
Comments (9)

frenzymadness avatar frenzymadness commented on July 3, 2024

Could you please share more details? Which package that it needs causes this? Or is this because we use some disabled hash function?

from django-ex.

frenzymadness avatar frenzymadness commented on July 3, 2024

Before I start with an investigation, could you please tell me where the problem you see lies? Is the Django example source code not compatible with FIPS, or is the problem in the S2I Python container or in its OpenShift configuration?


mbach04 avatar mbach04 commented on July 3, 2024

As soon as I can get another FIPS enabled cluster up I'll dig in deeper. I suspect it's not just the Django code, bc I saw this with other examples as well later on. If you have the time, prompting RHPDS to host FIPS enabled clusters as an option would help. I've requested this one line variable change, but have yet to see any traction.


frenzymadness avatar frenzymadness commented on July 3, 2024

I'm able to reproduce the problem, hopefully. When I start an RHEL 8 machine in FIPS mode, generate a Dockerfile by s2i build --as-dockerfile for django-ex and ubi8/python-36, and then try to build it, it fails with:

# podman build -t django .
STEP 1: FROM ubi8/python-36
STEP 2: LABEL "io.openshift.s2i.build.image"="ubi8/python-36"       "io.openshift.s2i.build.commit.author"="Lumír 'Frenzy' Balhar <[email protected]>"       "io.openshift.s2i.build.commit.date"="Mon Apr 19 08:01:14 2021 +0200"       "io.openshift.s2i.build.commit.id"="7cbc59619cb3ad23d32a06a398592da3eb34388c"       "io.openshift.s2i.build.commit.ref"="master"       "io.openshift.s2i.build.commit.message"="Merge pull request #181 from sclorg/dependabot/pip/django-debug-toolbar-1.11.1"       "io.openshift.s2i.build.source-location"="https://github.com/sclorg/django-ex"
c992fe3f88d8de5eae045c4ec25ef1fb08fd53e039a2d71bccb1a62eeec5daea
STEP 3: USER root
9323a30d0ce52e1458bea92a08c080c34aadff447a6724415016c7ed65e08cdd
STEP 4: COPY upload/src /tmp/src
d676f40c7eac0963ad42f7b0ff8e34caae7e5fb135c2e9081b18f4512b9169bb
STEP 5: RUN chown -R 1001:0 /tmp/src
1d093a35238d8fb677c2ca151fe7868e8423451df8b0d20f4d292b45485f9761
STEP 6: USER 1001
b9b7384faeff29c57578c3abac6a9c32321793d9237e2621f1a60c3b783d1df5
STEP 7: RUN /usr/libexec/s2i/assemble
---> Installing application source ...
---> Upgrading pip to version 19.3.1 ...
Collecting pip==19.3.1
  Downloading https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl (1.4MB)
    100% |████████████████████████████████| 1.4MB 94.4MB/s 
Installing collected packages: pip
  Found existing installation: pip 9.0.3
    Uninstalling pip-9.0.3:
      Successfully uninstalled pip-9.0.3
Successfully installed pip-19.3.1
You are using pip version 19.3.1, however version 21.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
---> Installing dependencies ...
Collecting django<1.12,>=1.11
  Downloading https://files.pythonhosted.org/packages/49/49/178daa8725d29c475216259eb19e90b2aa0b8c0431af8c7e9b490ae6481d/Django-1.11.29-py2.py3-none-any.whl (6.9MB)
     |████████████████████████████████| 7.0MB 5.1MB/s 
Collecting django-debug-toolbar==1.11.1
  Downloading https://files.pythonhosted.org/packages/6f/66/21218e91f67d1e005388b1c87ae3283cd7b7835145c72f5efe721b51c628/django_debug_toolbar-1.11.1-py2.py3-none-any.whl (203kB)
     |████████████████████████████████| 204kB 71.3MB/s 
Collecting gunicorn==19.5.0
  Downloading https://files.pythonhosted.org/packages/f9/4e/f4076a1a57fc1e75edc0828db365cfa9005f9f6b4a51b489ae39a91eb4be/gunicorn-19.5.0-py2.py3-none-any.whl (113kB)
     |████████████████████████████████| 122kB 75.7MB/s 
Collecting psycopg2-binary==2.8.5
  Downloading https://files.pythonhosted.org/packages/d3/8a/a7ed55c2c55bd4f5844d72734fedc0cef8a74518a0a19105a21c15628f1e/psycopg2_binary-2.8.5-cp36-cp36m-manylinux1_x86_64.whl (2.9MB)
     |████████████████████████████████| 2.9MB 69.7MB/s 
Collecting whitenoise==3.3.1
  Downloading https://files.pythonhosted.org/packages/0c/58/0f309a821b9161d0e3a73336a187d1541c2127aff7fdf3bf7293f9979d1d/whitenoise-3.3.1-py2.py3-none-any.whl
Collecting pytz
  Downloading https://files.pythonhosted.org/packages/70/94/784178ca5dd892a98f113cdd923372024dc04b8d40abe77ca76b5fb90ca6/pytz-2021.1-py2.py3-none-any.whl (510kB)
     |████████████████████████████████| 512kB 74.3MB/s 
Collecting sqlparse>=0.2.0
  Downloading https://files.pythonhosted.org/packages/14/05/6e8eb62ca685b10e34051a80d7ea94b7137369d8c0be5c3b9d9b6e3f5dae/sqlparse-0.4.1-py3-none-any.whl (42kB)
     |████████████████████████████████| 51kB 63.5MB/s 
Installing collected packages: pytz, django, sqlparse, django-debug-toolbar, gunicorn, psycopg2-binary, whitenoise
Successfully installed django-1.11.29 django-debug-toolbar-1.11.1 gunicorn-19.5.0 psycopg2-binary-2.8.5 pytz-2021.1 sqlparse-0.4.1 whitenoise-3.3.1
WARNING: You are using pip version 19.3.1; however, version 21.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
---> Collecting Django static files ...
Traceback (most recent call last):
  File "./manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/opt/app-root/lib/python3.6/site-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
    utility.execute()
  File "/opt/app-root/lib/python3.6/site-packages/django/core/management/__init__.py", line 356, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/opt/app-root/lib/python3.6/site-packages/django/core/management/base.py", line 283, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/opt/app-root/lib/python3.6/site-packages/django/core/management/base.py", line 330, in execute
    output = self.handle(*args, **options)
  File "/opt/app-root/lib/python3.6/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 199, in handle
    collected = self.collect()
  File "/opt/app-root/lib/python3.6/site-packages/django/contrib/staticfiles/management/commands/collectstatic.py", line 139, in collect
    for original_path, processed_path, processed in processor:
  File "/opt/app-root/lib/python3.6/site-packages/whitenoise/storage.py", line 67, in post_process
    for name, hashed_name, processed in files:
  File "/opt/app-root/lib/python3.6/site-packages/whitenoise/storage.py", line 29, in post_process_with_compression
    for name, hashed_name, processed in files:
  File "/opt/app-root/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 414, in post_process
    for post_processed in all_post_processed:
  File "/opt/app-root/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 246, in post_process
    for name, hashed_name, processed, _ in self._post_process(paths, adjustable_paths, hashed_files):
  File "/opt/app-root/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 283, in _post_process
    hashed_name = self.hashed_name(name, original_file)
  File "/opt/app-root/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 109, in hashed_name
    file_hash = self.file_hash(clean_name, content)
  File "/opt/app-root/lib/python3.6/site-packages/django/contrib/staticfiles/storage.py", line 85, in file_hash
    md5 = hashlib.md5()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
Error: error building at STEP "RUN /usr/libexec/s2i/assemble": error while running runtime: exit status 1

It seems that md5 is used for hashing files also in the newest Django: https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/contrib/staticfiles/storage.py#L77

I have to discuss with my colleagues what the proper way is to make an upstream application compatible with FIPS.


frenzymadness avatar frenzymadness commented on July 3, 2024

It seems to me that there are only two possible ways to fix this problem: we can either fix Django upstream to be FIPS-compatible or use something else as an example project.

Fixing Django upstream might be possible thanks to the new usedforsecurity keyword argument for constructors in hashlib, but it's available only in Python 3.9+ and it's hard to predict whether Django developers would be interested in such a change.

Using some other project might need a lot of work and time. We already have some of them in the s2i Python container and some others available as standalone projects on GitHub like https://github.com/renefs/flask-ex.

The point is that we check FIPS-compatibility on RPM level so everything provided as RPM in the images should be compatible. I don't think we have the resources to also make upstream projects FIPS-compatible.

Is this a big issue for you?

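To make the failure in the traceback above and the usedforsecurity option concrete, here is an added example (not code from django-ex or Django) that fingerprints static-file content the way Django's storage does, but tolerates a FIPS-enabled OpenSSL. The function names, HASH_LENGTH and the sample CSS bytes are assumptions made for this example.

```python
"""FIPS-tolerant static-file fingerprinting (added example, not project code).

Mirrors the shape of Django's ManifestStaticFilesStorage: MD5 of the file
content truncated to 12 hex chars, inserted before the extension
("base.css" -> "base.<hash>.css").  Unlike plain hashlib.md5(), it does not
crash when OpenSSL runs in FIPS mode: on Python 3.9+ it requests MD5 with
usedforsecurity=False (the option discussed in the thread), and if the
interpreter still refuses MD5 it falls back to SHA-256.  A cache-busting
fingerprint is not a security control, so either digest is acceptable.
"""
import hashlib
import posixpath
import sys
from typing import Tuple

HASH_LENGTH = 12  # assumption: same truncation length Django uses


def fips_blocks_md5() -> bool:
    """True if this interpreter raises the 'disabled for FIPS' ValueError for MD5."""
    try:
        hashlib.md5(b"")
    except ValueError:
        return True
    return False


def _new_digest():
    """Return (algorithm name, digest object): MD5 where permitted, else SHA-256."""
    try:
        if sys.version_info >= (3, 9):
            # Tells OpenSSL this is not a security use; FIPS builds accept it.
            return "md5", hashlib.md5(usedforsecurity=False)
        return "md5", hashlib.md5()
    except ValueError:
        # Same error as "EVP_DigestInit_ex disabled for FIPS" in the build log:
        # switch to an approved algorithm instead of failing collectstatic.
        return "sha256", hashlib.sha256()


def file_fingerprint(content: bytes, length: int = HASH_LENGTH) -> Tuple[str, str]:
    """Return (algorithm, truncated hex digest) for a static file's bytes."""
    algo, digest = _new_digest()
    digest.update(content)
    return algo, digest.hexdigest()[:length]


def hashed_name(name: str, content: bytes) -> str:
    """Insert the fingerprint before the extension, e.g. admin/css/base.css."""
    root, ext = posixpath.splitext(name)
    _, fingerprint = file_fingerprint(content)
    return "%s.%s%s" % (root, fingerprint, ext)


if __name__ == "__main__":
    # Constructed sample input standing in for a collected static file.
    sample_css = b"body { margin: 0; }\n"
    print("FIPS blocks MD5:", fips_blocks_md5())
    print(hashed_name("admin/css/base.css", sample_css))
```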

mbach04 avatar mbach04 commented on July 3, 2024

If it were merely a project sitting on Github serving as an application example, I would consider this trivial. But, the fact is, upstream or not, we reference this in every cluster as the "Easy Button" for users to get started with applications on OpenShift. Creating something that does not work with FIPS enabled on the cluster blocks a very significant number of users from using it. It turns their first "Easy button" experience with OpenShift into a point of frustration.


frenzymadness avatar frenzymadness commented on July 3, 2024

I completely understand. However, the example has been there for quite some time and nobody has complained since, which makes me think about the number of people using FIPS on OpenShift.

But yes, we have to find a solution. Fixing Django is not the way because we can do it only for Python 3.9+ and we also don't know whether they are interested in something like this. Another possibility is to come up with a different example.

All I can promise right now is that we will discuss it and I'll let you know. Cc @hhorak


pkubatrh avatar pkubatrh commented on July 3, 2024

Hi @mbach04, sorry for the wait, it took a while before we were able to discuss this issue inside our team.
The way we see things, this example application should be used as demo material, or an intro to how Python applications are used on OpenShift. A FIPS-enabled cluster, however, seems like something that would make more sense to use in production, rather than when just looking at how to set up your application in OpenShift using the "easy button".
As a result of this, we decided that it does not make much sense to spend time making this example application work on FIPS-enabled clusters and will be closing this issue.


mbach04 avatar mbach04 commented on July 3, 2024

All I would say is that if we support deploying the cluster with a feature turned on, we should support the things that run on top of it with said feature turned on. Usually security controls nerf functionality and there's nothing to be done. In this case, we're setting a standard of security and choosing when to meet it. The concept is shift security left, not kick it down the road.
