install: Add a bootloader none install option#1997
install: Add a bootloader none install option#1997martinezjavier wants to merge 3 commits intobootc-dev:mainfrom
Conversation
github-actions
bot
added
area/install
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a --no-bootloader flag to skip bootloader management during installation, which is a valuable feature for custom environments. However, the current implementation has significant security implications and logic errors. In the ostree installation path, using this flag unintentionally skips all post-deployment operations, including the installation of logically bound images which may contain critical security components, potentially leaving the system in an insecure or incomplete state. Furthermore, in the composefs installation path, the --no-bootloader flag is completely ignored, leading to unexpected bootloader installation. These issues need to be addressed to ensure the flag behaves as expected and doesn't leave the system in an insecure or inconsistent state. My review includes detailed comments on how to resolve these problems.
martinezjavier
force-pushed
the
add-no-bootloader-opt
branch
5 times, most recently
from
1d743c2 to
ea65bef
Compare
Implicitly assuming the installation target will manage its own bootloader is a bit risky. The lack of an EFI partition could be the result of a mistake which would result in an installation that is not bootable. So I think it'd be best to keep this as an explicit option. |
|
We already detect if bootupd is missing and assume systemd-boot (except for s390x). Arguably, we could extend that and just allow bootupd to be missing, and assume that bootloader state is handled after installation. But I dunno...
Also coreos/bootupd#766 is related here in that I think there's an argument that bootupd should gain support for other things. Anyways just for my understanding, we still relying on the ostree aboot backend (which isn't implemented for composefs), correct? To combine these two things, how about instead of |
IMHO bootupd should be able to support more things, like rpi firmware, etc. And, it should be made to handle the aboot case "cleanly". I.e. not fall over itself if there is no EFI in the system at all. However, in the short term I think it makes sense to just drop bootupd in the "pure aboot" case, as it has no current value, and the full solution is more long term.
Yes. However, note that there are two ways we can use the ostree aboot backend. Either with a "pure" android boot firmware, in which case there will be no EFI partition at all, or with ukiboot, which is an EFI implementation of aboot. In the ukiboot case we do have an EFI partition, and we will need bootupd to properly install and update ukiboot.efi.
So, this would be fine in the "pure aboot" case, but would not work with ukiboot. So the "detect the presence" case here need to be careful about this. |
That is fair. And what about using whether Yes, it could be a mistake and |
Not a huge deal but I prefer to limit the chances a user could end up with a non-bootable system that is difficult to troubleshoot, which could be the case if we just print a message that will likely be ignored. Ideally we would explicitly handle each bootloader we intend to support. |
Can't we detect ukiboot too? BTW one big picture thing here is that we must support configuring things via files in the container image (also supporting CLI args is fine too), but I think the former should be generally preferred. Previous relevant changes: etc. |
We could but IMO explicit is better than trying to come up with heuristics and make assumptions about this.
I see. Thanks a lot for the references! Any suggestions on how the file config option should be named? There's already a |
I think we could reasonably make the detection not feel heuristic though...but it would need some bikeshedding.
Well...at this point this has a very high overlap with the ostree "bootloader" backend right? I guess we could extend our |
Yes, there' s a lot of overlap here. Can bootc just query the ostree configuration?
We could. As mentioned currently that |
|
Please, lets not tie bootc to the ostree configure more than necessarily. Long term we want a composefs backend that doesn't use ostree. What I would like is that bootupd just had a "raw" backend for EFI, which didn't do any special grub or shim related special stuff, just copied things to the ESP, and didn't fall over in the case where there isn't an ESP, or any EFI files (like in aboot). Then we could have on top of that an extra option to enable "grub" related changes, but ideally these two should be different "setting" (with maybe some heuristics to pick which one. aboot and ukiboot doesn't need anything else, so I much like to avoid anything saying bootloader=ukiboot or suchlike. However, I think such fixes to bootupd is a bit more long term, and right now I think the easiest solution would be if we can set something in a file in /usr/lib/bootc/install/ to trigger using something like crate::spec::Bootloader::None. Then we can just set that in our aboot images. |
martinezjavier
force-pushed
the
add-no-bootloader-opt
branch
from
ea65bef to
42221cd
Compare
martinezjavier
changed the title
This command line argument can be also be used by the ostree backend. For example, when using Android Boot Images (aboot) there is a need to avoid calling to bootupd since all the boot setup is managed outside of bootc. A future change will add a bootloader=none option to force this behavior. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
martinezjavier
force-pushed
the
add-no-bootloader-opt
branch
from
42221cd to
e96fdba
Compare
ckyrouac
left a comment
ckyrouac
left a comment
There was a problem hiding this comment.
Looks generally good, thanks! Just a few things:
- could you update the
bootloaders.mddocs with a section explainingnoneand why it would be used? - I'd feel more confident if there were some TMT tests for this, especially to validate things like
bootc upgrade/switch/rollback/statuson a booted system. Although I'm not totally sure how we could install with no bootloader in a TMT test so I guess it's OK for now if you have manually validated those still work? - We should disallow
--generic-imagewith--bootloader=none - We can disallow
--bootloader=nonefor s390x, similar to composefs
martinezjavier
force-pushed
the
add-no-bootloader-opt
branch
from
e96fdba to
b69263a
Compare
Thanks for your review and feedback!
Done.
I've manually tested boot install using automotive-image-builder with the changes in this PR. I've not tested the upgrade/switch/rollback paths on a booted system, I'll try that now and let you know.
Done these too. |
Actually, we are hitting the |
Currently, the bootc install workflow assumes that the bootloader must be managed by bootupd. This works well for server and edge environments, but it is too inflexible for embedded or custom platforms where the bootloader is managed externally (e.g., aboot for automotive use cases). In these scenarios, users want to install the filesystem content (OSTree commit, kernel, initramfs, etc), without bootc assuming that a boot or ESP partition exists that have to be setup or udpated by bootupd. By adding a --bootloader=none option users can have explicit control over how the boot loading is handled, without bootc or bootupd intervention. Note that so far only support for the ostree backend has been added and the bootloader=none option is not supported by the composefs backend. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
There is already a --bootloader command line argument. Make it this to also be available as an install file configuration option. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
martinezjavier
force-pushed
the
add-no-bootloader-opt
branch
from
b69263a to
5f9cdd8
Compare
Ah, yea I guess there's no avoiding that without adding another option like |
I'm fine merging this and fixing any bugs related to ^ in a follow up. |
Perfect, thanks! I've tested |
Ok, is the existing documentation in |
It can be added in a followup. I think just noting in the |
4 participants
Currently, the bootc install workflow assumes that the bootloader must be
managed by bootupd. This works well for server and edge environments, but
it is too inflexible for embedded or custom platforms where the bootloader
is managed externally (e.g., aboot for automotive use cases).
In these scenarios, users want to install the filesystem content (OSTree
commit, kernel, initramfs, etc), without bootc assuming that a boot or ESP
partition exists that have to be setup or udpated by bootupd.
By adding a --bootloader=none option users can have explicit control over
how the boot loading is handled, without bootc or bootupd intervention.
Note that so far only support for the ostree backend has been added and
the bootloader=none option is not supported by the composefs backend.