Bug 1738861 - can't start VM that was cloned from snapshot when FIPS enabled
Summary: can't start VM that was cloned from snapshot when FIPS enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: General
Version: 4.3.5.4
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-4.4.0
: ---
Assignee: Tomasz Barański
QA Contact: Beni Pelled
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-08-08 10:10 UTC by Lucie Leistnerova
Modified: 2020-05-20 20:00 UTC (History)

Fixed In Version: rhv-4.4.0-29
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-20 20:00:51 UTC
oVirt Team: Virt
Embargoed:
pm-rhel: ovirt-4.4+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 102590 0 'None' MERGED virt: MD5 hash can't be used in FIPS mode 2020-12-10 19:01:47 UTC
oVirt gerrit 102919 0 'None' MERGED core: Checksum key in hook info changed 2020-12-10 19:02:17 UTC

Description Lucie Leistnerova 2019-08-08 10:10:41 UTC
Description of problem:
When the engine and hosts have FIPS enabled, a VM cloned from a snapshot can't be started. The host complains about digital envelope routines:EVP_DigestInit_ex.

Version-Release number of selected component (if applicable):
ovirt-engine-4.3.5.4-0.1.el7.noarch

How reproducible: always


Steps to Reproduce:
1. install hosts with FIPS
2. deploy HE with FIPS
3. create VM with console type = SPICE, this VM can start
4. create snapshot on that VM
5. when snapshot is ready, clone VM from it, don't change any settings
6. start the cloned VM

Actual results: VM did not start
VM test3 is down with error. Exit message: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips.


Expected results: VM starts without any problem


Additional info:
FIPS doesn't support MD5.

Comment 2 Ryan Barry 2019-08-09 00:25:46 UTC
Likely to be vdsm/lib/vdsm/mkimage.py#L99 using hashlib.md5() instead of hashlib.sha256()

Comment 3 Michal Skrivanek 2019-08-09 07:08:12 UTC
It has nothing to do with the snapshot; you're using a cloud-init payload during the run, and that is what fails. That doesn't match what you described as reproduction steps; can you double-check what exactly it is doing?

Any VM run with a cloud-init or sysprep floppy would fail.

Comment 4 Michal Skrivanek 2019-08-09 07:42:49 UTC
well, three bugs...
- FIPS forbids md5, which we use for mkIsoFs and mkFloppyFs. IMO it can be just dropped entirely.
- md5 is also used in hooks. Needs to be removed/replaced; we can keep the reported key as md5 to not change the API.
- clonevm from snapshot automatically enables cloud-init/sysprep, probably a frontend problem.

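The two md5 uses Michal lists above (payload image checksums and hook info) are illustrated here with an added example; this is not vdsm's mkimage.py nor the code merged in the gerrit changes linked on this bug. The helper names (fips_enabled, md5_usable, payload_digest, md5_non_security) and the payload layout are assumptions made for the example. It shows how to detect kernel FIPS mode, how the md5 refusal from the bug surfaces in Python (hashlib raises ValueError when OpenSSL disables the digest), a SHA-256 content digest that works under FIPS, and the Python 3.9+ usedforsecurity=False escape hatch for a non-security MD5 that must stay for compatibility.

```python
import hashlib

# Added example (hypothetical helpers), not vdsm code.

FIPS_FLAG_PATH = "/proc/sys/crypto/fips_enabled"  # Linux kernel FIPS switch


def fips_enabled(flag_path=FIPS_FLAG_PATH):
    """Return True when the kernel reports FIPS mode (the flag file holds '1')."""
    try:
        with open(flag_path) as fh:
            return fh.read().strip() == "1"
    except OSError:  # file absent: no FIPS-capable kernel, or not Linux
        return False


def md5_usable():
    """Probe whether OpenSSL will hand out MD5 at all.

    In FIPS mode hashlib.md5() raises ValueError with the same
    'digital envelope routines ... disabled for fips' text the host logged
    in this bug; outside FIPS mode the probe simply succeeds.
    """
    try:
        hashlib.md5(b"probe")
        return True
    except ValueError:
        return False


def payload_digest(files):
    """FIPS-approved content digest of a cloud-init/sysprep payload.

    `files` maps file name -> bytes, e.g. {"user-data": b"...", "meta-data": b"..."}.
    Names are sorted and each entry is length-prefixed so the digest does not
    depend on dict order and "ab"+"c" cannot collide with "a"+"bc".
    """
    h = hashlib.sha256()
    for name in sorted(files):
        data = files[name]
        encoded = name.encode("utf-8")
        h.update(len(encoded).to_bytes(8, "big"))
        h.update(encoded)
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def md5_non_security(data):
    """MD5 for a legacy, non-security field (e.g. a checksum key kept for API
    compatibility). Python 3.9+ accepts usedforsecurity=False, which FIPS
    builds of OpenSSL may honour; returns None where MD5 is unavailable or the
    interpreter predates the keyword.
    """
    try:
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    except TypeError:  # Python < 3.9: keyword not supported
        return hashlib.md5(data).hexdigest() if md5_usable() else None
    except ValueError:  # FIPS provider refused MD5 even for non-security use
        return None


if __name__ == "__main__":
    # Constructed sample payload resembling a cloud-init floppy.
    sample = {"user-data": b"#cloud-config\nhostname: test3\n", "meta-data": b"instance-id: test3\n"}
    print("FIPS mode:", fips_enabled())
    print("MD5 usable:", md5_usable())
    print("sha256 payload digest:", payload_digest(sample))
    print("legacy md5 (non-security):", md5_non_security(b"hook-info"))
```

Under FIPS, md5_usable() returns False and payload_digest() still works, which is the substitution Ryan suggests in comment 2; md5_non_security() is only for a field that must stay MD5 for compatibility, never for integrity.
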
Comment 5 Lucie Leistnerova 2019-08-09 08:01:17 UTC
I've tested it again with Michal, and the steps did reproduce it, but because there is another problem in the engine. When a new VM is created, cloud-init is not checked. But then, when cloning from a snapshot, it is checked and it should not be.
I've created new BZ 1739377 for that.

Thanks Michal!

Comment 7 Beni Pelled 2020-04-23 08:25:19 UTC
Verified with:
- RHV 4.4.0-0.32.master.el8ev
- Host with Red Hat Enterprise Linux 8.2 (Ootpa)
- libvirt-6.0.0-17.module+el8.2.0+6257+0d066c28.x86_64
- vdsm-4.40.13-1.el8ev.x86_64

Verification steps:
1. Enable FIPS on a host and connect the host to RHV-M
2. Create a VM with console type = SPICE and make sure the VM can start
3. Create a snapshot
4. Clone a new VM from the snapshot
5. Start the cloned VM

Result:
- Cloned VM runs successfully on the FIPS host.


PS: cloud-init wasn't checked on the new VM cloned from the snapshot.

Comment 8 Sandro Bonazzola 2020-05-20 20:00:51 UTC
This bug is included in the oVirt 4.4.0 release, published on May 20th 2020.

Since the problem described in this bug report should be
resolved in the oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

