Ignore efi grub2-install failure
Recent releases of redhat grub2 will always fail when installing to EFI paths, to encourage a transition to the signed shim bootloader. Partition image deploys avoid calling grub2-install with the preserve-efi-assets functions. Deploying whole disk images doesn't require grub2-install. This leaves whole disk images installed onto softraid devices, which still attempts to call grub2-install. This change will still attempt to run grub2-install in this one remaining case, but will ignore any failure. A future enhancement can avoid calling grub2-install entirely so that non-redhat secure-boot capable images can keep their signed bootloaders. Story: 2008923 Task: 42521 Change-Id: If432ef795d64d76442d739eb4f7d155ff847041e
This commit is contained in:
parent
5c063c8224
commit
a057be7dad
@ -631,34 +631,38 @@ def _install_grub2(device, root_uuid, efi_system_part_uuid=None,
|
||||
"Secure Boot signed binaries.", efi_partition)
|
||||
utils.execute('mount', efi_partition, efi_partition_mount_point)
|
||||
efi_mounted = True
|
||||
# FIXME(rg): does not work in cross boot mode case (target
|
||||
# boot mode differs from ramdisk one)
|
||||
# Probe for the correct target (depends on the arch, example
|
||||
# --target=x86_64-efi)
|
||||
utils.execute('chroot %(path)s /bin/sh -c '
|
||||
'"%(bin)s-install"' %
|
||||
{'path': path, 'bin': binary_name},
|
||||
shell=True,
|
||||
env_variables={
|
||||
'PATH': path_variable
|
||||
})
|
||||
# Also run grub-install with --removable, this installs grub to
|
||||
# the EFI fallback path. Useful if the NVRAM wasn't written
|
||||
# correctly, was reset or if testing with virt as libvirt
|
||||
# resets the NVRAM on instance start.
|
||||
# This operation is essentially a copy operation. Use of the
|
||||
# --removable flag, per the grub-install source code changes
|
||||
# the default file to be copied, destination file name, and
|
||||
# prevents NVRAM from being updated.
|
||||
# We only run grub2_install for uefi if we can't verify the
|
||||
# uefi bits
|
||||
utils.execute('chroot %(path)s /bin/sh -c '
|
||||
'"%(bin)s-install --removable"' %
|
||||
{'path': path, 'bin': binary_name},
|
||||
shell=True,
|
||||
env_variables={
|
||||
'PATH': path_variable
|
||||
})
|
||||
try:
|
||||
utils.execute('chroot %(path)s /bin/sh -c '
|
||||
'"%(bin)s-install"' %
|
||||
{'path': path, 'bin': binary_name},
|
||||
shell=True,
|
||||
env_variables={
|
||||
'PATH': path_variable
|
||||
})
|
||||
except processutils.ProcessExecutionError as e:
|
||||
LOG.warning('Ignoring GRUB2 boot loader installation failure: '
|
||||
'%s.', e)
|
||||
try:
|
||||
# Also run grub-install with --removable, this installs grub to
|
||||
# the EFI fallback path. Useful if the NVRAM wasn't written
|
||||
# correctly, was reset or if testing with virt as libvirt
|
||||
# resets the NVRAM on instance start.
|
||||
# This operation is essentially a copy operation. Use of the
|
||||
# --removable flag, per the grub-install source code changes
|
||||
# the default file to be copied, destination file name, and
|
||||
# prevents NVRAM from being updated.
|
||||
# We only run grub2_install for uefi if we can't verify the
|
||||
# uefi bits
|
||||
utils.execute('chroot %(path)s /bin/sh -c '
|
||||
'"%(bin)s-install --removable"' %
|
||||
{'path': path, 'bin': binary_name},
|
||||
shell=True,
|
||||
env_variables={
|
||||
'PATH': path_variable
|
||||
})
|
||||
except processutils.ProcessExecutionError as e:
|
||||
LOG.warning('Ignoring GRUB2 boot loader installation failure: '
|
||||
'%s.', e)
|
||||
utils.execute('umount', efi_partition_mount_point, attempts=3,
|
||||
delay_on_retry=True)
|
||||
efi_mounted = False
|
||||
|
@ -1675,6 +1675,21 @@ efibootmgr: ** Warning ** : Boot0005 has same label ironic1\n
|
||||
mock_is_md_device,
|
||||
mock_execute, mock_dispatch):
|
||||
|
||||
# return success for every execute call
|
||||
mock_execute.side_effect = [('', '')] * 21
|
||||
|
||||
# make grub2-install calls fail
|
||||
grub_failure = processutils.ProcessExecutionError(
|
||||
stdout='',
|
||||
stderr='grub2-install: error: this utility cannot be used '
|
||||
'for EFI platforms because it does not support '
|
||||
'UEFI Secure Boot.\n',
|
||||
exit_code=1,
|
||||
cmd='grub2-install'
|
||||
)
|
||||
mock_execute.side_effect[9] = grub_failure
|
||||
mock_execute.side_effect[10] = grub_failure
|
||||
|
||||
mock_get_part_uuid.side_effect = [self.fake_root_part,
|
||||
self.fake_efi_system_part]
|
||||
environ_mock.get.return_value = '/sbin'
|
||||
@ -1686,7 +1701,10 @@ efibootmgr: ** Warning ** : Boot0005 has same label ironic1\n
|
||||
efi_system_part_uuid=self.fake_efi_system_part_uuid,
|
||||
target_boot_mode='uefi')
|
||||
|
||||
expected = [mock.call('mount', '/dev/fake2', self.fake_dir),
|
||||
expected = [mock.call('partx', '-u', '/dev/fake', attempts=3,
|
||||
delay_on_retry=True),
|
||||
mock.call('udevadm', 'settle'),
|
||||
mock.call('mount', '/dev/fake2', self.fake_dir),
|
||||
mock.call('mount', '-o', 'bind', '/dev',
|
||||
self.fake_dir + '/dev'),
|
||||
mock.call('mount', '-o', 'bind', '/proc',
|
||||
|
@ -0,0 +1,10 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Recent releases of redhat grub2 will always fail when installing to EFI
|
||||
paths, to encourage a transition to the signed shim bootloader. Partition
|
||||
image deploys avoid calling grub2-install with the preserve-efi-assets
|
||||
functions. Deploying whole disk images doesn't require grub2-install. This
|
||||
leaves whole disk images installed onto softraid devices, which still calls
|
||||
grub2-install. Running grub2-install is still attempted in this one
|
||||
remaining case, but any failures are now ignored.
|
Loading…
Reference in New Issue
Block a user