Bug 1220390

Summary: fips pattern not found
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Micro 6.0
Reporter: Martin Loviska <mloviska>
Component: Patterns
Assignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED
QA Contact: Jose Lausuch <jalausuch>
Severity: Normal
Priority: P1 - Urgent
CC: felix.niederwanger, giacomo.leidi, jsrain, meissner, tjyrinki
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Attachments: zypper.log

Description Martin Loviska 2024-02-27 08:17:47 UTC
Created attachment 873020
zypper.log

Trying to set up fips on sle-micro 6.0 does not work as the pattern package is missing.

> # transactional-update setup-fips


2024-02-27 09:07:16 tukit 4.5.0 started
2024-02-27 09:07:16 Options: call 3 zypper install -y --auto-agree-with-product-licenses pattern() = fips
2024-02-27 09:07:18 Executing `zypper install -y --auto-agree-with-product-licenses pattern() = fips`:
Refreshing service 'SUSE_Linux_Enterprise_Micro_6.0_x86_64'.
Loading repository data...
Reading installed packages...
'pattern() = fips' not found in package names. Trying capabilities.
No provider of 'pattern() = fips' found.
2024-02-27 09:07:18 Application returned with exit status 104.
ERROR: zypper install on /.snapshots/3/snapshot failed with exit code 104!
Use '--interactive' for manual problem resolution.
2024-02-27 09:07:18 tukit 4.5.0 started
2024-02-27 09:07:18 Options: call 3 sed -i -e s|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 fips=1"|g /etc/default/grub
2024-02-27 09:07:20 Executing `sed -i -e s|\(^GRUB_CMDLINE_LINUX_DEFAULT=.*\)"|\1 fips=1"|g /etc/default/grub`:
2024-02-27 09:07:20 Application returned with exit status 0.
2024-02-27 09:07:20 Transaction completed.
Creating new initrd
2024-02-27 09:07:20 tukit 4.5.0 started
2024-02-27 09:07:20 Options: call 3 dracut --force --regenerate-all
2024-02-27 09:07:22 Executing `dracut --force --regenerate-all`:
dracut[I]: Executing: /usr/bin/dracut --kver=6.4.0-7-default --force


> localhost:~ # zypper se fips
> Refreshing service 'SUSE_Linux_Enterprise_Micro_6.0_x86_64'.
> Loading repository data...
> Reading installed packages...

S | Name              | Summary                                                            | Type
--+-------------------+--------------------------------------------------------------------+--------
  | alp_fips          | FIPS 140-3 Support                                                 | pattern
  | dracut-fips       | Dracut modules to build a dracut initramfs with an integrity check | package
  | openssh-fips      | OpenSSH FIPS crypto module HMACs                                   | package
  | patterns-alp-fips | FIPS 140-3 Support                                                 | package

Comment 2 Timo Jyrinki 2024-02-27 13:02:22 UTC
As a side note, the alp_fips pattern itself is functional (see fips_setup at https://openqa.suse.de/tests/13619286).

I'm not sure what should be done about transactional-update's setup-fips feature; maybe it should at least have a useful error message? Notably, SLE 15-SP4 and newer recently obtained crypto-policies-scripts, which contain a "fips-mode-setup" script that is now used, so there are multiple ways. That has not been available in SLE Micro 6.0 packages, however.

Comment 3 Marcus Meissner 2024-02-29 14:22:26 UTC
fix submitted

Comment 5 Marcus Meissner 2024-03-02 15:08:09 UTC
submitted
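
Added example, not part of the bug report and not transactional-update's code: in the log above the `fips=1` edit and the initrd rebuild still ran after zypper exited with 104, so this shell sketch resolves the FIPS pattern name from `zypper se`-style output first and lists the boot-affecting steps only if exactly one pattern resolves. The function names are hypothetical, and the embedded table is the search output quoted in the report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not transactional-update code.

# Sample input: the `zypper se fips` table as quoted in the report.
sample_search_output() {
cat <<'EOF'
S | Name              | Summary                                                            | Type
--+-------------------+--------------------------------------------------------------------+--------
  | alp_fips          | FIPS 140-3 Support                                                 | pattern
  | dracut-fips       | Dracut modules to build a dracut initramfs with an integrity check | package
  | openssh-fips      | OpenSSH FIPS crypto module HMACs                                   | package
  | patterns-alp-fips | FIPS 140-3 Support                                                 | package
EOF
}

# Read a zypper search table on stdin; print names of rows whose Type column
# is "pattern" and whose name contains "fips".
fips_patterns() {
    awk -F'|' 'NF >= 4 {
        name = $2; kind = $4
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", kind)
        if (kind == "pattern" && name ~ /fips/) print name
    }'
}

# Print the single matching pattern, or explain on stderr why none was chosen.
resolve_fips_pattern() {
    found=$(fips_patterns)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) echo "no FIPS pattern in the enabled repositories; boot configuration left unchanged" >&2
           return 1 ;;
        1) printf '%s\n' "$found" ;;
        *) echo "several FIPS patterns available, choose one explicitly:" $found >&2
           return 1 ;;
    esac
}

# Fail closed: list the boot-affecting steps only after a pattern resolved.
plan_fips_setup() {
    pattern=$(resolve_fips_pattern) || return 1
    printf 'zypper install -y -t pattern %s\n' "$pattern"
    printf 'append fips=1 to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub\n'
    printf 'dracut --force --regenerate-all\n'
}

sample_search_output | plan_fips_setup
```

On a live system the function would read from `zypper se fips` instead of the embedded sample.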