Chapter 26. Working with GRUB 2

Red Hat Enterprise Linux 7 is distributed with version 2 of the GNU GRand Unified Bootloader (GRUB 2), which allows the user to select an operating system or kernel to be loaded at system boot time. GRUB 2 also allows the user to pass arguments to the kernel.

26.1. Introduction to GRUB 2

GRUB 2 reads its configuration from the /boot/grub2/grub.cfg file on traditional BIOS-based machines and from the /boot/efi/EFI/redhat/grub.cfg file on UEFI machines. This file contains menu information.

The GRUB 2 configuration file, grub.cfg, is generated during installation, or by invoking the /usr/sbin/grub2-mkconfig utility, and is automatically updated by grubby each time a new kernel is installed. When regenerated manually using grub2-mkconfig, the file is generated according to the template files located in /etc/grub.d/, and custom settings in the /etc/default/grub file. Edits of grub.cfg will be lost any time grub2-mkconfig is used to regenerate the file, so care must be taken to reflect any manual changes in /etc/default/grub as well.

Normal operations on grub.cfg, such as the removal and addition of new kernels, should be done using the grubby tool and, for scripts, using new-kernel-pkg tool. If you use grubby to modify the default kernel the changes will be inherited when new kernels are installed. For more information on grubby, see Section 26.4, “Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool”.

The /etc/default/grub file is used by the grub2-mkconfig tool, which is used by anaconda when creating grub.cfg during the installation process, and can be used in the event of a system failure, for example if the boot loader configurations need to be recreated. In general, it is not recommended to replace the grub.cfg file by manually running grub2-mkconfig except as a last resort. Note that any manual changes to /etc/default/grub require rebuilding the grub.cfg file.

Menu Entries in grub.cfg

Among various code snippets and directives, the grub.cfg configuration file contains one or more menuentry blocks, each representing a single GRUB 2 boot menu entry. These blocks always start with the menuentry keyword followed by a title, list of options, and an opening curly bracket, and end with a closing curly bracket. Anything between the opening and closing bracket should be indented. For example, the following is a sample menuentry block for Red Hat Enterprise Linux 7 with Linux kernel 3.8.0-0.40.el7.x86_64:

menuentry 'Red Hat Enterprise Linux Server' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c60731dc-9046-4000-9182-64bdcce08616' {
    load_video
    set gfxpayload=keep
    insmod gzio
    insmod part_msdos
    insmod xfs
    set root='hd0,msdos1'
    if [ x$feature_platform_search_hint = xy ]; then
     search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1' 19d9e294-65f8-4e37-8e73-d41d6daa6e58
    else
     search --no-floppy --fs-uuid --set=root 19d9e294-65f8-4e37-8e73-d41d6daa6e58
    fi
    echo  'Loading Linux 3.8.0-0.40.el7.x86_64 ...'
    linux16  /vmlinuz-3.8.0-0.40.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb quiet
    echo  'Loading initial ramdisk ...'
    initrd /initramfs-3.8.0-0.40.el7.x86_64.img
}

Each menuentry block that represents an installed Linux kernel contains linux on 64-bit IBM POWER Series, linux16 on x86_64 BIOS-based systems, and linuxefi on UEFI-based systems. Then the initrd directives followed by the path to the kernel and the initramfs image respectively. If a separate /boot partition was created, the paths to the kernel and the initramfs image are relative to /boot. In the example above, the initrd /initramfs-3.8.0-0.40.el7.x86_64.img line means that the initramfs image is actually located at /boot/initramfs-3.8.0-0.40.el7.x86_64.img when the root file system is mounted, and likewise for the kernel path.

The kernel version number as given on the linux16 /vmlinuz-kernel_version line must match the version number of the initramfs image given on the initrd /initramfs-kernel_version.img line of each menuentry block. For more information on how to verify the initial RAM disk image, see see Red Hat Enterprise 7 Kernel Administration Guide.

Note

In menuentry blocks, the initrd directive must point to the location (relative to the /boot/ directory if it is on a separate partition) of the initramfs file corresponding to the same kernel version. This directive is called initrd because the previous tool which created initial RAM disk images, mkinitrd, created what were known as initrd files. The grub.cfg directive remains initrd to maintain compatibility with other tools. The file-naming convention of systems using the dracut utility to create the initial RAM disk image is initramfs-kernel_version.img.

For information on using Dracut, see Red Hat Enterprise 7 Kernel Administration Guide.

26.2. Configuring GRUB 2

Changes to the GRUB 2 menu can be made temporarily at boot time, made persistent for a single system while the system is running, or as part of making a new GRUB 2 configuration file.

26.3. Making Temporary Changes to a GRUB 2 Menu

Making Temporary Changes to a Kernel Menu Entry

To change kernel parameters only during a single boot process, proceed as follows:

  1. Start the system and, on the GRUB 2 boot screen, move the cursor to the menu entry you want to edit, and press the e key for edit.
  2. Move the cursor down to find the kernel command line. The kernel command line starts with linux on 64-Bit IBM Power Series, linux16 on x86-64 BIOS-based systems, or linuxefi on UEFI systems.
  3. Move the cursor to the end of the line.

    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.

  4. Edit the kernel parameters as required. For example, to run the system in emergency mode, add the emergency parameter at the end of the linux16 line:

    linux16   /vmlinuz-3.10.0-0.rc4.59.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root rhgb quiet emergency

    The rhgb and quiet parameters can be removed in order to enable system messages.

    These settings are not persistent and apply only for a single boot. To make persistent changes to a menu entry on a system, use the grubby tool. See the section called “Adding and Removing Arguments from a GRUB 2 Menu Entry” for more information on using grubby.

26.4. Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool

The grubby tool can be used to read information from, and make persistent changes to, the grub.cfg file. It enables, for example, changing GRUB 2 menu entries to specify what arguments to pass to a kernel on system start and changing the default kernel.

In Red Hat Enterprise Linux 7, if grubby is invoked manually without specifying a GRUB 2 configuration file, it defaults to searching for /etc/grub2.cfg, which is a symbolic link to the grub.cfg file, whose location is architecture dependent. If that file cannot be found it will search for an architecture dependent default.

Listing the Default Kernel

To find out the file name of the default kernel, enter a command as follows:

~]# grubby --default-kernel
/boot/vmlinuz-3.10.0-229.4.2.el7.x86_64

To find out the index number of the default kernel, enter a command as follows:

~]# grubby --default-index
0

Changing the Default Boot Entry

To make a persistent change in the kernel designated as the default kernel, use the grubby command as follows:

~]# grubby --set-default /boot/vmlinuz-3.10.0-229.4.2.el7.x86_64

Viewing the GRUB 2 Menu Entry for a Kernel

To list all the kernel menu entries, enter a command as follows:

~]$ grubby --info=ALL

On UEFI systems, all grubby commands must be entered as root.

To view the GRUB 2 menu entry for a specific kernel, enter a command as follows:

~]$ grubby --info /boot/vmlinuz-3.10.0-229.4.2.el7.x86_64
index=0
kernel=/boot/vmlinuz-3.10.0-229.4.2.el7.x86_64
args="ro rd.lvm.lv=rhel/root crashkernel=auto rd.lvm.lv=rhel/swap vconsole.font=latarcyrheb-sun16 vconsole.keymap=us rhgb quiet LANG=en_US.UTF-8"
root=/dev/mapper/rhel-root
initrd=/boot/initramfs-3.10.0-229.4.2.el7.x86_64.img
title=Red Hat Enterprise Linux Server (3.10.0-229.4.2.el7.x86_64) 7.0 (Maipo)

Try tab completion to see the available kernels within the /boot/ directory.

Adding and Removing Arguments from a GRUB 2 Menu Entry

The --update-kernel option can be used to update a menu entry when used in combination with --args to add new arguments and --remove-arguments to remove existing arguments. These options accept a quoted space-separated list. The command to simultaneously add and remove arguments a from GRUB 2 menu entry has the follow format:

grubby --remove-args="argX argY" --args="argA argB" --update-kernel /boot/kernel

To add and remove arguments from a kernel’s GRUB 2 menu entry, use a command as follows:

~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,115200 --update-kernel /boot/vmlinuz-3.10.0-229.4.2.el7.x86_64

This command removes the Red Hat graphical boot argument, enables boot message to be seen, and adds a serial console. As the console arguments will be added at the end of the line, the new console will take precedence over any other consoles configured.

To review the changes, use the --info command option as follows:

~]# grubby --info /boot/vmlinuz-3.10.0-229.4.2.el7.x86_64
index=0
kernel=/boot/vmlinuz-3.10.0-229.4.2.el7.x86_64
args="ro rd.lvm.lv=rhel/root crashkernel=auto rd.lvm.lv=rhel/swap vconsole.font=latarcyrheb-sun16 vconsole.keymap=us LANG=en_US.UTF-8 ttyS0,115200"
root=/dev/mapper/rhel-root
initrd=/boot/initramfs-3.10.0-229.4.2.el7.x86_64.img
title=Red Hat Enterprise Linux Server (3.10.0-229.4.2.el7.x86_64) 7.0 (Maipo)

Updating All Kernel Menus with the Same Arguments

To add the same kernel boot arguments to all the kernel menu entries, enter a command as follows:

~]# grubby --update-kernel=ALL --args=console=ttyS0,115200

The --update-kernel parameter also accepts DEFAULT or a comma separated list of kernel index numbers.

Changing a Kernel Argument

To change a value in an existing kernel argument, specify the argument again, changing the value as required. For example, to change the virtual console font size, use a command as follows:

~]# grubby --args=vconsole.font=latarcyrheb-sun32 --update-kernel /boot/vmlinuz-3.10.0-229.4.2.el7.x86_64
index=0
kernel=/boot/vmlinuz-3.10.0-229.4.2.el7.x86_64
args="ro rd.lvm.lv=rhel/root crashkernel=auto rd.lvm.lv=rhel/swap vconsole.font=latarcyrheb-sun32 vconsole.keymap=us LANG=en_US.UTF-8"
root=/dev/mapper/rhel-root
initrd=/boot/initramfs-3.10.0-229.4.2.el7.x86_64.img
title=Red Hat Enterprise Linux Server (3.10.0-229.4.2.el7.x86_64) 7.0 (Maipo)

See the grubby(8) manual page for more command options.

26.5. Customizing the GRUB 2 Configuration File

GRUB 2 scripts search the user’s computer and build a boot menu based on what operating systems the scripts find. To reflect the latest system boot options, the boot menu is rebuilt automatically when the kernel is updated or a new kernel is added.

However, users may want to build a menu containing specific entries or to have the entries in a specific order. GRUB 2 allows basic customization of the boot menu to give users control of what actually appears on the screen.

GRUB 2 uses a series of scripts to build the menu; these are located in the /etc/grub.d/ directory. The following files are included:

  • 00_header, which loads GRUB 2 settings from the /etc/default/grub file.
  • 01_users, which reads the superuser password from the user.cfg file. In Red Hat Enterprise Linux 7.0 and 7.1, this file was only created when boot password was defined in the kickstart file during installation, and it included the defined password in plain text.
  • 10_linux, which locates kernels in the default partition of Red Hat Enterprise Linux.
  • 30_os-prober, which builds entries for operating systems found on other partitions.
  • 40_custom, a template, which can be used to create additional menu entries.

Scripts from the /etc/grub.d/ directory are read in alphabetical order and can be therefore renamed to change the boot order of specific menu entries.

Important

To hide the list of bootable kernels, do not set GRUB_TIMEOUT to 0 in /etc/default/grub. With such setting, the system always boots immediately on the default menu entry, and if the default kernel fails to boot, it is not possible to boot an older kernel.

Instead, to prevent GRUB 2 from displaying the list of bootable kernels when the system starts up, set the GRUB_TIMEOUT_STYLE option in the /etc/default/grub file as follows:

GRUB_TIMEOUT_STYLE=hidden

To display the list when booting, press and hold any alphanumeric key when the BIOS information is displayed using the keyboard or other serial console, and GRUB 2 will present you with the GRUB 2 menu.

26.5.1. Changing the Default Boot Entry

By default, the key for the GRUB_DEFAULT directive in the /etc/default/grub file is the word saved. This instructs GRUB 2 to load the kernel specified by the saved_entry directive in the GRUB 2 environment file, located at /boot/grub2/grubenv. You can set another GRUB 2 record to be the default, using the grub2-set-default command, which will update the GRUB 2 environment file.

By default, the saved_entry value is set to the name of latest installed kernel of package type kernel. This is defined in /etc/sysconfig/kernel by the UPDATEDEFAULT and DEFAULTKERNEL directives. The file can be viewed by the root user as follows:

~]# cat /etc/sysconfig/kernel
# UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes

# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel

The DEFAULTKERNEL directive specifies what package type will be used as the default. Installing a package of type kernel-debug will not change the default kernel while the DEFAULTKERNEL is set to package type kernel.

GRUB 2 supports using a numeric value as the key for the saved_entry directive to change the default order in which the operating systems are loaded. To specify which operating system should be loaded first, pass its number to the grub2-set-default command. For example:

~]# grub2-set-default 2

Note that the position of a menu entry in the list is denoted by a number starting with zero; therefore, in the example above, the third entry will be loaded. This value will be overwritten by the name of the next kernel to be installed.

To force a system to always use a particular menu entry, use the menu entry name as the key to the GRUB_DEFAULT directive in the /etc/default/grub file. To list the available menu entries, run the following command as root:

~]# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg

The file name /etc/grub2.cfg is a symbolic link to the grub.cfg file, whose location is architecture dependent. For reliability reasons, the symbolic link is not used in other examples in this chapter. It is better to use absolute paths when writing to a file, especially when repairing a system.

Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:

  • On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

26.5.2. Editing a Menu Entry

If required to prepare a new GRUB 2 file with different parameters, edit the values of the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. Note that you can specify multiple parameters for the GRUB_CMDLINE_LINUX key, similarly to adding the parameters in the GRUB 2 boot menu. For example:

GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,9600n8"

Where console=tty0 is the first virtual terminal and console=ttyS0 is the serial terminal to be used.

Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:

  • On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

26.5.3. Adding a new Entry

When executing the grub2-mkconfig command, GRUB 2 searches for Linux kernels and other operating systems based on the files located in the /etc/grub.d/ directory. The /etc/grub.d/10_linux script searches for installed Linux kernels on the same partition. The /etc/grub.d/30_os-prober script searches for other operating systems. Menu entries are also automatically added to the boot menu when updating the kernel.

The 40_custom file located in the /etc/grub.d/ directory is a template for custom entries and looks as follows:

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.

This file can be edited or copied. Note that as a minimum, a valid menu entry must include at least the following:

menuentry "<Title>"{
<Data>
}

26.5.4. Creating a Custom Menu

If you do not want menu entries to be updated automatically, you can create a custom menu.

Important

Before proceeding, back up the contents of the /etc/grub.d/ directory in case you need to revert the changes later.

Note

Note that modifying the /etc/default/grub file does not have any effect on creating custom menus.

  1. On BIOS-based machines, copy the contents of /boot/grub2/grub.cfg, or, on UEFI machines, copy the contents of /boot/efi/EFI/redhat/grub.cfg. Put the content of the grub.cfg into the /etc/grub.d/40_custom file below the existing header lines. The executable part of the 40_custom script has to be preserved.
  2. From the content put into the /etc/grub.d/40_custom file, only the menuentry blocks are needed to create the custom menu. The /boot/grub2/grub.cfg and /boot/efi/EFI/redhat/grub.cfg files might contain function specifications and other content above and below the menuentry blocks. If you put these unnecessary lines into the 40_custom file in the previous step, erase them.

    This is an example of a custom 40_custom script:

    #!/bin/sh
    exec tail -n +3 $0
    # This file provides an easy way to add custom menu entries. Simply type the
    # menu entries you want to add after this comment. Be careful not to change
    # the 'exec tail' line above.
    
    menuentry 'First custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.10.0-67.el7.x86_64-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod xfs
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
         search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        else
         search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        fi
        linux16 /vmlinuz-3.10.0-67.el7.x86_64 root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=rhel/swap vconsole.keymap=us crashkernel=auto rhgb quiet LANG=en_US.UTF-8
        initrd16 /initramfs-3.10.0-67.el7.x86_64.img
    }
    menuentry 'Second custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {
        load_video
        insmod gzio
        insmod part_msdos
        insmod xfs
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
         search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        else
         search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        fi
        linux16 /vmlinuz-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=rhel/swap vconsole.keymap=us crashkernel=auto rhgb quiet
        initrd16 /initramfs-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c.img
    }
  3. Remove all files from the /etc/grub.d/ directory except the following:

    • 00_header,
    • 40_custom,
    • 01_users (if it exists),
    • and README.

      Alternatively, if you want to keep the files in the /etc/grub2.d/ directory, make them unexecutable by running the chmod a-x <file_name> command.

  4. Edit, add, or remove menu entries in the 40_custom file as desired.
  5. Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:

    • On BIOS-based machines, issue the following command as root:

      ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
    • On UEFI-based machines, issue the following command as root:

      ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

26.6. Protecting GRUB 2 with a Password

GRUB 2 offers two types of password protection:

  • Password is required for modifying menu entries but not for booting existing menu entries;
  • Password is required for modifying menu entries and for booting one, several, or all menu entries.

Configuring GRUB 2 to Require a Password only for Modifying Entries

To require password authentication for modifying GRUB 2 entries, follow these steps:

  1. Run the grub2-setpassword command as root:

    ~]# grub2-setpassword
  2. Enter and confirm the password:

    Enter password:
    Confirm password:

Following this procedure creates a /boot/grub2/user.cfg file that contains the hash of the password. The user for this password, root, is defined in the /boot/grub2/grub.cfg file. With this change, modifying a boot entry during booting requires you to specify the root user name and your password.

Configuring GRUB 2 to Require a Password for Modifying and Booting Entries

Setting a password using the grub2-setpassword prevents menu entries from unauthorized modification but not from unauthorized booting. To also require password for booting an entry, follow these steps after setting the password with grub2-setpassword:

Warning

If you forget your GRUB 2 password, you will not be able to boot the entries you reconfigure in the following procedure.

  1. Open the /boot/grub2/grub.cfg file.
  2. Find the boot entry that you want to protect with password by searching for lines beginning with menuentry.
  3. Delete the --unrestricted parameter from the menu entry block, for example:

    [file contents truncated]
    menuentry 'Red Hat Enterprise Linux Server (3.10.0-327.18.2.rt56.223.el7_2.x86_64) 7.2 (Maipo)' --class red --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-327.el7.x86_64-advanced-c109825c-de2f-4340-a0ef-4f47d19fe4bf' {
        load_video
        set gfxpayload=keep
    [file contents truncated]
  4. Save and close the file.

Now even booting the entry requires entering the root user name and password.

Note

Manual changes to the /boot/grub2/grub.cfg persist when new kernel versions are installed, but are lost when re-generating grub.cfg using the grub2-mkconfig command. Therefore, to retain password protection, use the above procedure after every use of grub2-mkconfig.

Note

If you delete the --unrestricted parameter from every menu entry in the /boot/grub2/grub.cfg file, all newly installed kernels will have menu entry created without --unrestricted and hence automatically inherit the password protection.

Passwords Set Before Updating to Red Hat Enterprise Linux 7.2

The grub2-setpassword tool was added in Red Hat Enterprise Linux 7.2 and is now the standard method of setting GRUB 2 passwords. This is in contrast to previous versions of Red Hat Enterprise Linux, where boot entries needed to be manually specified in the /etc/grub.d/40_custom file, and super users - in the /etc/grub.d/01_users file.

Additional GRUB 2 Users

Booting entries without the --unrestricted parameter requires the root password. However, GRUB 2 also enables creating additional non-root users that can boot such entries without providing a password. Modifying the entries still requires the root password. For information on creating such users, see the GRUB 2 Manual.

26.7. Reinstalling GRUB 2

Reinstalling GRUB 2 is a convenient way to fix certain problems usually caused by an incorrect installation of GRUB 2, missing files, or a broken system. Other reasons to reinstall GRUB 2 include the following:

  • Upgrading from the previous version of GRUB.
  • The user requires the GRUB 2 boot loader to control installed operating systems. However, some operating systems are installed with their own boot loaders. Reinstalling GRUB 2 returns control to the desired operating system.
  • Adding the boot information to another drive.

26.7.1. Reinstalling GRUB 2 on BIOS-Based Machines

When using the grub2-install command, the boot information is updated and missing files are restored. Note that the files are restored only if they are not corrupted.

Use the grub2-install device command to reinstall GRUB 2 if the system is operating normally. For example, if sda is your device:

~]# grub2-install /dev/sda

26.7.2. Reinstalling GRUB 2 on UEFI-Based Machines

When using the yum reinstall grub2-efi shim command, the boot information is updated and missing files are restored. Note that the files are restored only if they are not corrupted.

Use the yum reinstall grub2-efi shim command to reinstall GRUB 2 if the system is operating normally. For example:

~]# yum reinstall grub2-efi shim

26.7.3. Resetting and Reinstalling GRUB 2

This method completely removes all GRUB 2 configuration files and system settings. Apply this method to reset all configuration settings to their default values. Removing of the configuration files and subsequent reinstalling of GRUB 2 fixes failures caused by corrupted files and incorrect configuration. To do so, as root, follow these steps:

  1. Run the rm /etc/grub.d/* command;
  2. Run the rm /etc/sysconfig/grub command;
  3. For EFI systems only, run the following command:

    ~]# yum reinstall grub2-efi shim grub2-tools
  4. For BIOS and EFI systems, run this command:

    ~]# yum reinstall grub2-tools
  5. Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:

    • On BIOS-based machines, issue the following command as root:

      ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
    • On UEFI-based machines, issue the following command as root:

      ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
  6. Now follow the procedure in Section 26.7, “Reinstalling GRUB 2” to restore GRUB 2 on the /boot/ partition.

26.8. Upgrading from GRUB Legacy to GRUB 2

When you do an in-place upgrade of Red Hat Enterprise Linux (RHEL) from version 6 to 7, the upgrade from GRUB Legacy to GRUB 2 does not happen automatically, but it should be done manually. Perform the GRUB upgrade for these reasons:

  • In RHEL 7 and later versions, GRUB Legacy is no longer maintained and does not receive updates.
  • GRUB Legacy is unable to boot on systems without the /boot/ directory.
  • GRUB 2 has more features and is more reliable.
  • GRUB 2 supports more hardware configurations, file systems, and drive layouts.

Upgrading from GRUB Legacy to GRUB 2 after the in-place upgrade of the operating system

Upgrading from GRUB Legacy to GRUB 2

  1. Ensure that the GRUB Legacy package has been uninstalled by the Red Hat Upgrade Tool:

    ~]# yum remove grub
    Note

    Uninstalling the grub2 package does not affect the installed GRUB Legacy bootloader.

  2. Make sure that the grub2 package has been installed. If grub2 is not on the system after the upgrade to RHEL 7, you can install it manually by running:

    ~]# yum install grub2

Generating the GRUB 2 configuration files

This section describes how to add a GRUB 2 configuration without removing the original GRUB Legacy configuration. The procedure keeps the GRUB Legacy configuration in case that GRUB 2 does not work correctly.

  1. Manually create the /etc/default/grub file by using one of the following options:

  2. Install the GRUB 2 files to the /boot/grub/ directory of /dev/sdX disk:

    ~]# grub2-install --grub-setup=/bin/true /dev/sdX

    Substitute /dev/sdX with the bootable device file.

    The --grub-setup=/bin/true option ensures that the old GRUB Legacy configuration is not deleted.

    Warning

    Note the difference in the configuration file extensions:

    • .conf is for GRUB
    • .cfg is for GRUB 2

    Do not overwrite the old GRUB configuration file by mistake in the next step.

  3. Generate the /boot/grub2/grub.cfg:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
    Note

    For customizing the generated GRUB 2 configuration file, see Section 26.5, “Customizing the GRUB 2 Configuration File”. You should make changes in /etc/default/grub, not directly in /boot/grub2/grub.cfg. Otherwise, changes in /boot/grub2/grub.cfg are lost every time the file is re-generated.

Testing GRUB 2 with GRUB Legacy bootloader still installed

This section describes how to test GRUB 2 without removing the GRUB Legacy configuration. The GRUB Legacy configuration needs to stay until GRUB 2 configuration is verified; otherwise the system might become unbootable. To safely test GRUB 2 configuration, we will start GRUB 2 from GRUB Legacy.

  1. Add a new section into /boot/grub/grub.conf.

    For systems with a separate /boot partition, use:

    title GRUB 2 Test
    	root (hd0,0)
    	kernel /grub2/i386-pc/core.img
    	boot

    Substitute (hd0,0) with the GRUB Legacy bootable device designation.

    For systems without a separate /boot partition, use:

    title GRUB 2 Test
    	root (hd0,0)
    	kernel /boot/grub2/i386-pc/core.img
    	boot

    Substitute (hd0,0) with the GRUB Legacy bootable device designation.

  2. Reboot the system.
  3. When presented with a GRUB Legacy menu, select the GRUB 2 Test entry.
  4. When presented with a GRUB 2 menu, select a kernel to boot.
  5. If the above did not work, restart, and do not choose the GRUB 2 Test entry on next boot.

Replacing GRUB Legacy bootloader

If GRUB 2 works successfully:

  1. Replace GRUB Legacy bootloader with the GRUB 2 bootloader:

    ~]# grub2-install /dev/sda
  2. Reboot the system:

    ~]# reboot
Warning

After the upgrade, the operating system is unsupported until manual upgrade of the GRUB Legacy bootloader to GRUB 2 has been successfully finished. This is due to the fact that installation of packages across major releases is not supported. In case of RHEL 7, only GRUB 2 is supported, developed, and tested; unlike GRUB Legacy from RHEL 6.

26.9. GRUB 2 over a Serial Console

This section describes how to configure GRUB 2 for serial communications on machines with no display or keyboard.

To access the GRUB 2 terminal over a serial connection, an additional option must be added to a kernel definition to make that particular kernel monitor a serial connection.

For example:

console=ttyS0,9600n8

Where console=ttyS0 is the serial terminal to be used, 9600 is the baud rate, n is for no parity, and 8 is the word length in bits. A much higher baud rate, for example 115200, is preferable for tasks such as following log files.

For more information on serial console settings, see the section called “Installable and External Documentation”

26.9.1. Configuring GRUB 2 for a single boot

To set the system to use a serial terminal only during a single boot process, when the GRUB 2 boot menu appears, move the cursor to the kernel you want to start, and press the e key to edit the kernel parameters. Remove the rhgb and quiet parameters and add console parameters at the end of the linux16 line as follows:

linux16   /vmlinuz-3.10.0-0.rc4.59.el7.x86_64 root=/dev/mapper/rhel-root ro rd.md=0 rd.dm=0 rd.lvm.lv=rhel/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=rhel/root console=ttyS0,9600

These settings are not persistent and apply only for a single boot.

26.9.2. Configuring GRUB 2 for a persistent change

To make persistent changes to a menu entry on a system, use the grubby tool. For example, to update the entry for the default kernel, enter a command as follows:

~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,9600 --update-kernel=DEFAULT

The --update-kernel parameter also accepts the keyword ALL or a comma separated list of kernel index numbers. See the section called “Adding and Removing Arguments from a GRUB 2 Menu Entry” for more information on using grubby.

26.9.3. Configuring a new GRUB 2 file

If required to build a new GRUB 2 configuration file, add the following two lines in the /etc/default/grub file:

GRUB_TERMINAL="serial"
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

The first line disables the graphical terminal. Note that specifying the GRUB_TERMINAL key overrides values of GRUB_TERMINAL_INPUT and GRUB_TERMINAL_OUTPUT. On the second line, adjust the baud rate, parity, and other values to fit your environment and hardware. A much higher baud rate, for example 115200, is preferable for tasks such as following log files. Once you have completed the changes in the /etc/default/grub file, it is necessary to update the GRUB 2 configuration file.

Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:

  • On BIOS-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • On UEFI-based machines, issue the following command as root:

    ~]# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

26.9.4. Using screen to Connect to the Serial Console

The screen tool serves as a capable serial terminal. To install it, run as root:

~]# yum install screen

To connect to your machine using the serial console, use a command in the follow format:

screen /dev/console_port baud_rate

By default, if no option is specified, screen uses the standard 9600 baud rate. To set a higher baud rate, enter:

~]$ screen /dev/console_port 115200

Where console_port is ttyS0, or ttyUSB0, and so on.

To end the session in screen, press Ctrl+a, type :quit and press Enter.

See the screen(1) manual page for additional options and detailed information.

26.10. Terminal Menu Editing During Boot

Menu entries can be modified and arguments passed to the kernel on boot. This is done using the menu entry editor interface, which is triggered when pressing the e key on a selected menu entry in the boot loader menu. The Esc key discards any changes and reloads the standard menu interface. The c key loads the command line interface.

The command line interface is the most basic GRUB 2 interface, but it is also the one that grants the most control. The command line makes it possible to type any relevant GRUB 2 commands followed by the Enter key to execute them. This interface features some advanced features similar to shell, including Tab key completion based on context, and Ctrl+a to move to the beginning of a line and Ctrl+e to move to the end of a line. In addition, the arrow, Home, End, and Delete keys work as they do in the bash shell.

26.10.1. Booting to Rescue Mode

Rescue mode provides a convenient single-user environment and allows you to repair your system in situations when it is unable to complete a normal booting process. In rescue mode, the system attempts to mount all local file systems and start some important system services, but it does not activate network interfaces or allow more users to be logged into the system at the same time. In Red Hat Enterprise Linux 7, rescue mode is equivalent to single user mode and requires the root password.

  1. To enter rescue mode during boot, on the GRUB 2 boot screen, press the e key for edit.
  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

    systemd.unit=rescue.target

    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.

    Note that equivalent parameters, 1, s, and single, can be passed to the kernel as well.

  3. Press Ctrl+x to boot the system with the parameter.

26.10.2. Booting to Emergency Mode

Emergency mode provides the most minimal environment possible and allows you to repair your system even in situations when the system is unable to enter rescue mode. In emergency mode, the system mounts the root file system only for reading, does not attempt to mount any other local file systems, does not activate network interfaces, and only starts few essential services. In Red Hat Enterprise Linux 7, emergency mode requires the root password.

  1. To enter emergency mode, on the GRUB 2 boot screen, press the e key for edit.
  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

    systemd.unit=emergency.target

    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.

    Note that equivalent parameters, emergency and -b, can be passed to the kernel as well.

  3. Press Ctrl+x to boot the system with the parameter.

26.10.3. Booting to the Debug Shell

The systemd debug shell provides a shell very early in the startup process that can be used to diagnose systemd related boot-up problems. Once in the debug shell, systemctl commands such as systemctl list-jobs, and systemctl list-units can be used to look for the cause of boot problems. In addition, the debug option can be added to the kernel command line to increase the number of log messages. For systemd, the kernel command-line option debug is now a shortcut for systemd.log_level=debug.

Adding the Debug Shell Command

To activate the debug shell only for this session, proceed as follows:

  1. On the GRUB 2 boot screen, move the cursor to the menu entry you want to edit and press the e key for edit.
  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

    systemd.debug-shell

    Optionally add the debug option.

    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.

  3. Press Ctrl+x to boot the system with the parameter.

If required, the debug shell can be set to start on every boot by enabling it with the systemctl enable debug-shell command. Alternatively, the grubby tool can be used to make persistent changes to the kernel command line in the GRUB 2 menu. See Section 26.4, “Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool” for more information on using grubby.

Warning

Permanently enabling the debug shell is a security risk because no authentication is required to use it. Disable it when the debugging session has ended.

Connecting to the Debug Shell

During the boot process, the systemd-debug-generator will configure the debug shell on TTY9.

  1. Press Ctrl+Alt+F9 to connect to the debug shell. If working with a virtual machine, sending this key combination requires support from the virtualization application. For example, if using Virtual Machine Manager, select Send KeyCtrl+Alt+F9 from the menu.
  2. The debug shell does not require authentication, therefore a prompt similar to the following should be seen on TTY9: [root@localhost /]#
  3. If required, to verify you are in the debug shell, enter a command as follows:

    /]# systemctl status $$
    ● debug-shell.service - Early root shell on /dev/tty9 FOR DEBUGGING ONLY
      Loaded: loaded (/usr/lib/systemd/system/debug-shell.service; disabled; vendor preset: disabled)
      Active: active (running) since Wed 2015-08-05 11:01:48 EDT; 2min ago
       Docs: man:sushell(8)
     Main PID: 450 (bash)
      CGroup: /system.slice/debug-shell.service
          ├─ 450 /bin/bash
          └─1791 systemctl status 450
  4. To return to the default shell, if the boot succeeded, press Ctrl+Alt+F1.

To diagnose start up problems, certain systemd units can be masked by adding systemd.mask=unit_name one or more times on the kernel command line. To start additional processes during the boot process, add systemd.wants=unit_name to the kernel command line. The systemd-debug-generator(8) manual page describes these options.

26.10.4. Changing and Resetting the Root Password

Setting up the root password is a mandatory part of the Red Hat Enterprise Linux 7 installation. If you forget or lose the root password it is possible to reset it, however users who are members of the wheel group can change the root password as follows:

~]$ sudo passwd root

Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Red Hat Enterprise Linux 6. The root password is now required to operate in single-user mode as well as in emergency mode.

Two procedures for resetting the root password are shown here:

  • Resetting the Root Password Using an Installation Disk takes you to a shell prompt, without having to edit the GRUB 2 menu. It is the shorter of the two procedures and it is also the recommended method. You can use a boot disk or a normal Red Hat Enterprise Linux 7 installation disk.
  • Resetting the Root Password Using rd.break makes use of rd.break to interrupt the boot process before control is passed from initramfs to systemd. The disadvantage of this method is that it requires more steps, includes having to edit the GRUB 2 menu, and involves choosing between a possibly time consuming SELinux file relabel or changing the SELinux enforcing mode and then restoring the SELinux security context for /etc/shadow/ when the boot completes.

Resetting the Root Password Using an Installation Disk

  1. Start the system and when BIOS information is displayed, select the option for a boot menu and select to boot from the installation disk.
  2. Choose Troubleshooting.
  3. Choose Rescue a Red Hat Enterprise Linux System.
  4. Choose Continue which is the default option. At this point you will be promoted for a passphrase if an encrypted file system is found.
  5. Press OK to acknowledge the information displayed until the shell prompt appears.
  6. Change the file system root as follows:

    sh-4.2# chroot /mnt/sysimage
  7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.
  8. Remove the autorelable file to prevent a time consuming SELinux relabel of the disk:

    sh-4.2# rm -f /.autorelabel
  9. Enter the exit command to exit the chroot environment.
  10. Enter the exit command again to resume the initialization and finish the system boot.

Resetting the Root Password Using rd.break

  1. Start the system and, on the GRUB 2 boot screen, press the e key for edit.
  2. Remove the rhgb and quiet parameters from the end, or near the end, of the linux16 line, or linuxefi on UEFI systems.

    Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.

    Important

    The rhgb and quiet parameters must be removed in order to enable system messages.

  3. Add the following parameters at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

    rd.break enforcing=0

    Adding the enforcing=0 option enables omitting the time consuming SELinux relabeling process.

    The initramfs will stop before passing control to the Linux kernel, enabling you to work with the root file system.

    Note that the initramfs prompt will appear on the last console specified on the Linux line.

  4. Press Ctrl+x to boot the system with the changed parameters.

    With an encrypted file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

    The initramfs switch_root prompt appears.

  5. The file system is mounted read-only on /sysroot/. You will not be allowed to change the password if the file system is not writable.

    Remount the file system as writable:

    switch_root:/# mount -o remount,rw /sysroot
  6. The file system is remounted with write enabled.

    Change the file system’s root as follows:

    switch_root:/# chroot /sysroot

    The prompt changes to sh-4.2#.

  7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.

    Note that if the system is not writable, the passwd tool fails with the following error:

    Authentication token manipulation error
  8. Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:

    sh-4.2# touch /.autorelabel

    Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the enforcing=0 option in step 3.

  9. Remount the file system as read only:

    sh-4.2# mount -o remount,ro /
  10. Enter the exit command to exit the chroot environment.
  11. Enter the exit command again to resume the initialization and finish the system boot.

    With an encrypted file system, a pass word or phrase is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

    Note

    Note that the SELinux relabeling process can take a long time. A system reboot will occur automatically when the process is complete.

  12. If you added the enforcing=0 option in step 3 and omitted the touch /.autorelabel command in step 8, enter the following command to restore the /etc/shadow file’s SELinux security context:

    ~]# restorecon /etc/shadow

    Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:

    ~]# setenforce 1
    ~]# getenforce
    Enforcing

26.11. Unified Extensible Firmware Interface (UEFI) Secure Boot

The Unified Extensible Firmware Interface (UEFI) Secure Boot technology ensures that the system firmware checks whether the system boot loader is signed with a cryptographic key authorized by a database of public keys contained in the firmware. With signature verification in the next-stage boot loader and kernel, it is possible to prevent the execution of kernel space code which has not been signed by a trusted key.

A chain of trust is established from the firmware to the signed drivers and kernel modules as follows. The first-stage boot loader, shim.efi, is signed by a UEFI private key and authenticated by a public key, signed by a certificate authority (CA), stored in the firmware database. The shim.efi contains the Red Hat public key, "Red Hat Secure Boot (CA key 1)", which is used to authenticate both the GRUB 2 boot loader, grubx64.efi, and the Red Hat kernel. The kernel in turn contains public keys to authenticate drivers and modules.

Secure Boot is the boot path validation component of the Unified Extensible Firmware Interface (UEFI) specification. The specification defines:

  • a programming interface for cryptographically protected UEFI variables in non-volatile storage,
  • how the trusted X.509 root certificates are stored in UEFI variables,
  • validation of UEFI applications like boot loaders and drivers,
  • procedures to revoke known-bad certificates and application hashes.

UEFI Secure Boot does not prevent the installation or removal of second-stage boot loaders, nor require explicit user confirmation of such changes. Signatures are verified during booting, not when the boot loader is installed or updated. Therefore, UEFI Secure Boot does not stop boot path manipulations, it helps in the detection of unauthorized changes. A new boot loader or kernel will work as long as it is signed by a key trusted by the system.

26.11.1. UEFI Secure Boot Support in Red Hat Enterprise Linux 7

Red Hat Enterprise Linux 7 includes support for the UEFI Secure Boot feature, which means that Red Hat Enterprise Linux 7 can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a trusted key, otherwise the system will not accept them. All drivers provided by Red Hat are signed by one of Red Hat’s private keys and authenticated by the corresponding Red Hat public key in the kernel.

If you want to load externally built drivers, drivers that are not provided on the Red Hat Enterprise Linux DVD, you must make sure these drivers are signed as well.

Information on signing custom drivers is available in Red Hat Enterprise Linux 7 Kernel Administration Guide.

Restrictions Imposed by UEFI Secure Boot

As UEFI Secure Boot support in Red Hat Enterprise Linux 7 is designed to ensure that the system only runs kernel mode code after its signature has been properly authenticated, certain restrictions exist.

GRUB 2 module loading is disabled as there is no infrastructure for signing and verification of GRUB 2 modules, which means allowing them to be loaded would constitute execution of untrusted code inside the security perimeter that Secure Boot defines. Instead, Red Hat provides a signed GRUB 2 binary that has all the modules supported on Red Hat Enterprise Linux 7 already included.

More detailed information is available in the Red Hat Knowledgebase article Restrictions Imposed by UEFI Secure Boot.

26.12. Additional Resources

Please see the following resources for more information on the GRUB 2 boot loader:

Installed Documentation

  • /usr/share/doc/grub2-tools-version-number/ — This directory contains information about using and configuring GRUB 2. version-number corresponds to the version of the GRUB 2 package installed.
  • info grub2 — The GRUB 2 info page contains a tutorial, a user reference manual, a programmer reference manual, and a FAQ document about GRUB 2 and its usage.
  • grubby(8) — The manual page for the command-line tool for configuring GRUB and GRUB 2.
  • new-kernel-pkg(8) — The manual page for the tool to script kernel installation.

Installable and External Documentation

  • /usr/share/doc/kernel-doc-kernel_version/Documentation/serial-console.txt — This file, which is provided by the kernel-doc package, contains information on the serial console. Before accessing the kernel documentation, you must run the following command as root:

    ~]# yum install kernel-doc
  • Red Hat Installation Guide — The Installation Guide provides basic information on GRUB 2, for example, installation, terminology, interfaces, and commands.