RHEL8.3 Won't Boot After Kickstart
I ran into a strange issue trying to build a RHEL8.3 box from a kickstart and wanted to put this out for anyone having the same problem.
TL;DR: If you enable FIPS in your kickstart (bootloader --location=mbr --append="fips=1"), you also need to include fips=1 in the kernel boot options when you start the install.
I am not really sure what has changed between 8.2 and 8.3 but the kickstart I used to build a RHEL8.2 box would not work for RHEL8.3.
Just after install, my freshly minted RHEL8.3 box would hang. It did so very similarly to what is described here: https://access.redhat.com/discussions/2598541
I noticed at the very beginning of my install, there were error messages saying certain modules could not be found.
dracut-pre-trigger[252]: modprobe: FATAL: Module sha1 not found.
dracut-pre-trigger[252]: modprobe: FATAL: Module sha256 not found.
This led me to this post: https://access.redhat.com/solutions/2853221
Now Red Hat says the errors can be ignored, but if you read the last 2 comments, Renaud Metrich asks about boot options:
12 December 2018 1:46 PM
Margaret (Peg) McCartney
The error messages cannot be disregarded. In my case, they are followed by:
dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue
dracut-pre-trigger[295]: Warning: /boot/.vmlinuz-3.10.0-957.1.3.el7.x86_64.hmac does not exist
System halted
After the latest RHEL7 patches, the system will not boot
12 December 2018 2:02 PM
Renaud Metrich
I believe this has nothing to do with the messages, please show us the kernel command line arguments. This looks like you didn't specify "boot=" parameter
This got me thinking. I had recently run into a somewhat related issue a few weeks back. When I would enable FIPS and LUKS on a RHEL8.2 box in my kickstart, and I did not include fips=1 in the kernel boot options during install, the OS would not accept my LUKS password and the install was essentially dead in the water.
With this in mind, I went back to my dead 8.3 box and set the kernel boot option to fips=0. Guess what: it booted.
So I took this a step further and added fips=1 to the kernel boot option during the install. Guess what: the machine no longer hung and booted as expected.
In my kickstart, I enable FIPS like this:
bootloader --location=mbr --append="fips=1"
Kernel boot options would look something like this:
inst.ks=http://192.168.100.1:80/kickstart.cfg RUNKS=1 fips=1
You would think that setting --append="fips=1" in your kickstart is enough to enable FIPS, but sadly it is not.
I hope this helps someone else.
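A pre-flight check for the mismatch described above, as an added example that is not part of the original post: it compares the bootloader --append value in a kickstart with the kernel command line the installer was booted with. The function names and the sample kickstart are constructed for illustration; on a real installer the second argument would come from /proc/cmdline.

```bash
#!/bin/sh
# Added example: flag a kickstart that appends fips=1 to the installed
# system's bootloader while the installer itself was booted without fips=1.

# Succeed if the space-separated argument string contains the word fips=1.
has_fips1() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
    esac
    return 1
}

# Print the --append value of the kickstart bootloader command (quoted or not).
ks_append_args() {
    sed -nE '/^[[:space:]]*bootloader[[:space:]]/ s/.*--append=("([^"]*)"|([^"[:space:]][^[:space:]]*)).*/\2\3/p' "$1"
}

# $1 = kickstart file, $2 = installer kernel command line.
# Returns 1 only for the combination that produced the hang in the post.
check_fips_consistency() {
    ks_args=$(ks_append_args "$1" | tr '\n' ' ')
    if has_fips1 "$ks_args"; then
        if has_fips1 "$2"; then
            echo "ok: kickstart appends fips=1 and installer was booted with fips=1"
            return 0
        fi
        echo "mismatch: kickstart appends fips=1 but installer was booted without it"
        return 1
    fi
    echo "ok: kickstart does not append fips=1"
    return 0
}

# Constructed sample input, mirroring the lines shown in the post.
ks=$(mktemp)
printf '%s\n' 'lang en_US.UTF-8' \
    'bootloader --location=mbr --append="fips=1"' > "$ks"

# Installer booted without fips=1: reported as a mismatch.
check_fips_consistency "$ks" "inst.ks=http://192.168.100.1:80/kickstart.cfg RUNKS=1" || true
# Installer booted with fips=1: consistent.
check_fips_consistency "$ks" "inst.ks=http://192.168.100.1:80/kickstart.cfg RUNKS=1 fips=1"
rm -f "$ks"
```

Run from a kickstart %pre section, the same check could be called as check_fips_consistency with the kickstart path and "$(cat /proc/cmdline)" to stop an install before it produces an unbootable system.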