Bug 2148472

Summary:	stalld doesn't start when secure boot is enabled
Product:	Red Hat Enterprise Linux 8	Reporter:	Marius Cornea <mcornea>
Component:	stalld	Assignee:	Leah Leshchinsky <lleshchi>
Status:	CLOSED DUPLICATE	QA Contact:
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	8.6	CC:	bhu, kcarcia
Target Milestone:	rc	Keywords:	Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-12-02 13:54:16 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	128472, 2136560
Bug Blocks:

Description Marius Cornea 2022-11-25 15:21:56 UTC

Description of problem:

This issue has been observed on a single node OpenShift cluster. When secure boot is enabled stalld cannot start because it cannot access /sys/kernel/debug/sched_features as use of debugfs is not permitted in lockdown mode:

Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com kernel: Lockdown: stalld: debugfs is restricted; see man kernel_lockdown.7

Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com systemd[1]: Started Stall Monitor.
Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com systemd[1]: Reloading.
Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com stalld[15704]: /sys/kernel/debug/sched/features doesn't exist
Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com kernel: Lockdown: stalld: debugfs is restricted; see man kernel_lockdown.7
Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com stalld[15704]: /sys/kernel/debug/sched_features exists
Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com stalld[15704]: could not open /sys/kernel/debug/sched_features to set HRTICK: Operation not permitted
Nov 25 14:12:49 sno.kni-qe-24.lab.eng.rdu2.redhat.com stalld[15704]: stalld can't enable HRTICK. stalld cannot run in this mode. Exiting..


Version-Release number of selected component (if applicable):
stalld-1.17-3.el8_6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Run stalld on a secure boot enabled system

Actual results:
stalld service cannot start

Expected results:
stalld service start

Additional info: