Skip to content

24.3.5 FIPS Pre-release #447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 24 commits into from
Aug 31, 2024
Merged

24.3.5 FIPS Pre-release #447

merged 24 commits into from
Aug 31, 2024

Conversation

@Enmk
Copy link
Member

@Enmk Enmk commented Aug 28, 2024
edited
Loading

Changelog category (leave one):

  • New Feature

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

BoringSSL ver fips-20210429 built in FIPS mode.

Documentation entry for user-facing changes

  • Building BoringSSL ver fips-20210429 (853ca1ea1168dff08011e5d42d94609cc0ca2e27) according to FIPS-140-2 Security Policy 4407, based on build scripts from Golang version go1.22.5.
  • Added FIPS_CLICKHOUSE to system.build_options
  • Modified ClickHosue keeper to use full range of openSSL options (same as ClickHouse does) for Raft connections
  • A bit of extra logging for FIPS mode at startup

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4407.pdf
https://boringssl.googlesource.com/boringssl/+/refs/tags/fips-20210429
https://github.com/golang/go/tree/go1.22.5

similar to #373 but for 24.3

Enmk added 13 commits August 15, 2024 15:25
@Enmk
Fixed arm64 build of CH with BoringSSL from go 1.22
bd0d38a 
Also set base image for keeper to be alpine 3:20, as now it has no CVEs
@Enmk
Not building arm64 binaries and don't execute tests arm64 tests
4a6661d
@Enmk
Fixed error with building server image
0d35c4e
@Enmk
Merge pull request #441 from Altinity/24.3_FIPS_fix_arm64_build
3b71c7c 
24.3. Fix arm64 build of CH with BoringSSL from go 1.22
@Enmk
Make sure that build reports that are downloaded belong to a certain PR
05d7ef0
@Enmk
A bit more loging
fbfad5b
@Enmk
Merge pull request #442 from Altinity/24.3_CI_CD_fix_downloading_buil…
624f7b9 
…d_reports

24.3 ci cd fix downloading build reports
@Enmk
Publishing server images created by PR
2d8888a
@Enmk
Pushing from docker_server.py
810f0dc
@Enmk
Attempt to fix pushing the image
d90c26c
@Enmk
Merge pull request #443 from Altinity/24.3.5-publish-server-images
50854f2 
24.3.5-FIPS Publishing server images created by PR
@Enmk
Changed base of the clickhouse-server package to be ubuntu:22.04
87e2e12
@Enmk
Merge pull request #437 from Altinity/24.3_ubuntu_22.04_as_base_docke…
17d6c26 
…r_image

24.3-FIPS `ubuntu:22.04` as base of the clickhouse-server docker image
@altinity-robot
Copy link
Collaborator

altinity-robot commented Aug 28, 2024
edited
Loading

This is an automated comment for commit 5978424 with description of existing statuses. It's updated for the latest CI running

❌ Click here to open a full report in a separate page

Check nameDescriptionStatus
CI runningA meta-check that indicates the running CI. Normally, it's in success or pending state. The failed status indicates some problems with the PR⏳ pending
ClickHouse build checkBuilds ClickHouse in various configurations for use in further steps. You have to fix the builds that fail. Build logs often has enough information to fix the error, but you might have to reproduce the failure locally. The cmake options can be found in the build log, grepping for cmake. Use these options and follow the general build process❌ failure
Integration testsThe integration tests report. In parenthesis the package type is given, and in square brackets are the optional part/total tests❌ failure
Mergeable CheckChecks if all other necessary checks are successful❌ failure
Stateful testsRuns stateful functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc❌ error
Stateless testsRuns stateless functional tests for ClickHouse binaries built in various configurations -- release, debug, with sanitizers, etc❌ error
Stress testRuns stateless functional tests concurrently from several clients to detect concurrency-related errors❌ failure
Successful checks
Check nameDescriptionStatus
Compatibility checkChecks that clickhouse binary runs on distributions with old libc versions. If it fails, ask a maintainer for help✅ success
Docker keeper imageThe check to build and optionally push the mentioned image to docker hub✅ success
Docker server imageThe check to build and optionally push the mentioned image to docker hub✅ success
Install packagesChecks that the built packages are installable in a clear environment✅ success

@Enmk Enmk merged commit f030c60 into releases/24.3.5-fips Aug 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Enmk @altinity-robot @MyroTk