-
Notifications
You must be signed in to change notification settings - Fork 120
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Let's describe the status quo.
- Loading branch information
Showing
2 changed files
with
80 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,79 @@ | ||
| = Updating the bootloader | ||
|
|
||
| == bootupd | ||
|
|
||
| Updating the bootloader is not currently automatic. The https://github.com/coreos/bootupd/[bootupd] | ||
| project is included in Fedora CoreOS and may be used for manual updates. | ||
|
|
||
| This is usually only relevant on bare metal scenarios, or virtualized | ||
| hypervisors that support Secure Boot. An example reason to update the | ||
| bootloader is for https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/[the BootHole vulnerablity]. | ||
|
|
||
| Inspect the system status: | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| # bootupctl status | ||
| Component EFI | ||
| Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64 | ||
| Update: At latest version | ||
| # | ||
| ---- | ||
|
|
||
| If an update is available, use `bootupctl update` to apply it; the | ||
| change will take effect for the next reboot. | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| # bootupctl update | ||
| ... | ||
| Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64 | ||
| # | ||
| ---- | ||
|
|
||
| .Example systemd unit to automate bootupd updates | ||
| [source,yaml] | ||
| ---- | ||
| variant: fcos | ||
| version: 1.1.0 | ||
| systemd: | ||
| units: | ||
| - name: custom-bootupd-auto.service | ||
| enabled: true | ||
| contents: | | ||
| [Unit] | ||
| Description=Bootupd automatic update | ||
| [Service] | ||
| ExecStart=/usr/bin/bootupctl update | ||
| RemainAfterExit=yes | ||
| [Install] | ||
| WantedBy=multi-user.target | ||
| ---- | ||
|
|
||
| === Using images that predate bootupd | ||
|
|
||
| Older CoreOS images that predate the existence of bootupd need | ||
| an explicit "adoption" phase. You can see this by looking at | ||
| `bootupctl status` and if it says the component is "Adoptable". | ||
|
|
||
| [source,bash] | ||
| ---- | ||
| # bootupctl adopt-and-update | ||
| ... | ||
| Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64 | ||
| # | ||
| ---- | ||
|
|
||
| === Future versions may default to automatic updates | ||
|
|
||
| It is possible that future Fedora CoreOS versions may default | ||
| to automating bootloader updates similar to the above. | ||
| If you choose to add a systemd unit per above (or manually | ||
| `ssh` to a node for updates), note that concurrent | ||
| `bootupctl update` invocations will not explicitly conflict. | ||
| The only side effect is that without explicit ordering, | ||
| one invocation may see and perform an update, and | ||
| the second may detect no update available. | ||
|
|