Bug 1788051
Summary: | Rhel node failed to start due to "dracut: FATAL: FIPS integrity test failed" with public image | |
---|---|---|---
Product: | OpenShift Container Platform | Reporter: | xiyuan
Component: | Documentation | Assignee: | Vikram Goyal <vigoyal>
Status: | CLOSED EOL | QA Contact: | Xiaoli Tian <xtian>
Severity: | high | Docs Contact: | Vikram Goyal <vigoyal>
Priority: | unspecified | |
Version: | 4.3.0 | CC: | aos-bugs, bbreard, dustymabe, eparis, imcleod, jligon, jokerman, kalexand, mifiedle, nstielau, pdhamdhe, scuppett, smilner, walters, xtian
Target Milestone: | --- | Keywords: | Reopened
Target Release: | 4.4.0 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Doc Type: | If docs needed, set a value | |
: | 1789872 | |
Last Closed: | 2021-04-07 19:16:05 UTC | Type: | Bug
Bug Depends On: | 1787270, 1789873 | |
Bug Blocks: | 1789872 | |
Description
xiyuan
2020-01-06 09:05:14 UTC
I was able to enable FIPS in Ohio following the doc [1]. For the public image it's important to leave the boot= option out of GRUB [2]:

```
[ec2-user@ip-10-0-36-218 ~]$ df /boot
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/nvme0n1p2  33542124 2680564  30861560   8% /

GRUB_CMDLINE_LINUX="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau crashkernel=auto fips=1"

[ec2-user@ip-10-0-36-218 ~]$ cat /proc/sys/crypto/fips_enabled
1
```

Is this the procedure followed or did I do something different/incorrect?

[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations
[2]: http://blog.kwnetapps.com/aws-centos-7-fips-mode/

"TestBlocker" flag removed. The issue is now for AWS public images only when root was the same filesystem as boot. The RHEL node could start up; only the FIPS compliant check was not executed. No such issue with GCE, OpenStack, vSphere.

There's no good component for this, but RHCOS is for RHEL CoreOS, this is about traditional. I think most likely this is either scaleup or docs. Moving to the latter for now.

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.
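The layout rule discussed in the comments above (`fips=1` on the kernel command line, and no `boot=` when `/boot` lives on the root filesystem), as an added example that is not part of the original bug report: a shell check that compares a mount table with a kernel command line. The function names and verdict strings are hypothetical, the sample mount table and the `boot=` device are constructed, and the rule that a separate `/boot` needs `boot=` is assumed from the RHEL 7 procedure linked as [1].

```shell
#!/bin/sh
# Added example: check that FIPS kernel arguments match the /boot layout.
# On a live host: fips_boot_check /proc/mounts "$(cat /proc/cmdline)"

# boot_is_separate MOUNTS_FILE: status 0 if /boot is its own mount point.
boot_is_separate() {
    awk '$2 == "/boot" { found = 1 } END { exit !found }' "$1"
}

# has_arg CMDLINE NAME: status 0 if NAME or NAME=value is on the cmdline.
has_arg() (
    set -f    # split on whitespace only, no glob expansion
    for arg in $1; do
        case "$arg" in "$2"|"$2"=*) exit 0 ;; esac
    done
    exit 1
)

# fips_boot_check MOUNTS_FILE CMDLINE: prints a verdict, status 0 only if ok.
fips_boot_check() {
    if ! has_arg "$2" "fips=1"; then
        echo "fips-not-requested"; return 2
    fi
    if boot_is_separate "$1"; then
        # Separate /boot: boot= is expected (assumed rule from the RHEL 7
        # procedure linked in the thread).
        if has_arg "$2" boot; then echo "ok"; return 0; fi
        echo "missing-boot-arg"; return 1
    fi
    # /boot on the root filesystem (the AWS public image case in this bug):
    # boot= must be left out.
    if has_arg "$2" boot; then echo "unexpected-boot-arg"; return 1; fi
    echo "ok"
}

# Constructed sample input modelled on the report: no /boot line in the
# mount table, kernel arguments as quoted in the first comment.
sample_mounts=$(mktemp)
cat > "$sample_mounts" <<'EOF'
/dev/nvme0n1p2 / xfs rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
EOF
sample_cmdline='console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau crashkernel=auto fips=1'
fips_boot_check "$sample_mounts" "$sample_cmdline"    # prints: ok
# Constructed boot= value; prints: unexpected-boot-arg
fips_boot_check "$sample_mounts" "$sample_cmdline boot=/dev/nvme0n1p1" || true
```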