Nova is looking for OVMF file no longer provided by CentOS 7.6

Bug #1825386 reported by Chris Friesen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Undecided | Kashyap Chamarthy |
OpenStack-Ansible | Fix Released | Undecided | Mohammed Naser |

Bug Description

In nova/virt/libvirt/driver.py the code looks for a hardcoded path "/usr/share/OVMF/OVMF_CODE.fd".

It appears that CentOS 7.6 has modified the OVMF-20180508-3 rpm to no longer contain this file. Instead it now seems to be named /usr/share/OVMF/OVMF_CODE.secboot.fd.

This will break the ability to boot guests using UEFI.

Tags: compute
Revision history for this message
Kashyap Chamarthy (kashyapc) wrote :

Yes, that's a known problem, because Nova hard-codes the OVMF binary file path:

    DEFAULT_UEFI_LOADER_PATH = {
        "x86_64": "/usr/share/OVMF/OVMF_CODE.fd",
        "aarch64": "/usr/share/AAVMF/AAVMF_CODE.fd"
    }

Simple (but ugly) workaround
----------------------------

You can do this on your CentOS host:

    ln -sf /usr/share/OVMF/OVMF_CODE.secboot.fd /usr/share/OVMF/OVMF_CODE.fd

More robust fix
---------------

This whole firmware binary selection will be addressed as part of a larger effort to support Secure Boot for KVM/QEMU guests:

    https://review.openstack.org/#/c/506720
    Add "Secure Boot support for KVM & QEMU guests" spec

Where Nova will use libvirt's (release 5.2 or 5.3) firmware auto-selection features, and all this hard-coding will go away. More of it is discussed in the above-mentioned spec.

summary: - nova is looking for OVMF file no longer provided by latest CentOS
+ nova is looking for OVMF file no longer provided by CentOS 7.6
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/662552

Changed in openstack-ansible:
assignee: nobody → Mohammed Naser (mnaser)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_nova (master)

Reviewed: https://review.opendev.org/662552
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_nova/commit/?id=739647dffaee468122fa3984ab907c07cb6b9c16
Submitter: Zuul
Branch: master

commit 739647dffaee468122fa3984ab907c07cb6b9c16
Author: Mohammed Naser <email address hidden>
Date: Fri May 31 15:30:15 2019 -0400

    kvm: add support for booting uefi instances

    In order to boot UEFI instances successfully, the OVMF image
    must be installed and located at the path that is hardcoded
    inside Nova.

    This patch takes care of installing the OVMF images and sets
    up links to point towards the hardcoded path for operating
    systems that don't install at the expected path.

    Change-Id: I62f4aa26ffd0d2f3ba4aa19fbdb72578ef0223e4
    Closes-Bug: #1825386
    Closes-Bug: #1831279

Changed in openstack-ansible:
status: In Progress → Fix Released
summary: - nova is looking for OVMF file no longer provided by CentOS 7.6
+ Nova is looking for OVMF file no longer provided by CentOS 7.6
Changed in nova:
assignee: nobody → Kashyap Chamarthy (kashyapc)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/348394
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=363710b655434a15b6b85d9ca65343210b104e56
Submitter: Zuul
Branch: master

commit 363710b655434a15b6b85d9ca65343210b104e56
Author: Dirk Mueller <email address hidden>
Date: Thu Jul 28 16:39:19 2016 +0200

    libvirt: Handle alternative UEFI firmware binary paths

    The OVMF binary paths differ based on the Linux distribution:

      - Debian and Ubuntu:
         - /usr/share/OVMF/OVMF_CODE.fd
      - Fedora:
         - /usr/share/edk2/ovmf/OVMF_CODE.fd
           (`symlink`s to /usr/share/OVMF/OVMF_CODE.fd)
         - /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd (`symlink`s to
           /usr/share/OVMF/OVMF_CODE.secboot.fd)
      - CentOS and RHEL:
         - /usr/share/OVMF/OVMF_CODE.secboot.fd
      - SUSE:
         - /usr/share/qemu/ovmf-x86_64-opensuse-code.bin

    Currently, Nova only checks for one location OVMF_CODE.fd. Let's also
    check for the other two common distributions, SUSE and CentOS OVMF
    binary paths. This is a short-term solution to fix two bugs.

    In the long run:

      - We will get rid of the "DEFAULT_UEFI_LOADER_PATH", which is used to
        probe for firmware file paths. Instead, we'll use the more robust
        approach of the recently introduced[1] get_domain_capabilities()[1]
        to query for the firmware binary paths (as reported in the 'loader'
        attribute).

      - Use libvirt's (>=5.3) firmware auto-selection feature. Which is a
        more robust way to decide UEFI boot (secure or otherwise). More
        details of it in the spec here[2].

    [1] https://opendev.org/openstack/nova/commit/297f3ba687 -- Add
        infrastructure for invoking libvirt's getDomainCapabilities API
    [2] http://specs.openstack.org/openstack/nova-specs/specs/train/approved/allow-secure-boot-for-qemu-kvm-guests.html

    Co-Authored-By: Kashyap Chamarthy <email address hidden>
    Closes-Bug: 1607400
    Closes-Bug: 1825386
    blueprint: allow-secure-boot-for-qemu-kvm-guests
    Signed-off-by: Kashyap Chamarthy <email address hidden>
    Change-Id: I28afdb09d300be39981606d5234fd837ea738e1d

Changed in nova:
status: In Progress → Fix Released
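
The two approaches named in the commit message above (probing a list of candidate paths, and reading the firmware paths libvirt reports in the 'loader' element of its domain capabilities), as an added example that is not Nova's code. The function names, the temp-directory tree and the XML sample are constructed for illustration; the candidate paths are the ones listed in the commit message.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# x86_64 candidates taken from the commit message above.
X86_64_CANDIDATES = [
    "/usr/share/OVMF/OVMF_CODE.fd",
    "/usr/share/OVMF/OVMF_CODE.secboot.fd",
    "/usr/share/qemu/ovmf-x86_64-opensuse-code.bin",
]

# Constructed, trimmed sample of libvirt domain capabilities XML.
SAMPLE_DOMCAPS = """\
<domainCapabilities>
  <os supported='yes'>
    <loader supported='yes'>
      <value>/usr/share/OVMF/OVMF_CODE.secboot.fd</value>
      <enum name='type'><value>rom</value><value>pflash</value></enum>
    </loader>
  </os>
</domainCapabilities>
"""

def loaders_from_domcaps(xml_text):
    """Return the firmware paths reported under <os><loader>."""
    loader = ET.fromstring(xml_text).find("./os/loader")
    if loader is None or loader.get("supported") != "yes":
        return []
    # Direct <value> children are paths; <enum> values are not.
    return [v.text.strip() for v in loader.findall("value") if v.text]

def pick_loader(candidates, root="/"):
    """First candidate that resolves to a regular file under root,
    as (configured_path, resolved_path); None if none exists."""
    for path in candidates:
        real = os.path.realpath(os.path.join(root, path.lstrip("/")))
        if os.path.isfile(real):
            return path, real
    return None

def demo(with_symlink):
    """Probe a constructed CentOS 7.6-like tree in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "usr/share/OVMF")
        os.makedirs(d)
        open(os.path.join(d, "OVMF_CODE.secboot.fd"), "wb").close()
        if with_symlink:  # stands in for the thread's "ln -sf" workaround
            os.symlink("OVMF_CODE.secboot.fd", os.path.join(d, "OVMF_CODE.fd"))
        path, real = pick_loader(X86_64_CANDIDATES, root)
        return path, os.path.basename(real)
```

With the symlink in place the configured path is still OVMF_CODE.fd, but the file actually loaded is the Secure Boot build, which is why the resolved path is worth logging alongside the configured one.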
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 20.0.0.0rc1

This issue was fixed in the openstack/nova 20.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova train-eol

This issue was fixed in the openstack/openstack-ansible-os_nova train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova ussuri-eol

This issue was fixed in the openstack/openstack-ansible-os_nova ussuri-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova yoga-eom

This issue was fixed in the openstack/openstack-ansible-os_nova yoga-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova victoria-eom

This issue was fixed in the openstack/openstack-ansible-os_nova victoria-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova wallaby-eom

This issue was fixed in the openstack/openstack-ansible-os_nova wallaby-eom release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_nova xena-eom

This issue was fixed in the openstack/openstack-ansible-os_nova xena-eom release.
