Was looking at this for AlmaLinux 10 (so should work with Rocky 10 I guess) and it seems you need to specify the UUID of the /boot partition in the kernel options. So what I did (STIG hardening) in the kickstart for my AlmaLinux kickstart:
The Bootloader line (also have a --password line in there but not shared here):
Thank you for your answer. When I added the boot device to the kernel parameters, it booted, but I have the problem that FIPS is not enabled correctly. It says that the installation of FIPS modules is incomplete.
I added the following line to the %post area:
fips-mode-setup --enable.
It automatically adds the boot partition as a kernel parameter, and I don’t receive any messages indicating that the modules are incomplete.
Does this have any effect on FIPS? Should I enable it another way?
This works fine for Rocky 8 and 9; however, that command doesn’t exist in RHEL10/Rocky10. Using fips=1 when booting from grub or in kickstart will be the only way for the future.
In theory no, there shouldn’t be any problems. But then, Rocky and the Rocky team do not support upgrades. It’s usually recommended to reinstall the system and restore data/apps using things like ansible to configure/reconfigure the server.
There is the elevate project which allows upgrading Rocky, but again, there is no support for it if things go wrong. Even RHEL with leapp doesn’t guarantee that all systems can be upgraded, even if you have a purchased support contract. In most cases it should work, but there are sometimes situations when it doesn’t.
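A post-install check for the boot state discussed in this thread (fips=1 on the kernel command line, plus a boot= argument when /boot is a separate partition). This is an added example, not code from any poster; the function name, status strings and the sample command line with its placeholder UUID are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the kernel command line and kernel FIPS flag.
# fips_cmdline_status CMDLINE FIPS_ENABLED BOOT_SEPARATE
#   CMDLINE        contents of /proc/cmdline
#   FIPS_ENABLED   contents of /proc/sys/crypto/fips_enabled ("1" or "0")
#   BOOT_SEPARATE  "yes" if /boot is its own mount point
# Prints ok, missing-fips-arg, missing-boot-arg or kernel-not-in-fips;
# exit status is 0 only for ok.
fips_cmdline_status() (
    cmdline=$1 enabled=$2 boot_separate=$3
    has_fips=no has_boot=no
    set -f                        # no globbing while splitting the arguments
    for arg in $cmdline; do
        case $arg in
            fips=1)  has_fips=yes ;;
            boot=?*) has_boot=yes ;;   # e.g. boot=UUID=<uuid of /boot>
        esac
    done
    if [ "$has_fips" = no ]; then
        echo missing-fips-arg; exit 1
    fi
    # With /boot on its own partition, the thread's fix was to add boot=.
    if [ "$boot_separate" = yes ] && [ "$has_boot" = no ]; then
        echo missing-boot-arg; exit 1
    fi
    # The argument alone is not proof: confirm the kernel reports FIPS mode.
    if [ "$enabled" != 1 ]; then
        echo kernel-not-in-fips; exit 1
    fi
    echo ok
)

# Constructed sample command line; the UUIDs are placeholders.
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz root=UUID=11111111-1111-1111-1111-111111111111 ro fips=1 boot=UUID=00000000-0000-0000-0000-000000000000'

# Run against the live system only when asked: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    if mountpoint -q /boot; then sep=yes; else sep=no; fi
    fips_cmdline_status "$(cat /proc/cmdline)" \
        "$(cat /proc/sys/crypto/fips_enabled)" "$sep"
fi
```

Run with --live from the kickstart-installed system after its first boot; inside %post the command line belongs to the installer environment, not the installed system.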