

The in-place upgrade fails when FIPS is enabled, using builds with the new storage initialisation (tbd: add ticket). The problem is that we mount the boot partition at /sysroot/boot, but the fips dracut module expects it to be mounted at /boot (initramfs) instead. As it cannot discover any related .hmac file, it ends with the following error:

    dracut: FATAL: FIPS integrity test failed
    Warning: /boot//.vmlinuz-<version>.hmac does not exists
    dracut: Refusing to continue

The solution is either to remove the `boot` argument from the kernel cmdline (only for the upgrade boot entry!) and then ensure it is set back for the target upgrade kernel, or to create an additional mount unit file to bind-mount /sysroot/boot to /boot automatically. The second option seems better, as we do not know what negative consequences could occur on some setups if we drop the boot argument from the kernel cmdline. So the bind-mount seems to be safer.

Steps to reproduce:

1. Set up the machine to use FIPS following the article
2. Proceed with standard upgrade

Additional info:

Content of /boot:

    [root@localhost rh]# ls -la /boot/ | grep vmlinuz-upgrade
    -rwxr-xr-x. 1 root root 15092528 Oct 24 07:21 vmlinuz-upgrade.x86_64
    -rw-r--r--. 1 root root 153 Oct 24 07:23 .vmlinuz-upgrade.x86_64.hmac
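The path mismatch described above can be reproduced in a scratch directory. The script below is an added example, not code from dracut or from the upgrade tooling: the function names and the temporary layout are assumptions, and it only checks that the hidden .hmac file is reachable beside the kernel image, without verifying the HMAC itself.

```shell
#!/bin/sh
# Added example, not dracut or upgrade-tool code; names are hypothetical.
# Presence check only: it does not recompute or verify the HMAC value.

# hmac_path BOOTDIR IMAGE -> path of the hidden .hmac file beside IMAGE
hmac_path() {
    printf '%s/.%s.hmac\n' "$1" "$2"
}

# check_kernel_hmac BOOTDIR IMAGE
# 0: image and non-empty .hmac present; 1: .hmac missing or empty;
# 2: .hmac present but the kernel image itself is missing.
check_kernel_hmac() {
    [ -s "$(hmac_path "$1" "$2")" ] || return 1
    [ -f "$1/$2" ] || return 2
    return 0
}

# first_usable_bootdir IMAGE DIR... -> prints the first DIR that passes
first_usable_bootdir() {
    image=$1; shift
    for dir in "$@"; do
        if check_kernel_hmac "$dir" "$image"; then
            printf '%s\n' "$dir"; return 0
        fi
    done
    return 1
}

# Constructed layout: boot partition content exists only under sysroot/boot,
# while boot is empty, as in the failing upgrade initramfs.
make_demo_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/boot" "$root/sysroot/boot"
    : > "$root/sysroot/boot/vmlinuz-upgrade.x86_64"
    echo "constructed-digest  vmlinuz-upgrade.x86_64" \
        > "$root/sysroot/boot/.vmlinuz-upgrade.x86_64.hmac"
    printf '%s\n' "$root"
}

demo=$(make_demo_root)
for d in "$demo/boot" "$demo/sysroot/boot"; do
    rc=0; check_kernel_hmac "$d" vmlinuz-upgrade.x86_64 || rc=$?
    echo "${d#"$demo"}: rc=$rc"
done
rm -rf "$demo"
```

In the constructed layout the lookup under /boot returns 1 while the same lookup under /sysroot/boot returns 0, which is the gap the proposed bind-mount closes.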
 
Unresolved
Red Hat Integration