (#3)
Re: New buildfarm animals with FIPS mode enabled

Jacob Champion <jacob.champion@enterprisedb.com> writes:

I'm not buildfarm@, but these animals have now been stopped until we
get them figured out. Sorry -- and thanks for the ping Tom!

Thanks for that. Just to be clear, I think it'd be great to run
those RHEL9 animals on v17 and later. I'm only questioning whether
it's worth the work to back-patch the regression changes to older
branches, and even more whether we'd learn anything by supporting
OpenSSL 1.x's variant spelling of the error messages.

Back-patching to make OpenSSL 3 green on all current branches would
at least be a one-time effort. The other thing would entail a new
set of variant expected-files that we'd have to maintain into the
future, so I'm feeling much more dubious about that one.

regards, tom lane

#5 Mark Wong
markwkm@gmail.com
In reply to: Tom Lane (#1)
Re: New buildfarm animals with FIPS mode enabled

Hi Tom,

On 2/14/25 10:01 AM, Tom Lane wrote:

I see that somebody decided to crank up some animals running
RHEL8 and RHEL9 with FIPS mode turned on. The RHEL9 animals
pass on v17 and master, but not older branches; the RHEL8
animals pass nowhere. This is unsurprising given that the
v17-era commits that allowed our regression tests to pass
under FIPS mode (795592865 and a bunch of others) explicitly
targeted only OpenSSL 3:

These new expected files currently cover the FIPS mode provided by
OpenSSL 3.x as well as the modified OpenSSL 3.x from Red Hat (e.g.,
Fedora 38), but not the modified OpenSSL 1.x from Red Hat (e.g.,
Fedora 35). (The latter will have some error message wording
differences.)

I'm kind of disinclined to do all the work that'd be needed to turn
these animals completely green, especially when the reason to do it
seems to be that someone decided we should without any community
consultation. Perhaps others have different opinions though.

That's my fault. I did a sloppy job copying configs etc from the s390x
fips animals and forgot about the OS versions, branches, etc. Peter
Eisentraut reminded me I think I cleaned that all up.

Regards,
Mark

#6 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Mark Wong (#5)
Re: New buildfarm animals with FIPS mode enabled

Mark Wong <markwkm@gmail.com> writes:

That's my fault. I did a sloppy job copying configs etc from the s390x
fips animals and forgot about the OS versions, branches, etc. Peter
Eisentraut reminded me I think I cleaned that all up.

Cool, thanks.

regards, tom lane

#7 Álvaro Herrera
alvherre@alvh.no-ip.org
In reply to: Mark Wong (#5)
Re: New buildfarm animals with FIPS mode enabled

Hello,

So in light of this conversation, what to do about the following pending
requests?

pgbfprod=> select format('%s %s', operating_system, os_version) as "OS" from pending();
OS
---------------------------------------------
Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
Ubuntu 18.04.6 LTS (Bionic Beaver) FIPS-140

As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
though of course OpenSSL 3 could be installed on them. Should I just
delete these requests?

Thanks

--
Álvaro Herrera 48°01'N 7°57'E — https://www.EnterpriseDB.com/
"Los dioses no protegen a los insensatos. Éstos reciben protección de
otros insensatos mejor dotados" (Luis Wu, Mundo Anillo)

#8 Mark Wong
markwkm@gmail.com
In reply to: Álvaro Herrera (#7)
Re: New buildfarm animals with FIPS mode enabled

On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:
Hello,

So in light of this conversation, what to do about the following pending
requests?

pgbfprod=> select format('%s %s', operating_system, os_version) as "OS" from pending();
OS
---------------------------------------------
Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
Ubuntu 20.04.6 LTS (Focal Fossa) FIPS-140
Ubuntu 18.04.6 LTS (Bionic Beaver) FIPS-140

As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
though of course OpenSSL 3 could be installed on them. Should I just
delete these requests?

I’m away from my desk until later this week so I don’t recall whether Ubuntu with FIPS is supposed to work. If someone already knows I’m ok with deleting them. Otherwise I will double check soon…

Regards,
Mark

#9 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Mark Wong (#8)
Re: New buildfarm animals with FIPS mode enabled

Mark Wong <markwkm@gmail.com> writes:

On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:

As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
though of course OpenSSL 3 could be installed on them. Should I just
delete these requests?

I’m away from my desk until later this week so I don’t recall whether Ubuntu with FIPS is supposed to work. If someone already knows I’m ok with deleting them. Otherwise I will double check soon…

I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
platform.

regards, tom lane

#10 Daniel Gustafsson
daniel@yesql.se
In reply to: Tom Lane (#9)
Re: New buildfarm animals with FIPS mode enabled

On 17 Feb 2025, at 17:26, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Mark Wong <markwkm@gmail.com> writes:

On Feb 17, 2025, at 2:36 AM, Álvaro Herrera <alvherre@alvh.no-ip.org> wrote:

As I understand, both of these Ubuntu versions ship with OpenSSL 1.1,
though of course OpenSSL 3 could be installed on them. Should I just
delete these requests?

I’m away from my desk until later this week so I don’t recall whether Ubuntu with FIPS is supposed to work. If someone already knows I’m ok with deleting them. Otherwise I will double check soon…

I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
platform.

Isn't it postgres version mostly? We fixed so the testsuite passed on FIPS
enabled machines by just not using anything that violates FIPS but I don't
remember anything OpenSSL version specific.

--
Daniel Gustafsson

#11 Tom Lane
tgl@sss.pgh.pa.us
In reply to: Daniel Gustafsson (#10)
Re: New buildfarm animals with FIPS mode enabled

Daniel Gustafsson <daniel@yesql.se> writes:

On 17 Feb 2025, at 17:26, Tom Lane <tgl@sss.pgh.pa.us> wrote:

I believe the main concern is OpenSSL 1.x versus 3.x, not a specific
platform.

Isn't it postgres version mostly? We fixed so the testsuite passed on FIPS
enabled machines by just not using anything that violates FIPS but I don't
remember anything OpenSSL version specific.

No, there are two distinct problems:

1. We "support" FIPS in the regression tests by providing variant
expected-files that represent the error messages that you'll get in
FIPS mode. Currently, there's only one such variant file per test
and it shows the error message spelling you get from OpenSSL 3.x.
1.x has a different spelling, cf [1].

2. None of this support existed before PG v17.

It'd be practical to crank up FIPS-mode BF animals on OpenSSL 3.x
platforms so long as you make them test only branches >= v17.
Such animals on OpenSSL 1.x will fail on all branches.

Obviously, we could talk about extending the regression tests'
support for these cases, but I'm really dubious that it's worth
the work.

regards, tom lane

[1]: https://buildfarm.postgresql.org/cgi-bin/show_log.pl?nm=cixiid&dt=2025-02-13%2009%3A27%3A17
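
The rule stated in the message above (FIPS-mode animals are practical only on OpenSSL 3.x and only for branches >= v17) can be turned into a preflight check for an animal's branch list. This is an added example, not part of the thread and not buildfarm client code; the function names are hypothetical, the branch names assume the `REL_NN_STABLE` / `HEAD` naming, and the version strings in the demo are constructed samples.

```shell
#!/bin/sh
# Added example: which branches should a FIPS-mode animal be configured to test?

# Major version from an `openssl version` line; empty if the line is not OpenSSL.
openssl_major() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9]*\)\..*/\1/p'
}

# PostgreSQL major version of a branch name; HEAD/master count as newest.
branch_major() {
    case "$1" in
        HEAD|master) echo 9999 ;;
        REL_*_STABLE)
            printf '%s\n' "$1" | sed -n 's/^REL_\([0-9][0-9]*\)_STABLE$/\1/p' ;;
        REL[0-9]*_STABLE)   # pre-v10 naming, e.g. REL9_6_STABLE
            printf '%s\n' "$1" |
                sed -n 's/^REL\([0-9][0-9]*\)_[0-9][0-9]*_STABLE$/\1/p' ;;
    esac
}

# viable_branches FIPS_FLAG OPENSSL_VERSION_LINE BRANCH...
# Prints the branches expected to pass, space-separated (empty line if none).
viable_branches() {
    fips=$1
    major=$(openssl_major "$2")
    shift 2
    out=
    for b in "$@"; do
        if [ "$fips" = 1 ]; then
            # OpenSSL 1.x spells the FIPS errors differently: fails everywhere.
            [ "${major:-0}" -ge 3 ] || continue
            # The FIPS variant expected-files exist only from v17 on.
            bm=$(branch_major "$b")
            [ "${bm:-0}" -ge 17 ] || continue
        fi
        out="${out:+$out }$b"
    done
    printf '%s\n' "$out"
}

# Demo on constructed inputs. On a live Linux host the first two arguments
# would be "$(cat /proc/sys/crypto/fips_enabled)" and "$(openssl version)".
viable_branches 1 "OpenSSL 3.0.7 1 Nov 2022" REL_16_STABLE REL_17_STABLE HEAD
viable_branches 1 "OpenSSL 1.1.1k  FIPS 25 Mar 2021" REL_17_STABLE HEAD
```

An empty result means the animal cannot go green on any of the listed branches without extra expected-file work.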

#12 Daniel Gustafsson
daniel@yesql.se
In reply to: Tom Lane (#11)
Re: New buildfarm animals with FIPS mode enabled

On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:
Daniel Gustafsson <daniel@yesql.se> writes:

Isn't it postgres version mostly? We fixed so the testsuite passed on FIPS
enabled machines by just not using anything that violates FIPS but I don't
remember anything OpenSSL version specific.

No, there are two distinct problems:

Ah, right, thanks.

Obviously, we could talk about extending the regression tests'
support for these cases, but I'm really dubious that it's worth
the work.

Agreed.

--
Daniel Gustafsson

#13 Álvaro Herrera
alvherre@alvh.no-ip.org
In reply to: Daniel Gustafsson (#12)
Re: New buildfarm animals with FIPS mode enabled

On 2025-Feb-17, Daniel Gustafsson wrote:

On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Obviously, we could talk about extending the regression tests'
support for these cases, but I'm really dubious that it's worth
the work.

Agreed.

This means that unless Mark is willing to install OpenSSL 3 from source,
these buildfarm animals are not viable. I'll wait for Mark to confirm,
but given the number of animals he maintains, I think it's not really
feasible to have some which require individual patching work.

--
Álvaro Herrera Breisgau, Deutschland — https://www.EnterpriseDB.com/

#14 Mark Wong
markwkm@gmail.com
In reply to: Álvaro Herrera (#13)
Re: New buildfarm animals with FIPS mode enabled

On Tue, Feb 18, 2025 at 02:41:18PM +0100, Álvaro Herrera wrote:

On 2025-Feb-17, Daniel Gustafsson wrote:

On 17 Feb 2025, at 20:23, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Obviously, we could talk about extending the regression tests'
support for these cases, but I'm really dubious that it's worth
the work.

Agreed.

This means that unless Mark is willing to install OpenSSL 3 from source,
these buildfarm animals are not viable. I'll wait for Mark to confirm,
but given the number of animals he maintains, I think it's not really
feasible to have some which require individual patching work.

Yeah, I can install OpenSSL 3 from source. I'm trying to make better use
of Ansible to help.

Regards,
Mark