Bug 1650512 - podman exec faile with "panic: boringcrypto: not in FIPS mode"
Summary: podman exec faile with "panic: boringcrypto: not in FIPS mode"
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: runc (Show other bugs)
(Show other bugs)
Version: 7.6
Hardware: Unspecified Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Keywords: Extras, TestBlocker
Depends On:
Blocks: 1652546
TreeView+ depends on / blocked
 
Reported: 2018-11-16 11:22 UTC by Joy Pu
Modified: 2018-11-30 12:49 UTC (History)
7 users (show)

Fixed In Version: runc-1.0.0-57.dev.git2abd837.el7_6
Doc Type: Bug Fix
Doc Text:
Cause: The runc package shipped in 7.6.1 Extras was built with an older version of golang which had a bug leading to a crash in certain FIPS modes. Consequence: podman exec failed. Fix: a new runc has been built with an updated golang dependency to take care of FIPS compliance. Result: podman exec works as expected.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-11-30 12:49:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3755 None None None 2018-11-30 12:49 UTC

Description Joy Pu 2018-11-16 11:22:42 UTC
Description of problem:
podman exec failed to exec command in a container.

Version-Release number of selected component (if applicable):
runc-1.0.0-54.dev.git2abd837.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a running container
# podman run -d --name test docker.io/busybox top
2. Exec a command in the container
podman exec test ls
panic: boringcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/boring.init.0()
	/opt/rh/go-toolset-7/root/usr/lib/go-toolset-7-golang/src/crypto/internal/boring/boring.go:35 +0xd6
exec failed: container_linux.go:336: starting container process caused "read init-p: connection reset by peer"
exit status 1


Actual results:
podman exec failed

Expected results:
podman exec can get results as expect

Additional info:
There is a similar bug for RHEL8: Bug 1615752 - podman exec crashes with 'panic: boringcrypto: not in FIPS mode'

And here is the debug logs from podman exec:

# podman --log-level debug exec 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c ls
DEBU[0000] Not configuring container store              
INFO[0000] Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist 
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] Creating new exec session in container 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c with session id e40b2454efa2e88cceca59eab3b715cee3fa0b76b3653af0bd943f1a16732a86 
DEBU[0000] Starting runtime /usr/bin/runc with following arguments: [--log /var/lib/containers/storage/overlay-containers/93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c/userdata/ctr.log exec --cwd / --pid-file /var/run/containers/storage/overlay-containers/93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c/userdata/exec_pid_e40b2454efa2e88cceca59eab3b715cee3fa0b76b3653af0bd943f1a16732a86 --env TERM=xterm --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c ls] 
panic: boringcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/boring.init.0()
	/opt/rh/go-toolset-7/root/usr/lib/go-toolset-7-golang/src/crypto/internal/boring/boring.go:35 +0xd6
exec failed: container_linux.go:336: starting container process caused "read init-p: connection reset by peer"
DEBU[0060] Timed out waiting for pidfile from runtime for container 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c exec 
ERRO[0060] exit status 1

Comment 2 Joy Pu 2018-11-16 11:28:16 UTC
The same command line works fine with runc-1.0.0-37.rc5.dev.gitad0f525.el7.x86_64

Comment 16 errata-xmlrpc 2018-11-30 12:49:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3755


Note You need to log in before you can comment on or make changes to this bug.