Description
Building the Nautobot images with poetry run invoke build fails on hosts enforcing FIPS mode. During apt-get update/upgrade, libgcrypt aborts with “requested algo not in md context,” which indicates apt/GnuPG hit a non‑FIPS digest path (e.g., MD5/SHA1) while verifying repository metadata. Because FIPS is system‑wide, container processes inherit these constraints and the build terminates early.
Steps To Reproduce
- Run poetry run invoke build on a host with FIPS enabled.
- Observe the apt steps in environments/Dockerfile:7, environments/Dockerfile:18, environments/Dockerfile-LDAP:7 and environments/Dockerfile-LDAP:18.
- The build uses Compose args from environments/docker-compose.base.yml:3 and environments/docker-compose.ldap.yml:3.
Actual Behavior
apt-get update aborts:
fatal error in libgcrypt ... requested algo not in md context
- Exit code 134 from the apt RUN layer.
Expected Behavior
- Image builds succeed on FIPS hosts or provide a supported way to skip/avoid apt paths that trigger non‑FIPS algorithms.
Environment
- Host: Linux with FIPS mode enabled.
- Base images: ghcr.io/nautobot/nautobot:${NAUTOBOT_VERSION}-py${PYTHON_VER} and ghcr.io/nautobot/nautobot-dev:${NAUTOBOT_VERSION}-py${PYTHON_VER}.
- Build command: poetry run invoke build.
- Task env passing: tasks.py:87 sets only PYTHON_VER and NAUTOBOT_VERSION for Compose.
Logs (excerpt)
Reading package lists...fatal error in libgcrypt ... requested algo not in md context
Aborted
Impact
- Builds cannot complete on FIPS‑enforced systems.
- The LDAP Dockerfile additionally relies on apt for dev libraries (libldap2-dev, libsasl2-dev, libssl-dev), increasing exposure to apt failures.
Proposed Fix
- Make apt steps optional via a build arg and skip by default on FIPS:
  - Add ARG SKIP_APT=0 and wrap the apt RUN lines in if [ "$SKIP_APT" != "1" ]; then ...; fi.
  - Pass SKIP_APT through the Compose args in environments/docker-compose.base.yml:3 and environments/docker-compose.ldap.yml:3.
  - Update tasks.py:87 to forward SKIP_APT from the user environment (or merge os.environ) so poetry run invoke build can toggle it.
- Reduce/avoid apt usage:
  - Avoid apt-get upgrade at build time; only run apt-get update when strictly needed.
  - In Dockerfile-LDAP, prefer binary wheels (pip install --only-binary=:all: django-auth-ldap) to avoid installing dev libs via apt.
- Document FIPS guidance:
Workarounds
- Manually comment out the apt lines in the Dockerfiles (not ideal, breaks reproducibility).
- Set SKIP_APT=1 and run Compose directly, once the build arg is added.
- Build the image in a non-FIPS environment and run it on the FIPS host.
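As an added example (not code from the Nautobot repository), the SKIP_APT guard from the proposed fix written as a small shell script that a Dockerfile RUN line can source; it goes one step beyond the proposal by adding an auto setting that detects FIPS mode from /proc/sys/crypto/fips_enabled. The file name apt-guard.sh and the Dockerfile lines quoted in the comment are assumptions.

```shell
#!/bin/sh
# apt-guard.sh (assumed name; added example, not nautobot project code).
# Source it from a Dockerfile RUN line so apt steps become optional:
#
#   ARG SKIP_APT=auto
#   COPY apt-guard.sh /usr/local/bin/apt-guard.sh
#   RUN . /usr/local/bin/apt-guard.sh && \
#       apt_step apt-get update && \
#       apt_step apt-get install -y --no-install-recommends \
#           libldap2-dev libsasl2-dev libssl-dev
#
# SKIP_APT=1 skips every apt step, SKIP_APT=0 forces them to run, and auto
# (the default here) skips only when the kernel reports FIPS mode.

# fips_enabled: status 0 when the running kernel is in FIPS mode. The file is
# visible inside containers as well, because /proc reflects the host kernel.
fips_enabled() {
    [ -r /proc/sys/crypto/fips_enabled ] || return 1
    [ "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)" = "1" ]
}

# apt_allowed: status 0 when apt steps should run.
apt_allowed() {
    case "${SKIP_APT:-auto}" in
        1) return 1 ;;       # explicit opt-out
        0) return 0 ;;       # explicit opt-in, even on a FIPS host
        *) ! fips_enabled ;; # auto: run unless FIPS mode is on
    esac
}

# apt_step CMD...: run CMD when allowed; otherwise log the skip and return 0
# so the RUN layer continues instead of aborting (exit 134) inside libgcrypt.
apt_step() {
    if apt_allowed; then
        "$@"
    else
        echo "apt-guard: skipping '$*' (SKIP_APT=${SKIP_APT:-auto})" >&2
    fi
}
```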