import OL ignition-2.23.0-2.el9_7

2025-12-22 06:34:24 +00:00 · 2025-12-22 06:34:24 +00:00 · a43ba77c21
commit a43ba77c21
parent 05d36ded40
4 changed files with 118 additions and 11 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/ignition-2.22.0.tar.gz
+SOURCES/ignition-2.23.0.tar.gz
 SOURCES/ignition-edge-b8d1b7a.tar.gz
--- a/.ignition.metadata
+++ b/.ignition.metadata
@ -1,2 +1,2 @@
-0e0e0229c4d32ca50d19df8c0adca27d28c4a9b9 SOURCES/ignition-2.22.0.tar.gz
+8ba7d5f2ecddde15159bde59e0ebca3553e03bb3 SOURCES/ignition-2.23.0.tar.gz
 0069b62bce8673f82ac6a4b9959ec8db4ffed8ad SOURCES/ignition-edge-b8d1b7a.tar.gz
--- a/SOURCES/0001-OCPBUGS-65684-Fix-invalid-random-source-in-FIPS-140.patch
+++ b/SOURCES/0001-OCPBUGS-65684-Fix-invalid-random-source-in-FIPS-140.patch
@ -0,0 +1,95 @@
+From a33a8402a215f008c22ac52c885606117adba6c5 Mon Sep 17 00:00:00 2001
+From: Tiago Bueno <tiago.bueno@gmail.com>
+Date: Mon, 17 Nov 2025 21:44:24 -0300
+Subject: [PATCH] OCPBUGS-65684: Fix invalid random source in FIPS 140-only
+ mode in FIPS mode
+
+When igntion is compiled with GOEXPERIMENT=strictfipsruntime and
+running in a computer with FIPS enabled, the random source is invalid.
+
+When FIPS is enabled, instead of use a custom random on TLS config,
+do not set a random source at all as it will use crypto/rand.Reader by
+default
+
+Co-authored-by: Steven Presti <47181335+prestist@users.noreply.github.com>
+Co-authored-by: Dusty Mabe <dusty@dustymabe.com>
+
+Signed-off-by: Tiago Bueno <tiago.bueno@gmail.com>
+---
+ internal/resource/http.go | 49 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 44 insertions(+), 6 deletions(-)
+
+diff --git a/internal/resource/http.go b/internal/resource/http.go
+index 197f5731..aae40e90 100644
+--- a/internal/resource/http.go
+++ b/internal/resource/http.go
+@@ -25,6 +25,7 @@ import (
+ 	"net"
+ 	"net/http"
+ 	"net/url"
+	"os"
+ 	"strings"
+ 	"time"
+ 
+@@ -218,16 +219,52 @@ func (f *Fetcher) RewriteCAsWithDataUrls(cas []types.Resource) error {
+ 	return nil
+ }
+ 
+-// DefaultHTTPClient builds the default `http.client` for Ignition.
+-func defaultHTTPClient() (*http.Client, error) {
+-	urand, err := earlyrand.UrandomReader()
+func isFIPSEnabled() bool {
+	data, err := os.ReadFile("/proc/sys/crypto/fips_enabled")
+ 	if err != nil {
+-		return nil, err
+		// If the file doesn't exist or can't be read, assume FIPS is not enabled
+		return false
+ 	}
+	// Check if the content is "1" (with or without trailing newline)
+	return len(data) > 0 && data[0] == '1'
+}
+ 
+-	tlsConfig := tls.Config{
+-		Rand: urand,
+// DefaultHTTPClient builds the default `http.client` for Ignition.
+func defaultHTTPClient() (*http.Client, error) {
+	var tlsConfig tls.Config
+
+	if isFIPSEnabled() {
+		// In FIPS mode (GOEXPERIMENT=strictfipsruntime), we can't set a random source.
+		// Setting a custom random source like /dev/urandom causes the error:
+		// "crypto/ecdh: invalid random source in FIPS 140-only mode"
+		tlsConfig = tls.Config{}
+	} else {
+		// In non-FIPS mode let's use the `earlyrand.UrandomReader()`
+		// this source reads from `/dev/urandom` (`man urandom`) rather
+		// than calling the `getrandom` API (`man getrandom`).
+		//
+		//   > When  read, the /dev/urandom device returns random bytes
+		//   > using a pseudorandom number generator seeded from the entropy
+		//   > pool. Reads from this device do not block (i.e., the CPU is
+		//   > not yielded)
+		//
+		// This is a tradeoff to not block early boot because:
+		//
+		//   > When read during early boot time, /dev/urandom may return
+		//   > data prior to the entropy pool being initialized. If this
+		//   > is of concern in your application, use getrandom(2) or
+		//   > /dev/random instead.
+		//
+		// See https://github.com/coreos/ignition/issues/645
+		urand, err := earlyrand.UrandomReader()
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig = tls.Config{
+			Rand: urand,
+		}
+ 	}
+
+ 	transport := http.Transport{
+ 		ResponseHeaderTimeout: time.Duration(defaultHttpResponseHeaderTimeout) * time.Second,
+ 		Dial: (&net.Dialer{
+-- 
+2.50.1 (Apple Git-155)
+
--- a/SPECS/ignition.spec
+++ b/SPECS/ignition.spec
@ -13,7 +13,7 @@
 # https://github.com/coreos/ignition
 %global goipath         github.com/coreos/ignition
 %global gomodulesmode   GO111MODULE=on
-Version:                2.22.0
+Version:                2.23.0

 %gometa

@ -31,6 +31,10 @@ URL:            %{gourl}
 Source0:        %{gosource}
 Source1:        https://github.com/fedora-iot/ignition-edge/archive/%{ignedgecommit}/ignition-edge-%{ignedgeshortcommit}.tar.gz

+# Fix invalid random source in FIPS 140-only mode in FIPS mode
+# ([#2159](https://github.com/coreos/ignition/pull/2159))
+Patch1:      0001-OCPBUGS-65684-Fix-invalid-random-source-in-FIPS-140.patch
+
 BuildRequires: libblkid-devel
 BuildRequires: systemd-rpm-macros

@ -284,7 +288,7 @@ LDFLAGS+=' -compressdwarf=false '
 export GOFLAGS="-mod=vendor"

 echo "Building ignition..."
-%gobuild -o ./ignition internal/main.go
+GOEXPERIMENT=strictfipsruntime %gobuild -o ./ignition internal/main.go

 echo "Building ignition-validate..."
 %gobuild -o ./ignition-validate validate/main.go
@ -294,17 +298,17 @@ echo "Building ignition-validate..."

 %if 0%{?fedora}
 echo "Building statically-linked Linux ignition-validate..."
-CGO_ENABLED=0 GOARCH=arm64 GOOS=linux %gocrossbuild -o ./ignition-validate-aarch64-unknown-linux-gnu-static validate/main.go
-CGO_ENABLED=0 GOARCH=ppc64le GOOS=linux %gocrossbuild -o ./ignition-validate-ppc64le-unknown-linux-gnu-static validate/main.go
-CGO_ENABLED=0 GOARCH=s390x GOOS=linux %gocrossbuild -o ./ignition-validate-s390x-unknown-linux-gnu-static validate/main.go
-CGO_ENABLED=0 GOARCH=amd64 GOOS=linux %gocrossbuild -o ./ignition-validate-x86_64-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=arm64 GOOS=linux %gocrossbuild -o ./ignition-validate-aarch64-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=ppc64le GOOS=linux %gocrossbuild -o ./ignition-validate-ppc64le-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=s390x GOOS=linux %gocrossbuild -o ./ignition-validate-s390x-unknown-linux-gnu-static validate/main.go
+GOEXPERIMENT= CGO_ENABLED=0 GOARCH=amd64 GOOS=linux %gocrossbuild -o ./ignition-validate-x86_64-unknown-linux-gnu-static validate/main.go

 echo "Building macOS ignition-validate..."
-GOARCH=amd64 GOOS=darwin %gocrossbuild -o ./ignition-validate-x86_64-apple-darwin validate/main.go
-GOARCH=arm64 GOOS=darwin %gocrossbuild -o ./ignition-validate-aarch64-apple-darwin validate/main.go
+GOEXPERIMENT= GOARCH=amd64 GOOS=darwin %gocrossbuild -o ./ignition-validate-x86_64-apple-darwin validate/main.go
+GOEXPERIMENT= GOARCH=arm64 GOOS=darwin %gocrossbuild -o ./ignition-validate-aarch64-apple-darwin validate/main.go

 echo "Building Windows ignition-validate..."
-GOARCH=amd64 GOOS=windows %gocrossbuild -o ./ignition-validate-x86_64-pc-windows-gnu.exe validate/main.go
+GOEXPERIMENT= GOARCH=amd64 GOOS=windows %gocrossbuild -o ./ignition-validate-x86_64-pc-windows-gnu.exe validate/main.go
 %endif

 %install
@ -397,6 +401,14 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition
 %endif

 %changelog
+* Tue Nov 18 2025 Steven Presti <spresti@redhat.com> - 2.23.0-2
+- Build Ignition with GOEXPERIMENT=strictfipsruntime
+  Ignition-validate non-FIPS
+- Backport https://github.com/coreos/ignition/pull/2159
+
+* Wed Sep 17 2025 Yasmin Valim <ydesouza@redhat.com> - 2.23.0-1
+- New release
+
 * Wed Jul 16 2025 Tiago Bueno <tbueno@redhat.com> - 2.22.0-1
 - New release