How to add grub2 bootloader password in kickstart template for the host getting provisioned using Red Hat Satellite 6.

Solution Verified - Updated -

Environment

  • Red Hat Satellite 6.3

Issue

  • Adding bootloader password while provisioning hosts from the Satellite Server.
  • How to set a grub2 bootloader password on a kickstart for RHEL machine that is provisioned?

Resolution

  • On RHEL 7 Server, generate the PBKDF2 hash using the command grub2-mkpasswd-pbkdf2 as showed below:
# grub2-mkpasswd-pbkdf2 
Enter password: 
Reenter password: 
PBKDF2 hash of your password is 
grub.pbkdf2.sha512.10000.73BB35CF83C18DAE6C258CA38FD43F09223FB6452E19C216FFFC30115E982ABEE35EADA33C8B6D9CD11527B3858DDC3F2A556004063FEA289615F42B71FFAA43.5ABF7BFFDC9BF667E0E8E8841A54F1C5F1FB6E325EB30845C0D5BFE982BD0C7317B6CF6C650ABBB0109BFE193D45A91F42ED29A00961C825B19914D697E69A1D
  • Edit the kickstart template.
Login to "Satellite web UI" > Hosts > Provisioning Template > Search for Satellite Kickstart Default > Clone this template and give a new name.

Set the appropriate "Operating System" in the "Association" Tab followed by "Locations" and "Organizations".
  • Edit the cloned kickstart file and add the mentioned bootloader parameters to it.
Find the line bootloader --location=mbr --append="nofb quiet splash=quiet" <%= grub_pass %>

And add the "password" parameter to it.

bootloader --location=mbr --append="nofb quiet splash=quiet" <%= grub_pass %> --iscrypted --password=<the generated password from the grub2-mkpasswd-pbkdf2  command>
Example:

bootloader --location=mbr --append="nofb quiet splash=quiet" <%= grub_pass %> --iscrypted --password=grub.pbkdf2.sha512.10000.73BB35CF83C18DAE6C258CA38FD43F09223FB6452E19C216FFFC30115E982ABEE35EADA33C8B6D9CD11527B3858DDC3F2A556004063FEA289615F42B71FFAA43.5ABF7BFFDC9BF667E0E8E8841A54F1C5F1FB6E325EB30845C0D5BFE982BD0C7317B6CF6C650ABBB0109BFE193D45A91F42ED29A00961C825B19914D697E69A1D
  • Click on Submit.

  • After successful host provisioning while trying to edit the grub menu it will prompt for username and password (Use root as a user and the password set).

Diagnostic Steps

  • While provisioning, ensure the cloned template is visible when you resolve the kickstart templates.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

6 Comments

Hi! Shouldn't this be handled by the grub_pass function in foreman?

Hi Daniel,

This is from the Satellite point of view, you can use that option with the upstream one (foreman).

Hi,

Yes I know. way isen't that function added to satellite?

Hi,

You can use that function and try to render the provisioning template. As it's not defined in the documentation.

Hi,

No I cant. There is no way for me to define @host.grub_pass in satellite. the grub_pass part of te UI and API is missing.

Hi,

Yes, that's available in the upstream currently but not sure.