Bug 1724002

Summary: Cannot use cloud-init in FIPS mode
Product: Red Hat Enterprise Virtualization Manager
Reporter: Germano Veit Michel <gveitmic>
Component: vdsm
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: Beni Pelled <bpelled>
Severity: high
Docs Contact:
Priority: unspecified
Version: 4.3.0
CC: bpelled, kevin.kadak, lsurette, lsvaty, mtessun, rdlugyhe, schandle, srevivo, tbaransk, ycui
Target Milestone: ovirt-4.4.0
Flags: lsvaty: testing_plan_complete-
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: rhv-4.4.0-29
Doc Type: Bug Fix
Doc Text:
Previously, cloud-init could not be used on hosts with FIPS enabled. With this update, cloud-init can be used on hosts with FIPS enabled.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-08-04 13:27:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Germano Veit Michel 2019-06-26 01:13:34 UTC
Description of problem:

When the hypervisor is in FIPS mode, cannot run VM with cloud-init as mkisofs fails due to vdsm/mkimage.py getFileName() generating a hash to name the file.

VDSM:
2019-06-26 10:41:42,248+1000 ERROR (vm/2807af4a) [virt.vm] (vmId='2807af4a-af34-43ba-8a0c-6d83fd35937f') The vm start process failed (vm:933)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 867, in _startUnderlyingVm
    self._run()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2784, in _run
    self._devices = self._make_devices()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2624, in _make_devices
    disk_objs = self._perform_host_local_adjustment()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2697, in _perform_host_local_adjustment
    self._preparePathsForDrives(disk_params)
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 1026, in _preparePathsForDrives
    drive['path'] = self.cif.prepareVolumePath(drive, self.id)
  File "/usr/lib/python2.7/site-packages/vdsm/clientIF.py", line 469, in prepareVolumePath
    vmId, device, params['vmPayload'])
  File "/usr/lib/python2.7/site-packages/vdsm/clientIF.py", line 517, in _prepareVolumePathFromPayload
    return func(vmId, payload['file'], payload.get('volId'))
  File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 56, in __call__
    return callMethod()
  File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 54, in <lambda>
    **kwargs)
  File "<string>", line 2, in mkIsoFs
  File "/usr/lib64/python2.7/multiprocessing/managers.py", line 773, in _callmethod
    raise convert_to_error(kind, result)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

SUPERVDSM:
MainProcess|vm/2807af4a::ERROR::2019-06-26 10:41:42,247::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    md5 = hashlib.md5(content).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Version-Release number of selected component (if applicable):
vdsm-4.30.17-1.el7ev.x86_64
openssl-1.0.2k-16.el7_6.1.x86_64
redhat-release-virtualization-host-4.3-0.8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHVH 4.3 with FIPS mode
   rhvh-4.3.0.8-0.20190610.0
2. Add to RHV-M
3. Create a VM
4. Run-once, pin to the host in [1] and enable cloud-init

Actual results:
VM fails to start

Expected results:
VM starts

Additional info:
I've tried replacing md5 with other algorithms, it fails the same way, which is weird? usedforsecurity=False also did not work.
EVP_DigestInit_ex is from openssl.

SHA3_512:
MainProcess|vm/2807af4a::ERROR::2019-06-26 10:52:00,530::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    sha = hashlib.sha3_512(content).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

SHA1:
MainProcess|vm/2807af4a::ERROR::2019-06-26 10:46:56,879::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    sha1 = hashlib.sha1(content).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

usedforsecurity=False:
MainProcess|vm/2807af4a::ERROR::2019-06-26 11:05:05,607::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    md5 = hashlib.md5(content, usedforsecurity=False).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
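
Added example, not part of the bug report or the vdsm code base: one way to derive a payload image name from a content hash while only ever asking for digests from the SHA-2 family and probing each one first, so a blocked algorithm produces a clear error instead of the OpenSSL ValueError shown in the tracebacks above. The function names, the naming scheme and the sample payload are assumptions; the Gerrit change referenced later in this bug may have taken a different approach.

```python
import hashlib
import struct

# SHA-2 digests (FIPS 180-4). MD5 is deliberately not a candidate.
APPROVED = ("sha256", "sha384", "sha512")


def digest_available(name):
    """True if hashlib can instantiate `name` under the host's crypto policy."""
    try:
        hashlib.new(name, b"probe")
        return True
    except ValueError:
        # Raised for digests OpenSSL refuses (for example "disabled for fips")
        # and for names hashlib does not know at all.
        return False


def pick_digest(candidates=APPROVED):
    """Return the first usable digest name, or fail with a readable message."""
    for name in candidates:
        if digest_available(name):
            return name
    raise RuntimeError(
        "no usable digest among %r; check the host crypto policy" % (candidates,))


def payload_file_name(vm_id, files, candidates=APPROVED):
    """Hypothetical stand-in for a getFileName()-style helper.

    files maps a path (str) to its content (bytes). The name depends only on
    the set of (path, content) pairs, not on dict insertion order.
    """
    h = hashlib.new(pick_digest(candidates))
    for path in sorted(files):
        name = path.encode("utf-8")
        data = files[path]
        # Length-prefix every field so ("ab", "c") and ("a", "bc") differ.
        h.update(struct.pack(">Q", len(name)) + name)
        h.update(struct.pack(">Q", len(data)) + data)
    return "%s.%s.img" % (vm_id, h.hexdigest()[:32])


if __name__ == "__main__":
    # Constructed sample payload, not taken from the bug report.
    sample = {
        "user-data": b"#cloud-config\nhostname: demo\n",
        "meta-data": b"instance-id: demo\n",
    }
    print(payload_file_name("vm-0001", sample))
```
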

Comment 1 Daniel Gur 2019-08-28 13:12:33 UTC
sync2jira

Comment 2 Daniel Gur 2019-08-28 13:16:46 UTC
sync2jira

Comment 3 Tomasz Barański 2019-11-05 12:13:09 UTC
The FIPS-incompatible hash function has been removed with https://gerrit.ovirt.org/#/c/102698/.

Does this fix the problem?

Comment 4 Germano Veit Michel 2019-11-06 23:14:19 UTC
(In reply to Tomasz Barański from comment #3)
> The FIPS-incompatible hash function has been removed with
> https://gerrit.ovirt.org/#/c/102698/.
> 
> Does this fix the problem?

Looks like yes, maybe attach that Gerrit to this bug and ask QE to verify?

Comment 5 Tomasz Barański 2019-11-07 08:24:42 UTC
(In reply to Germano Veit Michel from comment #4)
> (In reply to Tomasz Barański from comment #3)
> > The FIPS-incompatible hash function has been removed with
> > https://gerrit.ovirt.org/#/c/102698/.
> > 
> > Does this fix the problem?
> 
> Looks like yes, maybe attach that Gerrit to this bug and ask QE to verify?

Will do, thanks!

Comment 6 Tomasz Barański 2019-11-07 08:31:53 UTC
It seems that the linked patch fixed the problem.

Comment 7 RHV bug bot 2019-11-19 11:52:49 UTC
WARN: Bug status (ON_QA) wasn't changed but the following should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops

Comment 16 Beni Pelled 2020-04-22 16:16:22 UTC
Verified with:
- RHV 4.4.0-0.32.master.el8ev
- Host with Red Hat Enterprise Linux 8.2 (Ootpa)
- libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64
- vdsm-4.40.13-1.el8ev.x86_64

Verification steps:
1. Enable FIPS on a host.
2. Connect the host to an engine.
3. Create a new VM with cloud-init parameters.
4. Run the new VM on the FIPS host.

Result:
- VM ran successfully with the configured cloud-init parameters.

Comment 22 errata-xmlrpc 2020-08-04 13:27:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3246