From 56a0162e3c7244b3d65523c0288abe1b4be6ffb0 Mon Sep 17 00:00:00 2001 From: Nikita Dubrovskii Date: Mon, 3 May 2021 11:10:27 +0200 Subject: [PATCH 1/3] overlay.d: s390x: add to ramdisk missig zipl This is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1955621 When starting OCP in fips mode it immediate fails during install: ``` systemd[1]: Starting Check for FIPS mode... rhcos-fips[763]: Found /etc/ignition-machine-config-encapsulated.json in Ignition config rhcos-fips[763]: FIPS mode required; updating BLS entries rhcos-fips[763]: Appending 'fips=1 boot=LABEL=boot' to /run/rhcos-fips/sysroot/boot/loader/entries/ostree-1-rhcos.conf rhcos-fips[763]: /usr/sbin/rhcos-fips: line 78: zipl: command not found ``` Signed-off-by: Nikita Dubrovskii --- .../usr/lib/dracut/modules.d/40rhcos-fips/module-setup.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/module-setup.sh b/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/module-setup.sh index 1375fb9f..4747674c 100755 --- a/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/module-setup.sh +++ b/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/module-setup.sh @@ -17,6 +17,12 @@ install() { bwrap \ env + local _arch=${DRACUT_ARCH:-$(uname -m)} + if [[ "$_arch" == "s390x" ]]; then + inst_multiple zipl + inst /lib/s390-tools/stage3.bin + fi + inst_script "$moddir/rhcos-fips.sh" \ "/usr/sbin/rhcos-fips" inst_script "$moddir/coreos-dummy-ignition-files-run.sh" \ From 11fa5a236fda040a94d83fcbe2e70f8a3da95623 Mon Sep 17 00:00:00 2001 From: Muhammad Adeel Date: Fri, 18 Jun 2021 09:14:21 +0200 Subject: [PATCH 2/3] overlay.d: fips: s390x: fix zipl parmfile Zipl expects only kernel command line options in the parmfile. If a whole bls file is provided as a parmfile, the system will not be able to boot and switch to rescue mode after reboot. --- .../usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh b/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh index f1071819..6d8158dd 100755 --- a/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh +++ b/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh @@ -70,16 +70,18 @@ firstboot() { # We need to call zipl with the kernel image and ramdisk as running it without these options would require a zipl.conf and chroot # into rootfs tmpfile=$(mktemp) + optfile=$(mktemp) for f in "${tmpsysroot}"/boot/loader/entries/*.conf; do for line in title version linux initrd options; do echo $(grep $line $f) >> $tmpfile done done + grep options $tmpfile | cut -d ' ' -f2- > $optfile zipl --verbose \ --target "${tmpsysroot}/boot" \ --image $tmpsysroot/boot/"$(grep linux $tmpfile | cut -d' ' -f2)" \ --ramdisk $tmpsysroot/boot/"$(grep initrd $tmpfile | cut -d' ' -f2)" \ - --parmfile $tmpfile + --parmfile $optfile fi echo "Rebooting" From 2e65604b8893aeefa65a8db20c62d67835285966 Mon Sep 17 00:00:00 2001 From: Nikita Dubrovskii Date: Tue, 4 May 2021 14:54:05 +0200 Subject: [PATCH 3/3] overlay.d: s390x: rhcos-fips: add ignition.firstboot kernel option to zipl We enable FIPS during firstboot and than reboot the machine before ignition runs, so to allow it do its work on next boot with enabled FIPS, we have to save ignition.firstboot karg Signed-off-by: Nikita Dubrovskii --- .../usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh b/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh index 6d8158dd..ce89e420 100755 --- a/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh +++ b/overlay.d/05rhcos/usr/lib/dracut/modules.d/40rhcos-fips/rhcos-fips.sh @@ -76,7 +76,9 @@ firstboot() { echo $(grep $line $f) >> $tmpfile done done - grep options $tmpfile | cut -d ' ' -f2- > $optfile + echo "Appending 'ignition.firstboot' to ${optfile}" + options="$(grep options $tmpfile | cut -d ' ' -f2-) ignition.firstboot" + echo $options > "$optfile" zipl --verbose \ --target "${tmpsysroot}/boot" \ --image $tmpsysroot/boot/"$(grep linux $tmpfile | cut -d' ' -f2)" \