Bug 2013430
Summary: | RHV 4.4. FIPS install leaves UUID blank in grub after setting kernel option | ||
---|---|---|---|
Product: | Red Hat Enterprise Virtualization Manager | Reporter: | hhaberma |
Component: | ovirt-engine | Assignee: | Liran Rotenberg <lrotenbe> |
Status: | CLOSED ERRATA | QA Contact: | Qin Yuan <qiyuan> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 4.4.6 | CC: | ahadas, apinnick, emarcus, lrotenbe, lsurette, mavital, michal.skrivanek, shaselde |
Target Milestone: | ovirt-4.4.10-1 | Keywords: | ZStream |
Target Release: | 4.4.10 | ||
Hardware: | Unspecified | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | ovirt-engine-4.4.10.5 | Doc Type: | Bug Fix |
Doc Text: |
Previously, when preparing a host with FIPS kernel parameters enabled, the boot UUID parameter was blank after reboot. In this release, the UUID is present in the kernel arguments. Enabling FIPS does not change the UUID after reboot.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-02-08 16:57:32 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | Virt | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
hhaberma
2021-10-12 20:10:29 UTC
I believe "Enable FIPS kernel parms on host through the admin portal" (step 3 from Steps to Reproduce) is not required, if a security profile is already selected during the host deployment. Liran, can you please check why the UUID is empty when FIPS mode is selected (see attachment in comment 1)? If the host already have FIPS enabled, it is not required to change it on the Host edit in the UI. Given the information I can't tell why it's empty. Please provide the output of VDSM getCapabilities (vdsm-client Host getCapabilities | grep boot_uuid) and the output of the vds_dynamic in the DB(select boot_uuid, rpm_version, fips_enabled from vds_dynamic where vds_id='<HOST_ID>';) Also, logs might be useful. Verified with: ovirt-engine-4.4.10.5-0.2.el8ev.noarch Steps: 1. Prepare a host with FIPS enabled [root@janus05 ~]# fips-mode-setup --check FIPS mode is enabled. [root@janus05 ~]# cat /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-348.13.1.el8_5.x86_64 root=/dev/mapper/VolGroup01-root ro nofb intel_iommu=on default_hugepagesz=1G hugepagesz=1G hugepages=4 hugepagesz=2M hugepages=1024 console=tty0 crashkernel=auto resume=UUID=b86cad60-b822-47b5-969e-c7167dd17de0 rd.lvm.lv=VolGroup01/root biosdevname=0 console=ttyS1,115200 fips=1 boot=UUID=6068667c-b186-418a-8299-38494b789e51 2. Enable FIPS kernel params on admin portal according to steps in https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/enabling_fips_using_the_rhv_manager_appendix_fips 3. Check host kernel cmdline after reboot Results: 1. When FIPS mode checkbox is selected on kernel tab of Edit Host window, only "fips=1" is presented in the "Kernel command line" box. 2. After reboot, there is no blank 'boot=UUID=' in the host kernel cmdline: [root@janus05 ~]# cat /proc/cmdline BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-348.13.1.el8_5.x86_64 root=/dev/mapper/VolGroup01-root ro nofb intel_iommu=on default_hugepagesz=1G hugepagesz=1G hugepages=4 hugepagesz=2M hugepages=1024 console=tty0 crashkernel=auto resume=UUID=b86cad60-b822-47b5-969e-c7167dd17de0 rd.lvm.lv=VolGroup01/root biosdevname=0 console=ttyS1,115200 boot=UUID=6068667c-b186-418a-8299-38494b789e51 fips=1 Hi Liran, please review this doc text (for the Errata) Previously, when preparing a host with FIPS kernel parameters enabled, following reboot, the boot UUID parameter was left blank. In this release, the UUID is already present in the kernel arguments, and enabling FIPS does not change the UUID following reboot. (In reply to Eli Marcus from comment #11) > Hi Liran, > please review this doc text (for the Errata) > > > Previously, when preparing a host with FIPS kernel parameters enabled, > following reboot, the boot UUID parameter was left blank. > In this release, the UUID is already present in the kernel arguments, and > enabling FIPS does not change the UUID following reboot. Previously, when preparing a host with FIPS kernel parameters enabled and boot UUID exists on the kernel parameters, following reboot, the boot UUID parameter was left blank. In this release, if UUID is already present in the kernel arguments, enabling FIPS does not change the UUID following reboot. I tried to emphasize that it's only when enabling FIPS and having the UUID already set pre-reboot. When the UUID doesn't exist we add it. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: RHV Manager (ovirt-engine) security update [ovirt-4.4.10-1]), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0475 Due to QE capacity, we are not going to cover this issue in our automation |