CP-12082 Install and configure systemd-boot during appliance image build

CP-12084 Enable EFI firmware boot for ESX
CP-12483 Handle upgrade scenarios, EFI to EFI and BIOS to BIOS

PR URL: https://www.github.com/delphix/appliance-build/pull/816

Author: tonynguien

live-build/config/hooks/vm-artifacts/90-raw-disk-image.binary

@@ -89,17 +89,16 @@ truncate -s "${RAW_DISK_SIZE_GB}G" "$ARTIFACT_NAME.img"
 sgdisk --zap-all "$ARTIFACT_NAME.img"
 
 #
-# Here we're creating the boot partition. When installing grub, this
-# partition will be used and automatically detected by "grub-install"
-# based on the partitions typecode. This partition is required since we're
-# partitioning using GPT; if we used MBR, an explicit boot partition
-# wouldn't be required. Also we leave the first 1MB unallocated since
-# some clouds (i.e. Azure)  may require space for their own internal
-# purposes.
+# Here we're creating the boot partition. A 250MB EFI boot partition should
+# be sufficient to store 5 initrd and vmlinuz versions (if necessary). GRUB
+# files are ~11MB, initrd and vmlinuz are ~40MB, and all boot loaders EFI
+# directory are under 500K.
 #
-sgdisk "$ARTIFACT_NAME.img" \
-	--set-alignment=1 --new=2:1m:+1m --typecode=2:EF02
-
+# Also we leave the first 1MB unallocated since some clouds (i.e. Azure) may
+# require space for their own internal purposes.
+#
+sgdisk "$ARTIFACT_NAME.img" --set-alignment=1 \
+	--new=2:1m:+250m --typecode=2:EF00 -c:2:"EFI Boot"
 #
 # Now we create the partition that we'll use for the zpool that will be
 # used for the root pool. We use a generic typecode for this partition
@@ -293,6 +292,9 @@ mount -t zfs "$FSNAME/ROOT/$FSNAME/vartmp" "$DIRECTORY/var/tmp"
 mkdir -p "/var/crash"
 mount -t zfs "$FSNAME/crashdump" "/var/crash"
 
+# Make the vfat partition
+mkfs.vfat -F32 /dev/mapper/${LOOPNAME}p2
+
 #
 # Populate the root filesystem with the contents of the "binary" directory
 # that (we assume) was previously generated by live-build.
@@ -343,13 +345,46 @@ for dir in /dev /proc /sys; do
 done
 
 #
-# We need to use the dedicated grub dataset when running "grub-install"
-# and "grub-mkconfig", so we need to mount this dataset first.
+# Mount /boot/efi and do grub and bootctl install
 #
-chroot "$DIRECTORY" mount -t zfs "$FSNAME/grub" /mnt
-chroot "$DIRECTORY" grub-install --root-directory=/mnt "/dev/$LOOPNAME"
-chroot "$DIRECTORY" grub-mkconfig -o /mnt/boot/grub/grub.cfg
-chroot "$DIRECTORY" umount /mnt
+EFI_DIR="/mnt/boot/efi"
+chroot "$DIRECTORY" mkdir -p $EFI_DIR
+chroot "$DIRECTORY" mount /dev/mapper/${LOOPNAME}p2 $EFI_DIR
+
+# Copy the latest kernel into EFI boot directory
+chroot "$DIRECTORY" cp /boot/initrd.img $EFI_DIR
+chroot "$DIRECTORY" cp /boot/vmlinuz $EFI_DIR
+chroot "$DIRECTORY" bootctl --esp-path=$EFI_DIR install --no-variables
+
+# Use GRUB_CMDLINE_LINUX_DEFAULT boot options
+source $DIRECTORY/etc/default/grub.d/override.cfg
+cat <<-EOF >"${DIRECTORY}/${EFI_DIR}/loader/entries/delphix.conf"
+title   Delphix Engine
+linux   /vmlinuz
+initrd  /initrd.img
+options root=ZFS=rpool/ROOT/${FSNAME}/root ro $GRUB_CMDLINE_LINUX_DEFAULT
+EOF
+
+# Single user mode. Need the console options from GRUB
+console_options=$(awk -F'"' '/console=tty/ {print $2}' $DIRECTORY/etc/default/grub.d/override.cfg)
+cat <<-EOF >"${DIRECTORY}/${EFI_DIR}/loader/entries/delphix-single.conf"
+title   Delphix Engine Single User mode
+linux   /vmlinuz
+initrd  /initrd.img
+options root=ZFS=rpool/ROOT/${FSNAME}/root ro single ${console_options} nomodeset dis_ucode_ldr
+EOF
+
+# Set loader configurations
+cat <<-EOF >"${DIRECTORY}/${EFI_DIR}/loader/loader.conf"
+timeout 10
+console-mode max
+default delphix.conf
+editor yes
+auto-entries yes
+auto-firmware yes
+EOF
+
+chroot "$DIRECTORY" umount $EFI_DIR
 
 for dir in /dev /proc /sys; do
 	retry 5 10 umount -R "${DIRECTORY}${dir}"

live-build/config/hooks/vm-artifacts/template.ovf

@@ -132,7 +132,8 @@
       </Item>
       <vmw:Config ovf:required="false" vmw:key="cpuHotAddEnabled" vmw:value="true"/>
       <vmw:Config ovf:required="false" vmw:key="cpuHotRemoveEnabled" vmw:value="false"/>
-      <vmw:Config ovf:required="false" vmw:key="firmware" vmw:value="bios"/>
+      <vmw:Config ovf:required="false" vmw:key="firmware" vmw:value="efi"/>
+      <vmw:Config ovf:required="false" vmw:key="bootOptions.efiSecureBootEnabled" vmw:value="false"/>
       <vmw:Config ovf:required="false" vmw:key="virtualICH7MPresent" vmw:value="false"/>
       <vmw:Config ovf:required="false" vmw:key="virtualSMCPresent" vmw:value="false"/>
       <vmw:Config ovf:required="false" vmw:key="memoryHotAddEnabled" vmw:value="true"/>

upgrade/upgrade-scripts/common.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2018 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,6 +19,8 @@
 UPDATE_DIR="/var/dlpx-update"
 LOG_DIRECTORY="/var/tmp/delphix-upgrade"
 HOTFIX_PATH="/etc/hotfix"
+EFI_DIR="/boot/efi"
+EFI_PARTITION_UUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"
 
 #
 # The virtualization service uses a different umask than the default. Thus to
@@ -376,6 +378,10 @@ function verify_upgrade_not_in_progress() {
 	[[ -z "$UPGRADE_TYPE" ]] || die "upgrade currently in-progress"
 }
 
+function is_bootmode_uefi() {
+	[ -d /sys/firmware/efi/efivars ] && return 0 || return 1
+}
+
 function mask_service() {
 	local svc="$1"
 	local container="$2"

upgrade/upgrade-scripts/rootfs-container

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2019 Delphix
+# Copyright 2019, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -83,15 +83,19 @@ function get_bootloader_devices() {
 	# devices. We determine this by listing the devices used by the
 	# rpool. Additionally, we have to filter out devices that could
 	# be attached to the rpool, but would never be used for the
-	# bootloader. Finally, we need to strip off any parition
+	# bootloader. Finally, we need to strip off any partition
 	# information, since we want to install the bootloader directly
 	# to the device, rather than to a partition of the device.
 	#
 	zpool list -vH rpool |
 		awk '! /rpool|mirror|replacing|spare/ {print $1}' |
 		while read -r part; do
+		  # Skip if device doesn't exist or is not a block device
+			[[ -e "/dev/$dev" ]] || continue
+			[[ -b "/dev/$dev" ]] || continue
+
 			#
-			# If the rpool is not installed a parition, we throw
+			# If the rpool is not installed a partition, we throw
 			# an error. We expect this to never happen, and the
 			# calling code is likely untested in that case, so we
 			# throw an error rather than try to handle it.
@@ -102,6 +106,44 @@ function get_bootloader_devices() {
 		done
 }
 
+function mount_efi() {
+  #
+  # Find and mount the device and partition with EFI UUID
+  #
+  for dev in $(get_bootloader_devices); do
+    for part in $(lsblk -ln -o NAME,FSTYPE,PARTTYPE "/dev/$dev" | grep vfat | awk '{print $1}'); do
+      part_path="/dev/$part"
+      part_type=$(blkid -s PARTTYPE -o value "$part_path")
+      if [[ "$part_type" == $EFI_PARTITION_UUID ]]; then
+        mount $part_path $EFI_DIR
+          return
+      fi
+    done
+  done
+}
+
+function update_systemd_boot_entries() {
+	cp "${EFI_DIR}/loader/entries/delphix.conf" "${EFI_DIR}/loader/entries/delphix.conf.bak"
+	cp "${EFI_DIR}/loader/entries/delphix-single.conf" "${EFI_DIR}/loader/entries/delphix-single.conf.bak"
+
+	# Update default and single user entries
+	source /etc/default/grub.d/override.cfg
+	cat <<-EOF >"${EFI_DIR}/loader/entries/delphix.conf"
+	title   Delphix Engine
+	linux   /vmlinuz
+	initrd  /initrd.img
+	options root=ZFS=rpool/ROOT/${CONTAINER}/root ro $GRUB_CMDLINE_LINUX_DEFAULT
+	EOF
+
+	# Single user entry
+	cat <<-EOF >"${EFI_DIR}/loader/entries/delphix-single.conf"
+	title   Delphix Engine Single User mode
+	linux   /vmlinuz
+	initrd  /initrd.img
+	options root=ZFS=rpool/ROOT/${CONTAINER}/root ro single nomodeset dis_ucode_ldr
+	EOF
+}
+
 function set_bootfs_not_mounted_cleanup() {
 	umount "/var/lib/machines/$CONTAINER/mnt" ||
 		warn "'umount' of '/var/lib/machines/$CONTAINER/mnt' failed"
@@ -147,30 +189,33 @@ function set_bootfs_not_mounted() {
 
 	PLATFORM=$(get-appliance-platform)
 
-	for dev in $(get_bootloader_devices); do
-		[[ -e "/dev/$dev" ]] ||
-			die "bootloader device '/dev/$dev' not found"
-
-		[[ -b "/dev/$dev" ]] ||
-			die "bootloader device '/dev/$dev' not block device"
-
-		opts="--root-directory=/mnt"
-
-		if [[ "$PLATFORM" == "esx" ]] || [[ "$PLATFORM" == "oci" ]]; then
-			opts+=" --debug-image=all"
-			opts+=" -v"
-		fi
+	# If using EFI firmware, update boot entries, vmlinuz, initrd, and bootloader
+	if is_bootmode_uefi; then
+    mount_efi()
+		update_systemd_boot_entries
+		cp "/var/lib/machines/${CONTAINER}/boot/initrd.img" "$EFI_DIR"
+		cp "/var/lib/machines/${CONTAINER}/boot/vmlinuz" "$EFI_DIR"
+		chroot "/var/lib/machines/$CONTAINER" bootctl update
+		umount $EFI_DIR
+	else
+		for dev in $(get_bootloader_devices); do
+			opts="--root-directory=/mnt"
+
+			if [[ "$PLATFORM" == "esx" ]] || [[ "$PLATFORM" == "oci" ]]; then
+				opts+=" --debug-image=all"
+				opts+=" -v"
+			fi
+
+			# shellcheck disable=SC2086
+			chroot "/var/lib/machines/$CONTAINER" \
+				grub-install $opts "/dev/$dev" ||
+				die "'grub-install' for '$dev' failed in '$CONTAINER'"
+		done
 
-		# shellcheck disable=SC2086
 		chroot "/var/lib/machines/$CONTAINER" \
-			grub-install $opts "/dev/$dev" ||
-			die "'grub-install' for '$dev' failed in '$CONTAINER'"
-	done
-
-	chroot "/var/lib/machines/$CONTAINER" \
-		grub-mkconfig -o /mnt/boot/grub/grub.cfg ||
-		die "'grub-mkconfig' failed in '$CONTAINER'"
-
+			grub-mkconfig -o /mnt/boot/grub/grub.cfg ||
+			die "'grub-mkconfig' failed in '$CONTAINER'"
+	fi
 	set_bootfs_not_mounted_cleanup
 	trap - EXIT
 
@@ -211,28 +256,31 @@ function set_bootfs_mounted() {
 
 	PLATFORM=$(get-appliance-platform)
 
-	for dev in $(get_bootloader_devices); do
-		[[ -e "/dev/$dev" ]] ||
-			die "bootloader device '/dev/$dev' not found"
-
-		[[ -b "/dev/$dev" ]] ||
-			die "bootloader device '/dev/$dev' not block device"
-
-		opts="--root-directory=/mnt"
-
-		if [[ "$PLATFORM" == "esx" ]] || [[ "$PLATFORM" == "oci" ]]; then
-			opts+=" --debug-image=all"
-			opts+=" -v"
-		fi
-
-		# shellcheck disable=SC2086
-		grub-install $opts "/dev/$dev" ||
-			die "'grub-install' for '$dev' failed in '$CONTAINER'"
-	done
-
-	grub-mkconfig -o /mnt/boot/grub/grub.cfg ||
-		die "'grub-mkconfig' failed in '$CONTAINER'"
+	# If using EFI firmware, update boot entries, vmlinuz, initrd, and bootloader
+	if is_bootmode_uefi; then
+	  mount_efi()
+		update_systemd_boot_entries
+		cp /boot/initrd.img "$EFI_DIR"
+		cp /boot/vmlinuz "$EFI_DIR"
+		bootctl update
+		umount $EFI_DIR
+	else
+		for dev in $(get_bootloader_devices); do
+			opts="--root-directory=/mnt"
+
+			if [[ "$PLATFORM" == "esx" ]] || [[ "$PLATFORM" == "oci" ]]; then
+				opts+=" --debug-image=all"
+				opts+=" -v"
+			fi
+
+			# shellcheck disable=SC2086
+			grub-install $opts "/dev/$dev" ||
+				die "'grub-install' for '$dev' failed in '$CONTAINER'"
+		done
 
+		grub-mkconfig -o /mnt/boot/grub/grub.cfg ||
+			die "'grub-mkconfig' failed in '$CONTAINER'"
+	fi
 	set_bootfs_mounted_cleanup
 	trap - EXIT
 }
@@ -367,7 +415,7 @@ set-bootfs)
 	# We only have a single bootloader on any given appliance, so we
 	# need to ensure that only a single process is attempting to
 	# update the bootloader at any given time. The locking done here
-	# is to help prevent accidential corruption of the bootloader,
+	# is to help prevent accidental corruption of the bootloader,
 	# by ensuring only a single invocation of this script can set
 	# the boot filesystem at any given time.
 	#