Open JedMeister opened 3 years ago
@JedMeister status on this bug?
@OnGle - this is still an issue...
The essence is that unless the user installs from ISO, the grub install location is not configured. When grub updates occur, grub does not know where to install to, which will cause the error. The workaround is fairly straightforward; pre-seed the grub install location.
E.g. on an AWS EC2 instance:
debconf-set-selections <<< "grub-pc grub-pc/install_devices multiselect /dev/xvda"
Or for an OVA/VMDK VM:
debconf-set-selections <<< "grub-pc grub-pc/install_devices multiselect /dev/sda"
To fix/close this issue, this needs to be done within buildtasks.
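The pre-seed workaround from the comment above, generalized as an added example (not part of the thread and not buildtasks code): instead of hard-coding `/dev/xvda` or `/dev/sda`, it finds the whole disk behind `/`, including stacked layouts such as LVM, and builds the same `debconf-set-selections` line. The function names are hypothetical, `findmnt` and `lsblk` from util-linux are assumed to be installed, and the dry-run input is constructed.

```shell
#!/bin/sh
# Added example, not from the issue thread. Function names are hypothetical.
# Derives the grub-pc install device from the disk behind "/" and preseeds it.

# Keep only whole disks from `lsblk -s -l -n -o NAME,TYPE <dev>` output (stdin).
disks_from_lsblk() {
    awk '$2 == "disk" { print "/dev/" $1 }' | sort -u
}

# Build the debconf selection line; multiselect values are joined with ", ".
preseed_line() {
    devs=$(printf '%s\n' "$@" | paste -sd, - | sed 's/,/, /g')
    printf 'grub-pc grub-pc/install_devices multiselect %s\n' "$devs"
}

# Walk from the root filesystem's source device down to its physical disk(s).
root_disks() {
    src=$(findmnt -n -o SOURCE /) || return 1
    src=$(readlink -f "$src")    # resolve /dev/disk/by-* and /dev/mapper symlinks
    lsblk -s -l -n -o NAME,TYPE "$src" | disks_from_lsblk
}

case "${1:-}" in
    --apply)    # run as root on the affected appliance
        disks=$(root_disks)
        [ -n "$disks" ] || { echo "no disk found behind /" >&2; exit 1; }
        for d in $disks; do
            [ -b "$d" ] || { echo "$d is not a block device" >&2; exit 1; }
        done
        # word splitting of $disks is intended: one argument per disk
        preseed_line $disks | debconf-set-selections
        debconf-show grub-pc | grep install_devices   # confirm the stored value
        ;;
    *)          # dry run on constructed lsblk output (root on LVM over sda2)
        sample='turnkey-root lvm
sda2 part
sda disk'
        preseed_line $(printf '%s\n' "$sample" | disks_from_lsblk)
        ;;
esac
```

Run without arguments it only prints the line built from the constructed sample; `--apply` writes the selection and then shows what debconf stored.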
It seems like grub installer cannot work with symbolic links.
After applying recommendation from previous comment - it installed with any issue.
Before it was as defined at screenshot below:
Issue:
Automatic security update of `grub-pc` package fails.
Affects:
All AMI (AWS EC2), OVA & VMDK v16.x appliances released to date. ISO & LXC/Proxmox builds are NOT affected.
Severity:
PITA - This issue means that the recent `grub-pc` package update isn't installed (and thus remains vulnerable) on TurnKey v16.x systems. On face value that doesn't sound good. But it's not as bad as it sounds... Of the 7 CVEs patched by the `grub-pc` security update, only CVE-2021-20233 appears to be relevant to TurnKey users. And that one relates to USB... (For full details; please see Debian Security Advisory DSA-4867-1).

I will provide further details about the issue below (scroll down to "What the issue looks like"), but first I'll post what to do:
To resolve - or check if you're ok (simplified)
Log into your server as `root` (or `admin` for AWSMP users). Then manually ensure that there are no broken packages:
(AWSMP users will need to pre-fix `sudo`).
If it responds like this:
Then you are NOT AFFECTED and you can safely ignore the rest of this post.
If you have been hit with this issue, then it will interactively ask you where to install `grub` (the default bootloader). First you should see this screen:

As that text notes, there is no harm in installing it to places it doesn't need to be. But to ensure that this (and any future grub updates) are installed to the correct place it is important that it is installed to where it needs to be.

As part of the build process, we always install grub to the primary (and only) disk image that contains TurnKey Linux. In the case of OVA/VMDK builds that should be `/dev/sda`; in the case of our AMI (AWS EC2 instance) that should be `/dev/xvda`.

The next screen will ask you to select where to install (OVA/VMDK):

Assuming that you haven't added any additional volumes, then you only need to install to `/dev/sda` in OVA/VMDK; or `/dev/xvda` in AMI (AWS EC2). If you have additional permanent volumes in use on your server, then unless you are 100% sure which is which, please don't hesitate to install to all disks. It's important to note, that if you have ANY DOUBT at all, please install it everywhere you can!

To select the relevant places to install grub, please use the arrow keys to move up & down the list, space to select/deselect the individual options and tab to move between the list and the "Ok". Here is what OVA users might expect after selecting `/dev/sda`:

Once you click Ok, it will go about installing grub to the relevant place. Please note that any of the following warnings/errors can safely be ignored:
File descriptor 3 (pipe:[xxxxxxx]) leaked on vgs invocation. Parent PID xxxxx: grub-install
grub-install: error: unable to identify a filesystem in hostdisk//dev/sda; safety check can't be performed. (or `hostdisk//dev/xvda` for AWS users).
grub-install: warning: File system 'ext2' doesn't support embedding.
grub-install: warning: Embedding is not possible. GRUB can only be installed in this setup by using blocklists. However, blocklists are UNRELIABLE and their use is discouraged.
grub-install: error: diskfilter writes are not supported.
What the issue looks like
It can be confirmed to exist if either you have been getting emails that look like this:
Or perhaps if you're not getting the emails, when you log in via SSH, you will see a message at the bottom of the MOTD (message of the day - the message you see when you first log in) saying `You have mail`. If you check your mail (e.g. for the `root` user: `cat /var/mail/root`) then you will see the above message.

If you didn't get the email, then that's a separate issue. Please get in touch and we can discuss that further...