Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1092840

Summary: Glusterd crashes and core-dumps when starting a volume in FIPS mode.
Product: [Community] GlusterFS Reporter: Kaushal <kaushal>
Component: coreAssignee: Kaushal <kaushal>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: mainlineCC: bugs, casmith, dahorak, kaushal, nigelb, smohan
Target Milestone: ---Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://supercolony.gluster.org/pipermail/gluster-users/2014-April/040060.html
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1459708 1459709 (view as bug list) Environment:
Last Closed: 2018-10-08 03:26:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1459708, 1459709    

Description Kaushal 2014-04-30 05:30:45 UTC 
Description of problem:
When a system is running in FIPS mode, attempting to start volume will cause glusterd to crash and coredump. This is the backtrace that was obtained when I tried this on FIPS enabled rhel-6.5 machine.

(gdb) bt
#0  0x00007f8741f2a925 in raise () from /lib64/libc.so.6
#1  0x00007f8741f2c105 in abort () from /lib64/libc.so.6
#2  0x00007f87422f3ebf in OpenSSLDie () from /usr/lib64/libcrypto.so.10
#3  0x00007f87422fa619 in MD5_Init () from /usr/lib64/libcrypto.so.10
#4  0x00007f87422fa9ea in MD5 () from /usr/lib64/libcrypto.so.10
#5  0x00007f874391c91c in md5_wrapper (data=<value optimized out>, len=<value optimized out>, md5=0x23057d0 "") at common-utils.c:68
#6  0x00007f873e8beb72 in glusterd_set_socket_filepath (sock_filepath=0x2306860 "/var/lib/glusterd/vols/test/run/10.70.42.171-export-test", sockpath=0x230c9d0 "", len=4096) at glusterd-utils.c:1222
#7  0x00007f873e8bedf8 in glusterd_set_brick_socket_filepath (volinfo=0xfffffffffdcf87a1, brickinfo=0x7f8728003400, sockpath=0x230c9d0 "", len=4096) at glusterd-utils.c:1251
#8  0x00007f873e8c54a9 in glusterd_volume_start_glusterfs (volinfo=0x7f8728000f70, brickinfo=0x7f870000c000, wait=_gf_true) at glusterd-utils.c:1417
#9  0x00007f873e8c6f29 in glusterd_brick_start (volinfo=0x7f8728000f70, brickinfo=0x7f8728003400, wait=_gf_true) at glusterd-utils.c:4698
#10 0x00007f873e901a8d in glusterd_op_start_volume (dict=<value optimized out>, op_errstr=<value optimized out>) at glusterd-volume-ops.c:1746
#11 0x00007f873e8b071b in glusterd_op_commit_perform (op=GD_OP_START_VOLUME, dict=0x7f8740b3025c, op_errstr=0x2311868, rsp_dict=0x7f8740b3048c) at glusterd-op-sm.c:4170
#12 0x00007f873e90d93e in gd_commit_op_phase (peers=0x210e6e0, op=GD_OP_START_VOLUME, op_ctx=0x7f8740b301d0, req_dict=0x7f8740b3025c, op_errstr=0x2311868, npeers=0) at glusterd-syncop.c:980
#13 0x00007f873e90f632 in gd_sync_task_begin (op_ctx=0x7f8740b301d0, req=0x2101c6c) at glusterd-syncop.c:1260
#14 0x00007f873e90f76b in glusterd_op_begin_synctask (req=0x2101c6c, op=<value optimized out>, dict=0x7f8740b301d0) at glusterd-syncop.c:1294
#15 0x00007f873e902cc6 in __glusterd_handle_cli_start_volume (req=0x2101c6c) at glusterd-volume-ops.c:255
#16 0x00007f873e896f7f in glusterd_big_locked_handler (req=0x2101c6c, actor_fn=0x7f873e902b10 <__glusterd_handle_cli_start_volume>) at glusterd-handler.c:77
#17 0x00007f874393d8e2 in synctask_wrap (old_task=<value optimized out>) at syncop.c:293
#18 0x00007f8741f3bbf0 in ?? () from /lib64/libc.so.6
#19 0x0000000000000000 in ?? ()


Version-Release number of selected component (if applicable):
glusterfs-v3.5.0

How reproducible:
Always.

Steps to Reproduce:
1. Start up the system in FIPS mode
2. Create and try to start a volume.

Actual results:
Glusterd crashes with the above backtrace.

Expected results:
Glusterd shouldn't be crashing.

Additional info:
This is happening because glusterd is using MD5 to calculate a hash when building brick socket file path. MD5 is not a FIPS compliant hash algorithm, and openssl will die when an attempt to use MD5 is made in FIPS mode.

This was originally observed and reported on the gluster-users mailing list. The mail thread can be viewed at http://supercolony.gluster.org/pipermail/gluster-users/2014-April/040060.html.
Comment 1 Yaniv Kaul 2018-07-23 12:19:23 UTC 
That code should have been removed by:
commit 5aca4cf569f19d235662c4fbaa04df21e5fd46c2
Author: Kotresh HR <khiremat>
Date:   Tue Dec 19 00:05:05 2017 -0500

    fips: Replace md5sum usage to enable fips support
    
    md5sum is not fips compliant. Using xxhash64 instead of
    md5sum for socket file generation in glusterd and
    changelog to enable fips support.
    
    NOTE: md5sum is 128 bit hash. xxhash used is 64 bit.
    
    Updates: #230
    Change-Id: I1bf2ea05905b9151cd29fa951f903685ab0dc84c
    Signed-off-by: Kotresh HR <khiremat>


Is it still an issue?
Comment 2 Nigel Babu 2018-10-08 03:26:02 UTC 
I believe Glusterd no-longer crashes with FIPS mode turned on, however, there are a couple of bugs with the implementation we're working through to solve.

I am going to close this bug in the belief that all is well now. This was tracked as a Github issue and the patches are all in this issue: https://github.com/gluster/glusterfs/issues/230