Bug 1723676 - Change md5 checksum used in GlusterHooks calls
Summary: Change md5 checksum used in GlusterHooks calls
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: rhhi
Version: rhhiv-1.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: RHHI-V 1.6.z Async Update
Assignee: Sahina Bose
QA Contact: SATHEESARAN
URL:
Whiteboard:
Depends On: 1709201
Blocks:
Reported: 2019-06-25 06:55 UTC by SATHEESARAN
Modified: 2019-10-03 12:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, gluster hook scripts were verified across multiple servers using an MD5 checksum. However, the MD5 checksum failed on FIPS enabled systems. SHA256 is now used instead of MD5 to checksum hook scripts.
Clone Of: 1709201
Environment:
Last Closed: 2019-10-03 12:24:01 UTC
Embargoed:


Attachments
engine.log.snip (95.30 KB, application/octet-stream)
2019-07-18 13:44 UTC, SATHEESARAN


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:2963 | 0 | None | None | None | 2019-10-03 12:24:08 UTC

Description SATHEESARAN 2019-06-25 06:55:32 UTC
+++ This bug was initially created as a clone of Bug #1709201 +++

Description of problem:

In order to run on a FIPS-compliant system, the checksum computation that's used for gluster hook scripts should be changed to a sha256 computation.

Version-Release number of selected component (if applicable):


How reproducible:
NA

--- Additional comment from John Call on 2019-05-13 11:17:18 UTC ---

From: Mike Flannery <mflanner>
Date: Sat, May 11, 2019, 09:02
Subject: vdsmd errors with latest RHHI-V / RHV (4.3 downloaded from access.redhat.com)
To: Ryan Barry <rbarry>, Yuval Turgeman <yturgema>, John Call <jcall>, Sandro Bonazzola <sbonazzo>, Sean Murphy - ISBU <seamurph>, Sahina Bose <sabose>


Good morning!

In preparation for our POC starting Monday, I downloaded from access and installed the latest RHV build (to install RHHI-V) with file named RHVH-4.3-20190410.3-RHVH-x86_64-dvd1.iso. I applied the DISA STIG security profile and now that I say that I wonder if I was supposed to pick a different security profile for this version of RHV...  If I was, please let me know.

The install went well but afterwards, I am getting this error from every Hypervisor node on a 2 hour interval:

May 11 05:47:48 rhv1 vdsm[19063]: ERROR Internal server error
                                  Traceback (most recent call last):
                                    File "/usr/lib/python2.7/site-packages/yajsonrpc/__init__.py", line 345, in _handle_request
                                      res = method(**params)
                                    File "/usr/lib/python2.7/site-packages/vdsm/rpc/Bridge.py", line 194, in _dynamicMethod
                                      result = fn(*methodArgs)
                                    File "/usr/lib/python2.7/site-packages/vdsm/gluster/apiwrapper.py", line 39, in list
                                      return self._gluster.hooksList()
                                    File "/usr/lib/python2.7/site-packages/vdsm/gluster/api.py", line 93, in wrapper
                                      rv = func(*args, **kwargs)
                                    File "/usr/lib/python2.7/site-packages/vdsm/gluster/api.py", line 460, in hooksList
                                      status = self.svdsmProxy.glusterHooksList()
                                    File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 56, in __call__
                                      return callMethod()
                                    File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 54, in <lambda>
                                      **kwargs)
                                    File "<string>", line 2, in glusterHooksList
                                    File "/usr/lib64/python2.7/multiprocessing/managers.py", line 773, in _callmethod
                                      raise convert_to_error(kind, result)
                                  ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips


From: Yuval Turgeman <yturgema>
Date: Sun, May 12, 2019, 08:56
Subject: Re: vdsmd errors with latest RHHI-V / RHV (4.3 downloaded from access.redhat.com)
To: Mike Flannery <mflanner>
Cc: Ryan Barry <rbarry>, John Call <jcall>, Sandro Bonazzola <sbonazzo>, Sean Murphy - ISBU <seamurph>, Sahina Bose <sabose>


Going over the vdsm code, it looks like they use md5 to verify integrity for the installed hooks
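
An added illustration of the check discussed in this thread, not code from vdsm or ovirt-engine: it checksums hook scripts with SHA-256, compares them across hosts, and probes whether a digest is usable, which is where a FIPS-enabled host raises the `ValueError` shown in the traceback. Function names, host names and hook file names are assumptions made for the example.

```python
import hashlib
import os
import tempfile


def digest_usable(name):
    """True if hashlib can create `name`; FIPS hosts raise ValueError for md5."""
    try:
        hashlib.new(name)
    except ValueError:
        return False
    return True


def hook_checksum(path, algorithm="sha256", chunk_size=65536):
    """Hex digest of one hook script, read in chunks."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_conflicts(checksums_by_host):
    """Hooks missing on some host or differing in content, per host."""
    names = set().union(*checksums_by_host.values())
    conflicts = {}
    for name in sorted(names):
        seen = {h: hooks.get(name) for h, hooks in checksums_by_host.items()}
        if len(set(seen.values())) > 1:
            conflicts[name] = seen
    return conflicts


def demo():
    """Constructed sample: hook names, bodies and host names are made up."""
    sample = {
        "host1": {"S10same.sh": b"exit 0\n", "S20diff.sh": b"echo a\n"},
        "host2": {"S10same.sh": b"exit 0\n", "S20diff.sh": b"echo b\n",
                  "S30only.sh": b"exit 1\n"},
    }
    checksums = {host: {} for host in sample}
    with tempfile.TemporaryDirectory() as tmp:
        for host, hooks in sample.items():
            for name, body in hooks.items():
                path = os.path.join(tmp, host + "-" + name)
                with open(path, "wb") as handle:
                    handle.write(body)
                checksums[host][name] = hook_checksum(path)
    return find_conflicts(checksums)
```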

--- Additional comment from Sahina Bose on 2019-06-18 15:15:27 UTC ---



--- Additional comment from Sean Murphy on 2019-06-18 15:38:19 UTC ---

@sahina / @sas - what is involved in making / proving this change?.. knock-ons elsewhere in the system from so doing? What do we believe needs to be done in terms of establishing test cases to 1) prove the fix with the sha256, and 2) assure other operations depending on hashing are not negatively affected?

--- Additional comment from Sean Murphy on 2019-06-18 16:00:24 UTC ---

@sahina / @sas - related, I now see this from OCS-land: https://bugzilla.redhat.com/show_bug.cgi?id=1652546, which among other things states:

"OCS is not FIPS tolerant (yet), only recently RHGS-3.4 replaced non-FIPS approved hashing algorithms to prevent these kind of segfaults."


So as this relates to RHHI-V, when do we believe we'll have this fixed?

Comment 1 SATHEESARAN 2019-07-18 13:42:39 UTC
Tested with RHV 4.3.5.4 and RHGS 3.4.4 async ( glusterfs-3.12.2-47.2 )

Gluster Hooks are not available under the cluster for the first time, then later
when syncing them, all the available and enabled hooks are listed promptly.

But when trying to 'resolve conflicts' - the wizard shows 'MD5sum', but it's actually the 'sha256sum'
It's just the UI misdirection.

The other major issue is that, when actually 'resolving conflicts' by copying the hook scripts to
the missing host, a null pointer exception is seen

Based on the above reasons, marking this bug as failed verification

Comment 2 SATHEESARAN 2019-07-18 13:44:33 UTC
Created attachment 1591786
engine.log.snip

Comment 3 SATHEESARAN 2019-07-18 18:40:29 UTC
Discussed with Sahina on this bug as it failed verification.

As the fix is not complete, this bug has to be targeted for RHV 4.3.6

Comment 4 Sahina Bose 2019-07-19 05:53:17 UTC
(In reply to SATHEESARAN from comment #3)
> Discussed with Sahina on this bug as it failed verification.
> 
> As the fix is not complete, this bug has to be targeted for RHV 4.3.6

Just to be clear - the md5 checksum change is implemented and part of 4.3.5. So the initial issue logged about errors seen on FIPS enabled system has been resolved.
The bug is Failed QA due to the functionality being broken in "Resolve conflicts" where the hook script is copied to all servers - this feature is a seldom used feature. I would have preferred a separate bug for this one.

Comment 5 SATHEESARAN 2019-09-04 00:19:52 UTC
I still do see an exception while copying the hooks. I will raise a separate bug for the same.
This bug is specific about implementation of sha256sum for hook scripts instead of md5sum.
That is done and verified with ovirt-engine-4.3.6.3

Comment 7 errata-xmlrpc 2019-10-03 12:24:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2963

