UEFI Support in ROS #2251
Comments
@allingeek -- could you clarify on the scope of what is needed?
|
@jambajaar I just did a whole afternoon of reading on this subject to make sure I have a solid foundation for the request. We're really looking at two/three things. First, a native-UEFI boot loader at a minimum. As I understand it this will empower us to control firmware from the OS level. Second/third, secure boot and Static Root of Trust Measurements. These both require that Rancher implement code signing, etc. I'm not sure if this is something Rancher does today or if this is a business you're likely to get into. |
@jambajaar RancherOS does run UEFI with legacy mode enabled, however "ros install" does not support installing on UEFI, nor does it create a UEFI partition to boot the machine. To demonstrate that it does boot with a UEFI partition when the BIOS is in UEFI-only mode, we manually created a UEFI boot partition and reused other EFI bootloaders to chain boot RancherOS. So additionally the request is to make "ros install" create a UEFI boot partition and add the appropriate boot loaders to that partition. |
Thx @allingeek @brod55 for the details. We should have an update by next week. |
+1 to supporting it. |
I want to try RancherOS with FreeBSD/bhyve, and bhyve supports UEFI. Without a UEFI installer, I cannot install RancherOS. Please consider adding UEFI installer ability. Thanks. |
I struggled with this for a few days... but I have a viable "workaround". I borrowed pieces from Ubuntu's UEFI boot and got it to work. Feel free to use any/all of this to improve RancherOS. See https://github.com/mkinney/myranch/blob/master/readme.MD Let me know if there are any questions. |
VMware is starting to move to UEFI as the default option for new VMs and RancherOS currently does not boot in this mode. It isn't difficult to change the mode back to BIOS, but UEFI is definitely the way forward |
@mkinney I believe I followed your directions, but for some reason my networking won't start. Did you have this issue? The install image has networking, but the image that was installed does not. |
Can you double check the cloud-config.yml networking params? What happens when you are on the console? Does I wonder if you need network drivers. |
Yeah, I just ran into this on unRaid: the OVMF BIOS wouldn't see the boot partition, but after changing to SeaBIOS it booted straight away. |
Is basically my cloud config. I currently can't ssh in to the side with |
I was thinking of the config file you used boot for for the For instance:
|
@mkinney Got it, the dhcp resolution was taking forever. My workaround was to preload the images and wait. |
+1 on supporting this. I run ROS on a bunch of bare metal servers and would like to also run it on some SBCs that only support UEFI. Update: I did some fiddling around to get some scripts working for @mkinney's install method and threw them up in a repo: https://github.com/Confusingboat/ros-uefi |
2 years later.... |
Somewhat weird... Alpine (which I think is what RancherOS is based on) has UEFI boot. |
I have RancherOS working with UEFI. I build a GRUB-based ESP file system and put the RancherOS kernel/initrd on it. When there is a new kernel released, I run an update script that puts the files in the ESP partition and adds an entry to grub.cfg. |
Well, I managed to install RancherOS to 2 machines using a hacky-style build of the installer on a flash drive. Painful to do over KVM with Virtual Storage to be honest, but it works. Once I get my systems matching for my testing, I hope to actually make a PR with the proper scripting. Honestly, it's not as hard as one might think. Hopefully, after I get this going, we can make it official. |
UEFI support is a replacement for the old-school BIOS, so that the motherboard works alongside during boot. UEFI enables hardware trust for the OS. So if the OS detects someone plugging in something strange or non-compliant, it can react to secure the footprint of the devices. In use cases where appliances will be sitting with zero security, there are concerns that when the machine boots, all hell can break loose, so having trusted boot with UEFI would offer protection.