Rework grub2 default static config

[champtar]

Rework grub2 default static config

• Add support for GRUB2_PASSWORD in user.cfg (partially fix https://issues.redhat.com/browse/RHEL-78299)
• include dropins instead of sourcing them, this should help updating config in the future
• add multiple small dropins to match classic grub2 installs

[openshift-ci]

Hi @champtar. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[champtar]

Can someone with CI / FCOS knowledge chime in ? I think 10_blscfg and other configs.d are not copied in the continuous-integration/jenkins/pr-merge test, is this expected ? ie does FCOS overwrite the full folder, or we are just testing the binary and not the full rpm ?
c9s CI works ok / I can see the new files being used.

[champtar]

@cgwalters any opinions on this PR ?

[champtar]

Anyone ?

[champtar]

@HuijingHei maybe ?

[cgwalters]

So sorry for the delay on review here! I really value your contributions overall. You've chosen to work on some thorny problems, which is good but for this particular code we're highly subject to regressions.

Overall though, I see no issues in this so far, and probably what we need to do is just try to land it and maybe put it in Rawhide and soak for a bit.

Actually after landing here in git main it will appear in the bootc base-images-dev and we have CI coverage of that.

[cgwalters]

/ok-to-test

[cgwalters]

That all said it does look quite likely related that the upgrade test failed here https://jenkins-coreos-ci.apps.ocp.fedoraproject.org/job/bootupd/job/PR-841/6/artifact/tmp/console.txt

[champtar]

That all said it does look quite likely related that the upgrade test failed here https://jenkins-coreos-ci.apps.ocp.fedoraproject.org/job/bootupd/job/PR-841/6/artifact/tmp/console.txt

See my previous comment #841 (comment), I bet the failing test only copy the new binary and not the new configs.d

[champtar]

My ci fix is ignored, should I move it to another PR that we merge first, then rebase on top ?

[cgwalters]

My ci fix is ignored, should I move it to another PR that we merge first, then rebase on top ?

ci: also install grub config and systemd unit looks correct to me and would indeed make sense to aim to land as a distinct PR.

[champtar]

#879 need to be merged first then I can rebase on top

[HuijingHei]

Need to fix CI first.

[champtar]

Need to fix CI first.

In console.txt boot seems ok (https://jenkins-coreos-ci.apps.ocp.fedoraproject.org/job/bootupd/job/PR-841/8/artifact/tmp/console.txt), but kola qemuexec timeout (https://jenkins-coreos-ci.apps.ocp.fedoraproject.org/blue/rest/organizations/jenkins/pipelines/bootupd/branches/PR-841/runs/8/log/?start=0)
comparing with a sucessfull boot, ignition.firstboot kargs is missing, but ignition.platform.id=qemu is present

[champtar]

Ok I'm actually breaking ignition because 40_coreos-ignition.cfg is now after blscfg

[2025-03-17T02:47:25.147Z] Added 01_grub2_password.cfg
[2025-03-17T02:47:25.147Z] Added 10_blscfg.cfg
[2025-03-17T02:47:25.147Z] Added 14_menu_show_once.cfg
[2025-03-17T02:47:25.147Z] Added 30_uefi-firmware.cfg
[2025-03-17T02:47:25.147Z] Added 40_coreos-ignition.cfg
[2025-03-17T02:47:25.147Z] Added 41_custom.cfg
[2025-03-17T02:47:25.147Z] Added 70_coreos-user.cfg

[champtar]

Reordered the files a bit to see if it fixes, if yes I'll need to change ignition.cfg to 40_ignition.cfg
BTW 70_coreos-user.cfg is not needed for a long time I think

[champtar]

Jenkins seems to be broken right now

[champtar]

Opened a PR to remove 70_coreos-user.cfg as it duplicates 01_grub2_password.cfg: coreos/fedora-coreos-config#3399

[champtar]

And another PR for ignition: coreos/ignition#2037

[champtar]

CI is green now BTW

[champtar]

Anyone aware of a repo with another copy of ignition.cfg ? (Something similar to fedora-coreos-config)
Should we just stop if file doesn't start with a number to make it easier to debug ? Or just add a warning ?

[champtar]

Found https://github.com/openshift/os/blob/master/overlay.d/40grub but it just uses fedora-coreos-config

[HuijingHei]

Anyone aware of a repo with another copy of ignition.cfg ? (Something similar to fedora-coreos-config) Should we just stop if file doesn't start with a number to make it easier to debug ? Or just add a warning ?

I am OK with a warning and skip, but after Rename ignition.cfg -> 40_ignition.cfg, will it be duplicated with 40_coreos-ignition.cfg and have 2 same part in the new grub.cfg?

[champtar]

Anyone aware of a repo with another copy of ignition.cfg ? (Something similar to fedora-coreos-config) Should we just stop if file doesn't start with a number to make it easier to debug ? Or just add a warning ?

I am OK with a warning and skip, but after Rename ignition.cfg -> 40_ignition.cfg, will it be duplicated with 40_coreos-ignition.cfg and have 2 same part in the new grub.cfg?

ignition.cfg right now is in a separate rpm named ignition-ignition-grub, but yes we should use this package in coreos (once fixed) and remove 40_coreos-ignition.cfg

[champtar]

I am OK with a warning and skip

That would also require to fix greenboot if we skip

[cgwalters]

/ok-to-test

[champtar]

PR for greenboot: fedora-iot/greenboot#214

[champtar]

On a legacy grub install we have:

• 00_header (load_env / ...)
• 01_users (user.cfg / GRUB2_PASSWORD)
• 08_fallback_counting
• 10_linux (blscfg ++)
• 10_reset_boot_success (goes with 08_fallback_counting)
• 12_menu_auto_hide (goes with 08_fallback_counting)
• 14_menu_show_once
• 20_linux_xen
• 20_ppc_terminfo
• 30_os-prober
• 30_uefi-firmware (must be after blscfg as we want to firmware menu to be last)
• 35_fwupd (no equivalent)
• 40_custom
• 41_custom (source custom.cfg)

Before this PR we have

• grub-static-pre.cfg (bootuuid.cfg / load_env / console.cfg / menuentry_id_option / all_video)
• 40_coreos-ignition.cfg
• greenboot.cfg
• grub-static-post.cfg (timeout / user.cfg / blscfg)

After all the PRs we should have:

• grub-static-pre.cfg (bootuuid.cfg / load_env / console.cfg / menuentry_id_option / all_video) + timeout
• 01_grub2_password.cfg (user.cfg / GRUB2_PASSWORD)
• 08_greenboot.cfg (== 08_fallback_counting + 10_reset_boot_success)
• 40_coreos-ignition.cfg or 40_ignition.cfg
• 50_blscfg.cfg (blscfg / == 10_linux)
• 60_menu_show_once.cfg (== 14_menu_show_once)
• 70_uefi-firmware.cfg (== 30_uefi-firmware)
• 80_custom.cfg (== 41_custom)

So the ordering related to blscfg is preserved (can break ignition and uefi-firmware), user.cfg + timeout are way sooner but this match legacy grub install

How do we want to go forward with this PR ?

[champtar]

As no one is using ignition-ignition-grub (coreos/ignition#2037 (comment)), should we just rename to 05_ignition.cfg and same in fedora-coreos-config, so we can keep the numbering the same as in legacy grub ?

[champtar]

I went ahead and opened a PR to rename to 05_ignition.cfg: coreos/fedora-coreos-config#3406

[champtar]

(draft until coreos/fedora-coreos-config#3406 lands)

[dustymabe]

google is failing me a bit. Is there a short description somewhere on the internet of what menu_show_once_timeout does?

[champtar]

with some integration in the OS:

• /usr/lib/systemd/system/reboot.target.wants/grub2-systemd-integration.service
• /usr/libexec/grub2/systemd-integration.sh

or manually using grub2-editenv

it allow for a longer timeout before you boot to the default option
When using OOBM like iLO / iDRAC virtual console 1s can be way too short

[dustymabe]

Adding a comment here in the file I think would be useful:

Setting a `menu_show_once_timeout` value in grub env vars will show
the menu for a longer timeout on just one boot to allow for extra
time to interactively stop boot and interface with GRUB directly.

[dustymabe]

Actually the comment in the legacy version of this should suffice:

# Force the menu to be shown once, with a timeout of ${menu_show_once_timeout}
# if requested by ${menu_show_once_timeout} being set in the env.

[dustymabe]

As no one is using ignition-ignition-grub (coreos/ignition#2037 (comment)), should we just rename to 05_ignition.cfg and same in fedora-coreos-config, so we can keep the numbering the same as in legacy grub ?

let's assume the rename to 05_ignition.cfg lands.. what will the new order (like what you detailed in #841 (comment)) look like?

[champtar]

As no one is using ignition-ignition-grub (coreos/ignition#2037 (comment)), should we just rename to 05_ignition.cfg and same in fedora-coreos-config, so we can keep the numbering the same as in legacy grub ?

let's assume the rename to 05_ignition.cfg lands.. what will the new order (like what you detailed in #841 (comment)) look like?

@dustymabe I would remove the last commit, so that would be:

• grub-static-pre.cfg (bootuuid.cfg / load_env / console.cfg / menuentry_id_option / all_video) + timeout
• 01_grub2_password.cfg (user.cfg / GRUB2_PASSWORD)
• 05_ignition.cfg
• 08_greenboot.cfg (== 08_fallback_counting + 10_reset_boot_success)
• 10_blscfg.cfg (blscfg / == 10_linux)
• 14_menu_show_once.cfg (== 14_menu_show_once)
• 30_uefi-firmware.cfg (== 30_uefi-firmware)
• 41_custom.cfg (== 41_custom)

[dustymabe]

at the top of each of the files should we mention the legacy version of GRUB config they correspond to?

[champtar]

Now waiting for coreos/fedora-coreos-config#3407