Add support for FIPS-Mode backends #2031
Conversation
Need someone from @simo5 to confirm file/directory paths.
@t8m PTAL
@mjahoda PTAL
LGTM. The paths in the patch look correct.
LGTM
If the host is running in FIPS mode, then RHEL 8.2 and later container images will come with a directory /usr/share/crypto-policies/back-ends/FIPS. This directory needs to be bind mounted over /etc/crypto-policies/back-ends in order to make all tools in the container follow the FIPS mode rules. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Destination: secretsDir, | ||
Type: "bind", | ||
Options: []string{"bind", "rprivate"}, | ||
} | ||
*mounts = append(*mounts, m) | ||
} | ||
|
||
srcBackendDir := "/usr/share/crypto-policies/back-ends/FIPS" | ||
destDir := "/etc/crypto-policies/back-ends" |
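Review bot: the excerpt hard-codes srcBackendDir and destDir inside the function and shows no guard that the host is actually in FIPS mode or that srcBackendDir exists in the image, even though the commit message scopes the mount to FIPS-mode hosts and RHEL 8.2+ images; consider hoisting both paths to package-level constants (or configuration, as discussed below) and checking /proc/sys/crypto/fips_enabled plus the presence of the source directory before appending the mount. Also consider adding "ro" to this mount's options so the workload cannot rewrite the policy it is meant to follow; the secrets mount above uses only []string{"bind", "rprivate"}, and the options for the FIPS mount are not visible in this excerpt.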
@rhatdan would it make sense to add the above two variables into containers.conf at some point?
Also I'm not a big fan of having a directory defined like this in a middle of a function somewhere, but personal twitch.
I don't know if containers.conf is the right place. The place to extend would be mounts.conf, I guess, but we would need some changes to how it is parsed.
Currently the format is
SRC:DEST
but SRC is on the host and DEST is in the container.
This patch basically does SRC in the container to DEST in the container.
Mounts.conf also copies SRC into container local storage and then mounts container local storage at DEST.
The HPC guys want additional volumes automatically "bind" mounted into the containers.
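The decision logic the patch and the commit message describe, written out as an added example (not the project's own code): the mount is only built when the host kernel reports FIPS mode and the image actually ships the FIPS back-end directory, and it is added read-only. The `Mount` struct, `HostFIPSEnabled`, `FIPSMount` and the `imageRoot` parameter (the host-side path of the container's root filesystem) are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount mirrors the fields of the runtime-spec mount the patch appends.
// Hypothetical local type; the real code uses the OCI specs.Mount.
type Mount struct {
	Source      string
	Destination string
	Type        string
	Options     []string
}

const (
	fipsEnabledFile = "/proc/sys/crypto/fips_enabled"
	fipsBackendDir  = "/usr/share/crypto-policies/back-ends/FIPS"
	cryptoPolicyDir = "/etc/crypto-policies/back-ends"
)

// HostFIPSEnabled reports whether the kernel sysctl at path reads "1",
// which is what the file holds when the host runs in FIPS mode.
func HostFIPSEnabled(path string) bool {
	b, err := os.ReadFile(path)
	return err == nil && strings.TrimSpace(string(b)) == "1"
}

// FIPSMount returns the bind mount overlaying the image's FIPS back-ends over
// its crypto-policies directory. It returns false when the mount must not be
// added: the host is not in FIPS mode, or the image (rooted at imageRoot on
// the host) lacks the source directory, as images older than RHEL 8.2 do.
// Both paths live inside the container image, so Source is the rootfs path,
// not a host directory as in a mounts.conf SRC:DEST entry.
func FIPSMount(hostFIPS bool, imageRoot string) (Mount, bool) {
	if !hostFIPS {
		return Mount{}, false
	}
	src := filepath.Join(imageRoot, fipsBackendDir)
	if st, err := os.Stat(src); err != nil || !st.IsDir() {
		return Mount{}, false
	}
	// "ro" keeps the workload from rewriting the policy it has to follow.
	return Mount{Source: src, Destination: cryptoPolicyDir, Type: "bind",
		Options: []string{"bind", "rprivate", "ro"}}, true
}

func main() {
	m, ok := FIPSMount(HostFIPSEnabled(fipsEnabledFile), "/")
	fmt.Printf("add FIPS mount: %v %+v\n", ok, m)
}
```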
I just added

```
# List of additional volumes. Specified as
# "<directory-on-host>:<directory-in-container>:<options>", for example:
# "/db:/var/lib/db:ro".
# If it is empty or commented out, no volumes will be added
# additional_volumes = []
```

to containers.conf, but this does not solve the issue we have here either.
Late to the party, couple small things for future consideration.