Bug 1792340
Summary: | Unable to build disk images when FIPS is enabled on the build system | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
Component: | python-blivet | Assignee: | Vojtech Trefny <vtrefny> |
Status: | CLOSED ERRATA | QA Contact: | Release Test Team <release-test-team-automation> |
Severity: | high | Priority: | high |
Version: | 8.1 | CC: | cbesson, pkotvan, vtrefny |
Target Milestone: | rc | Target Release: | 8.0 |
Hardware: | All | OS: | Linux |
Fixed In Version: | python-blivet-3.2.2-1.el8 | Doc Type: | If docs needed, set a value |
Last Closed: | 2020-11-04 03:22:23 UTC | Type: | Bug |
Bug Blocks: | 1812825, 1812830 | | |

upstream PR: https://github.com/storaged-project/blivet/pull/825

Providing qe_ack.

Reproducer without installing and using lorax-composer:

1. Install RHEL-8 in fips mode (fips=1 on kernel command line).
2. Download and extract blivet sources (https://github.com/storaged-project/blivet/archive/blivet-3.1.0.tar.gz).
3. Run:

$ sudo python3 tests/run_tests.py formats_test.fs_test.Ext2FSTestCase.test_mountpoint
test_mountpoint (formats_test.fs_test.Ext2FSTestCase) ... ERROR

======================================================================
ERROR: test_mountpoint (formats_test.fs_test.Ext2FSTestCase)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/blivet/tests/formats_test/fstesting.py", line 181, in test_mountpoint
    an_fs.mount(mountpoint=mountpoint)
  File "/root/blivet/blivet/threads.py", line 53, in run_with_lock
    return m(*args, **kwargs)
  File "/root/blivet/blivet/formats/fs.py", line 765, in mount
    return self.setup(**kwargs)
  File "/root/blivet/blivet/threads.py", line 53, in run_with_lock
    return m(*args, **kwargs)
  File "/root/blivet/blivet/formats/__init__.py", line 602, in setup
    type=self.type, status=self.status)
  File "/root/blivet/blivet/threads.py", line 53, in run_with_lock
    return m(*args, **kwargs)
  File "/root/blivet/blivet/formats/fs.py", line 783, in status
    return self.system_mountpoint is not None
  File "/root/blivet/blivet/threads.py", line 53, in run_with_lock
    return m(*args, **kwargs)
  File "/root/blivet/blivet/formats/fs.py", line 487, in system_mountpoint
    getattr(self, "subvolspec", None))[-1]
  File "/root/blivet/blivet/mounts.py", line 109, in get_mountpoints
    self._cache_check()
  File "/root/blivet/blivet/mounts.py", line 171, in _cache_check
    md5hash = util.md5_file("/proc/mounts")
  File "/root/blivet/blivet/util.py", line 567, in md5_file
    md5 = hashlib.md5()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

----------------------------------------------------------------------
Ran 1 test in 0.823s

FAILED (errors=1)

Reproducer with lorax:

1. Install RHEL-8 in fips mode (fips=1 on kernel command line).
2. Make sure that there are both BaseOS and AppStream repos enabled on the machine.
3. Run:

$ dnf install -y composer-cli lorax-composer
$ systemctl enable lorax-composer --now
$ composer-cli compose start example-http-server qcow2

4. To check the status of the build: composer-cli compose status
5. The compose build failed. Log can be found at /var/log/lorax-composer/composer.log

2020-04-20 02:11:56,449 INFO pylorax: Configuring storage
2020-04-20 02:14:58,482 INFO pylorax: ..Error in atexit._run_exitfuncs:
2020-04-20 02:14:58,482 INFO pylorax: Traceback (most recent call last):
2020-04-20 02:14:58,482 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/threads.py", line 53, in run_with_lock
2020-04-20 02:14:58,483 INFO pylorax: return m(*args, **kwargs)
2020-04-20 02:14:58,483 INFO pylorax: File "/usr/lib64/python3.6/site-packages/pyanaconda/storage/osinstall.py", line 2063, in umount_filesystems
2020-04-20 02:14:58,483 INFO pylorax: self.fsset.umount_filesystems(swapoff=swapoff)
2020-04-20 02:14:58,483 INFO pylorax: File "/usr/lib64/python3.6/site-packages/pyanaconda/storage/osinstall.py", line 776, in umount_filesystems
2020-04-20 02:14:58,483 INFO pylorax: device.format.teardown()
2020-04-20 02:14:58,483 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/threads.py", line 53, in run_with_lock
2020-04-20 02:14:58,483 INFO pylorax: return m(*args, **kwargs)
2020-04-20 02:14:58,484 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/formats/__init__.py", line 645, in teardown
2020-04-20 02:14:58,484 INFO pylorax: type=self.type, status=self.status)
2020-04-20 02:14:58,484 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/threads.py", line 53, in run_with_lock
2020-04-20 02:14:58,484 INFO pylorax: return m(*args, **kwargs)
2020-04-20 02:14:58,484 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/formats/fs.py", line 779, in status
2020-04-20 02:14:58,484 INFO pylorax: return self.system_mountpoint is not None
2020-04-20 02:14:58,484 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/threads.py", line 53, in run_with_lock
2020-04-20 02:14:58,484 INFO pylorax: return m(*args, **kwargs)
2020-04-20 02:14:58,484 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/formats/fs.py", line 488, in system_mountpoint
2020-04-20 02:14:58,485 INFO pylorax: getattr(self, "subvolspec", None))[-1]
2020-04-20 02:14:58,485 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/mounts.py", line 109, in get_mountpoints
2020-04-20 02:14:58,485 INFO pylorax: self._cache_check()
2020-04-20 02:14:58,485 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/mounts.py", line 171, in _cache_check
2020-04-20 02:14:58,485 INFO pylorax: md5hash = util.md5_file("/proc/mounts")
2020-04-20 02:14:58,485 INFO pylorax: File "/usr/lib/python3.6/site-packages/blivet/util.py", line 574, in md5_file
2020-04-20 02:14:58,485 INFO pylorax: md5 = hashlib.md5()
2020-04-20 02:14:58,485 INFO pylorax: ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

*** Bug 1837853 has been marked as a duplicate of this bug. ***

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (python-blivet bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4728

Description of problem:

When executing lorax-composer on a FIPS system to build a disk image, the tool fails when python3-blivet's md5_file() function is called:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  File "/usr/lib/python3.6/site-packages/blivet/mounts.py", line 109, in get_mountpoints
    self._cache_check()
  File "/usr/lib/python3.6/site-packages/blivet/mounts.py", line 171, in _cache_check
    md5hash = util.md5_file("/proc/mounts")
  File "/usr/lib/python3.6/site-packages/blivet/util.py", line 574, in md5_file
    md5 = hashlib.md5()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This is due to MD5 being completely disabled in libcrypto library when FIPS is enabled.

Example with FIPS enabled:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ python3 ...
>>> import hashlib
>>> hashlib.md5()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Internally, blivet should use a supported hash algorithm whatever FIPS mode is, e.g. "sha1".

Version-Release number of selected component (if applicable):
python3-blivet-3.1.0-17.el8.noarch

How reproducible:
Always
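
The change-detection pattern visible in the traceback (hashing /proc/mounts to decide whether a cached mount list is stale), written so it also works under FIPS mode. This is an added example, not blivet's code or the upstream fix: `usable`, `file_digest` and `MountsCache` are hypothetical names, and SHA-256 is an assumed choice of digest that FIPS mode permits.

```python
import hashlib

def usable(algorithm):
    """True if this host's crypto policy lets hashlib construct the digest."""
    try:
        hashlib.new(algorithm)
        return True
    except ValueError:  # "disabled for FIPS", or an unknown algorithm name
        return False

def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of a file; sha256 is assumed here as a FIPS-permitted digest."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

class MountsCache:
    """Hypothetical cache that re-parses the mounts file only when it changes."""

    def __init__(self, path="/proc/mounts"):
        self.path = path
        self._last_digest = None
        self.mounts = []

    def check(self):
        """Refresh the parsed entries if the file changed; True if refreshed."""
        current = file_digest(self.path)
        if current == self._last_digest:
            return False
        self._last_digest = current
        with open(self.path) as handle:
            # Leading fields of each line: device, mountpoint, fstype
            fields = (line.split() for line in handle)
            self.mounts = [f[:3] for f in fields if len(f) >= 3]
        return True

    def mountpoints(self, device):
        """Mountpoints of a device, re-reading the file only if it changed."""
        self.check()
        return [mnt for dev, mnt, _fstype in self.mounts if dev == device]

if __name__ == "__main__":
    # Quick audit of which digests the local crypto policy allows.
    for name in ("md5", "sha1", "sha256"):
        print(name, "usable" if usable(name) else "blocked by crypto policy")
```

Run as a script on a FIPS-enabled host, the audit loop shows which `hashlib` constructors the policy blocks before a build tool trips over them at run time.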