Documentation for a newer release is available. View Latest

Bekerja dengan Boot Loader GRUB 2

indexterm:[GRUB 2,mengonfigurasi GRUB 2]indexterm:[GRUB 2,memasang ulang GRUB 2]indexterm:[GRUB 2,menyesuaikan GRUB 2]indexterm:[boot loader,GRUB 2 boot loader] Fedora Rawhide didistribusikan dengan boot loader GNU GRand Unified Boot loader (GRUB) versi 2, yang memungkinkan pengguna memilih suatu sistem operasi atau kernel yang akan dimuat saat boot sistem. GRUB 2 juga mengizinkan pengguna memberikan argumen ke kernel.

Perkenalan ke GRUB 2

GRUB 2 reads its configuration from the /boot/grub2/grub.cfg file on traditional BIOS-based machines and from the /boot/efi/EFI/fedora/grub.cfg file on UEFI machines. This file contains menu information.

Berkas konfigurasi GRUB 2, grub.cfg, dihasilkan selama instalasi, atau dengan memanggil utilitas /usr/sbin/grub2-mkconfig, dan secara otomatis diperbarui oleh grubby setiap kali kernel baru dipasang. Ketika dibuat ulang secara manual menggunakan grub2-mkconfig, berkas dihasilkan sesuai dengan berkas templat yang terletak di /etc/grub.d/, dan pengaturan khusus di berkas /etc/default/grub. Pengeditan grub.cfg akan hilang kapan saja grub2-mkconfig digunakan untuk meregenerasi berkas, jadi harus berhati-hati untuk mencerminkan perubahan manual apa pun di /etc/default/grub juga.

Normal operations on grub.cfg, such as the removal and addition of new kernels, should be done using the grubby tool and, for scripts, using new-kernel-pkg tool. If you use grubby to modify the default kernel the changes will be inherited when new kernels are installed. For more information on grubby, see Making Persistent Changes to a GRUB 2 Menu Using the grubby Tool.

Berkas /etc/default/grub digunakan oleh alat grub2-mkconfig, yang digunakan oleh anaconda saat membuat grub.cfg selama proses instalasi, dan dapat digunakan jika terjadi kegagalan sistem, misalnya jika konfigurasi boot loader perlu dibuat ulang. Secara umum, tidak disarankan untuk mengganti berkas grub.cfg dengan menjalankan grub2-mkconfig secara manual kecuali sebagai upaya terakhir. Perhatikan bahwa setiap perubahan manual ke /etc/default/grub memerlukan pembangunan kembali berkas grub.cfg.

Entri Menu di grub.cfg

Di antara berbagai cuplikan kode dan direktif, berkas konfigurasi grub.cfg berisi satu atau lebih blok menuentry, masing-masing mewakili satu entri menu boot GRUB 2. Blok-blok ini selalu dimulai dengan kata kunci menuentry diikuti dengan judul, daftar opsi, dan kurung kurawal pembuka, dan diakhiri dengan kurung kurawal penutup. Apa pun antara kurung pembuka dan penutup harus diindentasi. Misalnya, berikut ini adalah contoh blok menuentry untuk Fedora Rawhide dengan kernel Linux 3.17.4-301.fc21.x86_64:

menuentry 'Fedora, with Linux 3.17.4-301.fc21.x86_64' --class fedora --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.17.4-301.fc21.x86_64-advanced-effee860-8d55-4e4a-995e-b4c88f9ac9f0' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod ext2
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1'  f19c92f4-9ead-4207-b46a-723b7a2c51c8
        else
          search --no-floppy --fs-uuid --set=root f19c92f4-9ead-4207-b46a-723b7a2c51c8
        fi
        linux16 /vmlinuz-3.17.4-301.fc21.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root rhgb quiet LANG=en_US.UTF-8
        initrd16 /initramfs-3.17.4-301.fc21.x86_64.img
}

Setiap blok menuentry yang mewakili kernel Linux yang dipasang berisi linux pada IBM POWER Series 64-bit, linux16 pada sistem berbasis BIOS x86_64, dan linuxefi pada sistem berbasis UEFI. Kemudian direktif initrd diikuti oleh path ke kernel dan image initramfs masing-masing. Jika partisi /boot terpisah dibuat, path ke kernel dan image initramfs relatif terhadap /boot. Dalam contoh di atas, baris initrd /initramfs-3.17.4-301.fc21.x86_64.img berarti bahwa image initramfs sebenarnya terletak di /boot/initramfs-3.17.4-301.fc21.x86_64.img ketika sistem berkas root dikait, dan juga untuk path kernel.

Nomor versi kernel seperti yang diberikan pada baris linux16 /vmlinuz-kernel_version harus cocok dengan nomor versi image initramfs yang diberikan pada baris initrd /initramfs-kernel_version.img dari setiap blok menuentry. Untuk informasi lebih lanjut tentang cara memverifikasi image disk RAM awal, lihat Memverifikasi Image Initial RAM Disk.

Dalam blok menuentry, direktif initrd harus menunjuk ke lokasi (relatif terhadap direktori /boot/ jika berada di partisi terpisah) dari berkas initramfs yang sesuai dengan versi kernel yang sama. Direktif ini disebut initrd karena alat sebelumnya yang membuat image disk RAM awal, mkinitrd, menciptakan apa yang dikenal sebagai berkas initrd. Direktif grub.cfg tetap initrd untuk menjaga kompatibilitas dengan alat lain. Konvensi penamaan berkas sistem yang menggunakan utilitas dracut untuk membuat image disk RAM awal adalah initramfs-kernel_version.img.

Untuk informasi tentang menggunakan Dracut, lihat Memverifikasi Image Initial RAM Disk.

Mengonfigurasi Boot Loader GRUB 2

Perubahan pada menu GRUB 2 dapat dilakukan sementara pada saat boot, dibuat persisten untuk satu sistem saat sistem sedang berjalan, atau sebagai bagian dari pembuatan berkas konfigurasi GRUB 2 baru.

Membuat Perubahan Sementara pada Menu GRUB 2

Membuat Perubahan Sementara pada Entri Menu Kernel

Untuk mengubah parameter kernel hanya selama satu proses boot, lanjutkan sebagai berikut:

  1. Mulai sistem dan, pada layar boot GRUB 2, gerakkan kursor ke entri menu yang ingin Anda edit, dan tekan tombol e untuk mengedit.

  2. Pindahkan kursor ke bawah untuk menemukan baris perintah kernel. Baris perintah kernel dimulai dengan linux pada 64-Bit IBM Power Series, linux16 pada sistem berbasis BIOS x86-64, atau linuxefi pada sistem UEFI.

  3. Memindahkan kursor ke akhir baris.

Tekan Ctrl+a dan Ctrl+e masing-masing untuk melompat ke awal dan akhir baris. Pada beberapa sistem, Home dan End mungkin juga berfungsi.

  1. Edit parameter kernel sesuai kebutuhan. Misalnya, untuk menjalankan sistem dalam mode darurat, tambahkan parameter emergency di akhir baris linux16:

linux16      /vmlinuz-4.2.0-1.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.md=0 rd.dm=0 rd.lvm.lv=fedora/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=fedora/root rhgb quiet emergency

Parameter rhgb dan quiet dapat dihapus untuk mengaktifkan pesan sistem.

These settings are not persistent and apply only for a single boot. To make persistent changes to a menu entry on a system, use the grubby tool. See Adding and Removing Arguments from a GRUB Menu Entry for more information on using grubby.

Membuat Perubahan Persisten pada Menu GRUB 2 Menggunakan Alat grubby

The grubby tool can be used to read information from, and make persistent changes to, the grub.cfg file. It enables, for example, changing GRUB menu entries to specify what arguments to pass to a kernel on system start and changing the default kernel.

In Red Hat Enterprise Linux 7, if grubby is invoked manually without specifying a GRUB configuration file, it defaults to searching for /etc/grub2.cfg, which is a symbolic link to the grub.cfg file, whose location is architecture dependent. If that file cannot be found it will search for an architecture dependent default.

Listing the Default Kernel

To find out the file name of the default kernel, enter a command as follows:

~]# grubby --default-kernel
/boot/vmlinuz-4.2.0-1.fc23.x86_64

To find out the index number of the default kernel, enter a command as follows:

~]# grubby --default-index
0
Mengubah Entri Boot Baku

To make a persistent change in the kernel designated as the default kernel, use the grubby command as follows:

~]# grubby --set-default /boot/vmlinuz-4.2.0-1.fc23.x86_64
Melihat Entri Menu GRUB untuk suatu Kernel

Untuk mencantumkan semua entri menu kernel, masukkan perintah sebagai berikut:

~]$ grubby --info=ALL

On UEFI systems, all grubby commands must be entered as root.

To view the GRUB menu entry for a specific kernel, enter a command as follows:

~]$ grubby --info /boot/vmlinuz-4.2.0-1.fc23.x86_64
index=0
kernel=/boot/vmlinuz-4.2.0-1.fc23.x86_64
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap rhgb quiet LANG=en_US.UTF-8"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.2.0-1.fc23.x86_64.img
title=Fedora (4.2.0-1.fc23.x86_64) 23 (Workstation Edition)

Try tab completion to see the available kernels within the /boot/ directory.

Menambahkan dan Menghapus Argumen dari Entri Menu GRUB

The --update-kernel option can be used to update a menu entry when used in combination with --args to add new arguments and --remove-arguments to remove existing arguments. These options accept a quoted space-separated list. The command to simultaneously add and remove arguments a from GRUB menu entry has the follow format:

grubby --remove-args="argX argY" --args="argA argB" --update-kernel /boot/kernel

To add and remove arguments from a kernel’s GRUB menu entry, use a command as follows:

~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,115200 --update-kernel /boot/vmlinuz-4.2.0-1.fc23.x86_64

This command removes the Red Hat graphical boot argument, enables boot message to be seen, and adds a serial console. As the console arguments will be added at the end of the line, the new console will take precedence over any other consoles configured.

To review the changes, use the --info command option as follows:

~]# grubby --info /boot/vmlinuz-4.2.0-1.fc23.x86_64
index=0
kernel=/boot/vmlinuz-4.2.0-1.fc23.x86_64
args="ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap LANG=en_US.UTF-8 console=ttyS0,115200"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.2.0-1.fc23.x86_64.img
title=Fedora (4.2.0-1.fc23.x86_64) 23 (Workstation Edition)
Memperbarui Semua Menu Kernel dengan Argumen yang Sama

Untuk menambahkan argumen boot kernel yang sama ke semua entri menu kernel, masukkan perintah sebagai berikut:

~]# grubby --update-kernel=ALL --args=console=ttyS0,115200

The --update-kernel parameter also accepts DEFAULT or a comma separated list of kernel index numbers.

Mengubah Argumen Kernel

To change a value in an existing kernel argument, specify the argument again, changing the value as required. For example, if the virtual console font size has been set to latarcyrheb-sun16 and you want to change the virtual console font size to 32, use a command as follows:

~]# grubby --args=vconsole.font=latarcyrheb-sun32 --update-kernel /boot/vmlinuz-4.2.0-1.fc23.x86_64
index=0
kernel=/boot/vmlinuz-4.2.0-1.fc23.x86_64
args="ro rd.lvm.lv=fedora/root crashkernel=auto  rd.lvm.lv=fedora/swap vconsole.font=latarcyrheb-sun32 vconsole.keymap=us LANG=en_US.UTF-8"
root=/dev/mapper/fedora-root
initrd=/boot/initramfs-4.2.0-1.fc23.x86_64.img
title=Fedora (4.2.0-1.fc23.x86_64) 23 (Workstation Edition)

Lihat halaman manual grubby(8) untuk opsi perintah lainnya.

Menyesuaikan Berkas Konfigurasi GRUB 2

GRUB 2 scripts search the user’s computer and build a boot menu based on what operating systems the scripts find. To reflect the latest system boot options, the boot menu is rebuilt automatically when the kernel is updated or a new kernel is added.

However, users may want to build a menu containing specific entries or to have the entries in a specific order. GRUB 2 allows basic customization of the boot menu to give users control of what actually appears on the screen.

GRUB 2 uses a series of scripts to build the menu; these are located in the /etc/grub.d/ directory. The following files are included:

  • 00_header, yang memuat pengaturan GRUB 2 dari berkas /etc/default/grub.

  • 01_users, yang dibuat hanya ketika kata sandi boot loader ditetapkan dalam berkas kickstart.

  • 10_linux, yang menempatkan kernel di partisi baku Fedora.

  • 30_os-prober, yang membangun entri untuk sistem operasi yang ditemukan di partisi lain.

  • 40_custom, templat, yang dapat digunakan untuk membuat entri menu tambahan.

Scripts from the /etc/grub.d/ directory are read in alphabetical order and can be therefore renamed to change the boot order of specific menu entries.

With the GRUB_TIMEOUT key set to 0 in the /etc/default/grub file, GRUB 2 does not display the list of bootable kernels when the system starts up. In order to display this list when booting, press and hold any alphanumeric key when the BIOS information is displayed; GRUB 2 will present you with the GRUB menu.

Mengubah Entri Boot Baku

Secara baku, kunci untuk direktif GRUB_DEFAULT di berkas /etc/default/grub adalah kata saved. Ini menginstruksikan GRUB 2 untuk memuat kernel yang ditentukan oleh direktif saved_entry dalam berkas lingkungan GRUB 2, yang terletak di /boot/grub2/grubenv. Anda dapat mengatur catatan GRUB lain menjadi baku, menggunakan perintah grub2-set-baku, yang akan memperbarui berkas lingkungan GRUB 2.

By default, the saved_entry value is set to the name of latest installed kernel of package type kernel. This is defined in /etc/sysconfig/kernel by the UPDATEDEFAULT and DEFAULTKERNEL directives. The file can be viewed by the root user as follows:

~]# cat /etc/sysconfig/kernel
# UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes

# DEFAULTKERNEL menentukan jenis paket kernel baku
DEFAULTKERNEL=kernel-core

Direktif DEFAULTKERNEL menentukan jenis paket apa yang akan digunakan sebagai baku. Memasang paket tipe kernel-debug tidak akan mengubah kernel baku saat DEFAULTKERNEL diatur ke tipe paket kernel.

GRUB 2 mendukung penggunaan nilai numerik sebagai kunci untuk direktif saved_entry untuk mengubah urutan baku di mana sistem operasi dimuat. Untuk menentukan sistem operasi mana yang harus dimuat terlebih dahulu, berikan nomornya ke perintah grub2-set-default. Misalnya:

~]# grub2-set-default 2

Note that the position of a menu entry in the list is denoted by a number starting with zero; therefore, in the example above, the third entry will be loaded. This value will be overwritten by the name of the next kernel to be installed.

To force a system to always use a particular menu entry, use the menu entry name as the key to the GRUB_DEFAULT directive in the /etc/default/grub file. To list the available menu entries, run the following command as root:

~]# awk -F\' '$1=="menuentry " {print $2}' /etc/grub2.cfg

The file name /etc/grub2.cfg is a symlink to the grub.cfg file, whose location is architecture dependent. For reliability reasons, the symlink is not used in other examples in this chapter. It is better to use absolute paths when writing to a file, especially when repairing a system.

Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:

  • Pada mesin berbasis BIOS, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • Pada komputer berbasis UEFI, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Mengedit Entri Menu

If required to prepare a new GRUB 2 file with different parameters, edit the values of the GRUB_CMDLINE_LINUX key in the /etc/default/grub file. Note that you can specify multiple parameters for the GRUB_CMDLINE_LINUX key. For example:

GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,9600n8"

Where console=tty0 is the first virtual terminal and console=ttyS0 is the serial terminal to be used.

Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:

  • Pada mesin berbasis BIOS, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • Pada komputer berbasis UEFI, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Menambahkan Entri baru

When executing the grub2-mkconfig command, GRUB 2 searches for Linux kernels and other operating systems based on the files located in the /etc/grub.d/ directory. The /etc/grub.d/10_linux script searches for installed Linux kernels on the same partition. The /etc/grub.d/30_os-prober script searches for other operating systems. Menu entries are also automatically added to the boot menu when updating the kernel.

The 40_custom file located in the /etc/grub.d/ directory is a template for custom entries and looks as follows:

#!/bin/sh
exec tail -n +3 $0
# Berkas ini menyediakan cara mudah untuk menambahkan entri menu khusus.  Cukup ketik
# entri menu yang ingin Anda tambahkan setelah komentar ini.  Berhati-hatilah untuk
# tidak mengubah baris 'exec tail' di atas.

This file can be edited or copied. Note that as a minimum, a valid menu entry must include at least the following:

menuentry "<Title>"{
<Data>
}

Creating a Custom Menu

If you do not want menu entries to be updated automatically, you can create a custom menu.

Before proceeding, back up the contents of the /etc/grub.d/ directory in case you need to revert the changes later.

Note that modifying the /etc/default/grub file does not have any effect on creating custom menus.

  1. On BIOS-based machines, copy the contents of /boot/grub2/grub.cfg, or, on UEFI machines, copy the contents of /boot/efi/EFI/fedora/grub.cfg. Put the content of the grub.cfg into the /etc/grub.d/40_custom file below the existing header lines. The executable part of the 40_custom script has to be preserved.

  2. From the content put into the /etc/grub.d/40_custom file, only the menuentry blocks are needed to create the custom menu. The /boot/grub2/grub.cfg and /boot/efi/EFI/fedora/grub.cfg files might contain function specifications and other content above and below the menuentry blocks. If you put these unnecessary lines into the 40_custom file in the previous step, erase them.

This is an example of a custom 40_custom script:

#!/bin/sh
exec tail -n +3 $0
# Berkas ini menyediakan cara mudah untuk menambahkan entri menu khusus.  Cukup ketik
# entri menu yang ingin Anda tambahkan setelah komentar ini.  Berhati-hatilah untuk
# tidak mengubah baris 'exec tail' di atas.

menuentry 'First custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.2.0-1.fc23.x86_64-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {
        load_video
        set gfxpayload=keep
        insmod gzio
        insmod part_msdos
        insmod xfs
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1'  7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        else
          search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        fi
        linux16 /vmlinuz-4.2.0-1.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=fedora/swap vconsole.keymap=us crashkernel=auto rhgb quiet LANG=en_US.UTF-8
        initrd16 /initramfs-4.2.0-1.fc23.x86_64.img
}
menuentry 'Second custom entry' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c-advanced-32782dd0-4b47-4d56-a740-2076ab5e5976' {
        load_video
        insmod gzio
        insmod part_msdos
        insmod xfs
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1'  7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        else
          search --no-floppy --fs-uuid --set=root 7885bba1-8aa7-4e5d-a7ad-821f4f52170a
        fi
        linux16 /vmlinuz-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root vconsole.font=latarcyrheb-sun16 rd.lvm.lv=fedora/swap vconsole.keymap=us crashkernel=auto rhgb quiet
        initrd16 /initramfs-0-rescue-07f43f20a54c4ce8ada8b70d33fd001c.img
}
  1. Remove all files from the /etc/grub.d directory except the following:

    • 00_header,

    • 40_custom,

    • 01_users (if it exists),

    • dan README.

Alternatively, if you want to keep the files in the /etc/grub2.d/ directory, make them unexecutable by running the chmod a-x <file_name> command.

  1. Edit, add, or remove menu entries in the 40_custom file as desired.

  2. Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:

    • Pada mesin berbasis BIOS, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • Pada komputer berbasis UEFI, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

GRUB 2 Password Protection

GRUB 2 supports both plain-text and encrypted passwords in the GRUB 2 template files. To enable the use of passwords, specify a superuser who can reach the protected entries. Other users can be specified to access these entries as well. Menu entries can be password-protected for booting by adding one or more users to the menu entry as described in Setting Up Users and Password Protection, Specifying Menu Entries. To use encrypted passwords, see Password Encryption.

If you do not use the correct format for the menu, or modify the configuration in an incorrect way, you might be unable to boot your system.

All menu entries can be password-protected against changes by setting superusers, which can be done in the /etc/grub.d/00_header or the /etc/grub.d/01_users file. The 00_header file is very complicated and, if possible, avoid making modifications in this file. Menu entries should be placed in the /etc/grub.d/40_custom and users in the /etc/grub.d/01_users file. The 01_users file is generated by the installation application anaconda when a grub boot loader password is used in a kickstart template (but it should be created and used it if it does not exist). Examples in this section adopt this policy.

Setting Up Users and Password Protection, Specifying Menu Entries

  1. To specify a superuser, add the following lines in the /etc/grub.d/01_users file, where john is the name of the user designated as the superuser, and johnspassword is the superuser’s password:

cat <<EOF
set superusers="john"
password john johnspassword
EOF
  1. To allow other users to access the menu entries, add additional lines per user at the end of the /etc/grub.d/01_users file.

cat <<EOF
set superusers="john"
password john johnspassword
password jane janespassword
EOF
  1. When the users and passwords are set up, specify the menu entries that should be password-protected in the /etc/grub.d/40_custom file in a similar fashion to the following:

menuentry 'Red Hat Enterprise Linux Server' --unrestricted {
set root=(hd0,msdos1)
linux   /vmlinuz
}

menuentry 'Fedora' --users jane {
set root=(hd0,msdos2)
linux   /vmlinuz
}

menuentry 'Red Hat Enterprise Linux Workstation' {
set root=(hd0,msdos3)
linux   /vmlinuz
}

Dalam contoh di atas:

  • john is the superuser and can therefore boot any menu entry, use the GRUB 2 command line, and edit items of the GRUB 2 menu during boot. In this case, john can access both Red Hat Enterprise Linux Server, Fedora, and Red Hat Enterprise Linux Workstation. Note that only john can access Red Hat Enterprise Linux Workstation because neither the --users nor --unrestricted options have been used.

  • User jane can boot Fedora since she was granted the permission in the configuration.

  • Anyone can boot Red Hat Enterprise Linux Server, because of the --unrestricted option, but only john can edit the menu entry as a superuser has been defined. When a superuser is defined then all records are protected against unauthorized changes and all records are protected for booting if they do not have the --unrestricted parameter

If you do not specify a user for a menu entry, or make use of the --unrestricted option, then only the superuser will have access to the system.

After you have made changes in the template file the GRUB 2 configuration file must be updated.

Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:

  • Pada mesin berbasis BIOS, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • Pada komputer berbasis UEFI, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

Enkripsi Kata Sandi

By default, passwords are saved in plain text in GRUB 2 scripts. Although the files cannot be accessed on boot without the correct password, security can be improved by encrypting the password using the grub2-mkpasswd-pbkdf2 command. This command converts a desired password into a long hash, which is placed in the GRUB 2 scripts instead of the plain-text password.

  1. To generate an encrypted password, run the grub2-mkpasswd-pbkdf2 command on the command line as root.

  2. Enter the desired password when prompted and repeat it. The command then outputs your password in an encrypted form.

  3. Copy the hash, and paste it in the template file where you configured the users, that is, either in /etc/grub.d/01_users or /etc/grub.d/40_custom.

The following format applies for the 01_users file:

cat <<EOF
set superusers="john"
password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85
EOF

The following format applies for the 40_custom file:

set superusers="john"
password_pbkdf2 john grub.pbkdf2.sha512.10000.19074739ED80F115963D984BDCB35AA671C24325755377C3E9B014D862DA6ACC77BC110EED41822800A87FD3700C037320E51E9326188D53247EC0722DDF15FC.C56EC0738911AD86CEA55546139FEBC366A393DF9785A8F44D3E51BF09DB980BAFEF85281CBBC56778D8B19DC94833EA8342F7D73E3A1AA30B205091F1015A85

Reinstalling GRUB 2

Reinstalling GRUB 2 is a convenient way to fix certain problems usually caused by an incorrect installation of GRUB 2, missing files, or a broken system. Other reasons to reinstall GRUB 2 include the following:

  • Upgrading from the previous version of GRUB.

  • The user requires the GRUB 2 boot loader to control installed operating systems. However, some operating systems are installed with their own boot loaders. Reinstalling GRUB 2 returns control to the desired operating system.

  • Adding the boot information to another drive.

Reinstalling GRUB 2 on BIOS-Based Machines

When using the grub2-install command, the boot information is updated and missing files are restored. Note that the files are restored only if they are not corrupted.

Use the grub2-install device command to reinstall GRUB 2 if the system is operating normally. For example, if sda is your device:

~]# grub2-install /dev/sda

Reinstalling GRUB 2 on UEFI-Based Machines

When using the dnf reinstall grub2-efi shim command, the boot information is updated and missing files are restored. Note that the files are restored only if they are not corrupted.

Use the dnf reinstall grub2-efi shim command to reinstall GRUB 2 if the system is operating normally. For example:

~]# dnf reinstall grub2-efi shim

Resetting and Reinstalling GRUB 2

This method completely removes all GRUB 2 configuration files and system settings. Apply this method to reset all configuration settings to their default values. Removing of the configuration files and subsequent reinstalling of GRUB 2 fixes failures caused by corrupted files and incorrect configuration. To do so, as root, follow these steps:

  1. Jalankan perintah rm /etc/grub.d/*;

  2. Jalankan perintah rm /etc/sysconfig/grub;

  3. For EFI systems only, run the following command:

~]# dnf reinstall grub2-efi shim grub2-tools
  1. Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:

    • Pada mesin berbasis BIOS, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • Pada komputer berbasis UEFI, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
  1. Now follow the procedure in Reinstalling GRUB 2 to restore GRUB2 on the /boot/ partition.

GRUB 2 over a Serial Console

If you use computers with no display or keyboard, it can be very useful to control the machines through serial communications.

Configuring the GRUB 2 Menu

To set the system to use a serial terminal only during a single boot process, when the GRUB 2 boot menu appears, move the cursor to the kernel you want to start, and press the e key to edit the kernel parameters. Remove the rhgb and quit parameters and add console parameters at the end of the linux16 line as follows:

linux16      /vmlinuz-4.2.0-1.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.md=0 rd.dm=0 rd.lvm.lv=fedora/swap crashkernel=auto rd.luks=0 vconsole.keymap=us rd.lvm.lv=fedora/root console=ttyS0,115200

These settings are not persistent and apply only for a single boot.

To make persistent changes to a menu entry on a system, use the grubby tool. For example, to update the entry for the default kernel, enter a command as follows:

~]# grubby --remove-args="rhgb quiet" --args=console=ttyS0,115200 --update-kernel=DEFAULT

The --update-kernel parameter also accepts the keyword ALL or a comma separated list of kernel index numbers. See Adding and Removing Arguments from a GRUB Menu Entry for more information on using grubby.

If required to build a new GRUB 2 configuration file, add the following two lines in the /etc/default/grub file:

GRUB_TERMINAL="serial"
GRUB_SERIAL_COMMAND="serial --speed=9600 --unit=0 --word=8 --parity=no --stop=1"

The first line disables the graphical terminal. Note that specifying the GRUB_TERMINAL key overrides values of GRUB_TERMINAL_INPUT and GRUB_TERMINAL_OUTPUT. On the second line, adjust the baud rate, parity, and other values to fit your environment and hardware. A much higher baud rate, for example 115200, is preferable for tasks such as following log files. Once you have completed the changes in the /etc/default/grub file, it is necessary to update the GRUB 2 configuration file.

Rebuild the grub.cfg file by running the grub2-mkconfig -o command as follows:

  • Pada mesin berbasis BIOS, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/grub2/grub.cfg
  • Pada komputer berbasis UEFI, jalankan perintah berikut sebagai root:

~]# grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

In order to access the grub terminal over a serial connection an additional option must be added to a kernel definition to make that particular kernel monitor a serial connection. For example:

console=ttyS0,9600n8

Where console=ttyS0 is the serial terminal to be used, 9600 is the baud rate, n is for no parity, and 8 is the word length in bits. A much higher baud rate, for example 115200, is preferable for tasks such as following log files.

For more information on serial console settings, see Installed Documentation

Using screen to Connect to the Serial Console

Alat screen berfungsi sebagai terminal serial yang mumpuni. Untuk memasangnya, jalankan sebagai root:

~]# dnf install screen

To connect to your machine using the serial console, use a command in the follow format:

screen /dev/console_port baud_rate

By default, if no option is specified, screen uses the standard 9600 baud rate. To set a higher baud rate, enter:

~]$ screen /dev/console_port 115200

Where console_port is ttyS0, or ttyUSB0, and so on.

To end the session in screen, press Ctrl+a, type :quit and press Enter.

See the screen(1) manual page for additional options and detailed information.

Terminal Menu Editing During Boot

Menu entries can be modified and arguments passed to the kernel on boot. This is done using the menu entry editor interface, which is triggered when pressing the e key on a selected menu entry in the boot loader menu. The Esc key discards any changes and reloads the standard menu interface. The c key loads the command line interface.

The command line interface is the most basic GRUB interface, but it is also the one that grants the most control. The command line makes it possible to type any relevant GRUB commands followed by the Enter key to execute them. This interface features some advanced features similar to shell, including Tab key completion based on context, and Ctrl+a to move to the beginning of a line and Ctrl+e to move to the end of a line. In addition, the arrow, Home, End, and Delete keys work as they do in the bash shell.

Boot ke Mode Penyelamatan

Rescue mode provides a convenient single-user environment and allows you to repair your system in situations when it is unable to complete a normal booting process. In rescue mode, the system attempts to mount all local file systems and start some important system services, but it does not activate network interfaces or allow more users to be logged into the system at the same time. In Fedora, rescue mode is equivalent to single user mode and requires the root password.

  1. To enter rescue mode during boot, on the GRUB 2 boot screen, press the e key for edit.

  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

systemd.unit=rescue.target

Tekan Ctrl+a dan Ctrl+e masing-masing untuk melompat ke awal dan akhir baris. Pada beberapa sistem, Home dan End mungkin juga berfungsi.

Note that equivalent parameters, 1, s, and single, can be passed to the kernel as well.

  1. Press Ctrl+x to boot the system with the parameter.

Boot ke Mode Darurat

Emergency mode provides the most minimal environment possible and allows you to repair your system even in situations when the system is unable to enter rescue mode. In emergency mode, the system mounts the root file system only for reading, does not attempt to mount any other local file systems, does not activate network interfaces, and only starts few essential services. In Fedora, emergency mode requires the root password.

  1. To enter emergency mode, on the GRUB 2 boot screen, press the e key for edit.

  2. Add the following parameter at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

systemd.unit=emergency.target

Tekan Ctrl+a dan Ctrl+e masing-masing untuk melompat ke awal dan akhir baris. Pada beberapa sistem, Home dan End mungkin juga berfungsi.

Note that equivalent parameters, emergency and -b, can be passed to the kernel as well.

  1. Press Ctrl+x to boot the system with the parameter.

Changing and Resetting the Root Password

Setting up the root password is a mandatory part of the Fedora installation. If you forget or lose the root password it is possible to reset it, however users who are members of the wheel group can change the root password as follows:

~]$ sudo passwd root

Note that in GRUB 2, resetting the password is no longer performed in single-user mode as it was in GRUB included in Fedora 15 and Red Hat Enterprise Linux 6. The root password is now required to operate in single-user mode as well as in emergency mode.

Two procedures for resetting the root password are shown here:

  • Resetting the Root Password Using an Installation Disk takes you to a shell prompt, without having to edit the grub menu. It is the shorter of the two procedures and it is also the recommended method. You can use a server boot disk or a netinstall installation disk.

  • Resetting the Root Password Using rd.break makes use of rd.break to interrupt the boot process before control is passed from initramfs to systemd. The disadvantage of this method is that it requires more steps, includes having to edit the GRUB menu, and involves choosing between a possibly time consuming SELinux file relabel or changing the SELinux enforcing mode and then restoring the SELinux security context for /etc/shadow/ when the boot completes.

Resetting the Root Password Using an Installation Disk
  1. Start the system and when BIOS information is displayed, select the option for a boot menu and select to boot from the installation disk.

  2. Choose Troubleshooting.

  3. Choose Rescue a Fedora-Server System.

  4. Choose Continue which is the default option. At this point you will be promoted for a passphrase if an encrypted file system is found.

  5. Press OK to acknowledge the information displayed until the shell prompt appears.

  6. Change the file system root as follows:

sh-4.2# chroot /mnt/sysimage
  1. Enter the passwd command and follow the instructions displayed on the command line to change the root password.

  2. Remove the autorelable file to prevent a time consuming SELinux relabel of the disk:

sh-4.2# rm -f /.autorelabel
  1. Enter the exit command to exit the chroot environment.

  2. Enter the exit command again to resume the initialization and finish the system boot.

Resetting the Root Password Using rd.break
  1. Start the system and, on the GRUB 2 boot screen, press the e key for edit.

  2. Remove the rhgb and quiet parameters from the end, or near the end, of the linux16 line, or linuxefi on UEFI systems.

Tekan Ctrl+a dan Ctrl+e masing-masing untuk melompat ke awal dan akhir baris. Pada beberapa sistem, Home dan End mungkin juga berfungsi.

The rhgb and quiet parameters must be removed in order to enable system messages.

  1. Add the following parameters at the end of the linux line on 64-Bit IBM Power Series, the linux16 line on x86-64 BIOS-based systems, or the linuxefi line on UEFI systems:

rd.break enforcing=0

Adding the enforcing=0 option enables omitting the time consuming SELinux relabeling process.

The initramfs will stop before passing control to the Linux kernel, enabling you to work with the root file system.

Note that the initramfs prompt will appear on the last console specified on the Linux line.

  1. Press Ctrl+x to boot the system with the changed parameters.

With an encrypted file system, a password is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

The initramfs switch_root prompt appears.

  1. The file system is mounted read-only on /sysroot/. You will not be allowed to change the password if the file system is not writable.

Remount the file system as writable:

switch_root:/# mount -o remount,rw /sysroot
  1. The file system is remounted with write enabled.

Change the file system’s root as follows:

switch_root:/# chroot /sysroot

The prompt changes to sh-4.2#.

  1. Enter the passwd command and follow the instructions displayed on the command line to change the root password.

Note that if the system is not writable, the passwd tool fails with the following error:

Kesalahan manipulasi token otentikasi
  1. Updating the password file results in a file with the incorrect SELinux security context. To relabel all files on next system boot, enter the following command:

sh-4.2# touch /.autorelabel

Alternatively, to save the time it takes to relabel a large disk, you can omit this step provided you included the enforcing=0 option in step 3.

  1. Remount the file system as read only:

sh-4.2# mount -o remount,ro /
  1. Enter the exit command to exit the chroot environment.

  2. Enter the exit command again to resume the initialization and finish the system boot.

With an encrypted file system, a pass word or phrase is required at this point. However the password prompt might not appear as it is obscured by logging messages. You can press and hold the Backspace key to see the prompt. Release the key and enter the password for the encrypted file system, while ignoring the logging messages.

Note that the SELinux relabeling process can take a long time. A system reboot will occur automatically when the process is complete.

  1. If you added the enforcing=0 option in step 3 and omitted the touch /.autorelabel command in step 8, enter the following command to restore the /etc/shadow file’s SELinux security context:

~]# restorcon /etc/shadow

Enter the following commands to turn SELinux policy enforcement back on and verify that it is on:

~]# setenforce 1
~]# getenforce
Enforcing

UEFI Secure Boot

The Secure Boot technology ensures that the system firmware checks whether the system boot loader is signed with a cryptographic key authorized by a database contained in the firmware. With signature verification in the next-stage boot loader, kernel, and, potentially, user space, it is possible to prevent the execution of unsigned code.

Secure Boot is the boot path validation component of the Unified Extensible Firmware Interface (UEFI) specification. The specification defines:

  • a programming interface for cryptographically protected UEFI variables in non-volatile storage,

  • how the trusted X.509 root certificates are stored in UEFI variables,

  • validation of UEFI applications like boot loaders and drivers,

  • procedures to revoke known-bad certificates and application hashes.

UEFI Secure Boot does not prevent the installation or removal of second-stage boot loaders, nor require explicit user confirmation of such changes. Signatures are verified during booting, not when the boot loader is installed or updated. Therefore, UEFI Secure Boot does not stop boot path manipulations, it simplifies the detection of changes and prevents the system from executing a modified boot path once such a modification has occurred.

UEFI Secure Boot Support in Fedora

Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.

If you want to load externally built drivers — drivers that are not provided on the Fedora Linux DVD — you must make sure these drivers are signed as well.

Sumber Daya Tambahan

Please see the following resources for more information on the GRUB 2 boot loader:

Dokumentasi Terpasang
  • /usr/share/doc/grub2-tools-<version-number> — This directory contains information about using and configuring GRUB 2. <version-number> corresponds to the version of the GRUB 2 package installed.

  • info grub2 — The GRUB 2 info page contains a tutorial, a user reference manual, a programmer reference manual, and a FAQ document about GRUB 2 and its usage.

  • grubby(8) — The manual page for the command-line tool for configuring GRUB and GRUB 2.

  • new-kernel-pkg(8) — The manual page for the tool to script kernel installation.

Dokumentasi Eksternal
  • Fedora Installation Guide — The Installation Guide provides basic information on GRUB 2, for example, installation, terminology, interfaces, and commands.