Bug 1784952

| Summary: | Buildah needs to support FIPS Mode bind mount in RHEL8.2++ containers. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Daniel Walsh <dwalsh> |
| Component: | buildah | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | ajia, ddarrah, jnovy, lfriedma, pthomas, ssorce, tmraz, tsweeney |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | buildah-1.11.6-5.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-28 15:52:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Daniel Walsh
2019-12-18 19:24:04 UTC
Here is the first phase of the fix. https://github.com/containers/buildah/pull/2031

Just a little correction:
The source directory (inside the container) is: /usr/share/crypto-policies/back-ends/FIPS
The destination (inside the container) is: /etc/crypto-policies/back-ends
The buildah PR patch is fine in this regard.

The PR noted in comment #1 is cleanly applicable to buildah 1.11.6. Does it make sense to have it there? I mean in RHEL-8.2.0 container-tools?

Sure. Let's add it.

Assigning to Jindrich as this is now in Post.

Set blocker+ because this is required for FIPS support in the new buildah container in 8.2. Confirmed by Tom Sweeney.

@dwalsh the /usr/share/crypto-policies/DEFAULT (not FIPS sub-dir) in the host is mounted to /etc/crypto-policies/back-ends inside container, is it an expected result?

```
[root@hp-z240-01 ~]# dmesg|grep -i fips
[ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-183.el8.x86_64 root=/dev/mapper/rhel_hp--z240--01-root ro crashkernel=auto resume=/dev/mapper/rhel_hp--z240--01-swap rd.lvm.lv=rhel_hp-z240-01/root rd.lvm.lv=rhel_hp-z240-01/swap console=ttyS0,115200N81 fips=1 boot=UUID=177f2d89-c925-45d5-9ba9-b029e3be9e00
[ 0.000000] Kernel command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-183.el8.x86_64 root=/dev/mapper/rhel_hp--z240--01-root ro crashkernel=auto resume=/dev/mapper/rhel_hp--z240--01-swap rd.lvm.lv=rhel_hp-z240-01/root rd.lvm.lv=rhel_hp-z240-01/swap console=ttyS0,115200N81 fips=1 boot=UUID=177f2d89-c925-45d5-9ba9-b029e3be9e00
[ 0.000000] fips mode: enabled
[root@hp-z240-01 ~]# rpm -q buildah
buildah-1.11.6-5.module+el8.2.0+5770+b478fbe7.x86_64
[root@hp-z240-01 ~]# buildah from ubi8
Getting image source signatures
Copying blob eae5d284042d done
Copying blob ff6f434a470a done
Copying config fd73e6738a done
Writing manifest to image destination
Storing signatures
ubi8-working-container
[root@hp-z240-01 ~]# buildah containers
CONTAINER ID BUILDER IMAGE ID IMAGE NAME CONTAINER NAME
78a01a237179 * fd73e6738a95 registry.access.redhat.com/ub... ubi8-working-container
[root@hp-z240-01 ~]# ll /usr/share/crypto-policies/
total 8
drwxr-xr-x. 6 root root 61 Feb 26 21:30 back-ends
drwxr-xr-x. 2 root root 211 Feb 26 21:30 DEFAULT
-rw-r--r--. 1 root root 688 Nov 29 08:57 default-config
drwxr-xr-x. 2 root root 211 Feb 26 21:30 EMPTY
drwxr-xr-x. 2 root root 211 Feb 26 21:30 FIPS
drwxr-xr-x. 2 root root 211 Feb 26 21:30 FUTURE
drwxr-xr-x. 2 root root 211 Feb 26 21:30 LEGACY
drwxr-xr-x. 3 root root 109 Feb 26 21:30 policies
drwxr-xr-x. 5 root root 136 Feb 26 21:30 python
-rw-r--r--. 1 root root 167 Dec 16 13:10 reload-cmds.sh
[root@hp-z240-01 ~]# diff /usr/share/crypto-policies/DEFAULT/bind.txt /usr/share/crypto-policies/FIPS/bind.txt
2a3,4
> RSASHA1;
> NSEC3RSASHA1;
5a8
> SHA-1;
[root@hp-z240-01 ~]# buildah run ubi8-working-container ls -lah /etc/crypto-policies/back-ends
total 0
drwxr-xr-x. 2 root root 244 Jan 29 19:36 .
drwxr-xr-x. 5 root root 65 Jan 29 19:36 ..
lrwxrwxrwx. 1 root root 43 Jan 29 19:36 bind.config -> /usr/share/crypto-policies/DEFAULT/bind.txt
lrwxrwxrwx. 1 root root 45 Jan 29 19:36 gnutls.config -> /usr/share/crypto-policies/DEFAULT/gnutls.txt
lrwxrwxrwx. 1 root root 43 Jan 29 19:36 java.config -> /usr/share/crypto-policies/DEFAULT/java.txt
lrwxrwxrwx. 1 root root 43 Jan 29 19:36 krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
lrwxrwxrwx. 1 root root 48 Jan 29 19:36 libreswan.config -> /usr/share/crypto-policies/DEFAULT/libreswan.txt
lrwxrwxrwx. 1 root root 45 Jan 29 19:36 libssh.config -> /usr/share/crypto-policies/DEFAULT/libssh.txt
lrwxrwxrwx. 1 root root 42 Jan 29 19:36 nss.config -> /usr/share/crypto-policies/DEFAULT/nss.txt
lrwxrwxrwx. 1 root root 46 Jan 29 19:36 openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
lrwxrwxrwx. 1 root root 52 Jan 29 19:36 opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
lrwxrwxrwx. 1 root root 46 Jan 29 19:36 openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
lrwxrwxrwx. 1 root root 49 Jan 29 19:36 opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt
```

I believe that is correct. But should ask the crypto-policies guys to verify.

This does not look correct. Was the mount inside the container actually performed? This looks like a normal DEFAULT policy being applied in the container.

(In reply to Tomas Mraz from comment #10)
> This does not look correct. Was the mount inside the container actually
> performed? This looks like a normal DEFAULT policy being applied in the
> container.

You're right, I forgot to enable FIPS mode in the container.

```
[root@9ce2b0f43192 /]# ls /etc/system-fips
/etc/system-fips
[root@9ce2b0f43192 /]# update-crypto-policies --set FIPS
Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for FIPS compliance.
Use 'fips-mode-setup --enable' command instead.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.
[root@9ce2b0f43192 /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K Mar 4 15:14 .
drwxr-xr-x. 1 root root 50 Jan 29 19:36 ..
lrwxrwxrwx. 1 root root 40 Mar 4 15:14 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root 42 Mar 4 15:14 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root 40 Mar 4 15:14 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root 40 Mar 4 15:14 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root 45 Mar 4 15:14 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root 42 Mar 4 15:14 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root 39 Mar 4 15:14 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root 43 Mar 4 15:14 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root 49 Mar 4 15:14 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root 43 Mar 4 15:14 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root 46 Mar 4 15:14 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt
```

BTW, it didn't work for directly mounting dir in the container, I guess a privileged container is required.

```
[root@9ce2b0f43192 /]# mount --bind /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends
mount: /etc/crypto-policies/back-ends: permission denied.
[root@intel-sharkbay-mb-03 ~]# buildah version
Version: 1.11.6
Go Version: go1.13.4
Image Spec: 1.0.1-dev
Runtime Spec: 1.0.1-dev
CNI Spec: 0.4.0
libcni Version:
image Version: 5.0.0
Git Commit:
Built: Wed Dec 31 19:00:00 1969
OS/Arch: linux/amd64
```

Alex,
that looks wrong, please bring this bug back, you have only verified that this is not looking as it should so far.
So probably you should actually FAIL QA and send it back to devel to check what is wrong.

The whole point of this work is that the container will be in FIPS mode automatically if the HOST is in FIPS mode.

Were the tests run on a host that is in FIPS mode?

(In reply to Alex Jia from comment #11)
> BTW, it didn't work for directly mounting dir in the container, I guess a
> privileged container is required.
>
> [root@9ce2b0f43192 /]# mount --bind
> /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends
> mount: /etc/crypto-policies/back-ends: permission denied.
>

We have documentation about how to enable FIPS mode in a container - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies, but the above cmdline is wrong, Daniel has explained this in https://bugzilla.redhat.com/show_bug.cgi?id=1804193#c16

(In reply to Simo Sorce from comment #12)
> Alex,
> that looks wrong, please bring this bug back, you have only verified that
> this is not looking as it should so far.
> So probably you should actually FAIL QA and send it back to devel to check
> what is wrong.

All of the testing followed the official documentation - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies, please also see https://bugzilla.redhat.com/show_bug.cgi?id=1784952#c13

>
> The whole point of this work is that the container will be in FIPS mode
> automatically if the HOST is in FIPS mode.
>
> Were the tests run on a host that is in FIPS mode?

Yes absolutely.

No, the cmdline is not wrong and Dan is mistaken! He is probably looking at some old crypto-policies package version.

This is the right command for completeness:

```
mount --bind /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends
```

And the error message

```
mount: /etc/crypto-policies/back-ends: permission denied.
```

might be an indication of what is wrong. I.e. the source path is correct, but there is some permission problem. But does the same happen within podman? Doesn't it run with higher privileges?

Thanks Tomas, so the code looks correct, the issue is testing with a non RHEL8.2 container image.

Alex, could you update the container image and see if it works.
Also the

(In reply to Daniel Walsh from comment #16)
> Thanks Tomas, so the code looks correct, the issue is testing with a non
> RHEL8.2 container image.
>
>
> Alex, could you update the container image and see if it works.
>
> Also the

the ubi8-minimal-container-8.2-207 works on RHEL-8.2 w/ FIPS mode enabled, FIPS mode will be automatically enabled inside the container, and the contents are the same between directory /etc/crypto-policies/back-ends and /usr/share/crypto-policies/back-ends/FIPS, but I can't see any mount point, is it an expected result?

```
[root@hp-dl360g9-03 ~]# buildah run --tty ubi8-working-container /bin/bash
[root@b213066c8c16 /]# fips-mode-setup --check
FIPS mode is enabled.
[root@b213066c8c16 /]# ls -lah /etc/crypto-policies/back-ends
total 44K
drwxr-xr-x. 2 root root 244 Mar 10 13:37 .
drwxr-xr-x. 6 root root 81 Mar 10 13:37 ..
-rw-r--r--. 1 root root 105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root 473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root 587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root 137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root 359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root 990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root 345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root 854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root 162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root 306 Dec 16 18:10 opensslcnf.config
[root@b213066c8c16 /]# ls -lah /usr/share/crypto-policies/back-ends/FIPS
total 44K
drwxr-xr-x. 2 root root 244 Mar 10 13:37 .
drwxr-xr-x. 6 root root 61 Mar 10 13:37 ..
-rw-r--r--. 1 root root 105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root 473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root 587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root 137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root 359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root 990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root 345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root 854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root 162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root 306 Dec 16 18:10 opensslcnf.config
[root@b213066c8c16 /]# diff /usr/share/crypto-policies/back-ends/FIPS/bind.config /etc/crypto-policies/back-ends/bind.config
[root@b213066c8c16 /]# echo $?
0
```

But I haven't seen any mount point like below, please help confirm if it's an expected behavior, thanks.

```
[root@f807ec7d629e /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K Mar 20 10:24 .
drwxr-xr-x. 1 root root 50 Mar 2 17:42 ..
lrwxrwxrwx. 1 root root 40 Mar 20 10:24 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root 42 Mar 20 10:24 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root 40 Mar 20 10:24 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root 40 Mar 20 10:24 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root 45 Mar 20 10:24 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root 42 Mar 20 10:24 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root 39 Mar 20 10:24 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root 43 Mar 20 10:24 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root 49 Mar 20 10:24 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root 43 Mar 20 10:24 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root 46 Mar 20 10:24 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt
```

(In reply to Daniel Walsh from comment #16)
> Thanks Tomas, so the code looks correct, the issue is testing with a non
> RHEL8.2 container image.
>
>
> Alex, could you update the container image and see if it works.
>
> Also the

the ubi8-container-8.2-203 works on RHEL-8.2 w/ FIPS mode enabled, FIPS mode will be automatically enabled inside the container, and the contents are the same between directory /etc/crypto-policies/back-ends and /usr/share/crypto-policies/back-ends/FIPS, but I can't see any mount point, is it an expected result?

```
[root@hp-dl360g9-03 ~]# buildah run --tty ubi8-working-container /bin/bash
[root@b213066c8c16 /]# fips-mode-setup --check
FIPS mode is enabled.
[root@b213066c8c16 /]# ls -lah /etc/crypto-policies/back-ends
total 44K
drwxr-xr-x. 2 root root 244 Mar 10 13:37 .
drwxr-xr-x. 6 root root 81 Mar 10 13:37 ..
-rw-r--r--. 1 root root 105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root 473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root 587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root 137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root 359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root 990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root 345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root 854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root 162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root 306 Dec 16 18:10 opensslcnf.config
[root@b213066c8c16 /]# ls -lah /usr/share/crypto-policies/back-ends/FIPS
total 44K
drwxr-xr-x. 2 root root 244 Mar 10 13:37 .
drwxr-xr-x. 6 root root 61 Mar 10 13:37 ..
-rw-r--r--. 1 root root 105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root 473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root 587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root 137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root 359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root 990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root 345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root 854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root 162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root 306 Dec 16 18:10 opensslcnf.config
[root@b213066c8c16 /]# diff /usr/share/crypto-policies/back-ends/FIPS/bind.config /etc/crypto-policies/back-ends/bind.config
[root@b213066c8c16 /]# echo $?
0
```

But I haven't seen any mount point like below, please help confirm if it's an expected behavior, thanks.

```
[root@f807ec7d629e /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K Mar 20 10:24 .
drwxr-xr-x. 1 root root 50 Mar 2 17:42 ..
lrwxrwxrwx. 1 root root 40 Mar 20 10:24 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root 42 Mar 20 10:24 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root 40 Mar 20 10:24 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root 40 Mar 20 10:24 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root 45 Mar 20 10:24 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root 42 Mar 20 10:24 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root 39 Mar 20 10:24 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root 43 Mar 20 10:24 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root 49 Mar 20 10:24 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root 43 Mar 20 10:24 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root 46 Mar 20 10:24 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt
```

(In reply to Alex Jia from comment #17)
> the ubi8-minimal-container-8.2-207 works on RHEL-8.2 w/ FIPS mode enabled,

Also tested in ubi8-container-8.2-203.

Yes, this is the correct result. The mount (not symlinks) should be visible in cat /proc/self/mountinfo.

(In reply to Tomas Mraz from comment #20)
> Yes, this is the correct result. The mount (not symlinks) should be visible
> in cat /proc/self/mountinfo.

Sure, thank you Tomas.

```
[root@hp-dl360g9-03 ~]# buildah run ubi8-working-container grep -i fips /proc/self/mountinfo
506 504 0:46 /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends rw,relatime - overlay overlay rw,context="system_u:object_r:container_file_t:s0:c48,c469",lowerdir=/var/lib/containers/storage/overlay/l/V2UVWLVTQGKN75L4RQCDFWWOEW:/var/lib/containers/storage/overlay/l/ZEMRU7IJXNTJHQWXYD7IFEF3F5,upperdir=/var/lib/containers/storage/overlay/1a95b6e4aef17336b6b3b5ed8ad58317b857bd033b3d0654fbc05882f20213d1/diff,workdir=/var/lib/containers/storage/overlay/1a95b6e4aef17336b6b3b5ed8ad58317b857bd033b3d0654fbc05882f20213d1/work
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650
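
The three states seen in this thread (symlinks into DEFAULT, symlinks into FIPS set by hand, and the bind mount that only shows up in /proc/self/mountinfo) can be told apart mechanically. The following is an added example, not part of the bug report or of buildah; the function names, the state labels and the shortened sample mountinfo text are assumptions made for illustration.

```python
import os

BACKENDS = "/etc/crypto-policies/back-ends"
FIPS_SRC = "/usr/share/crypto-policies/back-ends/FIPS"

# Constructed sample: the mountinfo entry from the thread with the overlay
# options shortened, preceded by a made-up root filesystem entry.
SAMPLE_MOUNTINFO = (
    "504 380 0:46 / / rw,relatime - overlay overlay rw\n"
    "506 504 0:46 /usr/share/crypto-policies/back-ends/FIPS "
    "/etc/crypto-policies/back-ends rw,relatime - overlay overlay rw\n"
)

def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash as octal escapes.
    for code, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(code, ch)
    return field

def find_mount(mountinfo_text, mount_point):
    """Return (root, fstype) of the last mount on mount_point, or None."""
    found = None
    for line in mountinfo_text.splitlines():
        left, sep, right = line.partition(" - ")  # optional fields end at " - "
        fields, rest = left.split(), right.split()
        if not sep or len(fields) < 6 or not rest:
            continue
        if _unescape(fields[4]) == mount_point:
            found = (_unescape(fields[3]), rest[0])
    return found

def classify(mountinfo_text, entries):
    """entries: back-end file name -> symlink target, or None for a regular file."""
    mount = find_mount(mountinfo_text, BACKENDS)
    if mount and mount[0] == FIPS_SRC:
        return "fips-bind-mount"          # state confirmed as correct in the thread
    targets = [t for t in entries.values() if t]
    if targets and all(os.path.dirname(t).endswith("/FIPS") for t in targets):
        return "fips-symlinks-no-mount"   # result of update-crypto-policies --set FIPS
    if targets:
        return "non-fips-symlinks"        # e.g. links into DEFAULT/
    return "unknown"

def read_live():
    """Collect the same inputs from the running system (Linux only)."""
    with open("/proc/self/mountinfo") as fh:
        text = fh.read()
    entries = {}
    if os.path.isdir(BACKENDS):
        for name in os.listdir(BACKENDS):
            path = os.path.join(BACKENDS, name)
            entries[name] = os.readlink(path) if os.path.islink(path) else None
    return text, entries

if __name__ == "__main__":
    print("sample:", classify(SAMPLE_MOUNTINFO, {"bind.config": None}))
    if os.path.exists("/proc/self/mountinfo"):
        print("live:  ", classify(*read_live()))
```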