Add hook to automate removal of --root-dev-only

technowhizz · technowhizz · commit 3d1b96c7dfc5 · 2024-10-25T18:28:24.000+01:00
diff --git a/doc/source/operations/upgrading-openstack.rst b/doc/source/operations/upgrading-openstack.rst
@@ -145,7 +145,8 @@ Known issues
   <https://access.redhat.com/security/cve/CVE-2023-4001>`__, the operating
   system can become unbootable (boot will stop at a ``grub>`` prompt). Remove
   the ``--root-dev-only`` option from ``/boot/efi/EFI/rocky/grub.cfg`` after
-  applying package updates.
+  applying package updates. This will happen automatically as a post hook when
+  running the ``kayobe overcloud host package update`` command.
 
 Security baseline
 =================
diff --git a/etc/kayobe/ansible/fix-grub-rl9.yml b/etc/kayobe/ansible/fix-grub-rl9.yml
@@ -0,0 +1,15 @@
+---
+- name: Remove "--root-dev-only" from grub.cfg if OS is Rocky Linux 9
+  hosts: overcloud
+  become: yes
+  gather_facts: true
+
+  tasks:
+    - name: Remove "--root-dev-only" from /boot/efi/EFI/rocky/grub.cfg
+      ansible.builtin.replace:
+        path: /boot/efi/EFI/rocky/grub.cfg
+        regexp: '--root-dev-only\s?'
+        replace: ''
+      when:
+        - ansible_facts['distribution'] == 'Rocky'
+        - ansible_facts['distribution_major_version'] == '9'
diff --git a/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml b/etc/kayobe/hooks/overcloud-host-package-update/post.d/10-fix-grub-rl9.yml
@@ -0,0 +1 @@
+../../../ansible/fix-grub-rl9.yml
