USHIFT-6978: install dracut-fips in RHEL 9 bootc FIPS images#6657
USHIFT-6978: install dracut-fips in RHEL 9 bootc FIPS images#6657agullon wants to merge 1 commit into
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@agullon: This pull request references USHIFT-6978 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: agullon The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
|
/test e2e-aws-tests-release |
|
/cherrypick release-4.22 |
|
@agullon: once the present PR merges, I will cherry-pick it on top of DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
💤 Files with no reviewable changes (1)
WalkthroughThe PR removes the FIPS initramfs module presence verification from the ChangesFIPS Validation Test Simplification
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Suggested labels
Suggested reviewers
🚥 Pre-merge checks | ✅ 12✅ Passed checks (12 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Comment |
|
/override ci/prow/e2e-aws-tests-release |
|
@agullon: Overrode contexts on behalf of agullon: ci/prow/e2e-aws-tests-release, ci/prow/e2e-aws-tests-release-arm DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
| ... bash -c 'lsinitrd -m 2>/dev/null | grep -Fxq fips' | ||
| ... sudo=False return_rc=True return_stdout=True return_stderr=True | ||
| Should Be Equal As Integers 0 ${rc} | ||
| END |
There was a problem hiding this comment.
Can we install the missing package instead of disabling the test?
There was a problem hiding this comment.
yes, we can, it's another possible approach, I thought about it
I prefer to keep the test prerequisites as small and simple as possible. I don't see a benefict of adding a new package for a small check. Also, this new package is not needed and tested for RHEL10.
Also, whit this extra if in the test we have documented in the test code the differences between RHEL9 and RHEL10 which may be useful as extra info in the future.
There was a problem hiding this comment.
We should either remove the test completely, or make it work on both operating systems.
Adding OS-specific conditional code should only be a last resort.
There was a problem hiding this comment.
I'll remove this check, I tried these two ideas (add an RPM and add a fips config) ideas but they didn't work.
There was a problem hiding this comment.
@ggiguash all changes done, please review the PR again
openshift-ci
Bot
added
the
do-not-merge/work-in-progress
agullon
changed the title
openshift-ci
Bot
removed
the
do-not-merge/work-in-progress
|
@agullon: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
The lsinitrd FIPS module presence check fails on RHEL 9 bootc images because the dracut-fips package is not installed. Rather than adding the package, remove the check entirely as the remaining validations (crypto flag and crypto policies) are sufficient to verify FIPS mode. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> pre-commit.check-secrets: ENABLED
|
/cherrypick release-4.22 |
|
@agullon: once the present PR merges, I will cherry-pick it on top of DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
/verified by CI |
openshift-ci-robot
added
the
verified
|
@agullon: This PR has been marked as verified by DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
4 participants
Summary
dracut-fipsin RHEL 9 bootc FIPS containerfiles (presubmit and release)fipsdracut module is in the separatedracut-fipspackage — without it the initramfs lacks the module and thelsinitrdFIPS check failsdracutpackage and is always presentTest plan
el98-lrel@ai-model-serving-online-fipsscenario passes on RHEL 9 bootcJira: https://issues.redhat.com/browse/USHIFT-6978
🤖 Generated with Claude Code
Summary by CodeRabbit