I am provisioning Fedora 34 using Discovery and the FDI bootable ISO. Everything installs correctly, except the first kernel entry. See the images attached below.
Could someone point me in the right direction on how to get this right? Pointers could be kickstart commands or options to try in the discovery template, arguments to try in the kexec template, general options, or something else I haven’t thought of. Running grub2-mkconfig after installation fixes the boot entry, but that seems like a rather clumsy way to do it.
Hi David, this is new. I haven’t seen that yet. Did you do PXE or kexec process?
Can you pastebin your provisioning (kickstart) template of that host? I am particularly interested in partition scheme. This looks like UEFI and there could be a leftover. Discovery itself does not change anything on disk, so it had to be Anaconda.
This smells like a new feature in Anaconda that writes some extra entry. I suggest you ask on Fedora dev lists/irc.
FYI, I asked on the Fedora channel, and Javier from the Red Hat grub team confirmed there were no changes in F34 in this regard:
12:07 <sharkcz> lzap: hi, try asking on #anaconda
12:08 <sharkcz> lzap: https://fedoraproject.org/wiki/Releases/34/ChangeSet are the announced and tracked changes
12:12 <javierm> lzap: the only grub change from that list is https://fedoraproject.org/wiki/Releases/34/ChangeSet#Unify_the_GRUB_configuration_files_location_across_all_supported_architectures
12:12 <javierm> but I can't see how would be related...
12:12 <javierm> lzap: maybe filing a BZ for grub2 or anaconda ?
I did try to change an argument in the kexec template, and I saw that this change also took effect on the Grub entry after provisioning. So the installation enters the arguments given during kexec into the first Grub entry.
It is indeed UEFI. I just tried provisioning a BIOS system with the same config, and it gave the same result in the first Grub entry.
I did kexec, not PXE.
This is the kickstart template delivered to the host:
# This kickstart file was rendered from the Foreman provisioning template "Kickstart Fedora 34".
graphical
url --url https://dl.fedoraproject.org/pub/fedora/linux/releases/34/Everything/x86_64/os
lang nb_NO.utf8
selinux --enforcing
keyboard no
xconfig
network --device=XX:XX:XX:XX:XX --hostname test43.lin.local --noipv6 --bootproto static --ip=XXX.XXX.XXX.XXX --netmask=255.255.255.0 --gateway=XXX.XXX.XXX.XXX --mtu=1500 --nameserver=XXX.XXX.XXX.XXX
rootpw --iscrypted XXXXXXXXXXXXXXXXXXXXXXXXXXXXXx
firewall --service=ssh
authselect --useshadow --passalgo=sha256 --kickstart
timezone --utc UTC
# Bootloader exception for Fedora 16:
#bootloader --extlinux --append="nofb quiet splash=quiet "
#part biosboot --fstype=biosboot --size=1
bootloader --location=mbr
ignoredisk --only-use=sda
clearpart --all
zerombr
autopart
#text
reboot
%packages
@^workstation-product-environment
yum
dhclient
vim
chrony
-ntp
wget
#redhat-lsb-core
%end
#firstboot --enable
%post --nochroot
exec < /dev/tty3 > /dev/tty3
#changing to VT 3 so that we can see whats going on....
/usr/bin/chvt 3
(
cp -va /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
/usr/bin/chvt 1
) 2>&1 | tee /mnt/sysimage/root/install.postnochroot.log
%end
%post --log=/root/install.post.log
logger "Starting anaconda test43.lin.local postinstall"
exec < /dev/tty3 > /dev/tty3
#changing to VT 3 so that we can see whats going on....
/usr/bin/chvt 3
# ens192 interface
real=`grep -l XX:XX:XX:XX:XX /sys/class/net/*/{bonding_slave/perm_hwaddr,address} 2>/dev/null | awk -F '/' '// {print $5}' | head -1`
sanitized_real=`echo $real | sed s/:/_/`
cat << EOF > /etc/sysconfig/network-scripts/ifcfg-$sanitized_real
BOOTPROTO="none"
IPADDR="XXX.XXX.XXX.XXX"
NETMASK="255.255.255.0"
GATEWAY="XXX.XXX.XXX.XXX"
DOMAIN="lin.local"
DEVICE=$real
HWADDR="XX:XX:XX:XX:XX"
ONBOOT=yes
PEERDNS=yes
PEERROUTES=yes
DEFROUTE=yes
DNS1="XXX.XXX.XXX.XXX30"
MTU=1500
EOF
echo "Updating system time"
systemctl enable --now chronyd
/usr/bin/chronyc -a makestep
/usr/sbin/hwclock --systohc
# FreeIPA Registration Snippet
#
# Optional parameters:
#
# freeipa_server IPA server
#
# freeipa_sudo Enable sudoers
# Default: true
#
# freeipa_ssh Enable ssh integration
# Default: true
#
# freeipa_automount Enable automounter
# Default: false
#
# freeipa_automount_location Location for automounts
#
# freeipa_mkhomedir Enable automatically making home directories
# Default: true
#
# freeipa_opts Additional options to pass directly to installer
#
# freeipa_automount_server Override automount server if freeipa_automount is true and the server differs from freeipa_server
#
freeipa_client=freeipa-client
/usr/libexec/openssh/sshd-keygen rsa
yum install -y libsss_sudo $freeipa_client
##
## IPA Client Installation
##
freeipa_mkhomedir="--mkhomedir"
# One-time password will be requested at install time. Otherwise, $HOST[OTP] is used as a placeholder value.
/usr/sbin/ipa-client-install -w '$HOST[OTP]' --realm=LIN.LOCAL -U $freeipa_mkhomedir $freeipa_opts $freeipa_server $freeipa_domain $freeipa_ssh
##
## Automounter
##
##
## Sudoers
##
freeipa_client_version=$(ipa-client-install --version)
freeipa_client_version_major=$(echo $freeipa_client_version | cut -f1 -d.)
freeipa_client_version_minor=$(echo $freeipa_client_version | cut -f2 -d.)
freeipa_realm=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | tr -d ' ')
freeipa_domain=$(grep -A 2 domain_realm /etc/krb5.conf | tail -n1 | awk '{print $1}')
freeipa_dn=$(for word in $(echo $freeipa_domain | sed 's/\./ /g'); do echo -n dc=$word,; done)
sssd_version=$(sssd --version)
sssd_major=$(echo $sssd_version | cut -f1 -d.)
sssd_minor=$(echo $sssd_version | cut -f2 -d.)
LDAP_CONFIG=$(mktemp)
# >=ipa-client-4.1.0 automatically configures sssd for sudo
# =<ipa-client-3 requires manual configuration which this snippet takes care of
if [ $freeipa_client_version_major -lt 4 ]
then
# Modify sssd.conf
sed -i -e "s/services = .*/\0, sudo/" /etc/sssd/sssd.conf
# Modify sssd.conf for sssd <1.11 (RHEL <6.6)
if [ $sssd_minor -lt 11 ] || [ $sssd_major -lt 1 ]
then
krb5_server="_srv_"
cat <<EOF > $LDAP_CONFIG
sudo_provider = ldap
ldap_uri = _srv_ $ldap_uri
ldap_sudo_search_base = ou=SUDOers,${freeipa_dn%?}
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/$HOSTNAME
ldap_sasl_realm = $freeipa_realm
krb5_server = $krb5_server
EOF
sed -i -e "/\[domain\/.*\]/ r $LDAP_CONFIG" /etc/sssd/sssd.conf
fi
# Modify nsswitch.conf
grep -q sudoers /etc/nsswitch.conf
if [[ $? -eq 0 ]];
then
sed -i -e "s/^sudoers.*/sudoers: files sss/" /etc/nsswitch.conf
else
echo "sudoers: files sss" >> /etc/nsswitch.conf
fi
# Configure nisdomain
authconfig --nisdomain ${freeipa_domain} --update
chkconfig sssd on
if [[ $(rpm -qa systemd | wc -l) -gt 0 ]];
then
domain_service=/usr/lib/systemd/system/*-domainname.service
# Workaround for BZ1071969 on RHEL 7.0
grep -q "DefaultDependencies=no" $domain_service
if [[ $? -ne 0 ]]
then
sed -i -e "s/\[Unit\]/\[Unit\]\nDefaultDependencies=no/" $domain_service
fi
systemctl start $(basename $domain_service)
systemctl enable $(basename $domain_service)
fi
fi
# update all the base packages from the updates repository
if [ -f /usr/bin/dnf ]; then
dnf -y update
else
yum -t -y update
fi
# SSH keys setup snippet for Remote Execution plugin
#
# Parameters:
#
# remote_execution_ssh_keys: public keys to be put in ~/.ssh/authorized_keys
#
# remote_execution_ssh_user: user for which remote_execution_ssh_keys will be
# authorized
#
# remote_execution_create_user: create user if it not already existing
#
# remote_execution_effective_user_method: method to switch from ssh user to
# effective user
#
# This template sets up SSH keys in any host so that as long as your public
# SSH key is in remote_execution_ssh_keys, you can SSH into a host. This
# works in combination with Remote Execution plugin by querying smart proxies
# to build an array.
#
# To use this snippet without the plugin provide the SSH keys as host parameter
# remote_execution_ssh_keys. It expects the same format like the authorized_keys
# file.
user_exists=false
getent passwd root >/dev/null 2>&1 && user_exists=true
if $user_exists; then
mkdir -p ~root/.ssh
cat << EOF >> ~root/.ssh/authorized_keys
ssh-rsa XXXXXXXXXXXXXXXXXXXXXXXXXXX/ foreman-proxy@sat.lin.local
EOF
chmod 0700 ~root/.ssh
chmod 0600 ~root/.ssh/authorized_keys
chown -R root: ~root/.ssh
# Restore SELinux context with restorecon, if it's available:
command -v restorecon && restorecon -RvF ~root/.ssh || true
else
echo 'The remote_execution_ssh_user does not exist and remote_execution_create_user is not set to true. remote_execution_ssh_keys snippet will not install keys'
fi
yum install -y http://sat.lin.local/pub/fedora34/puppet-agent-6.22.1-1.fc32.x86_64.rpm
if [ -f /usr/bin/dnf ]; then
dnf -y install puppet-agent
else
yum -t -y install puppet-agent
fi
cat > /etc/puppetlabs/puppet/puppet.conf << EOF
[main]
[agent]
pluginsync = true
report = true
ca_server = sat.lin.local
certname = test43.lin.local
environment = fedora34_prod
server = sat.lin.local
EOF
puppet_unit=puppet
/usr/bin/systemctl list-unit-files | grep -q puppetagent && puppet_unit=puppetagent
/usr/bin/systemctl enable ${puppet_unit}
# export a custom fact called 'is_installer' to allow detection of the installer environment in Puppet modules
export FACTER_is_installer=true
# passing a non-existent tag like "no_such_tag" to the puppet agent only initializes the node
/opt/puppetlabs/bin/puppet agent --config /etc/puppetlabs/puppet/puppet.conf --onetime --tags no_such_tag --server sat.lin.local --no-daemonize
touch /tmp/foreman_built
%end
%post --erroronfail
if test -f /tmp/foreman_built; then
echo "calling home: build is done!"
if [ -x /usr/bin/curl ]; then
/usr/bin/curl -o /dev/null --noproxy \* -H 'Content-Type: text/plain' --data @/mnt/sysimage/root/install.post.log --silent 'http://sat.lin.local/unattended/built'
elif [ -x /usr/bin/wget ]; then
/usr/bin/wget -q -O /dev/null --no-proxy --method POST --header 'Content-Type: text/plain' --body-file=/mnt/sysimage/root/install.post.log 'http://sat.lin.local/unattended/built'
else
wget -q -O /dev/null --header 'Content-Type: text/plain' 'http://sat.lin.local/unattended/built'
fi
else
echo "calling home: build failed!"
if [ -x /usr/bin/curl ]; then
/usr/bin/curl -o /dev/null --noproxy \* -H 'Content-Type: text/plain' --data @/mnt/sysimage/root/install.post.log --silent 'http://sat.lin.local/unattended/failed'
elif [ -x /usr/bin/wget ]; then
/usr/bin/wget -q -O /dev/null --no-proxy --method POST --header 'Content-Type: text/plain' --body-file=/mnt/sysimage/root/install.post.log 'http://sat.lin.local/unattended/failed'
else
wget -q -O /dev/null --header 'Content-Type: text/plain' 'http://sat.lin.local/unattended/failed'
fi
fi
sync
%end
I do not. However, I did try to change the arguments in the append line for the sake of verifying (kexec template). The exact change was reflected in the first kernel option. So I can confirm this behaviour in the default setup regarding Fedora 34.
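The behaviour reported in this thread (arguments from the kexec template ending up in the first Grub entry) can be checked for after installation. The script below is an added example, not part of any post or of the Foreman templates; it assumes the leftover arguments are Anaconda `inst.*` boot options and that boot entries are BLS files under /boot/loader/entries, and its sample entries are constructed.

```shell
#!/bin/sh
# Added example: flag boot entries whose "options" line still carries
# Anaconda installer arguments (the inst.* namespace) after provisioning.
# Assumption: entries are BLS files in /boot/loader/entries.

# Prints "<file>: <arg> ..." for every entry with inst.* arguments.
# Returns 0 when all entries are clean, 1 when a leftover was found.
find_installer_args() {
    local dir entry hits status
    dir=${1:-/boot/loader/entries}
    status=0
    for entry in "$dir"/*.conf; do
        [ -f "$entry" ] || continue
        # Only the "options" line holds the kernel command line.
        hits=$(awk '$1 == "options" {
                        for (i = 2; i <= NF; i++)
                            if ($i ~ /^inst\./) printf " %s", $i
                    }' "$entry")
        if [ -n "$hits" ]; then
            printf '%s:%s\n' "${entry##*/}" "$hits"
            status=1
        fi
    done
    return $status
}

# Constructed sample entries (not taken from the thread) for an offline run.
make_sample_entries() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'title Fedora (constructed, leftover installer args)' \
        'linux /vmlinuz-sample-1' \
        'options root=/dev/mapper/fedora-root ro inst.ks=http://foreman.example/unattended/provision inst.ks.sendmac' \
        > "$d/sample-1.conf"
    printf '%s\n' 'title Fedora (constructed, clean)' \
        'linux /vmlinuz-sample-2' \
        'options root=/dev/mapper/fedora-root ro rhgb quiet' \
        > "$d/sample-2.conf"
    echo "$d"
}

sample=$(make_sample_entries)
find_installer_args "$sample" || echo "leftover installer arguments found"
rm -rf "$sample"
```

Run from a kickstart %post section without an argument, a non-zero status marks the hosts where the grub2-mkconfig workaround mentioned in the first post is still needed.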