Bug 1672498 - Change permissions for grub2/shim.efi
Summary: Change permissions for grub2/shim.efi
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Packaging
Version: 6.5.0
Hardware: Unspecified
OS: Unspecified
low
medium vote
Target Milestone: Released
Assignee: Jitendra Yejare
QA Contact: Jitendra Yejare
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-02-05 07:27 UTC by Jitendra Yejare
Modified: 2019-10-07 17:17 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-14 12:40:00 UTC


Attachments
PXE UEFI Discovery Failed (111.24 KB, image/png)
2019-02-05 07:27 UTC, Jitendra Yejare
[Verified Screenshot] Discovery_Boot_grub2 (118.60 KB, image/png)
2019-03-26 15:28 UTC, Jitendra Yejare


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1222 None None None 2019-05-14 12:40:11 UTC

Description Jitendra Yejare 2019-02-05 07:27:10 UTC
Created attachment 1527032 [details]
PXE UEFI Discovery Failed

Description of problem:
The UEFI host was unable to boot grub2/shim.efi (it was saying the EFI file is of size 0 bytes). On digging more, I came to know that shim.efi doesn't have any permissions for group and others. It has rwx permissions for the owner only. Also, both owner and group were set to root for shim.efi. I set 755 permissions on shim.efi and set the owner to foreman-proxy, and then the UEFI host was PXE booted successfully.

Version-Release number of selected component (if applicable):
Satellite 6.5 snap 13

How reproducible:


Steps to Reproduce:
1. Setup Discovery on Satellite server (setup DHCP, TFTP and DNS on sat server only).
2. Build the pxe grub2 default template for UEFI discovery.
3. PXE Boot the UEFI firmware bare metal system to be discovered by satellite.

Actual results:
Discovery failed, with the system showing that shim.efi is 0 bytes, and hence the error: PXE-E23: Client received TFTP error from server. [screenshot attached]

Expected results:
The UEFI system should be pxe booted and discovered successfully using shim.efi


Additional info:
Setting correct permissions to shim.efi and retrying discovery works as stated in description.

Comment 5 Lukas Zapletal 2019-02-06 14:00:28 UTC
Changing the component to packaging actually. The file is under puppet control but puppet does not manage permissions. I initially flipped the BZ to installer team because shim.efi is being deployed by puppet: https://bugzilla.redhat.com/show_bug.cgi?id=1672498 but today I realized that puppet does not manage permissions of the file. Downstream we do have a package foreman-bootloaders-redhat and script called foreman-generate-bootloaders that does execute upon RPM install. So we need a slight change in foreman-generate-bootloaders script.

REL-ENG: Please modify the foreman-generate-bootloaders script in dist-git foreman-bootloaders-redhat and modify as follows:

diff --git a/foreman-generate-bootloaders b/foreman-generate-bootloaders
index d994ef6..f20e8a1 100755
--- a/foreman-generate-bootloaders
+++ b/foreman-generate-bootloaders
@@ -50,3 +50,5 @@ fi
 check_pkg shim-ia32
 check_pkg shim-x64
 cp -f /boot/efi/EFI/*/shim*.efi /var/lib/tftpboot/grub2
+chmod 644 /var/lib/tftpboot/grub2/*.efi
+chown root:root /var/lib/tftpboot/grub2/*.efi
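
Review bot: The two added lines glob `*.efi` across all of /var/lib/tftpboot/grub2, while the `cp -f` context line just above them copies only `shim*.efi`, so any other EFI binary already in that directory also has its mode and owner rewritten on every run. If that is intended, a comment saying that all served bootloaders are meant to be 644 root:root would help; otherwise narrow both globs to `shim*.efi`. It is also worth considering a single `install -m 644 -o root -g root` in place of the cp/chmod/chown sequence, so the file never exists in the TFTP root with the mode it happened to have under /boot/efi.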

Comment 6 Jitendra Yejare 2019-03-26 15:28:30 UTC
Created attachment 1548122 [details]
[Verified Screenshot] Discovery_Boot_grub2

Verified!

@ Satellite 6.5 snap 21


Steps:
--------

Steps to Reproduce:
1. Setup Discovery on Satellite server (setup DHCP, TFTP and DNS on sat server only).
2. Build the pxe grub2 default template for UEFI discovery.
3. PXE Boot the UEFI firmware bare metal system to be discovered by satellite.


Observation:

The UEFI system pxe booted successfully with shim.efi file from satellite.

Screenshot is attached.
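
The file state the fix in Comment 5 sets (mode 644, root:root) can be checked with a script like the following. It is an added example, not part of the bug report or of foreman-generate-bootloaders; the function name `audit_efi_perms` and its arguments are hypothetical, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the bug report): audit TFTP-served EFI binaries
# against the state the fix sets: mode 644, owner root:root.
# Assumes GNU stat (-c), as shipped on RHEL.

# audit_efi_perms DIR [OWNER] [GROUP]
# Prints one line per finding. Returns 0 if clean, 1 on any finding,
# 2 if DIR contains no .efi files at all.
audit_efi_perms() {
    dir=$1
    want="${2:-root}:${3:-root}"
    bad=0
    seen=0
    for f in "$dir"/*.efi; do
        [ -e "$f" ] || continue            # unmatched glob stays literal
        seen=1
        mode=$(stat -c '%a' "$f")          # octal, e.g. 644
        owner=$(stat -c '%U:%G' "$f")
        # Symptom in the report: owner-only mode, client saw a 0-byte file.
        if [ $(( 0$mode & 0004 )) -eq 0 ]; then
            echo "$f: mode $mode is not readable by others"
            bad=1
        fi
        # A bootloader handed to every PXE client should be writable
        # by its owner only.
        if [ $(( 0$mode & 0022 )) -ne 0 ]; then
            echo "$f: mode $mode is writable by group or others"
            bad=1
        fi
        if [ "$owner" != "$want" ]; then
            echo "$f: owner is $owner, expected $want"
            bad=1
        fi
        if [ ! -s "$f" ]; then
            echo "$f: file is empty"
            bad=1
        fi
    done
    [ "$seen" -eq 1 ] || { echo "$dir: no .efi files found"; return 2; }
    return "$bad"
}
```

On the Satellite host this would be called as `audit_efi_perms /var/lib/tftpboot/grub2`; a non-zero return means at least one served bootloader deviates from 644 root:root.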

Comment 9 errata-xmlrpc 2019-05-14 12:40:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222

