At the end of an upgrade the error message "Migration failed.“ is shown and a repository rollback was performed

This document (000021452) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP1
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server for SAP Applications 15 SP1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
SUSE Linux Enterprise Server for SAP Applications 15 SP3
PAYG instances on Azure

Situation

The upgrade from SLES 12 SP5 to SLES 15 SP1 finished successfully using the SUSE Distribution Migration System (DMS).

At the end of an upgrade from SLES 15 SP3 to SLES 15 SP5 using "zypper migration" command, the error message "Migration failed." and later the message “Rollback successful.” are shown even the instance was upgraded to SLES 15 SP5.

The Azure Serial Console log shows (snippet):



(548/770) Installing: kernel-default-5.14.21-150500.55.52.1.x86_64 [............................................................................................
dracut: Executing: /usr/bin/dracut -f /boot/initrd-5.14.21-150500.55.52-default 5.14.21-150500.55.52-default
dracut: dracut module 'systemd-networkd' will not be installed, because command 'networkctl' could not be found!
dracut: dracut module 'systemd-networkd' will not be installed, because command '/usr/lib/systemd/systemd-networkd' could not be found!
dracut: dracut module 'systemd-networkd' will not be installed, because command '/usr/lib/systemd/systemd-networkd-wait-online' could not be found!
dracut: dracut module 'systemd-repart' will not be installed, because command 'systemd-repart' could not be found!
dracut: dracut module 'systemd-resolved' will not be installed, because command 'resolvectl' could not be found!
dracut: dracut module 'systemd-resolved' will not be installed, because command '/usr/lib/systemd/systemd-resolved' could not be found!
dracut: dracut module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found!
.
.
dracut: memstrack is not available
dracut: If you need to use rd.memdebug>=4, please install memstrack and procps-ng
dracut: dracut module 'squash' will not be installed, because command 'mksquashfs' could not be found!
dracut: dracut module 'squash' will not be installed, because command 'unsquashfs' could not be found!
dracut: *** Including module: systemd ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: i18n ***
dracut: No KEYMAP configured.
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: kernel-modules-extra ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: suse-btrfs ***
dracut: *** Including module: suse-xfs ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 50-firmware.rules
dracut: Skipping udev rule: 50-udev.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: haveged ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including module: suse ***
dracut: *** Including module: suse-initrd ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies ***
dracut: *** Installing kernel module dependencies done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done ***
dracut: *** Hardlinking files ***
dracut: Mode:           real
dracut: Files:          1677
dracut: Linked:         2 files
dracut: Compared:       0 xattrs
dracut: Compared:       591 files
dracut: Saved:          738 B
dracut: Duration:       0.010746 seconds
dracut: *** Hardlinking files done ***
dracut: *** Generating early-microcode cpio image ***
dracut: *** Store current command line parameters ***
dracut: Stored kernel commandline:
dracut:  root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rootfstype=xfs rootflags=rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Creating image file '/boot/initrd-5.14.21-150500.55.52-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-5.14.21-150500.55.52-default' done ***
Failed to get root password hash
Failed to import /etc/uefi/certs/76B6A6A0.crt
warning: %post(kernel-default-5.14.21-150500.55.52.1.x86_64) scriptlet failed, exit status 255
done]
.
.
Since the last system boot core libraries or services have been updated.
Reboot is suggested to ensure that your system benefits from these updates.' (exit status 107)

Migration failed.


Performing repository rollback...

Starting to sync system product activations to the server. This can take some time...

Executing '/usr/bin/zypper --disable-repositories --xmlout --non-interactive products -i'
Executing '/usr/bin/zypper --non-interactive removeservice SUSE_Linux_Enterprise_Server_for_SAP_Applications_x86_64'
.
.
Executing '/usr/bin/zypper --non-interactive removeservice SUSE_Linux_Enterprise_Live_Patching_x86_64'
Executing '/usr/bin/zypper --non-interactive removeservice SUSE_Linux_Enterprise_Live_Patching_x86_64'
Executing '/usr/bin/zypper --non-interactive removeservice SUSE_Linux_Enterprise_Live_Patching_x86_64'
Executing '/usr/bin/zypper --non-interactive addservice -t ris plugin:/susecloud?credentials=SUSE_Linux_Enterprise_Live_Patching_x86_64&path=/services/2511 SUSE_Linux_Enterprise_Live_Patching_x86_64'
Executing '/usr/bin/zypper --non-interactive modifyservice -r SUSE_Linux_Enterprise_Live_Patching_x86_64'
Executing '/usr/bin/zypper --non-interactive refs SUSE_Linux_Enterprise_Live_Patching_x86_64'
Executing '/usr/bin/zypper --non-interactive --releasever 15.5 ref -f'

Rollback successful.

[22;27;31;49m'/usr/lib/zypper/commands/zypper-migration' exited with status 1[0m

Resolution

The related error messages "Failed to get root password hash" and "Migration failed." and later the message “Rollback successful.” are not shown if "Secure Boot" was enabled and a temporary root password was set before starting the upgrade of an previously upgraded Azure SLES 12 SP5 based PAYG instance.

The following workaround can be used:

1- Make sure that both required "Secure Boot" packages are installed

2- Enable "Secure Boot" using command line

3- For the upgrade set a temporary "root" password
(this generates the root password hash used by the mokutil command executed in kernel post install script)

4- Reinitialize the bootloader by refreshing the config and reinstall it

5- Verify "Secure Boot" setup

6- Install required patches

7- Reboot the instance and verify if all patches were applied

8- Start the SLES OS upgrade

Example:

1- Make sure that both required "Secure Boot" packages are installed:

sles-sap-12-sp5-gen2:~ # rpm -qa shim
shim-15.7-150300.4.16.1.x86_64


sles-sap-12-sp5-gen2:~ # rpm -qa mokutil
mokutil-0.4.0-150200.4.6.1.x86_64



2- Enable "Secure Boot" using command line:

sles-sap-12-sp5-gen2:~ # cat /etc/sysconfig/bootloader 
DEFAULT_APPEND="USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 multipath=off net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rw "
FAILSAFE_APPEND="USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 multipath=off net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rw  ide=nodma apm=off noresume edd=off nomodeset 3 "
LOADER_LOCATION=none
LOADER_TYPE=grub2-efi
SECURE_BOOT="yes"



3- For the upgrade set a temporary "root" password:

sles-sap-12-sp5-gen2:~ # passwd



4- Reinitialize the bootloader by refreshing the config and reinstall it:

sles-sap-12-sp5-gen2:~ # /sbin/update-bootloader --reinit



5- Verify "Secure boot" setup:

sles-sap-12-sp5-gen2:~ # efibootmgr -v
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0003,0001,0000
Boot0000* EFI Network    AcpiEx(VMBus,,)/VenHw(9b17e5a2-0891-42dd-b653-80b5c22809ba,635161f83edfc546913ff2d2f965ed0e8d3a0d00c6cf0d003a8dcfc6000d3a8d)/MAC(000000000000,0)/IPv4(0.0.0.00.0.0.0,0,0)
Boot0001* EFI SCSI Device    AcpiEx(VMBus,,)/VenHw(9b17e5a2-0891-42dd-b653-80b5c22809ba,d96361baa104294db60572e2ffb1dc7f1a78b3f8821e1848a1c363d806ec15bb)/SCSI(0,0)
Boot0002* EFI SCSI Device    AcpiEx(VMBus,,)/VenHw(9b17e5a2-0891-42dd-b653-80b5c22809ba,d96361baa104294db60572e2ffb1dc7f1a78b3f8821e1848a1c363d806ec15bb)/SCSI(0,1)
Boot0003* sles-secureboot    HD(2,GPT,3c5f99ae-f3e4-4d71-b167-f7e492abc7df,0x1800,0x100000)/File(\EFI\sles\shim.efi)

-

sles-sap-12-sp5-gen2:~ # ll -R /boot/efi/EFI/
/boot/efi/EFI/:
total 16
drwxr-xr-x 2 root root 8192 Jan 23 15:10 BOOT
drwxr-xr-x 2 root root 8192 Mar 26 08:24 sles

/boot/efi/EFI/BOOT:
total 152
-rwxr-xr-x 1 root root 143360 Mar 26 08:24 bootx64.efi
-rwxr-xr-x 1 root root    128 Jan 23 15:10 grub.cfg

/boot/efi/EFI/sles:
total 3136
-rwxr-xr-x 1 root root  852408 Mar 26 08:24 MokManager.efi
-rwxr-xr-x 1 root root      50 Mar 26 08:24 boot.csv
-rwxr-xr-x 1 root root     120 Mar 26 08:24 grub.cfg
-rwxr-xr-x 1 root root 1222656 Mar 26 08:24 grub.efi
-rwxr-xr-x 1 root root  143360 Mar 26 08:24 grubx64.efi
-rwxr-xr-x 1 root root  953800 Mar 26 08:24 shim.efi



6- Install required patches:

sles-sap-12-sp5-gen2:~ # zypper patch



7- Reboot the instance and verify if all patches were applied:

sles-sap-12-sp5-gen2:~ # reboot 

sles-sap-12-sp5-gen2:~ # zypper patch



8- Start the SLES OS upgrade:

sles-sap-12-sp5-gen2:~ # zypper migration -v



Result:

sles-sap-12-sp5-gen2:~ # zypper migration -v 
.
.
dracut:  root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rootfstype=xfs rootflags=rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Creating image file '/boot/initrd-5.14.21-150500.55.52-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-5.14.21-150500.55.52-default' done ***
CA enrolled. Skip /etc/uefi/certs/76B6A6A0.crt
done]
.
.



sles-sap-12-sp5-gen2:~ # echo $?
0

Cause

This issue is reported to SUSE Engineering.

The previous SLES 12 based Azure PAYG marketplace images do not have "Secure Boot" enabled
and there is no root password set for the Azure based public cloud images, so the mokutil command will fail.

Status

Reported to Engineering

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

Document ID:000021452
Creation Date: 21-May-2024
Modified Date:20-Jun-2024
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Report a Software Vulnerability

Go to Customer Center

SUSE Support

Here When You Need Us