Getting crypto/fips/fips.c:153: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE when the dracut-fips package is installed and sysctl -a shows crypto.fips_enabled = 1
Constraint: in my case I cannot disable the dracut-fips package or the crypto.fips_enabled setting.
How can I get cmake --version working inside the container?
[someLinuxUser@jenkins-project_team_rh ~]$ hostname -f; hostname -i
jenkins-project_team_rh.lewisville.us.company.com
10.20.20.10
[someLinuxUser@jenkins-project_team_rh ~]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
[someLinuxUser@jenkins-project_team_rh ~]$
[someLinuxUser@jenkins-project_team_rh ~]$ cmake --version
cmake version 3.18.2
CMake suite maintained and supported by Kitware (kitware.com/cmake).
[someLinuxUser@jenkins-project_team_rh ~]$ sudo docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
opensuse-image 15.2 618840498a55 3 hours ago 2.59GB
Now I'm inside the container. Running cmake --version in here gives the error.
Note: on any host OS where "sysctl -a | grep fips" shows "crypto.fips_enabled = 0" in its output, the same Docker image works fine. So we may need to set this value to 0.
[someLinuxUser@jenkins-project_team_rh ~]$ sudo docker run -it opensuse-image:15.2 bash
Active Directory Password:
WARNING: IPv4 forwarding is disabled. Networking will not work.
docker_nonroot_user@eaa40032f4d3:~/git>
docker_nonroot_user@eaa40032f4d3:~/git> which cmake; cmake --version
/usr/bin/cmake
crypto/fips/fips.c:153: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
docker_nonroot_user@eaa40032f4d3:~/git>
docker_nonroot_user@3e63938cf7e7:~/git> cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.2"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.2"
PRETTY_NAME="openSUSE Leap 15.2"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.2"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
[someLinuxUser@jenkins-project_team_rh ~]$ sysctl -a | grep fips_enabled
crypto.fips_enabled = 1
That is, it shows FIPS is enabled on this host. I think that if this (crypto.fips_enabled) were set to 0, we might not see this problem with cmake, but in my case I cannot disable this setting.
On the host, some relevant packages are:
[someLinuxUser@jenkins-project_team_rh ~]$ sudo yum list installed | egrep "fips|openssl|dracut"
dracut-fips.x86_64 033-572.el7 @rhel-x86_64-server-7
fipscheck.x86_64 1.4.1-6.el7 @anaconda/7.6
fipscheck-lib.x86_64 1.4.1-6.el7 @anaconda/7.6
CentrifyDC-openssl.x86_64 5.7.1-347 installed
openssl.x86_64 1:1.0.2k-22.el7_9 @q1_rhel-x86_64-server-7
openssl-devel.x86_64 1:1.0.2k-22.el7_9 @q1_rhel-x86_64-server-7
openssl-libs.x86_64 1:1.0.2k-22.el7_9 @q1_rhel-x86_64-server-7
openssl098e.x86_64 0.9.8e-29.el7_2.3 @anaconda/7.6
xmlsec1-openssl.x86_64 1.2.20-7.el7_4 @anaconda/7.6
dracut.x86_64 033-572.el7 @rhel-x86_64-server-7
dracut-config-rescue.x86_64 033-572.el7 @rhel-x86_64-server-7
dracut-network.x86_64 033-572.el7 @rhel-x86_64-server-7
[someLinuxUser@jenkins-project_team_rh ~]$
Using the same Docker image on a different machine with the same host OS.
This is another RH 7.9 OS host I have, with the same Docker image: when I start a container from the same opensuse-image:15.2 image and run cmake --version, everything works and I don't see this error.
Run:
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ hostname -f; hostname -i
rh_7_9_os_machine.company.local
10.100.100.10
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ sudo docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
opensuse-image 15.2 618840498a55 3 hours ago 2.59GB
This host shows:
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ sysctl -a 2>/dev/null | grep fips_enabled
crypto.fips_enabled = 0
Running the Docker image -> container and cmake --version inside it works!
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ sudo docker run -it opensuse-image:15.2 bash
docker_nonroot_user@fb751d198066:~/git>
docker_nonroot_user@fb751d198066:~/git> sysctl -a 2>/dev/null | grep fips
crypto.fips_enabled = 0
docker_nonroot_user@fb751d198066:~/git>
docker_nonroot_user@fb751d198066:~/git> cmake --version
cmake version 3.17.0
CMake suite maintained and supported by Kitware (kitware.com/cmake).
docker_nonroot_user@fb751d198066:~/git> exit
The yum packages on the host are:
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ sudo yum list installed |grep fips
fipscheck.x86_64 1.4.1-6.el7 @anaconda/7.4
fipscheck-lib.x86_64 1.4.1-6.el7 @anaconda/7.4
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ sudo yum list installed |grep openssl
openssl.x86_64 1:1.0.2k-22.el7_9 @rhel-7-server-rhui-rpms
openssl-devel.x86_64 1:1.0.2k-22.el7_9 @rhel-7-server-rhui-rpms
openssl-libs.x86_64 1:1.0.2k-22.el7_9 @rhel-7-server-rhui-rpms
openssl11-libs.x86_64 1:1.1.1g-2.el7 @epel
xmlsec1-openssl.x86_64 1.2.20-7.el7_4 @rhui-REGION-rhel-server-releases
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ sudo yum list installed |grep dracut\-fips
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$
[gigauser@rh_7_9_os_machine opensuse-x-project_team_-mse]$ sudo yum list installed |grep dracut
dracut.x86_64 033-572.el7 @rhel-7-server-rhui-rpms
dracut-config-generic.x86_64 033-572.el7 @rhel-7-server-rhui-rpms
dracut-config-rescue.x86_64 033-572.el7 @rhel-7-server-rhui-rpms
dracut-network.x86_64 033-572.el7 @rhel-7-server-rhui-rpms
As you can see above, NO package named dracut-fips is installed on this machine, and I assume that's why crypto.fips_enabled = 0 and "cmake --version" works on this host and in the container!
How can I get cmake --version working inside the container when I cannot uninstall the dracut-fips package on the first host OS and cannot disable FIPS (crypto.fips_enabled = 0)? Is it possible to get it working at all?
Posted on 2022-02-11 20:45:51
Found a solution
Why this problem occurs: the Docker build (creating the image) was run on a machine (the other machine, where cmake works in a Docker container), i.e. one where FIPS is not installed. In the build step the Dockerfile runs zypper install cmake (or yum install cmake).
Because FIPS was disabled on the machine where the Docker image was built, cmake got installed into the Docker image without any knowledge of FIPS being enabled / dracut-fips being installed.
Then, when you copy this image and use it on a machine where FIPS is actually enabled, cmake fails with the error message: crypto/fips/fips.c:153: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE.
--
Solution #1: tag your Docker image appropriately.
Summary:
PS: if cmake is installed using the method above, it will only work on the target machine running the container if that machine's FIPS is disabled or enabled the same way it was at build time. That is, if FIPS is enabled and you install cmake and run it on a machine whose FIPS setting differs from the host where the image was built, you'll be reading this post for help.
If you want to install cmake with the package manager as above, the better approach is to tag your Docker image appropriately during image creation, i.e.:
docker build -t imagename-fips-enabled ... if FIPS is enabled
and
docker build -t imagename-fips-disabled ... if FIPS is disabled on that machine.
That way you can pick the right Docker image, imagename-fips-enabled vs imagename-fips-disabled, according to the FIPS setting of your target machine (the one where you'll actually run docker run ... with this image).
--
Solution #2: don't use zypper (openSUSE) or yum (if you have a RedHat container). This solution is flexible in the sense that it is independent of the FIPS setting (= 0/1) on the host where the image is built.
Instead of using zypper/yum to install cmake in the Dockerfile, I just grabbed the cmake-3.18.2-Linux-x86_64.tar.gz package file.
In the Dockerfile I simply extracted this .tar.gz file into some directory. Also, in a RUN statement in the Dockerfile, I set export PATH=/path/where/I/installed/cmake-3.18.2../bin:/..some_other_paths:/...:/.....
i.e. RUN export PATH=/path/where/I/installed/cmake-3.18.2../bin:/...... && && && ... etc, so it can find the extracted cmake 3.18.2 for any build-time (cmake) operation, and at runtime the same PATH is set with ENV PATH=/.... (same value used during RUN for PATH), so when the container runs, $PATH is set to find cmake (version 3.18.2) rather than any existing /usr/bin/cmake or some other shit).
Dockerfile snippet:
# curl -k -sSf -H "X-JFrog-Art-Api:dslfhjlieurqwihlj233lk2l4j6p9usdkajdfasddl809842iijhlkhflhafOHIHFLyeaGoodLuck" \
# -o /tmp/cmake.tar.gz https://artifactory.company.com/artifactory/some-Local/cmake/cmake-3.18.2-Linux-x86_64.tar.gz && \
and
Since my umask setting is 022, I didn't need to do any chmod fiddling after untarring:
# echo -e "\n-- Installing CMake ...\n" && \
# tar -xvzpf /tmp/cmake.tar.gz -C /home/docker_nonroot_user/tools/ && \
In the Docker container, because ENV PATH=/... is also set in the Dockerfile for this target path, the correct cmake 3.18.2 is used in runtime operations inside the Docker container.
Where cmake is installed in my case:
/home/docker_nonroot_user/tools/cmake-3.18.2-Linux-x86_64/bin/cmake
The PATH inside the Docker container is:
/home/docker_nonroot_user/tools/cov-analysis/bin:/home/docker_nonroot_user/tools/cmake-3.18.2-Linux-x86_64/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Using the Docker image built above with SOLUTION #2, i.e. built on a machine where FIPS = 0 aka disabled, and then using this image to create a container on a completely different target host where FIPS = 1 aka enabled, I see:
87d8104d8c41:/home/docker_nonroot_user # sysctl -a|grep fips_en
crypto.fips_enabled = 1
87d8104d8c41:/home/docker_nonroot_user #
87d8104d8c41:/home/docker_nonroot_user # which cmake
/usr/bin/cmake
87d8104d8c41:/home/docker_nonroot_user #
87d8104d8c41:/home/docker_nonroot_user # cmake --version
crypto/fips/fips.c:153: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
Aborted (core dumped)
87d8104d8c41:/home/docker_nonroot_user #
87d8104d8c41:/home/docker_nonroot_user #
87d8104d8c41:/home/docker_nonroot_user # ls -l /home/docker_nonroot_user/tools/cmake-3.18.2-Linux-x86_64/bin
total 75504
-rwxr-xr-x 1 root root 11908568 Aug 20 2020 ccmake
-rwxr-xr-x 1 root root 12096216 Aug 20 2020 cmake
-rwxr-xr-x 1 root root 27476480 Aug 20 2020 cmake-gui
-rwxr-xr-x 1 root root 12398808 Aug 20 2020 cpack
-rwxr-xr-x 1 root root 13318712 Aug 20 2020 ctest
87d8104d8c41:/home/docker_nonroot_user #
87d8104d8c41:/home/docker_nonroot_user # ls -l /home/docker_nonroot_user/tools/cmake-3.18.2-Linux-x86_64/bin/cmake
-rwxr-xr-x 1 root root 12096216 Aug 20 2020 /home/docker_nonroot_user/tools/cmake-3.18.2-Linux-x86_64/bin/cmake
87d8104d8c41:/home/docker_nonroot_user #
87d8104d8c41:/home/docker_nonroot_user # /home/docker_nonroot_user/tools/cmake-3.18.2-Linux-x86_64/bin/cmake --version
cmake version 3.18.2
CMake suite maintained and supported by Kitware (kitware.com/cmake).
87d8104d8c41:/home/docker_nonroot_user # : Merry X-mas Baaaaeeebyyy! - no more FIPS shit error now. Next I'll fix some chown on ~ and close my story.
SOLUTION #3: disable FIPS, but only if you are allowed to; then Solution #1 or Solution #2 is not needed.
https://serverfault.com/questions/1093401
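As an added example (not code from the question or the answer above), here is a small POSIX shell helper a CI script could use to apply Solutions #1 and #2 mechanically: it reads crypto.fips_enabled from /proc/sys the way sysctl does, derives the -fips-enabled / -fips-disabled tag suffix so an image is only run on a host with the matching FIPS state, and checks that the first cmake on PATH is the extracted tarball copy rather than /usr/bin/cmake (the last session above shows `which cmake` still resolving to /usr/bin/cmake, which is exactly what this check catches). The tools directory, the image name and the /proc path fallback are assumptions; the optional file argument to fips_state exists so the functions can be exercised with constructed sample files instead of the live kernel setting.

```shell
#!/bin/sh
# Added example, not from the question or answer: build/run-time checks for the
# FIPS mismatch described above. Paths and image names are assumptions.

# Print "enabled" or "disabled". The kernel exposes crypto.fips_enabled as
# /proc/sys/crypto/fips_enabled (what `sysctl crypto.fips_enabled` reads);
# an alternative file can be passed for testing with constructed input.
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Solution #1: derive the tag from the FIPS state of the build host, e.g.
# opensuse-image:15.2 -> opensuse-image:15.2-fips-enabled
image_tag() {
    base="$1"    # e.g. opensuse-image:15.2 (assumed name)
    state="$2"   # enabled | disabled
    echo "${base}-fips-${state}"
}

# Return 0 when the image tag suffix matches the host FIPS state, 1 otherwise,
# so a wrapper around `docker run` can refuse a mismatched image up front.
tag_matches_host() {
    tag="$1"; state="$2"
    case "$tag" in
        *-fips-"$state") return 0 ;;
        *) return 1 ;;
    esac
}

# Solution #2: return 0 if the first `cmake` on the given PATH is the one under
# the tarball tools directory, 1 if it resolves elsewhere (e.g. /usr/bin/cmake)
# or is not found at all. PATH is changed only inside the subshell.
cmake_from_tools() {
    tools_bin="$1"; search_path="$2"
    found="$(PATH="$search_path"; command -v cmake 2>/dev/null)" || return 1
    case "$found" in
        "$tools_bin"/cmake) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use against the live host: ./fipscheck.sh --check
if [ "${1:-}" = "--check" ]; then
    state="$(fips_state)"
    echo "host FIPS: $state -> $(image_tag opensuse-image:15.2 "$state")"
    # Assumed install location, matching the answer's tarball layout.
    if cmake_from_tools /home/docker_nonroot_user/tools/cmake-3.18.2-Linux-x86_64/bin "$PATH"; then
        echo "cmake resolves to the tarball install"
    else
        echo "cmake does NOT resolve to the tarball install; check ENV PATH in the Dockerfile" >&2
        exit 1
    fi
fi
```

Run it with --check on the build host to get the tag to use, and inside the container to confirm which cmake wins. One detail that matters for Solution #2: `RUN export PATH=...` only affects that single RUN layer, so it is the ENV PATH line the answer mentions that actually makes the tarball cmake come first at container run time; if ENV PATH is missing, cmake_from_tools reports the /usr/bin/cmake fallback seen in the last session above.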