Ignore efi grub2-install failure

Recent releases of redhat grub2 will always fail when installing to
EFI paths, to encourage a transition to the signed shim bootloader.

Partition image deploys avoid calling grub2-install with the
preserve-efi-assets functions. Deploying whole disk images doesn't
require grub2-install. This leaves whole disk images installed onto
softraid devices, which still attempts to call grub2-install.

This change will still attempt to run grub2-install in this
one remaining case, but will ignore any failure.

A future enhancement can avoid calling grub2-install entirely so that
non-redhat secure-boot capable images can keep their signed
bootloaders.

Story: 2008923
Task: 42521
Change-Id: If432ef795d64d76442d739eb4f7d155ff847041e
This commit is contained in:
Steve Baker 2021-06-03 13:16:55 +12:00
parent 5c063c8224
commit a057be7dad
3 changed files with 61 additions and 29 deletions

View File

@ -631,34 +631,38 @@ def _install_grub2(device, root_uuid, efi_system_part_uuid=None,
"Secure Boot signed binaries.", efi_partition)
utils.execute('mount', efi_partition, efi_partition_mount_point)
efi_mounted = True
# FIXME(rg): does not work in cross boot mode case (target
# boot mode differs from ramdisk one)
# Probe for the correct target (depends on the arch, example
# --target=x86_64-efi)
utils.execute('chroot %(path)s /bin/sh -c '
'"%(bin)s-install"' %
{'path': path, 'bin': binary_name},
shell=True,
env_variables={
'PATH': path_variable
})
# Also run grub-install with --removable, this installs grub to
# the EFI fallback path. Useful if the NVRAM wasn't written
# correctly, was reset or if testing with virt as libvirt
# resets the NVRAM on instance start.
# This operation is essentially a copy operation. Use of the
# --removable flag, per the grub-install source code changes
# the default file to be copied, destination file name, and
# prevents NVRAM from being updated.
# We only run grub2_install for uefi if we can't verify the
# uefi bits
utils.execute('chroot %(path)s /bin/sh -c '
'"%(bin)s-install --removable"' %
{'path': path, 'bin': binary_name},
shell=True,
env_variables={
'PATH': path_variable
})
try:
utils.execute('chroot %(path)s /bin/sh -c '
'"%(bin)s-install"' %
{'path': path, 'bin': binary_name},
shell=True,
env_variables={
'PATH': path_variable
})
except processutils.ProcessExecutionError as e:
LOG.warning('Ignoring GRUB2 boot loader installation failure: '
'%s.', e)
try:
# Also run grub-install with --removable, this installs grub to
# the EFI fallback path. Useful if the NVRAM wasn't written
# correctly, was reset or if testing with virt as libvirt
# resets the NVRAM on instance start.
# This operation is essentially a copy operation. Use of the
# --removable flag, per the grub-install source code changes
# the default file to be copied, destination file name, and
# prevents NVRAM from being updated.
# We only run grub2_install for uefi if we can't verify the
# uefi bits
utils.execute('chroot %(path)s /bin/sh -c '
'"%(bin)s-install --removable"' %
{'path': path, 'bin': binary_name},
shell=True,
env_variables={
'PATH': path_variable
})
except processutils.ProcessExecutionError as e:
LOG.warning('Ignoring GRUB2 boot loader installation failure: '
'%s.', e)
utils.execute('umount', efi_partition_mount_point, attempts=3,
delay_on_retry=True)
efi_mounted = False

View File

@ -1675,6 +1675,21 @@ efibootmgr: ** Warning ** : Boot0005 has same label ironic1\n
mock_is_md_device,
mock_execute, mock_dispatch):
# return success for every execute call
mock_execute.side_effect = [('', '')] * 21
# make grub2-install calls fail
grub_failure = processutils.ProcessExecutionError(
stdout='',
stderr='grub2-install: error: this utility cannot be used '
'for EFI platforms because it does not support '
'UEFI Secure Boot.\n',
exit_code=1,
cmd='grub2-install'
)
mock_execute.side_effect[9] = grub_failure
mock_execute.side_effect[10] = grub_failure
mock_get_part_uuid.side_effect = [self.fake_root_part,
self.fake_efi_system_part]
environ_mock.get.return_value = '/sbin'
@ -1686,7 +1701,10 @@ efibootmgr: ** Warning ** : Boot0005 has same label ironic1\n
efi_system_part_uuid=self.fake_efi_system_part_uuid,
target_boot_mode='uefi')
expected = [mock.call('mount', '/dev/fake2', self.fake_dir),
expected = [mock.call('partx', '-u', '/dev/fake', attempts=3,
delay_on_retry=True),
mock.call('udevadm', 'settle'),
mock.call('mount', '/dev/fake2', self.fake_dir),
mock.call('mount', '-o', 'bind', '/dev',
self.fake_dir + '/dev'),
mock.call('mount', '-o', 'bind', '/proc',

View File

@ -0,0 +1,10 @@
---
fixes:
- |
Recent releases of redhat grub2 will always fail when installing to EFI
paths, to encourage a transition to the signed shim bootloader. Partition
image deploys avoid calling grub2-install with the preserve-efi-assets
functions. Deploying whole disk images doesn't require grub2-install. This
leaves whole disk images installed onto softraid devices, which still calls
grub2-install. Running grub2-install is still attempted in this one
remaining case, but any failures are now ignored.