Installing to RHEL-8 with STIGs applied #347

Closed

stevenjohnstone opened this issue Dec 29, 2021 · 3 comments

Comments

@stevenjohnstone

I'm leaving notes here on what went wrong for Corsec when trying to install MKE with launchpad. Corsec are writing a STIG for us and it's considered a very high priority for federal sales.

When installing to RHEL 8.4/8.5 with STIGs applied, I ran into the following problems which prevented installation of mke:

  • podman was installed leading to conflicting package versions for containerd
  • fapolicyd causes failures to start containers (approximately 50% of the time) [1]
  • firewalld is setup to default block connections between nodes
  • SSH with RSA keys fails because "ssh-rsa" is deprecated by OpenSSH. I needed to use ECDSA ssh keys to get around this [2]

Footnotes

  1. I can reproduce the failures with runc:

         runc exec busybox /bin/echo hi
         runc: error while loading shared libraries: libpthread.so.0: cannot open shared object file: Operation not permitted
         ERRO[0000] exec failed: container_linux.go:380: starting container process caused: process_linux.go:722: waiting for init preliminary setup caused: read init-p: connection reset by peer

     I think there's a race condition in detecting mount changes and opening libraries which triggers the failure. Disabling with systemctl stop fapolicyd allowed the installation to succeed.

  2. https://github.com/golang/go/issues/37278 addresses this in the golang crypto library. I think https://github.com/k0sproject/rig/blob/f998dc037e0e68b6dcdee5f9d296cba468acb287/go.mod#L15 would need to be bumped to the latest golang crypto to fix this.
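The four blockers listed in the report above can be detected before launchpad is run. The script below is an added example for this thread, not code from launchpad, MKE, Corsec or any STIG content. It assumes the standard RHEL 8 tooling (rpm, systemctl, firewall-cmd, sshd) and takes the two package names to look for, podman and runc, from the report and the later commit on this thread; the sample command outputs embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Preflight checks for installing MKE with launchpad on a RHEL 8 host that has
# the STIG profile applied. Added example for this thread; not launchpad, MKE,
# Corsec or STIG code. Each check_* style function takes the relevant command
# output as $1 so the logic can be exercised offline; run_live feeds it real
# output when the script is invoked with --live (sshd -T needs root).

# Packages the thread identifies as conflicting with the containerd shipped
# for MKE (podman pulls in RHEL's runc). Input: output of `rpm -qa`.
# Output: the matching package NVRs, one per line.
conflicting_packages() {
  printf '%s\n' "$1" | grep -E '^(podman|runc)-[0-9]' || true
}

# fapolicyd state. Input: output of `systemctl is-active fapolicyd`.
# Exit status 0 when the service is active (per the report it intermittently
# stops the runtime from loading shared libraries), 1 otherwise.
fapolicyd_active() {
  [ "$1" = "active" ]
}

# firewalld state. Input: output of `firewall-cmd --state`, which prints
# "running" or "not running". Exit status 0 when running, meaning the
# inter-node ports need a firewalld service before the install is attempted.
firewalld_running() {
  [ "$1" = "running" ]
}

# Whether sshd still accepts an RSA key signed with the legacy ssh-rsa (SHA-1)
# algorithm. Input: output of `sshd -T`. OpenSSH 8.0 (RHEL 8) prints the option
# as pubkeyacceptedkeytypes; 8.5 and later print pubkeyacceptedalgorithms, so
# both names are read. Output: "accepted" or "refused". When refused, a client
# that cannot sign with rsa-sha2-256/512 (the x/crypto issue in footnote 2)
# fails to authenticate with an RSA key, while ECDSA or Ed25519 keys still work.
ssh_rsa_status() {
  algos=$(printf '%s\n' "$1" | awk '$1 == "pubkeyacceptedkeytypes" || $1 == "pubkeyacceptedalgorithms" { print $2 }')
  case ",$algos," in
    *,ssh-rsa,*) echo accepted ;;
    *)           echo refused ;;
  esac
}

# Constructed sample output (not captured from a real host); the package
# versions are placeholders.
SAMPLE_RPM_QA='podman-3.3.1-9.el8.x86_64
runc-1.0.2-1.el8.x86_64
containerd.io-1.4.12-3.1.el8.x86_64
openssh-server-8.0p1-10.el8.x86_64'
SAMPLE_SSHD_T_STRICT='port 22
pubkeyacceptedkeytypes rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519'
SAMPLE_SSHD_T_LEGACY='port 22
pubkeyacceptedkeytypes ssh-rsa,rsa-sha2-512,ecdsa-sha2-nistp256'

# Summarise one host from the four command outputs, one line per finding.
# Arguments: rpm -qa output, fapolicyd state, firewalld state, sshd -T output.
report() {
  conflicts=$(conflicting_packages "$1")
  if [ -n "$conflicts" ]; then
    echo "conflicting packages (remove before installing containerd): $(printf '%s ' $conflicts)"
  fi
  if fapolicyd_active "$2"; then
    echo "fapolicyd is active: expect intermittent container start failures"
  fi
  if firewalld_running "$3"; then
    echo "firewalld is running: add a firewalld service for the inter-node ports"
  fi
  if [ "$(ssh_rsa_status "$4")" = refused ]; then
    echo "sshd refuses ssh-rsa: use an ECDSA or Ed25519 key for launchpad"
  fi
}

# Number of findings for the same four inputs; 0 means the host looks clean.
count_findings() {
  report "$@" | grep -c . || true
}

run_live() {
  report "$(rpm -qa 2>/dev/null)" \
         "$(systemctl is-active fapolicyd 2>/dev/null)" \
         "$(firewall-cmd --state 2>/dev/null)" \
         "$(sshd -T 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then
  run_live
else
  # Offline demonstration on the constructed samples: all four findings fire.
  report "$SAMPLE_RPM_QA" active running "$SAMPLE_SSHD_T_STRICT"
fi
```

Run it as root with --live on the target node; without arguments it only exercises the checks against the constructed samples. The ssh-rsa check deliberately looks at the server's accepted algorithm list rather than at the key type, because an RSA key is fine as long as the server lists rsa-sha2-256 or rsa-sha2-512 and the client can use them; the failure in the report comes from a client library that only knows the SHA-1 variant.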

@stevenjohnstone (Author)

https://bugzilla.redhat.com/show_bug.cgi?id=1907870 seems to suggest that fapolicyd breaks podman and there isn't a sensible solution other than turning it off.

stevenjohnstone pushed a commit that referenced this issue Dec 30, 2021
* uninstall podman and runc
* disable fapolicy
* add a firewalld service for MKE
@stevenjohnstone (Author)

I've built a version with d67f353 for Corsec. I realise I could probably use configuration hooks to achieve some of this.

@james-nesbitt (Collaborator)

This seems resolved.
