Problem: We have a customer setting up notebooks via discovery and kexec. That worked quite well until they performed an upgrade, including a new version of foreman_discovery. With quite some time we can now track the issue down to one change but we do not understand how we could patch it back or work around.
The problem is caused by this commit: Fixes #30680: Add conditional option for kexec to work with UEFI+Secu… · theforeman/smart_proxy_discovery_image@67688b5 · GitHub
There a new flag for secureboot is implemented, checking if secureboot is on/off and the modifying the kexec by adding --kexec-file-syscall.
However, for all tested hardware (and some VMware-VMs) we never got any machine to work with the kexec-file-syscall - while in older versions we had no issues with secure boot on and without kexec-file-syscall. It would be nice if this option could be switched off with some host-parameter or something like that, but we do not understand where and how this “smart_proxy_discovery_image”-component is used in discovery and where this power_api.rb file is located.
We tried that with the default (EL7)-discovery-image, the new EL8-image and some RCs of the EL8-image and tried to build own images of EL7 and EL8. We always run into the issue that kexec throws errors when secureboot is on and the kexec-file-syscall is used. It still works with secureboot off. It also works if secureboot is on and we run the kexec manually over ssh withouth kexec-file-syscall.
With the EL7-image it results in this error:
Jan 12 13:45:38 fdi sudo: pam_unix(sudo:session): session opened for user root by (uid=0) Jan 12 13:45:38 fdi systemd: Started Session c1 of user root. Jan 12 13:45:38 fdi smart-proxy: Try gzip decompression. Jan 12 13:45:38 fdi smart-proxy: Try LZMA decompression. Jan 12 13:45:38 fdi smart-proxy: lzma_decompress_file: read on /tmp/vmlinuz of 65536 bytes failed Jan 12 13:45:38 fdi smart-proxy: kexec_file_load failed: Required key not available
With the EL8-image it results in:
Jan 12 13:27:18 fdi sudo: pam_unix(sudo:session): session opened for user root by (uid=0) Jan 12 13:27:18 fdi smart-proxy: Try gzip decompression. Jan 12 13:27:18 fdi smart-proxy: Try LZMA decompression. Jan 12 13:27:18 fdi smart-proxy: lzma_decompress_file: read on /tmp/vmlinuz of 65536 bytes failed Jan 12 13:27:18 fdi smart-proxy: kexec_file_load failed: Operation not permitted Jan 12 13:27:18 fdi kernel: Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7
And with the newest released EL8-image we cannot boot into PXE with secureboot off anymore. The machines get stuck and use maximum of CPU and nothing changes and the screen goes black - we cannot connect to the machine because nothing responds anymore.
In el7 + el8 the kexec-command without the file-syscall executed manually works with secureboot enabled.
I guess the best candidate to help us or at least possible to explain how and where the smart_proxy_discovery_image-part is used is @lzap, so I hope you have some minutes to point us into the right direction.