From 52c28861416a7bc995849eccf864136d3ed7d94d Mon Sep 17 00:00:00 2001
From: Pierre Riteau
Date: Thu, 24 Oct 2024 10:51:40 +0200
Subject: [PATCH 1/2] INFRA-804: document GRUB boot issue on RL9
---
 doc/source/operations/upgrading-openstack.rst | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst
index 0708f655f2..049d482f55 100644
--- a/doc/source/operations/upgrading-openstack.rst
+++ b/doc/source/operations/upgrading-openstack.rst
@@ -130,6 +130,12 @@ Known issues
 around this in custom config, see the SMS PR for an example: https://github.com/stackhpc/smslab-kayobe-config/pull/354
+* Due to a `security-related change in the GRUB package on Rocky Linux 9
+ `__, the operating
+ system can become unbootable (boot will stop at a ``grub>`` prompt). Remove
+ the ``--root-dev-only`` option from ``/boot/efi/EFI/rocky/grub.cfg`` after
+ applying package updates.
+
 Security baseline
 =================
From eaefad7e6724d2eca4aee003aec98a8bcdc90278 Mon Sep 17 00:00:00 2001
From: technowhizz <7688823+technowhizz@users.noreply.github.com>
Date: Fri, 25 Oct 2024 18:27:17 +0100
Subject: [PATCH 2/2] Add hook to automate removal of --root-dev-only
---
 doc/source/operations/upgrading-openstack.rst | 12 +++++++++++-
 etc/kayobe/ansible/fix-grub-rl9.yml | 15 +++++++++++++++
 .../post.d/10-fix-grub-rl9.yml | 1 +
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 etc/kayobe/ansible/fix-grub-rl9.yml
 create mode 120000 etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml
diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst
index 049d482f55..deaaccb94c 100644
--- a/doc/source/operations/upgrading-openstack.rst
+++ b/doc/source/operations/upgrading-openstack.rst
@@ -134,7 +134,8 @@ Known issues
 `__, the operating
 system can become unbootable (boot will stop at a ``grub>`` prompt). Remove
 the ``--root-dev-only`` option from ``/boot/efi/EFI/rocky/grub.cfg`` after
- applying package updates.
+ applying package updates. This will happen automatically as a post hook when
+ running the ``kayobe overcloud host package update`` command.
 Security baseline
 =================
@@ -869,6 +870,15 @@ To update all eligible packages, use ``*``, escaping if necessary:
 kayobe overcloud host package update --packages "*" --limit
+.. note::
+
+ Due to a `security-related change in the GRUB package on Rocky Linux 9
+ `__, the operating
+ system can become unbootable (boot will stop at a ``grub>`` prompt). Remove
+ the ``--root-dev-only`` option from ``/boot/efi/EFI/rocky/grub.cfg`` after
+ applying package updates. This will happen automatically as a post hook when
+ running the ``kayobe overcloud host package update`` command.
+
 If the kernel has been upgraded, reboot the host or batch of hosts to pick up the change:
diff --git a/etc/kayobe/ansible/fix-grub-rl9.yml b/etc/kayobe/ansible/fix-grub-rl9.yml
new file mode 100644
index 0000000000..c81402fe6a
--- /dev/null
+++ b/etc/kayobe/ansible/fix-grub-rl9.yml
@@ -0,0 +1,15 @@
+---
+- name: Remove "--root-dev-only" from grub.cfg if OS is Rocky Linux 9
+ hosts: overcloud
+ become: yes
+ gather_facts: true
+
+ tasks:
+ - name: Remove "--root-dev-only" from /boot/efi/EFI/rocky/grub.cfg
+ ansible.builtin.replace:
+ path: /boot/efi/EFI/rocky/grub.cfg
+ regexp: '--root-dev-only\s?'
+ replace: ''
+ when:
+ - ansible_facts['distribution'] == 'Rocky'
+ - ansible_facts['distribution_major_version'] == '9'
diff --git a/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml b/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml
new file mode 120000
index 0000000000..775762abf2
--- /dev/null
+++ b/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml
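Review bot: The `ansible.builtin.replace` task in etc/kayobe/ansible/fix-grub-rl9.yml edits `/boot/efi/EFI/rocky/grub.cfg` without first checking that the file exists, and the replace module fails on a missing path, so a Rocky Linux 9 overcloud host without that file (one not booted via UEFI, if any exist in a deployment) would fail the post hook. A preceding `ansible.builtin.stat` plus a third `when` condition avoids that, as sketched below. Separately, the documentation added in this patch calls `--root-dev-only` a security-related GRUB change, yet the playbook strips it on every package update with no comment recording the trade-off; a comment above the play such as `# Reverts a security-related GRUB change so hosts stay bootable; revisit once the packaging issue is resolved.` would leave a trace for whoever audits the boot configuration later. As a style point, `become: yes` would read better as `become: true`, matching `gather_facts: true`.

```yaml
    # … unchanged: play header and `tasks:` …
    - name: Check whether /boot/efi/EFI/rocky/grub.cfg exists
      ansible.builtin.stat:
        path: /boot/efi/EFI/rocky/grub.cfg
      register: grub_efi_cfg

    - name: Remove "--root-dev-only" from /boot/efi/EFI/rocky/grub.cfg
      # … unchanged: ansible.builtin.replace arguments …
      when:
        # … unchanged: the two Rocky Linux 9 conditions …
        - grub_efi_cfg.stat.exists
```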
@@ -0,0 +1 @@
+../../../ansible/fix-grub-rl9.yml
\ No newline at end of file