'cannot check or enable FIPS mode' on RHEL8

Has anyone seen this FIPS error when trying to run any snap command (e.g. snap help) on RHEL8, with SELinux and FIPS enabled? (“yum install snapd” installed version 2.65.1.)

“cannot check or enable FIPS mode: readlink /snap/snapd/current: no such file or directory”

Thanks for any ideas! - Rob

Thanks for reporting this. I’ll look into it. We only test on Ubuntu Pro with FIPS, as that’s available in the CI environment, but sadly we do not have access to a RHEL subscription, so it’s uncharted territory.

I rigged the code locally to skip some checks, but I’m unable to reproduce this. Can you run the following commands and collect the output?

SNAPD_DEBUG=1 snap help
stat /snap
ls /var/lib/snapd/snap/
cat /etc/os-release

Also, it would be very useful if you could install strace and run:

strace -vf -e readlinkat snap help

Thanks! Here’s the debug:

$ SNAPD_DEBUG=1 snap help
2024/10/03 09:19:37.949892 logger.go:99: DEBUG: re-exec not supported on distro "rhel" yet
2024/10/03 09:19:37.950149 logger.go:99: DEBUG: FIPS mode enabled system wide

$ stat /snap
File: /snap -> /var/lib/snapd/snap
Size: 19 Blocks: 0 IO Block: 4096 symbolic link
Device: fd00h/64768d Inode: 17231 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Context: unconfined_u:object_r:root_t:s0
Access: 2024-10-03 09:19:25.151261564 -0600
Modify: 2024-10-02 09:18:11.160305130 -0600
Change: 2024-10-02 09:18:11.160305130 -0600
Birth: 2024-10-02 09:18:11.160305130 -0600

$ ls /var/lib/snapd/snap/
snap

$ cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.10 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.10"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.10 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8::baseos"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_BUGZILLA_PRODUCT_VERSION=8.10
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.10"

$ sudo strace -vf -e readlinkat snap help
strace: Process 15903 attached
strace: Process 15904 attached
strace: Process 15905 attached
strace: Process 15906 attached
strace: Process 15907 attached
strace: Process 15908 attached
[pid 15902] --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=15902, si_uid=0} ---
[pid 15902] readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/snap", 128) = 13
[pid 15902] readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/snap", 128) = 13
[pid 15902] readlinkat(AT_FDCWD, "/snap/snapd/current", 0xc0000bae00, 128) = -1 ENOENT (No such file or directory)
cannot check or enable FIPS mode: readlink /snap/snapd/current: no such file or directory[pid 15908] +++ exited with 1 +++
[pid 15907] +++ exited with 1 +++
[pid 15906] +++ exited with 1 +++
[pid 15905] +++ exited with 1 +++
[pid 15904] +++ exited with 1 +++
[pid 15903] +++ exited with 1 +++
+++ exited with 1 +++

Thank you. The logs confirm my findings that this was fixed not long after 2.65.1 came out. We’re planning to release 2.66 this week/early next week, and so the fix will be included as I push out the package updates.

Great. I’ll wait for 2.66 and give it a try (and report back). Thank you!

Could you please give me a heads-up when 2.66 is released? I see a branch for it, but no release.

Should I expect it to automatically be pulled from the RHEL EPEL repo? Or is there an RPM file somewhere?

Thanks so much!

Unfortunately we have had some delay with the release. 2.66 and 2.66.1 have been tagged, but the tarballs haven’t been made available yet.