2053913 – Installation of foreman-discovery-image package fails with error "does not verify: no digest" in Satellite 7.0 on top of FIPS enabled RHEL 8

Bug 2053913 - Installation of foreman-discovery-image package fails with error "does not verify: no digest" in Satellite 7.0 on top of FIPS enabled RHEL 8

Summary: Installation of foreman-discovery-image package fails with error "does not ve...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	6.11.0
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	high
Target Milestone:	6.11.0
Assignee:	Marie Hornickova
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-02-13 06:28 UTC by Sayan Das
Modified:	2022-07-25 13:18 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Release Note
Doc Text:	RHEL 8 FIPS mode installation failure When installing the `foreman-discovery-package` on RHEL 8 with FIPS mode enabled, the package installation fails with an error message stating `does not verify: no digest`. As a workaround, extract the ISO manually using `rpm2cpio foreman-discovery-image-XYZ.rpm \| cpio -idmv`, then convert the ISO to PXE files using the following commands: [start=1] . `ln -snf foreman-discovery-image-XYZ.iso fdi.iso` . `discovery-iso-to-pxe fdi.iso` . `mkdir -p /var/lib/tftpboot/boot/fdi-image` . `cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz` . `cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img` . `chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image` . `restorecon -RFv /var/lib/tftpboot/boot/fdi-image`
Clone Of:
Environment:
Last Closed:	2022-07-25 13:18:28 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SATDOC-752	0	None	None	None	2022-04-25 12:56:29 UTC
Red Hat Knowledge Base (Solution)	6964913	0	None	None	None	2022-06-27 16:36:55 UTC

Description Sayan Das 2022-02-13 06:28:32 UTC

Description of problem:

If Satellite 7.0 is running on a FIPS enabled RHEL 8.5, when I am trying to install the foreman-discovery-package it fails to get installed as dnf\yum verify its digest. 

Version-Release number of selected component (if applicable):

Satellite 7.0 (7.0.0-0.5.beta.el8sat)

RHEL 8.5 + FIPS

How reproducible:

Always

Steps to Reproduce:
1. Install RHEL 8.5 and enable FIPS
2. Setup repositories as per ohsnap\rh-engineering instructions 
3. Install "satellite" and "foreman-discovery-image" packages

Actual results:

The foreman-discovery-image package installation fails.


The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  package foreman-discovery-image-1:3.8.1-2.el7sat.noarch does not verify: no digest


If we look carefully, we ship an el7 package via RHEL 8 repo for Sat 7.0
~~
foreman-discovery-image.noarch                                 1:3.8.1-2.el7sat                                  Sat6-CI_Red_Hat_Satellite_7_0_Composes_Satellite_7_0_RHEL8
~~


Expected results:

To have foreman-discovery-package installed properly on a FIPS enabled RHEL 8 based Satellite 7.0 without needing to use any workaround 


Additional info:

NA

Comment 8 Lukas Zapletal 2022-04-05 07:29:12 UTC

RELEASE NOTES (please verify Sayan thank you):

Known issue doc:

When installing foreman-discovery-package on FIPS mode in RHEL8, RPM package installation will fail with "does not verify: no digest".

Solution:

Extract the ISO manually:

rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv

Convert the ISO to the PXE files:

ln -snf foreman-discovery-image-XYZ.iso fdi.iso
discovery-iso-to-pxe fdi.iso
cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz
cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img

Comment 9 Griffin Sullivan 2022-04-07 14:17:58 UTC

Verified Release Notes:

Issue:

Installing foreman-discovery-image package on FIPS mode in RHEL8, RPM package installation fails with "does not verify: no digest".

Solution:

1. If you do not have the foreman-discovery-image iso, try downloading from package manager at https://access.redhat.com/downloads/content/foreman-discovery-image/3.8.0-1.el7sat/noarch/fd431d51/package

2. Else, continue with steps as follows:

  A. rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv

  B. ln -snf usr/share/foreman-discovery-image/foreman-discovery-image-3.8.0-1.iso fdi.iso

  C. ./usr/bin/discovery-iso-to-pxe fdi.iso

  D. mkdir /var/lib/tftpboot/fdi-image

  E. cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz

  F. cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img

Comment 10 Sayan Das 2022-04-25 13:43:58 UTC

(In reply to Griffin Sullivan from comment #9)
> Verified Release Notes:
> 
> Issue:
> 
> Installing foreman-discovery-image package on FIPS mode in RHEL8, RPM
> package installation fails with "does not verify: no digest".
> 
> Solution:
> 
> 1. If you do not have the foreman-discovery-image iso, try downloading from
> package manager at
> https://access.redhat.com/downloads/content/foreman-discovery-image/3.8.0-1.
> el7sat/noarch/fd431d51/package
> 
> 2. Else, continue with steps as follows:
> 
>   A. rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv
> 
>   B. ln -snf
> usr/share/foreman-discovery-image/foreman-discovery-image-3.8.0-1.iso fdi.iso
> 
>   C. ./usr/bin/discovery-iso-to-pxe fdi.iso
> 
>   D. mkdir /var/lib/tftpboot/fdi-image
> 
>   E. cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz
> 
>   F. cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img


Hello,

For some reason, I never had a notification in my mailbox about Comment 8 and hence I missed the notes from lzap completely. 

Theoretically, the steps are looking good except for these i.e.

  D. mkdir /var/lib/tftpboot/fdi-image

  E. cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz

  F. cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img


The /var/lib/tftpboot/fdi-image/ should be /var/lib/tftpboot/boot/fdi-image/ if i am correct. And also "/var/lib/tftpboot/boot" and anything inside the same should have the ownership of foreman-proxy user 

Now, Practically, To verify whether the manual approach works and allows me to discover a host via PXE or not, I will need to install the latest snap of 6.11 on a FIPS-enabled system which will take some time.


-- Sayan

Comment 16 sabuchan 2022-06-14 19:22:25 UTC

RN draft:
*Installation of foreman-discovery-package fails on RHEL 8 with FIPS enabled* 

When installing the foreman-discovery-package on RHEL 8 with FIPS mode enabled, RPM package installation fails with the following error message: `does not verify: no digest`.

To work around this issue, extract the ISO manually by running `rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv` in your Terminal, then convert the ISO to the PXE files by running `ln -snf foreman-discovery-image-XYZ.iso fdi.iso
discovery-iso-to-pxe fdi.iso
mkdir -p /var/lib/tftpboot/boot/fdi-image
cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz
cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img
chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image
restorecon -RFv /var/lib/tftpboot/boot/fdi-image` in your Terminal.


Doc: https://docs.google.com/document/d/1xMkjPbkwF9ZJ95tEcWYmRRqVdusIZENHZsL3-B3YvJw/edit

Tagging @lzap for sanity check here and in doc.

Comment 17 Lukas Zapletal 2022-06-15 13:53:49 UTC

Yeah correct.

These are all separate commands, 7 in total, just to be clear:

ln -snf foreman-discovery-image-XYZ.iso fdi.iso
discovery-iso-to-pxe fdi.iso
mkdir -p /var/lib/tftpboot/boot/fdi-image
cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz
cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img
chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image
restorecon -RFv /var/lib/tftpboot/boot/fdi-image

Comment 18 sabuchan 2022-06-15 20:45:14 UTC

Final RN:

*RHEL 8 FIPS mode installation failure*

When installing the `foreman-discovery-package` on RHEL 8 with FIPS mode enabled, the package installation fails with an error message stating `does not verify: no digest`. As a workaround, extract the ISO manually using `rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv`, then convert the ISO to PXE files using the following commands:

[start=1]

. `ln -snf foreman-discovery-image-XYZ.iso fdi.iso`
. `discovery-iso-to-pxe fdi.iso`
. `mkdir -p /var/lib/tftpboot/boot/fdi-image`
. `cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz`
. `cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img`
. `chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image`
. `restorecon -RFv /var/lib/tftpboot/boot/fdi-image`

Comment 19 sabuchan 2022-07-25 13:18:28 UTC

Link to doc: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html/release_notes/assembly_introducing-red-hat-satellite_sat6-release-notes#ref_known-issues_assembly_introducing-red-hat-satellite

Note You need to log in before you can comment on or make changes to this bug.