Bug 1784952 - Buildah needs to support FIPS Mode bind mount in RHEL8.2++ containers.
Summary: Buildah needs to support FIPS Mode bind mount in RHEL8.2++ containers.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: buildah
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-18 19:24 UTC by Daniel Walsh
Modified: 2022-05-02 01:24 UTC (History)

Fixed In Version: buildah-1.11.6-5.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 15:52:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-37190 0 None None None 2022-05-02 01:24:25 UTC
Red Hat Product Errata RHSA-2020:1650 0 None None None 2020-04-28 15:53:15 UTC

Description Daniel Walsh 2019-12-18 19:24:04 UTC
To set the crypto policy to FIPS the /usr/share/crypto-policies/FIPS directory inside the container must be bind mounted over /etc/crypto-policies/back-ends inside the container.

This means that INSIDE of the container, if the container has a directory /usr/share/crypto-policies/backend/FIPS and the container is running on a FIPS mode enabled machine, the container engine needs to set up a bind mount from

/usr/share/crypto-policies/backend/FIPS->/etc/crypto-policies/back-end

NOTE: This has nothing to do with the host. This bind mount is from one directory to the other inside of the container.

The directory name /usr/share/crypto-policies/FIPS might change in RHEL8.2 images before we ship, so we might need to change the search for the default directory.

If the source directory does not exist in the image, then we just do nothing.

Comment 1 Daniel Walsh 2019-12-18 19:30:29 UTC
Here is the first phase of the fix.

https://github.com/containers/buildah/pull/2031

Comment 2 Tomas Mraz 2019-12-19 08:33:01 UTC
Just a little correction:

The source directory (inside the container) is: /usr/share/crypto-policies/back-ends/FIPS

The destination (inside the container) is: /etc/crypto-policies/back-ends

The buildah PR patch is fine in this regard.

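The engine-side decision described in the description and corrected in comment 2, written out as an added example (this is not buildah's code from PR 2031, and the function names, the mount options and the use of the /proc/sys/crypto/fips_enabled sysctl rather than /etc/system-fips are this example's assumptions). It shows why the engine has to do this before the container starts: an unprivileged container cannot call mount(2) itself, so the bind mount must be added to the runtime spec, and both the source and the destination are paths inside the image. It also adds the check a practitioner wants here: the image is untrusted, so a symlink at the source path must not be allowed to redirect the mount source outside the image root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Paths inside the container image, as corrected in comment 2. The source is
// relative to the image root; the destination is absolute as seen by the
// container process.
const (
	fipsPolicySrc = "usr/share/crypto-policies/back-ends/FIPS"
	fipsPolicyDst = "/etc/crypto-policies/back-ends"
)

// Mount mirrors the fields of an OCI runtime-spec mount entry, i.e. what an
// engine hands to the OCI runtime before the container process starts.
type Mount struct {
	Destination string
	Type        string
	Source      string
	Options     []string
}

// HostFIPSEnabled reports whether the kernel booted with fips=1 by reading
// the fips_enabled sysctl. The path is a parameter so the logic can be run
// against a constructed file; in production pass "/proc/sys/crypto/fips_enabled".
// Assumption of this example: buildah may instead key off /etc/system-fips.
func HostFIPSEnabled(procPath string) (bool, error) {
	data, err := os.ReadFile(procPath)
	if errors.Is(err, os.ErrNotExist) {
		return false, nil // kernel without FIPS support: not in FIPS mode
	}
	if err != nil {
		return false, err
	}
	return strings.TrimSpace(string(data)) == "1", nil
}

// FIPSBindMount returns the bind mount an engine should add for a container
// whose root filesystem is unpacked at rootfs. ok is false when the host is
// not in FIPS mode or the image carries no FIPS policy directory; in both
// cases the engine does nothing, matching the bug description.
func FIPSBindMount(rootfs string, hostFIPS bool) (Mount, bool, error) {
	if !hostFIPS {
		return Mount{}, false, nil
	}
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return Mount{}, false, err
	}
	src := filepath.Join(root, fipsPolicySrc)
	fi, err := os.Stat(src)
	if errors.Is(err, os.ErrNotExist) {
		return Mount{}, false, nil
	}
	if err != nil {
		return Mount{}, false, err
	}
	if !fi.IsDir() {
		return Mount{}, false, fmt.Errorf("%s exists but is not a directory", src)
	}
	// The image is untrusted input. If a symlink inside it redirected the
	// source outside rootfs, the engine would bind-mount a host directory into
	// the container. Refuse unless the resolved path stays under root.
	// (Real engines use a root-confined join such as securejoin for this.)
	resolved, err := filepath.EvalSymlinks(src)
	if err != nil {
		return Mount{}, false, err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return Mount{}, false, fmt.Errorf("%s resolves outside the image root (%s)", src, resolved)
	}
	return Mount{
		Destination: fipsPolicyDst,
		Type:        "bind",
		Source:      resolved,
		// The option list is this example's choice, not buildah's exact list.
		Options: []string{"bind", "nodev", "nosuid", "noexec"},
	}, true, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: fipsmount <container-rootfs>")
		os.Exit(2)
	}
	fips, err := HostFIPSEnabled("/proc/sys/crypto/fips_enabled")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	m, ok, err := FIPSBindMount(os.Args[1], fips)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !ok {
		fmt.Println("no FIPS bind mount needed")
		return
	}
	fmt.Printf("mount %s -> %s (%s, %s)\n", m.Source, m.Destination, m.Type, strings.Join(m.Options, ","))
}
```

Run it against an unpacked image root (for a buildah working container, the path printed by `buildah mount`) on a FIPS host to see the mount entry the engine would add; on a non-FIPS host, or for an image without the FIPS directory, it prints that nothing is needed.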
Comment 3 Jindrich Novy 2020-02-06 09:25:05 UTC
The PR noted in comment #1 is cleanly applicable to buildah 1.11.6. Does it make sense to have it there? I mean in RHEL-8.2.0 container-tools?

Comment 4 Daniel Walsh 2020-02-12 15:26:00 UTC
Sure, let's add it.

Comment 5 Tom Sweeney 2020-02-12 16:30:29 UTC
Assigning to Jindrich as this is now in Post.

Comment 6 Laurie Friedman 2020-02-12 19:35:19 UTC
Set blocker+ because this is required for FIPS support in the new buildah container in 8.2. Confirmed by Tom Sweeney.

Comment 8 Alex Jia 2020-03-03 07:00:07 UTC
@dwalsh the /usr/share/crypto-policies/DEFAULT (not the FIPS sub-dir) in the host is mounted to /etc/crypto-policies/back-ends inside the container.
Is it an expected result?

[root@hp-z240-01 ~]# dmesg|grep -i fips
[    0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-183.el8.x86_64 root=/dev/mapper/rhel_hp--z240--01-root ro crashkernel=auto resume=/dev/mapper/rhel_hp--z240--01-swap rd.lvm.lv=rhel_hp-z240-01/root rd.lvm.lv=rhel_hp-z240-01/swap console=ttyS0,115200N81 fips=1 boot=UUID=177f2d89-c925-45d5-9ba9-b029e3be9e00
[    0.000000] Kernel command line: BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-183.el8.x86_64 root=/dev/mapper/rhel_hp--z240--01-root ro crashkernel=auto resume=/dev/mapper/rhel_hp--z240--01-swap rd.lvm.lv=rhel_hp-z240-01/root rd.lvm.lv=rhel_hp-z240-01/swap console=ttyS0,115200N81 fips=1 boot=UUID=177f2d89-c925-45d5-9ba9-b029e3be9e00
[    0.000000] fips mode: enabled

[root@hp-z240-01 ~]# rpm -q buildah
buildah-1.11.6-5.module+el8.2.0+5770+b478fbe7.x86_64

[root@hp-z240-01 ~]# buildah from ubi8
Getting image source signatures
Copying blob eae5d284042d done
Copying blob ff6f434a470a done
Copying config fd73e6738a done
Writing manifest to image destination
Storing signatures
ubi8-working-container

[root@hp-z240-01 ~]# buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
78a01a237179     *     fd73e6738a95 registry.access.redhat.com/ub... ubi8-working-container


[root@hp-z240-01 ~]# ll /usr/share/crypto-policies/
total 8
drwxr-xr-x. 6 root root  61 Feb 26 21:30 back-ends
drwxr-xr-x. 2 root root 211 Feb 26 21:30 DEFAULT
-rw-r--r--. 1 root root 688 Nov 29 08:57 default-config
drwxr-xr-x. 2 root root 211 Feb 26 21:30 EMPTY
drwxr-xr-x. 2 root root 211 Feb 26 21:30 FIPS
drwxr-xr-x. 2 root root 211 Feb 26 21:30 FUTURE
drwxr-xr-x. 2 root root 211 Feb 26 21:30 LEGACY
drwxr-xr-x. 3 root root 109 Feb 26 21:30 policies
drwxr-xr-x. 5 root root 136 Feb 26 21:30 python
-rw-r--r--. 1 root root 167 Dec 16 13:10 reload-cmds.sh

[root@hp-z240-01 ~]# diff /usr/share/crypto-policies/DEFAULT/bind.txt /usr/share/crypto-policies/FIPS/bind.txt
2a3,4
> RSASHA1;
> NSEC3RSASHA1;
5a8
> SHA-1;

[root@hp-z240-01 ~]# buildah run ubi8-working-container ls -lah /etc/crypto-policies/back-ends
total 0
drwxr-xr-x. 2 root root 244 Jan 29 19:36 .
drwxr-xr-x. 5 root root  65 Jan 29 19:36 ..
lrwxrwxrwx. 1 root root  43 Jan 29 19:36 bind.config -> /usr/share/crypto-policies/DEFAULT/bind.txt
lrwxrwxrwx. 1 root root  45 Jan 29 19:36 gnutls.config -> /usr/share/crypto-policies/DEFAULT/gnutls.txt
lrwxrwxrwx. 1 root root  43 Jan 29 19:36 java.config -> /usr/share/crypto-policies/DEFAULT/java.txt
lrwxrwxrwx. 1 root root  43 Jan 29 19:36 krb5.config -> /usr/share/crypto-policies/DEFAULT/krb5.txt
lrwxrwxrwx. 1 root root  48 Jan 29 19:36 libreswan.config -> /usr/share/crypto-policies/DEFAULT/libreswan.txt
lrwxrwxrwx. 1 root root  45 Jan 29 19:36 libssh.config -> /usr/share/crypto-policies/DEFAULT/libssh.txt
lrwxrwxrwx. 1 root root  42 Jan 29 19:36 nss.config -> /usr/share/crypto-policies/DEFAULT/nss.txt
lrwxrwxrwx. 1 root root  46 Jan 29 19:36 openssh.config -> /usr/share/crypto-policies/DEFAULT/openssh.txt
lrwxrwxrwx. 1 root root  52 Jan 29 19:36 opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
lrwxrwxrwx. 1 root root  46 Jan 29 19:36 openssl.config -> /usr/share/crypto-policies/DEFAULT/openssl.txt
lrwxrwxrwx. 1 root root  49 Jan 29 19:36 opensslcnf.config -> /usr/share/crypto-policies/DEFAULT/opensslcnf.txt

Comment 9 Daniel Walsh 2020-03-03 15:28:23 UTC
I believe that is correct.  But should ask the crypto-policies guys to verify.

Comment 10 Tomas Mraz 2020-03-03 15:35:58 UTC
This does not look correct. Was the mount inside the container actually performed? This looks like a normal DEFAULT policy being applied in the container.

Comment 11 Alex Jia 2020-03-04 15:22:56 UTC
(In reply to Tomas Mraz from comment #10)
> This does not look correctly. Was the mount inside the container actually
> performed? This looks like a normal DEFAULT policy being applied in the
> container.

You're right, I forgot to enable FIPS mode in the container.

[root@9ce2b0f43192 /]# ls /etc/system-fips
/etc/system-fips

[root@9ce2b0f43192 /]# update-crypto-policies --set FIPS                                 
Warning: Using 'update-crypto-policies --set FIPS' is not sufficient for
         FIPS compliance.
         Use 'fips-mode-setup --enable' command instead.
Setting system policy to FIPS
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.

[root@9ce2b0f43192 /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K Mar  4 15:14 .
drwxr-xr-x. 1 root root   50 Jan 29 19:36 ..
lrwxrwxrwx. 1 root root   40 Mar  4 15:14 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root   42 Mar  4 15:14 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root   40 Mar  4 15:14 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root   40 Mar  4 15:14 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root   45 Mar  4 15:14 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root   42 Mar  4 15:14 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root   39 Mar  4 15:14 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root   43 Mar  4 15:14 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root   49 Mar  4 15:14 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root   43 Mar  4 15:14 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root   46 Mar  4 15:14 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt

BTW, it didn't work to directly bind-mount the dir in the container; I guess a privileged container is required.

[root@9ce2b0f43192 /]# mount --bind /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends
mount: /etc/crypto-policies/back-ends: permission denied.

[root@intel-sharkbay-mb-03 ~]# buildah version
Version:         1.11.6
Go Version:      go1.13.4
Image Spec:      1.0.1-dev
Runtime Spec:    1.0.1-dev
CNI Spec:        0.4.0
libcni Version:  
image Version:   5.0.0
Git Commit:      
Built:           Wed Dec 31 19:00:00 1969
OS/Arch:         linux/amd64

Comment 12 Simo Sorce 2020-03-04 16:02:29 UTC
Alex,
that looks wrong, please bring this bug back; you have only verified that this is not looking as it should so far.
So probably you should actually FAIL QA and send it back to devel to check what is wrong.

The whole point of this work is that the container will be in FIPS mode automatically if the HOST is in FIPS mode.

Were the tests run on a host that is in FIPS mode?

Comment 13 Alex Jia 2020-03-26 03:09:42 UTC
(In reply to Alex Jia from comment #11)

> BTW, it didn't work for directly mounting dir in the container, I guess a
> privilege container is required.  
> 
> [root@9ce2b0f43192 /]# mount --bind
> /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends
> mount: /etc/crypto-policies/back-ends: permission denied.
> 

We have documentation about how to enable FIPS mode in a container - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies, but the above cmdline is wrong; Daniel has explained this in https://bugzilla.redhat.com/show_bug.cgi?id=1804193#c16

Comment 14 Alex Jia 2020-03-26 03:13:42 UTC
(In reply to Simo Sorce from comment #12)
> Alex,
> that looks wrong, please bring this bug back, you have only verified that
> this is not looking as it should so far.
> So probably you should actually FAIL QA and send it back to devel to check
> what is wrong.

All of testing followed official documentation - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies, please also see https://bugzilla.redhat.com/show_bug.cgi?id=1784952#c13

> 
> The whole point of this work is that the container will be in FIPS mode
> automatially if the HOST is in FIPS mode.
> 
> Were the tests run on a host that is in FIPS mode?

Yes absolutely.

Comment 15 Tomas Mraz 2020-03-26 09:07:13 UTC
No, the cmdline is not wrong and Dan is mistaken! He is probably looking at some old crypto-policies package version.

This is the right command for completeness:

mount --bind /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends

And the error message
mount: /etc/crypto-policies/back-ends: permission denied.
might be an indication of what is wrong, i.e. the source path is correct, but there is some permission problem. But does the same happen within podman? Doesn't it run with higher privileges?

Comment 16 Daniel Walsh 2020-03-26 10:32:06 UTC
Thanks Tomas, so the code looks correct; the issue is testing with a non-RHEL8.2 container image.


Alex, could you update the container image and see if it works.

Also the

Comment 17 Alex Jia 2020-03-27 04:01:09 UTC
(In reply to Daniel Walsh from comment #16)
> Thanks Tomas, so the code looks correct, the issue is testing with a non
> RHEL8.2 container image.
> 
> 
> Alex, could you update the container image and see if it works.
> 
> Also the

the ubi8-minimal-container-8.2-207 works on RHEL-8.2 w/ FIPS mode enabled,
FIPS mode will be automatically enabled inside the container, and the contents
are the same between directory /etc/crypto-policies/back-ends and
/usr/share/crypto-policies/back-ends/FIPS, but I can't see any mount point,
is it an expected result?


[root@hp-dl360g9-03 ~]# buildah run --tty ubi8-working-container /bin/bash
[root@b213066c8c16 /]# fips-mode-setup --check
FIPS mode is enabled.

[root@b213066c8c16 /]# ls -lah /etc/crypto-policies/back-ends
total 44K
drwxr-xr-x. 2 root root  244 Mar 10 13:37 .
drwxr-xr-x. 6 root root   81 Mar 10 13:37 ..
-rw-r--r--. 1 root root  105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root  473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root  587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root  137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root  359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root  990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root  345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root  854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root  162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root  306 Dec 16 18:10 opensslcnf.config

[root@b213066c8c16 /]# ls -lah /usr/share/crypto-policies/back-ends/FIPS
total 44K
drwxr-xr-x. 2 root root  244 Mar 10 13:37 .
drwxr-xr-x. 6 root root   61 Mar 10 13:37 ..
-rw-r--r--. 1 root root  105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root  473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root  587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root  137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root  359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root  990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root  345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root  854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root  162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root  306 Dec 16 18:10 opensslcnf.config

[root@b213066c8c16 /]# diff  /usr/share/crypto-policies/back-ends/FIPS/bind.config /etc/crypto-policies/back-ends/bind.config
[root@b213066c8c16 /]# echo $?
0

But I haven't seen any mount point like below, please help confirm if it's an expected behavior, thanks.

[root@f807ec7d629e /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K Mar 20 10:24 .
drwxr-xr-x. 1 root root   50 Mar  2 17:42 ..
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root   42 Mar 20 10:24 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root   45 Mar 20 10:24 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root   42 Mar 20 10:24 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root   39 Mar 20 10:24 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root   43 Mar 20 10:24 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root   49 Mar 20 10:24 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root   43 Mar 20 10:24 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root   46 Mar 20 10:24 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt

Comment 18 Alex Jia 2020-03-27 04:02:45 UTC
(In reply to Daniel Walsh from comment #16)
> Thanks Tomas, so the code looks correct, the issue is testing with a non
> RHEL8.2 container image.
> 
> 
> Alex, could you update the container image and see if it works.
> 
> Also the

the ubi8-container-8.2-203 works on RHEL-8.2 w/ FIPS mode enabled,
FIPS mode will be automatically enabled inside the container, and
the contents are the same between directory /etc/crypto-policies/back-ends
and /usr/share/crypto-policies/back-ends/FIPS, but I can't see any mount point,
is it an expected result?


[root@hp-dl360g9-03 ~]# buildah run --tty ubi8-working-container /bin/bash
[root@b213066c8c16 /]# fips-mode-setup --check
FIPS mode is enabled.

[root@b213066c8c16 /]# ls -lah /etc/crypto-policies/back-ends
total 44K
drwxr-xr-x. 2 root root  244 Mar 10 13:37 .
drwxr-xr-x. 6 root root   81 Mar 10 13:37 ..
-rw-r--r--. 1 root root  105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root  473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root  587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root  137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root  359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root  990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root  345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root  854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root  162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root  306 Dec 16 18:10 opensslcnf.config

[root@b213066c8c16 /]# ls -lah /usr/share/crypto-policies/back-ends/FIPS
total 44K
drwxr-xr-x. 2 root root  244 Mar 10 13:37 .
drwxr-xr-x. 6 root root   61 Mar 10 13:37 ..
-rw-r--r--. 1 root root  105 Dec 16 18:10 bind.config
-rw-r--r--. 1 root root  473 Dec 16 18:10 gnutls.config
-rw-r--r--. 1 root root  587 Dec 16 18:10 java.config
-rw-r--r--. 1 root root  137 Dec 16 18:10 krb5.config
-rw-r--r--. 1 root root  359 Dec 16 18:10 libreswan.config
-rw-r--r--. 1 root root  990 Dec 16 18:10 libssh.config
-rw-r--r--. 1 root root  345 Dec 16 18:10 nss.config
-rw-r--r--. 1 root root  854 Dec 16 18:10 openssh.config
-rw-r--r--. 1 root root 1.2K Dec 16 18:10 opensshserver.config
-rw-r--r--. 1 root root  162 Dec 16 18:10 openssl.config
-rw-r--r--. 1 root root  306 Dec 16 18:10 opensslcnf.config

[root@b213066c8c16 /]# diff  /usr/share/crypto-policies/back-ends/FIPS/bind.config /etc/crypto-policies/back-ends/bind.config
[root@b213066c8c16 /]# echo $?
0

But I haven't seen any mount point like below, please help confirm if it's an expected behavior, thanks.

[root@f807ec7d629e /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K Mar 20 10:24 .
drwxr-xr-x. 1 root root   50 Mar  2 17:42 ..
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root   42 Mar 20 10:24 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root   40 Mar 20 10:24 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root   45 Mar 20 10:24 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root   42 Mar 20 10:24 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root   39 Mar 20 10:24 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root   43 Mar 20 10:24 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root   49 Mar 20 10:24 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root   43 Mar 20 10:24 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root   46 Mar 20 10:24 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt

Comment 19 Alex Jia 2020-03-27 04:04:42 UTC
(In reply to Alex Jia from comment #17)

> the ubi8-minimal-container-8.2-207 works on RHEL-8.2 w/ FIPS mode enabled, 

Also tested in ubi8-container-8.2-203.

Comment 20 Tomas Mraz 2020-03-27 07:59:00 UTC
Yes, this is the correct result. The mount (not symlinks) should be visible in cat /proc/self/mountinfo.

Comment 21 Alex Jia 2020-03-27 11:09:40 UTC
(In reply to Tomas Mraz from comment #20)
> Yes, this is the correct result. The mount (not symlinks) should be visible
> in cat /proc/self/mountinfo.

Sure, thank you Tomas.

[root@hp-dl360g9-03 ~]# buildah run ubi8-working-container grep -i fips /proc/self/mountinfo
506 504 0:46 /usr/share/crypto-policies/back-ends/FIPS /etc/crypto-policies/back-ends rw,relatime - overlay overlay rw,context="system_u:object_r:container_file_t:s0:c48,c469",lowerdir=/var/lib/containers/storage/overlay/l/V2UVWLVTQGKN75L4RQCDFWWOEW:/var/lib/containers/storage/overlay/l/ZEMRU7IJXNTJHQWXYD7IFEF3F5,upperdir=/var/lib/containers/storage/overlay/1a95b6e4aef17336b6b3b5ed8ad58317b857bd033b3d0654fbc05882f20213d1/diff,workdir=/var/lib/containers/storage/overlay/1a95b6e4aef17336b6b3b5ed8ad58317b857bd033b3d0654fbc05882f20213d1/work

Comment 23 errata-xmlrpc 2020-04-28 15:52:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650

