Add a bootupd section #203

Merged (1 commit, Dec 18, 2020)
1 change: 1 addition & 0 deletions modules/ROOT/nav.adoc
@@ -34,6 +34,7 @@
** OS updates
*** xref:update-streams.adoc[Update Streams]
*** xref:auto-updates.adoc[Auto-Updates]
*** xref:bootloader-updates.adoc[Bootloader Updates]
** Troubleshooting
*** xref:manual-rollbacks.adoc[Manual Rollbacks]
*** xref:access-recovery.adoc[Access Recovery]
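Review bot: The sidebar label `Bootloader Updates` in the new `xref:bootloader-updates.adoc[Bootloader Updates]` entry does not match the heading of the page it links to, which is `= Updating the bootloader` in the new file, so the nav text and the page title will read differently. Consider using the same wording in both places, e.g. `*** xref:bootloader-updates.adoc[Updating the bootloader]` or retitling the page to `= Bootloader Updates`.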
74 changes: 74 additions & 0 deletions modules/ROOT/pages/bootloader-updates.adoc
@@ -0,0 +1,74 @@
= Updating the bootloader

== bootupd

Updating the bootloader is not currently automatic. The https://github.com/coreos/bootupd/[bootupd]
project is included in Fedora CoreOS and may be used for manual updates.

This is usually only relevant on bare metal scenarios, or virtualized
hypervisors that support Secure Boot. An example reason to update the
bootloader is for https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/[the BootHole vulnerability].

At the moment, only the EFI system partition (i.e. not the BIOS MBR) can be updated by bootupd.

Inspect the system status:

[source,bash]
----
# bootupctl status
Component EFI
Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
Update: At latest version
#
----

If an update is available, use `bootupctl update` to apply it; the
change will take effect for the next reboot.

[source,bash]
----
# bootupctl update
...
Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
#
----

.Example systemd unit to automate bootupd updates
Member:

Should we have a Note: somewhere around here to say that one may not actually want to update the bootloader automatically on every host update?

Member Author:

Not sure what to say; either you update it automatically or you don't, right?

[source,yaml]
----
variant: fcos
version: 1.1.0
systemd:
units:
- name: custom-bootupd-auto.service
enabled: true
contents: |
[Unit]
Description=Bootupd automatic update
[Service]
ExecStart=/usr/bin/bootupctl update
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
----

=== Using images that predate bootupd

Older CoreOS images that predate the existence of bootupd need
an explicit "adoption" phase. If `bootupctl status` says the component
is `Adoptable`, perform the adoption with `bootupctl adopt-and-update`.

[source,bash]
----
# bootupctl adopt-and-update
...
Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
#
----

=== Future versions may default to automatic updates

It is possible that future Fedora CoreOS versions may default
to automating bootloader updates similar to the above.
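Review bot: The `custom-bootupd-auto.service` unit in the "Example systemd unit to automate bootupd updates" block sets `RemainAfterExit=yes` but leaves the service type at the default `Type=simple`, so systemd reports the unit as started as soon as `/usr/bin/bootupctl update` is forked rather than when it finishes; for a run-once command like this, `Type=oneshot` is the intended combination with `RemainAfterExit=yes`. Suggested change to the `[Service]` section:
[Service]
Type=oneshot
ExecStart=/usr/bin/bootupctl update
Separately, because the unit is `WantedBy=multi-user.target`, it runs on every boot and applies any pending bootloader update unattended, which is the concern raised in the inline review comment above; since the page itself says an update only takes effect on the next reboot, a one-sentence caveat before the example (that the unit should only be enabled on hosts where unattended bootloader replacement is acceptable, and that a host running it is always one reboot behind) would answer that question for readers.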