Bug 1778940
| Summary: | Need to have /etc/system-fips in the initrd for true FIPS boot | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jonathan Lebon <jlebon> |
| Component: | RHCOS | Assignee: | Jonathan Lebon <jlebon> |
| Status: | CLOSED ERRATA | QA Contact: | Michael Nguyen <mnguyen> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.3.0 | CC: | bbreard, dustymabe, imcleod, jligon, miabbott, nagrawal, nstielau, smilner |
| Target Milestone: | --- | | |
| Target Release: | 4.3.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-01-23 11:14:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1752313 | | |

Description
Jonathan Lebon
2019-12-02 21:23:08 UTC
Investigating this.

Verified on 4.3.0-0.nightly-2019-12-18-145749 that /etc/system-fips is present in the initrd on the master and worker nodes.

```
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2019-12-18-145749   True        False         26s     Cluster version is 4.3.0-0.nightly-2019-12-18-145749

$ oc get nodes
NAME                           STATUS   ROLES    AGE   VERSION
ip-10-0-136-147.ec2.internal   Ready    worker   20m   v1.16.2
ip-10-0-139-154.ec2.internal   Ready    master   31m   v1.16.2
ip-10-0-145-3.ec2.internal     Ready    worker   20m   v1.16.2
ip-10-0-146-248.ec2.internal   Ready    master   31m   v1.16.2
ip-10-0-164-215.ec2.internal   Ready    worker   20m   v1.16.2
ip-10-0-170-115.ec2.internal   Ready    master   31m   v1.16.2

$ oc debug node/ip-10-0-136-147.ec2.internal
Starting pod/ip-10-0-136-147ec2internal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# ls -latr /boot/ostree/
total 8
drwxrwxr-x. 2 root root 1024 Dec 13 16:36 rhcos-f5d289b85923cedb8f8bdb3a971bcabfa460ae30ce4217998e963edea26b983e
drwxrwxr-x. 4 root root 1024 Dec 18 20:55 .
drwxr-xr-x. 2 root root 1024 Dec 18 20:55 rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f
drwxr-xr-x. 7 root root 1024 Dec 18 20:55 ..
sh-4.4# lsinitrd /boot/ostree/rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f/initramfs-4.18.0-147.3.1.el8_1.x86_64.img | grep 'etc/system-fips'
-rw-r--r-- 1 root root 40 Jan 1 1970 etc/system-fips
sh-4.4# exit
exit
sh-4.2# exit
exit

Removing debug pod ...

$ oc debug node/ip-10-0-139-154.ec2.internal
Starting pod/ip-10-0-139-154ec2internal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# ls -latr /boot/ostree/
total 8
drwxrwxr-x. 2 root root 1024 Dec 13 16:36 rhcos-f5d289b85923cedb8f8bdb3a971bcabfa460ae30ce4217998e963edea26b983e
drwxrwxr-x. 4 root root 1024 Dec 18 20:42 .
drwxr-xr-x. 2 root root 1024 Dec 18 20:42 rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f
drwxr-xr-x. 7 root root 1024 Dec 18 20:42 ..
sh-4.4# lsinitrd /boot/ostree/rhcos-0ec938e112081a96697abc020798aac47a778e37290c0e4cba231a5781ac573f/initramfs-4.18.0-147.3.1.el8_1.x86_64.img | grep 'etc/system-fips'
-rw-r--r-- 1 root root 40 Jan 1 1970 etc/system-fips
sh-4.4# exit
exit
sh-4.2# exit
exit

Removing debug pod ...
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062
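
The manual check in the verification transcript above (`lsinitrd` on the node, then grep for `etc/system-fips`), written as an added shell example that is not part of the original bug report: it inspects every initramfs under `/boot/ostree` rather than only the newest deployment, and matches the path exactly. The function names and the `LSINITRD` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): report, for every initramfs under
# <root>/boot/ostree, whether the FIPS marker etc/system-fips is packed in.

# Read an `lsinitrd` listing on stdin. Succeed only if a regular file whose
# path is exactly etc/system-fips is listed; a bare grep would also accept
# names such as etc/system-fips.bak.
initrd_has_fips_marker() {
    awk '$1 ~ /^-/ && $NF == "etc/system-fips" { found = 1 }
         END { exit !found }'
}

# Check every initramfs image below <root>/boot/ostree.
# Prints one line per image. Returns 0 if all images carry the marker,
# 1 if any image lacks it, 2 if no image was found at all.
# LSINITRD (assumption, for testing) overrides the dracut `lsinitrd` command.
check_boot_tree() {
    root=${1:-/}
    rc=0
    seen=0
    for img in "$root"/boot/ostree/*/initramfs-*.img; do
        [ -f "$img" ] || continue
        seen=1
        if ${LSINITRD:-lsinitrd} "$img" 2>/dev/null | initrd_has_fips_marker; then
            echo "OK      $img"
        else
            echo "MISSING $img"
            rc=1
        fi
    done
    if [ "$seen" -ne 1 ]; then
        echo "no initramfs images under $root/boot/ostree" >&2
        rc=2
    fi
    return "$rc"
}
```

On a node, source the file in the `chroot /host` shell opened by `oc debug node/<name>` and run `check_boot_tree /`; each deployment directory is reported on its own line.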