Closed bryanh1969 closed 7 months ago
Are you able to determine which algorithms the STIGs will accept? It looks like the STIGs won’t take whatever libgcrypt is offering so step one is figuring out what it will accept
Dell Technologies | US Federal
From: bryanh1969 @.> Sent: Wednesday, October 18, 2023 2:11:16 PM To: dell/patches @.> Cc: Subscribed @.***> Subject: [dell/patches] patches build fails on STIG build. (Issue #25)
Patches build is now failing on a STIG build. At first I thought it was an import-repository problem but I built a new VM and had it build its own repo and am still getting the same fail.
```
023-10-18 14:07:15 - Removing any old containers...
################################################################################
[1/2] STEP 1/7: FROM python:3.12.0b4-slim-bookworm AS builder
Resolved "python" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull docker.io/library/python:3.12.0b4-slim-bookworm...
Getting image source signatures
Copying blob ff2d16ae376f done
Copying blob 81f178b24f84 done
Copying blob f27b3611278c done
Copying blob 648e0aadf75a done
Copying blob 25f2a8f8ee8d done
Copying config 0e1506284f done
Writing manifest to image destination
Storing signatures
[1/2] STEP 2/7: ARG PYTHON_CONTAINER_DIR
[1/2] STEP 3/7: WORKDIR /app
[1/2] STEP 4/7: RUN apt-get update && apt-get install -y build-essential libffi-dev
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8780 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [6408 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [86.2 kB]
Fetched 9124 kB in 2s (4955 kB/s)
Reading package lists...fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
Aborted (core dumped)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 134
```
Disabled FIPS and got past that. YAY.
Now it is failing a little further and it's sorta obvious...but I am gonna need a code update to fix it. I included a bunch of the rest of it for context. But the last line is the failure.
```
2023-11-01 06:56:13 - Running patches-frontend
################################################################################
4f2620a85e4734f9adec2f51f141c609ff311746df3f4129dffe6d745562bfcf
################################################################################
In order to run Patches on ports 80 (redirects to 443) and 443 you will need to change the unprivileged ports on your host to start at port 80. This allows non-root users to bind to any port 80 and higher. You can continue without sudo privileges in which case nginx will run on a high port of your choosing. Users will have to explicitly add the port to all URLs when doing this. Do you want to run as sudo? (yes/no):
################################################################################
yes
################################################################################
2023-11-01 06:56:18 - Enter your password NOTE: on STIGed servers you will have to do enter the password multiple times:
################################################################################
[sudo] password for user:
################################################################################
2023-11-01 06:56:25 - Current user is a sudo user
################################################################################
################################################################################
2023-11-01 06:56:25 - Setting unprivileged ports to start at port 80...
################################################################################
[sudo] password for user:
net.ipv4.ip_unprivileged_port_start = 80
[sudo] password for user:
[sudo] password for user:
net.ipv4.ip_unprivileged_port_start=80
################################################################################
2023-11-01 06:56:43 - Starting nginx. nginx will listen on ports 80 and
```
The interesting part is it's up and running...I just don't know what else didn't run.
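A triage check for the libgcrypt abort in the first build log and the FIPS setting reported above, as an added example that is not part of the thread or of the dell/patches code. The function names are hypothetical and the sample log is constructed from the failure lines quoted in this issue; the only system path used is the kernel's `/proc/sys/crypto/fips_enabled` flag.

```shell
#!/bin/sh
# Added example (not from the dell/patches repo): triage a container build log
# for the libgcrypt abort and report the kernel FIPS flag alongside it.

# fips_state [FILE]: prints enabled, disabled or unknown. FILE defaults to the
# kernel flag, which a container sees from the host's kernel.
fips_state() {
    flag_file="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag_file" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$flag_file")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# failing_step LOG: prints the build step named in the builder's error line.
failing_step() {
    sed -n 's/.*Error: building at STEP "\([^"]*\)".*/\1/p' "$1"
}

# diagnose_build_log LOG [FIPS_FILE]: prints one keyword for the triage result.
diagnose_build_log() {
    if grep -q 'fatal error in libgcrypt' "$1" &&
       grep -q 'requested algo not in md context' "$1"; then
        echo "libgcrypt-abort:fips-$(fips_state "${2:-}")"
    else
        echo "no-libgcrypt-abort"
    fi
}

# Constructed sample: the failure lines from the log above, one per line.
sample_log="$(mktemp)"
cat > "$sample_log" <<'EOF'
Reading package lists...fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
Aborted (core dumped)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 134
EOF

echo "result: $(diagnose_build_log "$sample_log")"
echo "step:   $(failing_step "$sample_log")"
rm -f "$sample_log"
```

Exit status 134 is 128 + 6, meaning the process was killed by SIGABRT, which matches the "Aborted (core dumped)" line.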
Something is wrong with a bash variable at that step. The path has a double // and that’s what is causing the problem.
My guess is either a variable didn’t populate or something is appending an extra / that shouldn’t be there
From: bryanh1969 @.> Sent: Wednesday, November 1, 2023 7:26:11 AM To: dell/patches @.> Cc: Curell, Grant @.>; Comment @.> Subject: Re: [dell/patches] patches build fails on STIG build. (Issue #25)
The interesting part is it's up and running...I just don't know what else didn't run.
Navigated to opt/patches/podman-build and ran the setup from there so it didn't have to worry about the variable screwing up. It completed.
Hopefully we can add a repo in a month.
Change line 864 to `chmod +x "${SCRIPT_DIR}/$(basename "$0")"` and try it as you originally did.
Re-installed with change and seems to have worked. Now to see if I can add a second repo.
If you get the chance can you PR that into the code base?
From: bryanh1969 @.> Sent: Thursday, November 2, 2023 11:24:23 AM To: dell/patches @.> Cc: Curell, Grant @.>; State change @.> Subject: Re: [dell/patches] patches build fails on STIG build. (Issue #25)
Re-installed with change and seems to have worked. Now to see if I can add a second repo.
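The double-slash path and the `basename` fix discussed above, as an added example that is not the project's code. The original line 864 is not shown in this thread, so `fragile_self_path` is only an assumed shape of a failing join; the function names and the script name `setup.sh` are hypothetical, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not the project's code): build the script's own path for the
# chmod step so it survives an absolute $0, a trailing slash or an empty variable.

# fragile_self_path DIR ARG0: naive join, shown for comparison only (assumed shape).
fragile_self_path() {
    printf '%s/%s\n' "$1" "$2"
}

# self_path DIR ARG0: mirrors "${SCRIPT_DIR}/$(basename "$0")" with two guards.
self_path() {
    dir="$1"
    # Guard 1: refuse an empty directory instead of silently producing "/name".
    [ -n "$dir" ] || { echo "self_path: script directory is empty" >&2; return 1; }
    # Guard 2: drop trailing slashes so the join never yields "//".
    while [ "$dir" != "/" ] && [ "${dir%/}" != "$dir" ]; do dir="${dir%/}"; done
    # basename discards any directory part carried in ARG0 (e.g. an absolute $0).
    printf '%s/%s\n' "${dir%/}" "$(basename -- "$2")"
}

# mark_executable DIR ARG0: the chmod step, applied only to a path that exists.
mark_executable() {
    target="$(self_path "$1" "$2")" || return 1
    [ -f "$target" ] || { echo "mark_executable: $target not found" >&2; return 1; }
    chmod +x "$target"
}

# Constructed demo: a throwaway directory standing in for the install directory.
demo_dir="$(mktemp -d)"
: > "$demo_dir/setup.sh"    # hypothetical script name
echo "fragile: $(fragile_self_path "$demo_dir/" "$demo_dir/setup.sh")"
echo "guarded: $(self_path "$demo_dir/" "$demo_dir/setup.sh")"
mark_executable "$demo_dir/" "$demo_dir/setup.sh" && echo "chmod ok"
rm -rf "$demo_dir"
```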
How do I merge the code change in here?