Bug 1672498 - Change permissions for grub2/shim.efi
Summary: Change permissions for grub2/shim.efi
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Packaging
Version: 6.5.0
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: 6.5.0
Assignee: Jitendra Yejare
QA Contact: Jitendra Yejare
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-02-05 07:27 UTC by Jitendra Yejare
Modified: 2019-11-05 22:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-14 12:40:00 UTC
Target Upstream Version:
Embargoed:


Attachments
PXE UEFI Discovery Failed (111.24 KB, image/png)
2019-02-05 07:27 UTC, Jitendra Yejare
[Verified Screenshot] Discovery_Boot_grub2 (118.60 KB, image/png)
2019-03-26 15:28 UTC, Jitendra Yejare


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1222 0 None None None 2019-05-14 12:40:11 UTC

Description Jitendra Yejare 2019-02-05 07:27:10 UTC
Created attachment 1527032 [details]
PXE UEFI Discovery Failed

Description of problem:
The UEFI host was unable to boot grub2/shim.efi (it was saying the efi is of size 0 bytes). On digging more, I came to know that shim.efi doesn't have any permissions for group and others. It has rwx permissions for the owner only. Also, both owner and group were set to root for shim.efi. I set 755 permissions on shim.efi and set the owner to foreman-proxy, and then the UEFI host was PXE booted successfully.

Version-Release number of selected component (if applicable):
Satellite 6.5 snap 13

How reproducible:


Steps to Reproduce:
1. Setup Discovery on Satellite server (setup DHCP, TFTP and DNS on sat server only).
2. Build the pxe grub2 default template for UEFI discovery.
3. PXE Boot the UEFI firmware bare metal system to be discovered by satellite.

Actual results:
Discovery failed, with the system showing that shim.efi is 0 bytes, and hence the error: PXE-E23: Client received TFTP error from server. [screenshot attached]

Expected results:
The UEFI system should be pxe booted and discovered successfully using shim.efi


Additional info:
Setting correct permissions to shim.efi and retrying discovery works as stated in description.
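
A check for the condition described in this report, as an added example that is not part of the original bug report or of Satellite: it flags `.efi` files in a TFTP directory that "other" cannot read, or that group or other can write. It assumes the TFTP daemon reads files as an unprivileged user and that GNU `stat` is available; the function name `audit_tftp_efi` is hypothetical.

```shell
#!/bin/sh
# Added example: audit the mode bits of bootloader files served over TFTP.
# Usage: audit_tftp_efi [DIR]
# DIR defaults to the directory named in this bug report.
# Prints one line per finding and returns 1 if anything was found.
audit_tftp_efi() {
    dir=${1:-/var/lib/tftpboot/grub2}
    rc=0
    for f in "$dir"/*.efi; do
        # An unmatched glob stays literal; skip it.
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")          # GNU stat, octal mode such as 644
        other=$((mode % 10))               # permission digit for "other"
        group=$(((mode / 10) % 10))        # permission digit for "group"
        # No read bit for "other": an unprivileged TFTP daemon cannot serve
        # the file, and the PXE client sees a TFTP error (PXE-E23).
        if [ $((other & 4)) -eq 0 ]; then
            echo "UNREADABLE $mode $f"
            rc=1
        fi
        # Write bit for group or other: a non-owner account could replace
        # a bootloader that clients fetch over the network.
        if [ $(((group | other) & 2)) -ne 0 ]; then
            echo "WRITABLE $mode $f"
            rc=1
        fi
    done
    return $rc
}

# Example invocation on a Satellite or Capsule host:
#   audit_tftp_efi /var/lib/tftpboot/grub2
```
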

Comment 5 Lukas Zapletal 2019-02-06 14:00:28 UTC
Changing the component to packaging actually. The file is under puppet control but puppet does not manage permissions. I initially flipped the BZ to installer team because shim.efi is being deployed by puppet: https://bugzilla.redhat.com/show_bug.cgi?id=1672498 but today I realized that puppet does not manage permissions of the file. Downstream we do have a package foreman-bootloaders-redhat and script called foreman-generate-bootloaders that does execute upon RPM install. So we need a slight change in foreman-generate-bootloaders script.

REL-ENG: Please modify the foreman-generate-bootloaders script in dist-git foreman-bootloaders-redhat and modify as follows:

diff --git a/foreman-generate-bootloaders b/foreman-generate-bootloaders
index d994ef6..f20e8a1 100755
--- a/foreman-generate-bootloaders
+++ b/foreman-generate-bootloaders
@@ -50,3 +50,5 @@ fi
 check_pkg shim-ia32
 check_pkg shim-x64
 cp -f /boot/efi/EFI/*/shim*.efi /var/lib/tftpboot/grub2
+chmod 644 /var/lib/tftpboot/grub2/*.efi
+chown root:root /var/lib/tftpboot/grub2/*.efi
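Review bot: The two added lines glob `/var/lib/tftpboot/grub2/*.efi`, which is wider than the `shim*.efi` files the preceding `cp -f` copies, so every other .efi file already in that directory gets its mode and owner reset too; if that is intended, a comment in the script should say so, otherwise narrow the glob to `shim*.efi`. The copy and the permission fix are also separate steps, so the files exist briefly in the TFTP directory with whatever mode cp produced; a single `install -m 0644 -o root -g root /boot/efi/EFI/*/shim*.efi /var/lib/tftpboot/grub2` would copy and set mode and ownership in one step.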

Comment 6 Jitendra Yejare 2019-03-26 15:28:30 UTC
Created attachment 1548122 [details]
[Verified Screenshot] Discovery_Boot_grub2

Verified!

@ Satellite 6.5 snap 21


Steps:
--------

Steps to Reproduce:
1. Setup Discovery on Satellite server (setup DHCP, TFTP and DNS on sat server only).
2. Build the pxe grub2 default template for UEFI discovery.
3. PXE Boot the UEFI firmware bare metal system to be discovered by satellite.


Observation:

The UEFI system pxe booted successfully with shim.efi file from satellite.

Screenshot is attached.

Comment 9 errata-xmlrpc 2019-05-14 12:40:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:1222

