-rw-r--r-- | doc/release-notes/4.0.0.md | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/doc/release-notes/4.0.0.md b/doc/release-notes/4.0.0.md index 5b7211a12aa..61eb6d805ec 100644 --- a/doc/release-notes/4.0.0.md +++ b/doc/release-notes/4.0.0.md @@ -250,14 +250,24 @@ for these users while still keeping best performance for file accesses. #### 2. Replace MD5 usage to enable FIPS support **Notes for users:** - https://github.com/gluster/glusterfs/issues/230 -- Need a lot of context on options and versions before which this feature can be used -- Release notes: - - Need help from authors to complete -**Limitations:** +Previously, if gluster was run on a FIPS enabled system, it used to crash +because MD5 is not FIPS compliant and gluster consumes MD5 checksum in +various places like self-heal and geo-rep. This has been fixed by +replacing MD5 with SHA256 which is FIPS compliant. + However, in order for AFR self-heal to work correctly during rolling upgrade +to 4.0, we have tied this to a volume option called `fips-mode-rchecksum`. -**Known Issues:** +i.e. `gluster volume set <VOLNAME> fips-mode-rchecksum on` has to be performed +for the posix_rchecksum() FOP (which is called by self-heal logic) to use SHA256. +If it is 'off', it continues to use MD5 checksum, allowing hassle free upgrade. + +Once glusterfs 3.x is EOL'ed, we could make the 'fips-mode-rchecksum' +option a no-op and let posix_rchecksum use SHA256 unconditionally. + +In summary, if you want to be FIPS compliant for now, ensure all nodes are on +4.0 and then set this volume option. #### 3. Dentry fop serializer xlator on brick stack **Notes for users:** |
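Review bot: The first added paragraph says the crash on FIPS enabled systems "has been fixed by replacing MD5 with SHA256", but the lines after it say posix_rchecksum() continues to use MD5 while `fips-mode-rchecksum` is 'off', so a reader cannot tell whether self-heal on a FIPS enabled node is still exposed to the MD5 path until the option is turned on. Please state the option's default value explicitly and say what behaviour to expect on a FIPS enabled system when it is left 'off'. The closing "ensure all nodes are on 4.0 and then set this volume option" would also be stronger if it said what goes wrong for AFR self-heal when the option is turned on while some nodes are still on 3.x, and noted that, being a volume option, it has to be set for each volume. Since the rolling-upgrade constraint is effectively a limitation, consider keeping the `**Limitations:**` heading this change removes and putting that constraint under it, rather than dropping both `**Limitations:**` and `**Known Issues:**`.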