USHIFT-6978: remove initramfs FIPS module check from bootc validation #6657

Open
agullon wants to merge 1 commit into openshift:main from agullon:USHIFT-6978

@agullon agullon commented May 12, 2026

Summary

  • Remove the lsinitrd -m | grep fips check from Fips Should Be Enabled Bootc in validate-fips.robot
  • This check tests a RHEL packaging detail (whether dracut-fips is installed), not actual FIPS enablement
  • The remaining two checks — /proc/sys/crypto/fips_enabled and update-crypto-policies --show — are sufficient to verify FIPS mode is active
  • On RHEL 9, the fips dracut module lives in a separate dracut-fips package not present in bootc images; on RHEL 10+ it's in base dracut

Test plan

  • Verify el98-lrel@ai-model-serving-online-fips scenario passes on RHEL 9 bootc
  • Verify FIPS test still passes on RHEL 10 bootc

Jira: https://issues.redhat.com/browse/USHIFT-6978
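
The validation split described in the summary above, as an added shell example that is not part of this PR or the MicroShift test suite: the pass/fail verdict rests on the kernel flag and the crypto policy, while the `lsinitrd -m` module lookup is only reported. The function names and the `--live` switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not MicroShift code. Inputs are parameters so the logic can be
# exercised on constructed data; with no arguments the live host is queried.

# Kernel flag: 0 only if the file holds exactly "1"; 2 if it cannot be read.
kernel_fips_enabled() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$flag_file" ] || return 2
    [ "$(tr -d '[:space:]' < "$flag_file")" = "1" ]
}

# Crypto policy: accept "FIPS" or "FIPS:<subpolicy>" such as FIPS:OSPP.
policy_is_fips() {
    case "$1" in
        FIPS|FIPS:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Packaging detail: reads `lsinitrd -m` output on stdin, exact-line match.
initramfs_lists_fips() {
    grep -Fxq fips
}

# Pass/fail verdict uses only the two runtime signals.
fips_mode_active() {
    flag_file=${1:-/proc/sys/crypto/fips_enabled}
    policy=${2:-$(update-crypto-policies --show 2>/dev/null)}
    if ! kernel_fips_enabled "$flag_file"; then
        echo "FAIL: kernel FIPS flag not set in $flag_file" >&2
        return 1
    fi
    if ! policy_is_fips "$policy"; then
        echo "FAIL: crypto policy is '$policy', expected FIPS" >&2
        return 1
    fi
    return 0
}

# Live run (assumed switch): sh fips-check.sh --live
if [ "${1:-}" = "--live" ]; then
    fips_mode_active || exit 1
    lsinitrd -m 2>/dev/null | initramfs_lists_fips \
        || echo "NOTE: no fips dracut module in initramfs (informational)" >&2
    echo "FIPS mode active"
    exit 0
fi
```

The exact-line match in `initramfs_lists_fips` keeps a module whose name merely contains "fips" from counting as the `fips` module.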

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 12, 2026
openshift-ci-robot commented May 12, 2026

@agullon: This pull request references USHIFT-6978 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

  • Skip the lsinitrd -m | grep fips initramfs check on RHEL 9 bootc systems
  • On RHEL 9, the fips dracut module is in the separate dracut-fips package, which is not installed in bootc images
  • On RHEL 10+, this module was merged into the base dracut package and is always present
  • The other two checks (kernel fips flag + crypto policy) already verify FIPS is properly enabled on both versions

Test plan

  • Verify el98-lrel@ai-model-serving-online-fips scenario passes on RHEL 9 bootc
  • Verify FIPS test still passes on RHEL 10 bootc (lsinitrd check still runs)

Jira: https://issues.redhat.com/browse/USHIFT-6978

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from eslutsky and kasturinarra May 12, 2026 15:05
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 12, 2026

agullon commented May 12, 2026

/test e2e-aws-tests-release
/test e2e-aws-tests-release-arm
/test e2e-aws-tests-bootc-release-el9
/test e2e-aws-tests-bootc-release-el10
/test e2e-aws-tests-bootc-release-arm-el9
/test e2e-aws-tests-bootc-release-arm-el10


agullon commented May 12, 2026

/cherrypick release-4.22

@openshift-cherrypick-robot

@agullon: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


coderabbitai Bot commented May 12, 2026

Walkthrough

The PR removes the FIPS initramfs module presence verification from the Fips Should Be Enabled Bootc test keyword. After confirming system crypto policies show FIPS, the test now skips the lsinitrd module check and proceeds directly to the next step.

Changes

FIPS Validation Test Simplification

Layer / File(s): FIPS initramfs module check removal (test/suites/fips/validate-fips.robot)
Summary: The Fips Should Be Enabled Bootc keyword removes the 6-line initramfs FIPS module presence check (lsinitrd -m ... | grep -Fxq fips). The test now concludes after validating crypto policies without verifying the initramfs module.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

lgtm, verified

Suggested reviewers

  • pmtk
  • kasturinarra
  • jogeo
🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Custom check is not applicable. PR modifies only Robot Framework test files (.robot), not Ginkgo tests (Go BDD framework). No Ginkgo test names exist to validate.
Test Structure And Quality ✅ Passed Check is not applicable. The custom check requires reviewing Ginkgo test code patterns, but this PR modifies only Robot Framework test files (.robot), not Go/Ginkgo tests.
Microshift Test Compatibility ✅ Passed No new Ginkgo e2e tests were added in this PR. Changes are limited to Robot Framework tests (test/suites/fips/validate-fips.robot), which are outside the scope of this check.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR modifies a Robot Framework test file (.robot), not Ginkgo e2e tests. Custom check applies only to new Ginkgo tests (It(), Describe(), Context(), When()). No Ginkgo tests found.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only test file (validate-fips.robot), removing FIPS module validation step. No deployment manifests, operator code, or scheduling constraints introduced.
Ote Binary Stdout Contract ✅ Passed Custom check is not applicable. PR modifies only Robot Framework test file (test/suites/fips/validate-fips.robot), not OTE Go binaries that communicate via JSON stdout.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Check does not apply—PR modifies Robot Framework tests only, not Ginkgo tests. Custom check targets Go/Ginkgo patterns (It(), Describe(), etc.).
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: removing the initramfs FIPS module check from bootc validation, which aligns with the PR's core objective of installing dracut-fips separately.



agullon commented May 12, 2026

/override ci/prow/e2e-aws-tests-release
/override ci/prow/e2e-aws-tests-release-arm


openshift-ci Bot commented May 12, 2026

@agullon: Overrode contexts on behalf of agullon: ci/prow/e2e-aws-tests-release, ci/prow/e2e-aws-tests-release-arm

Details

In response to this:

/override ci/prow/e2e-aws-tests-release
/override ci/prow/e2e-aws-tests-release-arm


Comment thread test/suites/fips/validate-fips.robot Outdated
@agullon agullon marked this pull request as draft May 13, 2026 07:30
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2026
@agullon agullon changed the title USHIFT-6978: skip lsinitrd FIPS check on bootc RHEL 9 USHIFT-6978: install dracut-fips in RHEL 9 bootc FIPS images May 13, 2026
@agullon agullon marked this pull request as ready for review May 13, 2026 07:31
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2026
@openshift-ci openshift-ci Bot requested review from jogeo and pacevedom May 13, 2026 07:32
The lsinitrd FIPS module presence check fails on RHEL 9 bootc images
because the dracut-fips package is not installed. Rather than adding
the package, remove the check entirely as the remaining validations
(crypto flag and crypto policies) are sufficient to verify FIPS mode.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

pre-commit.check-secrets: ENABLED

agullon commented May 14, 2026

/cherrypick release-4.22

@openshift-cherrypick-robot

@agullon: once the present PR merges, I will cherry-pick it on top of release-4.22 in a new PR and assign it to you.

Details

In response to this:

/cherrypick release-4.22



agullon commented May 14, 2026

/verified by CI

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label May 14, 2026
@openshift-ci-robot

@agullon: This PR has been marked as verified by CI.

Details

In response to this:

/verified by CI


@ggiguash

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 14, 2026

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: agullon, ggiguash


@agullon agullon changed the title USHIFT-6978: install dracut-fips in RHEL 9 bootc FIPS images USHIFT-6978: remove initramfs FIPS module check from bootc validation May 14, 2026

openshift-ci Bot commented May 14, 2026

@agullon: all tests passed!
