Bugzilla – Bug 1213798
[ALP][SECURITY][FIPS] missing package + missing pattern
Last modified: 2024-04-16 07:10:03 UTC
Hello, while testing FIPS on the latest Milestone 2, I found out the following issues:

1. there is no fips pattern
2. a package is missing: libkcapi-tools, therefore dracut-fips can't be installed

Options: pkg install -y dracut-fips libgcrypt20-hmac libgnutls30-hmac openssh-fips
...
Resolving package dependencies...

Problem: nothing provides 'libkcapi-tools' needed by the to be installed dracut-fips-059+suse.476.g5e324584-1.3.x86_64
 Solution 1: do not install dracut-fips-059+suse.476.g5e324584-1.3.x86_64
 Solution 2: break dracut-fips-059+suse.476.g5e324584-1.3.x86_64 by ignoring some of its dependencies

The repos present on the system:

# | Alias                       | Name                        | Enabled | GPG Check | Refresh | URI
--+-----------------------------+-----------------------------+---------+-----------+---------+------------------------------------------------------------------------------------
1 | ALP Build Repository        | ALP Build Repository        | Yes     | (r ) Yes  | No      | http://openqa.suse.de/assets/repo/ALP-Dolomite-1.0-x86_64-Build2.4-Media1
2 | ALP Source Build Repository | ALP Source Build Repository | Yes     | (r ) Yes  | No      | http://download.suse.de/ibs/SUSE:/ALP:/Source:/Standard:/Core:/1.0:/Build/standard/
3 | ALP-Dolomite-1.0            | ALP Dolomite 1.0 Repository | Yes     | (r ) Yes  | Yes     | https://updates.suse.com/SUSE/Products/ALP-Dolomite/1.0/x86_64/product/
I submitted a fips pattern already. I will submit libkcapi from Factory to ALP.
thanks Marcus!
should be done
I just tried on the latest Dolomite build (6.8), but I still don't see any fips pattern there.
I think we may need to wait for next build as 6.8 was done earlier?
Yes, the build was done before this change but, AFAIK, the main repo is always the same between builds (e.g. https://updates.suse.com/SUSE/Products/ALP-Dolomite/1.0/x86_64/product/)
worked with Jiri via email on this, will be fixed in the milestone after the next
I see, thanks Marcus :)
-> jiri
Same for latest build 7.30: https://openqa.suse.de/tests/12484669#step/fips_setup/25
same for latest build (7.95): https://openqa.suse.de/tests/12861727#step/fips_setup/23
The package should be included in the latest media (for both Dolomite and Marble), search it in the generated package list at: https://build.suse.de/package/view_file/SUSE:ALP:Products:Dolomite:1.0/000product/alp_dolomite.group?expand=1 (and similarly for Marble). Could you, please, verify that you can install the package from the latest build? Try this URL https://download.suse.de/ibs/SUSE:/ALP:/Products:/Dolomite:/1.0/images/repo/ALP-Dolomite-1.0-x86_64-Media1/
Ah, I see. The pattern is called "alp_fips" and not "fips". Now I get the following issue though:

Loading repository data...
Reading installed packages...
Resolving package dependencies...

Problem: the to be installed pattern:alp_fips-5.0-11.1.x86_64 requires 'patterns-alp-fips', but this requirement cannot be provided
  not installable providers: patterns-alp-fips-5.0-11.1.x86_64[ALP-Dolomite-1.0]
 Solution 1: Following actions will be done:
  deinstallation of openssh-clients-9.3p2-2.52.x86_64
  deinstallation of openssh-9.3p2-2.52.x86_64
  downgrade of dracut-059+suse.501.gc44a365d-1.44.x86_64 to dracut-059+suse.501.gc44a365d-1.23.x86_64
  deinstallation of patterns-alp-defaults-5.0-11.3.x86_64
  deinstallation of patterns-alp-base-zypper-5.0-11.3.x86_64
 Solution 2: do not install pattern:alp_fips-5.0-11.1.x86_64
 Solution 3: break pattern:alp_fips-5.0-11.1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c):

Moreover, openssh-fips doesn't seem to be part of the pattern. Is this expected?

zypper se fips
Loading repository data...
Reading installed packages...

S  | Name              | Summary                                                            | Type
---+-------------------+--------------------------------------------------------------------+--------
i+ | alp_fips          | FIPS 140-3 Support                                                 | pattern
i  | dracut-fips       | Dracut modules to build a dracut initramfs with an integrity check | package
   | openssh-fips      | OpenSSH FIPS crypto module HMACs                                   | package
i+ | patterns-alp-fips | FIPS 140-3 Support                                                 | package
Comment #13 is also true on Marble beta 1.
(In reply to Timo Jyrinki from comment #14)
> Comment #13 is also true on Marble beta 1.

Maybe this was fixed meanwhile? I was able to install it:

> localhost:~ # transactional-update pkg install patterns-alp-fips
> Checking for newer version.
> transactional-update 4.4.0 started
> Options: pkg install patterns-alp-fips
> Separate /var detected.
> WARNING: You are creating a snapshot from a different base (3) than the
> current default snapshot (4).
> If you want to continue a previous snapshot use the --continue
> option, otherwise the previous changes will be discarded.
> 2023-11-30 23:25:10 tukit 4.4.0 started
> 2023-11-30 23:25:10 Options: -c3 open
> 2023-11-30 23:25:10 Using snapshot 3 as base for new snapshot 5.
> 2023-11-30 23:25:10 Syncing /etc of previous snapshot 2 as base into new snapshot "/.snapshots/5/snapshot"
> 2023-11-30 23:25:10 SELinux is enabled.
> ID: 5
> 2023-11-30 23:25:13 Transaction completed.
> Calling zypper install
> 2023-11-30 23:25:16 tukit 4.4.0 started
> 2023-11-30 23:25:16 Options: callext 5 zypper -R {} install patterns-alp-fips
> 2023-11-30 23:25:18 Executing `zypper -R /tmp/transactional-update-clE0Om install patterns-alp-fips`:
> Refreshing service 'SUSE_Linux_Enterprise_Micro_6.0_x86_64'.
> Loading repository data...
> Reading installed packages...
> Resolving package dependencies...
>
> The following 6 NEW packages are going to be installed:
>   dracut-fips libkcapi-tools libkcapi1 libopenssl1_1 openssh-fips patterns-alp-fips
>
> The following NEW pattern is going to be installed:
>   alp_fips
>
> 6 new packages to install.
> Overall download size: 2.3 MiB. Already cached: 0 B. After the operation, additional 4.6 MiB will be used.
> Continue? [y/n/v/...? shows all options] (y): y
>
> Checking for file conflicts: [...done]
> Warning: 6 packages had to be excluded from file conflicts check because they are not yet downloaded.
>
> Note: Checking for file conflicts requires not installed packages to be downloaded in advance in
> order to access their file lists. See option '--download-in-advance / --dry-run --download-only'
> in the zypper manual page for details.
>
> Retrieving: libkcapi1-1.4.0-1.25.x86_64 (SLE-Micro-6.0-Pool) (1/6), 50.9 KiB
> Retrieving: libkcapi1-1.4.0-1.25.x86_64.rpm [..................done (50.9 KiB/s)]
> (1/6) Installing: libkcapi1-1.4.0-1.25.x86_64 [...done]
> Retrieving: libopenssl1_1-1.1.1w-3.1.x86_64 (SLE-Micro-6.0-Pool) (2/6), 1.6 MiB
> Retrieving: libopenssl1_1-1.1.1w-3.1.x86_64.rpm [....................done (799.9 KiB/s)]
> (2/6) Installing: libopenssl1_1-1.1.1w-3.1.x86_64 [...done]
> Retrieving: openssh-fips-9.3p2-2.56.x86_64 (SLE-Micro-6.0-Pool) (3/6), 225.4 KiB
> Retrieving: openssh-fips-9.3p2-2.56.x86_64.rpm [.............done (225.4 KiB/s)]
> (3/6) Installing: openssh-fips-9.3p2-2.56.x86_64 [..done]
> Retrieving: libkcapi-tools-1.4.0-1.25.x86_64 (SLE-Micro-6.0-Pool) (4/6), 248.2 KiB
> Retrieving: libkcapi-tools-1.4.0-1.25.x86_64.rpm [...................done (248.2 KiB/s)]
> (4/6) Installing: libkcapi-tools-1.4.0-1.25.x86_64 [..done]
> Retrieving: dracut-fips-059+suse.501.gc44a365d-1.49.x86_64 (SLE-Micro-6.0-Pool) (5/6), 187.7 KiB
> Retrieving: dracut-fips-059+suse.501.gc44a365d-1.49.x86_64.rpm [..............done (187.7 KiB/s)]
> (5/6) Installing: dracut-fips-059+suse.501.gc44a365d-1.49.x86_64 [..done]
> Retrieving: patterns-alp-fips-6.0-3.1.x86_64 (SLE-Micro-6.0-Pool) (6/6), 9.3 KiB
> Retrieving: patterns-alp-fips-6.0-3.1.x86_64.rpm [...done (9.3 KiB/s)]
> (6/6) Installing: patterns-alp-fips-6.0-3.1.x86_64 [..done]
> Running post-transaction scripts [..
> %posttrans(dracut-fips-059+suse.501.gc44a365d-1.49.x86_64) script output:
> dracut[I]: Executing: /usr/bin/dracut --kver=6.4.0-3-default -f
> dracut[I]: Module 'systemd-networkd' will not be installed, because command 'networkctl' could not be found!
> dracut[I]: Module 'systemd-networkd' will not be installed, because command '/usr/lib/systemd/systemd-networkd' could not be found!
> dracut[I]: Module 'systemd-networkd' will not be installed, because command '/usr/lib/systemd/systemd-networkd-wait-online' could not be found!
> dracut[I]: Module 'systemd-pcrphase' will not be installed, because command '/usr/lib/systemd/systemd-pcrphase' could not be found!
> dracut[I]: Module 'systemd-portabled' will not be installed, because command 'portablectl' could not be found!
> dracut[I]: Module 'systemd-portabled' will not be installed, because command '/usr/lib/systemd/systemd-portabled' could not be found!
> dracut[I]: Module 'systemd-repart' will not be installed, because command 'systemd-repart' could not be found!
> dracut[I]: Module 'systemd-resolved' will not be installed, because command 'resolvectl' could not be found!
> dracut[I]: Module 'systemd-resolved' will not be installed, because command '/usr/lib/systemd/systemd-resolved' could not be found!
> dracut[I]: Module 'modsign' will not be installed, because command 'keyctl' could not be found!
> dracut[I]: Module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found!
> dracut[I]: Module 'rngd' will not be installed, because command 'rngd' could not be found!
> dracut[I]: Module 'connman' will not be installed, because command 'connmand' could not be found!
> dracut[I]: Module 'connman' will not be installed, because command 'connmanctl' could not be found!
> dracut[I]: Module 'connman' will not be installed, because command 'connmand-wait-online' could not be found!
> dracut[I]: 35network-legacy: Could not find any command of 'dhclient wicked'!
> dracut[I]: 62bluetooth: Could not find any command of '/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'!
> dracut[I]: Module 'dmraid' will not be installed, because command 'dmraid' could not be found!
> dracut[I]: Module 'dmsquash-live-ntfs' will not be installed, because command 'ntfs-3g' could not be found!
> dracut[I]: Module 'pcsc' will not be installed, because command 'pcscd' could not be found!
> dracut[I]: Module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
> dracut[I]: Module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
> dracut[I]: Module 'iscsi' will not be installed, because command 'iscsiadm' could not be found!
> dracut[I]: Module 'iscsi' will not be installed, because command 'iscsid' could not be found!
> dracut[I]: 95nfs: Could not find any command of 'rpcbind portmap'!
> dracut[I]: Module 'nvmf' will not be installed, because command 'nvme' could not be found!
> dracut[I]: Module 'nvmf' will not be installed, because command 'jq' could not be found!
> dracut[I]: Module 'memstrack' will not be installed, because command 'memstrack' could not be found!
> dracut[I]: memstrack is not available
> dracut[I]: If you need to use rd.memdebug>=4, please install memstrack and procps-ng
> dracut[I]: Module 'squash' will not be installed, because command 'mksquashfs' could not be found!
> dracut[I]: Module 'squash' will not be installed, because command 'unsquashfs' could not be found!
> dracut[I]: Module 'systemd-pcrphase' will not be installed, because command '/usr/lib/systemd/systemd-pcrphase' could not be found!
> dracut[I]: Module 'systemd-portabled' will not be installed, because command 'portablectl' could not be found!
> dracut[I]: Module 'systemd-portabled' will not be installed, because command '/usr/lib/systemd/systemd-portabled' could not be found!
> dracut[I]: Module 'systemd-repart' will not be installed, because command 'systemd-repart' could not be found!
> dracut[I]: Module 'systemd-resolved' will not be installed, because command 'resolvectl' could not be found!
> dracut[I]: Module 'systemd-resolved' will not be installed, because command '/usr/lib/systemd/systemd-resolved' could not be found!
> dracut[I]: Module 'modsign' will not be installed, because command 'keyctl' could not be found!
> dracut[I]: Module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found!
> dracut[I]: Module 'rngd' will not be installed, because command 'rngd' could not be found!
> dracut[I]: Module 'connman' will not be installed, because command 'connmand' could not be found!
> dracut[I]: Module 'connman' will not be installed, because command 'connmanctl' could not be found!
> dracut[I]: Module 'connman' will not be installed, because command 'connmand-wait-online' could not be found!
> dracut[I]: 35network-legacy: Could not find any command of 'dhclient wicked'!
> dracut[I]: 62bluetooth: Could not find any command of '/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'!
> dracut[I]: Module 'dmraid' will not be installed, because command 'dmraid' could not be found!
> dracut[I]: Module 'dmsquash-live-ntfs' will not be installed, because command 'ntfs-3g' could not be found!
> dracut[I]: Module 'pcsc' will not be installed, because command 'pcscd' could not be found!
> dracut[I]: Module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
> dracut[I]: Module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
> dracut[I]: Module 'iscsi' will not be installed, because command 'iscsiadm' could not be found!
> dracut[I]: Module 'iscsi' will not be installed, because command 'iscsid' could not be found!
> dracut[I]: 95nfs: Could not find any command of 'rpcbind portmap'!
> dracut[I]: Module 'nvmf' will not be installed, because command 'nvme' could not be found!
> dracut[I]: Module 'nvmf' will not be installed, because command 'jq' could not be found!
> dracut[I]: Module 'memstrack' will not be installed, because command 'memstrack' could not be found!
> dracut[I]: memstrack is not available
> dracut[I]: If you need to use rd.memdebug>=4, please install memstrack and procps-ng
> dracut[I]: Module 'squash' will not be installed, because command 'mksquashfs' could not be found!
> dracut[I]: Module 'squash' will not be installed, because command 'unsquashfs' could not be found!
> dracut[I]: *** Including module: bash ***
> dracut[I]: *** Including module: systemd ***
> dracut[I]: *** Including module: fips ***
> dracut[I]: *** Including module: systemd-initrd ***
> dracut[I]: *** Including module: i18n ***
> dracut[I]: No KEYMAP configured.
> dracut[I]: *** Including module: drm ***
> dracut[I]: *** Including module: health-checker ***
> dracut[I]: *** Including module: transactional-update ***
> dracut[I]: *** Including module: btrfs ***
> dracut[I]: *** Including module: kernel-modules ***
> dracut[I]: *** Including module: kernel-modules-extra ***
> dracut[I]: *** Including module: rootfs-block ***
> dracut[I]: *** Including module: suse-btrfs ***
> dracut[I]: *** Including module: suse-xfs ***
> dracut[I]: *** Including module: terminfo ***
> dracut[I]: *** Including module: udev-rules ***
> dracut[I]: *** Including module: biosdevname ***
> dracut[I]: *** Including module: dracut-systemd ***
> dracut[I]: *** Including module: haveged ***
> dracut[I]: *** Including module: selinux-microos ***
> dracut[I]: *** Including module: usrmount ***
> dracut[I]: *** Including module: base ***
> dracut[I]: *** Including module: fs-lib ***
> dracut[I]: *** Including module: shutdown ***
> dracut[I]: *** Including module: suse ***
> dracut[I]: *** Including module: suse-initrd ***
> dracut[I]: *** Including modules done ***
> dracut[I]: *** Installing kernel module dependencies ***
> dracut[I]: *** Installing kernel module dependencies done ***
> dracut[I]: *** Resolving executable dependencies ***
> dracut[I]: *** Resolving executable dependencies done ***
> dracut[I]: *** Hardlinking files ***
> dracut[I]: *** Hardlinking files done ***
> dracut[I]: *** Generating early-microcode cpio image ***
> dracut[I]: *** Constructing GenuineIntel.bin ***
> dracut[I]: *** Store current command line parameters ***
> dracut[I]: Stored kernel commandline:
> dracut[I]: rd.driver.pre=btrfs
> dracut[I]: rd.driver.pre=overlay
> dracut[I]: root=UUID=6327f0c5-0454-4b19-8355-10beef082fe8 rootfstype=btrfs rootflags=rw,relatime,seclabel,space_cache=v2,subvolid=281,subvol=/@/.snapshots/5/snapshot,subvol=@/.snapshots/5/snapshot
> dracut[I]: *** Creating image file '/boot/initrd-6.4.0-3-default' ***
> dracut[I]: *** Creating initramfs image file '/boot/initrd-6.4.0-3-default' done ***
> ..done]
> 2023-11-30 23:25:43 Application returned with exit status 0.
> 2023-11-30 23:25:44 Transaction completed.
> Trying to rebuild kdump initrd
> 2023-11-30 23:25:46 tukit 4.4.0 started
> 2023-11-30 23:25:46 Options: close 5
> 2023-11-30 23:25:48 New default snapshot is #5 (/.snapshots/5/snapshot).
> 2023-11-30 23:25:48 Transaction completed.
>
> Please reboot your machine to activate the changes and avoid data loss.
>
> WARNING: This snapshot has been created from a different base (3)
> than the previous default snapshot (4) and does not
> contain the changes from the latter.
>
> New default snapshot is #5 (/.snapshots/5/snapshot).
> transactional-update finished
I'm using the encrypted raw image (SLE-Micro.x86_64-6.0-Default-encrypted-Build3.4.raw), did SUSEConnect -r to register and then tried transactional-update pkg install -t pattern alp_fips.

The problem still happens on this VM in a similar way to before (also if using patterns-alp-fips), and also after zypper ref (which states SLE-Micro-6.0-Pool is up to date).
(In reply to Timo Jyrinki from comment #16)
> I'm using the encrypted raw image
> (SLE-Micro.x86_64-6.0-Default-encrypted-Build3.4.raw), did SUSEConnect -r to
> register and then tried the transactional-update pkg install -t pattern
> alp_fips
>
> The problem still happens on this VM in a similar way to before (also if
> using patterns-alp-fips), and also after zypper ref (which states
> SLE-Micro-6.0-Pool is up to date).

The fix has been pushed to the ToTest channel, not released yet. You need to use the proxy SCC as URL for registration. Maybe that's the cause why it still doesn't work for you?
OK, adding "10.100.93.51 micro-3.4.proxy.scc.suse.de" to /etc/hosts and using SUSEConnect -r [REGCODE] --url micro-3.4.proxy.scc.suse.de indeed works, so that zypper can find the correct in-sync repositories and transactional-update pkg install -t pattern alp_fips works.
t-u setup-fips currently does:
- looks for pattern() = fips
- installs that pattern

This alias was currently alp_fips for no real good reason; adjusted.
The pattern rename is in; should be fixed in the next snapshot.
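An added example, not part of this bug thread and not SUSE's own tooling: once the pattern resolves cleanly, what a practitioner still has to check is whether FIPS mode is actually in effect on the booted system, since comment #13 above shows the pattern installing without openssh-fips, and a resolved pattern says nothing about the kernel command line or the running kernel. The POSIX sh functions below take the installed-package list, the kernel command line and the fips_enabled sysctl as file paths, so they can be run against copies pulled from a target host or against constructed input. The required package names come from the install log in this thread; the --live flag and the file layout are this example's own convention.

```shell
#!/bin/sh
# Example FIPS post-install check (not from the bug thread). Inputs are files so
# the logic can be exercised offline against constructed copies of the real
# sources: rpm -qa output, /proc/cmdline and /proc/sys/crypto/fips_enabled.

# Packages the FIPS pattern pulled in according to the install log in this
# thread. dracut-fips adds the initrd integrity check, libkcapi-tools provides
# the HMAC tool it uses, openssh-fips ships the HMACs for the OpenSSH binaries.
FIPS_REQUIRED_PKGS="dracut-fips libkcapi-tools openssh-fips"

# fips_pkgs_missing RPMLIST
#   RPMLIST holds one package name per line (rpm -qa --qf '%{NAME}\n').
#   Prints each required package that is absent; prints nothing when all exist.
fips_pkgs_missing() {
    _rpmlist="$1"
    for _p in $FIPS_REQUIRED_PKGS; do
        if ! grep -qx "$_p" "$_rpmlist"; then
            echo "$_p"
        fi
    done
}

# fips_cmdline_enabled CMDLINE
#   CMDLINE is a copy of /proc/cmdline. Succeeds when a fips=1 token is present
#   (token match, so "fips=10" or "nofips=1" do not count).
fips_cmdline_enabled() {
    tr ' ' '\n' < "$1" | grep -qx 'fips=1'
}

# fips_kernel_enabled SYSCTL
#   SYSCTL is a copy of /proc/sys/crypto/fips_enabled. Succeeds when it reads 1.
fips_kernel_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# fips_verdict RPMLIST CMDLINE SYSCTL
#   Prints exactly one of: ok, missing-packages, no-cmdline-flag, kernel-not-in-fips.
#   Packages are checked first: without dracut-fips the initrd was built without
#   the fips module, so a kernel that reports fips_enabled=1 still booted through
#   an initrd that never verified the kernel image HMAC.
fips_verdict() {
    if [ -n "$(fips_pkgs_missing "$1")" ]; then
        echo missing-packages
    elif ! fips_cmdline_enabled "$2"; then
        echo no-cmdline-flag
    elif ! fips_kernel_enabled "$3"; then
        echo kernel-not-in-fips
    else
        echo ok
    fi
}

# Stand-alone use on a live host: sh fips-check.sh --live
if [ "${1:-}" = "--live" ]; then
    _tmp="/tmp/fips-rpmlist.$$"
    rpm -qa --qf '%{NAME}\n' > "$_tmp"
    fips_verdict "$_tmp" /proc/cmdline /proc/sys/crypto/fips_enabled
    rm -f "$_tmp"
fi
```

Run it after the reboot that transactional-update asks for, not before: until the new snapshot is booted, /proc/cmdline and fips_enabled still describe the old snapshot, so the verdict would be no-cmdline-flag or kernel-not-in-fips even though the package step succeeded.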