grub: update to grub-2.06-42.amzn2022 #2503
@@ -1,2 +1,3 @@ | |||
#!/bin/sh | |||
docker run --rm amazonlinux:2 sh -c 'yum install -q -y yum-utils && yumdownloader -q --source --urls grub2 | grep ^http' | |||
cmd='dnf install -q -y --releasever=latest yum-utils && yumdownloader -q --releasever=latest --source --urls grub2' |
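Review bot: the new `cmd=` line passes `--releasever=latest` to both `dnf` and `yumdownloader` without saying why, and the `| grep ^http` filter from the removed line is no longer part of the command string. A one-line comment above `cmd=` explaining what `--releasever=latest` is for, plus keeping the `^http` filter wherever `cmd` is executed, would make the script's output contract (source RPM URLs only) explicit.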
Will this make sure that the latest RPM repo will be used?
I assume you're referring to Amazon Linux 2022's version locking? If so, yes, this will always pull the latest RPM due to --releasever=latest. I happened to still have an old container image around, so can provide some evidence as well. :-)
bash-5.1# yumdownloader -q --source --urls grub2
https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/core/guids/7121068131b337400594464d34e729a039727242067ddefbd6a8545886479c22/SRPMS/../../../../blobstore/aa41fdf9982b65a4c4dad5df5b49ba143b1710d60f82688221966f3c790c6c63/grub2-2.06-42.amzn2022.0.1.src.rpm
bash-5.1# yumdownloader -q --releasever=latest --source --urls grub2
https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/core/guids/3639f46a50c6c4978d36ecda0895b164e42fa86ff7fd8dc984898128901b9962/SRPMS/../../../../blobstore/aa41fdf9982b65a4c4dad5df5b49ba143b1710d60f82688221966f3c790c6c63/grub2-2.06-42.amzn2022.0.1.src.rpm
Note that here only the repo GUIDs differ.
packages/grub/grub.spec
|
||
Name: %{_cross_os}grub | ||
Version: 2.06 | ||
Release: 1%{?dist} | ||
Summary: Bootloader with support for Linux and more | ||
License: GPL-3.0-or-later AND Unicode-DFS-2015 | ||
URL: https://www.gnu.org/software/grub/ | ||
Source0: https://cdn.amazonlinux.com/blobstore/21d0df3b06c1c5cc9e5cf3bb559dad713335e782ac3a46b57c5d0097e22c0aec/grub2-2.06-9.amzn2.0.1.src.rpm | ||
Source0: https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/core/guids/3639f46a50c6c4978d36ecda0895b164e42fa86ff7fd8dc984898128901b9962/SRPMS/../../../../blobstore/aa41fdf9982b65a4c4dad5df5b49ba143b1710d60f82688221966f3c790c6c63/grub2-2.06-42.amzn2022.0.1.src.rpm |
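Review bot: the new `Source0` keeps the repository path `core/guids/<guid>/SRPMS/` followed by four `..` segments, so it only points at the `blobstore/` object after dot-segment normalization and carries a GUID that plays no part in locating the file. Pointing `Source0` directly at `/blobstore/<hash>/grub2-2.06-42.amzn2022.0.1.src.rpm` on the same host would be shorter and would keep the line independent of the repo GUID.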
Last time I updated this I was asked to do the test described in this comment, I think we should do that as well for this PR:
Can do, will have to look into running under ESXi though. To better understand this, what's the concern? Has the boot menu broken before? Do we want to ensure a GRUB update doesn't break it to retain the ability to interactively engage with GRUB in a debug build?
I updated the PR description with the testing done for serial console output. The only one left at the moment is ESXi/VMware. I'm working to get this set up and tested.
packages/grub/Cargo.toml
@@ -9,5 +9,5 @@ build = "build.rs" | |||
path = "pkg.rs" | |||
|
|||
[[package.metadata.build-package.external-files]] | |||
url = "https://cdn.amazonlinux.com/blobstore/21d0df3b06c1c5cc9e5cf3bb559dad713335e782ac3a46b57c5d0097e22c0aec/grub2-2.06-9.amzn2.0.1.src.rpm" | |||
sha512 = "f27b4005e789ce1e0e792133f6adfbdbf221245c03b27c25285ff5b81e53065385536971934744f33c52a924022480aa15cd25e8d5ded9f4999c753e8394ae36" | |||
url = "https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/core/guids/3639f46a50c6c4978d36ecda0895b164e42fa86ff7fd8dc984898128901b9962/SRPMS/../../../../blobstore/aa41fdf9982b65a4c4dad5df5b49ba143b1710d60f82688221966f3c790c6c63/grub2-2.06-42.amzn2022.0.1.src.rpm" |
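Review bot: the `url` under `external-files` changes to the 2.06-42.amzn2022 source RPM, but the only `sha512` visible in this hunk is the one that accompanied the old 2.06-9.amzn2 URL. Make sure the new `url` line is followed by a `sha512` computed from the new file, since that digest is what pins the download now that both host and path have changed.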
nit: it might be good to canonicalize this somehow:
url = "https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/core/guids/3639f46a50c6c4978d36ecda0895b164e42fa86ff7fd8dc984898128901b9962/SRPMS/../../../../blobstore/aa41fdf9982b65a4c4dad5df5b49ba143b1710d60f82688221966f3c790c6c63/grub2-2.06-42.amzn2022.0.1.src.rpm" | |
url = "https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/blobstore/aa41fdf9982b65a4c4dad5df5b49ba143b1710d60f82688221966f3c790c6c63/grub2-2.06-42.amzn2022.0.1.src.rpm" |
Before submitting the PR, I was mentally going back and forth on this a bit. In the end I liked latest-srpm-url.sh giving the same output as copied into Cargo.toml for consistency (since clients should remove the dotted components during normalization). I'll send an update for both.
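The normalization this thread refers to is dot-segment removal on the URL path (RFC 3986, section 5.2.4). As an added example that is not part of the pull request or of latest-srpm-url.sh, the hypothetical helper `canonicalize_url` below does it on the URL string itself, without touching the filesystem; unlike RFC 3986 it also drops empty path segments.

```sh
#!/bin/sh
# Added example: URL-aware dot-segment removal. canonicalize_url is a
# hypothetical helper name, not something defined by the project.
# The body is a subshell "( ... )" so IFS, set -f and variables stay local.
canonicalize_url() (
    url=$1
    case $url in
        http://*|https://*) ;;
        *) echo "not an http(s) URL: $url" >&2; exit 1 ;;
    esac
    scheme=${url%%://*}
    rest=${url#*://}
    # Leave any query or fragment untouched; only the path is normalized.
    tail=
    case $rest in
        *[?#]*) head=${rest%%[?#]*}; tail=${rest#"$head"}; rest=$head ;;
    esac
    case $rest in
        */*) authority=${rest%%/*}; path=${rest#*/} ;;
        *)   authority=$rest; path= ;;
    esac
    # A path ending in "/", "/." or "/.." names a directory: keep the slash.
    case /$path in
        */|*/.|*/..) slash=/ ;;
        *) slash= ;;
    esac
    out=
    IFS=/
    set -f                         # no globbing while splitting on "/"
    for seg in $path; do
        case $seg in
            ''|.) ;;               # drop empty and "." segments
            ..) out=${out%/*} ;;   # drop previous segment, never go above root
            *) out=$out/$seg ;;
        esac
    done
    [ -n "$out" ] || slash=/
    printf '%s://%s%s%s%s\n' "$scheme" "$authority" "$out" "$slash" "$tail"
)

# The non-canonical URL from this pull request; prints the /blobstore/ form.
canonicalize_url "https://al2022-repos-us-west-2-9761ab97.s3.dualstack.us-west-2.amazonaws.com/core/guids/3639f46a50c6c4978d36ecda0895b164e42fa86ff7fd8dc984898128901b9962/SRPMS/../../../../blobstore/aa41fdf9982b65a4c4dad5df5b49ba143b1710d60f82688221966f3c790c6c63/grub2-2.06-42.amzn2022.0.1.src.rpm"
```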
Update GRUB to grub-2.06-42.amzn2022. This also switches Bottlerocket's immediate upstream from Amazon Linux 2 to Amazon Linux 2022, which more closely tracks the GRUB project.
Signed-off-by: Markus Boehme <markubo@amazon.com>
3f99c37 to 61517d2
The force push canonicalizes the upstream package URLs and brings a change to
docker run --rm amazonlinux:2022 sh -c "${cmd}" \ | ||
| grep '^http' \ | ||
| xargs --max-args=1 --no-run-if-empty realpath --canonicalize-missing --relative-to=. \ | ||
| sed 's_:/_://_' |
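Review bot: `realpath --canonicalize-missing --relative-to=.` is a filesystem path tool applied to a URL here, which is why the trailing `sed 's_:/_://_'` has to restore the slash that realpath collapsed in `https://`; that deserves a comment in the script. Separately, the pipeline's exit status is that of `sed`, so a failing `docker run` produces empty output and a zero exit; checking that the output is non-empty would catch it.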
Nice! 😀
🧦
I just verified serial console output/responsiveness on VMware as well. Merging now.
Issue number: No dedicated issue, but related to #2501
Description of changes: Update GRUB to grub-2.06-42.amzn2022. This also switches Bottlerocket's immediate upstream from Amazon Linux 2 to Amazon Linux 2022, which more closely tracks the GRUB project.
This picks up the fixes for the CVEs dubbed BootHole 3. These are relevant for eventually supporting Secure Boot (#2501).
Testing done: I used the metal-dev variant to test the following aspects and scenarios:
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.