Wrong arguments in Grub after provisioning Fedora 34 using Discovery

Hello

I am doing a provisioning of Fedora 34 using Discovery and the FDI bootable iso. Everything installs correctly, except the first kernel entry. See the images attached below.

Could someone point me in the right direction how to get this right? Pointers could be kickstart commands or options to try in the discovery template, arguments to try in the kexec template, general options, or something other I haven’t thought off. Running grub2-mkconfig after installation fixes the boot entry, but that seems like a rather clumsy way to do it.

Image 1: First option (selected white) do not work, second option works.

Image 2: This is the screenshot of the first option. I have anonymised IPs. It seems like the arguments given from the kexec stage.

Image 3: This is a screenshot form the second kernel option. This is the way it should look like, and this one boots without any issues.

/ David

Hi David, this is new. I haven’t seen that yet. Did you do PXE or kexec process?

Can you pastebin your provisioning (kickstart) template of that host? I am particularly interested in partition scheme. This looks like UEFI and there could be a leftover. Discovery itself does not change anything on disk, so it had to be Anaconda.

This smells like a new feature in Anaconda that writes some extra entry. I suggest you ask on Fedora dev lists/irc.

FYI I asked on Fedora channel and Javier from Red Hat grub team confirmed there were no changes in F34 in this regard:

12:07 <sharkcz> lzap: hi, try asking on #anaconda
12:08 <sharkcz> lzap: https://fedoraproject.org/wiki/Releases/34/ChangeSet are the announced and tracked changes
12:12 <javierm> lzap: the only grub change from that list is https://fedoraproject.org/wiki/Releases/34/ChangeSet#Unify_the_GRUB_configuration_files_location_across_all_supported_architectures
12:12 <javierm> but I can't see how would be related... 
12:12 <javierm> lzap: maybe filing a BZ for grub2 or anaconda ?

Hi Lukas

I did try to change an argument in the kexec template, and I saw that this change also took effect on the Grub entry after provisioning. So the installation enters the arguments given during kexec into the first Grub entry.

It is indeed UEFI. I just tried to provisioning a BIOS system with the same config, and it gave the same result in the first Grub entry.

I did kexec, not PXE.

This is the kickstart template delivered to the host:

# This kickstart file was rendered from the Foreman provisioning template "Kickstart Fedora 34".


graphical

url --url https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Everything/x86_64/os


lang nb_NO.utf8
selinux --enforcing
keyboard no
xconfig

network --device=XX:XX:XX:XX:XX --hostname test43.lin.local --noipv6 --bootproto static --ip=XXX.XXX.XXX.XXX --netmask=255.255.255.0 --gateway=XXX.XXX.XXX.XXX --mtu=1500 --nameserver=XXX.XXX.XXX.XXX

rootpw --iscrypted XXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
firewall --service=ssh
authselect --useshadow --passalgo=sha256 --kickstart
timezone --utc UTC 




# Bootloader exception for Fedora 16:
#bootloader --extlinux --append="nofb quiet splash=quiet " 
#part biosboot --fstype=biosboot --size=1
bootloader --location=mbr


ignoredisk --only-use=sda
clearpart --all
zerombr
autopart


#text
reboot

%packages

@^workstation-product-environment
yum
dhclient
vim
chrony
-ntp
wget
#redhat-lsb-core
%end

#firstboot --enable



%post --nochroot
exec < /dev/tty3 > /dev/tty3
#changing to VT 3 so that we can see whats going on....
/usr/bin/chvt 3
(
cp -va /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
/usr/bin/chvt 1
) 2>&1 | tee /mnt/sysimage/root/install.postnochroot.log
%end

%post --log=/root/install.post.log
logger "Starting anaconda test43.lin.local postinstall"
exec < /dev/tty3 > /dev/tty3
#changing to VT 3 so that we can see whats going on....
/usr/bin/chvt 3





# ens192 interface
real=`grep -l XX:XX:XX:XX:XX /sys/class/net/*/{bonding_slave/perm_hwaddr,address} 2>/dev/null | awk -F '/' '// {print $5}' | head -1`
sanitized_real=`echo $real | sed s/:/_/`


cat << EOF > /etc/sysconfig/network-scripts/ifcfg-$sanitized_real
BOOTPROTO="none"
IPADDR="XXX.XXX.XXX.XXX"
NETMASK="255.255.255.0"
GATEWAY="XXX.XXX.XXX.XXX"
DOMAIN="lin.local"
DEVICE=$real
HWADDR="XX:XX:XX:XX:XX"
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
DEFROUTE=yes
DNS1="XXX.XXX.XXX.XXX30"
MTU=1500
EOF







echo "Updating system time"
systemctl enable --now chronyd
/usr/bin/chronyc -a makestep
/usr/sbin/hwclock --systohc

















# FreeIPA Registration Snippet
#
# Optional parameters:
#
#   freeipa_server              IPA server
#
#   freeipa_sudo                Enable sudoers
#                               Default: true
#
#   freeipa_ssh                 Enable ssh integration
#                               Default: true
#
#   freeipa_automount           Enable automounter
#                               Default: false
#
#   freeipa_automount_location  Location for automounts
#
#   freeipa_mkhomedir           Enable automatically making home directories
#                               Default: true
#
#   freeipa_opts                Additional options to pass directly to installer
#
#   freeipa_automount_server    Override automount server if freeipa_automount is true and the server differs from freeipa_server
#

      freeipa_client=freeipa-client
    
  
    /usr/libexec/openssh/sshd-keygen rsa
  
yum install -y libsss_sudo $freeipa_client

##
## IPA Client Installation
##


freeipa_mkhomedir="--mkhomedir"



# One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
/usr/sbin/ipa-client-install -w '$HOST[OTP]' --realm=LIN.LOCAL -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_domain $freeipa_ssh

##
## Automounter
##



##
## Sudoers
##



freeipa_client_version=$(ipa-client-install --version)
freeipa_client_version_major=$(echo $freeipa_client_version | cut -f1 -d.)
freeipa_client_version_minor=$(echo $freeipa_client_version | cut -f2 -d.)
freeipa_realm=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
freeipa_domain=$(grep -A 2 domain_realm /etc/krb5.conf | tail -n1 | awk '{print $1}')
freeipa_dn=$(for word in $(echo $freeipa_domain | sed 's/\./ /g'); do echo -n dc=$word,; done)
sssd_version=$(sssd --version)
sssd_major=$(echo $sssd_version | cut -f1 -d.)
sssd_minor=$(echo $sssd_version | cut -f2 -d.)
LDAP_CONFIG=$(mktemp)

# >=ipa-client-4.1.0 automatically configures sssd for sudo
# =<ipa-client-3 requires manual configuration which this snippet takes care of

if [ $freeipa_client_version_major -lt 4 ]
then
  # Modify sssd.conf
  sed -i -e "s/services = .*/\0, sudo/" /etc/sssd/sssd.conf

  # Modify sssd.conf for sssd <1.11 (RHEL <6.6)
  if [ $sssd_minor -lt 11 ] || [ $sssd_major -lt 1 ]
  then
        krb5_server="_srv_"
    
cat <<EOF > $LDAP_CONFIG
sudo_provider = ldap
ldap_uri = _srv_ $ldap_uri
ldap_sudo_search_base = ou=SUDOers,${freeipa_dn%?}
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$HOSTNAME
ldap_sasl_realm = $freeipa_realm
krb5_server = $krb5_server
EOF
  sed -i -e "/\[domain\/.*\]/ r $LDAP_CONFIG" /etc/sssd/sssd.conf
  fi

  # Modify nsswitch.conf
  grep -q sudoers /etc/nsswitch.conf
  if [[ $? -eq 0 ]];
  then
    sed -i -e "s/^sudoers.*/sudoers:    files sss/" /etc/nsswitch.conf
  else
    echo "sudoers:    files sss" >> /etc/nsswitch.conf
  fi

  # Configure nisdomain
      authconfig --nisdomain ${freeipa_domain} --update
    chkconfig sssd on
    
    if [[ $(rpm -qa systemd | wc -l) -gt 0 ]];
    then
      domain_service=/usr/lib/systemd/system/*-domainname.service
      
      # Workaround for BZ1071969 on RHEL 7.0
      grep -q "DefaultDependencies=no" $domain_service
      if [[ $? -ne 0 ]]
      then
        sed -i -e "s/\[Unit\]/\[Unit\]\nDefaultDependencies=no/" $domain_service
      fi

      systemctl start $(basename $domain_service)
      systemctl enable $(basename $domain_service)
    fi
  fi




# update all the base packages from the updates repository
if [ -f /usr/bin/dnf ]; then
  dnf -y update
else
  yum -t -y update
fi


# SSH keys setup snippet for Remote Execution plugin
#
# Parameters:
#
# remote_execution_ssh_keys: public keys to be put in ~/.ssh/authorized_keys
#
# remote_execution_ssh_user: user for which remote_execution_ssh_keys will be
#                            authorized
#
# remote_execution_create_user: create user if it not already existing
#
# remote_execution_effective_user_method: method to switch from ssh user to
#                                         effective user
#
# This template sets up SSH keys in any host so that as long as your public
# SSH key is in remote_execution_ssh_keys, you can SSH into a host. This
# works in combination with Remote Execution plugin by querying smart proxies
# to build an array.
#
# To use this snippet without the plugin provide the SSH keys as host parameter
# remote_execution_ssh_keys. It expects the same format like the authorized_keys
# file.





user_exists=false
getent passwd root >/dev/null 2>&1 && user_exists=true


if $user_exists; then


  mkdir -p ~root/.ssh

  cat << EOF >> ~root/.ssh/authorized_keys
ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXX/ foreman-proxy@sat.lin.local
EOF

  chmod 0700 ~root/.ssh
  chmod 0600 ~root/.ssh/authorized_keys
  chown -R root: ~root/.ssh

  # Restore SELinux context with restorecon, if it's available:
  command -v restorecon && restorecon -RvF ~root/.ssh || true

else
  echo 'The remote_execution_ssh_user does not exist and remote_execution_create_user is not set to true.  remote_execution_ssh_keys snippet will not install keys'
fi







yum install -y http://sat.lin.local/pub/fedora34/puppet-agent-6.22.1-1.fc32.x86_64.rpm
if [ -f /usr/bin/dnf ]; then
  dnf -y install puppet-agent
else
  yum -t -y install puppet-agent
fi

cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[main]

[agent]
pluginsync      = true
report          = true
ca_server       = sat.lin.local
certname        = test43.lin.local
environment     = fedora34_prod
server          = sat.lin.local

EOF


puppet_unit=puppet
/usr/bin/systemctl list-unit-files | grep -q puppetagent && puppet_unit=puppetagent
/usr/bin/systemctl enable ${puppet_unit}

# export a custom fact called 'is_installer' to allow detection of the installer environment in Puppet modules
export FACTER_is_installer=true
# passing a non-existent tag like "no_such_tag" to the puppet agent only initializes the node
/opt/puppetlabs/bin/puppet agent --config /etc/puppetlabs/puppet/puppet.conf --onetime --tags no_such_tag --server sat.lin.local --no-daemonize










touch /tmp/foreman_built
%end

%post --erroronfail


if test -f /tmp/foreman_built; then
  echo "calling home: build is done!"
  if [ -x /usr/bin/curl ]; then
    /usr/bin/curl -o /dev/null --noproxy \* -H 'Content-Type: text/plain' --data @/mnt/sysimage/root/install.post.log --silent 'http://sat.lin.local/unattended/built'
  elif [ -x /usr/bin/wget ]; then
    /usr/bin/wget -q -O /dev/null --no-proxy --method POST --header 'Content-Type: text/plain' --body-file=/mnt/sysimage/root/install.post.log 'http://sat.lin.local/unattended/built'
  else
    wget -q -O /dev/null --header 'Content-Type: text/plain' 'http://sat.lin.local/unattended/built'
  fi
else
  echo "calling home: build failed!"
  if [ -x /usr/bin/curl ]; then
    /usr/bin/curl -o /dev/null --noproxy \* -H 'Content-Type: text/plain' --data @/mnt/sysimage/root/install.post.log --silent 'http://sat.lin.local/unattended/failed'
  elif [ -x /usr/bin/wget ]; then
    /usr/bin/wget -q -O /dev/null --no-proxy --method POST --header 'Content-Type: text/plain' --body-file=/mnt/sysimage/root/install.post.log 'http://sat.lin.local/unattended/failed'
  else
    wget -q -O /dev/null --header 'Content-Type: text/plain' 'http://sat.lin.local/unattended/failed'
  fi
fi

sync
%end

FYI, I solved this problem by putting

sync
grub2-mkconfig
<%= section_end -%>

At the bottom of the kickstart template file

Thanks for getting back to us. Do you know what was the culprit?

I do not. However, I did try to change the arguments in the append line for the sake of verifying (kexec template). The exact change was reflected in the first kernel option. So I can confirm this behaviour in the default setup regarding Fedora 34.