OpenStack
OpenStack and UEFI
I hadn't really noticed that OpenStack or, rather, libvirtd, boots everything with a legacy MBR boot disk.
What if we want, what if we need a UEFI boot?
I had a problem where pfSense 2.4.5 hung on boot which was variously pitched as a problem with missing kernel vty configuration. The putative fix for that required extracting the ISO, adding kern.vty="sc" into boot/loader.conf and rebuilding the ISO. That merely caused which symbol of the spinner to change when it hung. The other 2.4.5 fix is to boot under UEFI.
UEFI
We touched on UEFI for multiboot USB but here we're talking about virtual machines where we need to provision UEFI. In that context, what is UEFI?
There's two parts:
- some firmware
- some storage area, a form of nvram
The former, some firmware, is where most of the discomfort with UEFI seems to lie in that, well, we've no idea what that firmware is. It is probably drivers for various gizmos in your hardware. Probably. The motherboard vendor has provisioned the BIOS containing some UEFI firmware. The disk (or disks, probably) that the BIOS sees can contain some more firmware. By and large we've no idea what that firmware is doing. So, much like Intel's ME, an entire OS could be running under our feet and we haven't a clue.
OK, enough doom-mongering, what does it mean for us? We need that firmware and we need that storage space.
Modulo some licensing issues, the Open Source world has the Open Virtual Machine Firmware suite. It has tuples for the firmware and a template for storage for various architectures. In our case we'll use Gerd Hoffmann’s OVMF builds.
Warning
Be careful as CentOS 7 does have an OVMF package but rather oddly it is missing the default firmware for x86_64. Stick with Gerd's builds!
cd /etc/yum.repos.d wget https://www.kraxel.org/repos/firmware.repo yum-config-manager --disable qemu-firmware-jenkins yum --enablerepo=qemu-firmware-jenkins install edk2.git-ovmf-x64
That will add the firmware/templates into /usr/share/edk2.git. We need to divert a little from the advertised installation instruction because OpenStack forces our hand and wants vanilla locations:
# vi +/nvram /etc/libvirt/qemu.conf nvram = [ "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", ]
Of course, those vanilla locations don't exist so we need to create the directory and link in our firmware/template:
mkdir -p /usr/share/OVMF ln -s /usr/share/edk2.git/ovmf-x64/OVMF-pure-efi.fd /usr/share/OVMF/OVMF_CODE.fd ln -s /usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd /usr/share/OVMF/OVMF_VARS.fd
Finally, restart libvirtd:
systemctl restart libvirtd
virt-install and virsh
Just because libvirtd knows about UEFI doesn't mean to say it will use it. To use UEFI you need an extra flag for virt-install:
virt-install ... --boot uefi
and when you come to undefine the instance you need the extra --nvram flag:
virsh undefine --nvram $INSTANCE
Using --nvram doesn't harm non-UEFI instances.
OpenStack
Now that libvirtd knows about UEFI we need to tell OpenStack to tell virsh to boot UEFI:
openstack image set --property hw_firmware_type=uefi $IMAGE
pfSense
FWIW, even with UEFI, the pfSense 2.4.5 ISO boot still hangs.
In fact it looks like the problem is with CPU flags and you need to emulate a Skylake CPU (or Nehalem, in my case).
Document Actions