RHEL-80867

[RHEL-9] Initial attempts to download stage2 are failing when using encrypted DNS

    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • rhel-9.6
    • anaconda
    • None
    • No
    • Moderate
    • rhel-sst-installer
    • None
    • False
    • Yes
    • None
    • None
    • None
    • Known Issue
      .Hostname resolution fails with encrypted DNS and custom CA in boot options

      While using the `inst.repo=` or `inst.stage2=` boot options in the kernel command line along with a remote installation URL, an encrypted DNS, and a custom CA certificate in the kickstart file, the installer attempts to download the `install.img` stage2 image before processing the kickstart file. Consequently, the hostname resolution fails, leading to display of some errors before successfully fetching the stage2 image. To work around this issue, define the installation source in the kickstart file instead of the kernel command line.
    • Done
    • Done
    • Done
    • Done
    • None

      What were you trying to do that didn't work?

      I tried to fetch stage2 from an HTTP server while using an encrypted DNS server to resolve the host names. A few initial attempts to download the image failed, since the provided kickstart file with the eDNS certificate was processed after these initial download attempts. Once the kickstart had been processed and the micro-dnsconfd/unbound services started, the stage2 image was downloaded successfully:

      ...
      [  OK  ] Reached target basic.target - Basic System.
      [  OK  ] Finished nm-wait-online-initrd.service.
               Starting dracut-initqueue.service - dracut initqueue hook...
      [   16.819754] dracut-initqueue[1209]: Warning: can't find installer main image path in .treeinfo
      [   16.830652] dracut-initqueue[1398]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
      [   16.830891] dracut-initqueue[1398]:                                  Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   16.833243] dracut-initqueue[1398]: Warning: Problem : timeout. Will retry in 1 seconds. 3 retries left.
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   17.836761] dracut-initqueue[1398]: Warning: Problem : timeout. Will retry in 2 seconds. 2 retries left.
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   19.842937] dracut-initqueue[1398]: Warning: Problem : timeout. Will retry in 4 seconds. 1 retries left.
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   23.858841] dracut-initqueue[1392]: Warning: Downloading 'http://rtt1.usersys.redhat.com/jstodola/edns/unpacked//images/install.img' failed!
      [   23.867557] dracut-initqueue[1410]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
      [   23.867765] dracut-initqueue[1410]:                                  Dload  Upload   Total   Spent    Left  Speed
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   23.871694] dracut-initqueue[1410]: Warning: Problem : timeout. Will retry in 1 seconds. 3 retries left.
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   24.873840] dracut-initqueue[1410]: Warning: Problem : timeout. Will retry in 2 seconds. 2 retries left.
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   26.877368] dracut-initqueue[1410]: Warning: Problem : timeout. Will retry in 4 seconds. 1 retries left.
        0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
      [   30.884927] dracut-initqueue[1404]: Warning: Downloading 'http://rtt1.usersys.redhat.com/jstodola/edns/unpacked//LiveOS/squashfs.img' failed!
      [   30.887146] dracut-initqueue[1209]: Warning: anaconda: failed to fetch stage2 from http://rtt1.usersys.redhat.com/jstodola/edns/unpacked/
               Starting micro-dnsconfd.service - …ative implementation of Dnsconfd...
      [  OK  ] Finished micro-dnsconfd.service - … native implementation of Dnsconfd.
               Starting unbound.service - Unbound recursive Domain Name Server...
      [  OK  ] Started unbound.service - Unbound recursive Domain Name Server.
      [  OK  ] Reached target nss-lookup.target - Host and Network Name Lookups.
      [   32.793933] dracut-initqueue[1209]: Warning: can't find installer main image path in .treeinfo
      [   32.802059] dracut-initqueue[1649]:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
      [   32.803145] dracut-initqueue[1649]:                                  Dload  Upload   Total   Spent    Left  Speed
      100  632M  100  632M    0     0  18.1M      0  0:00:34  0:00:34 --:--:-- 18.6M
      clocksource: Long readout interval, skipping watchdog check: cs_nsec: 1311886314 wd_nsec: 495941539
      [  OK  ] Finished dracut-initqueue.service - dracut initqueue hook.
      [  OK  ] Reached target remote-fs-pre.targe…reparation for Remote File Systems.
      [  OK  ] Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
      ...
      

       

      What is the impact of this issue to you?

      Error messages during initial attempts to download stage2 when using encrypted DNS.

      Please provide the package NVR for which the bug is seen:

      An unreleased version of anaconda, custom boot.iso

      How reproducible is this bug?:

      Always

      Steps to reproduce

      1. Have a kickstart file with the %certificate section containing the eDNS CA certificates.
      2. Use mkksiso to insert the kickstart file to the tested ISO image.
      3. Start the installation from the updated ISO and add the necessary boot options pointing to the encrypted DNS server (rd.net.dns=dns+tls://... rd.net.dns-backend=dnsconfd). Also specify the URL to stage2 (inst.stage2=http://...) on the kernel command line.

      Expected results

      Stage2 is fetched without errors.

      Actual results

      Errors during initial attempts to download stage2.

      Workaround

      A workaround is to specify the installation source in the kickstart file and not to use inst.repo= or inst.stage2= kernel cmdline options pointing to a remote location (http/ftp/nfs).
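
A triage helper for console output like the log above, as an added example that is not part of the original report or of anaconda: it separates the harmless ordering pattern described here (resolution errors only before `unbound.service` starts, followed by a completed download) from cases where the encrypted DNS setup itself is not working. The function name and verdict labels are hypothetical, and the sample log is constructed by abridging the output in this report.

```python
import re

# Constructed sample, abridged from the console output in this report.
SAMPLE_LOG = """\
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: rtt1.usersys.redhat.com
[   30.887146] dracut-initqueue[1209]: Warning: anaconda: failed to fetch stage2 from http://rtt1.usersys.redhat.com/jstodola/edns/unpacked/
[  OK  ] Started unbound.service - Unbound recursive Domain Name Server.
100  632M  100  632M    0     0  18.1M      0  0:00:34  0:00:34 --:--:-- 18.6M
"""

RESOLVE_FAIL = re.compile(r"curl: \(6\) Could not resolve host: (\S+)")
RESOLVER_UP = re.compile(r"Started unbound\.service")
# curl progress row whose "% Total" and "% Received" columns both read 100
DOWNLOAD_DONE = re.compile(r"^\s*100\s+\S+\s+100\s+\S+\s")

def triage(console_log):
    """Verdict labels are hypothetical; curl lines lack timestamps, so line order is used."""
    before = after = 0
    hosts = set()
    resolver_up = downloaded = False
    for line in console_log.splitlines():
        if RESOLVER_UP.search(line):
            resolver_up = True
            continue
        failure = RESOLVE_FAIL.search(line)
        if failure:
            hosts.add(failure.group(1))
            if resolver_up:
                after += 1
            else:
                before += 1
        elif resolver_up and DOWNLOAD_DONE.match(line):
            downloaded = True
    if before + after == 0:
        verdict = "clean"
    elif not resolver_up:
        verdict = "resolver-never-started"  # eDNS backend did not come up
    elif after:
        verdict = "resolver-failing"        # errors persist: check CA and server
    elif downloaded:
        verdict = "early-fetch-ordering"    # the pattern this issue describes
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "failures_before": before,
            "failures_after": after, "hosts": sorted(hosts)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Only the `early-fetch-ordering` verdict corresponds to this known issue; any resolution failure logged after the resolver has started points at the DNS server, the CA certificate, or the boot options instead.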

       

              anaconda-maint-list
              Jan Stodola (jstodola@redhat.com)
              anaconda-maint-list
              Release Test Team
              Sagar Dubewar