Description of problem: When running RHEL installer with kernel command line parameter fips=1, it crashes with traceback. Version-Release number of selected component (if applicable): RHEL-9.0.0-20211126.1 has anaconda-34.25.0.20-1.el9.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. Try to provision RHEL 9 with fips=1 command line parameter Actual results: ERROR:root:code for hash md5 was not found. Traceback (most recent call last): File "/usr/lib64/python3.9/random.py", line 61, in <module> from _sha512 import sha512 as _sha512 ModuleNotFoundError: No module named '_sha512' During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib64/python3.9/hashlib.py", line 137, in __get_openssl_constructor f(usedforsecurity=False) ValueError: [digital envelope routines] initialization error During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib64/python3.9/hashlib.py", line 255, in <module> globals()[__func_name] = __get_hash(__func_name) File "/usr/lib64/python3.9/hashlib.py", line 141, in __get_openssl_constructor return __get_builtin_constructor(name) File "/usr/lib64/python3.9/hashlib.py", line 123, in __get_builtin_constructor raise ValueError('unsupported hash type ' + name) ValueError: unsupported hash type md5 Starting installer, one moment... Traceback (most recent call last): File "/sbin/anaconda", line 183, in <module> from pyanaconda.core import util, constants File "/usr/lib64/python3.9/site-packages/pyanaconda/core/util.py", line 38, in <module> import requests File "/usr/lib/python3.9/site-packages/requests/__init__.py", line 43, in <module> import urllib3 File "/usr/lib/python3.9/site-packages/urllib3/__init__.py", line 13, in <module> from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, connection_from_url File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 11, in <module> from .connection import ( File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 15, in <module> from .util.proxy import create_proxy_ssl_context File "/usr/lib/python3.9/site-packages/urllib3/util/__init__.py", line 8, in <module> from .ssl_ import ( File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 8, in <module> from hashlib import md5, sha1, sha256 ImportError: cannot import name 'md5' from 'hashlib' (/usr/lib64/python3.9/hashlib.py) Pane is dead (status 1, Fri Nov 26 06:00:33 2021) [?25l File "/usr/lib/python3.9/site-packages/requests/__init__.py", line 43, in <module> import urllib3 File "/usr/lib/python3.9/site-packages/urllib3/__init__.py", line 13, in <module> from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, connection_from_url File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 11, in <module> from .connection import ( File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 15, in <module> from .util.proxy import create_proxy_ssl_context File "/usr/lib/python3.9/site-packages/urllib3/util/__init__.py", line 8, in <module> from .ssl_ import ( File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 8, in <module> from hashlib import md5, sha1, sha256 ImportError: cannot import name 'md5' from 'hashlib' (/usr/lib64/python3.9/hashlib.py) Expected results: No traceback, RHEL 9 installs just as with RHEL-9.0.0-20211121.7. Additional info:
It is possible that the problem is actually with python3-libs-3.9.9-1.el9 which is new in this compose, over the previous python3-libs-3.9.8-1.el9. Or something else. But it's weird that after the first traceback __get_openssl_constructor (and ValueError), anaconda continues with Starting installer, one moment and then fails with that ImportError.
[anaconda root@localhost ~]# /usr/libexec/platform-python Python 3.9.9 (main, Nov 16 2021, 00:00:00) [GCC 11.2.1 20211019 (Red Hat 11.2.1-6)] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import requests ERROR:root:code for hash md5 was not found. Traceback (most recent call last): File "<frozen importlib._bootstrap>", line 919, in _find_spec AttributeError: '_SixMetaPathImporter' object has no attribute 'find_spec' During handling of the above exception, another exception occurred: .... Reassigning to python.
This is very very weird. The _SixMetaPathImporter.find_spec method was added in six 1.16 https://github.com/benjaminp/six/pull/352 for Python 3.10 compatibility. It landed in Fedora after c9s has forked: https://src.fedoraproject.org/rpms/python-six/c/407e53ae2c4306fdc89a604c48594c78223e3c12?branch=rawhide However, this is on Python 3.9, not 3.10. It should not be needed. The omitted part of the log in "During handling of the above exception, another exception occurred: ...." is likely to contain the actual problem. Do you still have it?
To get some idea from where does md5 usage come from: >>> del hashlib.md5 >>> import requests Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/usr/lib/python3.9/site-packages/requests/__init__.py", line 43, in <module> import urllib3 File "/usr/lib/python3.9/site-packages/urllib3/__init__.py", line 13, in <module> from .connectionpool import HTTPConnectionPool, HTTPSConnectionPool, connection_from_url File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 11, in <module> from .connection import ( File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 15, in <module> from .util.proxy import create_proxy_ssl_context File "/usr/lib/python3.9/site-packages/urllib3/util/__init__.py", line 8, in <module> from .ssl_ import ( File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 8, in <module> from hashlib import md5, sha1, sha256 ImportError: cannot import name 'md5' from 'hashlib' (/usr/lib64/python3.9/hashlib.py)
(In reply to Jan Pazdziora from comment #1) > It is possible that the problem is actually with python3-libs-3.9.9-1.el9 > which is new in this compose, over the previous python3-libs-3.9.8-1.el9. Or > something else. > > But it's weird that after the first traceback __get_openssl_constructor (and > ValueError), anaconda continues with Starting installer, one moment and then > fails with that ImportError. Were the fips tests running back then though? Python is still not FIPS ready at the moment as OpenSSL implemented the functionality quite recently.
FTR; I've seen this same error printed by dnf on an installed FIPS system via one of the systemd dnf timers, so this is indeed not an Anaconda-specific issue.
This is a duplicate of 1942527, which was only recently unblocked by openssl getting FIPS support. Yes, after Beta. Adapting Python (and other packages like Requests) will take some time.
Adapting other packages should not be necessary, hashlib should provide the same API in FIPS mode on RHEL-8 and RHEL-9: i.e. if you want to use MD5 in FIPS mode, the only thing you need to do is to call it with `usedforsecurity=False` (*if* and only if the use of a weak hash doesn't conflict with FIPS requirements, it should not be used at all if it does; as usual, contact rhel-crypto if you're unsure). And I agree with Petr, I'm 99.9% sure that it's a duplicate of bug 1942527.
Seeing bug 1942527 ON_QA, I tested beaker job with <recipe kernel_options="fips=1"> and anaconda run fine.
(In reply to Jan Pazdziora from comment #13) > Seeing bug 1942527 ON_QA, I tested beaker job with > > <recipe kernel_options="fips=1"> > > and anaconda run fine. Excellent! Can we close this as duplicate of bug 1942527 ?
I think we can. *** This bug has been marked as a duplicate of bug 1942527 ***