eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 01 Aug 2020 11:34
by MauriceW
After an update that apparently happened last Thursday, my eFA 4.0.2 appliance on Hyper-V would no longer boot.

This seems to be the cause: https://access.redhat.com/solutions/5272311

After a lot of troubleshooting (downgrading grub2, shim and mokutil) and recreating the grub.cfg file on the EFI partition, I managed to get CentOS 7 booting again.

However, I have two remaining issues:

1. I can only boot by manually choosing the second boot entry in the grub menu (kernel version 3.10.0-1127.13.1.el7). Choosing 3.10.0-1127.18.1.el7 results in a kernel panic about "Unable to mount root fs on unknown-block(0,0)".

Also, when booting with 3.10.0-1127.13.1.el7, I need to add "selinux=0" before booting, otherwise it won't work.

2. Once eFA is up & running, mail processing seems to work fine, messages are forwarded to my Exchange server, but they are no longer stored in quarantine on the eFA appliance.

I'm quite surprised nobody else has reported this yet :)

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 02 Aug 2020 16:34
by zarkon555
I have the same issue.

Trying to get mine to boot again...

-W

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 02 Aug 2020 17:37
by shawniverson
I'm checking my installations. I was afraid this might come down the pipe and affect some folks.

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 02 Aug 2020 17:41
by shawniverson
I would advise everybody to hold off restarting their instances to allow time for the shim fixes to arrive (mine arrived last night, it appears).

Chances are if you are here, you rebooted while the boot shim bug was active.... :?

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 03 Aug 2020 12:50
by MauriceW
I ended up provisioning a new eFA VM and used the "v3 to v4" migration procedure to transfer all my settings to the new machine.

Back up & running now, with the updates for grub2 and shim disabled in yum.conf.

I was not able to fix the selinux issue on the old VM and I also noticed a MySQL-related error from MailScanner in maillog that looked something like this "install_driver(mysql) failed: Can’t load ‘/usr/lib64/perl5/vendor_perl/auto/DBD/mysql/mysql.so’ for module DBD::mysql: libmysqlclient.so.16:" (not the exact error message, since the old VM is shut down now). I believe this error was related to the fact that messages were no longer being stored in quarantine, nor were they visible under Recent Messages.

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 03 Aug 2020 21:05
by tesme33
Hi,
Before reading this post I was doing a yum -update; luckily it didn't do any upgrade/update.
Looking into the linked post from Red Hat, I checked whether I have shim installed, which I don't.
Now I'm asking myself why I don't have it but others do. Was there a change in the installation procedure?
I'm coming from the release candidate version via changing the repositories.

--

[root@efa4 milterin]# rpm -qa shim-\* --qf "%{SOURCERPM}\n" | sort | uniq
[root@efa4 milterin]# uname -a
Linux efa4.stuebiland.de 3.10.0-1127.18.2.el7.x86_64 #1 SMP Sun Jul 26 15:27:06 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@efa4 milterin]# cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)
--

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 04 Aug 2020 06:27
by MauriceW
If I'm not mistaken it only happens if you use UEFI boot and not legacy boot.

I'm running a Generation 2 Hyper-V machine and that will use UEFI boot if the OS supports it (which CentOS 7 does).

Re: eFA 4.0.2 does not boot after grub2/shim security fix

Posted: 24 Aug 2020 10:46
by Sang15512
Good information