  1. OpenShift API for Data Protection
  2. OADP-2819

FIPS compliance validation for must-gather container is failing


    • Bug
    • Resolution: Done-Errata
    • Blocker
    • OADP 1.3.0
    • OADP 1.3.0
    • fips
    • oadp-operator-bundle-container-1.3.0-115

      The FIPS validation for must-gather container is failing.

      Container image used:

      sudo ./check-payload scan operator --spec registry-proxy.engineering.redhat.com/rh-osbs/oadp-oadp-mustgather-rhel9@sha256:20d4b78ea119dddce5d1ab31ac75d063f0de4cba46b9bed4b10004efcb8d5c10

      $ sudo ./check-payload scan operator   --spec registry-proxy.engineering.redhat.com/rh-osbs/oadp-oadp-mustgather-rhel9@sha256:20d4b78ea119dddce5d1ab31ac75d063f0de4cba46b9bed4b10004efcb8d5c10
      I1004 17:28:06.790320  317823 main.go:246] using config file: config.toml
      I1004 17:28:06.790358  317823 types_config.go:12] using config &{Components:[] FailOnWarnings:false FilterFile: FromFile: FromURL: InsecurePull:false Limit:-1 ContainerImageComponent: ContainerImage: OutputFile: OutputFormat:table Parallelism:5 PrintExceptions:false PullSecret: TimeLimit:1h0m0s Verbose:false UseRPMScan:false ConfigFile:{FilterFiles:[] FilterDirs:[/lib/firmware /lib/modules /usr/lib/.build-id /usr/lib/firmware /usr/lib/grub /usr/lib/modules /usr/share/app-info /usr/share/doc /usr/share/fonts /usr/share/icons /usr/share/openshift /usr/src/plugins /rootfs /sysroot] FilterImages:[] PayloadIgnores:map[openshift-enterprise-pod-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/bin/pod] Dirs:[]}]} operator-lifecycle-manager-container:{FilterFiles:[/usr/bin/cpb /usr/bin/copy-content] FilterDirs:[] ErrIgnores:[]} ose-olm-rukpak-container:{FilterFiles:[/unpack] FilterDirs:[] ErrIgnores:[]}] TagIgnores:map[] RPMIgnores:map[containernetworking-plugins:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[] Dirs:[/usr/libexec/cni]}]} cri-o:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crio /usr/bin/crio-status] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/bin/pinns] Dirs:[]}]} cri-tools:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crictl] Dirs:[]}]} glibc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/ldconfig /sbin/ldconfig] Dirs:[]}]} glibc-common:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/build-locale-archive] Dirs:[]}]} ignition:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/lib/dracut/modules.d/30ignition/ignition] Dirs:[]}]} podman:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/podman /usr/libexec/podman/quadlet /usr/libexec/podman/rootlessport] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/libexec/podman/catatonit] Dirs:[]}]} podman-catatonit:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/libexec/catatonit/catatonit] Dirs:[]}]} runc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/runc] Dirs:[]}]} skopeo:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/skopeo] Dirs:[]}]}] ErrIgnores:[]}}
      I1004 17:28:06.790419  317823 main.go:100] "scan" version="0.3.1-16-ga1e7c784"
      I1004 17:29:26.588005  317823 validations.go:357] rpm -qf error: exit status 1 (stderr=warning: Found SQLITE rpmdb.sqlite database while attempting bdb backend: using sqlite backend.)
      I1004 17:29:26.588044  317823 scan.go:302] "scanning failed" image="registry-proxy.engineering.redhat.com/rh-osbs/oadp-oadp-mustgather-rhel9@sha256:20d4b78ea119dddce5d1ab31ac75d063f0de4cba46b9bed4b10004efcb8d5c10" path="/usr/bin/oc" error="could not find dependent openssl version within container image: libcrypto.so.1.1" component="oadp-mustgather-container" tag="" rpm="" status="failed"
      ---- Failure Report
      +---------------------------+-----------------+-----------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
      | OPERATOR NAME             | EXECUTABLE NAME | STATUS                                                                            | IMAGE                                                                                                                                            |
      +---------------------------+-----------------+-----------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
      | oadp-mustgather-container | /usr/bin/oc     | could not find dependent openssl version within container image: libcrypto.so.1.1 | registry-proxy.engineering.redhat.com/rh-osbs/oadp-oadp-mustgather-rhel9@sha256:20d4b78ea119dddce5d1ab31ac75d063f0de4cba46b9bed4b10004efcb8d5c10 |
      +---------------------------+-----------------+-----------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
      F1004 17:29:26.941559  317823 main.go:234] Error: run failed
      

            rjohnson@redhat.com Rayford Johnson
            rhn-support-ssingla Sachin Singla
            Sachin Singla Sachin Singla