Bug 1066171 - Default bind_keyalgorithm setting of HMAC-SHA256 is not supported
Summary: Default bind_keyalgorithm setting of HMAC-SHA256 is not supported
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 2.0.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miciah Dashiel Butler Masters
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-17 22:25 UTC by Miciah Dashiel Butler Masters
Modified: 2014-08-22 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-15 14:40:49 UTC



Description Miciah Dashiel Butler Masters 2014-02-17 22:25:04 UTC
Description of problem:

By default, openshift.ks/openshift.sh now configures OpenShift with a BIND key generated using the HMAC-SHA256 algorithm.  However, we do not support any algorithm except HMAC-MD5 (creating records will succeed, but deleting records will fail, and oo-diagnostics will fail).  We need to revert the default setting in the installation scripts back to HMAC-MD5 until we ship an OpenShift release with oo-diagnostics and a dns-nsupdate plug-in that support HMAC-SHA256.


Steps to Reproduce:

1. Install a new all-in-one OpenShift PaaS using sh openshift.sh

2. Run oo-diagnostics

3. Create and delete an application.

4. Install a new all-in-one OpenShift PaaS using sh openshift.sh bind_keyalgorithm=HMAC-MD5

5. Run oo-diagnostics

6. Create and delete an application.


Actual results:

At Step 2, we get the following error:

oo-accept-broker had errors:
--BEGIN OUTPUT--
NOTICE: SELinux is Enforcing
NOTICE: SELinux is  Enforcing
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
FAIL: error adding txt record name testrecord.example.com to server [redacted]: this_is_a_test
        -- is the nameserver running, reachable, and key auth working?
FAIL: txt record testrecord.example.com does not resolve on server [redacted]
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)
FAIL: error deleteing txt record name testrecord.example.com to server [redacted]:
        -- is the nameserver running, reachable, and key auth working?
3 ERRORS

--END oo-accept-broker OUTPUT--

At Step 3, we will see an error like the following from rhc:

Error from the broker: Deleting application 'myapp' ... error deleting app record myapp.example.com

At Steps 5 and 6, we do not get these errors.


Expected results:

We should not get the above error messages at any of the steps.


Additional info:

Bug 1061941 concerns the absence of the feature.  This bug report concerns the fact that the installation scripts use this feature (and customers have hit it) even though the feature is not yet shipped.

I will issue a PR later this evening.

Comment 2 Miciah Dashiel Butler Masters 2014-02-18 04:48:09 UTC
PR: https://github.com/openshift/openshift-extras/pull/299

Comment 3 Anping Li 2014-02-18 11:53:41 UTC
Verified using puddle-2-0-2-2014-01-16 with the following steps:
A) openshift.sh with the default configuration:
1. Install a new all-in-one OpenShift PaaS using sh openshift.sh
2. Check the named configuration file.
[root@broker named]# cat ose202.example.com.key 
key ose202.example.com {
  algorithm "HMAC-MD5";
  secret "nrC9BSZl4fbTpWymc/fCAgn1yx6vs1jNmOxElsMFgb6cIzgHeV4BCTx+reETwVJviGJqpeRQIdA+tp1r6YngIQ==";
};
[root@broker plugins.d]# cat openshift-origin-dns-nsupdate.conf
BIND_SERVER="172.16.0.94"
BIND_PORT=53
BIND_ZONE="ose202.example.com"
BIND_KEYNAME="ose202.example.com"
BIND_KEYVALUE="nrC9BSZl4fbTpWymc/fCAgn1yx6vs1jNmOxElsMFgb6cIzgHeV4BCTx+reETwVJviGJqpeRQIdA+tp1r6YngIQ=="
BIND_KEYALGORITHM="HMAC-MD5"
3. Run oo-diagnostics
No error was reported
4. Create and delete an application.
rhc app create js jenkins-1
rhc app create sphp php-5 -s
rhc app delete sphp 
5. Check the zone after the app was deleted; there is no record for sphp
root@broker ~]# named-checkzone -Dj ose202.example.com /var/named/dynamic/ose202.example.com.db
zone ose202.example.com/IN: ose202.example.com/MX 'mail.ose202.example.com' has no address records (A or AAAA)
zone ose202.example.com/IN: loaded serial 2011112910
ose202.example.com.			      1	IN SOA		ns1.ose202.example.com. hostmaster.ose202.example.com. 2011112910 60 15 1800 10
ose202.example.com.			      1	IN NS		ns1.ose202.example.com.
ose202.example.com.			      1	IN MX		10 mail.ose202.example.com.
activemq.ose202.example.com.		      1	IN A		172.16.0.94
broker.ose202.example.com.		      1	IN A		172.16.0.94
datastore.ose202.example.com.		      1	IN A		172.16.0.94
node.ose202.example.com.		      1	IN A		172.16.0.94
ns1.ose202.example.com.			      1	IN A		172.16.0.94
OK
B) Openshift.sh with bind_keyalgorithm=HMAC-MD5
1. Install a new all-in-one OpenShift PaaS using sh openshift.sh bind_keyalgorithm=HMAC-MD5
2. Check the named configuration file
[root@broker ~]# cat /var/named/ose202.example.com.cn.key 
key ose202.example.com.cn {
  algorithm "HMAC-MD5";
  secret "m0hWMLNpLNfmhktCHSYgUxuStxdiwP28rxPYwLoF4JOLRwYOecpoo2TKt/DqLU/5oNPS4qosxq0l4QmKaawezA==";
};

[root@broker plugins.d]# cat openshift-origin-dns-nsupdate.conf
BIND_SERVER="172.16.0.94"
BIND_PORT=53
BIND_ZONE="ose202.example.com.cn"
BIND_KEYNAME="ose202.example.com.cn"
BIND_KEYVALUE="m0hWMLNpLNfmhktCHSYgUxuStxdiwP28rxPYwLoF4JOLRwYOecpoo2TKt/DqLU/5oNPS4qosxq0l4QmKaawezA=="
BIND_KEYALGORITHM="HMAC-MD5"

3. Run oo-diagnostics

4. Create and delete an application
rhc app create  sphp php-5.3
rhc app delete sphp
5. Check the zone
[root@broker ~]#  named-checkzone -Dj ose202.example.com.cn /var/named/dynamic/ose202.example.com.cn.db
zone ose202.example.com.cn/IN: ose202.example.com.cn/MX 'mail.ose202.example.com.cn' has no address records (A or AAAA)
zone ose202.example.com.cn/IN: loaded serial 2011112907
ose202.example.com.cn.			      1	IN SOA		ns1.ose202.example.com.cn. hostmaster.ose202.example.com.cn. 2011112907 60 15 1800 10
ose202.example.com.cn.			      1	IN NS		ns1.ose202.example.com.cn.
ose202.example.com.cn.			      1	IN MX		10 mail.ose202.example.com.cn.
activemq.ose202.example.com.cn.		      1	IN A		172.16.0.94
broker.ose202.example.com.cn.		      1	IN A		172.16.0.94
datastore.ose202.example.com.cn.	      1	IN A		172.16.0.94
node.ose202.example.com.cn.		      1	IN A		172.16.0.94
ns1.ose202.example.com.cn.		      1	IN A		172.16.0.94
sphp-hanli1dom.ose202.example.com.cn.	      60 IN CNAME	broker.ose202.example.com.cn.

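As an added example (not from the bug report or the openshift-extras scripts), a Python checker that parses the two files shown in comment 3 and reports the condition this bug describes: the broker plug-in and named agree on the key, but the algorithm is one the 2.0.x dns-nsupdate plug-in and oo-diagnostics cannot use. The file contents and the secret are constructed placeholders.

```python
import re
# Algorithm the 2.0.x dns-nsupdate plug-in and oo-diagnostics accept, per the report.
SUPPORTED_ALGORITHMS = {"HMAC-MD5"}

# Constructed named key file (format as in comment 3) with the installer default
# this bug is about and a placeholder secret.
NAMED_KEY_FILE = """key ose202.example.com {
  algorithm "HMAC-SHA256";
  secret "PLACEHOLDER_SECRET_BASE64==";
};
"""
# Constructed openshift-origin-dns-nsupdate.conf (format as in comment 3).
PLUGIN_CONF = """BIND_ZONE="ose202.example.com"
BIND_KEYNAME="ose202.example.com"
BIND_KEYVALUE="PLACEHOLDER_SECRET_BASE64=="
BIND_KEYALGORITHM="HMAC-SHA256"
"""
KEY_STMT = re.compile(r'key\s+(\S+)\s*\{\s*algorithm\s+"?([^";]+)"?\s*;\s*secret\s+"([^"]+)"\s*;')

def parse_named_key(text):
    """Return (name, ALGORITHM, secret) from a BIND `key name { ... };` statement."""
    m = KEY_STMT.search(text)
    if not m:
        raise ValueError("no key statement found")
    return m.group(1), m.group(2).upper(), m.group(3)

def parse_plugin_conf(text):
    """Return the NAME=value pairs of the shell-style plug-in config, quotes stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            conf[name] = value.strip().strip('"')
    return conf

def check_tsig_setup(key_text, conf_text):
    """Return findings; an empty list means both sides agree on a key the plug-in can use."""
    name, alg, secret = parse_named_key(key_text)
    conf = parse_plugin_conf(conf_text)
    findings = []
    for field, want, got in (("key name", name, conf.get("BIND_KEYNAME")),
                             ("secret", secret, conf.get("BIND_KEYVALUE")),
                             ("algorithm", alg, conf.get("BIND_KEYALGORITHM", "").upper())):
        if want != got:  # any of these makes every TSIG-signed update fail
            findings.append("%s differs between the named key file and the plug-in config" % field)
    if alg not in SUPPORTED_ALGORITHMS:  # the defect in this bug: matching but unusable
        findings.append("%s is not supported by the 2.0.x plug-in (updates fail with "
                        "NOTAUTH(BADKEY)); reinstall with bind_keyalgorithm=HMAC-MD5" % alg)
    return findings
```

Run against the real files on a broker by reading them into `key_text` and `conf_text`; an empty result corresponds to the clean oo-diagnostics run in comment 3.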
Comment 4 Luke Meyer 2014-02-18 14:28:52 UTC
To be clear, once the feature is shipped in the product, we'll revert this reversion. The end goal *is* to use the HMAC-SHA256 algorithm.

Comment 5 Johnny Liu 2014-02-19 03:30:49 UTC
(In reply to Luke Meyer from comment #4)
> To be clear, once the feature is shipped in the product, we'll revert this
> reversion. The end goal *is* to use the HMAC-SHA256 algorithm.

Got it. We must wait until 2.0.3 is released before enabling the HMAC-SHA256 algorithm.

