From e02a9c5b3e173d7a3950c9630c60ea2ab10451e7 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Thu, 14 Nov 2024 11:47:48 +0100
Subject: [PATCH] images: Install kernel with fixed FIPS on rhel-10-0

Current nightly RHEL 10 images oops the kernel in FIPS mode (https://issues.redhat.com/browse/RHEL-65498). This breaks Cockpit's crypto-policies tests in a really awkward way that takes > 15 minutes to eventually fail, and so handling this through a naughty is awkward. Install the fixed kernel instead. This automatically becomes a no-op as soon as the next kernel lands.
---
images/scripts/rhel.setup | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/images/scripts/rhel.setup b/images/scripts/rhel.setup
index f0e5896ad..a64caa041 100755
--- a/images/scripts/rhel.setup
+++ b/images/scripts/rhel.setup
@@ -297,6 +297,12 @@ stratisd dnf install -y $TEST_PACKAGES $COCKPIT_DEPS $IPA_CLIENT_PACKAGES +# HACK: broken kernel which oopses with FIPS (https://issues.redhat.com/browse/RHEL-65498); failing and recovering +# takes ages, so too expensive/intrusive for a naughty to work around; install the proposed fix instead +if [ "$IMAGE" = "rhel-10-0" ] && [ "$(uname -r)" = "6.11.0-28.el10.x86_64" ]; then + dnf update -y https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1538040565/publish_x86_64/8332871928/artifacts/repo/6.11.0-29.3_1538040423.el10.x86_64/kernel-6.11.0-29.3_1538040423.el10.x86_64.rpm https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1538040565/publish_x86_64/8332871928/artifacts/repo/6.11.0-29.3_1538040423.el10.x86_64/kernel-core-6.11.0-29.3_1538040423.el10.x86_64.rpm https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1538040565/publish_x86_64/8332871928/artifacts/repo/6.11.0-29.3_1538040423.el10.x86_64/kernel-modules-6.11.0-29.3_1538040423.el10.x86_64.rpm https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1538040565/publish_x86_64/8332871928/artifacts/repo/6.11.0-29.3_1538040423.el10.x86_64/kernel-modules-core-6.11.0-29.3_1538040423.el10.x86_64.rpm https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1538040565/publish_x86_64/8332871928/artifacts/repo/6.11.0-29.3_1538040423.el10.x86_64/kernel-tools-6.11.0-29.3_1538040423.el10.x86_64.rpm https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1538040565/publish_x86_64/8332871928/artifacts/repo/6.11.0-29.3_1538040423.el10.x86_64/kernel-tools-libs-6.11.0-29.3_1538040423.el10.x86_64.rpm 
https://artifacts.internal.cki-project.org/arr-cki-prod-internal-artifacts/internal-artifacts/1538040565/publish_x86_64/8332871928/artifacts/repo/6.11.0-29.3_1538040423.el10.x86_64/python3-perf-6.11.0-29.3_1538040423.el10.x86_64.rpm +fi + # HACK: wireguard-tools pulls in systemd-resolved, but installing that doesn't start the service, # thus breaking DNS; https://issues.redhat.com/browse/RHEL-37686 if [ "$IMAGE" = "centos-10" ] || [ "${IMAGE#rhel-10*}" != "$IMAGE" ]; then
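Review bot: The `dnf update -y` line added for `rhel-10-0` installs seven kernel RPMs directly from pipeline artifact URLs, and nothing in the hunk verifies what is downloaded: dnf checks signatures of packages named on the command line only when `localpkg_gpgcheck` is enabled, which is off by default, so the image's kernel is trusted on the strength of TLS to the artifact host alone. If these builds are signed, `dnf update -y --setopt=localpkg_gpgcheck=1 …` would enforce that; if they are unsigned test builds (not visible here), fetching them first and comparing them against SHA-256 values recorded in this script before installing would pin the content. The URLs also look like per-pipeline storage that may be cleaned up later, so a comment such as `# TODO: drop once rhel-10-0 ships a kernel newer than 6.11.0-28` next to the `uname -r` guard would tell the next maintainer when the block can go. Hoisting the shared URL prefix into a variable would make the package list itself reviewable.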