fluent-bit: td-agent-bit won't install on RHEL 8 / FIPS
Bug Report
Describe the bug
td-agent-bit won’t install on a Redhat/Centos 8 machine in FIPS mode, after following the installation instructions at: https://docs.fluentbit.io/manual/installation/linux/redhat-centos
To Reproduce
- Install a Redhat/Centos 8 machine and update all packages to the current version (e.g. dnf update)
- Follow instructions for installation at https://docs.fluentbit.io/manual/installation/linux/redhat-centos
- The below is the output when you get to the step: yum install td-agent-bit
```
Dependencies resolved.
=============================================================================================================================================================================================================
Package Architecture Version Repository Size
=============================================================================================================================================================================================================
Installing:
td-agent-bit x86_64 1.7.8-1 td-agent-bit 7.0 M
Installing dependencies:
compat-openssl10 x86_64 1:1.0.2o-3.el8 appstream 1.1 M
libpq x86_64 13.2-1.el8 appstream 197 k
make x86_64 1:4.2.1-10.el8 baseos 498 k
Transaction Summary
=============================================================================================================================================================================================================
Install 4 Packages
Total download size: 8.8 M
Installed size: 33 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): libpq-13.2-1.el8.x86_64.rpm 1.6 MB/s | 197 kB 00:00
(2/4): make-4.2.1-10.el8.x86_64.rpm 3.2 MB/s | 498 kB 00:00
(3/4): compat-openssl10-1.0.2o-3.el8.x86_64.rpm 7.2 MB/s | 1.1 MB 00:00
(4/4): td-agent-bit-1.7.8-1.x86_64.rpm 11 MB/s | 7.0 MB 00:00
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 7.5 MB/s | 8.8 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
package td-agent-bit-1.7.8-1.x86_64 does not verify: no digest
```
Expected behavior
td-agent-bit would install successfully, as reported by yum/dnf.
Your Environment
- Version used: Attempted to install 1.7.8-1.x86_64
- Configuration: Unconfigured, other than repo file as described in configuration instructions
- Operating System and version: RHEL 8.4 running in FIPS mode
- Filters and plugins: N/A
Additional context
I suspect this is related to FIPS mode which requires strong hash checksums to be present to validate the packages before install. I suspect SHA256 signatures are not being provided for the packages. FIPS mode restricts weak checksums from being used to validate downloaded packages. FIPS mode cannot be disabled due to compliance reasons and is officially supported by Redhat.
About this issue
- State: closed
- Created 3 years ago
- Comments: 34 (13 by maintainers)
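An added example (not from the issue or the Fluent Bit project) for checking the reporter's hypothesis on a downloaded package: it reads an RPM's signature header and reports which digest tags it carries and whether a SHA256 one is among them. The tag numbers are from rpm's tag table, `build_sample` produces constructed input, and only the signature header is inspected (any payload digest in the main header is not examined).

```python
import struct
import sys

LEAD_SIZE = 96                      # fixed-size legacy lead at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic + version
# Digest tags that can appear in the signature header (numbers from rpm's tag table).
DIGEST_TAGS = {1004: "MD5", 269: "SHA1", 273: "SHA256"}

def signature_digests(rpm_bytes):
    """Return the names of the digest tags present in the signature header."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    intro = rpm_bytes[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header missing or truncated")
    nindex, _store_size = struct.unpack(">II", intro[8:16])
    found = set()
    for i in range(nindex):
        start = LEAD_SIZE + 16 + 16 * i      # each index entry is 16 bytes
        entry = rpm_bytes[start:start + 16]
        if len(entry) < 16:
            raise ValueError("truncated index entry")
        tag, _type, _offset, _count = struct.unpack(">IIII", entry)
        if tag in DIGEST_TAGS:
            found.add(DIGEST_TAGS[tag])
    return found

def has_sha256_digest(rpm_bytes):
    """True when the signature header carries a SHA256 header digest."""
    return "SHA256" in signature_digests(rpm_bytes)

def build_sample(tags):
    """Constructed input: a lead plus a signature header index with empty values."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    index = b"".join(struct.pack(">IIII", t, 7, 0, 0) for t in tags)
    return lead + HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), 0) + index

if __name__ == "__main__":
    for path in sys.argv[1:]:           # usage: python check_rpm_digest.py pkg.rpm ...
        with open(path, "rb") as fh:
            data = fh.read()
        verdict = "SHA256 present" if has_sha256_digest(data) else "no SHA256 digest"
        print(f"{path}: {sorted(signature_digests(data))} -> {verdict}")
```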
I’m actually looking at sorting this on https://github.com/fluent/fluent-bit/issues/3753 which is more general improvements to the release process and will include the GPG signing once fully complete.
@JungleGenius the old RPMs are all still there but just not indexed in the metadata for the repo - basically `createrepo` is running for just the latest RPM rather than the directory which is another thing I’m hoping to resolve. You can grab the RPM directly though for anyone trying to figure that out: `wget https://packages.fluentbit.io/centos/7/x86_64/td-agent-bit-1.7.9-1.x86_64.rpm`
Unfortunately, I am unable to install `1.8.12` on `RHEL 8.3` with `FIPS` enabled:
With definition of repository `td-agent-bit-official`:
As defined here: https://docs.fluentbit.io/manual/installation/linux/redhat-centos#configure-yum
I am able to install 1.8.12 without warning about missing digest: