View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0015033CentOS-7grub2public2018-07-11 12:042018-07-11 20:32
Reporterkimball2058 
PrioritynormalSeverityblockReproducibilityalways
Status newResolutionopen 
Product Version7.5.1804 
Target VersionFixed in Version 
Summary0015033: Running grub2-mkconfig on installation with DISA STIG security profile results in unbootable system
DescriptionRunning grub2-mkconfig on installation with DISA STIG security profile results in unbootable system. Tested on clean load with minimal installation for this report, but problem occurs with any installation profile and at any point after installation. Problem observed on both physical and virtual machines.
Steps To Reproduce(1) Install from installation media
-minimal load
-set network and hostname
-default partitioning
-DISA STIG security profile
(2) Set root password and create administrative user during installation (STIG profile will not allow root login at console)
(3) Reboot after installation
(4) Log in as administrative user, execute sudo -s
(5) Run grub2-mkconfig -o /boot/grub2/grub.cfg
(6) Reboot
Additional InformationNo changes made to /etc/default/grub.
"yum update" executes without problem, even when updates include new kernel.
Screenshots attached --
snapshot1 - log into clean installation and execute grub2-mkconfig
snapshot2 - errors after reboot
TagsNo tags attached.
abrt_hash
URL

Activities

kimball2058

kimball2058

2018-07-11 12:04

reporter  

snapshot1.png (42,932 bytes)
snapshot1.png (42,932 bytes)
snapshot2.png (48,300 bytes)
snapshot2.png (48,300 bytes)
TrevorH

TrevorH

2018-07-11 14:14

manager   ~0032225

Why are you running grub2-mkconfig in the first place? It's not necessary on CentOS/RHEL as grubby does it all for you.
TrevorH

TrevorH

2018-07-11 14:38

manager   ~0032226

Tested and confirmed. The grub2-mkconfig is removing 'boot=/dev/sda1' (or whatever your /boot device is). That needs to be added to /etc/default/grub prior to running grub2-mkconfig (which still isn't necessary or recommended on CentOS/RHEL). You can recover the installed system by editing the entry at the grub menu at boot time and appending boot=/dev/whatever to the end of the linux16/linuxefi line for the relevant kernel.
kimball2058

kimball2058

2018-07-11 17:42

reporter   ~0032228

Thanks for the test and for the feedback. The steps in the bug report are the result of troubleshooting after a failed load.

Part of the load for the subject machine is to install kmod-nvidia-340xx. This allows better access to the graphics hardware, but doesn't play nice with plymouth, and the resulting boot-up screens are just plain ugly. I generally replace "rhgb" with "vga=845" in /etc/default/grub to clean up the boot screens. In this case, when combined with the security profile, it broke the load.

You are correct, adding "boot=/dev/sda1" to /etc/default/grub (after the initial entry at the grub menu) allows the machine to boot normally. Many thanks once again!
TrevorH

TrevorH

2018-07-11 17:53

manager   ~0032229

FYI, the CentOS supplied kernel packages contain a postscript that runs `new-kernel-pkg` which in turn invokes grubby to add the new kernel entry to grub2. The way that works is it takes the current entry and copies it and amends it for the new kernel version. It copies any parameters from the current kernel entry. This means that you can edit this file, make your change there and grubby will then propagate that to subsequent kernel installs. For belt and braces, you can also (and probably should) amend /etc/default/grub to contain the same changes but nothing in CentOS will ever run grub2-mkconfig unless an admin does.
kimball2058

kimball2058

2018-07-11 20:32

reporter   ~0032230

Great info, good to know. I didn't see anywhere in new-kernel-pkg to add the vga= or boot= parameters. However, I did test a kernel update + other updates via yum after having run grub2-mkconfig with the new parameters added to /etc/default/grub. All updates were successful.

My test vm and production machine are both back in service. Thanks again for the assist.

Issue History

Date Modified Username Field Change
2018-07-11 12:04 kimball2058 New Issue
2018-07-11 12:04 kimball2058 File Added: snapshot1.png
2018-07-11 12:04 kimball2058 File Added: snapshot2.png
2018-07-11 14:14 TrevorH Note Added: 0032225
2018-07-11 14:38 TrevorH Note Added: 0032226
2018-07-11 17:42 kimball2058 Note Added: 0032228
2018-07-11 17:53 TrevorH Note Added: 0032229
2018-07-11 20:32 kimball2058 Note Added: 0032230