Failing to deploy debian stretch "grub-efi-amd64-signed" and "shim-signed" packages missing

Bug #1802154 reported by Yanos Angelopoulos
This bug affects 2 people
Affects: curtin
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

I'm using MAAS 2.4.2 and I'm trying to deploy debian stretch.

Following these instructions: https://askubuntu.com/questions/882911/how-do-i-use-maas-to-create-a-debian-image

I do the following:

Download a debian cloud image in raw format.

Mount the image

    sudo mkdir /mnt/loop
    sudo mount -o ro,loop,offset=1048576 <nameofdebianimage.raw> /mnt/loop

Convert to a gzipped tarball

    cd /mnt/loop
    sudo tar czvf ~/debian.tgz ./*
    sudo umount /mnt/loop

Upload this to maas

    cd ~
    maas login your.user http://<maasserver>:5240/MAAS 'user:credentials'
    maas your.user boot-resources create name=custom/debian title="debian" architecture=amd64/generic content@=debian.tgz

Edit /etc/maas/preseeds/curtin_userdata_custom and add the following at the top after the comment line and before debconf_selections to override the kernel to install:

    kernel:
      fallback-package: linux-image-amd64
      package: linux-image-amd64

Debian image downloaded from here:
http://cdimage.debian.org/cdimage/openstack/current/

The error I'm getting in the MAAS logs is this:

    Reading package lists...
    Building dependency tree...
    Reading state information...
    E: Unable to locate package grub-efi-amd64-signed
    E: Unable to locate package shim-signed
    Unexpected error while running command.
    Command: ['unshare', '--fork', '--pid', '--', 'chroot', '/tmp/tmptqnpbobk/target', 'apt-get', '--quiet', '--assume-yes', '--option=Dpkg::options::=--force-unsafe-io', '--option=Dpkg::Options::=--force-confold', 'install', 'grub-efi-amd64', 'grub-efi-amd64-signed', 'shim-signed']
    Exit code: 100

So the packages 'grub-efi-amd64', 'grub-efi-amd64-signed' don't exist in debian stretch default mirrors. What would be the best solution?

Thanks in advance.

Scott Moser (smoser) wrote :

Untested suggestion to yan0s in IRC
 http://paste.ubuntu.com/p/VSjZpMvtH6/

Changed in curtin:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Medium

Yanos Angelopoulos (yan0s) wrote :

In MAAS 2.4.2:

In file curtin/commands/curthooks.py

commenting out the following (starting from line 356):

    # UEFI requires grub-efi-{arch}. If a signed version of that package
    # exists then it will be installed.
    if util.is_uefi_bootable():
        arch = util.get_architecture()
        pkgs = ['grub-efi-%s' % arch]

        ## My edit start
        # # Architecture might support a signed UEFI loader
        # uefi_pkg_signed = 'grub-efi-%s-signed' % arch
        # if util.has_pkg_available(uefi_pkg_signed):
        #     pkgs.append(uefi_pkg_signed)
        #
        # # AMD64 has shim-signed for SecureBoot support
        # if arch == "amd64":
        #     pkgs.append("shim-signed")
        ## My edit end

        # Install the UEFI packages needed for the architecture
        util.install_packages(pkgs, target=target)

Deployment is successful on Debian 9, Ubuntu 18.04 and CentOS 7.
But then secure boot is not supported even for distros that do offer support.
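
An added example, not part of the original comment and not curtin's code: one way to keep the signed packages where they exist is to test each one against the target's own apt sources and skip only those that are missing. The chroot-based check, the function names and the sample apt-cache output are assumptions made for illustration.

```python
import subprocess

# Constructed `apt-cache policy` outputs, for illustration only.
SAMPLE_PRESENT = "shim-signed:\n  Installed: (none)\n  Candidate: 1.0+example\n"
SAMPLE_ABSENT = "shim-signed:\n  Installed: (none)\n  Candidate: (none)\n"


def policy_has_candidate(policy_output):
    """True if `apt-cache policy <pkg>` output names an installable version.

    apt prints nothing for an unknown package and "Candidate: (none)" for one
    it knows about but cannot install from the configured sources.
    """
    for line in policy_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Candidate":
            return value.strip() not in ("", "(none)")
    return False


def available_in_target(pkg, target):
    """Query apt inside the target chroot, i.e. the target's own sources."""
    proc = subprocess.run(["chroot", target, "apt-cache", "policy", pkg],
                          stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                          universal_newlines=True, check=False)
    return policy_has_candidate(proc.stdout)


def select_uefi_packages(arch, available):
    """Return (packages to install, signed packages skipped as unavailable)."""
    pkgs = ["grub-efi-%s" % arch]
    wanted = ["grub-efi-%s-signed" % arch]
    if arch == "amd64":          # shim-signed is amd64-only in the quoted code
        wanted.append("shim-signed")
    skipped = []
    for pkg in wanted:
        (pkgs if available(pkg) else skipped).append(pkg)
    return pkgs, skipped


if __name__ == "__main__":
    # Simulate a stretch-like target where neither signed package exists.
    pkgs, skipped = select_uefi_packages("amd64", lambda pkg: False)
    print("install:", pkgs)
    if skipped:
        print("WARNING: signed boot packages not installed:", skipped)
```

In a deployment the predicate would be `lambda p: available_in_target(p, target)`. A non-empty skipped list is worth logging, since the deployed host will lack the signed boot components.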

Yanos Angelopoulos (yan0s) wrote :

An idea would be moving this decision (about which grub packages are needed) from the python code to the preseed file as "early_commands". And maybe create a preseed_examples directory for major distros. What do you think?

Juan Vela (juan.vela) wrote :

I've overcome this problem by forcing curtin to use the stretch and the buster repos. Both packages required for UEFI secure booting are being installed (as they are present in the buster repos), and once the target OS is booted for the first time cloud-init takes control and replaces the sources so the buster repos automagically disappear.

Check the guide I've made for a more detailed process if you want

https://github.com/juan-vg/maas/wiki/Create-a-Debian-9-(Stretch)-image-that-works-with-UEFI-secure-booting
