Bug 1832743 - Move update-crypto-policies and fips-mode-setup to a subpackage pulled via "Recommends" from the base package

Product: Red Hat Enterprise Linux 8
Component: crypto-policies
Version: 8.2
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Target Release: 8.3
Keywords: Triaged
Type: Bug
Fixed In Version: crypto-policies-20200527-2.git0a29b28.el8
Bug Depends On: 1841108
Last Closed: 2020-11-04 01:58:45 UTC

Reporter: Graham Bucknell <graham.bucknell>
Assignee: Tomas Mraz <tmraz>
QA Contact: Ondrej Moriš <omoris>
Docs Contact: Jan Fiala <jafiala>
CC: afield, asosedki, dornelas, jafiala, john, jwboyer, lmanasko, mjahoda, nmavrogi, omoris, pdwyer, smccarty, szidek, tmraz, vponcova

Doc Type: Enhancement
Doc Text:
.`update-crypto-policies` and `fips-mode-setup` moved into `crypto-policies-scripts`
The `update-crypto-policies` and `fips-mode-setup` scripts, which were previously included in the `crypto-policies` package, are now moved into a separate RPM subpackage `crypto-policies-scripts`. The package is automatically installed through the Recommends dependency on regular installations. This enables the `ubi8/ubi-minimal` image to avoid the inclusion of the Python language interpreter and thus reduces the image size.
Description
Graham Bucknell 2020-05-07 08:27:51 UTC

$ podman run -it --rm registry.access.redhat.com/ubi8/ubi-minimal:8.2 /bin/bash
[root@09fff225ff68 /]# rpm -qa | grep python
python3-setuptools-wheel-39.2.0-5.el8.noarch
platform-python-3.6.8-23.el8.x86_64
python3-pip-wheel-9.0.3-16.el8.noarch
platform-python-setuptools-39.2.0-5.el8.noarch
python3-libs-3.6.8-23.el8.x86_64
[root@09fff225ff68 /]# rpm -e platform-python
error: Failed dependencies:
        python(abi) = 3.6 is needed by (installed) platform-python-setuptools-39.2.0-5.el8.noarch
        python(abi) = 3.6 is needed by (installed) python3-libs-3.6.8-23.el8.x86_64
        /usr/libexec/platform-python is needed by (installed) crypto-policies-20191128-2.git23e1bf1.el8.noarch
        /usr/libexec/platform-python is needed by (installed) python3-libs-3.6.8-23.el8.x86_64
[root@09fff225ff68 /]# rpm -q --requires crypto-policies | grep python
/usr/libexec/platform-python
[root@09fff225ff68 /]# for P in `rpm -qa | grep python`; do rpm -qi $P | grep ^Size; done
Size : 347695
Size : 41094
Size : 1255748
Size : 2930163
Size : 32376728

All the python bits add ~36M of deps into the minimal image.

-----
Comment 1

Reassigning to crypto-policies as the requirements were added there likely via switching BuildRequires from python3 to python3-devel. Note it's not the full python stack but just a minimal set. Still a bit bulky.

-----
Comment 2 (Tomas Mraz)

Unfortunately python is required for crypto-policies. We have a separate package for update-crypto-policies in Fedora now but it is very problematic to introduce that separate subpackage in RHEL.

-----
Comment 3 (Josh Boyer)

(In reply to Tomas Mraz from comment #2)
> Unfortunately python is required for crypto-policies. We have a separate
> package for update-crypto-policies in Fedora now but it is very problematic
> to introduce that separate subpackage in RHEL.

Can you elaborate if this dependency was always true and was omitted in error for 8.0 and 8.1?

The issue at hand is that the ubi8-minimal container is much more popular with customers and developers because of the reduced size compared to the regular base image. This change alone has significantly reduced that size savings. Multiple reports from customers and users have now come in because of this and it would be very good if we could resolve this in some way.

-----
Comment 4 (Tomas Mraz)

(In reply to Josh Boyer from comment #3)
> (In reply to Tomas Mraz from comment #2)
> > Unfortunately python is required for crypto-policies. We have a separate
> > package for update-crypto-policies in Fedora now but it is very problematic
> > to introduce that separate subpackage in RHEL.
>
> Can you elaborate if this dependency was always true and was omitted in
> error for 8.0 and 8.1?

No, the dependency is new in RHEL-8.2 with the introduction of the Custom crypto policies support.

But we already decided within the team that in 8.3 we are going to do the package split similar to the one in current Fedora packages that makes the Python dependent script being pulled-in only via Recommends dependency. So it will be possible to build the minimal UBI container image without Python, although it of course will be without the update-crypto-policies script.

-----
(In reply to Tomas Mraz from comment #4)
> (In reply to Josh Boyer from comment #3)
> > (In reply to Tomas Mraz from comment #2)
> > > Unfortunately python is required for crypto-policies. We have a separate
> > > package for update-crypto-policies in Fedora now but it is very problematic
> > > to introduce that separate subpackage in RHEL.
> >
> > Can you elaborate if this dependency was always true and was omitted in
> > error for 8.0 and 8.1?
>
> No, the dependency is new in RHEL-8.2 with the introduction of the Custom
> crypto policies support.
>
> But we already decided within the team that in 8.3 we are going to do the
> package split similar to the one in current Fedora packages that makes the
> Python dependent script being pulled-in only via Recommends dependency. So
> it will be possible to build the minimal UBI container image without Python,
> although it of course will be without the update-crypto-policies script.

All, I wanted to provide some thoughts from the UBI side per an internal conversation that was not visible in the bug.

1. I like the long term idea of splitting up the dependencies into two packages and using Recommends. That has the advantage of providing FIPS capabilities consistently in all three UBI images (ubi8/ubi, ubi8/ubi-minimal, and ubi8/ubi-init).

2. I still wonder if we couldn't remove the policies, only for the ubi8/ubi-minimal image in a Z stream for RHEL 8.2?

I ask about #2 because the ubi8/ubi-minimal image is already bigger than we would like it to be and we've also set the expectation that this image can be different than the standard image (ubi8/ubi) and multi-service image (ubi8/ubi-init). For example, ubi8/ubi-minimal uses microdnf and has language packages and other things removed by default. Stated another way, it is well understood that the ubi8/ubi-minimal image does not support everything that the standard and multi-service images support.

Thoughts on having a short term fix (#2) and a longer term fix (#1)?

-----
How would you remove the policies? There are hard dependencies from the crypto packages (openssl-libs, gnutls, openssh-clients, openssh-server) on the policies. So unless you can somehow drop these packages from the minimal image I don't see how you could remove the crypto-policies.

-----
I can see /usr/share/crypto-policies/reload-cmds.sh packaged in crypto-policies even though this script is used only by build-crypto-policies.py and update-crypto-policies.py, which are packaged in the scripts subpackage. Is there a reason not to put this script into the scripts subpackage?

-----
As this script is part of the generated policy data I left it in the base package along with the other data. It would not break anything if it was moved to -scripts but I do not see any particular need to do that either. It does not make rpm add any automatic /bin/sh requirement or anything like that, so that is not a problem either.

-----
Successfully verified.

* BaseOS-8.3.0.GA
  * SRPMS
    crypto-policies-20200610-1.git0ac8b1f.el8.src.rpm
  * noarch
    crypto-policies-20200610-1.git0ac8b1f.el8.noarch.rpm
  * noarch
    crypto-policies-scripts-20200610-1.git0ac8b1f.el8.noarch.rpm

# rpm -q crypto-policies
crypto-policies-20200610-1.git0ac8b1f.el8.noarch
# rpm -ql crypto-policies | grep bin/
# rpm -ql crypto-policies-scripts | grep bin/
/usr/bin/fips-finish-install
/usr/bin/fips-mode-setup
/usr/bin/update-crypto-policies

-----
*** Bug 1857685 has been marked as a duplicate of this bug. ***

-----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (crypto-policies bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4536
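The thread above leaves a practical gap for anyone running the split packages: the crypto libraries still hard-require the policy data, so a Python-free ubi8/ubi-minimal image is still pinned to a system-wide policy, but it no longer ships `update-crypto-policies --show` to tell you which one, or to notice when a back-end file was edited by hand instead of through the tool. The following is an added example, not code from the bug report or from the crypto-policies package: a POSIX sh check that reads the policy name from the image's `/etc/crypto-policies/config` and verifies that every `back-ends/*.config` file is a symlink into that policy's directory under `/usr/share/crypto-policies/`. That symlink layout is an assumption about RHEL 8 style images and should be confirmed on the target; the root path argument, the function names and the constructed sample tree used below are likewise the example's own.

```sh
#!/bin/sh
# Added example, not part of bug 1832743 or the crypto-policies package.
# Report the system-wide crypto policy an image is pinned to, and whether its
# back-end files still follow that policy, using only sh and coreutils. This
# covers ubi8/ubi-minimal after the split: the policy data is present (the
# crypto libraries hard-require crypto-policies) but update-crypto-policies
# left the image together with Python.
#
# Assumed layout (RHEL 8 style; confirm on the target before relying on it):
#   <root>/etc/crypto-policies/config                  policy name, e.g. DEFAULT
#   <root>/etc/crypto-policies/back-ends/<be>.config   symlink to
#   /usr/share/crypto-policies/<POLICY>/<be>.txt
# <root> is the image rootfs: "/" inside the container, or a mount point such
# as the output of "podman mount <container>" when checking from the host.
set -eu

# Print the configured policy name: first non-comment, non-blank line of config.
cp_policy_name() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1/etc/crypto-policies/config" \
        | head -n 1 | tr -d '[:space:]'
}

# Return 0 if every back-end file is a symlink into the configured policy's
# directory; otherwise report each offender on stderr and return 1. A regular
# file, or a link into a different policy directory, means something other
# than update-crypto-policies changed the effective policy.
cp_backends_consistent() {
    root=$1
    policy=$(cp_policy_name "$root")
    expected="/usr/share/crypto-policies/$policy"
    status=0
    for link in "$root"/etc/crypto-policies/back-ends/*.config; do
        # Skip the unexpanded glob on an empty directory, but keep dangling
        # symlinks: -e follows the link, -L looks at the link itself.
        [ -e "$link" ] || [ -L "$link" ] || continue
        # readlink (without -f) prints the link text as stored in the image,
        # so this works on a rootfs mounted from the host as well.
        target=$(readlink "$link" 2>/dev/null || echo "(regular file)")
        case $target in
            "$expected"/*) ;;
            *) echo "MISMATCH: ${link##*/} -> $target (expected under $expected/)" >&2
               status=1 ;;
        esac
    done
    return $status
}

# One-line summary per rootfs; the exit status mirrors the consistency check.
cp_report() {
    root=${1:-/}
    echo "policy: $(cp_policy_name "$root")"
    if cp_backends_consistent "$root"; then
        echo "back-ends: consistent with configured policy"
    else
        echo "back-ends: INCONSISTENT, see stderr"
        return 1
    fi
}

# usage (inside the container):  . ./cp-check.sh; cp_report /
# usage (from the host):         . ./cp-check.sh; cp_report "$(podman mount ctr)"
```

A back-end that points into another policy directory, or that has been replaced by a regular file with hand-written settings, is flagged as a mismatch; a policy name with a modifier (for example `DEFAULT:SHA1`) is passed through unchanged and expected to have its own directory under `/usr/share/crypto-policies/`, which is part of the layout assumption stated above.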