Re: grub2 password and docs
On Fri, Dec 18, 2015 at 2:01 PM, Eric Griffithwrote: > Grub2-mkconfig works fine on F23. Maybe not for complex operations but for > general modifications to /etc/default/grub it creates a perfectly working > grub.cfg The default menu entries for other OS's is definitely suboptimal. OS X and Windows+Secure Boot entries don't work. [1] And other Linux OS installations get generic menu entries rather than pointing to the distro specific grub.cfg instance using the GRUB 'configfile' command. There are many different implementations of GRUB2 by the distros, including grub.cfg location, what and where the 1st stage bootloader (jump code) goes. And Fedora atomic builds manage all the bootloader stuff internally, leveraging some of grub2-mkconfig but not all of it. So that's a 3rd variation for producing a grub.cfg, on a single distro. If you care about understanding how systems boot, in particular to know how to fix booting when it breaks, good luck with that. It's a lot of work. Most search results will be polluted with the misleading irrelevancies of how other distros do things. [1] Automatic MacOSX grub entries are broken (and weird) https://bugzilla.redhat.com/show_bug.cgi?id=893179 SecureBoot enabled causes Win 8 UEFI to not start from grub https://bugzilla.redhat.com/show_bug.cgi?id=1170245 -- Chris Murphy -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
On Fri, Dec 18, 2015 at 3:07 PM, Andrew Lutomirskiwrote: > On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffith wrote: >> Grub2-mkconfig works fine on F23. Maybe not for complex operations but for >> general modifications to /etc/default/grub it creates a perfectly working >> grub.cfg > > Sure, but do we support grub2-mkconfig? Yes it's supported, it's used by the installer to get a base grub.cfg to work with; and then shortly thereafter grubby comes by and makes modifications after each initramfs is created. While grub-mkconfig is not used automatically thereafter, it's still supported in that any bugs found which adversely affect install time grub.cfg creation must be fixed. > If yes, why don't we use it for real. If no, then users are asking > for trouble by using upstream-supported tools. We do use it for real, but switching from grubby to grub-mkconfig is just rearranging the deck chairs. It doesn't actually make anything more reliable, or more understandable. Try stracing grub2-mkconfig and all of its children (use -ff and -o) and be prepared to be awed by the result. -- Chris Murphy -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
On Fri, Dec 18, 2015 at 3:38 PM, Andrew Lutomirskiwrote: > I agree. I think Fedora should use Grub the way that the Grub > developers thing Grub should be used, and that is to use > grub2-mkconfig to propagate configuration (/etc/grub.d, etc) and > kernel changes into the grub config. Probably not. GRUB upstream is a general grocery store. It isn't a restaurant. They're just offering raw ingredients for distro installer developers to build something that doesn't require starting completely from scratch. It's not really meant for distro end user support, it isn't that friendly, and the documentation is fairly limited to the code and the mailing list. Upstream might represent 80% agreement among distros? And even some things most distros agree on, like UEFI Secure Boot support, still aren't upstream and may never be. Bootloaderspec file format support is in that same category, meanwhile grub can read any version of its own configuration file format including legacy, and iso/sys/extlinux formats. About the best opportunity to fix things is with atomic builds, which don't use grubby, but do use bootloaderspec drop-in snippets. If/when atomic builds get more traction, it's plausible conventional installations will move to align with the way atomic builds boot. That might mean fixing blscfg.mod in Fedora's GRUB to directly consume bootloaderspec scripts, rather than the current way of doing it by integrating them into grub.cfg using a combination of ostree and grub2-mkconfig. Or maybe it means a more complex grub.cfg to find bls scripts, and a bls format change to use one of the formats grub already understands. In any case, one bls script per "other" OS, for chainloading a native bootloader, or using one of the configfile forwarding commands to point to an OS specific grub.cfg, grub.conf, or ext/syslinux.conf file permits support for non-bls supporting OS's. Right now, BLS completely punts on "other" OS's and that's not really workable for the workstation product (which is funny seeing as it really doesn't work all that well right now anyway). -- Chris Murphy -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
grub2 password and docs
https://fedoraproject.org/wiki/GRUB_2#Setting_a_password_for_interactive_edit_mode _ If you wish to password-protect GRUB2's interactive edit mode but you do not want to require users to enter a password to do a plain, simple, ordinary boot, create /etc/grub.d/01_users with the following lines: cat << EOF set superusers="root" export superusers password root secret EOF _ and then you find such a file there pointing to some "user.cfg" where nobody knows what \${prefix} is and how that is supposed to work - honestly the whole grub2 config stuff is cryptical crap while "More details can be found at Ubuntu Help: GRUB2 Passwords" even makes it more confusing [root@testserver:~]$ cat /etc/grub.d/01_users #!/bin/sh -e cat << EOF if [ -f \${prefix}/user.cfg ]; then source \${prefix}/user.cfg if [ -n "\${GRUB2_PASSWORD}" ]; then set superusers="root" export superusers password_pbkdf2 root \${GRUB2_PASSWORD} fi fi EOF signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
besides that the wiki is completly outdated "grub2-setpassword" only works on english machines https://bugzilla.redhat.com/show_bug.cgi?id=1292830 if /etc/grub.d/01_users would containa comment that "/boot/grub2/user.cfg" (who knows prefix just staring at the source of that file) just needs the hash output of "grub2-mkpasswd-pbkdf2" in the variable "GRUB2_PASSWORD" it would be so more helpful [root@testserver:/etc/grub.d]$ grub2-setpassword Enter password: Confirm password: [root@testserver:/etc/grub.d]$ locate user.cfg /boot/grub2/user.cfg [root@testserver:/etc/grub.d]$ cat /boot/grub2/user.cfg GRUB2_PASSWORD=Passwort eingeben: Passwort erneut eingeben: PBKDF2-Prüfsumme Ihres Passworts ist grub.pbkdf2.sha512.1.094C7CFED3F6F9D9854C821E48C6D2909C720B806BF69303D5782EA31790AF2ACD89ED73DA4A53C1B94D7E37EC240AAEEA85E779E1C88DE0ECA899747479F130.C7CEB0D35AF519B3C616871AF2BE9C02B151EBFA57162192DF45DA39FF80F871E1D1D87FCFD7C33016412BA835AEA8FECCFA44431C8EA0B43150F62FE5BBB0EE Am 18.12.2015 um 13:16 schrieb Reindl Harald: https://fedoraproject.org/wiki/GRUB_2#Setting_a_password_for_interactive_edit_mode _ If you wish to password-protect GRUB2's interactive edit mode but you do not want to require users to enter a password to do a plain, simple, ordinary boot, create /etc/grub.d/01_users with the following lines: cat << EOF set superusers="root" export superusers password root secret EOF _ and then you find such a file there pointing to some "user.cfg" where nobody knows what \${prefix} is and how that is supposed to work - honestly the whole grub2 config stuff is cryptical crap while "More details can be found at Ubuntu Help: GRUB2 Passwords" even makes it more confusing [root@testserver:~]$ cat /etc/grub.d/01_users #!/bin/sh -e cat << EOF if [ -f \${prefix}/user.cfg ]; then source \${prefix}/user.cfg if [ -n "\${GRUB2_PASSWORD}" ]; then set superusers="root" export superusers password_pbkdf2 root \${GRUB2_PASSWORD} fi fi EOF signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
On Fri, Dec 18, 2015 at 5:05 AM, Reindl Haraldwrote: > > besides that the wiki is completly outdated "grub2-setpassword" only works on > english machines https://bugzilla.redhat.com/show_bug.cgi?id=1292830 > > if /etc/grub.d/01_users would containa comment that "/boot/grub2/user.cfg" > (who knows prefix just staring at the source of that file) just needs the > hash output of "grub2-mkpasswd-pbkdf2" in the variable "GRUB2_PASSWORD" it > would be so more helpful > /etc/grub.d is consumed by grub2-mkconfig. Since Fedora doesn't use grub2-mkconfig after installation, basically every GRUB 2 configuration reference that has upstream GRUB 2 in mind doesn't actually work on Fedora. Perhaps Fedora should consider switching to using grub2-mkconfig during normal use... :) --Andy -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
Am 18.12.2015 um 20:30 schrieb Andrew Lutomirski: On Fri, Dec 18, 2015 at 5:05 AM, Reindl Haraldwrote: besides that the wiki is completly outdated "grub2-setpassword" only works on english machines https://bugzilla.redhat.com/show_bug.cgi?id=1292830 if /etc/grub.d/01_users would containa comment that "/boot/grub2/user.cfg" (who knows prefix just staring at the source of that file) just needs the hash output of "grub2-mkpasswd-pbkdf2" in the variable "GRUB2_PASSWORD" it would be so more helpful /etc/grub.d is consumed by grub2-mkconfig. Since Fedora doesn't use grub2-mkconfig after installation, basically every GRUB 2 configuration reference that has upstream GRUB 2 in mind doesn't actually work on Fedora. Perhaps Fedora should consider switching to using grub2-mkconfig during normal use... :) we had that discussion and it has *nothing to do* with /etc/grub.d/01_users don't contain a useful hint and a outdated wiki (not talking about the bug with LANG var) "grub2-setpassword" is enough (after "LANG=C") signature.asc Description: OpenPGP digital signature -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
Grub2-mkconfig works fine on F23. Maybe not for complex operations but for general modifications to /etc/default/grub it creates a perfectly working grub.cfg On Dec 18, 2015 14:31, "Andrew Lutomirski"wrote: > On Fri, Dec 18, 2015 at 5:05 AM, Reindl Harald > wrote: > > > > besides that the wiki is completly outdated "grub2-setpassword" only > works on english machines > https://bugzilla.redhat.com/show_bug.cgi?id=1292830 > > > > if /etc/grub.d/01_users would containa comment that > "/boot/grub2/user.cfg" (who knows prefix just staring at the source of that > file) just needs the hash output of "grub2-mkpasswd-pbkdf2" in the variable > "GRUB2_PASSWORD" it would be so more helpful > > > > /etc/grub.d is consumed by grub2-mkconfig. Since Fedora doesn't use > grub2-mkconfig after installation, basically every GRUB 2 > configuration reference that has upstream GRUB 2 in mind doesn't > actually work on Fedora. > > Perhaps Fedora should consider switching to using grub2-mkconfig > during normal use... :) > > --Andy > -- > devel mailing list > devel@lists.fedoraproject.org > http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org > -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
On Fri, Dec 18, 2015 at 2:17 PM, Eric Griffithwrote: > Fedora, officially, supports Grubby. There was a different thread saying > "This is silly, why are we sticking with grubby?" and what I got out of that > thread was: there's some use case that grub2-mkconfig doesnt support, but > that grubby does, and Fedora wants to support that use case. I think that thread identified use cases that are *not* supported by grubby but that are supported by grub2-mkconfig (e.g. some btrfs setup) and that Fedora's resolution is to declare those configurations unsupported in general. > Frankly, the > fact that you had the say phrase: "users are asking for trouble by using > upstream-supported tools", just screams "clusterf***" to me as an end-user. > I can't tell you -who- is holding said cluster, whether its upstream or > downstream, but it needs to get sorted-- especially given the emphasis the > Fedora places upon staying as close to upstream as possible. I agree. I think Fedora should use Grub the way that the Grub developers thing Grub should be used, and that is to use grub2-mkconfig to propagate configuration (/etc/grub.d, etc) and kernel changes into the grub config. --Andy > > On Fri, Dec 18, 2015 at 5:07 PM, Andrew Lutomirski wrote: >> >> On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffith >> wrote: >> > Grub2-mkconfig works fine on F23. Maybe not for complex operations but >> > for >> > general modifications to /etc/default/grub it creates a perfectly >> > working >> > grub.cfg >> >> Sure, but do we support grub2-mkconfig? >> >> If yes, why don't we use it for real. If no, then users are asking >> for trouble by using upstream-supported tools. >> >> --Andy >> -- >> devel mailing list >> devel@lists.fedoraproject.org >> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org > > > > -- > devel mailing list > devel@lists.fedoraproject.org > http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffithwrote: > Grub2-mkconfig works fine on F23. Maybe not for complex operations but for > general modifications to /etc/default/grub it creates a perfectly working > grub.cfg Sure, but do we support grub2-mkconfig? If yes, why don't we use it for real. If no, then users are asking for trouble by using upstream-supported tools. --Andy -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Re: grub2 password and docs
Fedora, officially, supports Grubby. There was a different thread saying "This is silly, why are we sticking with grubby?" and what I got out of that thread was: there's some use case that grub2-mkconfig doesnt support, but that grubby does, and Fedora wants to support that use case. Frankly, the fact that you had the say phrase: "users are asking for trouble by using upstream-supported tools", just screams "clusterf***" to me as an end-user. I can't tell you -who- is holding said cluster, whether its upstream or downstream, but it needs to get sorted-- especially given the emphasis the Fedora places upon staying as close to upstream as possible. On Fri, Dec 18, 2015 at 5:07 PM, Andrew Lutomirskiwrote: > On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffith > wrote: > > Grub2-mkconfig works fine on F23. Maybe not for complex operations but > for > > general modifications to /etc/default/grub it creates a perfectly working > > grub.cfg > > Sure, but do we support grub2-mkconfig? > > If yes, why don't we use it for real. If no, then users are asking > for trouble by using upstream-supported tools. > > --Andy > -- > devel mailing list > devel@lists.fedoraproject.org > http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org > -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org