FIPS non compliance with hashing algorithm in 4.4.2 #902

Closed
DanWoodrichNOAA opened this issue Jan 21, 2025 · 8 comments
Labels: bug (Something isn't working), help wanted (Extra attention is needed), pre-built images (Related to pre-built images)

Comments


DanWoodrichNOAA commented Jan 21, 2025

Container image name

rocker/rstudio:4.4.2

Container image digest

rocker/rstudio@sha256:050e232046d8a8681d84444498a48afadfa7900fa783be5ec3ed9f4eb9f3ceb0

What operating system are you seeing the problem on?

Linux

System information

Docker version 27.5.0, build a187fa5
kernel: linux-image-gcp-fips 5.4.0.1141.83

rocker/rstudio:4.4.2

Bug description

RStudio/rocker 4.2.2 will error during run of the prebuilt image with the following error:

2025-01-18T23:02:27.936799Z [rserver] ERROR system error 74 (Bad message) [description: error:12800067:DSO support routines::could not load the shared library]; OCCURRED AT rstudio::core::Error rstudio::core::system::crypto::rsaInit() src/cpp/core/system/Crypto.cpp:471; LOGGED FROM: int main(int, char* const*) src/cpp/server/ServerMain.cpp:987

Testing:

  1. Only present on 4.4.2; previously built images run without issue.
  2. Tested with multiple kernels and isolated the issue to the FIPS kernel.

Impact:

  • Unsure if it is a widespread issue across FIPS hardened systems, or relevant only to GCP implementation
  • My organization has hardening requirements including FIPS, and the rocker image has been a valuable resource to deliver the RStudio experience to scientific users. It is possible many projects across the US government could be adversely impacted.

Thanks,
Dan

How to reproduce this bug?

  1. Start with Ubuntu instance (tested on linux-image-gcp-fips)
  2. Install docker https://docs.docker.com/engine/install/ubuntu/
  3. Run prebuilt rocker image (docker run --rm -d -p 8787:8787 -e PASSWORD=password rocker/rstudio)
  4. Exec into container and run /init. Will see the Crypto error. Will get stuck here and no response will be returned from 8787

DanWoodrichNOAA added the bug label Jan 21, 2025
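
An added example (not part of the issue and not RStudio or rocker code) that decodes the OpenSSL error embedded in the rserver log line reported above, using the OpenSSL 3.x error-code layout from include/openssl/err.h. The function name `decode_openssl_error` and the short library-name table are this example's own; the sample line is copied from the report.

```python
import re

# Log line as posted in the report above.
SAMPLE = ("2025-01-18T23:02:27.936799Z [rserver] ERROR system error 74 (Bad message) "
          "[description: error:12800067:DSO support routines::could not load the shared library]; "
          "OCCURRED AT rstudio::core::Error rstudio::core::system::crypto::rsaInit() "
          "src/cpp/core/system/Crypto.cpp:471; LOGGED FROM: int main(int, char* const*) "
          "src/cpp/server/ServerMain.cpp:987")

# OpenSSL 3.x packing: bit 31 = system-error flag,
# bits 23-30 = library number, bits 0-22 = reason code.
ERR_SYSTEM_FLAG = 1 << 31
ERR_LIB_OFFSET, ERR_LIB_MASK, ERR_REASON_MASK = 23, 0xFF, 0x7FFFFF
# Subset of ERR_LIB_* numbers relevant to an RSA/provider initialisation failure.
LIB_NAMES = {4: "ERR_LIB_RSA", 6: "ERR_LIB_EVP", 37: "ERR_LIB_DSO", 57: "ERR_LIB_PROV"}

# error:<8 hex digits>:<library text>:<function text>:<reason text>
OSSL_ERR = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\]]*):([^:\]]*):([^\];]*)")
# "OCCURRED AT <return type> <function()> <file>:<line>"
SITE = re.compile(r"OCCURRED AT \S+ (\S+\(\)) (\S+):(\d+)")

def decode_openssl_error(line):
    """Return the decoded OpenSSL error found in an rserver log line, or None."""
    m = OSSL_ERR.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    site = SITE.search(line)
    info = {
        "code": code,
        "lib_text": m.group(2),
        # OpenSSL 3.x no longer records function names, so this field is
        # empty (the "::" in the message); 1.1.x messages fill it in.
        "func_text": m.group(3),
        "reason_text": m.group(4).strip(),
        "system_error": bool(code & ERR_SYSTEM_FLAG),
        "raised_in": site.group(1) if site else None,
    }
    if info["system_error"]:
        info["errno"] = code & 0x7FFFFFFF        # the rest of the word is an errno
    else:
        lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
        info["lib"] = LIB_NAMES.get(lib, lib)    # unknown libraries stay numeric
        info["reason"] = code & ERR_REASON_MASK  # 103 is DSO_R_LOAD_FAILED (dsoerr.h)
    return info

if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE))
```

For this line the decoder reports library ERR_LIB_DSO with an empty function field, i.e. the error was raised by OpenSSL's shared-library loader, in the 3.x message format, while RStudio's rsaInit() was running.
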
Contributor

benz0li commented Jan 22, 2025

This is caused by RStudio and

  • if only present in the latest rocker/rstudio image
    • which uses RStudio version 2024.12.0+467

it is most likely related to

@DanWoodrichNOAA Please open an issue over at https://github.com/rstudio/rstudio.
ℹ Also specify the browser and its version.

Thank you.

Contributor

benz0li commented Jan 22, 2025

FYI They already reverted:

This might be resolved with the next RStudio release.

Member

eitsupi commented Jan 22, 2025

Thank you both. I too think that this should require a new release of RStudio IDE.

@gtritchie

The change mentioned earlier as the presumed cause of this (rstudio/rstudio#15487) was not present in the 2024.12.0+467 release of RStudio. It was made after that version was released, so it is not the cause of this problem.

Member

eitsupi commented Jan 29, 2025

Thanks!

As long as we don't know where the problem is, this seems unlikely to be resolved in the short term.
The current workaround seems to be to install and use your own version of RStudio of your choice as described in rstudio/rstudio#15636 (comment).

Contributor

benz0li commented Jan 30, 2025

It errors with description: error:12800067:DSO support routines::could not load the shared library.

Some differences between rocker/rstudio:4.4.1 (RStudio v2024.09.1+394) and rocker/rstudio:4.4.2 (RStudio v2024.12.0+467):

diff --git a/etc/os-release-4.4.1 b/etc/os-release-4.4.2
index 55acd69..18cf477 100644
--- a/etc/os-release-4.4.1
+++ b/etc/os-release-4.4.2
@@ -1,12 +1,13 @@
-PRETTY_NAME="Ubuntu 22.04.5 LTS"
+PRETTY_NAME="Ubuntu 24.04.1 LTS"
 NAME="Ubuntu"
-VERSION_ID="22.04"
-VERSION="22.04.5 LTS (Jammy Jellyfish)"
-VERSION_CODENAME=jammy
+VERSION_ID="24.04"
+VERSION="24.04.1 LTS (Noble Numbat)"
+VERSION_CODENAME=noble
 ID=ubuntu
 ID_LIKE=debian
 HOME_URL="https://www.ubuntu.com/"
 SUPPORT_URL="https://help.ubuntu.com/"
 BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
 PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
-UBUNTU_CODENAME=jammy
+UBUNTU_CODENAME=noble
+LOGO=ubuntu-logo
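Review bot: The VERSION_ID change from 22.04 to 24.04 in this hunk means the two tags differ in base OS as well as in RStudio version (v2024.09.1+394 vs v2024.12.0+467), so the comparison cannot attribute the failure to either one on its own. Testing RStudio v2024.12.0+467 on a 22.04 base, or v2024.09.1+394 on a 24.04 base, under the same FIPS kernel would separate the two variables.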
diff --git a/packages-4.4.1 b/packages-4.4.2
index 816f96e..0ecc511 100644
--- a/packages-4.4.1
+++ b/packages-4.4.2
@@ -10,7 +10,9 @@ binutils
 bsdutils
 ca-certificates
 coreutils
-cpp-11
+cpp-13-x86-64-linux-gnu
+cpp-13
+cpp-x86-64-linux-gnu
 cpp
 dash
 debconf
@@ -24,15 +26,21 @@ findutils
 fontconfig-config
 fontconfig
 fonts-texgyre
-freeglut3
-g++-11
+fonts-urw-base35
+g++-13-x86-64-linux-gnu
+g++-13
+g++-x86-64-linux-gnu
 g++
-gcc-11-base
-gcc-11
-gcc-12-base
+gcc-13-base
+gcc-13-x86-64-linux-gnu
+gcc-13
+gcc-14-base
+gcc-x86-64-linux-gnu
 gcc
 gdebi-core
-gfortran-11
+gfortran-13-x86-64-linux-gnu
+gfortran-13
+gfortran-x86-64-linux-gnu
 gfortran
 git-man
 git
@@ -42,11 +50,11 @@ gsfonts
 gzip
 hostname
 init-system-helpers
-lib32gcc-s1
-lib32stdc++6
 libacl1
-libapt-pkg6.0
-libasan6
+libapparmor1
+libapt-pkg6.0t64
+libasan8
+libassuan0
 libatomic1
 libattr1
 libaudit-common
@@ -62,25 +70,24 @@ libbz2-ocaml
 libc-bin
 libc-dev-bin
 libc6-dev
-libc6-i386
 libc6
 libcairo2
 libcap-ng0
 libcap2
 libcc1-0
-libclang-14-dev
-libclang-common-14-dev
+libclang-18-dev
+libclang-common-18-dev
 libclang-dev
-libclang1-14
+libclang1-18
 libcom-err2
 libcrypt-dev
 libcrypt1
 libctf-nobfd0
 libctf0
-libcurl3-gnutls
-libcurl4
+libcurl3t64-gnutls
+libcurl4t64
 libdatrie1
-libdb5.3
+libdb5.3t64
 libdebconfclient0
 libdeflate0
 libdrm-amdgpu1
@@ -90,77 +97,81 @@ libdrm-nouveau2
 libdrm-radeon1
 libdrm2
 libedit2
-libelf1
+libelf1t64
 liberror-perl
 libexpat1
-libext2fs2
+libext2fs2t64
 libffi8
 libfontconfig1
+libfontenc1
 libfreetype6
 libfribidi0
 libgc1
-libgcc-11-dev
+libgcc-13-dev
 libgcc-s1
 libgcrypt20
-libgdbm-compat4
-libgdbm6
-libgfortran-11-dev
+libgdbm-compat4t64
+libgdbm6t64
+libgfortran-13-dev
 libgfortran5
 libgl1-mesa-dri
 libgl1
 libglapi-mesa
-libglib2.0-0
+libglib2.0-0t64
 libglib2.0-data
+libglut3.12
 libglvnd0
 libglx-mesa0
 libglx0
 libgmp10
-libgnutls30
+libgnutls30t64
 libgomp1
 libgpg-error0
+libgprofng0
 libgraphite2-3
 libgssapi-krb5-2
 libharfbuzz0b
-libhogweed6
+libhogweed6t64
+libhwasan0
 libice6
-libicu70
+libicu74
 libidn2-0
 libisl23
 libitm1
+libjansson4
 libjbig0
 libjpeg-turbo-progs
-libjpeg-turbo-test
-libjpeg-turbo8-dbg
 libjpeg-turbo8-dev
 libjpeg-turbo8
 libjpeg8
+libjs-jquery
+libjs-sphinxdoc
+libjs-underscore
 libk5crypto3
 libkeyutils1
 libkrb5-3
 libkrb5support0
 liblapack-dev
 liblapack3
-libldap-2.5-0
-libllvm14
-libllvm15
+libldap2
+liblerc4
+libllvm17t64
+libllvm18
 liblsan0
 liblz4-1
 liblzma-doc
 liblzma5
 libmagic-mgc
-libmagic1
+libmagic1t64
 libmd0
 libmount1
 libmpc3
-libmpdec3
 libmpfr6
-libncurses6
 libncursesw6
-libnettle8
+libnettle8t64
 libnghttp2-14
-libnsl-dev
-libnsl2
-libobjc-11-dev
+libnpth0t64
+libobjc-13-dev
 libobjc4
 libopenblas-dev
 libopenblas-pthread-dev
@@ -178,18 +189,18 @@ libpciaccess0
 libpcre2-16-0
 libpcre2-32-0
 libpcre2-8-0
+libpcre2-ocaml
 libpcre2-posix3
-libpcre3
-libperl5.34
+libperl5.38t64
 libpixman-1-0
-libpng16-16
-libprocps8
-libpsl5
+libpng16-16t64
+libproc2-0
+libpsl5t64
 libpython3-stdlib
-libpython3.10-minimal
-libpython3.10-stdlib
+libpython3.12-minimal
+libpython3.12-stdlib
 libquadmath0
-libreadline8
+libreadline8t64
 librtmp1
 libsasl2-2
 libsasl2-modules-db
@@ -200,15 +211,18 @@ libsemanage2
 libsensors-config
 libsensors5
 libsepol2
+libsframe1
+libsharpyuv0
 libsm6
 libsmartcols1
 libsqlite3-0
 libss2
 libssh-4
 libssl-dev
-libssl3
-libstdc++-11-dev
+libssl3t64
+libstdc++-13-dev
 libstdc++6
+libstdlib-ocaml
 libsystemd0
 libtasn1-6
 libthai-data
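Review bot: The libssl3 to libssl3t64 line is the only changed OpenSSL entry in the comparison, and because the list holds package names without versions it shows the rename but not which OpenSSL version each image ships; libssl-dev in this hunk and openssl in a later one appear as unchanged context for the same reason. Regenerating both lists with versions (for example with dpkg-query -W) would show what actually changed behind the "could not load the shared library" error.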
@@ -216,18 +230,16 @@ libthai0
 libtiff-doc
 libtiff-opengl
 libtiff-tools
-libtiff5
-libtiffxx5
+libtiff6
+libtiffxx6
 libtinfo6
-libtirpc-common
-libtirpc-dev
-libtirpc3
-libtsan0
+libtsan2
 libturbojpeg
 libubsan1
 libudev1
-libunistring2
+libunistring5
 libuuid1
+libvulkan1
 libwebp7
 libx11-6
 libx11-data
@@ -250,7 +262,7 @@ libxi6
 libxml2
 libxrender1
 libxshmfence1
-libxt6
+libxt6t64
 libxxf86vm1
 libxxhash0
 libzstd1
@@ -258,7 +270,6 @@ linux-libc-dev
 locales
 login
 logsave
-lsb-base
 lsb-release
 make
 mawk
@@ -266,12 +277,13 @@ media-types
 mount
 ncurses-base
 ncurses-bin
+netbase
 ocaml-base
 openssl
 pandoc
 passwd
 perl-base
-perl-modules-5.34
+perl-modules-5.38
 perl
 procps
 psmisc
@@ -282,25 +294,26 @@ python3-chardet
 python3-debian
 python3-minimal
 python3-pkg-resources
-python3.10-minimal
-python3.10
+python3.12-minimal
+python3.12
 python3
 readline-common
 rpcsvc-proto
 rstudio-server
 sed
 sensible-utils
+shared-mime-info
 sudo
 sysvinit-utils
 tar
 tzdata
 ubuntu-keyring
-ucf
 unzip
-usrmerge
 util-linux
 wget
 x11-common
+xfonts-encodings
+xfonts-utils
 zip
 zlib1g
 zstd

Contributor

benz0li commented Feb 4, 2025

@eitsupi IMHO nothing wrong with the image (rocker/rstudio).

ubuntu:24.04 (OpenSSL?) seems to require kernel features that are not available in kernel linux-image-gcp-fips version 5.4.0.1141.83.

Member

eitsupi commented Feb 8, 2025

Thank you. This does not seem to be an issue with this repository, so I will close it.

eitsupi closed this as not planned Feb 8, 2025