Bug 1692709

Summary: [RFE] Investigate viability of automatically setting up boot partition for FIPS hosts
Product: [oVirt] ovirt-engine
Reporter: Tomasz Barański <tbaransk>
Component: BLL.Virt
Assignee: Liran Rotenberg <lrotenbe>
Status: CLOSED CURRENTRELEASE
QA Contact: Beni Pelled <bpelled>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: future
CC: bugs, rbarry, sgoodman
Target Milestone: ovirt-4.4.0
Keywords: FutureFeature
Target Release: ---
Flags: pm-rhel: ovirt-4.4+, pm-rhel: planning_ack?, rbarry: devel_ack+, pm-rhel: testing_ack?
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: rhv-4.4.0-29
Doc Type: Enhancement
Doc Text:
With this update, each host's boot partition is explicitly stated in the kernel boot parameters. For example: `boot=/dev/sda1` or `boot=UUID=<id>`
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-05-20 20:02:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Virt
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1640192

Description Tomasz Barański 2019-03-26 09:38:49 UTC
This is a follow-up to https://bugzilla.redhat.com/show_bug.cgi?id=1640192

In addition to setting `fips=1`, the host's boot partition needs to be explicitly stated in the kernel boot parameters (like: `boot=/dev/sda1`), otherwise the host does not start. At this moment the user needs to put that information manually.

This BZ is to track the effort of investigation of viability of detecting the boot partition automatically, and if possible, implementing it.

Comment 2 Beni Pelled 2020-05-07 08:25:38 UTC
Verified with:
- ovirt-engine-4.4.0-0.33.master.el8ev.noarch
- vdsm-4.40.13-1.el8ev.x86_64
- Host with RHEL 8.2

Verification steps:
1. Move a non-FIPS active host into maintenance mode
2. Under 'Edit > Kernel' press the Reset button and select 'FIPS mode'
3. 'fips=1 boot=UUID=<boot_partition_UUID>' will be added to the 'Kernel command line'
4. Make sure the UUID is indeed the host's /boot partition UUID
5. Reinstall and restart the host

Result:
- The host is up and running as a FIPS host (verified by 'sysctl crypto.fips_enabled' and on the engine-UI)
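
Added example, not part of the bug report and not oVirt or vdsm code: a POSIX shell check for step 4 above, confirming that a kernel command line carrying `fips=1` also carries a `boot=` value that names the host's real /boot partition. The function names `cmdline_get` and `check_fips_boot`, the `--live` switch and the sample UUID are assumptions made for this example; only the `boot=/dev/...` and `boot=UUID=...` forms mentioned in this bug are handled.

```sh
#!/bin/sh
# Added example (not oVirt/vdsm code): does a FIPS command line pin boot= to /boot?

# cmdline_get KEY "CMDLINE": print KEY's value, or nothing if KEY is absent.
# If KEY repeats, the last occurrence is used (a choice made for this example).
cmdline_get() (
    set -f                      # split on whitespace without globbing
    val=
    for tok in $2; do
        case $tok in "$1"=*) val=${tok#"$1"=} ;; esac
    done
    printf '%s' "$val"
)

# check_fips_boot "CMDLINE" BOOT_UUID BOOT_DEV
# Exit status: 0 ok, 1 fips=1 absent, 2 boot= absent, 3 boot= not confirmed.
check_fips_boot() (
    ok=0
    fips=$(cmdline_get fips "$1")
    boot=$(cmdline_get boot "$1")
    [ "$fips" = 1 ] || { echo "FAIL: fips=1 not on command line"; exit 1; }
    [ -n "$boot" ]  || { echo "FAIL: fips=1 without boot="; exit 2; }
    case $boot in
        UUID=*) [ -n "$2" ] && [ "${boot#UUID=}" = "$2" ] && ok=1 ;;
        /dev/*) [ -n "$3" ] && [ "$boot" = "$3" ] && ok=1 ;;  # exact path only
    esac
    [ "$ok" = 1 ] || { echo "FAIL: boot=$boot is not /boot ($2, $3)"; exit 3; }
    echo "OK: fips=1 boot=$boot"
)

if [ "${1:-}" = --live ]; then      # run on the host being verified
    echo "crypto.fips_enabled=$(sysctl -n crypto.fips_enabled)"
    check_fips_boot "$(cat /proc/cmdline)" \
        "$(findmnt -no UUID /boot)" "$(findmnt -no SOURCE /boot)"
    exit
fi

# Constructed sample values (not taken from a real host).
SAMPLE_UUID=0f3c1d2e-1111-4222-8333-444455556666
SAMPLE_DEV=/dev/sda1
check_fips_boot "ro quiet fips=1 boot=UUID=$SAMPLE_UUID" "$SAMPLE_UUID" "$SAMPLE_DEV" || true
check_fips_boot "ro quiet fips=1" "$SAMPLE_UUID" "$SAMPLE_DEV" || true
```

With `--live` the script reads /proc/cmdline and asks findmnt for the UUID and source device of /boot; a host without a separate /boot mount is reported with status 3.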

Comment 3 Sandro Bonazzola 2020-05-20 20:02:53 UTC
This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.