Bug 1724002 - Cannot use cloud-init in FIPS mode
Summary: Cannot use cloud-init in FIPS mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: vdsm
Version: 4.3.0
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ovirt-4.4.0
: ---
Assignee: Nobody
QA Contact: Beni Pelled
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-26 01:13 UTC by Germano Veit Michel
Modified: 2020-08-04 13:27 UTC (History)
10 users (show)

Fixed In Version: rhv-4.4.0-29
Doc Type: Bug Fix
Doc Text:
Previously, cloud-init could not be used on hosts with FIPS enabled. With this update, cloud-init can be used on hosts with FIPS enabled.
Clone Of:
Environment:
Last Closed: 2020-08-04 13:27:06 UTC
oVirt Team: Virt
Target Upstream Version:
lsvaty: testing_plan_complete-


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4247141 0 None None None 2019-06-26 01:24:46 UTC
Red Hat Product Errata RHEA-2020:3246 0 None None None 2020-08-04 13:27:38 UTC
oVirt gerrit 102698 0 'None' MERGED py3: mkimage: Remove md5 part in getFileName 2020-10-09 16:45:11 UTC

Description Germano Veit Michel 2019-06-26 01:13:34 UTC
Description of problem:

When the hypervisor is in FIPS mode, cannot run VM with cloud-init as mkisofs fails due to vdsm/mkimage.py getFileName() generating a hash to name the file.

VDSM:
2019-06-26 10:41:42,248+1000 ERROR (vm/2807af4a) [virt.vm] (vmId='2807af4a-af34-43ba-8a0c-6d83fd35937f') The vm start process failed (vm:933)
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 867, in _startUnderlyingVm
    self._run()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2784, in _run
    self._devices = self._make_devices()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2624, in _make_devices
    disk_objs = self._perform_host_local_adjustment()
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 2697, in _perform_host_local_adjustment
    self._preparePathsForDrives(disk_params)
  File "/usr/lib/python2.7/site-packages/vdsm/virt/vm.py", line 1026, in _preparePathsForDrives
    drive['path'] = self.cif.prepareVolumePath(drive, self.id)
  File "/usr/lib/python2.7/site-packages/vdsm/clientIF.py", line 469, in prepareVolumePath
    vmId, device, params['vmPayload'])
  File "/usr/lib/python2.7/site-packages/vdsm/clientIF.py", line 517, in _prepareVolumePathFromPayload
    return func(vmId, payload['file'], payload.get('volId'))
  File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 56, in __call__
    return callMethod()
  File "/usr/lib/python2.7/site-packages/vdsm/common/supervdsm.py", line 54, in <lambda>
    **kwargs)
  File "<string>", line 2, in mkIsoFs
  File "/usr/lib64/python2.7/multiprocessing/managers.py", line 773, in _callmethod
    raise convert_to_error(kind, result)
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

SUPERVDSM:
MainProcess|vm/2807af4a::ERROR::2019-06-26 10:41:42,247::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    md5 = hashlib.md5(content).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Version-Release number of selected component (if applicable):
vdsm-4.30.17-1.el7ev.x86_64
openssl-1.0.2k-16.el7_6.1.x86_64
redhat-release-virtualization-host-4.3-0.8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHVH 4.3 with FIPS mode
   rhvh-4.3.0.8-0.20190610.0
2. Add to RHV-M
3. Create a VM
4. Run-once, pin to the host in [1] and enable cloud-init

Actual results:
VM fails to start

Expected results:
VM starts

Additional info:
I've tried replacing md5 with other algorithms, it fails the same way, which is weird? usedforsecurity=False also did not work.
EVP_DigestInit_ex is from openssl.

SHA3_512:
MainProcess|vm/2807af4a::ERROR::2019-06-26 10:52:00,530::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    sha = hashlib.sha3_512(content).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

SHA1:
MainProcess|vm/2807af4a::ERROR::2019-06-26 10:46:56,879::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    sha1 = hashlib.sha1(content).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

usedforsecurity=False:
MainProcess|vm/2807af4a::ERROR::2019-06-26 11:05:05,607::supervdsm_server::103::SuperVdsm.ServerCallback::(wrapper) Error in mkIsoFs
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/vdsm/supervdsm_server.py", line 101, in wrapper
    res = func(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 149, in mkIsoFs
    isopath = getFileName(vmId, files)
  File "/usr/lib/python2.7/site-packages/vdsm/mkimage.py", line 99, in getFileName
    md5 = hashlib.md5(content, usedforsecurity=False).hexdigest()
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Comment 1 Daniel Gur 2019-08-28 13:12:33 UTC
sync2jira

Comment 2 Daniel Gur 2019-08-28 13:16:46 UTC
sync2jira

Comment 3 Tomasz Barański 2019-11-05 12:13:09 UTC
The FIPS-uncompatible hash function has been removed with https://gerrit.ovirt.org/#/c/102698/.

Does this fix the problem?

Comment 4 Germano Veit Michel 2019-11-06 23:14:19 UTC
(In reply to Tomasz Barański from comment #3)
> The FIPS-uncompatible hash function has been removed with
> https://gerrit.ovirt.org/#/c/102698/.
> 
> Does this fix the problem?

Looks like yes, maybe attach that Gerrit to this bug and ask QE to verify?

Comment 5 Tomasz Barański 2019-11-07 08:24:42 UTC
(In reply to Germano Veit Michel from comment #4)
> (In reply to Tomasz Barański from comment #3)
> > The FIPS-uncompatible hash function has been removed with
> > https://gerrit.ovirt.org/#/c/102698/.
> > 
> > Does this fix the problem?
> 
> Looks like yes, maybe attach that Gerrit to this bug and ask QE to verify?

Will do, thanks!

Comment 6 Tomasz Barański 2019-11-07 08:31:53 UTC
It seems that the linked patch fixed the problem.

Comment 7 RHV bug bot 2019-11-19 11:52:49 UTC
WARN: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.comINFO: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.com

Comment 8 RHV bug bot 2019-11-19 12:02:52 UTC
WARN: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.comINFO: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.com

Comment 9 RHV bug bot 2019-12-13 13:17:15 UTC
WARN: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.comINFO: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.com

Comment 10 RHV bug bot 2019-12-20 17:46:28 UTC
WARN: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.comINFO: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.com

Comment 11 RHV bug bot 2020-01-08 14:49:59 UTC
WARN: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.comINFO: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.com

Comment 12 RHV bug bot 2020-01-08 15:19:46 UTC
WARN: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.comINFO: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.com

Comment 13 RHV bug bot 2020-01-24 19:51:44 UTC
WARN: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.comINFO: Bug status (ON_QA) wasn't changed but the folowing should be fixed:

[Found non-acked flags: '{}', ]

For more info please contact: rhv-devops@redhat.com

Comment 16 Beni Pelled 2020-04-22 16:16:22 UTC
Verified with:
- RHV 4.4.0-0.32.master.el8ev
- Host with Red Hat Enterprise Linux 8.2 (Ootpa)
- libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64
- vdsm-4.40.13-1.el8ev.x86_64

Verification steps:
1. Enable FIPS on a host.
2. Connect the host to an engine.
3. Create a new VM with cloud-init parameters.
4. Run the new VM on the FIPS host.

Result:
- VM ran successfully with the configured cloud-init parameters.

Comment 22 errata-xmlrpc 2020-08-04 13:27:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (RHV RHEL Host (ovirt-host) 4.4), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3246


Note You need to log in before you can comment on or make changes to this bug.