From 0b6d253dba2248c66206c16319736636f6a52309 Mon Sep 17 00:00:00 2001
From: Alejandro Gullon
Date: Wed, 13 May 2026 09:30:30 +0200
Subject: [PATCH 1/3] USHIFT-6978: install dracut-fips in RHEL 9 bootc FIPS images On RHEL 9, the fips dracut module is in the separate dracut-fips package. Without it, the initramfs does not contain the fips module and the lsinitrd FIPS validation check fails. On RHEL 10+, this module was merged into the base dracut package and is always present. Add dracut-fips to both RHEL 9 FIPS containerfiles (presubmit and release) so the FIPS test passes consistently across RHEL versions. Co-Authored-By: Claude Opus 4.6 (1M context) pre-commit.check-secrets: ENABLED
---
 .../group2/rhel98-bootc-source-fips.containerfile | 2 +-
 .../group2/rhel98-bootc-brew-lrel-fips.containerfile | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile b/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile
index 64062111bd..cbb724c03f 100644
--- a/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile
+++ b/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile
@@ -11,6 +11,6 @@ EOF
 #
 # Note: CNI plugins are required for podman to operate normally on RHEL 9.x.
 # This package is no longer installed as cri-o dependency.
-RUN dnf install -y crypto-policies-scripts containernetworking-plugins && \
+RUN dnf install -y crypto-policies-scripts containernetworking-plugins dracut-fips && \
 update-crypto-policies --no-reload --set FIPS && \
 dnf clean all
diff --git a/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile b/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile
index dc2ccc51ad..90beaf89a5 100644
--- a/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile
+++ b/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile
@@ -13,7 +13,7 @@ EOF
 #
 # Note: CNI plugins are required for podman to operate normally on RHEL 9.x.
 # This package is no longer installed as cri-o dependency.
-RUN dnf install -y crypto-policies-scripts containernetworking-plugins && \
+RUN dnf install -y crypto-policies-scripts containernetworking-plugins dracut-fips && \
 update-crypto-policies --no-reload --set FIPS && \
 dnf clean all
 # {{- end -}}
From 06daa7000d3ae4b311cf6df4b051eee836bc176d Mon Sep 17 00:00:00 2001
From: Alejandro Gullon
Date: Wed, 13 May 2026 12:11:53 +0200
Subject: [PATCH 2/3] test pre-commit.check-secrets: ENABLED
---
 test/bin/manage_build_cache.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/test/bin/manage_build_cache.sh b/test/bin/manage_build_cache.sh
index edfa245310..fb7b506f7b 100755
--- a/test/bin/manage_build_cache.sh
+++ b/test/bin/manage_build_cache.sh
@@ -8,6 +8,7 @@ SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 source "${SCRIPTDIR}/common.sh"
 AWS_BUCKET_NAME="${AWS_BUCKET_NAME:-microshift-build-cache}"
+AWS_BUCKET_NAME=agullon-build-cache-ushift-6978-test
 BCH_SUBDIR=
 TAG_SUBDIR=
 ARCH_SUBDIR="${UNAME_M}"
From 2a8820d550b38b1cc9f0e6ba0f2b6ab0c0f137d6 Mon Sep 17 00:00:00 2001
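Review bot: The added `AWS_BUCKET_NAME=agullon-build-cache-ushift-6978-test` in test/bin/manage_build_cache.sh unconditionally overwrites the value assigned one line earlier, so both the `AWS_BUCKET_NAME` environment override and the `microshift-build-cache` default are ignored. Every caller of the script would then presumably read and write build-cache artifacts in a personally named bucket, which moves the trust boundary for cached images away from the project's bucket. The commit subject is just "test", so this looks like a temporary debugging aid; drop the line before merge and supply the bucket through the environment instead, e.g. `AWS_BUCKET_NAME=<test-bucket> ./test/bin/manage_build_cache.sh ...`. The script continues outside the hunk, so how the bucket name is consumed is not visible here.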
From: Alejandro Gullon
Date: Thu, 14 May 2026 10:37:23 +0200
Subject: [PATCH 3/3] USHIFT-6978: configure dracut fips module via conf instead of dracut-fips package On RHEL 9.8, dracut-fips was merged into the base dracut package, making `dnf install dracut-fips` a no-op. The fips dracut module files are present on disk but dracut is not configured to include them in the initramfs, causing the lsinitrd FIPS validation to fail. Replace the dracut-fips package install with an explicit dracut config file that ensures the fips module is included in the initramfs when bootc generates it during deployment. Co-Authored-By: Claude Opus 4.6 (1M context) pre-commit.check-secrets: ENABLED
---
 .../group2/rhel98-bootc-source-fips.containerfile | 3 ++-
 .../group2/rhel98-bootc-brew-lrel-fips.containerfile | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile b/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile
index cbb724c03f..2185828dbe 100644
--- a/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile
+++ b/test/image-blueprints-bootc/el9/layer2-presubmit/group2/rhel98-bootc-source-fips.containerfile
@@ -11,6 +11,7 @@ EOF
 #
 # Note: CNI plugins are required for podman to operate normally on RHEL 9.x.
 # This package is no longer installed as cri-o dependency.
-RUN dnf install -y crypto-policies-scripts containernetworking-plugins dracut-fips && \
+RUN dnf install -y crypto-policies-scripts containernetworking-plugins && \
 update-crypto-policies --no-reload --set FIPS && \
+ echo 'add_dracutmodules+=" fips "' > /etc/dracut.conf.d/40-fips.conf && \
 dnf clean all
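Review bot: The new `echo 'add_dracutmodules+=" fips "' > /etc/dracut.conf.d/40-fips.conf` step only writes a dracut drop-in; nothing in the visible RUN invokes dracut, so the fix depends on the initramfs being regenerated later, as the commit message assumes. If the image instead ships a prebuilt initramfs under /usr/lib/modules that is used as-is, the drop-in would not take effect and the lsinitrd FIPS check would still fail; in that case regenerate it in the same RUN, e.g. `kver=$(cd /usr/lib/modules && echo *) && dracut -vf "/usr/lib/modules/${kver}/initramfs.img" "${kver}" && \`. The comment block above the RUN documents only the CNI plugins and should gain a line for the drop-in, for example `# Note: the fips dracut module must be requested explicitly so the initramfs passes FIPS validation.` The same applies to the identical hunk in rhel98-bootc-brew-lrel-fips.containerfile.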
diff --git a/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile b/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile
index 90beaf89a5..0dabcbbad5 100644
--- a/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile
+++ b/test/image-blueprints-bootc/el9/layer4-release/group2/rhel98-bootc-brew-lrel-fips.containerfile
@@ -13,7 +13,8 @@ EOF
 #
 # Note: CNI plugins are required for podman to operate normally on RHEL 9.x.
 # This package is no longer installed as cri-o dependency.
-RUN dnf install -y crypto-policies-scripts containernetworking-plugins dracut-fips && \
+RUN dnf install -y crypto-policies-scripts containernetworking-plugins && \
 update-crypto-policies --no-reload --set FIPS && \
+ echo 'add_dracutmodules+=" fips "' > /etc/dracut.conf.d/40-fips.conf && \
 dnf clean all
 # {{- end -}}