Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Core] MD5 not supported as is for FIPS enabled machines #40534

Closed
KPostOffice opened this issue Oct 20, 2023 · 1 comment · Fixed by #40755
Closed

[Core] MD5 not supported as is for FIPS enabled machines #40534

KPostOffice opened this issue Oct 20, 2023 · 1 comment · Fixed by #40755
Labels
core Issues that should be addressed in Ray Core core-runtime-env Issues related to Ray environment dependencies enhancement Request for new feature and/or capability P1.5 Issues that will be fixed in a couple releases. It will be bumped once all P1s are cleared

Comments

@KPostOffice
Copy link
Contributor

KPostOffice commented Oct 20, 2023

Description

FIPS (Federal Information Processing Standards) is a series of security standards required for most government workflows. FIPS compliance requires packages to adhere to a certain level of security and comes with requirements for cryptographic libraries. One of my coworkers (@jbusche) was running into issues on a FIPS enabled machine when trying to submit jobs to a Ray Cluster. The key part of the linked issue is this:

File /opt/app-root/lib64/python3.8/site-packages/ray/_private/runtime_env/packaging.py:152, in _hash_directory.<locals>.handler(path)
    151 def handler(path: Path):
--> 152     md5 = hashlib.md5()
    153     md5.update(str(path.relative_to(relative_path)).encode())

ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

MD5 is not supported for security related applications on a FIPS enabled machine

If the community is open to addressing this issue I see two options:

  • change hashlib.md5(...) to hashlib.md5(..., usedforsecurity=False) because, everywhere in the Ray library that I've found md5 being used it is being used only for calculating file hashes and not for security purposes
  • use a SHA-X for computing hashes since it is FIPS compliant

I'm happy to open a PR to solve this issue.

Use case

Using Ray in a FIPS enabled OpenShift cluster

@KPostOffice KPostOffice added enhancement Request for new feature and/or capability triage Needs triage (eg: priority, bug/not-bug, and owning component) labels Oct 20, 2023
@jjyao jjyao added core Issues that should be addressed in Ray Core core-runtime-env Issues related to Ray environment dependencies P1.5 Issues that will be fixed in a couple releases. It will be bumped once all P1s are cleared and removed triage Needs triage (eg: priority, bug/not-bug, and owning component) labels Oct 23, 2023
@jjyao
Copy link
Collaborator

jjyao commented Oct 23, 2023

@KPostOffice Contribution is very welcome!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core Issues that should be addressed in Ray Core core-runtime-env Issues related to Ray environment dependencies enhancement Request for new feature and/or capability P1.5 Issues that will be fixed in a couple releases. It will be bumped once all P1s are cleared
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants