RHEL8.3 Won't Boot After Kickstart

I ran into a strange issue trying to build a RHEL8.3 box from a kickstart and wanted to put this out for anyone having the same problem.

TL;DR: If you enable FIPS in your kickstart (bootloader --location=mbr --append="fips=1"), you need to include fips=1 in the kernel boot options when you start the install.

I am not really sure what has changed between 8.2 and 8.3 but the kickstart I used to build a RHEL8.2 box would not work for RHEL8.3.

Just after install, my freshly minted RHEL8.3 box would hang. It did so very similarly to what is described here: https://access.redhat.com/discussions/2598541

I noticed at the very beginning of my install, there were error messages saying certain modules could not be found.

dracut-pre-trigger[252]: modprobe: FATAL: Module sha1 not found.
dracut-pre-trigger[252]: modprobe: FATAL: Module sha256 not found.

This led me to this post: https://access.redhat.com/solutions/2853221
Now Red Hat says the errors can be ignored, but if you read the last 2 comments, Renaud Metrich asks about boot options:

12 December 2018 1:46 PM Margaret (Peg) McCartney
The error messages cannot be disregarded. In my case, they are followed by:
dracut: FATAL: FIPS integrity test failed
dracut: Refusing to continue
dracut-pre-trigger[295]: Warning: /boot/.vmlinuz-3.10.0-957.1.3.el7.x86_64.hmac does not exist
System halted
After the latest RHEL7 patches, the system will not boot

12 December 2018 2:02 PM Renaud Metrich
I believe this has nothing to do with the messages, please show us the kernel command line arguments. This looks like you didn't specify "boot=" parameter

This got me thinking. I had recently run into a somewhat related issue a few weeks back. When I would enable FIPS and LUKS on a RHEL8.2 box in my kickstart, and I did not include fips=1 in the kernel boot options during install, the OS would not accept my LUKS password and the install was essentially dead in the water.

With this in mind, I went back to my dead 8.3 box and set the kernel boot option to fips=0. Guess what: it booted.

So I took this a step further and added fips=1 to the kernel boot option during the install. Guess what: the machine no longer hung and booted as expected.

In my kickstart, I enable FIPS like this:

bootloader --location=mbr --append="fips=1"

The kernel boot options would look something like this:

inst.ks=http: RUNKS=1 fips=1 

You would think that setting --append="fips=1" in your kickstart is enough to enable FIPS, but sadly it is not.

I hope this helps someone else.
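
A pre-flight check for the mismatch described above, as an added example that is not part of the original post: it reports when a kickstart's bootloader line appends fips=1 but the installer's kernel command line does not carry it. The function names, the `<kickstart-url>` placeholder and the sample kickstart are constructed for illustration, and only the `--append=` form of the option is parsed.

```bash
#!/bin/bash
# Added example, not from the original post. All names here are hypothetical.

# has_fips_arg STRING: succeeds if STRING holds fips=1 as a whole kernel argument.
has_fips_arg() {
    case " $1 " in
        *" fips=1 "*) return 0 ;;
    esac
    return 1
}

# ks_requests_fips FILE: succeeds if a bootloader command's --append= value has fips=1.
ks_requests_fips() {
    local cmd rest append
    while read -r cmd rest || [ -n "$cmd" ]; do
        [ "$cmd" = "bootloader" ] || continue      # skips comments and other commands
        case "$rest" in
            *--append=*) ;;
            *) continue ;;
        esac
        append=${rest#*--append=}
        case "$append" in                          # take the quoted or bare value
            \"*) append=${append#\"}; append=${append%%\"*} ;;
            \'*) append=${append#\'}; append=${append%%\'*} ;;
            *)   append=${append%% *} ;;
        esac
        has_fips_arg "$append" && return 0
    done < "$1"
    return 1
}

# check_fips_install KS_FILE CMDLINE: returns 1 when the kickstart enables FIPS
# for the installed system but the installer itself was not booted with fips=1.
check_fips_install() {
    if ks_requests_fips "$1" && ! has_fips_arg "$2"; then
        echo "kickstart appends fips=1, but the installer command line lacks fips=1" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: the post's bootloader line against two boot command lines.
sample_ks=$(mktemp)
printf '%s\n' '# sample kickstart' 'bootloader --location=mbr --append="fips=1"' > "$sample_ks"
check_fips_install "$sample_ks" "inst.ks=<kickstart-url> fips=1" && echo "OK: fips=1 on both sides"
check_fips_install "$sample_ks" "inst.ks=<kickstart-url>" || echo "MISMATCH: add fips=1 at the boot prompt"
rm -f "$sample_ks"
```

On a running installer, the second argument would be the contents of /proc/cmdline.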