Machine fails to boot if MAAS server is not available

Many thanks to Francisco Hernandez for fact checking the repro steps and replicating the issue!

Hi Michael,

I've been able to reproduce this with a NUC, but I've not been able to reproduce this with a Server.

I'll keep it as incomplete for the time being, but this might as well be an issue with UEFI not falling back to booting from disk.

Ok, so I confirm that this is definitely a bug. Since MAAS doesn't write UEFI config onto the fs, I believe this is a curtin issue. What I've done to reproduce is to install 3 different machines:

A. Machine on legacy boot mode
B. Machine on EFI mode (NUC)
C. Machine on EFI mode (Server)

I then did;

1. killed MAAS completely.
2. rebooted (A), the machine booted into the OS just fine.
3. rebooted (B), the machine didn't boot into the OS.
4. rebooted (C), the machine didn't boot into the OS.

Thanks for the prompt action Andres!

After a bit more debugging, here is the root cause:

Despite the fact that this is a UEFI system, we do not install a signed linux kernel.
Seems that some EFI implementations are more pedantic than others, thus it affects Intel NUCs but not other systems.

Indeed, going through the repro steps:

1. Install on the node (Intel NUC) Ubuntu 16.04 (default flat disk layout, default network config)
2. SSH into the deployed node.
3. (this is the workaround)
sudo apt-get install linux-signed-generic
sudo dpkg-reconfigure grub-efi-amd64-signed
4. On the MAAS server, terminate all MAAS services.
5. On the deployed node, do a reboot.

Observed behavior: the machine properly boots from its disk, as expected.

From my side I am happy with the workaround for the time being, but it would be great if the fix could land with 2.2.0rc2

Is there any way curtin would know that it needed the signed version vs. not? Ie, if we default to installing the signed, is that going to break someone else?

On the systems that required secureboot, can someone run:

My local, older i5 NUC does not have it enabled; I'm curious to see
if those machines that fail to boot without MAAS and require the
signed package report if they're SecureBoot enabled or not.

(lambic) ~ % sudo bootctl status
Using EFI System Parition at /boot/efi.
System:
     Firmware: n/a (n/a)
  Secure Boot: disabled
   Setup Mode: setup

Loader:
      Product: n/a
    Partition: n/a
         File: └─n/a

Boot Loader Binaries:
          ESP: /dev/disk/by-partuuid/5f811d5e-73fe-44a0-a57c-6f8eaa91743e
systemd-boot not installed in ESP.
No default/fallback boot loader installed in ESP.

Boot Loader Entries in EFI Variables:
        Title: ubuntu
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/5f811d5e-73fe-44a0-a57c-6f8eaa91743e
         File: └─/EFI/ubuntu/shimx64.efi

I'm somewhat confused on how a system which requires SecureBoot could PXE boot to maas and then fallback to localdisk.

@Ryan

Here is the config from my system:

https://imagebin.ca/v/3II8ELx9oJsE
https://imagebin.ca/v/3II8W9Kd2Leh
https://imagebin.ca/v/3II9B3AOdE3L

Thanks for confirming that Secure Boot is not enabled.
I don't understand then why installing signed packages is required...
SecureBoot enabled *surely* requires signed packages but not quite
sure why if it's disabled the BIOS cares; that kinda feels like a BIOS
bug.

On Fri, Apr 7, 2017 at 4:32 PM, Michael Iatrou <email address hidden>
wrote:

> @Ryan
>
> Here is the config from my system:
>
> https://imagebin.ca/v/3II8ELx9oJsE
> https://imagebin.ca/v/3II8W9Kd2Leh
> https://imagebin.ca/v/3II9B3AOdE3L
>
> --
> You received this bug notification because you are subscribed to curtin.
> Matching subscriptions: curtin-bugs-all
> https://bugs.launchpad.net/bugs/1680917
>
> Title:
> Machine fails to boot if MAAS server is not available
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/curtin/+bug/1680917/+subscriptions
>

If the importance is Critical, then can we get the required information?

When should curtin install shim or signed grub? how is curtin to know which
package to install if SecureBoot isnt' enabled?

Questions in Comment 5, 9 are unanswered at this point, we don't have enough
information to make forward progress.

This bug is believed to be fixed in curtin in 17.1. If this is still a problem for you, please make a comment and set the state back to New

Thank you.