Working with the GRUB 2 Boot Loader
Introduction to GRUB 2
GRUB 2 reads its configuration from the /boot/grub2/grub.cfg file on traditional BIOS-based machines and from the /boot/efi/EFI/fedora/grub.cfg file on UEFI machines. This file contains menu information.
The GRUB 2 configuration file, grub.cfg, is generated during installation, or by invoking the /usr/sbin/grub2-mkconfig utility, and is automatically updated by grubby each time a new kernel is installed. When regenerated manually using grub2-mkconfig, the file is generated according to the template files located in /etc/grub.d/, and custom settings in the /etc/default/grub file. Edits of grub.cfg will be lost any time grub2-mkconfig is used to regenerate the file, so care must be taken to reflect any manual changes in /etc/default/grub as well.
Normal operations on grub.cfg, such as the removal and addition of new kernels, should be done using the grubby tool and, for scripts, using the new-kernel-pkg tool. If you use grubby to modify the default kernel the changes will be inherited when new kernels are installed. For more information on grubby, see Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool.
The /etc/default/grub file is used by the grub2-mkconfig tool, which is used by anaconda when creating grub.cfg during the installation process, and can be used in the event of a system failure, for example if the boot loader configuration needs to be recreated. In general, it is not recommended to replace the grub.cfg file by manually running grub2-mkconfig except as a last resort. Note that any manual changes to /etc/default/grub require rebuilding the grub.cfg file.
Among various code snippets and directives, the grub.cfg configuration file contains one or more menuentry blocks, each representing a single GRUB 2 boot menu entry. These blocks always start with the menuentry keyword followed by a title, a list of options, and an opening curly bracket, and end with a closing curly bracket. Anything between the opening and closing bracket should be indented. For example, the following is a sample menuentry block for Fedora Rawhide with Linux kernel 3.17.4-301.fc21.x86_64:
menuentry 'Fedora, with Linux 3.17.4-301.fc21.x86_64' --class fedora --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.17.4-301.fc21.x86_64-advanced-effee860-8d55-4e4a-995e-b4c88f9ac9f0' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' f19c92f4-9ead-4207-b46a-723b7a2c51c8
        else
          search --no-floppy --fs-uuid --set=root f19c92f4-9ead-4207-b46a-723b7a2c51c8
        fi
        linux16 /vmlinuz-3.17.4-301.fc21.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root rhgb quiet LANG=en_US.UTF-8
        initrd16 /initramfs-3.17.4-301.fc21.x86_64.img
}
Each menuentry block that represents an installed Linux kernel contains linux on 64-bit IBM POWER Series, linux16 on x86_64 BIOS-based systems, and linuxefi on UEFI-based systems. Then the initrd directives followed by the path to the kernel and the initramfs image respectively. If a separate /boot partition was created, the paths to the kernel and the initramfs image are relative to /boot. In the example above, the initrd /initramfs-3.17.4-301.fc21.x86_64.img line means that the initramfs image is actually located at /boot/initramfs-3.17.4-301.fc21.x86_64.img when the root file system is mounted, and likewise for the kernel path.
The kernel version number as given on the linux16 /vmlinuz-kernel_version line must match the version number of the initramfs image given on the initrd /initramfs-kernel_version.img line of each menuentry block. For more information on how to verify the initial RAM disk image, see Verifying the Initial RAM Disk Image.
In the block For information on using Dracut, see Verifying the Initial RAM Disk Image.
Configuring the GRUB 2 Boot Loader
Changes to the GRUB 2 menu can be made temporarily at boot time, made persistent for a single system while the system is running, or as part of making a new GRUB 2 configuration file.
- To make non-persistent changes to the GRUB 2 menu, see Making Temporary Changes to a GRUB 2 Menu.
- To make persistent changes to a running system, see Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool.
- For information on making and customizing a GRUB 2 configuration file, see Customizing the GRUB 2 Configuration File.
Making Temporary Changes to a GRUB 2 Menu
To change kernel parameters only during a single boot process, proceed as follows:
- Start the system and, on the GRUB 2 boot screen, move the cursor to the menu entry you want to edit, and press the e key for edit.
- Move the cursor down to find the kernel command line. The kernel command line starts with linux on 64-Bit IBM Power Series, linux16 on x86-64 BIOS-based systems, or linuxefi on UEFI systems.
- Move the cursor to the end of the line.
  Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.
- Edit the kernel parameters as required. For example, to run the system in emergency mode, add the emergency parameter at the end of the linux16 line:
linux16 /vmlinuz-4.2.0-1.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.md=0 rd.dm=0 rd.lvm.lv=fedora/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=fedora/root rhgb quiet emergency
  The rhgb and quiet parameters can be removed in order to enable system messages.
These settings are not persistent and apply only for a single boot. To make persistent changes to a menu entry on a system, use the grubby tool. See Adding and Removing Arguments from a GRUB Menu Entry for more information on using grubby.
Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool
The grubby tool can be used to read information from, and make persistent changes to, the grub.cfg file. It enables, for example, changing GRUB menu entries to specify what arguments to pass to a kernel on system start and changing the default kernel.
In Red Hat Enterprise Linux 7, if grubby is invoked manually without specifying a GRUB configuration file, it defaults to searching for /etc/grub2.cfg, which is a symbolic link to the grub.cfg file, whose location is architecture dependent. If that file cannot be found it will search for an architecture dependent default.
To find out the file name of the default kernel, enter a command as follows:
~]# grubby --default-kernel
/boot/vmlinuz-4.2.0-1.fc23.x86_64
To find out the index number of the default kernel, enter a command as follows:
~]# grubby --default-index
0
To make a persistent change in the kernel designated as the default kernel, use the grubby command as follows:
~]# grubby --set-default /boot/vmlinuz-4.2.0-1.fc23.x86_64
To list all the kernel menu entries, enter a command as follows:
~]$ grubby --info=ALL
On UEFI systems, all grubby commands must be entered as root.
To view the GRUB menu entry for a specific kernel, enter a command as follows:
~]$ grubby --info /boot/vmlinuz-4.2.0-1.fc23.x86_64
index=0
kernel=/boot/vmlinuz-4.2.0-1.fc23.x86_64
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap rhgb quiet LANG=en_US.UTF-8"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.2.0-1.fc23.x86_64.img
title=Fedora (4.2.0-1.fc23.x86_64) 23 (Workstation Edition)
Try tab completion to see the available kernels within the /boot/ directory.
The --update-kernel option can be used to update a menu entry when used in combination with --args to add new arguments and --remove-args to remove existing arguments. These options accept a quoted space-separated list. The command to simultaneously add and remove arguments from a GRUB menu entry has the following format:
grubby --remove-args="argX argY" --args="argA argB" --update-kernel /boot/kernel
To add and remove arguments from a kernel’s GRUB menu entry, use a command as follows:
~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,115200 --update-kernel /boot/vmlinuz-4.2.0-1.fc23.x86_64
This command removes the Red Hat graphical boot argument, enables boot messages to be seen, and adds a serial console. As the console arguments will be added at the end of the line, the new console will take precedence over any other consoles configured.
To review the changes, use the --info command option as follows:
~]# grubby --info /boot/vmlinuz-4.2.0-1.fc23.x86_64
index=0
kernel=/boot/vmlinuz-4.2.0-1.fc23.x86_64
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap LANG=en_US.UTF-8 console=ttyS0,115200"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.2.0-1.fc23.x86_64.img
title=Fedora (4.2.0-1.fc23.x86_64) 23 (Workstation Edition)
To add the same kernel boot arguments to all the kernel menu entries, enter a command as follows:
~]# grubby --update-kernel=ALL --args=console=ttyS0,115200
The --update-kernel parameter also accepts DEFAULT or a comma separated list of kernel index numbers.
To change a value in an existing kernel argument, specify the argument again, changing the value as required. For example, if the virtual console font size has been set to latarcyrheb-sun16 and you want to change the virtual console font size to 32, use a command as follows:
~]# grubby --args=vconsole.font=latarcyrheb-sun32 --update-kernel /boot/vmlinuz-4.2.0-1.fc23.x86_64
index=0
kernel=/boot/vmlinuz-4.2.0-1.fc23.x86_64
args="ro rd.lvm.lv=fedora/root crashkernel=auto rd.lvm.lv=fedora/swap vconsole.font=latarcyrheb-sun32 vconsole.keymap=us LANG=en_US.UTF-8"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.2.0-1.fc23.x86_64.img
title=Fedora (4.2.0-1.fc23.x86_64) 23 (Workstation Edition)
See the grubby(8) manual page for more command options.
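Because parameters typed at the boot menu apply only to that boot, the running command line in /proc/cmdline can be checked against the persistent arguments that grubby reports. The following is an added example, not part of the original guide: the function names and sample strings are constructed, and it assumes /proc/cmdline carries a BOOT_IMAGE= token that the args= line from grubby does not.

```sh
#!/bin/sh
# Added example (not from the original guide): report kernel parameters that
# differ between the persistent GRUB 2 configuration and the running system.

# Constructed sample data, modelled on the grubby --info output shown above:
# the configured entry, and a boot where "emergency" was typed at the menu
# and "rhgb quiet" were removed.
SAMPLE_CONFIGURED='root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap rhgb quiet LANG=en_US.UTF-8'
SAMPLE_RUNNING='BOOT_IMAGE=/vmlinuz-4.2.0-1.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap LANG=en_US.UTF-8 emergency'

# cmdline_drift CONFIGURED RUNNING
# Prints "+token" for a parameter present only at run time and "-token" for a
# configured parameter that is missing at run time. The body is a subshell so
# that "set -f" (no glob expansion of tokens) does not leak to the caller.
cmdline_drift() (
    set -f
    configured=$1
    running=$2
    for tok in $running; do
        # Assumption: BOOT_IMAGE= is added by the boot loader, not by args=.
        case $tok in BOOT_IMAGE=*) continue ;; esac
        case " $configured " in
            *" $tok "*) ;;
            *) printf '%s\n' "+$tok" ;;
        esac
    done
    for tok in $configured; do
        case " $running " in
            *" $tok "*) ;;
            *) printf '%s\n' "-$tok" ;;
        esac
    done
)

# classify_token TOKEN
# Labels the boot parameters this guide describes; everything else is "other".
classify_token() {
    case $1 in
        systemd.unit=rescue.target|1|s|single) echo rescue-mode ;;
        systemd.unit=emergency.target|emergency|-b) echo emergency-mode ;;
        rd.break|rd.break=*) echo initramfs-break ;;
        console=*) echo console-redirect ;;
        *) echo other ;;
    esac
}

# drift_report CONFIGURED RUNNING
# One line per difference: the signed token followed by its label.
drift_report() {
    cmdline_drift "$1" "$2" | while IFS= read -r line; do
        printf '%s %s\n' "$line" "$(classify_token "${line#?}")"
    done
}

# configured_args
# Persistent arguments of the default kernel: the args= and root= lines of
# grubby --info, joined into one space-separated string.
configured_args() {
    grubby --info "$(grubby --default-kernel)" |
        sed -n -e 's/^args="\(.*\)"$/\1/p' -e 's/^root=\(.*\)$/root=\1/p' |
        tr '\n' ' '
}

# Live use, as root on the installed system: sh cmdline-drift.sh --live
if [ "${1:-}" = "--live" ]; then
    drift_report "$(configured_args)" "$(cat /proc/cmdline)"
fi
```

An empty report means the system booted with exactly the configured arguments; tokens that contain spaces inside quotes are not handled.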
Customizing the GRUB 2 Configuration File
GRUB 2 scripts search the user’s computer and build a boot menu based on what operating systems the scripts find. To reflect the latest system boot options, the boot menu is rebuilt automatically when the kernel is updated or a new kernel is added.
However, users may want to build a menu containing specific entries or to have the entries in a specific order. GRUB 2 allows basic customization of the boot menu to give users control of what actually appears on the screen.
GRUB 2 uses a series of scripts to build the menu; these are located in the /etc/grub.d/ directory. The following files are included:
- 00_header, which loads GRUB 2 settings from the /etc/default/grub file.
- 01_users, which is created only when a boot loader password is assigned in a kickstart file.
- 10_linux, which locates kernels in the default partition of Fedora.
- 30_os-prober, which builds entries for operating systems found on other partitions.
- 40_custom, a template, which can be used to create additional menu entries.
Scripts from the /etc/grub.d/ directory are read in alphabetical order and can therefore be renamed to change the boot order of specific menu entries.
With the |
Changing the Default Boot Entry
By default, the key for the GRUB_DEFAULT directive in the /etc/default/grub file is the word saved. This instructs GRUB 2 to load the kernel specified by the saved_entry directive in the GRUB 2 environment file, located at /boot/grub2/grubenv. You can set another GRUB record to be the default, using the grub2-set-default command, which will update the GRUB 2 environment file.
By default, the saved_entry value is set to the name of the latest installed kernel of package type kernel. This is defined in /etc/sysconfig/kernel by the UPDATEDEFAULT and DEFAULTKERNEL directives. The file can be viewed by the root user as follows:
~]# cat /etc/sysconfig/kernel
# UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes
# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel-core
The DEFAULTKERNEL directive specifies what package type will be used as the default. Installing a package of type kernel-debug will not change the default kernel while DEFAULTKERNEL is set to package type kernel.
GRUB 2 supports using a numeric value as the key for the saved_entry directive to change the default order in which the operating systems are loaded. To specify which operating system should be loaded first, pass its number to the grub2-set-default command. For example:
~]# grub2-set-default 2
Note that the position of a menu entry in the list is denoted by a number starting with zero; therefore, in the example above, the third entry will be loaded. This value will be overwritten by the name of the next kernel to be installed.
To force a system to always use a particular menu entry, use the menu entry name as the key to the GRUB_DEFAULT directive in the /etc/default/grub file. To list the available menu entries, run the following command as root:
~]# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg
The file name /etc/grub2.cfg is a symlink to the grub.cfg file, whose location is architecture dependent. For reliability reasons, the symlink is not used in other examples in this chapter. It is better to use absolute paths when writing to a file, especially when repairing a system.
Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:
- On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
- On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
Editing a Menu Entry
If required to prepare a new GRUB 2 file with different parameters, edit the values of the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. Note that you can specify multiple parameters for the GRUB_CMDLINE_LINUX key. For example:
GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,9600n8"
Where console=tty0 is the first virtual terminal and console=ttyS0 is the serial terminal to be used.
Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:
- On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
- On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
Adding a New Entry
When executing the grub2-mkconfig command, GRUB 2 searches for Linux kernels and other operating systems based on the files located in the /etc/grub.d/ directory. The /etc/grub.d/10_linux script searches for installed Linux kernels on the same partition. The /etc/grub.d/30_os-prober script searches for other operating systems. Menu entries are also automatically added to the boot menu when updating the kernel.
The 40_custom file located in the /etc/grub.d/ directory is a template for custom entries and looks as follows:
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
This file can be edited or copied. Note that as a minimum, a valid menu entry must include at least the following:
menuentry "<Title>"{
<Data>
}
Creating a Custom Menu
If you do not want menu entries to be updated automatically, you can create a custom menu.
Before proceeding, back up the contents of the |
Note that modifying the |
- On BIOS-based machines, copy the contents of /boot/grub2/grub.cfg, or, on UEFI machines, copy the contents of /boot/efi/EFI/fedora/grub.cfg. Put the content of the grub.cfg into the /etc/grub.d/40_custom file below the existing header lines. The executable part of the 40_custom script has to be preserved.
- From the content put into the /etc/grub.d/40_custom file, only the menuentry blocks are needed to create the custom menu. The /boot/grub2/grub.cfg and /boot/efi/EFI/fedora/grub.cfg files might contain function specifications and other content above and below the menuentry blocks. If you put these unnecessary lines into the 40_custom file in the previous step, erase them.
This is an example of a custom 40_custom script:
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
menuentry 'First custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.2.0-1.fc23.x86_64-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod xfs
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        else
          search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        fi
        linux16 /vmlinuz-4.2.0-1.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=fedora/swap vconsole.keymap=us crashkernel=auto rhgb quiet LANG=en_US.UTF-8
        initrd16 /initramfs-4.2.0-1.fc23.x86_64.img
}
menuentry 'Second custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {
        load_video
        insmod gzio
        insmod part_msdos
        insmod xfs
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1' 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        else
          search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        fi
        linux16 /vmlinuz-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=fedora/swap vconsole.keymap=us crashkernel=auto rhgb quiet
        initrd16 /initramfs-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c.img
}
- Remove all files from the /etc/grub.d directory except the following:
  - 00_header,
  - 40_custom,
  - 01_users (if it exists),
  - and README.
  Alternatively, if you want to keep the files in the /etc/grub.d/ directory, make them unexecutable by running the chmod a-x <file_name> command.
- Edit, add, or remove menu entries in the 40_custom file as desired.
- Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:
  - On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  - On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
GRUB 2 Password Protection
GRUB 2 supports both plain-text and encrypted passwords in the GRUB 2 template files. To enable the use of passwords, specify a superuser who can reach the protected entries. Other users can be specified to access these entries as well. Menu entries can be password-protected for booting by adding one or more users to the menu entry as described in Setting Up Users and Password Protection, Specifying Menu Entries. To use encrypted passwords, see Password Encryption.
If you do not use the correct format for the menu, or modify the configuration in an incorrect way, you might be unable to boot your system.
All menu entries can be password-protected against changes by setting superusers, which can be done in the /etc/grub.d/00_header or the /etc/grub.d/01_users file. The 00_header file is very complicated and, if possible, avoid making modifications in this file. Menu entries should be placed in the /etc/grub.d/40_custom file and users in the /etc/grub.d/01_users file. The 01_users file is generated by the installation application anaconda when a GRUB boot loader password is used in a kickstart template (but it should be created and used if it does not exist). Examples in this section adopt this policy.
Setting Up Users and Password Protection, Specifying Menu Entries
- To specify a superuser, add the following lines in the /etc/grub.d/01_users file, where john is the name of the user designated as the superuser, and johnspassword is the superuser’s password:
cat <<EOF
set superusers="john"
password john johnspassword
EOF
- To allow other users to access the menu entries, add additional lines per user at the end of the /etc/grub.d/01_users file.
cat <<EOF
set superusers="john"
password john johnspassword
password jane janespassword
EOF
- When the users and passwords are set up, specify the menu entries that should be password-protected in the /etc/grub.d/40_custom file in a similar fashion to the following:
menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
set root=(hd0,msdos1)
linux /vmlinuz
}
menuentry 'Fedora' --users jane {
set root=(hd0,msdos2)
linux /vmlinuz
}
menuentry 'Red Hat Enterprise Linux Workstation' {
set root=(hd0,msdos3)
linux /vmlinuz
}
In the above example:
- john is the superuser and can therefore boot any menu entry, use the GRUB 2 command line, and edit items of the GRUB 2 menu during boot. In this case, john can access Red Hat Enterprise Linux Server, Fedora, and Red Hat Enterprise Linux Workstation. Note that only john can access Red Hat Enterprise Linux Workstation because neither the --users nor the --unrestricted option has been used.
- User jane can boot Fedora since she was granted the permission in the configuration.
- Anyone can boot Red Hat Enterprise Linux Server, because of the --unrestricted option, but only john can edit the menu entry, as a superuser has been defined. When a superuser is defined, all records are protected against unauthorized changes and all records are protected for booting if they do not have the --unrestricted parameter.
If you do not specify a user for a menu entry, or make use of the --unrestricted option, then only the superuser will have access to the system.
After you have made changes in the template file, the GRUB 2 configuration file must be updated.
Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:
- On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
- On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
Password Encryption
By default, passwords are saved in plain text in GRUB 2 scripts. Although the files cannot be accessed on boot without the correct password, security can be improved by encrypting the password using the grub2-mkpasswd-pbkdf2 command. This command converts a desired password into a long hash, which is placed in the GRUB 2 scripts instead of the plain-text password.
- To generate an encrypted password, run the grub2-mkpasswd-pbkdf2 command on the command line as root.
- Enter the desired password when prompted and repeat it. The command then outputs your password in an encrypted form.
- Copy the hash, and paste it in the template file where you configured the users, that is, either in /etc/grub.d/01_users or /etc/grub.d/40_custom.
The following format applies for the 01_users file:
cat <<EOF
set superusers="john"
password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
EOF
The following format applies for the 40_custom file:
set superusers="john"
password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
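The access rules for --unrestricted and --users and the difference between password and password_pbkdf2 can be checked mechanically. The following audit is an added example, not part of the original guide; the function names, output labels and sample configuration (built from this section's john and jane examples, with a placeholder hash) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original guide): audit GRUB 2 user and menu-entry
# protection in 01_users, 40_custom or a generated grub.cfg.

# audit_grub_users [FILE...]   (reads standard input when no file is given)
# Output: one FAIL/OK line per finding, then one ENTRY line per menuentry
# stating who may boot it and who may edit it at the boot menu.
audit_grub_users() {
    awk -v sq="'" '
    BEGIN { quote = "[\"" sq "]" }          # regex matching either quote mark
    /^[ \t]*set[ \t]+superusers=/ {
        supers = $0
        sub(/^[^=]*=/, "", supers)          # keep the value after the "="
        gsub(quote, "", supers)
        sub(/[ \t]+$/, "", supers)
        next
    }
    $1 == "password"        { plain[++np] = $2; next }   # plain-text secret
    $1 == "password_pbkdf2" { hashed[++nh] = $2; next }  # PBKDF2 hash
    $1 == "menuentry" {
        rest = $0
        p = match(rest, quote)              # title is the first quoted string
        if (p == 0) next
        q = substr(rest, p, 1)
        rest = substr(rest, p + 1)
        e = index(rest, q)
        if (e == 0) next
        n++
        title[n] = substr(rest, 1, e - 1)
        opts = substr(rest, e + 1)          # options follow the title
        unres[n] = (opts ~ /--unrestricted/)
        users[n] = ""
        if (match(opts, /--users[ \t=]+[^ \t{]+/)) {
            u = substr(opts, RSTART, RLENGTH)
            sub(/--users[ \t=]+/, "", u)
            gsub(quote, "", u)
            users[n] = u
        }
    }
    END {
        for (i = 1; i <= np; i++) print "FAIL plaintext password for user " plain[i]
        for (i = 1; i <= nh; i++) print "OK pbkdf2 hash for user " hashed[i]
        if (supers == "") print "FAIL superusers not set, no entry is protected"
        else print "OK superusers=" supers
        for (i = 1; i <= n; i++) {
            if (supers == "" || unres[i]) who = "anyone"
            else if (users[i] != "") who = supers "," users[i]
            else who = supers
            edit = (supers == "") ? "anyone" : supers
            print "ENTRY [" title[i] "] boot=" who " edit=" edit
        }
    }
    ' "$@"
}

# sample_config: constructed input combining the 01_users and 40_custom
# examples of this section; the hash is a placeholder, not a real value.
sample_config() {
    cat <<'SAMPLE'
cat <<EOF
set superusers="john"
password john johnspassword
password_pbkdf2 jane grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
EOF
menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
set root=(hd0,msdos1)
linux /vmlinuz
}
menuentry 'Fedora' --users jane {
set root=(hd0,msdos2)
linux /vmlinuz
}
menuentry 'Red Hat Enterprise Linux Workstation' {
set root=(hd0,msdos3)
linux /vmlinuz
}
SAMPLE
}

# With file arguments, audit those files; otherwise only define the functions.
[ "$#" -eq 0 ] || audit_grub_users "$@"
```

Run it as root against the generated file, for example audit_grub_users /boot/grub2/grub.cfg, after each grub2-mkconfig run; sample_config | audit_grub_users shows the report for the constructed input.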
Reinstalling GRUB 2
Reinstalling GRUB 2 is a convenient way to fix certain problems usually caused by an incorrect installation of GRUB 2, missing files, or a broken system. Other reasons to reinstall GRUB 2 include the following:
- Upgrading from the previous version of GRUB.
- The user requires the GRUB 2 boot loader to control installed operating systems. However, some operating systems are installed with their own boot loaders. Reinstalling GRUB 2 returns control to the desired operating system.
- Adding the boot information to another drive.
Reinstalling GRUB 2 on BIOS-Based Machines
When using the grub2-install command, the boot information is updated and missing files are restored. Note that the files are restored only if they are not corrupted.
Use the grub2-install device command to reinstall GRUB 2 if the system is operating normally. For example, if sda is your device:
~]# grub2-install /dev/sda
Reinstalling GRUB 2 on UEFI-Based Machines
When using the dnf reinstall grub2-efi shim command, the boot information is updated and missing files are restored. Note that the files are restored only if they are not corrupted.
Use the dnf reinstall grub2-efi shim command to reinstall GRUB 2 if the system is operating normally. For example:
~]# dnf reinstall grub2-efi shim
Resetting and Reinstalling GRUB 2
This method completely removes all GRUB 2 configuration files and system settings. Apply this method to reset all configuration settings to their default values. Removing the configuration files and subsequently reinstalling GRUB 2 fixes failures caused by corrupted files and incorrect configuration. To do so, as root, follow these steps:
- Run the rm /etc/grub.d/* command;
- Run the rm /etc/sysconfig/grub command;
- For EFI systems only, run the following command:
~]# dnf reinstall grub2-efi shim grub2-tools
- Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:
  - On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  - On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
- Now follow the procedure in Reinstalling GRUB 2 to restore GRUB 2 on the /boot/ partition.
GRUB 2 over a Serial Console
If you use computers with no display or keyboard, it can be very useful to control the machines through serial communications.
Configuring the GRUB 2 Menu
To set the system to use a serial terminal only during a single boot process, when the GRUB 2 boot menu appears, move the cursor to the kernel you want to start, and press the e key to edit the kernel parameters. Remove the rhgb and quiet parameters and add console parameters at the end of the linux16 line as follows:
linux16 /vmlinuz-4.2.0-1.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.md=0 rd.dm=0 rd.lvm.lv=fedora/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=fedora/root console=ttyS0,115200
These settings are not persistent and apply only for a single boot.
To make persistent changes to a menu entry on a system, use the grubby tool. For example, to update the entry for the default kernel, enter a command as follows:
~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,115200 --update-kernel=DEFAULT
The --update-kernel parameter also accepts the keyword ALL or a comma separated list of kernel index numbers. See Adding and Removing Arguments from a GRUB Menu Entry for more information on using grubby.
If required to build a new GRUB 2 configuration file, add the following two lines in the /etc/default/grub file:
GRUB_TERMINAL="serial"
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"
The first line disables the graphical terminal. Note that specifying the GRUB_TERMINAL key overrides values of GRUB_TERMINAL_INPUT and GRUB_TERMINAL_OUTPUT. On the second line, adjust the baud rate, parity, and other values to fit your environment and hardware. A much higher baud rate, for example 115200, is preferable for tasks such as following log files. Once you have completed the changes in the /etc/default/grub file, it is necessary to update the GRUB 2 configuration file.
Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:
- On BIOS-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/grub2/grub.cfg
- On UEFI-based machines, issue the following command as root:
~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
In order to access the grub terminal over a serial connection an additional option must be added to a kernel definition to make that particular kernel monitor a serial connection. For example: console=ttyS0,9600n8 Where For more information on serial console settings, see Installed Documentation |
Using screen to Connect to the Serial Console
The screen tool serves as a capable serial terminal. To install it, run as root:
~]# dnf install screen
To connect to your machine using the serial console, use a command in the following format:
screen /dev/console_port baud_rate
By default, if no option is specified, screen uses the standard 9600 baud rate. To set a higher baud rate, enter:
~]$ screen /dev/console_port 115200
Where console_port is ttyS0, or ttyUSB0, and so on.
To end the session in screen, press Ctrl+a, type :quit and press Enter.
See the screen(1) manual page for additional options and detailed information.
Terminal Menu Editing During Boot
Menu entries can be modified and arguments passed to the kernel on boot. This is done using the menu entry editor interface, which is triggered when pressing the e key on a selected menu entry in the boot loader menu. The Esc key discards any changes and reloads the standard menu interface. The c key loads the command line interface.
The command line interface is the most basic GRUB interface, but it is also the one that grants the most control. The command line makes it possible to type any relevant GRUB commands followed by the Enter key to execute them. This interface features some advanced features similar to shell, including Tab key completion based on context, and Ctrl+a to move to the beginning of a line and Ctrl+e to move to the end of a line. In addition, the arrow, Home, End, and Delete keys work as they do in the bash shell.
Booting to Rescue Mode
Rescue mode provides a convenient single-user environment and allows you to repair your system in situations when it is unable to complete a normal booting process. In rescue mode, the system attempts to mount all local file systems and start some important system services, but it does not activate network interfaces or allow more users to be logged into the system at the same time. In Fedora, rescue mode is equivalent to single user mode and requires the root password.
- To enter rescue mode during boot, on the GRUB 2 boot screen, press the e key for edit.
- Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:
systemd.unit=rescue.target
  Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.
  Note that equivalent parameters, 1, s, and single, can be passed to the kernel as well.
- Press Ctrl+x to boot the system with the parameter.
Booting to Emergency Mode
Emergency mode provides the most minimal environment possible and allows you to repair your system even in situations when the system is unable to enter rescue mode. In emergency mode, the system mounts the root file system only for reading, does not attempt to mount any other local file systems, does not activate network interfaces, and starts only a few essential services. In Fedora, emergency mode requires the root password.
- To enter emergency mode, on the GRUB 2 boot screen, press the e key for edit.
- Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:
systemd.unit=emergency.target
  Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.
  Note that equivalent parameters, emergency and -b, can be passed to the kernel as well.
- Press Ctrl+x to boot the system with the parameter.
Changing and Resetting the Root Password
Setting up the root password is a mandatory part of the Fedora installation. If you forget or lose the root password, it is possible to reset it. However, users who are members of the wheel group can change the root password as follows:
~]$ sudo passwd root
Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Fedora 15 and Red Hat Enterprise Linux 6. The root password is now required to operate in single-user mode as well as in emergency mode.
Two procedures for resetting the root password are shown here:
- Resetting the Root Password Using an Installation Disk takes you to a shell prompt, without having to edit the grub menu. It is the shorter of the two procedures and it is also the recommended method. You can use a server boot disk or a netinstall installation disk.
- Resetting the Root Password Using rd.break makes use of rd.break to interrupt the boot process before control is passed from initramfs to systemd. The disadvantage of this method is that it requires more steps, includes having to edit the GRUB menu, and involves choosing between a possibly time consuming SELinux file relabel or changing the SELinux enforcing mode and then restoring the SELinux security context for /etc/shadow when the boot completes.
-
Resetting the Root Password Using an Installation Disk
1. Start the system and when BIOS information is displayed, select the option for a boot menu and select to boot from the installation disk.
2. Choose Troubleshooting.
3. Choose Rescue a Fedora-Server System.
4. Choose Continue, which is the default option. At this point you will be prompted for a passphrase if an encrypted file system is found.
5. Press OK to acknowledge the information displayed until the shell prompt appears.
6. Change the file system root as follows:
   sh-4.2# chroot /mnt/sysimage
7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.
8. Remove the autorelabel file to prevent a time consuming SELinux relabel of the disk:
   sh-4.2# rm -f /.autorelabel
9. Enter the exit command to exit the chroot environment.
10. Enter the exit command again to resume the initialization and finish the system boot.
-
Resetting the Root Password Using rd.break
1. Start the system and, on the GRUB 2 boot screen, press the e key for edit.
2. Remove the rhgb and quiet parameters from the end, or near the end, of the linux16 line, or linuxefi on UEFI systems.
   Press Ctrl+a and Ctrl+e to jump to the start and end of the line, respectively. On some systems, Home and End might also work.
The |
3. Add the following parameters at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:
   rd.break enforcing=0
   Adding the enforcing=0 option enables omitting the time consuming SELinux relabeling process.
   The initramfs will stop before passing control to the Linux kernel, enabling you to work with the root file system.
   Note that the initramfs prompt will appear on the last console specified on the Linux line.
4. Press Ctrl+x to boot the system with the changed parameters.
   With an encrypted file system, a password is required at this point. However, the password prompt might not appear as it is obscured by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
   The initramfs switch_root prompt appears.
5. The file system is mounted read-only on /sysroot/. You will not be allowed to change the password if the file system is not writable.
   Remount the file system as writable:
   switch_root:/# mount -o remount,rw /sysroot
6. The file system is remounted with write enabled.
   Change the file system's root as follows:
   switch_root:/# chroot /sysroot
   The prompt changes to sh-4.2#.
7. Enter the passwd command and follow the instructions displayed on the command line to change the root password.
   Note that if the system is not writable, the passwd tool fails with the following error:
   Kesalahan manipulasi token otentikasi
8. Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:
   sh-4.2# touch /.autorelabel
   Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the enforcing=0 option in step 3.
9. Remount the file system as read only:
   sh-4.2# mount -o remount,ro /
10. Enter the exit command to exit the chroot environment.
11. Enter the exit command again to resume the initialization and finish the system boot.
    With an encrypted file system, a password or passphrase is required at this point. However, the password prompt might not appear as it is obscured by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.
    Note that the SELinux relabeling process can take a long time. A system reboot will occur automatically when the process is complete.
12. If you added the enforcing=0 option in step 3 and omitted the touch /.autorelabel command in step 8, enter the following command to restore the /etc/shadow file's SELinux security context:
    ~]# restorecon /etc/shadow
    Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:
    ~]# setenforce 1
    ~]# getenforce
    Enforcing
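The boot parameters used in the rescue, emergency, and rd.break procedures above also work as audit signals: a host whose running kernel command line carries any of them was started through a recovery path. The following is an added example, not part of the Fedora documentation; the function names and the two sample command lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Fedora documentation): flag kernel command-line
# parameters that select the recovery paths described on this page.

# Print one "parameter<TAB>effect" line for each recovery-related token in $1.
# Runs in a subshell so that disabling glob expansion does not leak to the caller.
classify_cmdline() (
    set -f
    for tok in $1; do
        case "$tok" in
            systemd.unit=rescue.target|1|s|single)
                printf '%s\trescue mode\n' "$tok" ;;
            systemd.unit=emergency.target|emergency|-b)
                printf '%s\temergency mode\n' "$tok" ;;
            rd.break|rd.break=*)
                printf '%s\tinitramfs shell before switch_root\n' "$tok" ;;
            enforcing=0)
                printf '%s\tSELinux permissive for this boot\n' "$tok" ;;
        esac
    done
)

# Return 0 when the command line stored in file $1 (default /proc/cmdline)
# carries none of those parameters; otherwise print the findings and return 1.
audit_boot() {
    file=${1:-/proc/cmdline}
    findings=$(classify_cmdline "$(cat "$file")")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample command lines (illustrative values, not from a real host).
NORMAL_CMDLINE='BOOT_IMAGE=/vmlinuz-example root=/dev/mapper/fedora-root ro rhgb quiet'
RESET_CMDLINE='BOOT_IMAGE=/vmlinuz-example root=/dev/mapper/fedora-root ro rd.break enforcing=0'
```

Calling audit_boot with no argument checks the running system; a non-zero exit status after a reboot that was supposed to be routine is worth following up, together with the output of getenforce.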
UEFI Secure Boot
The Secure Boot technology ensures that the system firmware checks whether the system boot loader is signed with a cryptographic key authorized by a database contained in the firmware. With signature verification in the next-stage boot loader, kernel, and, potentially, user space, it is possible to prevent the execution of unsigned code.
Secure Boot is the boot path validation component of the Unified Extensible Firmware Interface (UEFI) specification. The specification defines:
- a programming interface for cryptographically protected UEFI variables in non-volatile storage,
- how the trusted X.509 root certificates are stored in UEFI variables,
- validation of UEFI applications like boot loaders and drivers,
- procedures to revoke known-bad certificates and application hashes.
UEFI Secure Boot does not prevent the installation or removal of second-stage boot loaders, nor does it require explicit user confirmation of such changes. Signatures are verified during booting, not when the boot loader is installed or updated. Therefore, UEFI Secure Boot does not stop boot path manipulations; it simplifies the detection of changes and prevents the system from executing a modified boot path once such a modification has occurred.
UEFI Secure Boot Support in Fedora
Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.
If you want to load externally built drivers — drivers that are not provided on the Fedora Linux DVD — you must make sure these drivers are signed as well.
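To check a host against these requirements, the Secure Boot state can be read from the firmware variable and the loaded modules checked for a signer. This is an added example, not from the Fedora documentation; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and that modinfo is installed, and the function names and the sample-file helper are illustrative.

```shell
#!/bin/sh
# Added example (not from the Fedora documentation). Function names are illustrative.

# SecureBoot variable in the EFI global-variable namespace, as exposed by efivarfs.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print enabled, disabled, unknown, or unsupported for the variable file $1.
# efivarfs files hold 4 attribute bytes followed by the data (one byte here).
secureboot_state() {
    var=${1:-$SB_VAR}
    [ -r "$var" ] || { echo unsupported; return 2; }
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled; return 1 ;;
        *) echo unknown; return 2 ;;
    esac
}

# Print each loaded module (names read from $1, default /proc/modules) whose
# on-disk file has no signer field according to modinfo.
unsigned_modules() {
    while read -r name rest; do
        [ -n "$(modinfo -F signer "$name" 2>/dev/null)" ] || printf '%s\n' "$name"
    done < "${1:-/proc/modules}"
}

# Write a constructed efivarfs-style file: attributes 0x00000006, data byte $2 (0 or 1).
make_sample_var() {
    printf "\\006\\000\\000\\000\\00$2" > "$1"
}
```

modinfo inspects the module file installed for the running kernel, so unsigned_modules reports on what is on disk rather than on the code already loaded in memory.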
Additional Resources
Please see the following resources for more information on the GRUB 2 boot loader:
- /usr/share/doc/grub2-tools-<version-number>: This directory contains information about using and configuring GRUB 2. <version-number> corresponds to the version of the GRUB 2 package installed.
- info grub2: The GRUB 2 info page contains a tutorial, a user reference manual, a programmer reference manual, and a FAQ document about GRUB 2 and its usage.
- grubby(8): The manual page for the command-line tool for configuring GRUB and GRUB 2.
- new-kernel-pkg(8): The manual page for the tool to script kernel installation.
- Fedora Installation Guide: The Installation Guide provides basic information on GRUB 2, for example, installation, terminology, interfaces, and commands.