Bug 1804188

Summary: Podman support for FIPS Mode requires a bind mount inside the container [stream-container-tools-rhel8-rhel-8.1.1/buildah]
Product: Red Hat Enterprise Linux 8
Reporter: Jindrich Novy <jnovy>
Component: buildah
Assignee: Jindrich Novy <jnovy>
Status: CLOSED CURRENTRELEASE
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.1
CC: ajia, ddarrah, lfriedma, tsweeney
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: buildah-1.11.6-5.el8_1_1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-03-26 02:43:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1784950

Description Jindrich Novy 2020-02-18 12:31:38 UTC
This is a tracking bug assuring the fix for [bug 1784950] gets applied in stream-container-tools-rhel8-rhel-8.1.1 branch of buildah.

Comment 2 Laurie Friedman 2020-02-19 15:08:34 UTC
Setting exception+ because all 8.1.1 changes (including bug fixes) require exception+.

Comment 3 Laurie Friedman 2020-02-19 15:31:27 UTC
zstream+ is required for 8.1.1.z commit.

Comment 6 Alex Jia 2020-03-20 10:26:19 UTC
Verified in buildah-1.11.6-6.module+el8.1.1+5865+cc793d95.x86_64.

[root@hp-dl360g9-03 ~]# fips-mode-setup --check
FIPS mode is enabled.

[root@hp-dl360g9-03 ~]# cat /etc/system-fips
# FIPS module installation complete

[root@hp-dl360g9-03 ~]# buildah from ubi8
Getting image source signatures
Copying blob 0bb54aa5e977 done
Copying blob 941e1e2b31a8 done
Copying config 0c46e5c7a8 done
Writing manifest to image destination
Storing signatures
ubi8-working-container

[root@hp-dl360g9-03 ~]# buildah run ubi8-working-container ls -lah /etc/crypto-policies/back-ends
total 0
drwxr-xr-x. 2 root root 244 Mar  2 17:42 .
drwxr-xr-x. 5 root root  65 Mar  2 17:42 ..
lrwxrwxrwx. 1 root root  43 Mar  2 17:42 bind.config -> /usr/share/crypto-policies/DEFAULT/bind.txt
lrwxrwxrwx. 1 root root  45 Mar  2 17:42 gnutls.config -> /usr/share/crypto-policies/DEFAULT/gnutls.txt
lrwxrwxrwx. 1 root root  43 Mar  2 17:42 java.config -> /usr/share/crypto-policies/DEFAULT/java.txt
lrwxrwxrwx. 1 root root  43 Mar  2 17:42 krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
lrwxrwxrwx. 1 root root  48 Mar  2 17:42 libreswan.config -> /usr/share/crypto-policies/DEFAULT/libreswan.txt
lrwxrwxrwx. 1 root root  45 Mar  2 17:42 libssh.config -> /usr/share/crypto-policies/DEFAULT/libssh.txt
lrwxrwxrwx. 1 root root  42 Mar  2 17:42 nss.config -> /usr/share/crypto-policies/DEFAULT/nss.txt
lrwxrwxrwx. 1 root root  46 Mar  2 17:42 openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
lrwxrwxrwx. 1 root root  52 Mar  2 17:42 opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
lrwxrwxrwx. 1 root root  46 Mar  2 17:42 openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
lrwxrwxrwx. 1 root root  49 Mar  2 17:42 opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt

[root@hp-dl360g9-03 ~]# buildah run --volume /etc/system-fips:/etc/system-fips --tty ubi8-working-container /bin/bash
[root@f807ec7d629e /]# update-crypto-policies --set FIPS
Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for
         FIPS compliance.
         Use 'fips-mode-setup --enable' command instead.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[root@f807ec7d629e /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K Mar 20 10:24 .
drwxr-xr-x. 1 root root   50 Mar  2 17:42 ..
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root   42 Mar 20 10:24 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root   45 Mar 20 10:24 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root   42 Mar 20 10:24 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root   39 Mar 20 10:24 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root   43 Mar 20 10:24 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root   49 Mar 20 10:24 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root   43 Mar 20 10:24 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root   46 Mar 20 10:24 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt
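The verification above checks two things by eye: that the FIPS marker file /etc/system-fips is visible inside the container (it is bind-mounted in with --volume), and that after update-crypto-policies --set FIPS every *.config symlink under /etc/crypto-policies/back-ends resolves into /usr/share/crypto-policies/FIPS/ instead of DEFAULT/. The script below is an added example, not code from this bug or from buildah; it turns those two checks into POSIX sh functions that return an exit status, so they can be run from a CI job or a buildah run step. It assumes only the symlink layout shown in the ls output above; the sample directories built by make_sample_dir are constructed for the demo and point at targets that need not exist on the machine running it.

```shell
#!/bin/sh
# Added example (not from the bug report or from buildah): audit functions for the
# two checks performed in the verification comment.
#   fips_marker_present ROOT   - is ROOT/etc/system-fips a regular file?
#   check_policy_dir DIR POLICY - do all *.config symlinks in DIR resolve into
#                                 /usr/share/crypto-policies/POLICY/ ?
# Assumption: the /etc/crypto-policies/back-ends symlink layout shown on the page.

# fips_marker_present ROOT : 0 if ROOT/etc/system-fips is a regular file, else 1.
# Inside a container ROOT is "/"; on the host it is also "/".
fips_marker_present() {
    [ -f "$1/etc/system-fips" ]
}

# check_policy_dir DIR POLICY : 0 if every *.config entry in DIR is a symlink
# into /usr/share/crypto-policies/POLICY/, 1 otherwise (offenders on stderr).
check_policy_dir() {
    dir=$1
    policy=$2
    rc=0
    found=0
    for link in "$dir"/*.config; do
        # an unmatched glob leaves the literal pattern behind; skip it
        [ -e "$link" ] || [ -L "$link" ] || continue
        found=1
        if [ ! -L "$link" ]; then
            echo "not a symlink: $link" >&2
            rc=1
            continue
        fi
        target=$(readlink "$link")
        case "$target" in
            /usr/share/crypto-policies/"$policy"/*) ;;
            *)
                echo "$link -> $target (expected policy $policy)" >&2
                rc=1
                ;;
        esac
    done
    if [ "$found" -eq 0 ]; then
        echo "no *.config symlinks found in $dir" >&2
        return 1
    fi
    return "$rc"
}

# make_sample_dir DIR POLICY : constructed stand-in for a back-ends directory
# (a subset of the back-ends listed on the page), all pointing at POLICY.
# The link targets are deliberately not created; readlink still reports them.
make_sample_dir() {
    for name in openssl opensshserver gnutls nss krb5; do
        ln -s "/usr/share/crypto-policies/$2/$name.txt" "$1/$name.config"
    done
}

# Demo on constructed directories only; no real system files are touched.
# Against a live container, call the functions with the real paths, e.g.
#   check_policy_dir /etc/crypto-policies/back-ends FIPS
demo() {
    work=$(mktemp -d)
    mkdir "$work/fips" "$work/default"
    make_sample_dir "$work/fips" FIPS
    make_sample_dir "$work/default" DEFAULT
    check_policy_dir "$work/fips" FIPS && echo "ok: $work/fips resolves to FIPS"
    check_policy_dir "$work/default" FIPS || echo "not FIPS: $work/default"
    fips_marker_present "$work" || echo "no /etc/system-fips under $work (expected for the demo)"
    rm -rf "$work"
}
demo
```

Both functions are written to be copied into a `buildah run ... sh -c` command or a CI step: a non-zero exit from check_policy_dir means at least one back-end is still on a different policy, and a non-zero exit from fips_marker_present means the marker file the comment bind-mounts is missing from the container's view of /etc.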

Comment 7 Alex Jia 2020-03-26 02:43:52 UTC
FIPS mode support is first targeted for RHEL 8.2 and is not supported, nor was it promised, for RHEL 8.1.
Please see https://bugzilla.redhat.com/show_bug.cgi?id=1804194#c9