Git Fatal Error: PRNG is not seeded #19866
Comments
I'd like to take this up. |
Could it be a permutation of #19587? |
I saw that issue before posting this. I verified our credential for the repo is not scoped to a project. We have multiple projects that all share the same repo. But I double-checked it is not scoped incorrectly. |
For more context (not sure if it will help): the repo is an AWS CodeCommit repo. We are using SSH keys in order to clone. |
I'm already working on a couple of issues in Argo CD right now, so if anyone else would like to take this up, feel free to do that. Thanks! |
We got the same error when we upgraded from 2.9.17 to 2.12.3.
After we rolled back, everything is back to normal. Is there any workaround? |
We have yet to find a workaround; we simply rolled back and are waiting to hear back on this issue. It isn't strictly urgent, but we would like to be able to upgrade eventually. |
@j-wozniack Can you post the application spec that's failing, along with the secret it's supposed to use? Redacted where applicable. |
For more reference, we are using the helmfile plugin: https://github.com/travisghansen/argo-cd-helmfile
Here is the repo secret we are using:
Application Spec:
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  creationTimestamp: "2024-09-24T09:40:00Z"
  generation: 5
  name: istio-base
  namespace: argocd-system
  resourceVersion: "6074450"
  uid: b159c700-0861-4611-ba82-de2730cc1a64
spec:
  destination:
    namespace: istio-system
    server: https://kubernetes.default.svc
  project: default
  source:
    path: apps/istio-base/
    plugin:
      env:
      - name: HELMFILE_GLOBAL_OPTIONS
        value: -e personal
      - name: HELMFILE_TEMPLATE_OPTIONS
        value: --include-crds
      name: helmfile
    repoURL: ssh://<user>@git-codecommit.us-west-1.amazonaws.com/v1/repos/helmfile
    targetRevision: main
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
status:
  conditions:
  - lastTransitionTime: "2024-09-24T09:48:48Z"
    message: "Failed to load target state: failed to generate manifest for source
      1 of 1: rpc error: code = Unknown desc = failed to initialize repository resources:
      rpc error: code = Internal desc = Failed to fetch default: `git fetch origin
      --tags --force --prune` failed exit status 128: PRNG is not seeded\r\nfatal:
      Could not read from remote repository.\n\nPlease make sure you have the correct
      access rights\nand the repository exists."
    type: ComparisonError
  controllerNamespace: argocd-system
  health:
    status: Healthy
  reconciledAt: "2024-09-24T09:48:48Z"
  summary: {}
  sync:
    comparedTo:
      destination:
        namespace: istio-system
        server: https://kubernetes.default.svc
      source:
        path: apps/istio-base/
        plugin:
          env:
          - name: HELMFILE_GLOBAL_OPTIONS
            value: -e personal
          - name: HELMFILE_TEMPLATE_OPTIONS
            value: --include-crds
          name: helmfile
        repoURL: ssh://<user>@git-codecommit.us-west-1.amazonaws.com/v1/repos/helmfile
        targetRevision: main
    status: Unknown
```
|
The node is running the following, if that helps with the investigation, with a 5.4.0 AWS FIPS kernel
argocd version
argocd-repo-server logs
works fine after rolling back to
|
We are experiencing the same issue on v2.12.3: |
It seems like this might only occur when running ArgoCD on FIPS-enabled hosts, and may be caused by the switch to Ubuntu 24.04 as a base image which was done in #18093. I built v2.12.4 with Ubuntu 22.04 as the base image, and that appears to have worked. |
We are experiencing this on FIPS-enabled hosts with ArgoCD v2.12.4. We didn't experience the issue on non-FIPS-ed hosts:
|
Tried upgrading to 2.12.6 and still have the same issue on FIPS-enabled hosts. |
It seems like OpenSSL 3 (which is bundled with Ubuntu 24.04) will not run with FIPS-enabled kernels unless OpenSSL has the FIPS provider library bundled with it. Canonical is nice enough to have that locked away in Ubuntu Pro (where we would need to mount a secret in order to install a FIPS-enabled OpenSSL). |
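A preflight check for the condition the comments above suspect (FIPS-enabled kernel, OpenSSL 3 without an active FIPS provider), as an added example that is not part of the original thread or of Argo CD. The function names are hypothetical and the sample provider listings are constructed; `check_host` is meant to be run inside the repo-server image.

```shell
#!/bin/sh
# Added example (not Argo CD code). Function names are hypothetical.

# Succeeds if `openssl list -providers` output ($1) shows an active "fips" provider.
fips_provider_active() {
  printf '%s\n' "$1" | awk '
    NF == 1 && $1 !~ /:$/ { current = $1 }   # bare word = provider id
    $1 == "status:" && $2 == "active" && current == "fips" { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# classify KERNEL_FIPS_FLAG PROVIDERS_TEXT
# Prints ok-non-fips, ok-fips, or at-risk (FIPS kernel, no active FIPS provider).
classify() {
  if [ "$1" != "1" ]; then
    echo "ok-non-fips"
  elif fips_provider_active "$2"; then
    echo "ok-fips"
  else
    echo "at-risk"
  fi
}

# Live check: the kernel flag is visible inside containers because they share
# the host kernel. If openssl itself fails, its output has no fips block.
check_host() {
  flag=0
  if [ -r /proc/sys/crypto/fips_enabled ]; then
    flag=$(cat /proc/sys/crypto/fips_enabled)
  fi
  classify "$flag" "$(openssl list -providers 2>&1)"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.13
    status: active'
SAMPLE_WITH_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.13
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'

echo "FIPS kernel, default provider only: $(classify 1 "$SAMPLE_DEFAULT_ONLY")"
echo "FIPS kernel, FIPS provider active:  $(classify 1 "$SAMPLE_WITH_FIPS")"
```

Running `check_host` in a candidate image on a FIPS-enabled node before rollout flags the combination that produced `PRNG is not seeded` in this thread.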
On Ubuntu 24, you can compile and install the FIPS module and install it into your OpenSSL installation. |
@crenshaw-dev, how big are the downsides of reverting to Ubuntu 22? |
There are basically two* options with Ubuntu 24
Both of those options imply FIPS-users would need to create a custom Dockerfile and build their own Argo CD Docker images. *There's a third option, which is that FIPS-users would pay some third-party vendor (there are a couple out there) that distributes pre-built "hardened Argo" images with FIPS-support |
How much do they charge for the pro version? |
TBH the subscribe page is really confusing. What I think is the case is that the subscription is free if the intent is to have <= 5 Argo instances running, otherwise there's a myriad of options. I guess the idea is to force potential users to contact sales. |
Can we create this custom Dockerfile for them and start distributing a FIPS-compatible image as well? |
🤷, if there is a way to build the FIPS-module that still works for non-FIPS users, then I guess someone can take a stab at following the guide @nkalscheuer posted and submit a PR for that. If this is somehow not compatible with non-FIPS usages, I guess the other option would be to build a FIPS-version of Argo CD along with our normal images. |
Checklist:
`argocd version`.

Describe the bug
Upgrading from `2.11.5` to `2.12.3` I keep getting the same git error, that causes the repo server to fail to clone. When I go to check the repo in the list it shows as connected and healthy. However, when I roll back to `2.11.5` the applications sync and there is no issue with git.

I have checked all the recent issues for `2.12.x` and not seen any specific to this.

To Reproduce
Upgrade from `2.11.5` to `2.12.3` using the argocd-helm chart, with a repository secret.

Expected behavior
I am able to upgrade from `2.11.5` to `2.12.3` without getting any git errors

Screenshots
Version
Logs
Repo Server:
Server: