Go 1.21 / FIPS

Damien A

11:45 AM (10 hours ago)
to golang-nuts

I have been building Grafana packages previously using Go 1.20.5 on Oracle Enterprise Linux 9 with the following settings:

export IMPORTPATH=%{_builddir}/grafana-%{version}
export BUILDFLAGS="-v -p 4 -x -buildmode=pie -mod=vendor"
export GOPATH=%{_builddir}/go:%{_builddir}/contrib
export GOBIN=/usr/local/go/bin
export GOEXPERIMENT=opensslcrypto
export GOFIPS=1
wire gen -tags 'oss' ./pkg/server ./pkg/cmd/grafana-cli/runner

# see grafana-X.Y.Z/pkg/build/cmd.go
export LDFLAGS="-X main.version=%{version} -X main.buildstamp=${SOURCE_DATE_EPOCH}"
for cmd in grafana grafana-cli grafana-server; do
    %gobuild -o %{_builddir}/bin/${cmd} ./pkg/cmd/${cmd}
done

However, we are now needing to upgrade to Grafana 10.4, which uses the newer Go version 1.21.10, and it appears the instructions around FIPS have changed a bit.


From what I gather, I should use
GOEXPERIMENT=systemcrypto

and it seems that I shouldn't need to use GOFIPS=1; however, if I leave that flag enabled, the compilation fails with:

+ cd /root/rpmbuild/BUILD/grafana-10.2.3
+ export IMPORTPATH=/root/rpmbuild/BUILD/grafana-10.2.3
+ IMPORTPATH=/root/rpmbuild/BUILD/grafana-10.2.3
+ export 'BUILDFLAGS=-v -p 4 -x -buildmode=pie -mod=vendor'
+ BUILDFLAGS='-v -p 4 -x -buildmode=pie -mod=vendor'
+ export GOPATH=/root/rpmbuild/BUILD/go:/root/rpmbuild/BUILD/contrib
+ GOPATH=/root/rpmbuild/BUILD/go:/root/rpmbuild/BUILD/contrib
+ export GOBIN=/usr/local/go/bin
+ GOBIN=/usr/local/go/bin
+ export GOEXPERIMENT=systemcrypto
+ GOEXPERIMENT=systemcrypto
+ export GOOS=linux
+ GOOS=linux
+ export GOFIPS=1
+ GOFIPS=1
+ wire gen -tags oss ./pkg/server ./pkg/cmd/grafana-cli/runner
wire: err: exit status 2: stderr: panic: FIPS mode requested (environment variable GOFIPS=1) but no supported crypto backend is enabled

        goroutine 1 [running]:
        crypto/internal/backend.init.0()
                crypto/internal/backend/common.go:21 +0x65

wire: generate failed
error: Bad exit status from /var/tmp/rpm-tmp.eIFDsO (%build)


RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.eIFDsO (%build)


Just curious if anyone can assist me here. Using GOFIPS=1 worked just fine on Go 1.20.5; however, that appears not to be the case anymore.

Devin

Michael Oguidan

1:42 PM (8 hours ago)
to golang-nuts
Hi,
Please, can we dig into the "crypto backend" first to see?

Damien A

7:06 PM (2 hours ago)
to golang-nuts
Michael,

I am not fully sure what you mean. Can you elaborate on what you are asking me? I am not really a Go developer, just a Linux admin who often gets tasked with trying to build packages.
