RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1731370 - Pull image failed when enable fips on rhcos node
Summary: Pull image failed when enable fips on rhcos node
Keywords:
Status: CLOSED DUPLICATE of bug 1731550
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: golang
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: rc
: 8.0
Assignee: Derek Parker
QA Contact: qe-baseos-tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-19 09:30 UTC by Chuan Yu
Modified: 2021-09-17 08:35 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-31 17:54:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description Chuan Yu 2019-07-19 09:30:32 UTC
Description of problem:
Pull image failed with x509 error when enable fips on rhcos node server

Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-07-18-235010

Red Hat Enterprise Linux CoreOS 420.8.20190718.1 (Ootpa)

How reproducible:
always

Steps to Reproduce:
1.enable fips mode on rhcos node server

2.pull image from quay, such as:
# crictl pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15481cb3cc1993b5e4d02ee5a7848690bf48373606590dc543eb671589b544b5


Actual results:
# crictl pull quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:15481cb3cc1993b5e4d02ee5a7848690bf48373606590dc543eb671589b544b5
FATA[0000] pulling image failed: rpc error: code = Unknown desc = pinging docker registry returned: Get https://quay.io/v2/: x509: certificate specifies an incompatible key usage 

Expected results:
pull successful with no error

Additional info:
image pull successful when disable fips on rhcos node

Comment 1 Micah Abbott 2019-07-19 13:55:24 UTC
This looks like another `cri-o` BZ similar to BZ#1731393; re-assigning to Node team

Let us know if there is something RHCOS can do for this BZ.

Comment 2 Seth Jennings 2019-07-19 20:52:16 UTC
This is something golang compiler needs to address

*** This bug has been marked as a duplicate of bug 1731550 ***

Comment 3 Chuan Yu 2019-07-22 03:26:34 UTC
Re-open it as track the OCP feature testing, will verify it when https://bugzilla.redhat.com/show_bug.cgi?id=1731550 on qa.

Also this is test blocker for our fips feature testing.

Comment 4 Seth Jennings 2019-07-22 15:30:45 UTC
Sending to Quay as they will have to change the cert on their side to be FIPS compliant.

FIPS support is smoke test for 4.2 (trying to find the issues) and something we might support in 4.3.  We do want to address this for 4.3.

Comment 5 Chuan Yu 2019-07-23 02:21:05 UTC
This is a test blocker for 4.2, even to the smoke test, it should be fixed ASAP to unblock the 4.2 testing.


Note You need to log in before you can comment on or make changes to this bug.