[SOLVED] Kernel upgrade trouble.

[kd2017]

CentOS 6.8
On second computer after 'yum update -y' (new kernel kernel-2.6.32-642.13.1.el6.x86_64 was installed during upgrade) on boot kernel fails to load all modules from initramfs with message like:
FATAL: Error inserting <module name> (<module path>): Key was rejected by service.

I tried to boot previous versions of kernel but they also fail with the same errors.

Fresh installation of CentOS 6.8 and upgrade do not reproduce the problem.

'Secure boot' is not enabled (first computer has no UEFI bios).

AFAIK this messages correspond to module signing. What could enabled it?
TIA

[TrevorH]

As far as I know, module signing is only used on systems using secure boot.

[kd2017]

I've just checked once more.

In BIOS:
Secure boot state - disabled
Platform Keys (PK) - unloaded
OS Type - Other OS

First lines of kernel output right after grub messages:
Module signature verification failed
Error inserting dm_mod (/lib/modules/2.6.32-642.13.1.el6.x86_64/kernel/drivers/md/dm-mod.ko): Key was rejected by service
Module signature verification failed
Module signature verification failed
Module signature verification failed

[kd2017]

Next episode:

I've just cloned one of my virtual machines, updated it and caught the same problem.
Coping /boot/initramfs-2.6.32-642.13.1.el6.x86_64.img from freshly installed and updated system revived boot failure.

Hope any one can explain it...

[TrevorH]

So it would appear to be a problem with the initramfs. Are you out of space on /boot perhaps?

[kd2017]

Yes, it's really problem with initramfs. No, all systems have a lot of space in /boot (checked).

I've found that the only affecting difference between working and failed initramfs is _striping_: dracut -f --nostrip produces working initramfs.
I've added do_strip=no to the end of /etc/dracut.conf, removed new kernel and run 'yum update kernel' again.

Code: Select all

# Sample dracut config file

# Specific list of dracut modules to use
#dracutmodules+=""

# Dracut modules to omit
#omit_dracutmodules+=""

# Dracut modules to add to the default
#add_dracutmodules+=""

# additional kernel modules to the default
#add_drivers+=""

# list of kernel filesystem modules to be included in the generic initramfs
#filesystems+=""

# build initrd only to boot current hardware
#hostonly="yes"
#

# install local /etc/mdadm.conf
mdadmconf="yes"

# install local /etc/lvm/lvm.conf
lvmconf="yes"

#
do_strip=no

Now system boots correctly.

[kd2017]

Important addition
All affected machines had the 'binutils' port updated to 2.27 version (backported from Fedora by request from development). CentOS binutils 2.20 works without any problem.

[TrevorH]

Which would be one of the reasons why we always tell people who ask "is it safe to run Fedora packages on CentOS" that, no, it isn't.