  1. OpenShift Bugs
  2. OCPBUGS-50844

Doc Update: Add Steps to enable FIPS for ABI on IBMZ


    • Bug
    • Resolution: Done
    • Normal
    • 4.18
    • Documentation / Agents
    • Quality / Stability / Reliability
    • Moderate

      Description of problem:

          Add FIPS support for ABI in RH Doc

      ABI FIPS:
      To generate FIPS-compatible images, use a FIPS-compatible binary for s390x. Additionally, ensure that the VM or LPAR where you are generating the FIPS image for ABI is FIPS-compatible.

      Manually adding IBM Z agents
      Configuring FIPS in an IBM Z environment for LPAR & z/VM
      Procedure
      If you have an existing .parm file, edit it to include the following entry to enable FIPS.
      fips=1
      This parameter enables FIPS for the cluster.

      Example .parm file

      rd.neednet=1 cio_ignore=all,!condev
      console=ttysclp0
      coreos.live.rootfs_url=<coreos_url>
      ip=<ip>::<gateway>:<netmask>:<hostname>::none nameserver=<dns>
      rd.znet=qeth,<network_adaptor_range>,layer2=1
      rd.<disk_type>=<adapter>
      rd.zfcp=<adapter>,<wwpn>,<lun> random.trust_cpu=on
      fips=1
      zfcp.allow_lun_scan=0
      ai.ip_cfg_override=1
      ignition.firstboot ignition.platform.id=metal
      random.trust_cpu=on

      Adding IBM Z agents with RHEL KVM
      To enable FIPS mode, add --extra-args "fips=1" to the virt-install command.
      Sample virt-install command

      virt-install \
      --name <vm_name> \
      --autostart \
      --ram=16384 \
      --cpu host \
      --vcpus=8 \
      --location <path_to_kernel_initrd_image>,kernel=kernel.img,initrd=initrd.img \
      --disk <qcow_image_path> \
      --network network:macvtap,mac=<mac_address> \
      --graphics none \
      --noautoconsole \
      --wait=-1 \
      --extra-args "rd.neednet=1 nameserver=<nameserver>" \
      --extra-args "ip=<IP>::<nameserver>::<hostname>:enc1:none" \
      --extra-args "coreos.live.rootfs_url=http://<http_server>:8080/agent.s390x-rootfs.img" \
      --extra-args "random.trust_cpu=on rd.luks.options=discard" \
      --extra-args "ignition.firstboot ignition.platform.id=metal" \
      --extra-args "console=tty1 console=ttyS1,115200n8" \
      --extra-args "coreos.inst.persistent-kargs=console=tty1 console=ttyS1,115200n8" \
      --extra-args "fips=1" \
      --osinfo detect=on,require=off

      Note: FIPS with ISO boot for IBM Z is not supported.
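
One way to check the result of the steps above, as an added example that is not part of the original issue or the Red Hat documentation: the first function reads the fips= kernel argument from a .parm file or a saved copy of /proc/cmdline, the second reads /proc/sys/crypto/fips_enabled on a booted node. The function names, the sample files and the rule that the last fips= occurrence is the one in effect are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and sample files are hypothetical.

# fips_karg_state FILE: print enabled, disabled or absent for the fips=
# kernel argument in FILE (a .parm file or a saved copy of /proc/cmdline).
# Assumption: when fips= appears more than once, the last occurrence applies.
# Any value other than fips=1 (the setting the page specifies) is reported
# as disabled.
fips_karg_state() {
    last=$(tr -s ' \t' '\n\n' < "$1" | grep -E '^fips=' | tail -n 1)
    case "$last" in
        fips=1) echo enabled ;;
        '')     echo absent ;;
        *)      echo disabled ;;
    esac
}

# host_fips_state [PATH]: report what the running kernel says.
# /proc/sys/crypto/fips_enabled holds 1 when the kernel runs in FIPS mode.
host_fips_state() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] || { echo unknown; return 0; }
    if [ "$(cat "$f")" = 1 ]; then echo enabled; else echo disabled; fi
}

# Constructed samples; placeholders are kept from the page's example .parm file.
demo=$(mktemp -d)
printf '%s\n' 'rd.neednet=1 cio_ignore=all,!condev' 'console=ttysclp0' \
    'rd.zfcp=<adapter>,<wwpn>,<lun> random.trust_cpu=on' 'fips=1' \
    'zfcp.allow_lun_scan=0' > "$demo/good.parm"
printf '%s\n' 'rd.neednet=1 console=ttysclp0' 'random.trust_cpu=on' \
    > "$demo/missing.parm"
# Typographic quotes pasted into a command become part of the token, so the
# kernel never sees a fips= argument.
printf '%s\n' 'rd.neednet=1 “fips=1” console=tty1' > "$demo/curly.cmdline"
# A later fips=0 overrides an earlier fips=1 under the assumption above.
printf '%s\n' 'fips=1 console=tty1 fips=0' > "$demo/override.cmdline"

for f in "$demo"/*; do
    printf '%-18s %s\n' "${f##*/}" "$(fips_karg_state "$f")"
done
printf 'running host       %s\n' "$(host_fips_state)"
```

On a booted agent node, run `fips_karg_state /proc/cmdline` and `host_fips_state` together: the first shows what was requested at boot, the second what the kernel actually enabled.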

              sniemann@redhat.com Silke Niemann
              dveerabh@redhat.com Neeraj Mishra (Inactive)
              Manoj Hans