7.5. Testing on FIPS Systems
Since we try to eat our own dog food, we try to develop on SIMP as much as is practical, and we have the following advice that works at the time of writing this document.
Many of the tools that we use are getting better, and we have been diligent about filing bugs with projects that fail to meet the requirements set out by FIPS or that simply crash when run on a FIPS-enabled system. We do understand that not all operations require FIPS security but, unfortunately, the underlying software simply can’t tell whether an algorithm is being used for security or convenience.
Bundler is probably the first hurdle that you will encounter.
There is an original bug that we filed that has a fix released in Bundler 1.14.X. While this has worked for us (and is what we recommend), apparently there were some issues with the patch and it was reverted. Likewise, a new bug has been filed that is tracking current progress and we have faith that the team will get it fully fixed in the near future.
To pin your runs to a FIPS-compatible Bundler, you will need to both install a non-crashing version and ensure that you always use that version during your runs.
A simple method for doing this would be to do the following:
    gem install bundler -v 1.14.6
    alias bundle='bundle _1.14.6_'
There is one change that you need to make to your
to ensure that
rspec does not attempt to use MD5 checksums.
You simply need to add something like the following to your
    RSpec.configure do |c|
      c.before(:each) do
        # Use SHA-256 instead of MD5 for Puppet checksums during the tests
        Puppet[:digest_algorithm] = 'sha256'
      end
    end
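The two settings above (the pinned Bundler and the SHA-256 digest) can be checked together before a test run starts. The following is an added example, not SIMP project code: the names `fips_enabled?`, `fips_preflight`, `PINNED_BUNDLER` and `FIPS_FLAG` are hypothetical, and it assumes a Linux host that reports kernel FIPS mode in `/proc/sys/crypto/fips_enabled`.

```ruby
# Added example, not SIMP project code. All names here are hypothetical.
require 'rubygems'

PINNED_BUNDLER = Gem::Version.new('1.14.6') # the version this page pins
FIPS_FLAG = '/proc/sys/crypto/fips_enabled' # assumption: Linux kernel FIPS indicator

# True when the kernel reports FIPS mode ("1" in the flag file).
# A missing or unreadable file is treated as "not in FIPS mode".
def fips_enabled?(path = FIPS_FLAG)
  File.readable?(path) && File.read(path).strip == '1'
end

# Returns an array of human-readable problems; an empty array means the
# run can start. Nothing is checked on a host that is not in FIPS mode.
def fips_preflight(fips:, bundler_version:, digest_algorithm:)
  return [] unless fips

  problems = []
  running = Gem::Version.new(bundler_version)
  unless running == PINNED_BUNDLER
    problems << "Bundler #{running} in use; expected #{PINNED_BUNDLER} " \
                "(run `bundle _#{PINNED_BUNDLER}_`)"
  end
  if digest_algorithm.to_s.strip.downcase == 'md5'
    problems << "Puppet[:digest_algorithm] is md5; set it to 'sha256' " \
                'in a before(:each) hook'
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a FIPS host with an unpinned Bundler and an
  # md5 digest setting. Real callers would pass fips_enabled?,
  # Bundler::VERSION and Puppet[:digest_algorithm] instead.
  fips_preflight(fips: true, bundler_version: '1.16.1', digest_algorithm: 'md5')
    .each { |problem| warn "FIPS preflight: #{problem}" }
end
```

Calling this from a Rakefile or CI step surfaces the misconfiguration as a message instead of a crash part-way through the run.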