T K Chandra Hasan
@haircommander are we deliberately not loading the symbols in crio during build time?
```
[root@chasan-rhel8-testing bin]# go version
go version go1.19.6 linux/amd64
[root@chasan-rhel8-testing bin]# which go
/root/fips/go/go/bin/go
[root@chasan-rhel8-testing bin]# go tool nm /root/fips/go/go/bin/go | grep FIPS
962e40 T _cgo_5019e8d6299c_Cfunc__goboringcrypto_FIPS_mode
10ace18 d _g_FIPS_mode
102f0b0...
```
> If it's a fedora build or something from the kubic repos, it's very likely not fips compliant.
>
> What does `rpm -q cri-o-$WHATEVER_VERSION` look like on...
Initially I tried to build crio using the fips go1.18 version on RHEL8, but it failed. So I had to build the fips go 1.19 version from this branch: https://github.com/golang-fips/go/tree/go1.19-fips-release And regarding...
Btw, @haircommander how often are we bumping the go version? The reason is that for fips the go version always lags behind, and if we use a new go feature in our...
> hmm, don't know if any of the RHEL builds have easily accessible public links, but let me provide you a podman example:
>
> See: https://github.com/containers/podman/blob/main/podman.spec.rpkg#L23
>
> So,...
@shashipratap Though I wait for others to acknowledge, I think crio & other components on OKE must be FIPS compliant. You need to check this file on your node: "/proc/sys/crypto/fips_enabled"....
@lsm5 Back to @shashipratap's query: how to verify that OKE components are FIPS compliant? Seems we aren't loading symbols in our runtimes, and in that case what is the alternate...
> OKE is Oracle Kubernetes Engine. So it must be either vanilla or customized Kubernetes but not Openshift.
Observing the same behavior with runc too. I'm not really sure whether it's a cri-o issue or a runtime one, since the process isn't exiting. If I rerun the same command, it shows ```...