[pve-devel] [PATCH 0/3] adapt to systemd-boot hooks in bookworm

[pve-devel] [PATCH 0/3] adapt to systemd-boot hooks in bookworm

[Stoiko Ivanov]

This patchset addresses the change of shipping systemd-boot as separate
binary packge introduced with Debian Bookworm.

The patches are mostly cosmetic in nature - since they silence warnings,
which look scary, but don't hurt functionality.

The second patch should help users who upgrade from 7.X -> 8, as they
won't have systemd-boot installed automatically - so for them initializing
new ESPs will not work.

Adding systemd-boot as Recommends to proxmox-kernel-helper should also
only help in case someone setup their system on plain Debian, with the
plan of incorporating proxmox-boot-tool into it later (by partitioning
accordingly)

While I tested the patches - some review and consideration, especially
about potential pitfalls regarding the in place editing of the
hook-scripts would be very much appreciated!

Stoiko Ivanov (3):
  boot-tool: disarm upstream systemd-boot hookscripts
  proxmox-boot: warn on missing systemd-boot package
  d/control: add Recommends on systemd-boot

 debian/control                   |  1 +
 src/bin/proxmox-boot-tool        |  6 ++++++
 src/proxmox-boot/zz-proxmox-boot | 23 +++++++++++++++++++++++
 3 files changed, 30 insertions(+)

-- 
2.30.2

[pve-devel] [PATCH 1/3] boot-tool: disarm upstream systemd-boot hookscripts

[Stoiko Ivanov]

With Debian Bookworm systemd-boot is a separate binary-package,
instead of part of the main systemd package.
Since it's not installed by default, Debian-upstream has added
hook-scripts to the package, which manage kernel copying to the esp
(kernel-install).

The hookscripts print a warning if the ESP is not mounted at
$SYSTEMD_ESP_PATH or /boot/efi, /efi or /boot - through `bootctl
is-installed --quiet` [0,1].

This patch adds a function, which disables the hookscripts from
upstream if /etc/kernel/proxmox-boot-uuids is present.
It adds an explanation as marker and 'exit 0' on top of the script, so
that users know why the scripts were touched (e.g. when a new
systemd-boot hookscript version from upstream asks what to do with the
local modifications)

While editing shell-script hooks from other packages is quite brittle
it still seems like the best option, to support most use-cases
(including users, who don't use proxmox-boot-tool, but want to
manually install systemd-boot).
Alternatives considered:
* dpkg-divert for all hookscripts - sadly the Debian policy manual
  warns against this
* adding Replaces: systemd-boot to d/control - afaict this would need
  systemd-boot to also declare this for proxmox-kernel-helper [3]

Tested on 2 VMs installed with the 8.0 ISO (once with legacy once with
uefi boot)

[0]
https://github.com/systemd/systemd/blob/8a38b62f37189b071a30f208530ce5dc278e521e/src/shared/find-esp.c#L503
[1]
https://github.com/systemd/systemd/blob/8a38b62f37189b071a30f208530ce5dc278e521e/src/boot/bootctl.c#L90
[2] https://www.debian.org/doc/debian-policy/ap-pkg-diversions.html
[3] https://www.debian.org/doc/debian-policy/ch-relationships.html

Reported-by: Aaron Lauterer <a.lauterer@proxmox.com>
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/proxmox-boot/zz-proxmox-boot | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/src/proxmox-boot/zz-proxmox-boot b/src/proxmox-boot/zz-proxmox-boot
index c6c708c..c72f9ef 100755
--- a/src/proxmox-boot/zz-proxmox-boot
+++ b/src/proxmox-boot/zz-proxmox-boot
@@ -191,6 +191,27 @@ remove_old_kernels_legacy() {
 
 }
 
+disable_systemd_boot_hook() {
+
+	if [ ! -f "${ESP_LIST}" ]; then
+		return
+	fi
+
+	marker="# This hookfile has been disabled by proxmox-boot-tool"
+	for hookfile in \
+		"/etc/initramfs/post-update.d/systemd-boot" \
+		"/etc/kernel/postinst.d/zz-systemd-boot" \
+		"/etc/kernel/postrm.d/zz-systemd-boot" ; \
+	do
+		grep -q "$marker" "$hookfile" && continue
+		warn "	Disabling upstream hook $hookfile"
+		printf "#!/bin/sh\n\n%s\nexit 0\n" "$marker" > "$hookfile.pbt.tmp"
+		cat "$hookfile" >> "$hookfile.pbt.tmp"
+		mv "$hookfile.pbt.tmp" "$hookfile"
+	done
+
+}
+
 set -- $DEB_MAINT_PARAMS
 mode="${1#\'}"
 mode="${mode%\'}"
@@ -203,12 +224,14 @@ case $0:$mode in
 		reexec_in_mountns "$@"
 		BOOT_KVERS="$(boot_kernel_list "$@")"
 		update_esps
+		disable_systemd_boot_hook
 	;;
 	 */postrm.d/*:|*/postrm.d/*:remove)
 		reexec_in_mountns "$@"
 		# no newly installed kernel
 		BOOT_KVERS="$(boot_kernel_list)"
 		update_esps
+		disable_systemd_boot_hook
 	;;
 esac
 
-- 
2.30.2

[pve-devel] [PATCH 2/3] proxmox-boot: warn on missing systemd-boot package

[Stoiko Ivanov]

With the shipping of systemd-boot as separate package, we cannot rely
on `bootctl` being present in all systems (e.g. currently all systems
upgraded from PVE 7 will not automatically pull systemd-boot in.

This patch adds a check for existence + warning with an explanation to
the only invocation of bootctl in the boot-tool codebase

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/bin/proxmox-boot-tool | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bin/proxmox-boot-tool b/src/bin/proxmox-boot-tool
index d41f921..913b0f6 100755
--- a/src/bin/proxmox-boot-tool
+++ b/src/bin/proxmox-boot-tool
@@ -153,6 +153,12 @@ init_bootloader() {
 	if [ -d /sys/firmware/efi ]; then
 		echo "Installing systemd-boot.."
 		mkdir -p "$esp_mp/$PMX_ESP_DIR"
+		if ! command -V bootctl >/dev/null 2>&1 ;
+		then
+			warn "E: bootctl is not available - make sure systemd-boot is installed"
+			exit 1
+		fi
+
 		bootctl --graceful --path "$esp_mp" install
 
 		echo "Configuring systemd-boot.."
-- 
2.30.2

[pve-devel] [PATCH 3/3] d/control: add Recommends on systemd-boot

[Stoiko Ivanov]

systemd-boot is a separate binary package, and proxmox-boot-tool needs
it in the uefi-case as boot-loader for the ESPs

Not adding as Depends, because it is not strictly necessary for
proxmox-boot-tool (pinning is independent as is its use on legacy-boot
systems)

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 debian/control | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/control b/debian/control
index 1e2309a..c5f1179 100644
--- a/debian/control
+++ b/debian/control
@@ -10,6 +10,7 @@ Architecture: all
 Section: admin
 Priority: optional
 Depends: dosfstools, gdisk, systemd, udev, ${misc:Depends},
+Recommends: systemd-boot,
 Breaks: proxmox-ve (<< 6.0-2~), pve-kernel-helper,
 Replaces: proxmox-ve (<< 6.0-2~), pve-kernel-helper,
 Provides: pve-kernel-helper,
-- 
2.30.2

[pve-devel] applied: [PATCH 0/3] adapt to systemd-boot hooks in bookworm

[Thomas Lamprecht]

Am 21/06/2023 um 16:32 schrieb Stoiko Ivanov:
> This patchset addresses the change of shipping systemd-boot as separate
> binary packge introduced with Debian Bookworm.
> 
> The patches are mostly cosmetic in nature - since they silence warnings,
> which look scary, but don't hurt functionality.
> 
> The second patch should help users who upgrade from 7.X -> 8, as they
> won't have systemd-boot installed automatically - so for them initializing
> new ESPs will not work.
> 
> Adding systemd-boot as Recommends to proxmox-kernel-helper should also
> only help in case someone setup their system on plain Debian, with the
> plan of incorporating proxmox-boot-tool into it later (by partitioning
> accordingly)
> 
> While I tested the patches - some review and consideration, especially
> about potential pitfalls regarding the in place editing of the
> hook-scripts would be very much appreciated!
> 
> Stoiko Ivanov (3):
>   boot-tool: disarm upstream systemd-boot hookscripts
>   proxmox-boot: warn on missing systemd-boot package
>   d/control: add Recommends on systemd-boot
> 
>  debian/control                   |  1 +
>  src/bin/proxmox-boot-tool        |  6 ++++++
>  src/proxmox-boot/zz-proxmox-boot | 23 +++++++++++++++++++++++
>  3 files changed, 30 insertions(+)
> 


applied, with two changes as talked off-list:

- downgraded systemd-boot from recommends to suggests, as otherwise it can
  get pulled in on a lot of systems

- changed the "grep -q "$marker" "$hookfile" && continue" to a if+then to
  avoid that this fails if the marker ins't found and grep exits with non-zero
  as we got `set -e` at the top.

thanks!