Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 2053913 - Installation of foreman-discovery-image package fails with error "does not verify: no digest" in Satellite 7.0 on top of FIPS enabled RHEL 8
Summary: Installation of foreman-discovery-image package fails with error "does not ve...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Documentation
Version: 6.11.0
Hardware: All
OS: All
unspecified
high
Target Milestone: 6.11.0
Assignee: Marie Hornickova
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-02-13 06:28 UTC by Sayan Das
Modified: 2022-07-25 13:18 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Release Note
Doc Text:
*RHEL 8 FIPS mode installation failure* When installing the `foreman-discovery-package` on RHEL 8 with FIPS mode enabled, the package installation fails with an error message stating `does not verify: no digest`. As a workaround, extract the ISO manually using `rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv`, then convert the ISO to PXE files using the following commands: [start=1] . `ln -snf foreman-discovery-image-XYZ.iso fdi.iso` . `discovery-iso-to-pxe fdi.iso` . `mkdir -p /var/lib/tftpboot/boot/fdi-image` . `cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz` . `cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img` . `chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image` . `restorecon -RFv /var/lib/tftpboot/boot/fdi-image`
Clone Of:
Environment:
Last Closed: 2022-07-25 13:18:28 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SATDOC-752 0 None None None 2022-04-25 12:56:29 UTC
Red Hat Knowledge Base (Solution) 6964913 0 None None None 2022-06-27 16:36:55 UTC

Description Sayan Das 2022-02-13 06:28:32 UTC 
Description of problem:

If Satellite 7.0 is running on a FIPS enabled RHEL 8.5, when I am trying to install the foreman-discovery-package it fails to get installed as dnf\yum verify its digest. 

Version-Release number of selected component (if applicable):

Satellite 7.0 (7.0.0-0.5.beta.el8sat)

RHEL 8.5 + FIPS

How reproducible:

Always

Steps to Reproduce:
1. Install RHEL 8.5 and enable FIPS
2. Setup repositories as per ohsnap\rh-engineering instructions 
3. Install "satellite" and "foreman-discovery-image" packages

Actual results:

The foreman-discovery-image package installation fails.


The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  package foreman-discovery-image-1:3.8.1-2.el7sat.noarch does not verify: no digest


If we look carefully, we ship an el7 package via RHEL 8 repo for Sat 7.0
~~
foreman-discovery-image.noarch                                 1:3.8.1-2.el7sat                                  Sat6-CI_Red_Hat_Satellite_7_0_Composes_Satellite_7_0_RHEL8
~~


Expected results:

To have foreman-discovery-package installed properly on a FIPS enabled RHEL 8 based Satellite 7.0 without needing to use any workaround 


Additional info:

NA
Comment 8 Lukas Zapletal 2022-04-05 07:29:12 UTC 
RELEASE NOTES (please verify Sayan thank you):

Known issue doc:

When installing foreman-discovery-package on FIPS mode in RHEL8, RPM package installation will fail with "does not verify: no digest".

Solution:

Extract the ISO manually:

rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv

Convert the ISO to the PXE files:

ln -snf foreman-discovery-image-XYZ.iso fdi.iso
discovery-iso-to-pxe fdi.iso
cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz
cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img
Comment 9 Griffin Sullivan 2022-04-07 14:17:58 UTC 
Verified Release Notes:

Issue:

Installing foreman-discovery-image package on FIPS mode in RHEL8, RPM package installation fails with "does not verify: no digest".

Solution:

1. If you do not have the foreman-discovery-image iso, try downloading from package manager at https://access.redhat.com/downloads/content/foreman-discovery-image/3.8.0-1.el7sat/noarch/fd431d51/package

2. Else, continue with steps as follows:

  A. rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv

  B. ln -snf usr/share/foreman-discovery-image/foreman-discovery-image-3.8.0-1.iso fdi.iso

  C. ./usr/bin/discovery-iso-to-pxe fdi.iso

  D. mkdir /var/lib/tftpboot/fdi-image

  E. cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz

  F. cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img
Comment 10 Sayan Das 2022-04-25 13:43:58 UTC 
(In reply to Griffin Sullivan from comment #9)
> Verified Release Notes:
> 
> Issue:
> 
> Installing foreman-discovery-image package on FIPS mode in RHEL8, RPM
> package installation fails with "does not verify: no digest".
> 
> Solution:
> 
> 1. If you do not have the foreman-discovery-image iso, try downloading from
> package manager at
> https://access.redhat.com/downloads/content/foreman-discovery-image/3.8.0-1.
> el7sat/noarch/fd431d51/package
> 
> 2. Else, continue with steps as follows:
> 
>   A. rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv
> 
>   B. ln -snf
> usr/share/foreman-discovery-image/foreman-discovery-image-3.8.0-1.iso fdi.iso
> 
>   C. ./usr/bin/discovery-iso-to-pxe fdi.iso
> 
>   D. mkdir /var/lib/tftpboot/fdi-image
> 
>   E. cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz
> 
>   F. cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img


Hello,

For some reason, I never had a notification in my mailbox about Comment 8 and hence I missed the notes from lzap completely. 

Theoretically, the steps are looking good except for these i.e.

  D. mkdir /var/lib/tftpboot/fdi-image

  E. cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/fdi-image/vmlinuz

  F. cp ./tftpboot/initrd0.img /var/lib/tftpboot/fdi-image/initrd0.img


The /var/lib/tftpboot/fdi-image/ should be /var/lib/tftpboot/boot/fdi-image/ if i am correct. And also "/var/lib/tftpboot/boot" and anything inside the same should have the ownership of foreman-proxy user 

Now, Practically, To verify whether the manual approach works and allows me to discover a host via PXE or not, I will need to install the latest snap of 6.11 on a FIPS-enabled system which will take some time.


-- Sayan
Comment 16 sabuchan 2022-06-14 19:22:25 UTC 
RN draft:
*Installation of foreman-discovery-package fails on RHEL 8 with FIPS enabled* 

When installing the foreman-discovery-package on RHEL 8 with FIPS mode enabled, RPM package installation fails with the following error message: `does not verify: no digest`.

To work around this issue, extract the ISO manually by running `rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv` in your Terminal, then convert the ISO to the PXE files by running `ln -snf foreman-discovery-image-XYZ.iso fdi.iso
discovery-iso-to-pxe fdi.iso
mkdir -p /var/lib/tftpboot/boot/fdi-image
cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz
cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img
chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image
restorecon -RFv /var/lib/tftpboot/boot/fdi-image` in your Terminal.


Doc: https://docs.google.com/document/d/1xMkjPbkwF9ZJ95tEcWYmRRqVdusIZENHZsL3-B3YvJw/edit

Tagging @lzap for sanity check here and in doc.
Comment 17 Lukas Zapletal 2022-06-15 13:53:49 UTC 
Yeah correct.

These are all separate commands, 7 in total, just to be clear:

ln -snf foreman-discovery-image-XYZ.iso fdi.iso
discovery-iso-to-pxe fdi.iso
mkdir -p /var/lib/tftpboot/boot/fdi-image
cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz
cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img
chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image
restorecon -RFv /var/lib/tftpboot/boot/fdi-image
Comment 18 sabuchan 2022-06-15 20:45:14 UTC 
Final RN:

*RHEL 8 FIPS mode installation failure*

When installing the `foreman-discovery-package` on RHEL 8 with FIPS mode enabled, the package installation fails with an error message stating `does not verify: no digest`. As a workaround, extract the ISO manually using `rpm2cpio foreman-discovery-image-XYZ.rpm | cpio -idmv`, then convert the ISO to PXE files using the following commands:

[start=1]

. `ln -snf foreman-discovery-image-XYZ.iso fdi.iso`
. `discovery-iso-to-pxe fdi.iso`
. `mkdir -p /var/lib/tftpboot/boot/fdi-image`
. `cp ./tftpboot/vmlinuz0 /var/lib/tftpboot/boot/fdi-image/vmlinuz`
. `cp ./tftpboot/initrd0.img /var/lib/tftpboot/boot/fdi-image/initrd0.img`
. `chown -R foreman-proxy:root /var/lib/tftpboot/boot/fdi-image`
. `restorecon -RFv /var/lib/tftpboot/boot/fdi-image`
Comment 19 sabuchan 2022-07-25 13:18:28 UTC 
Link to doc: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.11/html/release_notes/assembly_introducing-red-hat-satellite_sat6-release-notes#ref_known-issues_assembly_introducing-red-hat-satellite
Note You need to log in before you can comment on or make changes to this bug.