From 2f288060c852fb4ece4c7c955858c2041df1ef16 Mon Sep 17 00:00:00 2001 From: Ravishankar N Date: Wed, 21 Feb 2018 22:40:36 +0530 Subject: doc/release-notes: add information on FIPS compliance Change-Id: Ib3d012c2b2a4a9281b9adb126a7d466086cc23f2 BUG: 1539842 Signed-off-by: Ravishankar N --- doc/release-notes/4.0.0.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/doc/release-notes/4.0.0.md b/doc/release-notes/4.0.0.md index 5b7211a12aa..61eb6d805ec 100644 --- a/doc/release-notes/4.0.0.md +++ b/doc/release-notes/4.0.0.md @@ -250,14 +250,24 @@ for these users while still keeping best performance for file accesses. #### 2. Replace MD5 usage to enable FIPS support **Notes for users:** - https://github.com/gluster/glusterfs/issues/230 -- Need a lot of context on options and versions before which this feature can be used -- Release notes: - - Need help from authors to complete -**Limitations:** +Previously, if gluster was run on a FIPS enabled system, it used to crash +because MD5 is not FIPS compliant and gluster consumes MD5 checksum in +various places like self-heal and geo-rep. This has been fixed by +replacing MD5 with SHA256 which is FIPS compliant. + However, in order for AFR self-heal to work correctly during rolling upgrade +to 4.0, we have tied this to a volume option called `fips-mode-rchecksum`. -**Known Issues:** +i.e. `gluster volume set fips-mode-rchecksum on` has to be performed +for the posix_rchecksum() FOP (which is called by self-heal logic) to use SHA256. +If it is 'off', it continues to use MD5 checksum, allowing hassle free upgrade. + +Once glusterfs 3.x is EOL'ed, we could make the 'fips-mode-rchecksum' +option a no-op and let posix_rchecksum use SHA256 unconditionally. + +In summary, if you want to be FIPS compliant for now, ensure all nodes are on +4.0 and then set this volume option. #### 3. Dentry fop serializer xlator on brick stack **Notes for users:** -- cgit
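Review bot: The command in the added "i.e." line, `gluster volume set fips-mode-rchecksum on`, has no volume name, so it cannot be run as shown. `gluster volume set` takes the volume name before the option key, so add a placeholder there and keep it inside the backticks so it survives rendering. The note should also state the default value of `fips-mode-rchecksum`, and say what happens on a FIPS enabled node while the option is 'off'. The first added paragraph says MD5 use made gluster crash on such systems, and the off state is described as still using MD5 in posix_rchecksum(), so readers cannot tell whether self-heal is safe there before the option is set. Since this patch drops the empty "**Limitations:**" and "**Known Issues:**" headings, consider keeping "**Limitations:**" and moving the rolling-upgrade constraint (all nodes on 4.0 before setting the option) under it.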