zabbix_host module digital envelope routines: EVP_DigestInit_ex disabled for FIPS #6
Closed
@Pectojin

SUMMARY

Using zabbix_host module to create a host from RHEL 8 with FIPS mode enabled produces an error because MD5 is used to hash the password before it's printed in the debug log.

(this is a re-post of issue ansible/ansible/issues/68351 as instructed)

ISSUE TYPE
  • Bug Report
COMPONENT NAME

zabbix_host

ANSIBLE VERSION
ansible 2.9.6
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/username/.local/lib/python3.6/site-packages/ansible
  executable location = /home/username/.local/bin/ansible
  python version = 3.6.8 (default, Oct 11 2019, 15:04:54) [GCC 8.3.1 20190507 (Red Hat 8.3.1-4)]
CONFIGURATION
ANSIBLE_NOCOWS(/etc/ansible/ansible.cfg) = True
ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -o ControlMaster=no
DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 4
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

crypto.fips_enabled = 1

STEPS TO REPRODUCE
  • Install RHEL8
  • Enable FIPS mode
  • Run playbook
- name: Create a new host or update an existing host's info
  delegate_to: localhost
  zabbix_host:
    server_url: https://{{ zabbix_main_server }}
    login_user: "{{ zabbix_user }}"
    login_password: "{{ zabbix_password }}"
    host_name: "{{ inventory_hostname }}"
    visible_name: "{{ inventory_hostname }}"
    host_groups:
      - "{{ zabbix_host_groups }}"
    link_templates:
      - "{{ zabbix_link_template }}"
    status: enabled
    state: present
    inventory_mode: automatic
    interfaces:
      - type: 1
        main: 1
        useip: 1
        ip: "{{ ansible_default_ipv4.address }}"
        dns: "{{ inventory_hostname }}"
        port: "{{ zabbix_port | default(10050) }}"
    tls_connect: 2
    tls_accept: 2
    tls_psk_identity: "PSK-{{ inventory_hostname }}"
    tls_psk: "{{ zabbix_psk.stdout }}"
    proxy: "{{ zabbix_proxy | default(omit) }}"
  become: false
EXPECTED RESULTS

Successful execution

ACTUAL RESULTS

Error: Failed to connect to Zabbix server: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

The full traceback is:
  File "/tmp/ansible_zabbix_host_payload_m45eq3kv/ansible_zabbix_host_payload.zip/ansible/modules/monitoring/zabbix/zabbix_host.py", line 767, in main
  File "/home/username/.local/lib/python3.6/site-packages/zabbix_api.py", line 203, in login
    hashed_pw_string = "md5(" + hashlib.md5(l_password.encode('utf-8')).hexdigest() + ")"
fatal: [host@domain.local -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "ca_cert": null,
            "description": null,
            "force": true,
            "host_groups": [
                "Default"
            ],
            "host_name": "host@domain.local",
            "http_login_password": null,
            "http_login_user": null,
            "interfaces": [
                {
                    "dns": "host@domain.local",
                    "ip": "10.220.37.193",
                    "main": 1,
                    "port": "10050",
                    "type": 1,
                    "useip": 1
                }
            ],
            "inventory_mode": "automatic",
            "inventory_zabbix": null,
            "ipmi_authtype": null,
            "ipmi_password": null,
            "ipmi_privilege": null,
            "ipmi_username": null,
            "link_templates": [
                "UFST - Linux OS"
            ],
            "login_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "login_user": "zabbix_api",
            "proxy": "zabproxy.domain.local",
            "server_url": "https://zabbix.domain.local",
            "state": "present",
            "status": "enabled",
            "timeout": 10,
            "tls_accept": 2,
            "tls_connect": 2,
            "tls_psk": "86f9eaba1ed321758388348a2233daf2f6f9889dcbdbeaa913950ad21bb22f31",
            "tls_psk_identity": "PSK-host@domain.local",
            "tls_subject": null,
            "validate_certs": true,
            "visible_name": "host@domain.local"
        }
    },
    "msg": "Failed to connect to Zabbix server: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS"
}

I've opened a PR for the upstream zabbix_api package here: gescheit/scripts#34

But until it's fixed the zabbix_host module doesn't work for me with the above configuration, so I figured I'd log the issue here.
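
Added example (not part of the original issue and not the zabbix_api code): why an unguarded `hashlib.md5` call in a debug-logging path aborts login on a FIPS host, next to a tolerant variant. `fips_blocked_md5`, `tolerant_debug_tag` and `login_outcome` are hypothetical names, and the blocked MD5 is simulated so the block runs on a non-FIPS machine.

```python
import hashlib

FIPS_ERROR = "[digital envelope routines: EVP_DigestInit_ex] disabled for FIPS"


def fips_blocked_md5(data=b""):
    """Constructed stand-in for hashlib.md5 on a FIPS host (same error text
    as the report) so the failure can be reproduced on any machine."""
    raise ValueError(FIPS_ERROR)


def legacy_debug_tag(password, md5=hashlib.md5):
    """Pattern from the traceback: the MD5 call is unguarded, so a policy
    block on MD5 aborts login even though the digest is only logged."""
    return "md5(" + md5(password.encode("utf-8")).hexdigest() + ")"


def tolerant_debug_tag(password, candidates=None):
    """Hypothetical replacement: use the first digest the crypto policy
    allows, and fall back to a fixed marker instead of raising."""
    if candidates is None:
        # SHA-256 is a FIPS-approved digest, so it is tried first.
        candidates = [("sha256", hashlib.sha256), ("md5", hashlib.md5)]
    data = password.encode("utf-8")
    for name, factory in candidates:
        try:
            return name + "(" + factory(data).hexdigest() + ")"
        except ValueError:
            continue  # digest disabled by policy; try the next one
    return "<redacted>"


def login_outcome(tag_func, *args):
    """Report whether a debug-only tagging step would break login."""
    try:
        return ("ok", tag_func("s3cret", *args))
    except ValueError as exc:
        return ("failed", str(exc))


if __name__ == "__main__":
    print(login_outcome(legacy_debug_tag, fips_blocked_md5))
    print(login_outcome(tolerant_debug_tag))
    print(login_outcome(tolerant_debug_tag, [("md5", fips_blocked_md5)]))
```

Returning only the fixed marker is the more conservative choice, since an unsalted digest of a password in a log can be guessed offline.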
