Bug 1804195

Summary: Podman support for FIPS Mode requires a bind mount inside the container [stream-container-tools-rhel8-rhel-8.2.0/podman]
Product: Red Hat Enterprise Linux 8
Reporter: Jindrich Novy <jnovy>
Component: podman
Assignee: Lokesh Mandvekar <lsm5>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Priority: unspecified
Version: 8.3
CC: bbaude, ddarrah, dornelas, dwalsh, imcleod, jligon, jnovy, kangell, kelmmatt, knewcome, lsm5, mheon, mpatel, smccarty, tmraz, tsweeney, weshen, ypu
Target Milestone: rc
Target Release: 8.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: container-tools-rhel8-8030020200723183228.2a301c24, podman-2.0.3-1.module+el8.3.0+7447+a5267fbb
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-11-04 03:05:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1784950

Description Jindrich Novy 2020-02-18 12:33:29 UTC
This is a tracking bug assuring the fix for [bug 1784950] gets applied in the stream-container-tools-rhel8-rhel-8.2.0 branch of podman.

Comment 6 Daniel Walsh 2020-03-23 17:20:03 UTC
We do not plan on updating this, so it is what it is at this point.

Jindrich, could you open an issue (or better yet a PR) to fix whatever issue they are seeing, and we can get it fixed in 8.2.1 or in 8.3?

Comment 10 Daniel Walsh 2020-05-06 15:55:23 UTC
I believe this should work now, and the issue was testing this with a container image less than 8.2.

Could you test this with a RHEL 8.2 image and make sure the mount point gets created correctly?

Comment 11 Scott McCarty 2020-05-06 16:02:26 UTC
I believe this works in RHEL 8.2 with podman 1.6.4. I followed the instructions in the docs:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies

1. Put host in FIPS mode

2. Run the container: podman run -it --rm -v /etc/system-fips:/etc/system-fips ubi8

3. Set FIPS mode in the container: [root@1c04298e0768 /]# update-crypto-policies --set FIPS

4. Verified the policy change:

[root@1c04298e0768 /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K May  6 15:56 .
drwxr-xr-x. 1 root root   50 Oct 29  2019 ..
lrwxrwxrwx. 1 root root   40 May  6 15:56 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root   42 May  6 15:56 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root   40 May  6 15:56 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root   40 May  6 15:56 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root   45 May  6 15:56 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root   42 May  6 15:56 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root   39 May  6 15:56 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root   43 May  6 15:56 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root   49 May  6 15:56 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root   43 May  6 15:56 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root   46 May  6 15:56 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt

Comment 12 Daniel Walsh 2020-05-13 20:42:38 UTC
I believe this is correct, Tomas could you verify?

Comment 13 Tomas Mraz 2020-05-14 07:46:15 UTC
I am not sure - the point of this bug was that podman should automatically do the bind mount so calling update-crypto-policies --set FIPS in the container would not be necessary. What does the same ls command output in the container look like if update-crypto-policies --set FIPS is not called?

Comment 14 Daniel Walsh 2020-06-03 14:26:57 UTC
Fixed in podman 2.0.

Comment 17 Joy Pu 2020-08-03 03:14:05 UTC
Tested with podman-2.0.3-1.module+el8.3.0+7505+fe51f0c6.x86_64. Now FIPS mode is passed into the container, so setting this to verified. Details:

# fips-mode-setup --check
FIPS mode is enabled.
# podman run -it ubi8
Trying to pull registry.access.redhat.com/ubi8...
Getting image source signatures
Copying blob 47db82df7f3f skipped: already exists  
Copying blob 77c58f19bd6e [--------------------------------------] 0.0b / 0.0b
Copying config a1f8c96997 done  
Writing manifest to image destination
Storing signatures
[root@a4d8d38c6f4a /]# yum install openssl
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Universal Base Image 8 (RPMs) - BaseOS  420 kB/s | 768 kB     00:01    
Red Hat Universal Base Image 8 (RPMs) - AppStre 947 kB/s | 3.9 MB     00:04    
Red Hat Universal Base Image 8 (RPMs) - CodeRea 7.4 kB/s |  11 kB     00:01    
Dependencies resolved.
================================================================================
 Package        Architecture  Version                 Repository           Size
================================================================================
Installing:
 openssl        x86_64        1:1.1.1c-15.el8         ubi-8-baseos        697 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 697 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
openssl-1.1.1c-15.el8.x86_64.rpm                843 kB/s | 697 kB     00:00    
--------------------------------------------------------------------------------
Total                                           841 kB/s | 697 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Running scriptlet: openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Verifying        : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
Installed products updated.

Installed:
  openssl-1:1.1.1c-15.el8.x86_64                                                

Complete!
[root@a4d8d38c6f4a /]# touch fipstest
[root@a4d8d38c6f4a /]# openssl md5 fipstest 
Error setting digest
140422413911872:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
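
The inspection that Comments 11, 13 and 17 do by hand (does every crypto-policies back-end link point at the FIPS policy, is the /etc/system-fips marker visible inside the container) as one added shell check; this is example code written for this page, not podman's or Red Hat's, and it assumes the global kernel flag /proc/sys/crypto/fips_enabled and a readlink(1) binary exist in the image. It also answers the question in Comment 13: a container where the back-ends were never switched to FIPS fails the check.

```shell
#!/bin/sh
# Added example (not from the bug report): run inside a container to see
# whether FIPS mode actually reached it. An optional ROOT argument lets the
# same functions run against a constructed directory tree; default is /.

# Succeeds only if every *.config symlink under etc/crypto-policies/back-ends
# resolves into /usr/share/crypto-policies/FIPS/ (the state Comment 11 shows).
backends_are_fips() {
    dir="${1:-}/etc/crypto-policies/back-ends"
    [ -d "$dir" ] || return 1
    found=0
    for cfg in "$dir"/*.config; do
        [ -L "$cfg" ] || return 1            # unmatched glob or a plain file
        found=1
        target=$(readlink "$cfg") || return 1
        case "$target" in
            /usr/share/crypto-policies/FIPS/*) ;;
            *) return 1 ;;                   # still DEFAULT/LEGACY/...
        esac
    done
    [ "$found" -eq 1 ]
}

# /proc/sys/crypto/fips_enabled is a global kernel setting (assumed present),
# so a container sees the host's value regardless of any bind mount.
kernel_fips_enabled() {
    f="${1:-}/proc/sys/crypto/fips_enabled"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# /etc/system-fips is the marker this bug is about: the linked docs have you
# bind-mount it in by hand, podman 2.0 is expected to do it automatically.
system_fips_marker_present() {
    [ -e "${1:-}/etc/system-fips" ]
}

fips_container_check() {
    root="${1:-}"
    rc=0
    if kernel_fips_enabled "$root"; then echo "ok   kernel fips_enabled=1"
    else echo "FAIL kernel fips_enabled is not 1"; rc=1; fi
    if system_fips_marker_present "$root"; then echo "ok   /etc/system-fips present"
    else echo "FAIL /etc/system-fips missing (bind mount not applied?)"; rc=1; fi
    if backends_are_fips "$root"; then echo "ok   back-ends are the FIPS set"
    else echo "FAIL back-ends are not the FIPS set"; rc=1; fi
    return "$rc"
}

# Pass --run to check the container you are executing in.
[ "${1:-}" != "--run" ] || fips_container_check
```

Exit status is non-zero when any of the three checks fails, so the script can be dropped into a container healthcheck or CI job.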

Comment 20 errata-xmlrpc 2020-11-04 03:05:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4694

Comment 21 Red Hat Bugzilla 2023-09-14 05:52:51 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days