-rw-r--r-- doc/release-notes/4.0.0.md | 20
1 files changed, 15 insertions, 5 deletions
diff --git a/doc/release-notes/4.0.0.md b/doc/release-notes/4.0.0.md
index 5b7211a12aa..61eb6d805ec 100644
--- a/doc/release-notes/4.0.0.md
+++ b/doc/release-notes/4.0.0.md
@@ -250,14 +250,24 @@ for these users while still keeping best performance for file accesses.
#### 2. Replace MD5 usage to enable FIPS support
**Notes for users:**
- https://github.com/gluster/glusterfs/issues/230
-- Need a lot of context on options and versions before which this feature can be used
-- Release notes:
- - Need help from authors to complete
-**Limitations:**
+Previously, if gluster was run on a FIPS enabled system, it used to crash
+because MD5 is not FIPS compliant and gluster consumes MD5 checksum in
+various places like self-heal and geo-rep. This has been fixed by
+replacing MD5 with SHA256 which is FIPS compliant.
+ However, in order for AFR self-heal to work correctly during rolling upgrade
+to 4.0, we have tied this to a volume option called `fips-mode-rchecksum`.
-**Known Issues:**
+i.e. `gluster volume set <VOLNAME> fips-mode-rchecksum on` has to be performed
+for the posix_rchecksum() FOP (which is called by self-heal logic) to use SHA256.
+If it is 'off', it continues to use MD5 checksum, allowing hassle free upgrade.
+
+Once glusterfs 3.x is EOL'ed, we could make the 'fips-mode-rchecksum'
+option a no-op and let posix_rchecksum use SHA256 unconditionally.
+
+In summary, if you want to be FIPS compliant for now, ensure all nodes are on
+4.0 and then set this volume option.
#### 3. Dentry fop serializer xlator on brick stack
**Notes for users:**
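Review bot: The new text for section 2 never states the default value of `fips-mode-rchecksum`, and it drops the **Limitations:** and **Known Issues:** headings even though what it adds is a limitation. A reader has to infer from "If it is 'off', it continues to use MD5 checksum" that a fresh 4.0 install still uses MD5 in posix_rchecksum() until the option is set. Suggest keeping **Limitations:** and putting under it, explicitly, the default value, the requirement that all nodes be on 4.0 before the option is turned on, and what an administrator should expect if it is turned on while 3.x nodes are still in the cluster, which the summary sentence implies but does not spell out. Minor: the added line beginning " However, in order for AFR self-heal" carries a stray leading space that the neighbouring added lines do not have, and "i.e." opens a paragraph on its own; folding that sentence into the previous paragraph would read better.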