overlay/15fcos: fix aleph file and update bootloader for Secure Boot nodes #3042

Merged
merged 2 commits into from
Jun 27, 2024

@jbtrystram jbtrystram commented Jun 27, 2024

overlay/15fcos: ensure valid aleph file

Due to an ordering mishap, some builds have both a version and a
build field. This causes bootupctl to fail while parsing the file.

Detect this case, and fix the aleph if necessary by removing the build
field.

This should be removed after the next barrier release.

Fixes: coreos/fedora-coreos-tracker#1724


overlay/15fcos: upgrade bootloader for Secure Boot-enabled systems

The 6.9 kernel won't boot on systems installed prior to F39, as the shim
is too old.

Add a systemd unit that updates the bootloader on those machines.
Manually handle systems with mirrored ESPs.

See also: coreos/fedora-coreos-tracker#1752
Fixes: fedora-silverblue/issue-tracker#543

@jbtrystram jbtrystram force-pushed the fix-bootupd-aleph branch 3 times, most recently from 857c991 to 9ace03e Compare June 27, 2024 10:04
@travier travier changed the title overlay/15fcos: fix aleph file and upload bootlodaer for secureboot nodes overlay/15fcos: fix aleph file and upload bootloader for secureboot nodes Jun 27, 2024
@travier travier changed the title overlay/15fcos: fix aleph file and upload bootloader for secureboot nodes overlay/15fcos: fix aleph file and update bootloader for secureboot nodes Jun 27, 2024
@travier travier changed the title overlay/15fcos: fix aleph file and update bootloader for secureboot nodes overlay/15fcos: fix aleph file and update bootloader for Secure Boot nodes Jun 27, 2024
@travier
Member

travier commented Jun 27, 2024

secureboot -> Secure Boot

@jlebon
Member

jlebon commented Jun 27, 2024

In the script, I think let's just have two separate paths entirely for RAID1 and non-RAID1. You can detect if a system is using RAID1 or not by checking if there is a /dev/disk/by-label/esp-1 and /dev/disk/by-label/esp-2. So then:

@jbtrystram
Contributor Author

> In the script, I think let's just have two separate paths entirely for RAID1 and non-RAID1. You can detect if a system is using RAID1 or not by checking if there is a /dev/disk/by-label/esp-1 and /dev/disk/by-label/esp-2. So then:
>
> * if not RAID: just do `bootupctl update` and exit
>
> * if RAID: do [bootupd fails on mirrored boot disks fedora-coreos-tracker#1485 (comment)](https://github.com/coreos/fedora-coreos-tracker/issues/1485#issuecomment-1533350911)

This won't support RAID-1 with more than two disks though
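
The label check discussed above, written out as an added example (not the script from this PR): it classifies the ESP layout from `esp-*` labels and only runs `bootupctl update` in the non-RAID case. The function names, the `unsupported` result for a lone or third `esp-N` label, and the directory parameter (there so the logic can be exercised on a constructed directory) are assumptions of this example; the mirrored-ESP steps are in the linked tracker comment and are not reproduced.

```shell
#!/bin/sh
# Added example: decide the bootloader update path from ESP labels.
# On a real host the label directory is /dev/disk/by-label.

# Prints one of: single | raid1 | unsupported
esp_layout() {
    label_dir=${1:-/dev/disk/by-label}
    count=0
    for entry in "$label_dir"/esp-*; do
        # With no match the glob stays literal, so test for existence.
        [ -e "$entry" ] || continue
        count=$((count + 1))
    done

    if [ "$count" -eq 0 ]; then
        echo single
    elif [ "$count" -eq 2 ] && [ -e "$label_dir/esp-1" ] \
        && [ -e "$label_dir/esp-2" ]; then
        echo raid1
    else
        # One member missing, or a mirror with more than two members
        # (the limitation noted in the reply): do not guess a path.
        echo unsupported
    fi
}

# Dispatch on the layout. Only the non-RAID case touches the bootloader;
# the other cases return non-zero so a calling unit fails visibly.
update_bootloader() {
    case $(esp_layout "$1") in
        single)
            bootupctl update
            ;;
        raid1)
            # Mirrored ESPs need the per-ESP procedure from the linked
            # tracker comment; it is not reproduced in this example.
            echo "mirrored ESPs: esp-1 and esp-2 need per-ESP handling" >&2
            return 2
            ;;
        *)
            echo "unexpected ESP labels in ${1:-/dev/disk/by-label}" >&2
            return 1
            ;;
    esac
}
```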

@jbtrystram jbtrystram force-pushed the fix-bootupd-aleph branch 5 times, most recently from 51c42eb to 2fad4a6 Compare June 27, 2024 15:52
@jbtrystram
Contributor Author

Sorry for the multiple force pushes, I'm getting burned by the trailing whitespace!

@jlebon jlebon force-pushed the fix-bootupd-aleph branch 3 times, most recently from de8c104 to 3379e15 Compare June 27, 2024 17:01
Due to an ordering mishap, some builds have both a `version` and a
`build` field. This causes bootupctl to fail while parsing the file.

Detect this case, and fix the aleph if necessary by removing the `build`
field.

This should be removed after the next barrier release.

Fixes: coreos/fedora-coreos-tracker#1724

Co-authored-by: Jonathan Lebon <[email protected]>

The 6.9 kernel won't boot on systems installed prior to F39, as the shim
is too old.

Add a systemd unit that updates the bootloader on those machines.
Manually handle systems with mirrored ESPs.

See also: coreos/fedora-coreos-tracker#1752
Fixes: fedora-silverblue/issue-tracker#543

Co-authored-by: Jonathan Lebon <[email protected]>
@jlebon jlebon force-pushed the fix-bootupd-aleph branch from 3379e15 to 8f0bfde Compare June 27, 2024 17:51
Member

@jlebon jlebon left a comment

Tested this pretty extensively. Secure Boot/non-Secure boot, RAID/non-RAID, old builds, new builds, builds affected by coreos/fedora-coreos-tracker#1724.

LGTM

@jlebon jlebon enabled auto-merge (rebase) June 27, 2024 18:02
@jlebon jlebon merged commit 8dd5b81 into coreos:testing-devel Jun 27, 2024
3 checks passed
@jbtrystram
Contributor Author

Thanks @jlebon for pushing it through!

@travier
Member

travier commented Jun 28, 2024

👍🏻

jbtrystram added a commit to jbtrystram/bootupd that referenced this pull request Sep 3, 2024
This enables bootloader updates automatically on boot.
Note that the service is intentionally not enabled by default,
it should be up to the distribution to add a systemd preset if
auto-update for the bootloader is desired.

Right now RAID setups are not supported but see [1] for an example
in coreos.

[1] coreos/fedora-coreos-config#3042
travier pushed a commit to travier/bootupd that referenced this pull request Dec 18, 2024
Add a systemd service unit to trigger an adoption and update on every
boot.

Note that the service is intentionally not enabled by default as it
should be up to the distribution to add a systemd preset if auto-update
for the bootloader is desired.

This unit does not come with any specific restrictions (i.e. EFI or BIOS
only). For an assessment of the safety of updates as performed by
bootupd, see coreos#454.

Distributions should also apply the restrictions (i.e. EFI or BIOS only
for example) as needed as unit files overrides.

Notably, Fedora CoreOS can not yet enable automatic updates until we get
support for the multiple EFI partitions for RAID setups.

See: coreos/fedora-coreos-tracker#1468
See: coreos/fedora-coreos-config#3042

Initial version from: coreos#716
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2332868