Bug 1832743

Summary: Move update-crypto-policies and fips-mode-setup to a subpackage pulled via "Recommends" from the base package
Product: Red Hat Enterprise Linux 8 Reporter: Graham Bucknell <graham.bucknell>
Component: crypto-policiesAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.2CC: afield, asosedki, dornelas, jafiala, john, jwboyer, lmanasko, mjahoda, nmavrogi, omoris, pdwyer, smccarty, szidek, tmraz, vponcova
Target Milestone: rcKeywords: Triaged
Target Release: 8.3   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: crypto-policies-20200527-2.git0a29b28.el8 Doc Type: Enhancement
Doc Text:
.`update-crypto-policies` and `fips-mode-setup` moved into `crypto-policies-scripts` The `update-crypto-policies` and `fips-mode-setup` scripts, which were previously included in the `crypto-policies` package, are now moved into a separate RPM subpackage `crypto-policies-scripts`. The package is automatically installed through the Recommends dependency on regular installations. This enables the `ubi8/ubi-minimal` image to avoid the inclusion of the Python language interpreter and thus reduces the image size.
 Story Points: ---
Clone Of:
: 1841108 (view as bug list) Environment:
Last Closed: 2020-11-04 01:58:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1841108    
Bug Blocks:    

Description Graham Bucknell 2020-05-07 08:27:51 UTC 
Description of problem:
This might be very obvious and have a good reason, but I noticed that ubi-minimal:8.2 contains a "system" python 3.6 while ubi-minimal:8.1 doesn't have any python installed at all. 

Is this intended, given that the intention of microdnf is to not need an installed python ? 

This is a shame because I can't get ubi-minimal to pass JFrog Security scans any more with this bug that will not be fixed ever.

https://access.redhat.com/security/cve/cve-2019-9674

Version-Release number of selected component (if applicable): 8.2


How reproducible:
Very

Steps to Reproduce:
1. docker run -it registry.access.redhat.com/ubi8/ubi-minimal:8.2 /bin/bash
[root@805944d1c920 /]# rpm -qa | grep python
python3-setuptools-wheel-39.2.0-5.el8.noarch
platform-python-3.6.8-23.el8.x86_64
python3-pip-wheel-9.0.3-16.el8.noarch
platform-python-setuptools-39.2.0-5.el8.noarch
python3-libs-3.6.8-23.el8.x86_64
[root@805944d1c920 /]#


Actual results:
Python is installed

Expected results:
Python shouldn't be installed (?)

Additional info:

Thanks for the excellent base image.
Comment 1 Jindrich Novy 2020-05-07 09:54:13 UTC 
$ podman run -it --rm registry.access.redhat.com/ubi8/ubi-minimal:8.2 /bin/bash
[root@09fff225ff68 /]# rpm -qa | grep python
python3-setuptools-wheel-39.2.0-5.el8.noarch
platform-python-3.6.8-23.el8.x86_64
python3-pip-wheel-9.0.3-16.el8.noarch
platform-python-setuptools-39.2.0-5.el8.noarch
python3-libs-3.6.8-23.el8.x86_64

[root@09fff225ff68 /]# rpm -e platform-python
error: Failed dependencies:
	python(abi) = 3.6 is needed by (installed) platform-python-setuptools-39.2.0-5.el8.noarch
	python(abi) = 3.6 is needed by (installed) python3-libs-3.6.8-23.el8.x86_64
	/usr/libexec/platform-python is needed by (installed) crypto-policies-20191128-2.git23e1bf1.el8.noarch
	/usr/libexec/platform-python is needed by (installed) python3-libs-3.6.8-23.el8.x86_64

[root@09fff225ff68 /]# rpm -q --requires crypto-policies | grep python
/usr/libexec/platform-python

[root@09fff225ff68 /]# for P in `rpm -qa | grep python`; do rpm -qi $P | grep ^Size; done
Size        : 347695
Size        : 41094
Size        : 1255748
Size        : 2930163
Size        : 32376728

All the python bits adds ~36M deps into the minimal image.

Reassigning to crypto-policies as the requirements were added there likely via switching BuildRequires from python3 to python3-devel. Note it's not the full python stack but just a minimal set. Still a bit bulky.
Comment 2 Tomas Mraz 2020-05-07 16:31:17 UTC 
Unfortunately python is required for crypto-policies. We have a separate package for update-crypto-policies in Fedora now but it is very problematic to introduce that separate subpackage in RHEL.
Comment 3 Josh Boyer 2020-05-14 17:12:47 UTC 
(In reply to Tomas Mraz from comment #2)
> Unfortunately python is required for crypto-policies. We have a separate
> package for update-crypto-policies in Fedora now but it is very problematic
> to introduce that separate subpackage in RHEL.

Can you elaborate if this dependency was always true and was omitted in error for 8.0 and 8.1?

The issue at hand is that the ubi8-minimal container is much more popular with customers and developers because of the reduced size compared to the regular base image.  This change alone has significantly reduced that size savings.  Multiple reports from customers and users have now come in because of this and it would be very good if we could resolve this in some way.
Comment 4 Tomas Mraz 2020-05-15 07:23:58 UTC 
(In reply to Josh Boyer from comment #3)
> (In reply to Tomas Mraz from comment #2)
> > Unfortunately python is required for crypto-policies. We have a separate
> > package for update-crypto-policies in Fedora now but it is very problematic
> > to introduce that separate subpackage in RHEL.
> 
> Can you elaborate if this dependency was always true and was omitted in
> error for 8.0 and 8.1?

No, the dependency is new in RHEL-8.2 with the introduction of the Custom crypto policies support.

But we already decided within the team that in 8.3 we are going to do the package split similar to the one in current Fedora packages that makes the Python dependent script being pulled-in only via Recommends dependency. So it will be possible to build the minimal UBI container image without Python, although it of course will be without the update-crypto-policies script.
Comment 5 Scott McCarty 2020-05-18 13:11:58 UTC 
(In reply to Tomas Mraz from comment #4)
> (In reply to Josh Boyer from comment #3)
> > (In reply to Tomas Mraz from comment #2)
> > > Unfortunately python is required for crypto-policies. We have a separate
> > > package for update-crypto-policies in Fedora now but it is very problematic
> > > to introduce that separate subpackage in RHEL.
> > 
> > Can you elaborate if this dependency was always true and was omitted in
> > error for 8.0 and 8.1?
> 
> No, the dependency is new in RHEL-8.2 with the introduction of the Custom
> crypto policies support.
> 
> But we already decided within the team that in 8.3 we are going to do the
> package split similar to the one in current Fedora packages that makes the
> Python dependent script being pulled-in only via Recommends dependency. So
> it will be possible to build the minimal UBI container image without Python,
> although it of course will be without the update-crypto-policies script.

All, I wanted to provide some thoughts from the UBI side per an internal conversation that was not visible in the bug.

1. I like the long term idea of splitting up the dependencies into two packages and using Recommends. That has the advantage of providing FIPS capabilities consistently in all three UBI images (ubi8/ubi, ubi8/ubi-minimal, and ubi8/ubi-init).
2. I still wonder if we couldn't remove the policies, only for the ubi8/ubi-minimal image in a Z stream for RHEL 8.2? 

I ask about #2 because the ubi8/ubi-minimal image is already bigger than we would like it to be and we've also set the expectation that this image can be different than the standard image (ubi8/ubi) and multi-service image (ui8/ubi-init). For example, ubi8/ubi-minimal uses microdnf and and has language packages and other things removed by default. Stated another way, it is well understood that the ubi8/ubi-minimal image does not support everything that the standard and multi-services images support.

Thoughts on having a short term fix (#2) and a longer term fix (#1)?
Comment 6 Tomas Mraz 2020-05-18 13:47:04 UTC 
How would you remove the policies? There are hard dependencies from the crypto packages (openssl-libs, gnutls, openssh-clients, openssh-server) on the policies. So unless you can somehow drop these packages from the minimal image I don't see how you could remove the crypto-policies.
Comment 13 Ondrej Moriš 2020-06-03 14:44:08 UTC 
I can see /usr/share/crypto-policies/reload-cmds.sh packaged in crypto-policies even this script is used only by build-crypto-policies.py and update-crypto-policies.py packages in scripts subpackage. Is there a reason not to put this script into scripts subpackage?
Comment 14 Tomas Mraz 2020-06-03 15:04:47 UTC 
As this script is part of the generated policy data I left it in the base package along with the other data. It would not break anything if it was moved to -scripts but I do not see any particular need to do that either.

It does not make rpm to add any automatic /bin/sh requirement or anything like that so that is not a problem either.
Comment 15 Ondrej Moriš 2020-06-16 12:25:48 UTC 
Successfully verified.

 * BaseOS-8.3.0.GA
   * SRPMS   crypto-policies-20200610-1.git0ac8b1f.el8.src.rpm
   * noarch  crypto-policies-20200610-1.git0ac8b1f.el8.noarch.rpm
   * noarch  crypto-policies-scripts-20200610-1.git0ac8b1f.el8.noarch.rpm

# rpm -q crypto-policies
crypto-policies-20200610-1.git0ac8b1f.el8.noarch

# rpm -ql crypto-policies | grep bin/
# rpm -ql crypto-policies-scripts | grep bin/
/usr/bin/fips-finish-install
/usr/bin/fips-mode-setup
/usr/bin/update-crypto-policies
Comment 20 Josh Boyer 2020-07-16 11:22:24 UTC 
*** Bug 1857685 has been marked as a duplicate of this bug. ***
Comment 24 errata-xmlrpc 2020-11-04 01:58:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4536