Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-39536

RHCOS boot fails with fips=0

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • 4.18
    • RHCOS
    • None
    • False
    • Hide

      None

      Show
      None
    • Hide
      Cause: Explicitly disabling FIPS mode with `fips=0` causes some systemd services to run that assume FIPS mode was requested and fail. Even though FIPS mode being off is the default, adding `fips=0` shouldn't cause failures.

      Consequence: RHCOS fails to boot when `fips=0` is specified.

      Fix: A fix was introduced in the relevant systemd services so that they only run if `fips=1` was specified.

      Result: RHCOS now correctly boots without FIPS mode enabled when `fips=0` is specified.
      Show
      Cause: Explicitly disabling FIPS mode with `fips=0` causes some systemd services to run that assume FIPS mode was requested and fail. Even though FIPS mode being off is the default, adding `fips=0` shouldn't cause failures. Consequence: RHCOS fails to boot when `fips=0` is specified. Fix: A fix was introduced in the relevant systemd services so that they only run if `fips=1` was specified. Result: RHCOS now correctly boots without FIPS mode enabled when `fips=0` is specified.
    • Bug Fix
    • Proposed

      Adding fips=0 to the kernel params in RHOS results in rhcos-fips-finish failing and dracut dropping the the emergency shell

       

      Sep 04 09:12:15 localhost.localdomain systemd[1]: Starting Finish FIPS mode setup...
Sep 04 09:12:15 localhost.localdomain systemd[1]: rhcos-fips-finish.service: Main process exited, code=exited, status=1/FAILURE
Sep 04 09:12:15 localhost.localdomain rhcos-fips[1000]: FIPS mode is not enabled.
Sep 04 09:12:15 localhost.localdomain systemd[1]: rhcos-fips-finish.service: Failed with result 'exit-code'.
Sep 04 09:12:15 localhost.localdomain systemd[1]: Failed to start Finish FIPS mode setup.
Sep 04 09:12:15 localhost.localdomain systemd[1]: rhcos-fips-finish.service: Triggering OnFailure= dependencies.

      From what I can see rhcos-fips-finish shouldn't be getting triggered at all?

              dhiggins@redhat.com Derek Higgins
              dhiggins@redhat.com Derek Higgins
              Michael Nguyen Michael Nguyen
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: