Since commit on grub2 package: mar. sept. 01 2020 tv <tv> 2.04.0-24.mga8 + Revision: 1620640 - Roll over TFTP block counter to prevent timeouts with data packets (rhbz#1869335) - Add support for "systemctl reboot --boot-loader-menu=xx" (rhbz#1857389) - Add support for setting boot_success / boot_indeterminate grubenv flags Add support for making the user session automatically set the boot_success flag and make offline-updates increment the boot_indeterminate grubenv var. systemd complains about impossibility to mark current boot as successful. Here is journal output nearly 3 or 4 minutes after system boots and user is logged: systemd[2632]: Starting Mark boot as successful... grub2-set-bootflag[3867]: Error setuid(0) failed: Operation not permitted systemd[2632]: grub-boot-success.service: Main process exited, code=exited, status=1/FAILURE systemd[2632]: grub-boot-success.service: Failed with result 'exit-code'. systemd[2632]: Failed to start Mark boot as successful. Look at systemd's PID: 2632, not PID 1. Why is it systemd user session which deal this? Assigning to all packagers and latest commiters for forensic.
The bug title "Success" was crytpic. Hope my change is correct, please refine it if not.
CC: (none) => lewyssmithSummary: Success => systemd/grub2: "Failed to start Mark boot as successful" since latest grub2 updates 1 Sep '20
(In reply to Lewis Smith from comment #1) > The bug title "Success" was crytpic. Hope my change is correct, please > refine it if not. Yeah you're right. My fault, I pushed too early + did phone call...
Confirmed. As per https://github.com/rhboot/grub2/commit/9a1d81c028d88c548181521619f954bc97714d88 It's supposed to be run by the systemd-user, 2 minutes after login, using pkexec. /usr/lib/systemd/user/grub-boot-success.service has ... ExecStart=/usr/sbin/grub2-set-bootflag boot_success It's supposed to have ... ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success No idea what purpose the flag sets, but if it is included, it should be done in a way that works. Regarding the subject, It caught my attention to get me to look at it. :-)
CC: (none) => davidwhodgins
It appears to be a Fedora feature to support hiding the boot menu. No idea why we would want that.
Thanks Dave for the advice, and the reference, which starts: "This commit adds a new grub-set-bootflag utility, which can be used to set known bootflags in the grubenv: boot_success or menu_show_once. grub-set-bootflag is different from grub-editenv in 2 ways: 1) It is intended to be executed by regular users through pkexec, so running as root if the polkit policy allows this. As such it is written to not use any existing grubenv related code for easy auditing. 2) Since it can be executed by regular users it only allows setting (assigning a value of 1 to) bootflags which it knows about. Currently those are just boot_success and menu_show_once." -------------- As it is Grub2, changing the bug assignment to tv, who did the commit for this new feature not long ago.
Assignee: pkg-bugs => thierry.vignaudCC: lewyssmith, thierry.vignaud => (none)
Hi, This is High priority bug for a good reason. Making Mageia even better than ever is best direction. In order to do right thing, this bug should be examined and fixed as soon as possible. Packagers, please make the status to Assigned when you are working on this. Feel free to reassign the bug if bad-triaged. Also, if bug is old, please close it. On October 1st 2020, we will drop priority to normal.
Updating SRPM. This is still valid as of Beta 2: 'journalctl -b | grep boot systemd[2233]: Starting Mark boot as successful... grub2-set-bootflag[3593]: Error setuid(0) failed: Operation not permitted systemd[2233]: grub-boot-success.service: Main process exited, code=exited, status=1/FAILURE systemd[2233]: grub-boot-success.service: Failed with result 'exit-code'. systemd[2233]: Failed to start Mark boot as successful. Seems the partial fix here: (In reply to Dave Hodgins from comment #3) > Confirmed. As per > https://github.com/rhboot/grub2/commit/ > 9a1d81c028d88c548181521619f954bc97714d88 > It's supposed to be run by the systemd-user, 2 minutes after login, using > pkexec. > > /usr/lib/systemd/user/grub-boot-success.service has ... > ExecStart=/usr/sbin/grub2-set-bootflag boot_success > > It's supposed to have ... > ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success > > No idea what purpose the flag sets, but if it is included, it should be done > in a way that works. Regarding the subject, It caught my attention to get me > to look at it. :-) Correcting as Dave mentioned in /usr/lib/systemd/user/grub-boot-success.service to s/ExecStart=/usr/sbin/grub2-set-bootflag boot_success/ExecStart=/usr/bin/pkexec /usr/sbin/grub2-set-bootflag boot_success resulting subsequent reboot: systemd[2240]: Starting Mark boot as successful... polkitd[1147]: Operator of unix-session:c2 successfully authenticated as unix-user:aurelien to gain ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2240:2719 [/usr/lib/systemd/systemd --user] (owned by unix-user:aurelien) pkexec[3187]: pam_unix(polkit-1:session): session opened for user root by (uid=1000) pkexec[3187]: aurelien: Executing command [USER=root] [TTY=unknown] [CWD=/home/aurelien] [COMMAND=/usr/sbin/grub2-set-bootflag boot_success] systemd[2240]: grub-boot-success.service: Succeeded. systemd[2240]: Finished Mark boot as successful. BUT this requires password input from user, which is not the desired case. Upstream as added a polkit rule that is not implemented on our side. So this should be resolved. Fixing it or dropping it.
Source RPM: grub2-2.04.0-24.mga8.src.rpm => grub2-2.04.0-25.mga8.src.rpmKeywords: Triaged => (none)
Note that adding this XML file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> <policyconfig> <vendor>GNU GRUB</vendor> <vendor_url>https://www.gnu.org/software/grub/</vendor_url> <action id="org.gnu.grub.set-bootflag"> <!-- SECURITY: - A normal active user on the local machine does not need permission to set bootflags to show the menu / mark current boot successful. --> <description>Set GRUB bootflags</description> <message>Authentication is required to modify the bootloaders bootflags</message> <defaults> <allow_any>no</allow_any> <allow_inactive>no</allow_inactive> <allow_active>yes</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/sbin/grub2-set-bootflag</annotate> </action> </policyconfig> to /usr/share/polkit-1/actions/org.gnu.grub.policy solves the asking for user password.
@Thierry, unless you have a reason for wanting this feature, I propose to remove it, as I can't see it serves any useful purpose as it stands.
Yeah, please nuke it atleast for Mageia 8
Reverted in grub2-2.04.0-26.
Assignee: thierry.vignaud => mageiaResolution: (none) => FIXEDStatus: NEW => RESOLVED