Bug 1788051

Summary: Rhel node failed to start due to "dracut: FATAL: FIPS integrity test failed" with public image
Product: OpenShift Container Platform
Reporter: xiyuan
Component: Documentation
Assignee: Vikram Goyal <vigoyal>
Status: CLOSED EOL
QA Contact: Xiaoli Tian <xtian>
Severity: high
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 4.3.0
CC: aos-bugs, bbreard, dustymabe, eparis, imcleod, jligon, jokerman, kalexand, mifiedle, nstielau, pdhamdhe, scuppett, smilner, walters, xtian
Target Milestone: ---
Keywords: Reopened
Target Release: 4.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1789872
Environment:
Last Closed: 2021-04-07 19:16:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1787270, 1789873
Bug Blocks: 1789872
Attachments:
Console log for system halted (flags: none)

Description xiyuan 2020-01-06 09:05:14 UTC
Created attachment 1650067 [details]
Console log for system halted

Description of problem:
This is a clone of Bug 1787270, just for tracking use for OCP, as the Component for Bug 1787270 is RHEL7.

Enable FIPS on a RHEL VM with a public image (RHEL 7.6 provided by AWS, image: ami-0e166e72fda655c63). When FIPS mode is enabled, install OCP and reboot; it will fail to start because of "dracut: FATAL: FIPS integrity test failed".

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-12-30-201911

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS on a RHEL VM with a public image.
2. Install OCP and the other mandatory packages.
3. Reboot.

Actual results:
It will fail to start because of "dracut: FATAL: FIPS integrity test failed".

Expected results:
The RHEL node starts up normally without error.

Additional info:
The cluster is UPI on AWS.
It passed with the QE image (ami-02abd74486ad35bff), but failed with the public image (ami-0e166e72fda655c63, RHEL-7.6_HVM-20190618-x86_64-0-Hourly2-GP2, US East (Ohio) us-east-2).
This issue is blocking testing for all public images on AWS, GCE and OpenStack.
This issue was not reported earlier because there was no such issue with the QE private image. Recently, we have changed all images from the private QE image to the public images provided by AWS, GCE and OpenStack.

Comment 4 Stephen Cuppett 2020-01-07 19:29:41 UTC
I was able to enable FIPS in Ohio following the doc [1]. For the public image it's important to leave the boot= option out of GRUB [2]:

[ec2-user@ip-10-0-36-218 ~]$ df /boot
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/nvme0n1p2  33542124 2680564  30861560   8% /

GRUB_CMDLINE_LINUX="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau crashkernel=auto fips=1"

[ec2-user@ip-10-0-36-218 ~]$ cat /proc/sys/crypto/fips_enabled
1

Is this the procedure followed or did I do something different/incorrect?

[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations
[2]: http://blog.kwnetapps.com/aws-centos-7-fips-mode/
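The check in the comment above, turned into a small script, as an added example that is not part of the bug report or of Red Hat's documentation. It assumes (following the RHEL 7 Security Guide linked as [1]) that boot=UUID=<uuid> belongs in the kernel arguments only when /boot is a separate filesystem, and that on the AWS public image, where "df /boot" reports the root filesystem, boot= must be omitted. The function names, the "--live" switch and the sample device names and UUIDs are the author's own constructions; every check takes its inputs as arguments so it can be run against values copied from a console log as well as on a live host.

```shell
#!/bin/sh
# Added example, not from the bug report: decide whether RHEL 7 FIPS kernel
# arguments need a boot= option and audit a GRUB_CMDLINE_LINUX value for the
# AWS public-image case (/boot on the root filesystem), where boot= must be
# left out. Assumption, taken from the RHEL 7 Security Guide linked above:
# boot=UUID=<uuid> is required only when /boot is a separate filesystem.
# Checks take their inputs as arguments so they can be run against values
# copied from a console log or a "df /boot" transcript, not only a live host.

# fips_boot_arg ROOT_DEV BOOT_DEV BOOT_UUID
#   ROOT_DEV, BOOT_DEV: device backing / and /boot (first column of "df -P").
#   BOOT_UUID: filesystem UUID of BOOT_DEV (blkid -s UUID -o value BOOT_DEV).
#   Prints the boot= argument to append, or nothing when /boot is on root.
fips_boot_arg() {
    if [ "$1" = "$2" ]; then
        printf ''
    else
        printf 'boot=UUID=%s' "$3"
    fi
}

# check_cmdline CMDLINE SEPARATE_BOOT
#   CMDLINE: the value of GRUB_CMDLINE_LINUX. SEPARATE_BOOT: "yes" or "no".
#   Prints "ok", or the problem found, and returns non-zero on a problem.
check_cmdline() {
    cmdline=" $1 "
    separate=$2
    case "$cmdline" in
        *" fips=1 "*) ;;
        *) echo "missing fips=1"; return 1 ;;
    esac
    has_boot=no
    case "$cmdline" in
        *" boot="*) has_boot=yes ;;
    esac
    if [ "$separate" = no ] && [ "$has_boot" = yes ]; then
        echo "boot= is set but /boot is on the root filesystem; remove boot="
        return 1
    fi
    if [ "$separate" = yes ] && [ "$has_boot" = no ]; then
        echo "/boot is a separate filesystem but boot= is missing"
        return 1
    fi
    echo ok
}

# fips_state VALUE: interpret the contents of /proc/sys/crypto/fips_enabled
# ("1" is the value the comment above shows on a working host).
fips_state() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Live mode (Linux host with df, awk, blkid and /etc/default/grub): run with --live.
if [ "${1:-}" = --live ]; then
    root_dev=$(df -P / | awk 'NR==2 {print $1}')
    boot_dev=$(df -P /boot | awk 'NR==2 {print $1}')
    if [ "$root_dev" = "$boot_dev" ]; then
        separate=no
        echo "/boot is on the root filesystem ($root_dev); do not add boot="
    else
        separate=yes
        uuid=$(blkid -s UUID -o value "$boot_dev")
        echo "/boot is separate; add: $(fips_boot_arg "$root_dev" "$boot_dev" "$uuid")"
    fi
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' /etc/default/grub)
    check_cmdline "$cmdline" "$separate"
    echo "kernel FIPS mode: $(fips_state "$(cat /proc/sys/crypto/fips_enabled 2>/dev/null)")"
fi
```

Run with "--live" on the node before rebooting: a "remove boot=" result on a public AWS image is the configuration that produces the "dracut: FATAL: FIPS integrity test failed" halt described in this bug, and "kernel FIPS mode: enabled" after the reboot corresponds to the "1" shown in the comment above.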

Comment 12 xiyuan 2020-01-17 02:42:21 UTC
"TestBlocker" flag removed.
The issue is now for AWS public images only, when root is the same filesystem as boot. The RHEL node could start up; only the FIPS compliance check was not executed.
No such issue with GCE, OpenStack, vSphere.

Comment 13 Colin Walters 2020-01-31 19:09:00 UTC
There's no good component for this, but RHCOS is for RHEL CoreOS and this is about traditional. I think most likely this is either scaleup or docs. Moving to the latter for now.

Comment 16 Red Hat Bugzilla 2023-09-15 00:20:28 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
