File: 50-bootloader

package info (click to toggle)
python-diskimage-builder 3.37.0-2
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 5,572 kB
  • sloc: sh: 7,380; python: 6,444; makefile: 37
file content (350 lines) | stat: -rwxr-xr-x 12,740 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
 
#!/bin/bash

# Configure grub. Note that the various conditionals here are to handle
# different distributions gracefully.

if [ ${DIB_DEBUG_TRACE:-1} -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail

if [ ${DIB_EXTLINUX:-0} != "0" ]; then
    echo "DIB_EXTLINUX no longer supported"
    exit 1
fi

# Some distros have pre-installed grub in some other way, and want to
# skip this.
if [[ -f "/tmp/grub/install" ]]; then
    exit 0
fi

BOOT_DEV=$IMAGE_BLOCK_DEVICE
# All available devices, handy for some bootloaders...
declare -A DEVICES
eval DEVICES=( $IMAGE_BLOCK_DEVICES )

DIB_BLOCK_DEVICE=${DIB_BLOCK_DEVICE:-}

# Right now we can't use pkg-map to branch by arch, so tag an
# architecture specific virtual package so we can install the
# rigth thing based on distribution.
if [[ "$ARCH" =~ "ppc" ]]; then
    GRUB_PACKAGES="grub-ppc64"
elif [[ "${DIB_BLOCK_DEVICE}" == "mbr" ||
            "${DIB_BLOCK_DEVICE}" == "gpt" ]]; then
    GRUB_PACKAGES="grub-pc"
elif [[ "${DIB_BLOCK_DEVICE}" == "efi" ]]; then
    GRUB_PACKAGES="grub-efi grub-efi-$ARCH"
else
    GRUB_PACKAGES="grub-pc grub-efi grub-efi-$ARCH"
fi

if [[ "False" == "${DIB_SKIP_GRUB_PACKAGE_INSTALL:-False}" ]]; then
    install-packages -m bootloader $GRUB_PACKAGES
fi

GRUBNAME=$(type -p grub-install) || echo "trying grub2-install"
if [ -z "$GRUBNAME" ]; then
    GRUBNAME=$(type -p grub2-install)
fi

if type grub2-mkconfig >/dev/null; then
    GRUB_MKCONFIG="grub2-mkconfig"
else
    GRUB_MKCONFIG="grub-mkconfig"
fi

if [[ ! $($GRUBNAME --version) =~ ' 2.' ]]; then
    echo "Failure: not grub2"
    exit 1
fi

# Ensure BLS entries are updated with default args
if [[ $($GRUB_MKCONFIG --help) =~ '--update-bls-cmdline' ]]; then
    GRUB_MKCONFIG="$GRUB_MKCONFIG --update-bls-cmdline"
fi

# Some distros keep things in /boot/grub2, others in /boot/grub
if [ -d /boot/grub2 ]; then
    GRUB_CFG=/boot/grub2/grub.cfg
    GRUBENV=/boot/grub2/grubenv
else
    # NOTE(ianw) This used to be behind a "-d /boot/grub" but this
    # directory doesn't seem to exist for gentoo at this point;
    # something creates it later.  So we just fallback to this
    # unconditionally.
    GRUB_CFG=/boot/grub/grub.cfg
    GRUBENV=/boot/grub/grubenv
    mkdir -p /boot/grub
fi

# When using EFI image-based builds, particularly rhel element
# based on RHEL>=8.2 .qcow2, we might have /boot/grub2/grubenv
# as a dangling symlink to /boot/efi because we have extracted
# it from the root fs, but we didn't populate the separate EFI
# boot partition from the image.  grub2-install calls rename()
# on this file, so if it's a dangling symlink it errors.  Just
# remove it if it exists.
if [[ -L $GRUBENV ]]; then
    rm -f $GRUBENV
fi

function append_or_replace {
    local file=$1
    local key=$2
    local value=$3

    if grep -q "^$key=" "$file"; then
        sed -i "s/^$key=.*/$key=$value/" "$file"
    else
        echo $key=$value >>"$file"
    fi
}


# NOTE(TheJulia): Explicitly strip out embedded console settings
# in the source's grub defaults. This prevents re-introduction later.
# Intentionally matching 'console=ttyS0,115200n8 console=tty0'
# Also globally matches so it can handle 'console=tty0 stuff console=tty1'
# ... and also matches
# 'console=ttyS0,112500n81 console=ttyS1,n8 console=tty0'
if [[ -f /etc/default/grub ]]; then
    sed -i 's/\<console=[[:alnum:],]*[[:space:]]*//g' /etc/default/grub
fi

append_or_replace /etc/default/grub GRUB_DEVICE "LABEL=${DIB_ROOT_LABEL}"
append_or_replace /etc/default/grub GRUB_DISABLE_LINUX_UUID true
append_or_replace /etc/default/grub GRUB_TIMEOUT "${DIB_GRUB_TIMEOUT:-1}"
append_or_replace /etc/default/grub GRUB_TIMEOUT_STYLE "${DIB_GRUB_TIMEOUT_STYLE:-hidden}"
if [[ "True" == "${DIB_BOOTLOADER_USE_SERIAL_CONSOLE:-True}" ]]; then
    append_or_replace /etc/default/grub GRUB_TERMINAL \""serial console"\"
else
    append_or_replace /etc/default/grub GRUB_TERMINAL \"console\"
fi
append_or_replace /etc/default/grub GRUB_GFXPAYLOAD_LINUX auto

# NOTE(TheJulia): We need to remove any boot entry from the /etc/default/grub
# file that may already exist, such as what was added by fips being setup on
# either in the source image or by by an element, as we repack the image.
# with new filesystems.
# Matches any element which looks like " boot=" and the associated value
# in order for us to have a clean starting point to put a value in place,
# if applicable.
# Removes entry trailing with a space, or any entry where boot is set as
# the last argument on the line.
sed -i 's/\ boot=[0-9A-Za-z/=\-]\+//' /etc/default/grub
# NOTE(TheJulia): When using FIPS, dracut wants to evaluate
# the hmac files for the kernel checksum. However, if /boot is
# located on a separate filesystem from the root filesystem,
# than this fails. As a result, we need to identify IF /boot
# is a separate filesystem, and convey this fact as a boot
# argument so dracut does not halt the system on boot.

BOOT_FS=""

if [[ -n "${DIB_BOOT_LABEL}" ]]; then
    BOOT_FS=" boot=LABEL=${DIB_BOOT_LABEL}"
fi

# NOTE(TheJulia): While on the subject of FIPS, if there is not an
# explicit /boot partition, then the fips setup command will return
# a successful result, but then also tell you to update your grub
# configuration. This happens specifically with Rocky linux.
# as such, we check/reconcile the flag into place for the kernel
# as the utility will return a result code of 1 if the state is
# inconsistent, i.e. policy in place, but not kernel command line
# argument.

BOOT_FIPS=""

if [[ -x /bin/fips-mode-setup ]]; then
    set +e
    fips-mode-setup --is-enabled
    is_fips_enabled=$?
    set -e
    if [ $is_fips_enabled -eq 1 ]; then
        BOOT_FIPS=" fips=1"
    fi
fi


if [[ "True" == "${DIB_BOOTLOADER_USE_SERIAL_CONSOLE:-True}" ]]; then
    if [[ -n "${DIB_BOOTLOADER_SERIAL_CONSOLE}" ]]; then
        SERIAL_CONSOLE="console=${DIB_BOOTLOADER_SERIAL_CONSOLE}"
    elif [[ "powerpc ppc64 ppc64le" =~ "$ARCH" ]]; then
        # Serial console on Power is hvc0
        SERIAL_CONSOLE="console=hvc0"
    elif [[ "arm64" =~ "$ARCH" ]]; then
        SERIAL_CONSOLE="console=ttyAMA0,115200"
    else
        SERIAL_CONSOLE="console=ttyS0,115200"
    fi
else
    SERIAL_CONSOLE=""
fi

if [[ -n "${DIB_BOOTLOADER_VIRTUAL_TERMINAL}" ]]; then
    VIRTUAL_TERMINAL="console=${DIB_BOOTLOADER_VIRTUAL_TERMINAL}"
else
    VIRTUAL_TERMINAL=""
fi

if [[ "True" == "${DIB_NO_TIMER_CHECK:-True}" ]]; then
    NO_TIMER_CHECK="no_timer_check"
else
    NO_TIMER_CHECK=""
fi

GRUB_CMDLINE_LINUX_DEFAULT="${VIRTUAL_TERMINAL} ${SERIAL_CONSOLE} ${NO_TIMER_CHECK}"
echo "GRUB_CMDLINE_LINUX_DEFAULT=\"${GRUB_CMDLINE_LINUX_DEFAULT} ${DIB_BOOTLOADER_DEFAULT_CMDLINE}${BOOT_FS}${BOOT_FIPS}\"" >>/etc/default/grub


if [[ "True" == "${DIB_BOOTLOADER_USE_SERIAL_CONSOLE:-True}" ]]; then
    echo 'GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"' >>/etc/default/grub
fi

# os-prober leaks /dev/sda into config file in dual-boot host
# Disable grub-os-prober to avoid the issue  while running
# grub-mkconfig
# Setting a flag to track whether the entry is already there in grub config
PROBER_DISABLED=
if ! grep -qe "^\s*GRUB_DISABLE_OS_PROBER=true" /etc/default/grub; then
    PROBER_DISABLED=true
    echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
fi

# GRUB_MKCONFIG call needs to happen after we configure
# /etc/default/grub above. Without this we can set inappropriate
# root device labels and then images don't boot.
#
# This produces a legacy config which both bios and uefi can boot
# Later we copy the final config to an efi specific location to
# support uefi specific functionality like secure boot.
$GRUB_MKCONFIG -o $GRUB_CFG

# If we are using BLS, for debugging purposes dump out the kernel
if [[ -e /boot/loader/entries ]]; then
    grubby --info=ALL
fi

# Remove the fix to disable os_prober
if [ -n "$PROBER_DISABLED" ]; then
    sed -i '$d' /etc/default/grub
fi

# Fix efi specific instructions in grub config file
if [ -d /sys/firmware/efi ]; then
    sed -i 's%\(initrd\|linux\)efi /boot%\1 /boot%g' $GRUB_CFG
fi

# when using efi, and having linux16/initrd16, it needs to be replaced
# by linuxefi/initrdefi. When building images on a non-efi system,
# the 16 suffix is added to linux/initrd entries, but we need it to be
# linuxefi/initrdefi for the image to boot under efi
if [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then
    sed -i 's%\(linux\|initrd\)16 /boot%\1efi /boot%g' $GRUB_CFG
fi

# Finally copy the grub.cfg and grubenv to the EFI specific dir
# to support functionality like secure boot. We make a copy because
# /boot and /boot/efi may be different partitions and uefi looks
# for a specific partition UUID preventing symlinks from working.
if [ -n "${EFI_BOOT_DIR:-}" ] && [ -d /boot/efi/$EFI_BOOT_DIR ] ; then
    cp $GRUB_CFG /boot/efi/$EFI_BOOT_DIR/grub.cfg
    if [ -a $GRUBENV ]; then
        cp $GRUBENV /boot/efi/$EFI_BOOT_DIR/grubenv
    fi
fi

# Ensure paths in BLS entries account for /boot being a partition or part of the
# root partition and perform any required entry removal.
if [[ -e /boot/loader/entries ]]; then
    pushd /boot/loader/entries
    set +e
    mountpoint /boot
    bootmount=$?

    for entry in *; do
        if [[ $bootmount -eq 0 ]]; then
            sed -i "s| /boot/vmlinuz| /vmlinuz|" $entry
            sed -i "s| /boot/initramfs| /initramfs|" $entry
        else
            sed -i "s| /vmlinuz| /boot/vmlinuz|" $entry
            sed -i "s| /initramfs| /boot/initramfs|" $entry
        fi
    done
    set -e
    popd

    # Since we are already aware we're using BLS, we can go ahead and
    # do any cleanup to disable embedded serial console settings if they
    # already exist.
    if [[ "True" != "${DIB_BOOTLOADER_USE_SERIAL_CONSOLE:-True}" ]] && [[ "${VIRTUAL_TERMINAL}" == "" ]]; then
        # NOTE(TheJulia): This removes any console arguments and allows grub
        # to use it's default. It will also remove any embedded consoles in
        # source images, which may be highly desirable if your running
        # interrupt sensitive workloads, such as NFV workloads.
        grubby --update-kernel ALL --remove-args=console
    fi
    # Print resulting grubby output for debug purposes
    grubby --info=ALL
fi

if [[ ! "$ARCH" =~ "ppc" ]] && [[ -z  "${DIB_BLOCK_DEVICE}" ]]; then
    echo "WARNING: No bootloader installation will occur."
    echo "To install a bootloader ensure you have included a block-device-* element"
    exit 0
fi

echo "Installing GRUB2..."

# We need --force so grub does not fail due to being installed on the
# root partition of a block device.
GRUB_OPTS="--force "

if [[ "$ARCH" =~ "ppc" ]] ; then
    # For PPC (64-Bit regardless of Endian-ness), we use the "boot"
    # partition as the one to point grub-install to, not the loopback
    # device.  ppc has a dedicated PReP boot partition.
    # For grub2 < 2.02~beta3 this needs to be a /dev/mapper/... node after
    # that a dev/loopXpN node will work fine.
    $GRUBNAME --modules="part_msdos" $GRUB_OPTS ${DEVICES[boot]} --no-nvram
else
    # This set of modules is sufficient for all installs (mbr/gpt/efi)
    modules="part_msdos part_gpt lvm"

    if [[ ${DIB_BLOCK_DEVICE} == "mbr" || ${DIB_BLOCK_DEVICE} == "gpt" ]]; then
        if [[ ! "x86_64 amd64" =~ ${ARCH} ]]; then
            echo "*** ${ARCH} is not supported by mbr/gpt"
        fi
        $GRUBNAME --modules="$modules biosdisk" --target=i386-pc \
                $GRUB_OPTS $BOOT_DEV
    elif [[ ${DIB_BLOCK_DEVICE} == "efi" ]]; then
        # We need to manually set the target if it's different to
        # the host.  Setup for EFI
        case $ARCH in
            "x86_64"|"amd64")
                # This call installs grub for BIOS compatability
                # which makes portable EFI/BIOS images.
                $GRUBNAME --modules="$modules" --target=i386-pc $BOOT_DEV
                # Append the x86_64 specific efi target for the generic
                # installation below.
                GRUB_OPTS="${GRUB_OPTS} --target=x86_64-efi"
                ;;
            # At this point, we don't need to override the target
            # for any other architectures.
        esac
        # If we don't have a distro specific dir with presigned efi targets
        # we install a generic one.
        if [ ! -d /boot/efi/$EFI_BOOT_DIR ]; then
            echo "WARNING: /boot/efi/$EFI_BOOT_DIR does not exist, UEFI secure boot not supported"
            # This tells the EFI install to put the EFI binaries into
            # the generic /BOOT directory and avoids trying to update
            # nvram settings.
            extra_options="--removable"
            $GRUBNAME --modules="$modules" $extra_options $GRUB_OPTS $BOOT_DEV
        fi
    fi
fi