Not able to build FIPS compliant envoy proxy. #36081
Comments
Another concern I have is with the documentation provided here.
The llvm used by our CI when building/testing this is currently 14.0.0 (same in 1.28). Did you try using the Envoy build container? I.e., it's not immediately obvious from the posted logs/error what the issue is. Re ARM support, I believe this should be doable, although it may require some ARM-specific setup for building the BoringSSL module. There is a ticket here related to ARM/FIPS support: #27620. cc @ggreenway
For reference, these are the flags that we currently test the FIPS build with: Lines 352 to 370 in ce53be3
run_envoy_docker.sh requires docker support on the VM. We do not have access to docker on ol8.
ol8? You most likely can use the Envoy build container with podman, without using the script.
Sorry for the confusion, let me give some more details.
Are you referring to Red Hat or some such? Pretty sure Linux 7 doesn't exist. We provide a build container both to allow building in a variety of environments and as a canonical source of build requirements.
IIUC this will not build a FIPS-compliant binary.
The flags posted above are what we test with. Unfortunately more than just the FIPS build is being tested there, so most may not be necessary.
Yes, it's a RHEL-based Linux distribution.
Can we customize run_envoy_docker to pick which base Linux image to pull and run the build on?
You can. ATM it's not ideally set up for this, but the build image is set by this line: Line 91 in 89f0328
Not sure how that helps though; the official build image guarantees tested host versions, and that script requires docker rather than podman.
The FIPS build is always a bit fragile because the FIPS components require a specific compiler and toolchain, which is different from what the rest of Envoy is compiled with. One thing that may help is trying to compile Envoy with the FIPS-required compiler (https://github.com/envoyproxy/envoy/blob/release/v1.28/bazel/external/boringssl_fips.genrule_cmd#L35).
But the documentation says to use clang version 14+?
FIPS determines that the crypto lib must be built with clang 14.0.0 (AFAIAA). Envoy currently uses clang 14.0.0 for the rest of the build. In my testing of trying to update clang elsewhere it has failed, IIRC when it tries to link the built crypto libs. So, for the avoidance of issues, the best thing is to make sure you are building with clang 14.0.0 everywhere.
It seems to have passed the stage where it used to fail after changing the value to 12.0.0. Let's see if envoy-static gets generated and what the version is.
It failed with the same error. It is still showing the version of clang used as 15.
I believe this would make the binary non-FIPS compliant. I think you need to leave the genrule_cmd alone and just make sure you have llvm 14 installed on your host/build system. This is the known good setup; if you still have problems with this, at least we can compare to the known working baseline.
Can you please suggest what I can do to fix my build? I want to pick up patches applied in 1.20.x, because of which I had picked Envoy 1.28.5.
I had tried to use ci/run_envoy_docker.sh and ran into multiple issues while trying to change the base container image. |
The point about using the container is specifically not to use your own container image; it's to start with an environment that is tested and known to work. I'm struggling to understand why you would want to do that.
In production we are using only RHEL-based Oracle Linux containers.
But you don't need to build with that, certainly at least while testing your build setup.
I had executed again with --sandbox_debug. How do we configure the correct BoringSSL version/path?
If you don't follow the steps I suggested, I'm not sure I can help.
How do we leave out the genrule_cmd? I had tried with llvm 14 as well. I can revert back to 14.
Start with what works: use the build container, don't change any versions and use ~the same flags as tested in our CI. Once you have a working build, you can start to change things.
Re genrule_cmd: that is what ~guarantees the FIPS compliance. Unless you really know what you are doing, you should not change anything there.
Stated even more directly: if you change anything in the FIPS genrule, it is unlikely you'll get a FIPS-compliant build. |
I have 2 questions here.
2024-10-01T12:46:48.506236Z critical envoy assert source/common/version/version.cc:45 assert failure: FIPS_mode() == 1. Details: FIPS mode must be enabled in Envoy FIPS configuration. thread=43
If this flag doesn't generate a FIPS-compliant image, then why does version.cc expect it to be a FIPS-compliant image?
That's not how you make a FIPS build, and that's not a flag you should ever specify manually. Build with
I have a question here (probably naive as I haven't read a lot of documentation): why doesn't envoyproxy support the metadata_exchange filter?
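The thread above makes three checkable points: the FIPS BoringSSL is pinned to clang 14.0.0 and the rest of the build should use the same compiler; `-DENVOY_SSL_FIPS` must never be set by hand, because it only switches on the `FIPS_mode() == 1` assertion in version.cc while `--define boringssl=fips` is what actually selects the FIPS crypto; and a finished binary reports its crypto library at the end of `envoy --version` (the trailing tag is `BoringSSL-FIPS` for a FIPS build, `BoringSSL` otherwise). The script below is an added example, not Envoy project code and not posted by anyone in this thread. It assumes `clang` on PATH is the compiler bazel will use, that the output binary sits at `bazel-bin/envoy` (a hypothetical path; adjust to your workspace), and the version-string tag described above. The sample strings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not Envoy project code): preflight and post-build checks for an
# Envoy FIPS build. Assumptions: `clang` on PATH is the compiler bazel uses,
# the binary is at bazel-bin/envoy (hypothetical path), and `envoy --version`
# ends in "BoringSSL-FIPS" for a FIPS build and "BoringSSL" otherwise.
set -eu

# Clang version the FIPS genrule is pinned to, as stated in this thread.
REQUIRED_CLANG="14.0.0"

# Constructed sample inputs (not real captures); the revision hash is made up.
SAMPLE_CLANG_OK="clang version 14.0.0-1ubuntu1"
SAMPLE_CLANG_BAD="Ubuntu clang version 15.0.7"
SAMPLE_VERSION_FIPS="envoy  version: 0123456789abcdef0123456789abcdef01234567/1.28.5/Clean/RELEASE/BoringSSL-FIPS"
SAMPLE_VERSION_NONFIPS="envoy  version: 0123456789abcdef0123456789abcdef01234567/1.28.5/Clean/RELEASE/BoringSSL"

# Extract "X.Y.Z" from `clang --version` output. Works for "clang version 14.0.0",
# "Ubuntu clang version 15.0.7" and "Apple clang version 15.0.0 (...)"; prints
# nothing when the text is not clang output (e.g. gcc).
clang_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/.*clang version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed only when `clang --version` output reports exactly REQUIRED_CLANG.
clang_matches_required() {
  [ "$(clang_version_from_output "$1")" = "$REQUIRED_CLANG" ]
}

# Succeed only when an `envoy --version` line carries the FIPS BoringSSL tag.
envoy_version_is_fips() {
  case "$1" in
    */BoringSSL-FIPS*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed only when a bazel command line selects FIPS via --define boringssl=fips
# and does not hand-set -DENVOY_SSL_FIPS. Per the maintainers' reply above, the
# macro is never to be passed manually: it enables the FIPS_mode() == 1 check in
# version.cc, but it is the define that makes bazel build and link the FIPS
# BoringSSL which satisfies that check.
bazel_flags_sane() {
  case "$1" in
    *-DENVOY_SSL_FIPS*) return 1 ;;
  esac
  case "$1" in
    *"--define boringssl=fips"*|*"--define=boringssl=fips"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live checks against this host and workspace; run as `sh fips_check.sh live`.
live_checks() {
  cv="$(clang --version 2>/dev/null || true)"
  if clang_matches_required "$cv"; then
    echo "clang OK: $(clang_version_from_output "$cv")"
  else
    echo "clang mismatch: found '$(clang_version_from_output "$cv")', want $REQUIRED_CLANG" >&2
    echo "build inside the Envoy build container, or install llvm $REQUIRED_CLANG, first" >&2
    return 1
  fi
  if [ -x bazel-bin/envoy ]; then
    ev="$(bazel-bin/envoy --version)"
    if envoy_version_is_fips "$ev"; then
      echo "FIPS build: $ev"
    else
      echo "NOT a FIPS build: $ev" >&2
      return 1
    fi
  else
    echo "bazel-bin/envoy not found; skipping binary check"
  fi
}

# Only touch the host when asked, so the functions can be sourced and reused.
if [ "${1:-}" = "live" ]; then
  live_checks
fi
```

Run `sh fips_check.sh live` inside the build container before invoking bazel to confirm the compiler matches the genrule's pin, and again after the build to confirm the binary is the FIPS variant; pass your intended bazel command line to `bazel_flags_sane` first if you are unsure whether it still carries a hand-set `-DENVOY_SSL_FIPS`.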
That's way off-topic for this issue. Please find a better place to ask. |
Issue #29681 tracks upstreaming of Istio Proxy back to Envoy. The reason is Istio invented new protocols that do not work with anything besides Istio. |
I am trying to build Envoy proxy from release v1.28.5.
I am running into issues when working with the following flags.
If I pass the flag -DENVOY_SSL_FIPS, the build completes but it does not generate a FIPS-compliant image.
bazel build -c opt envoy --define boringssl=fips --define tcmalloc=gperftools --config=clang --copt=-DENVOY_SSL_FIPS
If I use this flag, --define boringssl=fips, I get the below error.
I have tried to use clang 14+ and 15+.
Linux ninja version is 1.12.1.