RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1650512 - podman exec faile with "panic: boringcrypto: not in FIPS mode"
Summary: podman exec faile with "panic: boringcrypto: not in FIPS mode"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: runc
Version: 7.6
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: rc
: ---
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1652546
TreeView+ depends on / blocked
 
Reported: 2018-11-16 11:22 UTC by Joy Pu
Modified: 2020-07-20 07:23 UTC (History)
8 users (show)

Fixed In Version: runc-1.0.0-57.dev.git2abd837.el7_6
Doc Type: Bug Fix
Doc Text:
Cause: The runc package shipped in 7.6.1 Extras was built with an older version of golang which had a bug leading to a crash in certain FIPS modes. Consequence: podman exec failed. Fix: a new runc has been built with an updated golang dependency to take care of FIPS compliance. Result: podman exec works as expected.
Clone Of:
Environment:
Last Closed: 2018-11-30 12:49:11 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3755 0 None None None 2018-11-30 12:49:19 UTC

Description Joy Pu 2018-11-16 11:22:42 UTC 
Description of problem:
podman exec failed to exec command in a container.

Version-Release number of selected component (if applicable):
runc-1.0.0-54.dev.git2abd837.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Start a running container
# podman run -d --name test docker.io/busybox top
2. Exec a command in the container
podman exec test ls
panic: boringcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/boring.init.0()
	/opt/rh/go-toolset-7/root/usr/lib/go-toolset-7-golang/src/crypto/internal/boring/boring.go:35 +0xd6
exec failed: container_linux.go:336: starting container process caused "read init-p: connection reset by peer"
exit status 1


Actual results:
podman exec failed

Expected results:
podman exec can get results as expect

Additional info:
There is a similar bug for RHEL8: Bug 1615752 - podman exec crashes with 'panic: boringcrypto: not in FIPS mode'

And here is the debug logs from podman exec:

# podman --log-level debug exec 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c ls
DEBU[0000] Not configuring container store              
INFO[0000] Found CNI network podman (type=bridge) at /etc/cni/net.d/87-podman-bridge.conflist 
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db 
DEBU[0000] Set libpod namespace to ""                   
DEBU[0000] Creating new exec session in container 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c with session id e40b2454efa2e88cceca59eab3b715cee3fa0b76b3653af0bd943f1a16732a86 
DEBU[0000] Starting runtime /usr/bin/runc with following arguments: [--log /var/lib/containers/storage/overlay-containers/93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c/userdata/ctr.log exec --cwd / --pid-file /var/run/containers/storage/overlay-containers/93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c/userdata/exec_pid_e40b2454efa2e88cceca59eab3b715cee3fa0b76b3653af0bd943f1a16732a86 --env TERM=xterm --env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c ls] 
panic: boringcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/boring.init.0()
	/opt/rh/go-toolset-7/root/usr/lib/go-toolset-7-golang/src/crypto/internal/boring/boring.go:35 +0xd6
exec failed: container_linux.go:336: starting container process caused "read init-p: connection reset by peer"
DEBU[0060] Timed out waiting for pidfile from runtime for container 93c48f8b58e25ef5d721bcaf460a972e5f74d87f8e503fb6e94dba308cab646c exec 
ERRO[0060] exit status 1
Comment 2 Joy Pu 2018-11-16 11:28:16 UTC 
The same command line works fine with runc-1.0.0-37.rc5.dev.gitad0f525.el7.x86_64
Comment 9 Lokesh Mandvekar 2018-11-28 19:52:47 UTC 
https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=19308424
Comment 16 errata-xmlrpc 2018-11-30 12:49:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3755
Note You need to log in before you can comment on or make changes to this bug.