Open bviviano opened 2 years ago
For completeness, here is the procedure I used to install ISC DHCPd onto my RHEL8 FIPS enabled system in /opt and use it with xCAT:
- dhcp-server RPM like normal (since it's an xCAT dependency)
- yum-utils onto the system
- yum-builddep to make sure all -devel packages needed to compile DHCP are installed: /bin/yum-builddep dhcp
- tar.gz from ISC
- ./configure --prefix=/opt/dhcp and do make / make install
- dhcpd service, so the ISC DHCPd starts in its place.
/bin/install --directory --mode=0755 --owner=root --group=root /etc/systemd/system/dhcpd.service.d
/bin/cat << 'EOF' > /etc/systemd/system/dhcpd.service.d/override.conf
[Service]
Type=forking
ExecStart=
ExecStart=/opt/dhcp/sbin/dhcpd -cf /etc/dhcp/dhcpd.conf -lf /var/lib/dhcpd/dhcpd.leases --no-pid $DHCPDARGS
EOF
/bin/systemctl daemon-reload
At this point, systemd and xCAT will start/stop/restart the dhcpd service using the ISC install dhcpd daemon in /opt/dhcp/sbin.
You can confirm operations by
[root@smtools ~]# systemctl stop dhcpd
[root@smtools ~]# echo > /var/lib/dhcpd/dhcpd.leases
[root@smtools ~]# ls -l /var/lib/dhcpd/dhcpd.leases
-rw-r--r-- 1 root root 1 May 23 08:31 /var/lib/dhcpd/dhcpd.leases
[root@smtools ~]# systemctl start dhcpd
[root@smtools ~]# makedhcp -a
[root@smtools ~]# ls -l /var/lib/dhcpd/dhcpd.leases
-rw-r--r-- 1 root root 12463 May 23 08:31 /var/lib/dhcpd/dhcpd.leases
[root@smtools ~]#
I am providing a patch against xCAT 2.16.3's dhcp.pm that will allow you to specify the path to omshell and the key algorithm used by OMAPI by setting values in the site table accordingly:

If the site table entries do not exist, then the service will default to /usr/bin/omshell and HMAC-MD5, to maintain backwards compatibility.

This change is needed to support FIPS with xCAT when doing makedhcp -a.

Per this solutions article from Red Hat, the dhcp-server RPM in RHEL8 does not support FIPS. However, the most recent stock ISC DHCPd does support FIPS with levels up to SHA512.

With this patch, you can install the DHCPd from isc.org into an alternate location, like /opt, and tell xCAT where to find omshell and what key algorithm to use when talking to omshell, so that makedhcp -a will work on a MN with FIPS enabled.
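
An added example, not part of the original post or of xCAT: a shell check that resolves which dhcpd binary the drop-in above leaves in ExecStart, and shows why the empty `ExecStart=` line is required. The function names and the stand-in for the packaged unit file are assumptions constructed for the demonstration; the drop-in content is the one from the post.

```sh
# Print the effective ExecStart command lines, one per line.
# Arguments: the unit file first, then its drop-ins in the order they apply.
effective_execstart() {
    awk '
        FNR == 1 { in_service = 0 }
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^ExecStart=/ {
            value = substr($0, length("ExecStart=") + 1)
            if (value == "") n = 0      # an empty assignment clears earlier values
            else cmds[++n] = value
        }
        END { for (i = 1; i <= n; i++) print cmds[i] }
    ' "$@"
}

# Succeed only when exactly one ExecStart remains and its binary is $1.
# systemd refuses a unit with several ExecStart lines unless Type=oneshot.
starts_only() {
    expected=$1; shift
    cmds=$(effective_execstart "$@")
    [ "$(printf '%s\n' "$cmds" | grep -c .)" -eq 1 ] || return 1
    [ "${cmds%% *}" = "$expected" ]
}

# Constructed sample input: a stand-in for the packaged unit, the drop-in
# from the post, and the same drop-in with the reset line removed.
demo=$(mktemp -d)
cat > "$demo/dhcpd.service" << 'EOF'
[Service]
Type=notify
ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf --no-pid $DHCPDARGS
EOF
cat > "$demo/override.conf" << 'EOF'
[Service]
Type=forking
ExecStart=
ExecStart=/opt/dhcp/sbin/dhcpd -cf /etc/dhcp/dhcpd.conf -lf /var/lib/dhcpd/dhcpd.leases --no-pid $DHCPDARGS
EOF
grep -v '^ExecStart=$' "$demo/override.conf" > "$demo/no-reset.conf"

for dropin in override.conf no-reset.conf; do
    if starts_only /opt/dhcp/sbin/dhcpd "$demo/dhcpd.service" "$demo/$dropin"; then
        echo "$dropin: only /opt/dhcp/sbin/dhcpd will start"
    else
        echo "$dropin: ExecStart is not a single /opt/dhcp/sbin/dhcpd command"
    fi
done
```

On a live system the same two functions can be pointed at the installed unit file and /etc/systemd/system/dhcpd.service.d/override.conf.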