Re: grub2 password and docs

2015-12-21 Thread Chris Murphy 
On Fri, Dec 18, 2015 at 2:01 PM, Eric Griffith  wrote:
> Grub2-mkconfig works fine on F23. Maybe not for complex operations but for
> general modifications to /etc/default/grub it creates a perfectly working
> grub.cfg

The default menu entries for other OS's is definitely suboptimal. OS X
and Windows+Secure Boot entries don't work. [1] And other Linux OS
installations get generic menu entries rather than pointing to the
distro specific grub.cfg instance using the GRUB 'configfile' command.

There are many different implementations of GRUB2 by the distros,
including grub.cfg location, what and where the 1st stage bootloader
(jump code) goes. And Fedora atomic builds manage all the bootloader
stuff internally, leveraging some of grub2-mkconfig but not all of it.
So that's a 3rd variation for producing a grub.cfg, on a single
distro. If you care about understanding how systems boot, in
particular to know how to fix booting when it breaks, good luck with
that. It's a lot of work. Most search results will be polluted with
the misleading irrelevancies of how other distros do things.



[1]

Automatic MacOSX grub entries are broken (and weird)
https://bugzilla.redhat.com/show_bug.cgi?id=893179

SecureBoot enabled causes Win 8 UEFI to not start from grub
https://bugzilla.redhat.com/show_bug.cgi?id=1170245


-- 
Chris Murphy
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-21 Thread Chris Murphy 
On Fri, Dec 18, 2015 at 3:07 PM, Andrew Lutomirski  wrote:
> On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffith  wrote:
>> Grub2-mkconfig works fine on F23. Maybe not for complex operations but for
>> general modifications to /etc/default/grub it creates a perfectly working
>> grub.cfg
>
> Sure, but do we support grub2-mkconfig?

Yes it's supported, it's used by the installer to get a base grub.cfg
to work with; and then shortly thereafter grubby comes by and makes
modifications after each initramfs is created. While grub-mkconfig is
not used automatically thereafter, it's still supported in that any
bugs found which adversely affect install time grub.cfg creation must
be fixed.


> If yes, why don't we use it for real.  If no, then users are asking
> for trouble by using upstream-supported tools.

We do use it for real, but switching from grubby to grub-mkconfig is
just rearranging the deck chairs. It doesn't actually make anything
more reliable, or more understandable. Try stracing grub2-mkconfig and
all of its children (use -ff and -o) and be prepared to be awed by the
result.

-- 
Chris Murphy
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-21 Thread Chris Murphy 
On Fri, Dec 18, 2015 at 3:38 PM, Andrew Lutomirski  wrote:

> I agree.  I think Fedora should use Grub the way that the Grub
> developers thing Grub should be used, and that is to use
> grub2-mkconfig to propagate configuration (/etc/grub.d, etc) and
> kernel changes into the grub config.

Probably not.

GRUB upstream is a general grocery store. It isn't a restaurant.
They're just offering raw ingredients for distro installer developers
to build something that doesn't require starting completely from
scratch. It's not really meant for distro end user support, it isn't
that friendly, and the documentation is fairly limited to the code and
the mailing list.

Upstream might represent 80% agreement among distros? And even some
things most distros agree on, like UEFI Secure Boot support, still
aren't upstream and may never be. Bootloaderspec file format support
is in that same category, meanwhile grub can read any version of its
own configuration file format including legacy, and iso/sys/extlinux
formats.

About the best opportunity to fix things is with atomic builds, which
don't use grubby, but do use bootloaderspec drop-in snippets. If/when
atomic builds get more traction, it's plausible conventional
installations will move to align with the way atomic builds boot. That
might mean fixing blscfg.mod in Fedora's GRUB to directly consume
bootloaderspec scripts, rather than the current way of doing it by
integrating them into grub.cfg using a combination of ostree and
grub2-mkconfig. Or maybe it means a more complex grub.cfg to find bls
scripts, and a bls format change to use one of the formats grub
already understands.

In any case, one bls script per "other" OS, for chainloading a native
bootloader, or using one of the configfile forwarding commands to
point to an OS specific grub.cfg, grub.conf, or ext/syslinux.conf file
permits support for non-bls supporting OS's. Right now, BLS completely
punts on "other" OS's and that's not really workable for the
workstation product (which is funny seeing as it really doesn't work
all that well right now anyway).


-- 
Chris Murphy
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

grub2 password and docs

2015-12-18 Thread Reindl Harald 

https://fedoraproject.org/wiki/GRUB_2#Setting_a_password_for_interactive_edit_mode
_

If you wish to password-protect GRUB2's interactive edit mode but you do 
not want to require users to enter a password to do a plain, simple, 
ordinary boot, create /etc/grub.d/01_users with the following lines:


cat << EOF
set superusers="root"
export superusers
password root secret
EOF
_

and then you find such a file there pointing to some "user.cfg" where 
nobody knows what \${prefix} is and how that is supposed to work - 
honestly the whole grub2 config stuff is cryptical crap while "More 
details can be found at Ubuntu Help: GRUB2 Passwords" even makes it more 
confusing


[root@testserver:~]$ cat /etc/grub.d/01_users
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
  source \${prefix}/user.cfg
  if [ -n "\${GRUB2_PASSWORD}" ]; then
set superusers="root"
export superusers
password_pbkdf2 root \${GRUB2_PASSWORD}
  fi
fi
EOF



signature.asc
Description: OpenPGP digital signature
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-18 Thread Reindl Harald 
besides that the wiki is completly outdated "grub2-setpassword" only 
works on english machines 
https://bugzilla.redhat.com/show_bug.cgi?id=1292830


if /etc/grub.d/01_users would containa comment that 
"/boot/grub2/user.cfg" (who knows prefix just staring at the source of 
that file) just needs the hash output of "grub2-mkpasswd-pbkdf2" in the 
variable "GRUB2_PASSWORD" it would be so more helpful


[root@testserver:/etc/grub.d]$ grub2-setpassword
Enter password:
Confirm password:

[root@testserver:/etc/grub.d]$ locate user.cfg
/boot/grub2/user.cfg

[root@testserver:/etc/grub.d]$ cat /boot/grub2/user.cfg
GRUB2_PASSWORD=Passwort eingeben:
Passwort erneut eingeben:
PBKDF2-Prüfsumme Ihres Passworts ist 
grub.pbkdf2.sha512.1.094C7CFED3F6F9D9854C821E48C6D2909C720B806BF69303D5782EA31790AF2ACD89ED73DA4A53C1B94D7E37EC240AAEEA85E779E1C88DE0ECA899747479F130.C7CEB0D35AF519B3C616871AF2BE9C02B151EBFA57162192DF45DA39FF80F871E1D1D87FCFD7C33016412BA835AEA8FECCFA44431C8EA0B43150F62FE5BBB0EE


Am 18.12.2015 um 13:16 schrieb Reindl Harald:

https://fedoraproject.org/wiki/GRUB_2#Setting_a_password_for_interactive_edit_mode

_

If you wish to password-protect GRUB2's interactive edit mode but you do
not want to require users to enter a password to do a plain, simple,
ordinary boot, create /etc/grub.d/01_users with the following lines:

cat << EOF
set superusers="root"
export superusers
password root secret
EOF
_

and then you find such a file there pointing to some "user.cfg" where
nobody knows what \${prefix} is and how that is supposed to work -
honestly the whole grub2 config stuff is cryptical crap while "More
details can be found at Ubuntu Help: GRUB2 Passwords" even makes it more
confusing

[root@testserver:~]$ cat /etc/grub.d/01_users
#!/bin/sh -e
cat << EOF
if [ -f \${prefix}/user.cfg ]; then
   source \${prefix}/user.cfg
   if [ -n "\${GRUB2_PASSWORD}" ]; then
 set superusers="root"
 export superusers
 password_pbkdf2 root \${GRUB2_PASSWORD}
   fi
fi
EOF




signature.asc
Description: OpenPGP digital signature
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-18 Thread Andrew Lutomirski 
On Fri, Dec 18, 2015 at 5:05 AM, Reindl Harald  wrote:
>
> besides that the wiki is completly outdated "grub2-setpassword" only works on 
> english machines https://bugzilla.redhat.com/show_bug.cgi?id=1292830
>
> if /etc/grub.d/01_users would containa comment that "/boot/grub2/user.cfg" 
> (who knows prefix just staring at the source of that file) just needs the 
> hash output of "grub2-mkpasswd-pbkdf2" in the variable "GRUB2_PASSWORD" it 
> would be so more helpful
>

/etc/grub.d is consumed by grub2-mkconfig.  Since Fedora doesn't use
grub2-mkconfig after installation, basically every GRUB 2
configuration reference that has upstream GRUB 2 in mind doesn't
actually work on Fedora.

Perhaps Fedora should consider switching to using grub2-mkconfig
during normal use... :)

--Andy
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-18 Thread Reindl Harald 



Am 18.12.2015 um 20:30 schrieb Andrew Lutomirski:

On Fri, Dec 18, 2015 at 5:05 AM, Reindl Harald  wrote:


besides that the wiki is completly outdated "grub2-setpassword" only works on 
english machines https://bugzilla.redhat.com/show_bug.cgi?id=1292830

if /etc/grub.d/01_users would containa comment that "/boot/grub2/user.cfg" (who knows prefix just 
staring at the source of that file) just needs the hash output of "grub2-mkpasswd-pbkdf2" in the 
variable "GRUB2_PASSWORD" it would be so more helpful



/etc/grub.d is consumed by grub2-mkconfig.  Since Fedora doesn't use
grub2-mkconfig after installation, basically every GRUB 2
configuration reference that has upstream GRUB 2 in mind doesn't
actually work on Fedora.

Perhaps Fedora should consider switching to using grub2-mkconfig
during normal use... :)


we had that discussion and it has *nothing to do* with 
/etc/grub.d/01_users don't contain a useful hint and a outdated wiki 
(not talking about the bug with LANG var)


"grub2-setpassword" is enough (after "LANG=C")



signature.asc
Description: OpenPGP digital signature
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-18 Thread Eric Griffith 
Grub2-mkconfig works fine on F23. Maybe not for complex operations but for
general modifications to /etc/default/grub it creates a perfectly working
grub.cfg
On Dec 18, 2015 14:31, "Andrew Lutomirski"  wrote:

> On Fri, Dec 18, 2015 at 5:05 AM, Reindl Harald 
> wrote:
> >
> > besides that the wiki is completly outdated "grub2-setpassword" only
> works on english machines
> https://bugzilla.redhat.com/show_bug.cgi?id=1292830
> >
> > if /etc/grub.d/01_users would containa comment that
> "/boot/grub2/user.cfg" (who knows prefix just staring at the source of that
> file) just needs the hash output of "grub2-mkpasswd-pbkdf2" in the variable
> "GRUB2_PASSWORD" it would be so more helpful
> >
>
> /etc/grub.d is consumed by grub2-mkconfig.  Since Fedora doesn't use
> grub2-mkconfig after installation, basically every GRUB 2
> configuration reference that has upstream GRUB 2 in mind doesn't
> actually work on Fedora.
>
> Perhaps Fedora should consider switching to using grub2-mkconfig
> during normal use... :)
>
> --Andy
> --
> devel mailing list
> devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
>
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-18 Thread Andrew Lutomirski 
On Fri, Dec 18, 2015 at 2:17 PM, Eric Griffith  wrote:
> Fedora, officially, supports Grubby. There was a different thread saying
> "This is silly, why are we sticking with grubby?" and what I got out of that
> thread was: there's some use case that grub2-mkconfig doesnt support, but
> that grubby does, and Fedora wants to support that use case.

I think that thread identified use cases that are *not* supported by
grubby but that are supported by grub2-mkconfig (e.g. some btrfs
setup) and that Fedora's resolution is to declare those configurations
unsupported in general.

> Frankly, the
> fact that you had the say phrase: "users are asking for trouble by using
> upstream-supported tools", just screams "clusterf***" to me as an end-user.
> I can't tell you -who- is holding said cluster, whether its upstream or
> downstream, but it needs to get sorted-- especially given the emphasis the
> Fedora places upon staying as close to upstream as possible.

I agree.  I think Fedora should use Grub the way that the Grub
developers thing Grub should be used, and that is to use
grub2-mkconfig to propagate configuration (/etc/grub.d, etc) and
kernel changes into the grub config.

--Andy

>
> On Fri, Dec 18, 2015 at 5:07 PM, Andrew Lutomirski  wrote:
>>
>> On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffith 
>> wrote:
>> > Grub2-mkconfig works fine on F23. Maybe not for complex operations but
>> > for
>> > general modifications to /etc/default/grub it creates a perfectly
>> > working
>> > grub.cfg
>>
>> Sure, but do we support grub2-mkconfig?
>>
>> If yes, why don't we use it for real.  If no, then users are asking
>> for trouble by using upstream-supported tools.
>>
>> --Andy
>> --
>> devel mailing list
>> devel@lists.fedoraproject.org
>> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
>
>
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-18 Thread Andrew Lutomirski 
On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffith  wrote:
> Grub2-mkconfig works fine on F23. Maybe not for complex operations but for
> general modifications to /etc/default/grub it creates a perfectly working
> grub.cfg

Sure, but do we support grub2-mkconfig?

If yes, why don't we use it for real.  If no, then users are asking
for trouble by using upstream-supported tools.

--Andy
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org

Re: grub2 password and docs

2015-12-18 Thread Eric Griffith 
Fedora, officially, supports Grubby. There was a different thread saying
"This is silly, why are we sticking with grubby?" and what I got out of
that thread was: there's some use case that grub2-mkconfig doesnt support,
but that grubby does, and Fedora wants to support that use case. Frankly,
the fact that you had the say phrase: "users are asking for trouble by
using upstream-supported tools", just screams "clusterf***" to me as an
end-user. I can't tell you -who- is holding said cluster, whether its
upstream or downstream, but it needs to get sorted-- especially given the
emphasis the Fedora places upon staying as close to upstream as possible.

On Fri, Dec 18, 2015 at 5:07 PM, Andrew Lutomirski  wrote:

> On Fri, Dec 18, 2015 at 1:01 PM, Eric Griffith 
> wrote:
> > Grub2-mkconfig works fine on F23. Maybe not for complex operations but
> for
> > general modifications to /etc/default/grub it creates a perfectly working
> > grub.cfg
>
> Sure, but do we support grub2-mkconfig?
>
> If yes, why don't we use it for real.  If no, then users are asking
> for trouble by using upstream-supported tools.
>
> --Andy
> --
> devel mailing list
> devel@lists.fedoraproject.org
> http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
>
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org