Requirements:
- AWS Account with access to us-east-1 for using AMIs directly or copying.
- AlmaLinux OS 9.3 AMI with Secure Boot Enabled. (Get the latest AMI ID from here: https://almalinux.discourse.group/t/uefi-boot-for-aws-ami/3117/7)
- AWS CLI v2 installed and configured, or Terraform, for launching instances
- Security Group with inbound rule for SSH connection (22/TCP)
Environment:
- BIOS: t2.small from the T2 generation is used for BIOS-only boot mode.
- UEFI: m7i.large and m7a.medium are used for the M7 generation, which is powered by the latest Intel and AMD CPUs.
Create a BIOS instance with a custom volume size:
vol_size='42' # Any size you choose, in GiB
ami_id='' # ID of the AMI under test
instance_type='t2.small'
key_name='' # Key pair name on AWS
sg_name='' # The name of the security group
name='almalinux_ami_testing_93_bios'
aws ec2 run-instances \
--block-device-mappings \
"DeviceName=/dev/sda1,Ebs={VolumeSize="$vol_size"}" \
--image-id "$ami_id" \
--instance-type "$instance_type" \
--key-name "$key_name" \
--security-groups "$sg_name" \
--tag-specifications \
"ResourceType=instance,Tags=[{Key=Name,Value="$name"}]" \
"ResourceType=network-interface,Tags=[{Key=Name,Value="$name"}]" \
"ResourceType=volume,Tags=[{Key=Name,Value="$name"}]"
Create a UEFI instance with a custom volume size:
vol_size='42' # Any size you choose, in GiB
ami_id='' # ID of the AMI under test
instance_type='m7i.large'
key_name='' # Key pair name on AWS
sg_name='' # The name of the security group
name='almalinux_ami_testing_93_uefi'
aws ec2 run-instances \
--block-device-mappings \
"DeviceName=/dev/sda1,Ebs={VolumeSize="$vol_size"}" \
--image-id "$ami_id" \
--instance-type "$instance_type" \
--key-name "$key_name" \
--security-groups "$sg_name" \
--tag-specifications \
"ResourceType=instance,Tags=[{Key=Name,Value="$name"}]" \
"ResourceType=network-interface,Tags=[{Key=Name,Value="$name"}]" \
"ResourceType=volume,Tags=[{Key=Name,Value="$name"}]"
1.1. Check that the full disk space is allocated to the root partition and that no unallocated space remains.
BIOS:
[root@ip-%<->% ~]# parted -s -a optimal /dev/xvda -- unit MiB print
Model: Xen Virtual Block Device (xvd)
Disk /dev/xvda: 43008MiB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1.00MiB 2.00MiB 1.00MiB biosboot bios_grub
2 2.00MiB 202MiB 200MiB fat16 EFI System Partition boot, esp
3 202MiB 714MiB 512MiB xfs boot
4 714MiB 43008MiB 42294MiB xfs root
UEFI:
[root@ip-%<->% ~]# parted -s -a optimal /dev/nvme0n1 -- unit MiB print
Model: Amazon Elastic Block Store (nvme)
Disk /dev/nvme0n1: 43008MiB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1.00MiB 2.00MiB 1.00MiB biosboot bios_grub
2 2.00MiB 202MiB 200MiB fat16 EFI System Partition boot, esp
3 202MiB 714MiB 512MiB xfs boot
4 714MiB 43008MiB 42294MiB xfs root
Expected Result: Partition number 4 is extended to the end of the disk, as shown by its "End" column value of 43008MiB.
1.2. Check that the root filesystem is extended to fill partition number 4 from the previous output.
BIOS:
[root@ip-%<->% ~]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 977M 0 977M 0% /dev/shm
tmpfs 391M 11M 381M 3% /run
/dev/xvda4 42G 1.3G 41G 4% /
/dev/xvda3 508M 105M 404M 21% /boot
/dev/xvda2 200M 7.1M 193M 4% /boot/efi
tmpfs 196M 0 196M 0% /run/user/1000
UEFI:
[root@ip-%<->% ~]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 3.8G 0 3.8G 0% /dev/shm
tmpfs 1.6G 8.7M 1.6G 1% /run
/dev/nvme0n1p4 42G 1.3G 41G 3% /
/dev/nvme0n1p3 508M 107M 402M 21% /boot
/dev/nvme0n1p2 200M 7.1M 193M 4% /boot/efi
tmpfs 777M 0 777M 0% /run/user/1000
Expected Result: The "Size" column of the / mountpoint is 42G.
2.1. List all boot entries.
[ec2-user@ip-%<->% ~]# grubby --info=ALL
index=0
kernel="/boot/vmlinuz-5.14.0-362.8.1.el9_3.x86_64"
args="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295"
root="UUID=9593c9d7-c5b8-4074-9ade-ed3b3b0b94e1"
initrd="/boot/initramfs-5.14.0-362.8.1.el9_3.x86_64.img"
title="AlmaLinux (5.14.0-362.8.1.el9_3.x86_64) 9.3 (Shamrock Pampas Cat)"
id="ffffffffffffffffffffffffffffffff-5.14.0-362.8.1.el9_3.x86_64"
Expected Result: The boot entry of the installed kernel must be listed.
2.2. Check the default kernel for next boot:
[root@ip--%<->% ~]# grubby --info=DEFAULT
index=0
kernel="/boot/vmlinuz-5.14.0-362.8.1.el9_3.x86_64"
args="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295"
root="UUID=9593c9d7-c5b8-4074-9ade-ed3b3b0b94e1"
initrd="/boot/initramfs-5.14.0-362.8.1.el9_3.x86_64.img"
title="AlmaLinux (5.14.0-362.8.1.el9_3.x86_64) 9.3 (Shamrock Pampas Cat)"
id="ffffffffffffffffffffffffffffffff-5.14.0-362.8.1.el9_3.x86_64"
Expected Result: The single entry of the installed kernel should be default for the next boot.
2.3. Add the CentOS 9 Stream repos to mock the kernel upgrade process.
dnf -y install --allowerasing \
https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-stream-release-9.0-23.el9.noarch.rpm \
https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-gpg-keys-9.0-23.el9.noarch.rpm \
https://mirror.stream.centos.org/9-stream/BaseOS/x86_64/os/Packages/centos-stream-repos-9.0-23.el9.noarch.rpm
2.4. Upgrade the kernel
dnf clean all && dnf -y upgrade kernel*
2.5. List the boot entries after kernel upgrade:
[root@ip-%<->% ~]# grubby --info=ALL
index=0
kernel="/boot/vmlinuz-5.14.0-362.8.1.el9_3.x86_64"
args="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295"
root="UUID=9593c9d7-c5b8-4074-9ade-ed3b3b0b94e1"
initrd="/boot/initramfs-5.14.0-362.8.1.el9_3.x86_64.img"
title="AlmaLinux (5.14.0-362.8.1.el9_3.x86_64) 9.3 (Shamrock Pampas Cat)"
id="ffffffffffffffffffffffffffffffff-5.14.0-362.8.1.el9_3.x86_64"
index=1
kernel="/boot/vmlinuz-5.14.0-383.el9.x86_64"
args="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 $tuned_params"
root="UUID=9593c9d7-c5b8-4074-9ade-ed3b3b0b94e1"
initrd="/boot/initramfs-5.14.0-383.el9.x86_64.img $tuned_initrd"
title="CentOS Stream (5.14.0-383.el9.x86_64) 9"
id="ec256471d722a69a7a8e2a0f36cd7925-5.14.0-383.el9.x86_64"
Expected Result: The boot entry of the new kernel should be listed here.
2.6. Check that the boot entry of the latest kernel is the default for the next boot:
[root@ip-%<->% ~]# grubby --info=DEFAULT
index=1
kernel="/boot/vmlinuz-5.14.0-383.el9.x86_64"
args="console=ttyS0,115200n8 console=tty0 net.ifnames=0 rd.blacklist=nouveau nvme_core.io_timeout=4294967295 $tuned_params"
root="UUID=9593c9d7-c5b8-4074-9ade-ed3b3b0b94e1"
initrd="/boot/initramfs-5.14.0-383.el9.x86_64.img $tuned_initrd"
title="CentOS Stream (5.14.0-383.el9.x86_64) 9"
id="ec256471d722a69a7a8e2a0f36cd7925-5.14.0-383.el9.x86_64"
2.7. Reboot the instance and check which kernel you are on:
uname -a
Expected Result: The newly installed kernel should be the default in the grubby output and should be the running kernel after the reboot.
If Secure Boot is disabled on the AMI:
[root@ip-%<->% ~]# mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode
Expected Result: Secure Boot is disabled.
If Secure Boot is enabled on the AMI:
[root@ip-%<->% ~]# mokutil --sb-state
SecureBoot enabled
[root@ip-%<->% ~]# journalctl | grep -Ei 'secure'
Nov 14 23:28:50 localhost kernel: secureboot: Secure boot enabled
Nov 14 23:28:50 localhost kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
Nov 14 23:28:50 localhost kernel: secureboot: Secure boot enabled
[root@ip-%<->% ~]# dmesg | grep -Ei 'secure'
[ 0.000000] secureboot: Secure boot enabled
[ 0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[ 0.006311] secureboot: Secure boot enabled
Expected Result: mokutil reports Secure Boot enabled, and the kernel log reports that the kernel is locked down from EFI Secure Boot mode.
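The checks from steps 1.1, 1.2 and 2.6 and the Secure Boot section, collected into one POSIX shell script as an added example; this is not part of the test plan or of the AlmaLinux project. The function names, the embedded output excerpts (taken from the captures above) and the default disk device are assumptions; run it with --live on the instance, or with no arguments for the offline self-check.

```shell
# Added helpers for this test plan (not AlmaLinux project code). Each check takes captured
# command output as arguments and returns 0 (pass) or 1 (fail), so it runs against live
# commands on the instance or against saved logs.

# 1.1: the root partition must end exactly where the disk ends (no unallocated tail).
check_root_partition_fills_disk() {
  disk_end=$(printf '%s\n' "$1" | sed -n 's/^Disk \/dev\/[^:]*: \([0-9.]*\)MiB$/\1/p')
  root_end=$(printf '%s\n' "$1" | awk '$NF == "root" { sub(/MiB$/, "", $3); print $3 }')
  [ -n "$disk_end" ] && [ "$disk_end" = "$root_end" ]
}
# 1.2: the filesystem mounted on / must report the expected size, e.g. 42G.
check_root_fs_size() {
  [ "$(printf '%s\n' "$1" | awk '$NF == "/" { print $2 }')" = "$2" ]
}
# 2.6: the default entry must be the highest-versioned kernel grubby lists (GNU sort -V).
check_default_is_newest_kernel() {
  newest=$(printf '%s\n' "$1" | sed -n 's/^kernel="\/boot\/vmlinuz-\(.*\)"$/\1/p' | sort -V | tail -n 1)
  default=$(printf '%s\n' "$2" | sed -n 's/^kernel="\/boot\/vmlinuz-\(.*\)"$/\1/p')
  [ -n "$newest" ] && [ "$newest" = "$default" ]
}
# Secure Boot: mokutil must report it enabled and the kernel must report lockdown.
check_secure_boot_enforced() {
  printf '%s\n' "$1" | grep -q '^SecureBoot enabled$' &&
    printf '%s\n' "$2" | grep -q 'Kernel is locked down from EFI Secure Boot mode'
}
# Excerpts of the outputs captured in steps 1.1, 1.2 and 2.6 above, for an offline self-check.
SAMPLE_PARTED='Disk /dev/nvme0n1: 43008MiB
4 714MiB 43008MiB 42294MiB xfs root'
SAMPLE_DF='/dev/nvme0n1p4 42G 1.3G 41G 3% /'
SAMPLE_ALL='kernel="/boot/vmlinuz-5.14.0-362.8.1.el9_3.x86_64"
kernel="/boot/vmlinuz-5.14.0-383.el9.x86_64"'
SAMPLE_DEFAULT='kernel="/boot/vmlinuz-5.14.0-383.el9.x86_64"'
self_check() {
  check_root_partition_fills_disk "$SAMPLE_PARTED" &&
    check_root_fs_size "$SAMPLE_DF" 42G &&
    check_default_is_newest_kernel "$SAMPLE_ALL" "$SAMPLE_DEFAULT"
}
# Live run (needs root for parted/dmesg). Assumed defaults: /dev/nvme0n1 on the m7 UEFI
# instances; pass /dev/xvda for the t2 BIOS instance, and the expected root size as $2.
run_live_checks() {
  disk=${1:-/dev/nvme0n1}; rc=0
  check_root_partition_fills_disk "$(parted -s -a optimal "$disk" -- unit MiB print)" || { echo "FAIL 1.1"; rc=1; }
  check_root_fs_size "$(df -h)" "${2:-42G}" || { echo "FAIL 1.2"; rc=1; }
  check_default_is_newest_kernel "$(grubby --info=ALL)" "$(grubby --info=DEFAULT)" || { echo "FAIL 2.6"; rc=1; }
  check_secure_boot_enforced "$(mokutil --sb-state)" "$(dmesg)" || { echo "FAIL secureboot"; rc=1; }
  return $rc
}
if [ "${1:-}" = "--live" ]; then run_live_checks "$2" "$3"; else self_check && echo "offline self-check passed"; fi
```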