Bug 1784950 - Podman support for FIPS Mode requires a bind mount inside the container
Summary: Podman support for FIPS Mode requires a bind mount inside the container
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On: 1804186 1804187 1804188 1804189 1804191 1804193 1804194 1804195 1804210 1804218 1804219 1804220 1804246
Blocks: 1793607
Reported: 2019-12-18 19:21 UTC by Daniel Walsh
Modified: 2022-05-02 01:23 UTC

Fixed In Version: podman-1.9.2-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-21 15:31:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-37189 0 None None None 2022-05-02 01:23:39 UTC
Red Hat Product Errata RHSA-2020:3053 0 None None None 2020-07-21 15:32:28 UTC

Description Daniel Walsh 2019-12-18 19:21:49 UTC
To set the crypto policy to FIPS the /usr/share/crypto-policies/FIPS directory inside the container must be bind mounted over /etc/crypto-policies/back-ends inside the container.

This means that INSIDE of the container, if the container has a directory /usr/share/crypto-policies/backend/FIPS and the container is running on a FIPS mode enabled machine, the container engine needs to set up a bind mount from

/usr/share/crypto-policies/backend/FIPS->/etc/crypto-policies/back-end

NOTE: This has nothing to do with the host. This bind mount is from one directory to the other inside of the container.

The directory name /usr/share/crypto-policies/FIPS might change in RHEL8.2 images before we ship, so we might need to change the search for the default directory.

If the source directory does not exist in the image, then we just do nothing.

Comment 1 Daniel Walsh 2019-12-18 19:29:55 UTC
Here is the first phase of the fix.

https://github.com/containers/buildah/pull/2031

Comment 2 Tomas Mraz 2019-12-19 08:34:10 UTC
Just a little correction:

The source directory (inside the container) is: /usr/share/crypto-policies/back-ends/FIPS

The destination (inside the container) is: /etc/crypto-policies/back-ends

The buildah PR patch is fine in this regard.

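As an added illustration of the rule in the description, using the paths as corrected in comment 2 (example code written here, not buildah's or podman's implementation from the PR above): the decision of whether the engine adds the intra-container bind mount. It assumes the host's FIPS state is read from /proc/sys/crypto/fips_enabled, that the engine has already mounted the container's root filesystem at a host-side path, and that the Mount type and the read-only option are this example's own choices.

```go
package main

import (
	"os"
	"path/filepath"
	"strings"
)

// Mount mirrors the fields of an OCI runtime mount entry (hypothetical type).
type Mount struct {
	Source, Destination, Type string
	Options                   []string
}

// Paths from this bug report, using the corrected names from comment 2.
const (
	fipsBackendsDir = "/usr/share/crypto-policies/back-ends/FIPS"
	backendsDir     = "/etc/crypto-policies/back-ends"
	hostFIPSSysctl  = "/proc/sys/crypto/fips_enabled"
)

// hostFIPSEnabled reports whether the kernel sysctl file reads "1"; the path
// is a parameter so a constructed file can stand in for it in tests.
func hostFIPSEnabled(sysctlPath string) bool {
	data, err := os.ReadFile(sysctlPath)
	if err != nil {
		return false // unreadable or absent: treat the host as not in FIPS mode
	}
	return strings.TrimSpace(string(data)) == "1"
}

// fipsBindMount returns the container-internal bind mount the engine should add,
// or nil when there is nothing to do: the host is not in FIPS mode, or the image
// lacks the FIPS back-ends directory (the "do nothing" case in the description).
// rootfs is the host-side path of the container's mounted root filesystem.
func fipsBindMount(rootfs, sysctlPath string) *Mount {
	if !hostFIPSEnabled(sysctlPath) {
		return nil
	}
	src := filepath.Join(rootfs, fipsBackendsDir)
	if st, err := os.Stat(src); err != nil || !st.IsDir() {
		return nil
	}
	return &Mount{
		Source:      src,
		Destination: backendsDir,
		Type:        "bind",
		Options:     []string{"bind", "ro"}, // read-only is this example's choice
	}
}
```

A real engine would pass hostFIPSSysctl as the second argument and append the returned Mount to the container's mount list before starting it.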
Comment 3 Daniel Walsh 2020-02-12 15:24:59 UTC
Well we now have the buildah PR in.  Do we need to do anything else?

Comment 4 Jindrich Novy 2020-02-12 16:05:49 UTC
Setting needinfo on myself so as not to forget to apply this.

Comment 5 Tom Sweeney 2020-02-12 16:28:30 UTC
As it's Post, assigning to Jindrich.

Comment 6 Laurie Friedman 2020-02-12 19:33:22 UTC
Set blocker+ because this is required for FIPS support in the new podman container in 8.2. Confirmed by Tom Sweeney.

Comment 16 Joy Pu 2020-06-22 02:32:32 UTC
Tested with podman-1.9.3-2.module+el8.2.1+6867+366c07d6.x86_64 and it seems to work as expected.
When FIPS mode is enabled on the host, it is also enabled inside the container. When it is disabled, it is also disabled inside the container. So setting this to verified. Details:
fips-mode-setup --enable
Kernel initramdisks are being regenerated. This might take some time.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be enabled.
Please reboot the system for the setting to take effect.
# reboot

# podman run -it ubi8
Trying to pull registry.access.redhat.com/ubi8...
Getting image source signatures
Copying blob fc5aa93e3b58 done  
Copying blob 1a6747857d79 done  
Copying config 54e2c74741 done  
Writing manifest to image destination
Storing signatures
[root@73305c82ea9b /]# yum install openssl
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Universal Base Image 8 (RPMs) - BaseOS  216 kB/s | 766 kB     00:03    
Red Hat Universal Base Image 8 (RPMs) - AppStre 1.1 MB/s | 3.8 MB     00:03    
Red Hat Universal Base Image 8 (RPMs) - CodeRea 7.7 kB/s |  11 kB     00:01    
Dependencies resolved.
================================================================================
 Package        Architecture  Version                 Repository           Size
================================================================================
Installing:
 openssl        x86_64        1:1.1.1c-15.el8         ubi-8-baseos        697 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 697 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
openssl-1.1.1c-15.el8.x86_64.rpm                213 kB/s | 697 kB     00:03    
--------------------------------------------------------------------------------
Total                                           213 kB/s | 697 kB     00:03     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Running scriptlet: openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Verifying        : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
Installed products updated.

Installed:
  openssl-1:1.1.1c-15.el8.x86_64                                                

Complete!
[root@73305c82ea9b /]# touch fipstest
[root@73305c82ea9b /]# openssl md5 fipstest
Error setting digest
139829228353344:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
[root@73305c82ea9b /]# openssl sha1 fipstest
SHA1(fipstest)= da39a3ee5e6b4b0d3255bfef95601890afd80709
[root@73305c82ea9b /]# exit
exit

# fips-mode-setup --disable
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
FIPS mode will be disabled.
Please reboot the system for the setting to take effect.
# reboot

# podman run -it ubi8
[root@e2140386a2d1 /]# ls
bin   dev  home  lib64	     media  opt   root	sbin  sys  usr
boot  etc  lib	 lost+found  mnt    proc  run	srv   tmp  var
[root@e2140386a2d1 /]# touch fipstest
[root@e2140386a2d1 /]# yum install openssl
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Universal Base Image 8 (RPMs) - BaseOS  168 kB/s | 766 kB     00:04    
Red Hat Universal Base Image 8 (RPMs) - AppStre 543 kB/s | 3.8 MB     00:07    
Red Hat Universal Base Image 8 (RPMs) - CodeRea 4.9 kB/s |  11 kB     00:02    
Dependencies resolved.
================================================================================
 Package        Architecture  Version                 Repository           Size
================================================================================
Installing:
 openssl        x86_64        1:1.1.1c-15.el8         ubi-8-baseos        697 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 697 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
openssl-1.1.1c-15.el8.x86_64.rpm                545 kB/s | 697 kB     00:01    
--------------------------------------------------------------------------------
Total                                           544 kB/s | 697 kB     00:01     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Running scriptlet: openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Verifying        : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
Installed products updated.

Installed:
  openssl-1:1.1.1c-15.el8.x86_64                                                

Complete!
[root@e2140386a2d1 /]# openssl fipstest 
Invalid command 'fipstest'; type "help" for a list.
[root@e2140386a2d1 /]# openssl md5 fipstest 
MD5(fipstest)= d41d8cd98f00b204e9800998ecf8427e

Comment 18 errata-xmlrpc 2020-07-21 15:31:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3053
