Bug 1169957

I don't have any of these problems with 

http://download.devel.redhat.com/nightly/RHEL-7.1-20141118.n.2/compose/Server/x86_64/os/images/pxeboot/initrd.img

Can you point me to a pxeboot/initrd.img which has the problem?

The problems occurred when I tried booting from the iso at:
http://download.devel.redhat.com/nightly/RHEL-7.1-20141201.n.0/compose/Server/x86_64/iso/
and
http://download.devel.redhat.com/nightly/RHEL-7.1-20141128.n.0/compose/Server/x86_64/iso/.

strace reports curl is trying to open libfreeblpriv3.so which does not exist in most recent initrd.

And I've independently reproduced it with the 11/30 nightly and my local self-signed cert setup so something in the initrd has clearly changed in recent builds.

So, it's not only in fips mode as described in bug 1165603

correct, no FIPS involved in my tests.

I think the best way is to undo bug 1165603 and ship the module install as part of nss-softokn as in the RHEL-6.6.z package.

(And of course the same needs to be done in Fedora when the nss change gets there.)

Yes, clearly libfreeblpriv3.so needs to be added to dracut, and softokn is the right place to do it. Adding blocker flag, as soon as both blocker and qa_ack gets set I can check in the patch.

bob

Yes.

nss-softokn-3.16.2.3-4.el7

I'm encountering the identical problem as before with image from 2014 December 12 which has nss-softokn-3.15.2.3-4.el7 package.

Still failing with nss-softokn-3.16.2.3-4.

The Description states "The problem is absent in iso from September 30"

Looking at nss-softokn.spec file %changelog history the release closest and before that date would be 
* Wed Nov 05 2014 Robert Relyea <rrelyea> 3.16.2-12

The brew build still available is nss-softokn-3.16.2-6.sa1.4 whose .srpm I download and extracted to compare with current. I want to test the suspicion that the problem could be caused by a patch being dropped or stop being by applied mistake. Things like that have happened before. My steps

Compare nss-softokn.spec from old that works to current that doesn't.

$ diff -u nss-softokn-3.16.2-6.sa1.4.src/nss-softokn.spec rhel-7.1/nss-softokn.spec > softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch

My analysis in two parts is this:

$ grep Patch softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch 
 Patch1:            build-nss-softoken-only.patch
 Patch10:           iquote.patch
 Patch11:           nss-softokn-allow-level1.patch
-Patch12: cve-2014-1568-softokn.patch  -- obsoleted by rebase to 3.16.2.3
+Patch12:           additional-covscan-fixes.patch  -- is now  Patch200
 Patch82:	nss-softokn-3.16-fips-rem-old-test.patch
 Patch83:	nss-softokn-3.16-lowhash-test.patch
 Patch90:	nss-softokn-3.16-addG.patch
-Patch100:	nss-softokn-3.16-fipstest.patch
+Patch94:	nss-softokn-3.16-rsa-fips-186.patch
+Patch95:	nss-softokn-3.16-ppc-no-init_support.patch
+Patch97:	nss-softokn-3.16-add_encrypt_derive.patch
+Patch98:	nss-softokn-3.16.allow_level1_init.patch
+Patch99:	nss-softokn-3.16-fips_user_slots.patch
+Patch100:	nss-softokn-3.16-block-sigchld.patch
+Patch200:	nss-softokn-3.16-fipstest.patch
+Patch201:	nss-softokn-3.16-fipstest-186-4.patch
+Patch202:	nss-softokn-fix-error-handling.patch
+Patch203:	nss-softokn-3.16-freebl_dyload.patch
+Patch204:	limit-create-fipscheck.patch        

grep patch softoknChangesFrom-3.16.2-6.sa1To3.16.2.3-6.patch
 %patch1 -p0 -b .softokenonly
 %patch8 -p0 -b .crypto
-%patch10 -p0 -b .iquote       -- enabled only when rebase brings new APIS
+#%patch10 -p0 -b .iquote      -- this not currently the case
 %patch11 -p0 -b .allow_level1
-%patch12 -p1 -b .cve_2014-1568
 %patch80 -p0 -b .fips-post
 %patch82 -p0 -b .rm-old-test
 %patch83 -p0 -b .lowhash-test
 %patch90 -p0 -b .addG
-%patch100 -p0 -b .fipstest     -- moved to patch200, see below
+%patch94 -p1 -b .fips-186-4
+%patch95 -p0 -b .ppc_no_init_support
+%patch97 -p0 -b .add_encrypt_derive
+%patch98 -p0 -b .allow_level1_init
+%patch99 -p0 -b .fips_user_slots
+%patch100 -p0 -b .block_sigchld
+%patch200 -p0 -b .fipstest      -- used to be patch100, see above
+%patch201 -p0 -b .fipstest-186-4
+%patch202 -p0 -b .1154764
+%patch203 -p0 -b .freebl-dyload
+%patch204 -p0 -b .limit_create_fips_check
+%patch12 -p0 -b .1154764extras

To summarize:
Patch12: removed on account of the rebase to nss-3.16.2.3
Patch10 became unapplied for reasons stated above for iquote
Patch100 moved to Patch200 after the reorording of patches

I don't see any patch whose removal I cannot justify.

The 'patch' I meant would have been a patch to the .spec file. I see that it's still there.

The problem turned out to be a RHEL-6/RHEL-7 issue. The patch uses RHEL-6 dracut config syntax rather than RHEL-7 dracut config syntax. It was working on my machine because I had hacked the fips dracut config earlier.

nss-softokn-3.15.2.3-7.el7 should have the updated nss-softokn dracut config file (stored in the correct place) once it completes.

A quick check if dracut has the right config is to do lsinitrd | grep libfreebl.

You should see libfreebl3.so libfreebl3.chk libfreeblpriv3.so and libfreeblpriv3.chk. If you only see libfreebl3.so, then the config isn't correct yet.

bob

switch_root:/# find -name libfreebl*
./sysroot/usr/lib64/libfreebl3.chk
./sysroot/usr/lib64/libfreeblpriv3.so
./sysroot/usr/lib64/libfreebl3.so
./sysroot/usr/lib64/libfreeblpriv3.chk
./usr/lib64/libfreebl3.so

so libfreeblpriv3.so is not available, should be in /usr/lib64/ to work.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0364.html