Bug 1216059

Summary: [Build 26.1] FIPS setup failing for many scenarios with Core dump
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP6 Reporter: Joaquín Rivera <jeriveramoya>
Component: Security CertificationsAssignee: dracut maintainers <dracut-maintainers>
Status: RESOLVED FIXED QA Contact:
Severity: Critical    
Priority: P1 - Urgent CC: antonio.feijoo, felice.maccaro, meissner, riccardo.ceragioli, tjyrinki
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.suse.de/tests/12409540/modules/fips_setup/steps/80
Whiteboard: FIPS
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---

Description Joaquín Rivera 2023-10-09 14:03:40 UTC 
#### Observation

FIPS setup is broken seems several builds for many test scenarios:
See the failing ones here for latest build:
https://openqa.suse.de/tests/overview?result=failed&arch=&flavor=&machine=&test=&modules=fips_setup&module_re=&modules_result=failed&distri=sle&version=15-SP6&build=26.1&groupid=268#

and the passing ones:
https://openqa.suse.de/tests/overview?arch=&flavor=&machine=&test=&modules=fips_setup&module_re=&modules_result=passed&distri=sle&version=15-SP6&build=26.1&groupid=268#

See the core dumps in any of the jobs in serial0.txt
for example:
https://openqa.suse.de/tests/12409540/logfile?filename=serial0.txt

I could provide more info, but didn't have the time to dive deeper yet, but I wanted to share the big impact of this failure in test coverage as soon as possible.
Comment 1 Marcus Meissner 2023-10-09 14:11:24 UTC 
[    2.070819][  T115] (sd-e[115]: /usr/lib/systemd/system-generators/systemd-hibernate-resume-generator terminated by signal ABRT.

could be missing fips packages causing abort
Comment 2 Joaquín Rivera 2023-10-09 14:22:43 UTC 
A previous failure in the same test in latest build.
https://openqa.suse.de/tests/12410728#step/fips_setup/19
so in previous build was also there:
https://openqa.suse.de/tests/12306353#step/fips_setup/62

We have a ticket for adapting the automation with the problem installing the pattern https://progress.opensuse.org/issues/135401
but it is this connected as well?
Comment 3 Marcus Meissner 2023-10-09 15:17:09 UTC 
but the fips pattern is there now according t o the serial terminal output.
Comment 4 Marcus Meissner 2023-10-09 15:17:32 UTC 
i will need to test this on a local vm :(
Comment 5 Marcus Meissner 2023-10-19 07:48:33 UTC 
ok. even without vm we need to remove the hmac packages from dracut-fips

Currently we only removed libgcrypt, but will do so for libopenssl1_1-hmac soonish.

dracut maintainers, can you remove the 

Requires:       libgcrypt20-hmac

line from the dracut-fips package?
Comment 6 Antonio Feijoo 2023-10-19 09:48:20 UTC 
(In reply to Marcus Meissner from comment #5)
> ok. even without vm we need to remove the hmac packages from dracut-fips
> 
> Currently we only removed libgcrypt, but will do so for libopenssl1_1-hmac
> soonish.
> 
> dracut maintainers, can you remove the 
> 
> Requires:       libgcrypt20-hmac
> 
> line from the dracut-fips package?

Sure: https://build.suse.de/request/show/310834
Comment 7 Antonio Feijoo 2023-10-19 10:40:26 UTC 
(In reply to Marcus Meissner from comment #5)
> dracut maintainers, can you remove the 
> 
> Requires:       libgcrypt20-hmac
> 
> line from the dracut-fips package?

Marcus, I was asked if this change shouldn't be submitted to Factory first. Could you provide some feedback about that?
Comment 8 Marcus Meissner 2023-10-19 12:21:56 UTC 
yes, factory should get the same fix.

currently I think the issue is that libgcrypt20-hmac is still available (but wrong version) on SLES 15 SP6, but not on Favtory anymore.
Comment 9 Antonio Feijoo 2023-10-19 12:25:06 UTC 
(In reply to Marcus Meissner from comment #8)
> yes, factory should get the same fix.
> 
> currently I think the issue is that libgcrypt20-hmac is still available (but
> wrong version) on SLES 15 SP6, but not on Favtory anymore.

Ok, I'll patch Factory as well. Thanks!