+++ This bug was initially created as a clone of Bug #1709201 +++

Description of problem:
In order to run on a FIPS compliant system the checksum computation that's used for gluster hooks scripts should be changed to sha256 computation.

Version-Release number of selected component (if applicable):

How reproducible:
NA

--- Additional comment from John Call on 2019-05-13 11:17:18 UTC ---

From: Mike Flannery <mflanner>
Date: Sat, May 11, 2019, 09:02
Subject: vdsmd errors with latest RHHI-V / RHV (4.3 downloaded from access.redhat.com)
To: Ryan Barry <rbarry>, Yuval Turgeman <yturgema>, John Call <jcall>, Sandro Bonazzola <sbonazzo>, Sean Murphy - ISBU <seamurph>, Sahina Bose <sabose>

Good morning!

In preparation for our POC starting Monday, I downloaded from access and installed the latest RHV build (to install RHHI-V) with file named RHVH-4.3-20190410.3-RHVH-x86_64-dvd1.iso. I applied the DISA STIG security profile and now that I say that I wonder if I was supposed to pick a different security profile for this version of RHV... If I was, please let me know.
The install went well but afterwards, I am getting this error from every Hypervisor node on a 2 hour interval:

May 11 05:47:48 rhv1 vdsm[19063]: ERROR Internal server error
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/yajsonrpc/__init__.py", line 345, in _handle_request
    res = method(**params)
  File "/usr/lib/python2.7/site-packages/vdsm/rpc/Bridge.py", line 194, in _dynamicMethod
    result = fn(*methodArgs)
  File "/usr/lib/python2.7/site-packages/vdsm/gluster/apiwrapper.py", line 39, in list
    return self._gluster.hooksList()
  File "/usr/lib/python2.7/site-packages/vdsm/gluster/api.py", line 93, in wrapper
    rv = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/gluster/api.py", line 460, in hooksList
    status = self.svdsmProxy.glusterHooksList()
  File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 56, in __call__
    return callMethod()
  File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 54, in <lambda>
    **kwargs)
  File "<string>", line 2, in glusterHooksList
  File "/usr/lib64/python2.7/multiprocessing/managers.py", line 773, in _callmethod
    raise convert_to_error(kind, result)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

From: Yuval Turgeman <yturgema>
Date: Sun, May 12, 2019, 08:56
Subject: Re: vdsmd errors with latest RHHI-V / RHV (4.3 downloaded from access.redhat.com)
To: Mike Flannery <mflanner>
Cc: Ryan Barry <rbarry>, John Call <jcall>, Sandro Bonazzola <sbonazzo>, Sean Murphy - ISBU <seamurph>, Sahina Bose <sabose>

Going over the vdsm code, it looks like they use md5 to verify integrity for the installed hooks

--- Additional comment from Sahina Bose on 2019-06-18 15:15:27 UTC ---

--- Additional comment from Sean Murphy on 2019-06-18 15:38:19 UTC ---

@sahina / @sas - what is involved in making / proving this change?.. knock-ons elsewhere in the system from so doing?
What do we believe needs to be done in terms of establishing test cases to 1) prove the fix with the sha256, and 2) assure other operations depending on hashing are not negatively affected?

--- Additional comment from Sean Murphy on 2019-06-18 16:00:24 UTC ---

@sahina / @sas - related, I now see this from OCS-land: https://bugzilla.redhat.com/show_bug.cgi?id=1652546, which among other things states:

"OCS is not FIPS tolerant (yet), only recently RHGS-3.4 replaced non-FIPS approved hashing algorithms to prevent these kind of segfaults."

So as this relates to RHHI-V, when do we believe we'll have this fixed?
Tested with RHV 4.3.5.4 and RHGS 3.4.4 async ( glusterfs-3.12.2-47.2 ).

Gluster Hooks are not available under the cluster for the first time, then later when syncing them, all the available and enabled hooks are listed promptly.

But when trying to 'resolve conflicts' - the wizard shows 'MD5sum', but it's actually the 'sha256sum'. It's just the UI misdirection.

The other major issue is that, when actually 'resolving conflicts' by copying the hook scripts to the missing host, null pointer exception is seen.

Based on the above reasons, marking this bug as failed verification.
Created attachment 1591786 engine.log.snip
Discussed with Sahina on this bug as it failed verification.

As the fix is not complete, this bug has to be targeted for RHV 4.3.6
(In reply to SATHEESARAN from comment #3)
> Discussed with Sahina on this bug as it failed verification.
>
> As the fix is not complete, this bug has to be targeted for RHV 4.3.6

Just to be clear - the md5 checksum change is implemented and part of 4.3.5. So the initial issue logged about errors seen on FIPS enabled system has been resolved.

The bug is Failed QA due to the functionality being broken in "Resolve conflicts" where the hook script is copied to all servers - this feature is a seldom used feature. I would have preferred a separate bug for this one.
I still do see an exception while copying the hooks. I will raise a separate bug for the same.

This bug is specific about implementation of sha256sum for hook scripts instead of md5sum. That is done and verified with ovirt-engine-4.3.6.3.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2963
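
An added illustration, not part of the bug report and not vdsm or ovirt-engine code: a minimal Python sketch of the change discussed in this bug, checksumming hook scripts with sha256 (which remains available under FIPS enforcement) and comparing the digests across hosts to find conflicts. The function names, host names and hook paths are assumptions made for the example.

```python
import hashlib

def digest_usable(name):
    """True if this host's crypto policy lets hashlib create the digest.
    Under FIPS enforcement, creating an MD5 digest raises ValueError,
    which is the failure shown in the traceback in this report."""
    try:
        hashlib.new(name)
        return True
    except ValueError:
        return False

def hook_checksum(content, algorithm="sha256"):
    """Hex digest of a hook script's bytes using a FIPS-approved hash."""
    digest = hashlib.new(algorithm)
    digest.update(content)
    return digest.hexdigest()

def find_conflicts(hooks_by_host):
    """Compare hook scripts across hosts.

    hooks_by_host maps host -> {hook name -> script bytes}.
    Returns {hook name: {"missing": [...], "checksums": {host: digest}}}
    for every hook that is absent on some host or differs between hosts.
    """
    all_hooks = set()
    for hooks in hooks_by_host.values():
        all_hooks.update(hooks)
    conflicts = {}
    for name in sorted(all_hooks):
        checksums, missing = {}, []
        for host in sorted(hooks_by_host):
            content = hooks_by_host[host].get(name)
            if content is None:
                missing.append(host)
            else:
                checksums[host] = hook_checksum(content)
        if missing or len(set(checksums.values())) > 1:
            conflicts[name] = {"missing": missing, "checksums": checksums}
    return conflicts

# Constructed sample data: host names and hook paths are placeholders.
SAMPLE = {
    "host1": {"start/post/S10example.sh": b"#!/bin/sh\necho start\n",
              "stop/pre/S20example.sh": b"#!/bin/sh\necho stop\n"},
    "host2": {"start/post/S10example.sh": b"#!/bin/sh\necho start v2\n",
              "stop/pre/S20example.sh": b"#!/bin/sh\necho stop\n"},
    "host3": {"stop/pre/S20example.sh": b"#!/bin/sh\necho stop\n"},
}

if __name__ == "__main__":
    print("md5 usable here:", digest_usable("md5"))
    for hook, info in find_conflicts(SAMPLE).items():
        print(hook, info["missing"], info["checksums"])
```

Running `digest_usable("md5")` on each hypervisor before and after applying a security profile shows whether any remaining MD5-based code path would fail there.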