OKD on SCOS (4.14 2024-01-30) deployment fails on vSphere UPI, SCOS bad shim signature #1938

Closed
kai-uwe-rommel opened this issue May 4, 2024 · 7 comments

@kai-uwe-rommel

Describe the bug
Tried to deploy an okd-scos-2024-01-30-032525 cluster on vSphere UPI.
After pulling the SCOS image onto the bootstrap VM with FCOS, the reboot fails with "bad shim signature".

Version
okd-scos-2024-01-30-032525
on vSphere UPI

How reproducible
100%

Log bundle
No log bundle at this time.

@bdlink

bdlink commented May 19, 2024

Be sure you are not using secure boot for the guest machine.

Under Settings, click the VM Options tab, and expand Boot Options. I am using BIOS for firmware, which has worked in the past. If you are using EFI firmware, be sure to deselect the Secure Boot check box.

@LorbusChris
Contributor

Broken Secure Boot on SCOS is a known issue: https://issues.redhat.com/browse/RHEL-4391

@kai-uwe-rommel
Author

Yes, disabling secure boot as a workaround solved the problem. I could successfully deploy such an OKD/SCOS cluster.
I guess we need to wait for an upstream fix in CentOS Stream.
Also there already seems to be an OCPBUGS issue for my problem: https://issues.redhat.com/browse/OCPBUGS-21838

@kai-uwe-rommel
Author

If someone is looking for a workaround when installing on vSphere UPI ...

I wrote our automation in PowerShell to be able to use PowerCLI for VMware vSphere tasks. What I did there to disable Secure Boot:

    $vm = New-Vm -Name $vmName -VMHost $vmHost -Template $vmTemplate -Datastore $vmDatastore -Location $vmFolder -Confirm:$false

    # ......
    $vmSecureBoot = $false # in case of SCOS ...

    # Read the current Secure Boot setting and reconfigure the VM only if it differs
    $secureBootStatus = $vm.ExtensionData.Config.BootOptions.EfiSecureBootEnabled
    If ($secureBootStatus -ne $vmSecureBoot) {
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
        $spec.BootOptions.EfiSecureBootEnabled = $vmSecureBoot
        $taskMoRef = $vm.ExtensionData.ReconfigVM_Task($spec)
        # Wait for the reconfigure task to finish before continuing
        Get-Task -Id $taskMoRef | Wait-Task | Out-Null
    }
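
An added example, not part of the original comment or the OKD project's code: because the workaround leaves Secure Boot disabled, this PowerShell function reports firmware type and Secure Boot state per VM so the affected machines can be found again once the upstream fix lands. `Get-VmSecureBootState` and `New-SampleVm` are hypothetical names, and the sample VMs are constructed stand-ins with the same property shape as PowerCLI's `Get-VM` output.

```powershell
# Added example (not from the original thread). Function names are hypothetical.
function Get-VmSecureBootState {
    [CmdletBinding()]
    param(
        # VM objects from PowerCLI Get-VM, or objects with the same property shape
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$VM
    )
    process {
        $config   = $VM.ExtensionData.Config
        $firmware = [string]$config.Firmware
        if ($firmware -ne 'efi') {
            $state = 'NotApplicable'   # BIOS firmware has no Secure Boot setting
        } elseif ($config.BootOptions.EfiSecureBootEnabled) {
            $state = 'Enabled'
        } else {
            $state = 'Disabled'        # workaround applied, or never enabled
        }
        [pscustomobject]@{ Name = $VM.Name; Firmware = $firmware; SecureBoot = $state }
    }
}

# Constructed stand-in for a VM object so the example runs without a vCenter.
function New-SampleVm([string]$Name, [string]$Firmware, [bool]$SecureBoot) {
    $boot   = [pscustomobject]@{ EfiSecureBootEnabled = $SecureBoot }
    $config = [pscustomobject]@{ Firmware = $Firmware; BootOptions = $boot }
    [pscustomobject]@{ Name = $Name; ExtensionData = [pscustomobject]@{ Config = $config } }
}

# Constructed sample inventory (names are made up).
$sample = @(
    New-SampleVm -Name 'okd-bootstrap' -Firmware 'efi'  -SecureBoot $false
    New-SampleVm -Name 'okd-master-0'  -Firmware 'efi'  -SecureBoot $true
    New-SampleVm -Name 'okd-worker-0'  -Firmware 'bios' -SecureBoot $false
)

$report = $sample | Get-VmSecureBootState
$report | Format-Table -AutoSize

# VMs to revisit once Secure Boot can be turned back on
$report | Where-Object { $_.SecureBoot -eq 'Disabled' } | Select-Object -ExpandProperty Name

# Against a live vCenter (after Connect-VIServer), assuming $vmFolder as in the comment above:
#   Get-VM -Location $vmFolder | Get-VmSecureBootState
```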
   

@JaimeMagiera
Contributor

I've grabbed your tip and will put it in the release notes. Closing this for completeness.

@kai-uwe-rommel
Author

BTW, FCOS 40 also has this "bad shim signature" problem now.

@jcpowermac

jcpowermac commented Aug 19, 2024

@kai-uwe-rommel openshift/installer#8793

But probably only will be backported to 4.16

edit: (oops I misread this was upi, the change above was for ipi)
