Bug 1788051 - Rhel node failed to start due to "dracut: FATAL: FIPS integrity test failed" with public image [NEEDINFO]
Summary: Rhel node failed to start due to "dracut: FATAL: FIPS integrity test failed" ...
Keywords:
Status: ASSIGNED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.4.0
Assignee: Vikram Goyal
QA Contact: Xiaoli Tian
Vikram Goyal
URL:
Whiteboard:
Depends On: 1787270 1789873
Blocks: 1789872
TreeView+ depends on / blocked
 
Reported: 2020-01-06 09:05 UTC by xiyuan
Modified: 2020-02-02 12:01 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1789872 (view as bug list)
Environment:
Last Closed: 2020-01-08 06:06:41 UTC
Target Upstream Version:
smilner: needinfo? (xiyuan)
scuppett: needinfo? (xiyuan)
mifiedle: needinfo? (xiyuan)


Attachments (Terms of Use)
Console log for system halted (63.86 KB, text/plain)
2020-01-06 09:05 UTC, xiyuan
no flags Details

Description xiyuan 2020-01-06 09:05:14 UTC
Created attachment 1650067 [details]
Console log for system halted

Description of problem:
This is a clone of Bug 1787270. Just for tracking use for OCP as  Component for Bug 1787270 is RHEL7.

Enable fips on Rhel VM with public image(RHEL7.6 provided by aws
  image: ami-0e166e72fda655c63). when fips mode enalbed, intall  OCP, and reboot, it will failed to start because of "dracut: FATAL: FIPS  integrity test failed".

Version-Release number of selected component (if applicable):
4.3.0-0.nightly-2019-12-30-201911

How reproducible:
Always

Steps to Reproduce:
1.Enable fips on Rhel VM with public image.
2.install OCP and other mandatory packages.
3.reboot

Actual results:
it will failed to start because of "dracut: FATAL: FIPS  integrity test failed".

Expected results:
rhel node start up normally without error

Additional info:
The cluster is upi-aws.
It passed with QE image(ami-02abd74486ad35bff), but failed with public image(ami-0e166e72fda655c63, RHEL-7.6_HVM-20190618-x86_64-0-Hourly2-GP2, US East (Ohio) us-east-2).
This issue is blocking testing for all public images on aws, gce and openstack.
This issue was not reported earlier because there was no such issue with QE private image. Recently, we have changed all images from private QE image to public images provided by aws, gce and openstack.

Comment 4 Stephen Cuppett 2020-01-07 19:29:41 UTC
I was able to enable FIPS in Ohio following the doc [1]. For the public image it's important to leave the boot= option out of GRUB[2]:


[ec2-user@ip-10-0-36-218 ~]$ df /boot
Filesystem     1K-blocks    Used Available Use% Mounted on
/dev/nvme0n1p2  33542124 2680564  30861560   8% /


GRUB_CMDLINE_LINUX="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau crashkernel=auto fips=1"


[ec2-user@ip-10-0-36-218 ~]$ cat /proc/sys/crypto/fips_enabled
1

Is this the procedure followed or did I do something different/incorrect?

[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations
[2]: http://blog.kwnetapps.com/aws-centos-7-fips-mode/

Comment 12 xiyuan 2020-01-17 02:42:21 UTC
"TestBlocker" flag removed.
The issue is now for AWS public images only when root was the same filesystem as boot. The rhel node could startup, only the fips compliant check not executed.
No such issue with GCE, Openstack, Vsphere.

Comment 13 Colin Walters 2020-01-31 19:09:00 UTC
There's no good component for this, but RHCOS is for RHEL CoreOS, this is about traditional.  I think most likely this is either scaleup or docs.  Moving to the latter for now.


Note You need to log in before you can comment on or make changes to this bug.