Bug 1804195 - Podman support for FIPS Mode requires a bind mount inside the container [stream-container-tools-rhel8-rhel-8.2.0/podman]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Lokesh Mandvekar
QA Contact: atomic-bugs@redhat.com
Blocks: 1784950

Reported: 2020-02-18 12:33 UTC by Jindrich Novy
Modified: 2023-09-14 05:52 UTC

Fixed In Version: container-tools-rhel8-8030020200723183228.2a301c24, podman-2.0.3-1.module+el8.3.0+7447+a5267fbb
Last Closed: 2020-11-04 03:05:10 UTC

Description Jindrich Novy 2020-02-18 12:33:29 UTC
This is a tracking bug assuring the fix for [bug 1784950] gets applied in stream-container-tools-rhel8-rhel-8.2.0 branch of podman.

Comment 6 Daniel Walsh 2020-03-23 17:20:03 UTC
We do not plan on updating this, so it is what it is at this point.

Jindrich, could you open an issue (or better yet a PR) to fix whatever issue they are seeing, and we can get it fixed in 8.2.1 or in 8.3?

Comment 10 Daniel Walsh 2020-05-06 15:55:23 UTC
I believe this should work now, and the issue was testing this with a container image less than 8.2.

Could you test this with a RHEL8.2 image and make sure the mount point gets created correctly?

Comment 11 Scott McCarty 2020-05-06 16:02:26 UTC
I believe this works in RHEL 8.2 with podman 1.6.4. I followed the instructions in the docs:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/security_hardening/index#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies

1. Put host in FIPS mode

2. Run the container: podman run -it --rm -v /etc/system-fips:/etc/system-fips ubi8

3. Set FIPS mode in the container: [root@1c04298e0768 /]# update-crypto-policies --set FIPS

4. Verified the policy change:

[root@1c04298e0768 /]# ls -lah /etc/crypto-policies/back-ends
total 4.0K
drwxr-xr-x. 1 root root 4.0K May  6 15:56 .
drwxr-xr-x. 1 root root   50 Oct 29  2019 ..
lrwxrwxrwx. 1 root root   40 May  6 15:56 bind.config -> /usr/share/crypto-policies/FIPS/bind.txt
lrwxrwxrwx. 1 root root   42 May  6 15:56 gnutls.config -> /usr/share/crypto-policies/FIPS/gnutls.txt
lrwxrwxrwx. 1 root root   40 May  6 15:56 java.config -> /usr/share/crypto-policies/FIPS/java.txt
lrwxrwxrwx. 1 root root   40 May  6 15:56 krb5.config -> /usr/share/crypto-policies/FIPS/krb5.txt
lrwxrwxrwx. 1 root root   45 May  6 15:56 libreswan.config -> /usr/share/crypto-policies/FIPS/libreswan.txt
lrwxrwxrwx. 1 root root   42 May  6 15:56 libssh.config -> /usr/share/crypto-policies/FIPS/libssh.txt
lrwxrwxrwx. 1 root root   39 May  6 15:56 nss.config -> /usr/share/crypto-policies/FIPS/nss.txt
lrwxrwxrwx. 1 root root   43 May  6 15:56 openssh.config -> /usr/share/crypto-policies/FIPS/openssh.txt
lrwxrwxrwx. 1 root root   49 May  6 15:56 opensshserver.config -> /usr/share/crypto-policies/FIPS/opensshserver.txt
lrwxrwxrwx. 1 root root   43 May  6 15:56 openssl.config -> /usr/share/crypto-policies/FIPS/openssl.txt
lrwxrwxrwx. 1 root root   46 May  6 15:56 opensslcnf.config -> /usr/share/crypto-policies/FIPS/opensslcnf.txt

Comment 12 Daniel Walsh 2020-05-13 20:42:38 UTC
I believe this is correct, Tomas could you verify?

Comment 13 Tomas Mraz 2020-05-14 07:46:15 UTC
I am not sure - the point of this bug was that podman should automatically do the bind mount so calling update-crypto-policies --set FIPS in the container would not be necessary. What does the same ls command output in the container look like if update-crypto-policies --set FIPS is not called?

Comment 14 Daniel Walsh 2020-06-03 14:26:57 UTC
Fixed in podman 2.0.

Comment 17 Joy Pu 2020-08-03 03:14:05 UTC
Test with podman-2.0.3-1.module+el8.3.0+7505+fe51f0c6.x86_64. Now the FIPS mode is passed into the container. So set this to verified. Details:

# fips-mode-setup --check
FIPS mode is enabled.
# podman run -it ubi8
Trying to pull registry.access.redhat.com/ubi8...
Getting image source signatures
Copying blob 47db82df7f3f skipped: already exists  
Copying blob 77c58f19bd6e [--------------------------------------] 0.0b / 0.0b
Copying config a1f8c96997 done  
Writing manifest to image destination
Storing signatures
[root@a4d8d38c6f4a /]# yum install openssl
Updating Subscription Management repositories.
Unable to read consumer identity
Subscription Manager is operating in container mode.
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Red Hat Universal Base Image 8 (RPMs) - BaseOS  420 kB/s | 768 kB     00:01    
Red Hat Universal Base Image 8 (RPMs) - AppStre 947 kB/s | 3.9 MB     00:04    
Red Hat Universal Base Image 8 (RPMs) - CodeRea 7.4 kB/s |  11 kB     00:01    
Dependencies resolved.
================================================================================
 Package        Architecture  Version                 Repository           Size
================================================================================
Installing:
 openssl        x86_64        1:1.1.1c-15.el8         ubi-8-baseos        697 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 697 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
openssl-1.1.1c-15.el8.x86_64.rpm                843 kB/s | 697 kB     00:00    
--------------------------------------------------------------------------------
Total                                           841 kB/s | 697 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Running scriptlet: openssl-1:1.1.1c-15.el8.x86_64                         1/1 
  Verifying        : openssl-1:1.1.1c-15.el8.x86_64                         1/1 
Installed products updated.

Installed:
  openssl-1:1.1.1c-15.el8.x86_64                                                

Complete!
[root@a4d8d38c6f4a /]# touch fipstest
[root@a4d8d38c6f4a /]# openssl md5 fipstest 
Error setting digest
140422413911872:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:
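
The checks behind Scott's steps and Joy's verification, as an added shell example that is not code from the bug report or from podman: it confirms from inside a container that the host's FIPS mode propagated (bind-mounted marker, kernel flag, FIPS back-end symlinks, and openssl refusing md5) without running update-crypto-policies. It assumes the RHEL 8 crypto-policies layout and takes a hypothetical root-prefix argument so the same checks can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not code from the bug report or from podman: verify from inside a
# container that the host's FIPS mode actually propagated, without running
# update-crypto-policies. Assumes the RHEL 8 layout; the prefix argument ($1) is
# hypothetical so the same checks can be exercised against a constructed tree.

# 0 if /etc/system-fips (the bind-mounted marker) and the kernel flag both say FIPS.
fips_flags_present() {
    root="${1:-}"
    [ -f "$root/etc/system-fips" ] || { echo "missing /etc/system-fips"; return 1; }
    [ "$(cat "$root/proc/sys/crypto/fips_enabled" 2>/dev/null)" = "1" ] \
        || { echo "kernel fips_enabled is not 1"; return 1; }
}

# 0 if every *.config symlink in the back-ends dir ($1) points into the FIPS
# policy directory, as in the ls listing above; 1 (plus a report) otherwise.
backends_are_fips() {
    dir="$1"; rc=0
    for f in "$dir"/*.config; do
        [ -L "$f" ] || { echo "$f is not a symlink (or no back-ends found)"; return 1; }
        target=$(readlink "$f")
        case "$target" in
            */crypto-policies/FIPS/*) ;;
            *) echo "$f -> $target is not a FIPS policy"; rc=1 ;;
        esac
    done
    return $rc
}

# 0 if an openssl stderr message is the FIPS refusal seen in the verification above.
openssl_refused_for_fips() {
    case "$1" in
        *"disabled for FIPS"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check inside a container (needs openssl installed): md5 must be refused.
fips_container_check() {
    fips_flags_present "${1:-}" || return 1
    backends_are_fips "${1:-}/etc/crypto-policies/back-ends" || return 1
    err=$(openssl md5 /dev/null 2>&1 >/dev/null)
    openssl_refused_for_fips "$err" || { echo "openssl md5 was NOT refused: $err"; return 1; }
    echo "FIPS mode is active in this container"
}

# Usage: run "sh fipscheck.sh --run" inside the container after "podman run" on a FIPS host.
if [ "${1:-}" = "--run" ]; then fips_container_check ""; fi
```

A non-zero exit with a printed reason tells you which of the three layers (bind mount, kernel, crypto-policies) did not make it into the container.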

Comment 20 errata-xmlrpc 2020-11-04 03:05:10 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4694

Comment 21 Red Hat Bugzilla 2023-09-14 05:52:51 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

