Boot issue after the upgrade

skp18

New Member
Joined
Dec 4, 2022
Messages
16
Reaction score
1
Credits
152
I upgraded (in place using leapp) one of the servers RHEL v7.9 to 8.9. As per the preupgrade report I had to disable the FIPS mode. I enabled the FIPS mode after the successful upgrade & reboot. The server doesn't boot now. Any help would be greatly appreciated.

I enabled using the below commands.

grub2-mkconfg -o /boot/grub2/grub.cfg
dracut -f
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1
 


I tried to enable the fips mode

fips-mode-setup --check
fips-mode-setup --enable

It shows a lot of .ko files, no such file or directory errors, and then

Installation of FIPS modules could not be completed.
 
I haven't worked with fips, but your answers aren't very informative.
It shows a lot of .ko files, no such file or directory errors, and then
Which ko files and which directories? I looked something up and it seems with Rhel7 there are packages installed for fips but with Rhel8 there aren't any packages installed for fips.
I installed Rhel8 and enabled fips without issues, so it would be helpful if you provided the details mentioned earlier or you can just create a contact for Redhat support.
 
The errors are basically a lot of occurrences of dracut installkernal failed and a lot of occurrences of "no such file or directory" errors. I really cannot get the complete output here.
I also tried updating the kernal and removing old kernel using "yum remove --oldinstallonly --setopt installonly_limit=2 kernal"
 
The only thing I can think of since enabling fips on a freshly installed Rhel8 system worked for me and it's not working for you that something might be left over from the way fips was implemented on Rhel7. So look in that direction and the other option is to contact Red Hat support since you have a Rhel license.
 
In RHEL7 whenever I apply automated OS patching it has the below commands as well to enable FIPS. These are all AWS EC2 instances.

grub2-mkconfg -o /boot/grub2/grub.cfg
dracut -f
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1

I tried the same in 8 but was not able to boot.
 
grub2-mkconfg -o /boot/grub2/grub.cfg
dracut -f
grubby --update-kernel=$(grubby --default-kernel) --args=fips=1

I tried the same in 8 but was not able to boot.
When I do that on my Rhel8 system it doesn't boot correctly and it gets stuck at booting. When I run the following.
Code:
/usr/bin/fips-mode-setup --enable
And then reboot, my system boots in fips mode with the fips enabled boot parameters.
[root@rocky8-test ~]# cat /etc/redhat-release
Rocky Linux release 8.9 (Green Obsidian)
[root@rocky8-test ~]# /usr/bin/fips-mode-setup --check
FIPS mode is enabled.
[root@rocky8-test ~]# grep fips /proc/cmdline
BOOT_IMAGE=(hd0,msdos1)/vmlinuz-4.18.0-513.5.1.el8_9.x86_64 root=/dev/mapper/rl-root ro crashkernel=auto resume=/dev/mapper/rl-swap rd.lvm.lv=rl/root rd.lvm.lv=rl/swap rhgb quiet fips=1 boot=UUID=6baa6603-ed5b-426c-9a9e-a90c07605205
According to the Rhel8 documentation you shouldn't be using what you use for Rhel8 but the command "fips-mode-setup".
The steps for fips mode Rhel7,8, and 9 are different.
 
I was able to enable the FIPS mode after removing the el7 boot loader kernel packages. Redhat documentation says, "After you upgrade a system that is running in Federal Information Processing Standard (FIPS) mode, you must regenerate and otherwise ensure the FIPS compliance of all cryptographic keys." Should I re-generate cryptographic keys?

 
I was able to enable the FIPS mode after removing the el7 boot loader kernel packages. Redhat documentation says, "After you upgrade a system that is running in Federal Information Processing Standard (FIPS) mode, you must regenerate and otherwise ensure the FIPS compliance of all cryptographic keys." Should I re-generate cryptographic keys?
If Red Hat advises it in their documentation I would do so.
 
I'm moving this to Red Hat

Wizard
 
Top