| author | Ravishankar N <ravishankar@redhat.com> | 2018-02-21 22:40:36 +0530 | 
|---|---|---|
| committer | Shyamsundar Ranganathan <srangana@redhat.com> | 2018-02-23 16:47:02 +0000 | 
| commit | 2f288060c852fb4ece4c7c955858c2041df1ef16 (patch) | |
| tree | 9155abc3a74afc0799c27c9a81914310f19f6248 /doc/release-notes/4.0.0.md | |
| parent | 11814c906a87fef59c371b9676c00edc387fe6eb (diff) | |
doc/release-notes: add information on FIPS compliance
Change-Id: Ib3d012c2b2a4a9281b9adb126a7d466086cc23f2
BUG: 1539842
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
Diffstat (limited to 'doc/release-notes/4.0.0.md')
| -rw-r--r-- | doc/release-notes/4.0.0.md | 20 | 
1 files changed, 15 insertions, 5 deletions
| diff --git a/doc/release-notes/4.0.0.md b/doc/release-notes/4.0.0.md index 5b7211a12aa..61eb6d805ec 100644 --- a/doc/release-notes/4.0.0.md +++ b/doc/release-notes/4.0.0.md @@ -250,14 +250,24 @@ for these users while still keeping best performance for file accesses.  #### 2. Replace MD5 usage to enable FIPS support  **Notes for users:**  - https://github.com/gluster/glusterfs/issues/230 -- Need a lot of context on options and versions before which this feature can be used -- Release notes: -    - Need help from authors to complete -**Limitations:** +Previously, if gluster was run on a FIPS enabled system, it used to crash +because MD5 is not FIPS compliant and gluster consumes MD5 checksum in +various places like self-heal and geo-rep. This has been fixed by +replacing MD5 with SHA256 which is FIPS compliant. +  However, in order for AFR self-heal to work correctly during rolling upgrade +to 4.0, we have tied this to a volume option called `fips-mode-rchecksum`. -**Known Issues:** +i.e. `gluster volume set <VOLNAME> fips-mode-rchecksum on` has to be performed +for the posix_rchecksum() FOP (which is called by self-heal logic) to use SHA256. +If it is 'off', it continues to use MD5 checksum, allowing hassle free upgrade. + +Once glusterfs 3.x is EOL'ed, we could make the 'fips-mode-rchecksum' +option a no-op and let posix_rchecksum use SHA256 unconditionally. + +In summary, if you want to be FIPS compliant for now, ensure all nodes are on  +4.0 and then set this volume option.  #### 3. Dentry fop serializer xlator on brick stack  **Notes for users:** | 
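Review bot: The added notes under "#### 2. Replace MD5 usage to enable FIPS support" never state the default value of `fips-mode-rchecksum`, nor what a user on a FIPS enabled system should expect while it is 'off'. The first paragraph says the crash "has been fixed", but the later text says that with the option 'off' posix_rchecksum() "continues to use MD5 checksum", so a reader cannot tell whether self-heal is still affected on a FIPS enabled system until the option is set. Please add one sentence giving the default and the behaviour in the 'off' state, and say whether "all nodes" in the summary includes clients as well as servers. The hunk also deletes the `**Limitations:**` and `**Known Issues:**` headings for this item; the rolling-upgrade constraint reads like a limitation and would be easier to find under `**Limitations:**` than in running text. Minor: the line ending "ensure all nodes are on" appears to carry trailing whitespace, and "i.e." at the start of a paragraph could simply be dropped.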
