Created attachment 1777825 [details] console-log Thanks for reporting your issue! In order for the CoreOS team to be able to quickly and successfully triage your issue, please fill out the following template as completely as possible. Be ready for follow-up questions and please respond in a timely manner. If we can't reproduce a bug, we might close your issue. --- OCP Version at Install Time: 4.7 RHCOS Version at Install Time: OCP Version after Upgrade (if applicable): RHCOS Version after Upgrade (if applicable): Platform: Z Architecture: s390x What are you trying to do? What is your use case? Installing a worker in fips mode What happened? What went wrong or what did you expect? Displaying logs from failed units: rhcos-fips.service -- Logs begin at Thu 2021-04-29 20:48:46 UTC, end at Thu 2021-04-29 20:48:51 UTC. -- Apr 29 20:48:49 systemd[1]: Starting Check for FIPS mode... Apr 29 20:48:50 rhcos-fips[763]: Found /etc/ignition-machine-config-encapsulated.json in Ignition config Apr 29 20:48:50 rhcos-fips[763]: FIPS mode required; updating BLS entries Apr 29 20:48:50 rhcos-fips[763]: Appending 'fips=1 boot=LABEL=boot' to /run/rhcos-fips/sysroot/boot/loader/entries/ostree-1-rhcos.conf Apr 29 20:48:50 rhcos-fips[763]: /usr/sbin/rhcos-fips: line 78: zipl: command not found Apr 29 20:48:50 systemd[1]: [0;1;39m[0;1;31m[0;1;39mrhcos-fips.service: Main process exited, code=exited, status=127/n/a[0m Apr 29 20:48:50 systemd[1]: [0;1;39m[0;1;31m[0;1;39mrhcos-fips.service: Failed with result 'exit-code'.[0m Apr 29 20:48:50 systemd[1]: [0;1;31m[0;1;39m[0;1;31mFailed to start Check for FIPS mode.[0m Apr 29 20:48:50 systemd[1]: rhcos-fips.service: Triggering OnFailure= dependencies. Press Enter for emergency shell or wait 5 minutes for reboot. Press Enter for emergency shell or wait 4 minutes 45 seconds for reboot. Press Enter for emergency shell or wait 4 minutes 30 seconds for reboot. Press Enter for emergency shell or wait 4 minutes 15 seconds for reboot. Press Enter for emergency shell or wait 3 minutes 30 seconds for reboot. Press Enter for emergency shell or wait 3 minutes 15 seconds for reboot. What are the steps to reproduce your issue? Please try to reduce these steps to something that can be reproduced with a single RHCOS node. If you're having problems booting/installing RHCOS, please provide: - the full contents of the serial console showing disk initialization, network configuration, and Ignition stage (see https://access.redhat.com/articles/7212 for information about configuring your serial console) - Ignition JSON - output of `journalctl -b` console log attached. If you're having problems post-upgrade, please provide: - A complete must-gather (`oc adm must-gather`) If you're having SELinux related issues, please provide: - The full `/var/log/audit/audit.log` file - Were any SELinux modules or booleans changed from the default configuration? - The output of `ostree admin config-diff | grep selinux/targeted` on impacted nodes Please add anything else that might be useful, for example: - kernel command line (`cat /proc/cmdline`) - contents of `/etc/NetworkManager/system-connections/` - contents of `/etc/sysconfig/network-scripts/`
FYI ndubrovs is looking into from a z perspective and will have a patch.
Per comment #1, I'm assigning this to Nikita
Created attachment 1777833 [details] Console Log
OCP Version at Install Time: 4.7.9 RHCOS Version at Install Time: 4.7.7 OCP Version after Upgrade (if applicable): RHCOS Version after Upgrade (if applicable): Platform: Z Architecture: s390x query cplevel z/VM Version 7 Release 1.0, service level 2001 (64-bit) Generated at 08/28/20 14:35:31 EDT IPL at 12/15/20 01:09:52 EDT Ready; T=0.01/0.01 11:24:37
Hi all. I've made a fix, now i'm testing it
PR: https://github.com/openshift/os/pull/546 Because of broken local rpm mirror wasn't able to build rhcos-47 and test it. So work is still in progress
Created attachment 1780295 [details] Installation log with patched rhcos image Log was captured on s390x zVM machine during installation of rhcos-47.83 image built with: - https://github.com/openshift/os/pull/546 - https://github.com/nikita-dubrovskii/s390-tools/commit/70dde0e7d64f39a6f4747306c15ebc053ba01b19
Setting the priority to low as we will be evaluating FIPS support in OCP for Z in an upcoming quarter
After discussing this with the OCP Multi Arch team, it appears there has been a misunderstanding. FIPS compliance on OCP running on s390x has never been supported. There is an open RFE for this work being tracked here - https://issues.redhat.com/browse/MULTIARCH-690 Since this would be a feature level change and not a bug fix, I am going to close this BZ as DEFERRED. Please follow the RFE for progress on supporting FIPS + OCP s390x.