SUSE Support

Here When You Need Us

At the end of an upgrade the error message "Migration failed.“ is shown and a repository rollback was performed

This document (000021452) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server 15 SP2
SUSE Linux Enterprise Server 15 SP1
SUSE Linux Enterprise Server for SAP Applica­tions 15 SP3
SUSE Linux Enterprise Server for SAP Applica­tions 15 SP2
SUSE Linux Enterprise Server for SAP Applica­tions 15 SP1
PAYG and BYOS instances on Azure

Situation

The upgrade from SLES 12 SP5 to SLES 15 SP1 finished successfully using the SUSE Distribution Migration System (DMS) and afterwards the upgrade from SLES 15 SP1 to SLES 15 SP2 also finished successfully and no errors were shown.

At the end of an upgrade from SLES 15 SP2 to SLES 15 SP3 using "zypper migration" command, the error message "Migration failed." and later the message “Rollback successful.” is shown even the instance was upgraded to SLES 15 SP3.

Example (snippet): 
sles-sap-12-sp5-gen2:~ # zypper migration
.
.
dracut: *** Creating image file '/boot/initrd-5.3.18-150300.59.174-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-5.3.18-150300.59.174-default' done ***
Failed to get root password hash
Failed to import /etc/uefi/certs/76B6A6A0.crt
warning: %post(kernel-default-5.3.18-150300.59.174.1.x86_64) scriptlet failed, exit status 255
done]
(267/542) Installing: iscsiuio-0.7.8.6-150300.32.24.1.x86_64 [...done]
.
.
dracut: Stored kernel commandline:
dracut:  root=UUID=85360ea8-604e-4070-b40c-6dc02d61105b rootfstype=xfs rootflags=rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota
dracut: *** Creating image file '/boot/initrd-5.3.18-150300.59.174-default' ***
dracut: *** Creating initramfs image file '/boot/initrd-5.3.18-150300.59.174-default' done ***
........done]
CommitResult  (total 542, done 542, error 0, skipped 0, updateMessages 0)
Checking for running processes using deleted libraries...
There are running programs which still use files and libraries deleted or updated by recent upgrades. They should be restarted to benefit from the latest updates. Run 'zypper ps -s' to list these programs.
 
Since the last system boot core libraries or services have been updated.
Reboot is suggested to ensure that your system benefits from these updates.' (exit status 107)

Migration failed.

Performing repository rollback...
.
.
Executing '/usr/bin/zypper --non-interactive --releasever 15.2 ref -f'

Rollback successful.
'/usr/lib/zypper/commands/zypper-migration' exited with status 1


sles-sap-12-sp5-gen2:~ # echo $?
1

Resolution

The following workaround can be used if Secure Boot support is disabled:

1- Verify UEFI Secure Boot support

2- Start the upgrade adding the "--no-recommends" option to the "zypper migration" command

Note:
With this option the recommended "shim" package from the "base" pattern will not be installed and also the dependent "mokutil" package won't be installed.
Without having the "mokutil" package installed the Kernel post-install script will NOT execute the command "mokutil --reset --root-pw" and the related error messages "Failed to get root password hash" and "Migration failed." and later the message “Rollback successful.” are not shown.

Example: 
1- Verify UEFI Secure Boot support - No entry showing SECURE_BOOT="yes":

sles-sap-12-sp5-gen2:~ # cat /etc/sysconfig/bootloader
DEFAULT_APPEND="USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 multipath=off net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rw "
FAILSAFE_APPEND="USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 multipath=off net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rw  ide=nodma apm=off noresume edd=off nomodeset 3 "
LOADER_LOCATION=none
LOADER_TYPE=grub2-efi

2- Start the upgrade adding the "--no-recommends" option to the "zypper migration" command:

sles-sap-12-sp5-gen2:~ # zypper migration --no-recommends


sles-sap-12-sp5-gen2:~ # echo $?
0

The following workaround can be used if Secure Boot support is already or should be enabled:

1- Make sure that both required "Secure Boot" packages are installed

2- Enable UEFI Secure Boot support using command line

3- For the upgrade set a temporary "root" password
   (this generates the root password hash used by the mokutil command executed in kernel post install script)

4- Reinitialize the bootloader by refreshing the config and reinstall it

5- Verify "Secure Boot" setup

6- Install required patches

7- Reboot the instance and verify if all patches were applied

8- Start the SLES OS upgrade


Note:
The related error messages "Failed to get root password hash" and "Migration failed." and later the message “Rollback successful.” are not shown if a temporary root password was set before starting the upgrade.

 
Example:
1- Make sure that both required "Secure Boot" packages are installed:

sles-sap-12-sp5-gen2:~ # rpm -qa shim
shim-15.8-150300.4.20.2.x86_64


sles-sap-12-sp5-gen2:~ # rpm -qa mokutil
mokutil-0.4.0-150200.4.6.1.x86_64


2- Enable UEFI Secure Boot support using command line:

sles-sap-12-sp5-gen2:~ # cat /etc/sysconfig/bootloader 
DEFAULT_APPEND="USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 multipath=off net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rw "
FAILSAFE_APPEND="USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 multipath=off net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rw  ide=nodma apm=off noresume edd=off nomodeset 3 "
LOADER_LOCATION=none
LOADER_TYPE=grub2-efi
SECURE_BOOT="yes"


3- For the upgrade set a temporary "root" password:

sles-sap-12-sp5-gen2:~ # passwd


4- Reinitialize the bootloader by refreshing the config and reinstall it:

sles-sap-12-sp5-gen2:~ # /sbin/update-bootloader --reinit


5- Verify "Secure boot" setup:

sles-sap-12-sp5-gen2:~ # efibootmgr -v
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0003,0001,0000
Boot0000* EFI Network    AcpiEx(VMBus,,)/VenHw(9b17e5a2-0891-42dd-b653-80b5c22809ba,635161f83edfc546913ff2d2f965ed0e8d3a0d00c6cf0d003a8dcfc6000d3a8d)/MAC(000000000000,0)/IPv4(0.0.0.00.0.0.0,0,0)
Boot0001* EFI SCSI Device    AcpiEx(VMBus,,)/VenHw(9b17e5a2-0891-42dd-b653-80b5c22809ba,d96361baa104294db60572e2ffb1dc7f1a78b3f8821e1848a1c363d806ec15bb)/SCSI(0,0)
Boot0002* EFI SCSI Device    AcpiEx(VMBus,,)/VenHw(9b17e5a2-0891-42dd-b653-80b5c22809ba,d96361baa104294db60572e2ffb1dc7f1a78b3f8821e1848a1c363d806ec15bb)/SCSI(0,1)
Boot0003* sles-secureboot    HD(2,GPT,3c5f99ae-f3e4-4d71-b167-f7e492abc7df,0x1800,0x100000)/File(\EFI\sles\shim.efi)

-

sles-sap-12-sp5-gen2:~ # ll -R /boot/efi/EFI/
/boot/efi/EFI/:
total 16
drwxr-xr-x 2 root root 8192 Jan 23 15:10 BOOT
drwxr-xr-x 2 root root 8192 Mar 26 08:24 sles

/boot/efi/EFI/BOOT:
total 152
-rwxr-xr-x 1 root root 143360 Mar 26 08:24 bootx64.efi
-rwxr-xr-x 1 root root    128 Jan 23 15:10 grub.cfg

/boot/efi/EFI/sles:
total 3136
-rwxr-xr-x 1 root root  852408 Mar 26 08:24 MokManager.efi
-rwxr-xr-x 1 root root      50 Mar 26 08:24 boot.csv
-rwxr-xr-x 1 root root     120 Mar 26 08:24 grub.cfg
-rwxr-xr-x 1 root root 1222656 Mar 26 08:24 grub.efi
-rwxr-xr-x 1 root root  143360 Mar 26 08:24 grubx64.efi
-rwxr-xr-x 1 root root  953800 Mar 26 08:24 shim.efi


6- Install required patches:

sles-sap-12-sp5-gen2:~ # zypper patch


7- Reboot the instance and verify if all patches were applied:

sles-sap-12-sp5-gen2:~ # reboot 

sles-sap-12-sp5-gen2:~ # zypper patch


8- Start the SLES OS upgrade:

sles-sap-12-sp5-gen2:~ # zypper migration -v


Result:

sles-sap-12-sp5-gen2:~ # zypper migration -v 
.
.
dracut:  root=UUID=98dd41fd-30fc-4bb4-bcd0-ad816abb6621 rootfstype=xfs rootflags=rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota
dracut: *** Stripping files ***
dracut: *** Stripping files done ***
dracut: *** Creating image file '/boot/initrd-5.3.18-150300.59.174-default' *** dracut: *** Creating initramfs image file '/boot/initrd-5.3.18-150300.59.174-
default' done ***
CA enrolled. Skip /etc/uefi/certs/76B6A6A0.crt
done]
.
.


sles-sap-12-sp5-gen2:~ # echo $?
0

Cause

This issue is reported to SUSE Engineering.

There is no root password set for the Azure based public cloud images, if UEFI Secure Boot support is enabled the mokutil command will fail if no root password hash can be found in /etc/shadow file.

 

Status

Reported to Engineering

Additional Information

UEFI Secure boot support description:

https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-uefi.html#sec-uefi-secboot

https://documentation.suse.com/sles/15-SP5/html/SLES-all/cha-grub2.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021452
  • Creation Date: 21-May-2024
  • Modified Date:20-Sep-2024
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community
tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ
tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center