Bug 340837

Summary: YOU Kernel Update Can Leave System Unbootable & /boot Unmountable
Product: [openSUSE] openSUSE 11.0 Reporter: Robert Davies <rob.opensuse.linux>
Component: YaST2Assignee: Josef Reidinger <jreidinger>
Status: RESOLVED FIXED QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P2 - High CC: jplack
Version: Alpha 2plus   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Davies 2007-11-10 00:14:55 UTC 
There seems not to be enough sanity checking, and error handling in YOU kernel update, this update ran without comment (text mode YaST->Online Update), appearing to complete successfully).

The /boot partion was unmounted, so there was a /boot directory but it was empty without any kernel, initrd, map files nor a boot loader (grub); so parts of the update script must have received runtime errors.

To reproduce :

1) Make /boot an empty directory, for instance unmounting a /boot partition, though probably mount --bind /some/empty/dir /bind would do the job.

2) Update new kernel with YOU, "forgetting" to make real /boot accessible.

I noticed no error messages, nor any warning indication from YaST YOU of an issue or problem.

New kernel files in /boot contained in root partion, were present.  The running kernel module files were deleted!

Module for ext2 partion therefore unloadable making /boot unmountable, booting to Rescue CD was therefore necessary.

Off Live CD, it was possible to mount / & /boot, and copy in new kernel files, then update /boot/grub/menu.lst.


Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb5               489900    186616    303284  39% /

Deleting /lib/module/`uname -r` and the old kernel entries, before successfully rebooting when there is plenty of disk space, seems rather aggressive and fragile.  That also means that installing a kernel update accidentally, forces a reboot of system, in order to load modules for features not yet used since boot.


A good precaution would be to allow the Adminstrator to nominate a fallback 'trusted' kernel, with entry in boot menu that is never removed, so that kernel upgrade cannot leave system unbootable.

The update should be a transaction, that only completes if all steps to install   
new kernel succeeded, including boot menu changes.

Safer to only delete files from previous kernel, after a successful boot, or even leave this as a task to be done by weekly maintenance script.  Unused kernel files could then be deleted after a month or so, and each boot of kernel-`uname -r` recorded by boot script using touch <path>/lastboot/kernel-`uname-r`

Kernel installation is a critical task, which should be done very carefully, and procedure ought be conservative.  The auto update mechanism loses value if the Admin cannot trust it to be careful.

Greater robustness would also protect SuSE's name in event of a troublesome kernel update, causing unforeseen problems at very many sites.
Comment 1 Joachim Plack 2008-03-14 15:52:43 UTC 
So this is a hidden feature request, I see.
Will consider this to be done in some 11.x release
Comment 2 Joachim Plack 2008-03-20 04:14:01 UTC 
reevaluate for SLE11
Comment 3 Joachim Plack 2008-07-15 11:22:12 UTC 
assign to yast2-bootloader maintainer
Comment 4 Jozef Uhliarik 2008-09-17 14:04:26 UTC 
IMO kernel update is the perl-Bootloader task
Comment 5 Josef Reidinger 2008-09-18 08:24:25 UTC 
fixed in svn. Will be in perl-Bootloader 0.4.71. Fix is that in perl-Bootloader I check if /boot is mounted and if not, then I exit bootloader post-install script for kernel, so installation and also uninstallation is stopped. Thats everything I can do. Multiple kernel is supported by bootloader, you can test it vie rpm -i. If you think, that more can be done, please fill feature request for kernel (pre)-post-install scripts.
Comment 6 Josef Reidinger 2008-09-19 13:57:41 UTC 
0.4.71 released (maybe it need some time to synchronize)