requirefips build tag enabled in non-FIPS Windows build of v0.90.1-sumo-0 #1387

Closed
eslavich opened this issue Dec 13, 2023 · 11 comments

@eslavich

When I install the collector from the following URL:

https://github.com/SumoLogic/sumologic-otel-collector/releases/download/v0.90.1-sumo-0/otelcol-sumo_0.90.1.0_en-US.x64.msi

the collector service fails to start with this output:

panic: cngcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/backend.init.0()
        crypto/internal/backend/cng_windows.go:34 +0x85

when I try again with GOFIPS=0, the output changes to this:

panic: the 'requirefips' build tag is enabled, but it conflicts with the detected env variable GOFIPS=0 which would disable FIPS mode

goroutine 1 [running]:
crypto/internal/backend.envGoFIPS()
        crypto/internal/backend/common.go:37 +0xf4
crypto/internal/backend.init.0()
        crypto/internal/backend/cng_windows.go:28 +0x17

does that mean the non-FIPS build was inadvertently compiled with requirefips enabled? Or am I doing something wrong?

@eslavich
Author

I confirmed that this issue is not present in v0.88.0-sumo-1.

@eslavich
Author

I'm not fluent in Makefile, but this line appears to be setting requirefips for all Windows builds:

https://github.com/SumoLogic/sumologic-otel-collector/blob/v0.90.1-sumo-0/otelcolbuilder/Makefile#L58

@sumo-drosiek
Contributor

> I'm not fluent in Makefile, but this line appears to be setting requirefips for all Windows builds:
>
> https://github.com/SumoLogic/sumologic-otel-collector/blob/v0.90.1-sumo-0/otelcolbuilder/Makefile#L58

It shouldn't, as this is a more readable version:

ifeq ($(FIPS_SUFFIX),"")
  GOEXPERIMENT=""
  LDFLAGS="-s -w"
  GOFIPS=1
# We want to use boringcrypto for fips setup
else
  ifeq ($(shell go env GOOS),windows)
    GOEXPERIMENT=systemcrypto
    GOTAGS := $(GOTAGS) requirefips
    LDFLAGS="-w"
  else
    GOEXPERIMENT=boringcrypto
    LDFLAGS="-w"
  endif
endif

> does that mean the non-FIPS build was inadvertently compiled with requirefips enabled? Or am I doing something wrong?

I figured out that we always set GOFIPS=1, which may be the reason.

As a quick solution I would recommend running with GOFIPS=0.
Long-term solution: #1388

@sumo-drosiek
Contributor

sumo-drosiek commented Dec 14, 2023

I tested both binaries (FIPS disabled on Windows) and they behave as expected:

C:\Users\Dominik\Downloads>"otelcol-sumo-0.90.1-sumo-0-windows_amd64.exe"
Failed to register k8sprocessor's views: otelsvc/k8s/pod_table_size: cannot register view "otelsvc/k8s/pod_table_size"; a different view with the same name is already registered
Error: at least one config flag must be provided
2023/12/14 09:00:57 collector server run finished with error: at least one config flag must be provided

C:\Users\Dominik\Downloads>"otelcol-sumo-0.90.1-sumo-0-fips-windows_amd64.exe"
Failed to register k8sprocessor's views: otelsvc/k8s/pod_table_size: cannot register view "otelsvc/k8s/pod_table_size"; a different view with the same name is already registered
panic: cngcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/backend.init.0()
        crypto/internal/backend/cng_windows.go:34 +0x85

And with FIPS enabled on Windows:

C:\Users\Dominik\Downloads>"otelcol-sumo-0.90.1-sumo-0-fips-windows_amd64.exe"
Failed to register k8sprocessor's views: otelsvc/k8s/pod_table_size: cannot register view "otelsvc/k8s/pod_table_size"; a different view with the same name is already registered
2023/12/14 09:05:46 Using BoringSSL and running in FIPS mode
Error: at least one config flag must be provided
2023/12/14 09:05:46 collector server run finished with error: at least one config flag must be provided

C:\Users\Dominik\Downloads>"otelcol-sumo-0.90.1-sumo-0-windows_amd64.exe"
Failed to register k8sprocessor's views: otelsvc/k8s/pod_table_size: cannot register view "otelsvc/k8s/pod_table_size"; a different view with the same name is already registered
Error: at least one config flag must be provided
2023/12/14 09:05:50 collector server run finished with error: at least one config flag must be provided

@eslavich
Author

Thanks @sumo-drosiek! This isn't urgent for me since v0.88 works fine.

@sumo-drosiek
Contributor

@eslavich Could you check the latest release please? I was unable to reproduce the issue locally. Binaries work as expected 😕

@eslavich
Author

I gave this a try today, unfortunately I get the same result with v0.90.1-sumo-1:

PS C:\> $env:GOFIPS = '1'
PS C:\> . "C:\Program Files\Sumo Logic\OpenTelemetry Collector\bin\otelcol-sumo.exe"  --config "C:\ja\sumo\config\sumologic.yaml" --config "glob:C:\ja\sumo\config\conf.d\*.yaml"
Failed to register k8sprocessor's views: otelsvc/k8s/pod_table_size: cannot register view "otelsvc/k8s/pod_table_size"; a different view with the same name is already registered
panic: cngcrypto: not in FIPS mode

goroutine 1 [running]:
crypto/internal/backend.init.0()
        crypto/internal/backend/cng_windows.go:34 +0x85
PS C:\> $env:GOFIPS = '0'
PS C:\> . "C:\Program Files\Sumo Logic\OpenTelemetry Collector\bin\otelcol-sumo.exe"  --config "C:\ja\sumo\config\sumologic.yaml" --config "glob:C:\ja\sumo\config\conf.d\*.yaml"
Failed to register k8sprocessor's views: otelsvc/k8s/pod_table_size: cannot register view "otelsvc/k8s/pod_table_size"; a different view with the same name is already registered
panic: the 'requirefips' build tag is enabled, but it conflicts with the detected env variable GOFIPS=0 which would disable FIPS mode

goroutine 1 [running]:
crypto/internal/backend.envGoFIPS()
        crypto/internal/backend/common.go:37 +0xf4
crypto/internal/backend.init.0()
        crypto/internal/backend/cng_windows.go:28 +0x17

@eslavich
Author

Not sure what's unusual about this VM, this is what winver displays:

[image: winver screenshot]

@ccressent
Contributor

Same issue on Windows Server 2022, running in EC2.

@ccressent
Contributor

@eslavich Have you installed with the MSI files? If so, try to use the EXE files. It looks like there is a packaging issue and the FIPS build makes it to both versions of the MSI instead of the 2 versions carrying 2 different executables.

This affects 0.90.1.0, 0.90.1.1 and 0.91.0.0.

@ccressent
Contributor

The packaging issue has been fixed in 0.91.0.1.
Closing.
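
A release check for the packaging mistake identified above (the FIPS executable shipped in both MSIs), as an added example that is not part of the thread or the project's own code. It reads the build info embedded in each executable and fails when the FIPS markers from the quoted Makefile (`requirefips`, `systemcrypto`, `boringcrypto`) do not match what the artifact is supposed to be. Assumptions: the build passes `GOTAGS` to `go build -tags`, the toolchain records `-tags` and `GOEXPERIMENT` in the build info, and standalone artifacts carry `-fips` in the file name as the executables in this thread do; `fipsMarkers` and `checkArtifact` are hypothetical names.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// fipsMarkers returns the FIPS indicators in one recorded build setting,
// using the values set by the Makefile quoted in this thread.
func fipsMarkers(key, value string) (found []string) {
	for _, v := range strings.FieldsFunc(value, func(r rune) bool { return r == ',' || r == ' ' }) {
		fips := key == "-tags" && v == "requirefips" ||
			key == "GOEXPERIMENT" && (v == "systemcrypto" || v == "boringcrypto")
		if fips {
			found = append(found, key+"="+v)
		}
	}
	return found
}

// checkArtifact fails when the markers disagree with what the artifact should be.
func checkArtifact(name string, wantFIPS bool, markers []string) error {
	if wantFIPS != (len(markers) > 0) {
		return fmt.Errorf("%s: want FIPS=%v, build info has markers %v", name, wantFIPS, markers)
	}
	return nil
}

func main() {
	for _, path := range os.Args[1:] {
		info, err := buildinfo.ReadFile(path)
		if err == nil {
			var markers []string
			for _, s := range info.Settings {
				markers = append(markers, fipsMarkers(s.Key, s.Value)...)
			}
			// Assumption: the expected flavour is encoded in the file name.
			want := strings.Contains(filepath.Base(path), "-fips")
			err = checkArtifact(path, want, markers)
		}
		if err != nil {
			fmt.Fprintln(os.Stderr, "FAIL:", err)
			os.Exit(1)
		}
		fmt.Println("ok:", path)
	}
}
```

An executable extracted from an MSI is named `otelcol-sumo.exe` in both flavours, so for MSI payloads the expected value has to come from the installer being checked rather than from the file name.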
