Latest beta - chronyd / FIPS mode issue (resend to mail list)

Kevin Salisbury Kevin.Salisbury at twinmro.com
Mon Apr 5 11:51:31 UTC 2021


I have confirmation of a carryover chronyd bug from SP2 into SP3 (bugzilla number 1173760).

Steps to reproduce:
- Built a new x86_64 SLES15 SP3 Beta box and updated.
- Set up an internal time source for chronyd on install both manually and with autoyast - no issues. Time is fine.
- Install FIPS pattern, and set grub bootloader kernel boot option 'fips=1' and restart
- chronyd fails to load with internal time source. If a public time source is used for chronyd, it seems to load fine (but of course, one can't use a public source if servers are not supposed to see the internet or are "air gapped").

We suspect there needs to be something else done on the internal time source, or a local configuration change not documented for FIPS systems; we've tried several different internal time clock sources and manual edits of chronyd configurations -- nothing seems to work. The issue does not exist on SLES 12 systems. Curious to know if others in FIPS environments have seen this behavior with SLE 15 and if there's a workaround... (it seems that we are missing something very simple, admittedly we are not experts with chronyd yet, but so far SUSE support can replicate the issue - but has no solution for us either).

This post is FYI only. This is a known issue, although not documented in the readme, it's going to limit deployment in many regulated environments... 

Kevin
