[OCPBUGS-39536] RHCOS boot fails with fips=0 - Red Hat Issue Tracker

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.18
Component/s: RHCOS
Labels:
- rhcos-bootimage-needed

Regression:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, explicitly disabling FIPS mode with `fips=0` caused some systemd services, that assume FIPS mode was requested, to run and consequently fail. This issue resulted in {op-system} failing to boot. With this release, the relevant systemd services now only run if FIPS mode is enabled by specifying `fips=1`. As a result, {op-system} now correctly boots without FIPS mode enabled when `fips=0` is specified. (link:https://issues.redhat.com/browse/OCPBUGS-39536[*~~OCPBUGS-39536~~*])

Show
* Previously, explicitly disabling FIPS mode with `fips=0` caused some systemd services, that assume FIPS mode was requested, to run and consequently fail. This issue resulted in {op-system} failing to boot. With this release, the relevant systemd services now only run if FIPS mode is enabled by specifying `fips=1`. As a result, {op-system} now correctly boots without FIPS mode enabled when `fips=0` is specified. (link: https://issues.redhat.com/browse/OCPBUGS-39536 [* OCPBUGS-39536 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.18.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Adding fips=0 to the kernel params in RHOS results in rhcos-fips-finish failing and dracut dropping the the emergency shell

Sep 04 09:12:15 localhost.localdomain systemd[1]: Starting Finish FIPS mode setup...
Sep 04 09:12:15 localhost.localdomain systemd[1]: rhcos-fips-finish.service: Main process exited, code=exited, status=1/FAILURE
Sep 04 09:12:15 localhost.localdomain rhcos-fips[1000]: FIPS mode is not enabled.
Sep 04 09:12:15 localhost.localdomain systemd[1]: rhcos-fips-finish.service: Failed with result 'exit-code'.
Sep 04 09:12:15 localhost.localdomain systemd[1]: Failed to start Finish FIPS mode setup.
Sep 04 09:12:15 localhost.localdomain systemd[1]: rhcos-fips-finish.service: Triggering OnFailure= dependencies.

From what I can see rhcos-fips-finish shouldn't be getting triggered at all?

is blocked by

OCPBUGS-41259 [4.18] Bootimage bump tracker

Closed

links to

openshift/os#1600: OCPBUGS-39536: Only run rhcos-fips services if fips=1

RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update

Assignee:: Derek Higgins

Reporter:: Derek Higgins

QA Contact:: Michael Nguyen

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2024/09/04 10:47 AM

Updated:: 2025/02/25 4:41 AM

Resolved:: 2025/02/25 4:41 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates