Bug 1650512

Summary: podman exec fails with "panic: boringcrypto: not in FIPS mode"
Product: Red Hat Enterprise Linux 7
Reporter: Joy Pu <ypu>
Component: runc
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: urgent
Priority: unspecified
Version: 7.6
CC: ajia, ddarrah, deparker, fdeutsch, fkluknav, ncredi, qcai, weinliu
Target Milestone: rc
Keywords: Extras, TestBlocker
Hardware: Unspecified
OS: Unspecified
Fixed In Version: runc-1.0.0-57.dev.git2abd837.el7_6
Doc Type: Bug Fix
Doc Text:
Cause: The runc package shipped in 7.6.1 Extras was built with an older version of golang which had a bug leading to a crash in certain FIPS modes.
Consequence: podman exec failed.
Fix: a new runc has been built with an updated golang dependency to take care of FIPS compliance.
Result: podman exec works as expected.
Last Closed: 2018-11-30 12:49:11 UTC
Type: Bug
Bug Blocks: 1652546

Description Joy Pu 2018-11-16 11:22:42 UTC
Description of problem:
podman exec failed to exec command in a container.

Version-Release number of selected component (if applicable):
runc-1.0.0-54.dev.git2abd837.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a running container
# podman run -d --name test docker.io/busybox top
2. Exec a command in the container
# podman exec test ls
panic: boringcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/boring.init.0()
	/opt/rh/go-toolset-7/root/usr/lib/go-toolset-7-golang/src/crypto/internal/boring/boring.go:35 +0xd6
exec failed: container_linux.go:336: starting container process caused "read init-p: connection reset by peer"
exit status 1


Actual results:
podman exec failed

Expected results:
podman exec can get results as expected

Additional info:
There is a similar bug for RHEL8: Bug 1615752 - podman exec crashes with 'panic: boringcrypto: not in FIPS mode'

And here are the debug logs from podman exec:

# podman --log-level debug exec 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c ls
DEBU[0000] Not configuring container store              
INFO[0000] Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist 
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] Creating new exec session in container 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c with session id e40b2454efa2e88cceca59eab3b715cee3fa0b76b3653af0bd943f1a16732a86 
DEBU[0000] Starting runtime /usr/bin/runc with following arguments: [--log /var/lib/containers/storage/overlay-containers/93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c/userdata/ctr.log exec --cwd / --pid-file /var/run/containers/storage/overlay-containers/93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c/userdata/exec_pid_e40b2454efa2e88cceca59eab3b715cee3fa0b76b3653af0bd943f1a16732a86 --env TERM=xterm --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c ls] 
panic: boringcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/boring.init.0()
	/opt/rh/go-toolset-7/root/usr/lib/go-toolset-7-golang/src/crypto/internal/boring/boring.go:35 +0xd6
exec failed: container_linux.go:336: starting container process caused "read init-p: connection reset by peer"
DEBU[0060] Timed out waiting for pidfile from runtime for container 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c exec 
ERRO[0060] exit status 1

Comment 2 Joy Pu 2018-11-16 11:28:16 UTC
The same command line works fine with runc-1.0.0-37.rc5.dev.gitad0f525.el7.x86_64

Comment 16 errata-xmlrpc 2018-11-30 12:49:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3755