OCPBUGS-27820

[LVMS] FIPS build compliance check payload scan failed on lvms operator


    • Quality / Stability / Reliability
    • FIPS compliance of LVMS is endangered and needs to be fixed.
    • Important
    • Proposed
    • OCPEDGE Sprint 248
    • In Progress
    • Release Note Not Required

      Description of problem:

      FIPS build compliance check payload scan failed on the NVRs below:
      
      lvms-rhel9-operator
      topolvm-rhel9

      Version-Release number of selected component (if applicable):

      LVMS 4.15.0-59

      How reproducible:

      Always

      Steps to Reproduce:

      1. Set up and install the latest LVMS 4.15 build
      2. Run check-payload scan operator on the mentioned NVR images
          

      Actual results:

      [check-payload]# ./check-payload scan operator --spec brew.registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:972e9fe422e736bcc56ef385e640a712034030ddda22239972f81a436da5a49b
      I0123 16:28:39.215698   55183 main.go:271] using config file: config.toml
      I0123 16:28:39.215739   55183 types_config.go:12] using config &{Components:[] FailOnWarnings:false FilterFile: FromFile: FromURL: InsecurePull:false Limit:-1 ContainerImageComponent: ContainerImage: OutputFile: OutputFormat:table Parallelism:5 Java:false PrintExceptions:false PullSecret: TimeLimit:1h0m0s Verbose:false UseRPMScan:false ConfigFile:{FilterFiles:[] FilterDirs:[/lib/firmware /lib/modules /usr/lib/.build-id /usr/lib/firmware /usr/lib/grub /usr/lib/modules /usr/share/app-info /usr/share/doc /usr/share/fonts /usr/share/icons /usr/share/openshift /usr/src/plugins /rootfs /sysroot] FilterImages:[] JavaDisabledAlgorithms:[DH keySize < 2048 TLSv1.1 TLSv1 SSLv3 SSLv2 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 DHE_DSS RSA_EXPORT DHE_DSS_EXPORT DHE_RSA_EXPORT DH_DSS_EXPORT DH_RSA_EXPORT DH_anon ECDH_anon DH_RSA DH_DSS ECDH 3DES_EDE_CBC DES_CBC RC4_40 RC4_128 DES40_CBC RC2 HmacMD5] PayloadIgnores:map[openshift-enterprise-pod-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/bin/pod] Dirs:[]}]} operator-lifecycle-manager-container:{FilterFiles:[/usr/bin/cpb /usr/bin/copy-content] FilterDirs:[] ErrIgnores:[]} ose-olm-rukpak-container:{FilterFiles:[/unpack] FilterDirs:[] ErrIgnores:[]}] TagIgnores:map[] RPMIgnores:map[containernetworking-plugins:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[] Dirs:[/usr/libexec/cni]}]} cri-o:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crio /usr/bin/crio-status] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/bin/pinns] Dirs:[]}]} cri-tools:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crictl] Dirs:[]}]} glibc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/ldconfig /sbin/ldconfig] Dirs:[]}]} glibc-common:{FilterFiles:[] 
FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/build-locale-archive] Dirs:[]}]} ignition:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/lib/dracut/modules.d/30ignition/ignition] Dirs:[]}]} podman:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/podman /usr/libexec/podman/quadlet /usr/libexec/podman/rootlessport] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/libexec/podman/catatonit] Dirs:[]}]} podman-catatonit:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/libexec/catatonit/catatonit] Dirs:[]}]} runc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/runc] Dirs:[]}]} skopeo:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/skopeo] Dirs:[]}]}] ErrIgnores:[]}}
      I0123 16:28:39.215807   55183 main.go:101] "scan" version="0.3.1-53-ge50c152a"
      I0123 16:28:40.799135   55183 scan.go:325] "scanning failed" image="brew.registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:972e9fe422e736bcc56ef385e640a712034030ddda22239972f81a436da5a49b" path="/lvms" error="x_cgo_init not found" component="lvms-operator-container" tag="" rpm="" status="failed"
      
      ---- Failure Report
      +-------------------------+-----------------+----------------------+---------------------------------------------------------------------------------------------------------------------------+
      | OPERATOR NAME           | EXECUTABLE NAME | STATUS               | IMAGE                                                                                                                     |
      +-------------------------+-----------------+----------------------+---------------------------------------------------------------------------------------------------------------------------+
      | lvms-operator-container | /lvms           | x_cgo_init not found | brew.registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:972e9fe422e736bcc56ef385e640a712034030ddda22239972f81a436da5a49b |
      +-------------------------+-----------------+----------------------+---------------------------------------------------------------------------------------------------------------------------+
      F0123 16:28:40.932712   55183 main.go:259] Error: run failed
      
      
      
      [check-payload]# ./check-payload scan operator --spec brew.registry.redhat.io/lvms4/topolvm-rhel9@sha256:554cc0b3b86eb9176851e75f78ac78df75c0af50f55a338881932e8af79d5738
      I0123 16:28:53.229103   55292 main.go:271] using config file: config.toml
      I0123 16:28:53.229147   55292 types_config.go:12] using config &{Components:[] FailOnWarnings:false FilterFile: FromFile: FromURL: InsecurePull:false Limit:-1 ContainerImageComponent: ContainerImage: OutputFile: OutputFormat:table Parallelism:5 Java:false PrintExceptions:false PullSecret: TimeLimit:1h0m0s Verbose:false UseRPMScan:false ConfigFile:{FilterFiles:[] FilterDirs:[/lib/firmware /lib/modules /usr/lib/.build-id /usr/lib/firmware /usr/lib/grub /usr/lib/modules /usr/share/app-info /usr/share/doc /usr/share/fonts /usr/share/icons /usr/share/openshift /usr/src/plugins /rootfs /sysroot] FilterImages:[] JavaDisabledAlgorithms:[DH keySize < 2048 TLSv1.1 TLSv1 SSLv3 SSLv2 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 DHE_DSS RSA_EXPORT DHE_DSS_EXPORT DHE_RSA_EXPORT DH_DSS_EXPORT DH_RSA_EXPORT DH_anon ECDH_anon DH_RSA DH_DSS ECDH 3DES_EDE_CBC DES_CBC RC4_40 RC4_128 DES40_CBC RC2 HmacMD5] PayloadIgnores:map[openshift-enterprise-pod-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/bin/pod] Dirs:[]}]} operator-lifecycle-manager-container:{FilterFiles:[/usr/bin/cpb /usr/bin/copy-content] FilterDirs:[] ErrIgnores:[]} ose-olm-rukpak-container:{FilterFiles:[/unpack] FilterDirs:[] ErrIgnores:[]}] TagIgnores:map[] RPMIgnores:map[containernetworking-plugins:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[] Dirs:[/usr/libexec/cni]}]} cri-o:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crio /usr/bin/crio-status] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/bin/pinns] Dirs:[]}]} cri-tools:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crictl] Dirs:[]}]} glibc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/ldconfig /sbin/ldconfig] Dirs:[]}]} glibc-common:{FilterFiles:[] 
FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/build-locale-archive] Dirs:[]}]} ignition:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/lib/dracut/modules.d/30ignition/ignition] Dirs:[]}]} podman:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/podman /usr/libexec/podman/quadlet /usr/libexec/podman/rootlessport] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/libexec/podman/catatonit] Dirs:[]}]} podman-catatonit:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/libexec/catatonit/catatonit] Dirs:[]}]} runc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/runc] Dirs:[]}]} skopeo:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/skopeo] Dirs:[]}]}] ErrIgnores:[]}}
      I0123 16:28:53.229223   55292 main.go:101] "scan" version="0.3.1-53-ge50c152a"
      I0123 16:28:54.332522   55292 scan.go:325] "scanning failed" image="brew.registry.redhat.io/lvms4/topolvm-rhel9@sha256:554cc0b3b86eb9176851e75f78ac78df75c0af50f55a338881932e8af79d5738" path="/hypertopolvm" error="x_cgo_init not found" component="topolvm-container" tag="" rpm="" status="failed"
      ---- Failure Report
      +-------------------+-----------------+----------------------+---------------------------------------------------------------------------------------------------------------------+
      | OPERATOR NAME     | EXECUTABLE NAME | STATUS               | IMAGE                                                                                                               |
      +-------------------+-----------------+----------------------+---------------------------------------------------------------------------------------------------------------------+
      | topolvm-container | /hypertopolvm   | x_cgo_init not found | brew.registry.redhat.io/lvms4/topolvm-rhel9@sha256:554cc0b3b86eb9176851e75f78ac78df75c0af50f55a338881932e8af79d5738 |
      +-------------------+-----------------+----------------------+---------------------------------------------------------------------------------------------------------------------+
      F0123 16:28:54.513022   55292 main.go:259] Error: run failed
      
      
      

      Expected results:

      No errors present on check payload scan operator

      Additional info:

          

              rh-ee-jmoller Jakob Moeller (Inactive)
              rh-ee-rdeore Rahul Deore