openshift · bobfuru · Jan 18, 2021 · Dec 11, 2020
diff --git a/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc b/installing/installing_bare_metal/installing-bare-metal-network-customizations.adoc
@@ -98,6 +98,8 @@ include::modules/installation-user-infra-machines-advanced.adoc[leveloffset=+2]
 
 include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+3]
 
+include::modules/architecture-rhcos-updating-bootloader.adoc[leveloffset=+2]
+
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
 
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

diff --git a/installing/installing_bare_metal/installing-bare-metal.adoc b/installing/installing_bare_metal/installing-bare-metal.adoc
@@ -109,6 +109,8 @@ include::modules/installation-user-infra-machines-advanced.adoc[leveloffset=+2]
 
 include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+3]
 
+include::modules/architecture-rhcos-updating-bootloader.adoc[leveloffset=+2]
+
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
 
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

diff --git a/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc b/installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
@@ -115,6 +115,8 @@ include::modules/installation-user-infra-machines-advanced.adoc[leveloffset=+2]
 
 include::modules/installation-user-infra-machines-static-network.adoc[leveloffset=+3]
 
+include::modules/architecture-rhcos-updating-bootloader.adoc[leveloffset=+2]
+
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
 
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

diff --git a/installing/installing_vsphere/installing-restricted-networks-vsphere.adoc b/installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
@@ -70,6 +70,8 @@ include::modules/machine-vsphere-machines.adoc[leveloffset=+1]
 
 include::modules/installation-disk-partitioning.adoc[leveloffset=+1]
 
+include::modules/architecture-rhcos-updating-bootloader.adoc[leveloffset=+1]
+
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
 
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

diff --git a/installing/installing_vsphere/installing-vsphere-network-customizations.adoc b/installing/installing_vsphere/installing-vsphere-network-customizations.adoc
@@ -61,6 +61,8 @@ include::modules/machine-vsphere-machines.adoc[leveloffset=+1]
 
 include::modules/installation-disk-partitioning.adoc[leveloffset=+1]
 
+include::modules/architecture-rhcos-updating-bootloader.adoc[leveloffset=+1]
+
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]
 
 include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

diff --git a/installing/installing_vsphere/installing-vsphere.adoc b/installing/installing_vsphere/installing-vsphere.adoc
@@ -59,6 +59,8 @@ include::modules/machine-vsphere-machines.adoc[leveloffset=+1]
 
 include::modules/installation-disk-partitioning.adoc[leveloffset=+1]
 
+include::modules/architecture-rhcos-updating-bootloader.adoc[leveloffset=+1]
+
 include::modules/cli-installing-cli.adoc[leveloffset=+1]
 
 include::modules/installation-installing-bare-metal.adoc[leveloffset=+1]

diff --git a/modules/architecture-rhcos-updating-bootloader.adoc b/modules/architecture-rhcos-updating-bootloader.adoc
@@ -0,0 +1,93 @@
+// Module included in the following assemblies:
+//
+// * installing-restricted-networks-vsphere.adoc
+// * installing-vsphere-network-customizations.adoc
+// * installing-vsphere.adoc
+// * installing-bare-metal-network-customizations.adoc
+// * installing-bare-metal.adoc
+// * installing-restricted-networks-bare-metal.adoc
+
+[id="architecture-rhcos-updating-bootloader.adoc_{context}"]
+= Updating the bootloader using bootupd
+
+To update the bootloader by using `bootupd`, you must either install `bootupd` on {op-system} machines manually or provide a machine config with the enabled `systemd` unit. Unlike `grubby` or other bootloader tools, `bootupd` does not manage kernel space configuration such as passing kernel arguments.
+
+After you have installed `bootupd`, you can manage it remotely from the {product-title} cluster.
+
+[NOTE]
+====
+It is recommended that you use `bootupd` only on bare metal or virtualized hypervisor installations, such as for protection against the BootHole vulnerability.
+====
+
+.Manual install method
+You can manually install `bootupd` by using the `bootctl` command-line tool.
+
+. Inspect the system status:
++
+[source,terminal]
+----
+# bootupctl status
+----
++
+.Example output
+[source,terminal]
+----
+Component EFI
+  Installed: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
+  Update: At latest version
+----
+
+[start=2]
+. {op-system} images created without `bootupd` installed on them require an explicit adoption phase.
++
+If the system status is `Adoptable`, perform the adoption:
++
+[source,terminal]
+----
+# bootupctl adopt-and-update
+----
++
+.Example output
+[source,terminal]
+----
+Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
+----
+
+. If an update is available, apply the update so that the changes take effect on the next reboot:
++
+[source,terminal]
+----
+# bootupctl update
+----
++
+.Example output
+[source,terminal]
+----
+Updated: grub2-efi-x64-1:2.04-31.fc33.x86_64,shim-x64-15-8.x86_64
+----
+
+.Machine config method
+Another way to enable `bootupd` is by providing a machine config.
+
+* Provide a machine config file with the enabled `systemd` unit, as shown in the following example:
++
+.Example output
+[source,yaml]
+----
+  variant: rhcos
+  version: 1.1.0
+  systemd:
+    units:
+      - name: custom-bootupd-auto.service
+        enabled: true
+        contents: |
+          [Unit]
+          Description=Bootupd automatic update
+
+          [Service]
+          ExecStart=/usr/bin/bootupctl update
+          RemainAfterExit=yes
+
+          [Install]
+          WantedBy=multi-user.target
+----