Bug 1784950
| Field | Value |
|---|---|
| Summary | Podman support for FIPS Mode requires a bind mount inside the container |
| Product | Red Hat Enterprise Linux 8 |
| Component | podman |
| Version | 8.1 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | Jindrich Novy <jnovy> |
| QA Contact | atomic-bugs <atomic-bugs> |
| CC | bbaude, ddarrah, dornelas, dwalsh, jligon, jnovy, kanderso, lfriedma, lsm5, mheon, pthomas, tmraz, tsweeney, ypu |
| Target Milestone | rc |
| Target Release | 8.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | podman-1.9.2-3.el8 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2020-07-21 15:31:54 UTC |
| Bug Depends On | 1804186, 1804187, 1804188, 1804189, 1804191, 1804193, 1804194, 1804195, 1804210, 1804218, 1804219, 1804220, 1804246 |
| Bug Blocks | 1793607 |
Description
Daniel Walsh
2019-12-18 19:21:49 UTC
Here is the first phase of the fix. https://github.com/containers/buildah/pull/2031

Just a little correction: The source directory (inside the container) is: /usr/share/crypto-policies/back-ends/FIPS
The destination (inside the container) is: /etc/crypto-policies/back-ends

The buildah PR patch is fine in this regard.

Well, we now have the buildah PR in. Do we need to do anything else?

Setting needinfo on myself so as not to forget to apply this.

As it's Post, assigning to Jindrich.

Set blocker+ because this is required for FIPS support in the new podman container in 8.2. Confirmed by Tom Sweeney.

Tested with podman-1.9.3-2.module+el8.2.1+6867+366c07d6.x86_64 and it seems to work as expected. When FIPS mode is enabled on the host, it is also enabled inside the container. When it is disabled, it is also disabled inside the container. So setting this to verified.

Details:

    # fips-mode-setup --enable
    Kernel initramdisks are being regenerated. This might take some time.
    Setting system policy to FIPS
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.

    FIPS mode will be enabled.
    Please reboot the system for the setting to take effect.
    # reboot
    # podman run -it ubi8
    Trying to pull registry.access.redhat.com/ubi8...
    Getting image source signatures
    Copying blob fc5aa93e3b58 done
    Copying blob 1a6747857d79 done
    Copying config 54e2c74741 done
    Writing manifest to image destination
    Storing signatures
    [root@73305c82ea9b /]# yum install openssl
    Updating Subscription Management repositories.
    Unable to read consumer identity
    Subscription Manager is operating in container mode.
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Red Hat Universal Base Image 8 (RPMs) - BaseOS      216 kB/s | 766 kB     00:03
    Red Hat Universal Base Image 8 (RPMs) - AppStre     1.1 MB/s | 3.8 MB     00:03
    Red Hat Universal Base Image 8 (RPMs) - CodeRea     7.7 kB/s |  11 kB     00:01
    Dependencies resolved.
    ================================================================================
     Package      Architecture   Version              Repository        Size
    ================================================================================
    Installing:
     openssl      x86_64         1:1.1.1c-15.el8      ubi-8-baseos      697 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 697 k
    Installed size: 1.1 M
    Is this ok [y/N]: y
    Downloading Packages:
    openssl-1.1.1c-15.el8.x86_64.rpm                    213 kB/s | 697 kB     00:03
    --------------------------------------------------------------------------------
    Total                                               213 kB/s | 697 kB     00:03
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                        1/1
      Installing       : openssl-1:1.1.1c-15.el8.x86_64                         1/1
      Running scriptlet: openssl-1:1.1.1c-15.el8.x86_64                         1/1
      Verifying        : openssl-1:1.1.1c-15.el8.x86_64                         1/1
    Installed products updated.

    Installed:
      openssl-1:1.1.1c-15.el8.x86_64

    Complete!
    [root@73305c82ea9b /]# touch fipstest
    [root@73305c82ea9b /]# openssl md5 fipstest
    Error setting digest
    139829228353344:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
    [root@73305c82ea9b /]# openssl sha1 fipstest
    SHA1(fipstest)= da39a3ee5e6b4b0d3255bfef95601890afd80709
    [root@73305c82ea9b /]# exit
    exit
    # fips-mode-setup --disable
    Setting system policy to DEFAULT
    Note: System-wide crypto policies are applied on application start-up.
    It is recommended to restart the system for the change of policies
    to fully take place.

    FIPS mode will be disabled.
    Please reboot the system for the setting to take effect.
    # reboot
    # podman run -it ubi8
    [root@e2140386a2d1 /]# ls
    bin  boot  dev  etc  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
    [root@e2140386a2d1 /]# touch fipstest
    [root@e2140386a2d1 /]# yum install openssl
    Updating Subscription Management repositories.
    Unable to read consumer identity
    Subscription Manager is operating in container mode.
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Red Hat Universal Base Image 8 (RPMs) - BaseOS      168 kB/s | 766 kB     00:04
    Red Hat Universal Base Image 8 (RPMs) - AppStre     543 kB/s | 3.8 MB     00:07
    Red Hat Universal Base Image 8 (RPMs) - CodeRea     4.9 kB/s |  11 kB     00:02
    Dependencies resolved.
    ================================================================================
     Package      Architecture   Version              Repository        Size
    ================================================================================
    Installing:
     openssl      x86_64         1:1.1.1c-15.el8      ubi-8-baseos      697 k

    Transaction Summary
    ================================================================================
    Install  1 Package

    Total download size: 697 k
    Installed size: 1.1 M
    Is this ok [y/N]: y
    Downloading Packages:
    openssl-1.1.1c-15.el8.x86_64.rpm                    545 kB/s | 697 kB     00:01
    --------------------------------------------------------------------------------
    Total                                               544 kB/s | 697 kB     00:01
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                        1/1
      Installing       : openssl-1:1.1.1c-15.el8.x86_64                         1/1
      Running scriptlet: openssl-1:1.1.1c-15.el8.x86_64                         1/1
      Verifying        : openssl-1:1.1.1c-15.el8.x86_64                         1/1
    Installed products updated.

    Installed:
      openssl-1:1.1.1c-15.el8.x86_64

    Complete!
    [root@e2140386a2d1 /]# openssl fipstest
    Invalid command 'fipstest'; type "help" for a list.
    [root@e2140386a2d1 /]# openssl md5 fipstest
    MD5(fipstest)= d41d8cd98f00b204e9800998ecf8427e

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3053
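A script form of the verification done above, added here as an example and not part of the bug report or of podman itself: for a container root filesystem (assumed already mounted on the host, e.g. via `podman mount`), it checks that the effective crypto-policy back-ends in /etc/crypto-policies/back-ends are the FIPS ones from /usr/share/crypto-policies/back-ends/FIPS exactly when the host kernel reports FIPS mode. The function names and the optional flag-file argument (used to test offline) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a container rootfs runs with the FIPS crypto-policy
# back-ends whenever the host is in FIPS mode. Paths are those named in the bug.
FIPS_SRC=usr/share/crypto-policies/back-ends/FIPS   # policy shipped in the image
POLICY_DST=etc/crypto-policies/back-ends            # what libraries actually read

# Print 1 if the kernel reports FIPS mode, 0 otherwise. The flag file argument
# is an assumption for offline testing; it defaults to the real /proc entry.
host_fips_enabled() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$flag_file" ] && [ "$(cat "$flag_file")" = "1" ]; then
        echo 1
    else
        echo 0
    fi
}

# Return 0 if every FIPS back-end file in the image is byte-identical to the
# corresponding effective policy file, i.e. the bind mount podman performs in
# FIPS mode is in place (an image with FIPS baked in at build time also passes).
container_policy_is_fips() {
    rootfs="$1"
    src="$rootfs/$FIPS_SRC"
    dst="$rootfs/$POLICY_DST"
    [ -d "$src" ] && [ -d "$dst" ] || return 1
    for f in "$src"/*; do
        [ -e "$f" ] || return 1          # empty FIPS dir: nothing to verify
        cmp -s "$f" "$dst/$(basename "$f")" || return 1
    done
    return 0
}

# The container must be in FIPS policy exactly when the host is. Returns 0 when
# consistent, 1 when the host is FIPS but the container is not (the condition
# this bug fixed), 2 when the container applies FIPS policy without a FIPS host.
check_container_fips() {
    rootfs="$1"; flag_file="$2"
    host=$(host_fips_enabled "$flag_file")
    if container_policy_is_fips "$rootfs"; then cont=1; else cont=0; fi
    if [ "$host" = "$cont" ]; then
        return 0
    elif [ "$host" = 1 ]; then
        return 1
    else
        return 2
    fi
}
```

On a host, `check_container_fips "$(podman mount CONTAINER)"` uses the real /proc flag; exit status 1 is the pre-fix condition, where the host is in FIPS mode but the container still reads the DEFAULT policy.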