Description of problem:
When engine and hosts have FIPS enabled, cloned VM from snapshot can't be started. Host is complaining about digital envelope routines:EVP_DigestInit_ex.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.5.4-0.1.el7.noarch

How reproducible:
always

Steps to Reproduce:
1. install hosts with fips
2. deploy HE with fips
3. create VM with console type = SPICE, this VM can start
4. create snapshot on that VM
5. when snapshot is ready, clone VM from it, don't change any settings
6. start the cloned VM

Actual results:
VM did not start
VM test3 is down with error. Exit message: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips.

Expected results:
VM starts without any problem

Additional info:
FIPS doesn't support md5.

Likely to be vdsm/lib/vdsm/mkimage.py#L99 using hashlib.md5() instead of hashlib.sha256()
It has nothing to do with snapshot; you're using cloud-init payload during the run that fails. That doesn't match what you described as reproduction steps. Can you double-check what exactly it is doing? Any VM run with cloud-init or sysprep floppy would fail.
Well, three bugs...
- FIPS forbids md5, which we use for mkIsoFs and mkFloppyFs. IMO can be just dropped entirely.
- md5 is used also in hooks. Needs to be removed/replaced, we can keep the reported key as md5 to not change api
- clonevm from snapshot automatically enables cloudinit/sysprep, probably a frontend problem.
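
The comments above trace the failure to `hashlib.md5()` calls that OpenSSL rejects on a FIPS host. As an added example (not vdsm code and not from any commenter), this is one way to audit Python sources for such calls before deploying to FIPS hosts. The function names and the sample source are constructed for illustration, and treating `usedforsecurity=False` (Python 3.9+) as an accepted non-security use is an assumption of this sketch.

```python
import ast

# Digests that fail on a FIPS host; md5 is the one named in this report.
FIPS_DISABLED = {"md5"}

def _digest_name(call):
    """Map a call node to the digest it constructs, or None."""
    func = call.func
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "hashlib"):
        # hashlib.new("md5", ...) names the algorithm in its first argument.
        if (func.attr == "new" and call.args
                and isinstance(call.args[0], ast.Constant)):
            return str(call.args[0].value).lower()
        return func.attr
    if isinstance(func, ast.Name):
        # Bare md5(...) after "from hashlib import md5"; may over-report
        # if an unrelated function happens to share the name.
        return func.id
    return None

def _marked_non_security(call):
    """True when the call passes usedforsecurity=False."""
    return any(kw.arg == "usedforsecurity"
               and isinstance(kw.value, ast.Constant)
               and kw.value.value is False
               for kw in call.keywords)

def find_fips_unsafe_digests(source, filename="<src>"):
    """Return sorted (line, digest) pairs for calls that break under FIPS."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Call):
            name = _digest_name(node)
            if name in FIPS_DISABLED and not _marked_non_security(node):
                findings.append((node.lineno, name))
    return sorted(findings)

# Constructed sample input, not taken from vdsm.
SAMPLE = '''\
import hashlib
from hashlib import md5

def media_checksum(data):
    return hashlib.md5(data).hexdigest()

def hook_checksum(data):
    return md5(data).hexdigest()

def cache_key(data):
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def fixed(data):
    return hashlib.sha256(data).hexdigest()

def dynamic(data):
    return hashlib.new("MD5", data).hexdigest()
'''
```
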
I've tested it again with Michal and the steps did reproduce it, but because there is another problem in engine. When a new VM is created, cloud-init is not checked. But then when cloning from snapshot it is checked and should not be. I've created new BZ 1739377 for that. Thanks Michal!
Verified with:
- RHV 4.4.0-0.32.master.el8ev
- Host with Red Hat Enterprise Linux 8.2 (Ootpa)
- libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64
- vdsm-4.40.13-1.el8ev.x86_64

Verification steps:
1. Enable FIPS on a host and connect the host to RHV-M
2. Create a VM with console type = SPICE and make sure the VM can start
3. Create a snapshot
4. Clone a new VM from the snapshot
5. Start the cloned VM

Result:
- Cloned VM runs successfully on the FIPS host.

PS: The cloud-init wasn't checked on the new VM cloned from the snapshot.

This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020. Since the problem described in this bug report should be resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE. If the solution does not work for you, please open a new bug report.