Created attachment 1650067: Console log for system halted

Description of problem:
This is a clone of Bug 1787270, just for tracking use for OCP, as the Component for Bug 1787270 is RHEL7.
Enable FIPS on a RHEL VM with the public image (RHEL 7.6 provided by AWS image: ami-0e166e72fda655c63). When FIPS mode is enabled, install OCP, and reboot, it will fail to start because of "dracut: FATAL: FIPS integrity test failed".

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-12-30-201911

How reproducible:
Always

Steps to Reproduce:
1. Enable FIPS on the RHEL VM with the public image.
2. Install OCP and other mandatory packages.
3. Reboot.

Actual results:
It fails to start because of "dracut: FATAL: FIPS integrity test failed".

Expected results:
The RHEL node starts up normally without error.

Additional info:
The cluster is upi-aws. It passed with the QE image (ami-02abd74486ad35bff), but failed with the public image (ami-0e166e72fda655c63, RHEL-7.6_HVM-20190618-x86_64-0-Hourly2-GP2, US East (Ohio) us-east-2). This issue is blocking testing for all public images on AWS, GCE and OpenStack. This issue was not reported earlier because there was no such issue with the QE private image. Recently, we have changed all images from the private QE image to public images provided by AWS, GCE and OpenStack.
I was able to enable FIPS in Ohio following the doc [1]. For the public image it's important to leave the boot= option out of GRUB [2]:

[ec2-user@ip-10-0-36-218 ~]$ df /boot
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/nvme0n1p2  33542124 2680564  30861560   8% /

GRUB_CMDLINE_LINUX="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau crashkernel=auto fips=1"

[ec2-user@ip-10-0-36-218 ~]$ cat /proc/sys/crypto/fips_enabled
1

Is this the procedure followed or did I do something different/incorrect?

[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations
[2]: http://blog.kwnetapps.com/aws-centos-7-fips-mode/
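An added example, not part of this bug or the commenter's own steps, that turns the rule in the comment above into a read-only check: on RHEL 7 the kernel command line needs fips=1, and boot=<device> only when /boot is a separate filesystem (dracut's FIPS module uses it to locate the kernel's HMAC file). On the public AMI /boot sits on the root filesystem, so boot= has to be left out. The recorded values are the df output and GRUB line from the comment; the boot= device in the mismatch case is a placeholder, and the live check assumes a RHEL 7 host.

```shell
#!/bin/sh
# Added example (not from the bug report): read-only consistency check of the
# FIPS boot parameters against the /boot layout on a RHEL 7 system.

# boot_is_separate MOUNTPOINT
# MOUNTPOINT is the "Mounted on" column that `df -P /boot` reports.
# Prints "yes" when /boot is its own filesystem, "no" when it is part of /.
boot_is_separate() {
    case "$1" in
        /boot) echo yes ;;
        *)     echo no  ;;
    esac
}

# check_cmdline CMDLINE SEPARATE
# CMDLINE is the GRUB_CMDLINE_LINUX value (or /proc/cmdline); SEPARATE is the
# output of boot_is_separate. Prints exactly one verdict:
#   ok               fips=1 present and boot= agrees with the /boot layout
#   missing-fips     fips=1 not on the command line
#   boot-not-needed  boot= given although /boot is on the root filesystem
#   boot-missing     /boot is a separate filesystem but boot= is absent
check_cmdline() {
    has_fips=no
    has_boot=no
    for word in $1; do
        case "$word" in
            fips=1) has_fips=yes ;;
            boot=*) has_boot=yes ;;
        esac
    done
    if [ "$has_fips" != yes ]; then
        echo missing-fips
    elif [ "$2" = no ] && [ "$has_boot" = yes ]; then
        echo boot-not-needed
    elif [ "$2" = yes ] && [ "$has_boot" = no ]; then
        echo boot-missing
    else
        echo ok
    fi
}

# live_check: evaluate the running machine (RHEL 7 host assumed). It reads
# /proc/cmdline rather than /etc/default/grub so it reports what the kernel
# actually booted with, and prints the kernel's own FIPS flag alongside.
live_check() {
    mnt=$(df -P /boot 2>/dev/null | awk 'NR == 2 { print $6 }')
    [ -n "$mnt" ] || { echo "live: /boot not found, skipping"; return 0; }
    sep=$(boot_is_separate "$mnt")
    verdict=$(check_cmdline "$(cat /proc/cmdline 2>/dev/null)" "$sep")
    kernel_flag=$(cat /proc/sys/crypto/fips_enabled 2>/dev/null || echo unknown)
    echo "live: /boot on $mnt, separate=$sep, cmdline=$verdict, fips_enabled=$kernel_flag"
}

# Recorded values from the comment above: /boot is on / (nvme0n1p2) and the
# GRUB line carries fips=1 with no boot= option.
RECORDED_MNT="/"
RECORDED_CMDLINE="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau crashkernel=auto fips=1"
# Constructed variant with a boot= option added (device name is a placeholder):
# the layout mismatch the comment warns about.
MISMATCH_CMDLINE="$RECORDED_CMDLINE boot=/dev/PLACEHOLDER"

echo "recorded : $(check_cmdline "$RECORDED_CMDLINE" "$(boot_is_separate "$RECORDED_MNT")")"
echo "mismatch : $(check_cmdline "$MISMATCH_CMDLINE" "$(boot_is_separate "$RECORDED_MNT")")"
live_check
```

The recorded case prints `ok` and the constructed mismatch prints `boot-not-needed`; on a real host the last line shows whether the booted command line matches the actual /boot layout before a reboot is attempted.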
"TestBlocker" flag removed. The issue is now for AWS public images only, when root was the same filesystem as boot. The RHEL node could start up; only the FIPS compliance check was not executed. No such issue with GCE, OpenStack, vSphere.
There's no good component for this, but RHCOS is for RHEL CoreOS, this is about traditional. I think most likely this is either scaleup or docs. Moving to the latter for now.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days