Hibernation -> Resume -> Restart sequence causes grub2-once to prevent start of auditd.service

Hibernation -> Resume -> Restart sequence causes grub2-once to prevent start of auditd.service. It touches the infamous systemd issue that has made quite a few appearances here (PID 1 reload during the boot sequence). I don’t count on that being fixed soon.

So, the two courses of action I can think of are:

a) re-mounting /var before auditd.service starts
b) prevent grub2-once from enabling grub2-once.service in the first place

I think option (b) is preferred. I don’t share any partitions among systems, so it shouldn’t need to force resuming the hibernated system. Or is there another reason to force it? Even if there’s a reason, I’d likely resume from it anyway, but it doesn’t need to be imposed. If that’s a possible correction, how can I do that? I don’t want to just mask the service, which probably would just prevent selecting another system for booting, but instead avoid the change to grubenv during hibernation. As a last resort I’d then consider option (a).

$ journalctl -b -u auditd.service
-- Logs begin at Tue 2020-02-18 11:44:33 -03, end at Tue 2020-04-14 11:45:23 -03. --
Apr 14 09:28:43 systemd[1]: Starting Security Auditing Service...
Apr 14 09:28:43 auditd[763]: Could not open dir /var/log/audit (No such file or directory)
Apr 14 09:28:43 auditd[763]: The audit daemon is exiting.
Apr 14 09:28:43 systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
Apr 14 09:28:43 systemd[1]: auditd.service: Failed with result 'exit-code'.
Apr 14 09:28:43 systemd[1]: Failed to start Security Auditing Service.

$ systemctl cat grub2-once.service
# /usr/lib/systemd/system/grub2-once.service
[Unit]
Description=Restore grubenv
DefaultDependencies=no
After=local-fs.target
Before=sysinit.target shutdown.target
Conflicts=shutdown.target
ConditionPathIsReadWrite=/boot/grub2/grubenv

[Service]
Type=oneshot
ExecStart=-/usr/bin/grub2-editenv /boot/grub2/grubenv unset next_entry
ExecStartPost=-/usr/bin/systemctl disable grub2-once.service
StandardOutput=syslog

[Install]
WantedBy=sysinit.target

$ cat /etc/default/grub
# If you change this file, run 'grub2-mkconfig -o /boot/grub2/grub.cfg' afterwards to update
# /boot/grub2/grub.cfg.

# Uncomment to set your own custom distributor. If you leave it unset or empty, the default
# policy is to determine the value from /etc/os-release
GRUB_DISTRIBUTOR=
GRUB_DEFAULT=saved
GRUB_HIDDEN_TIMEOUT=0
GRUB_HIDDEN_TIMEOUT_QUIET=true
GRUB_TIMEOUT=0
GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=fa1f6c7a-fe02-4160-b6c4-1bc6ec4c9353 quiet mitigations=auto i8042.nopnp"
GRUB_CMDLINE_LINUX=""

# Uncomment to automatically save last booted menu entry in GRUB2 environment

# variable `saved_entry'
GRUB_SAVEDEFAULT="true"
#Uncomment to enable BadRAM filtering, modify to suit your needs

# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
# GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
#Uncomment to disable graphical terminal (grub-pc only)

GRUB_TERMINAL="gfxterm"
# The resolution used on graphical terminal
#note that you can use only modes which your graphic card supports via VBE

# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE="auto"
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
# GRUB_DISABLE_LINUX_UUID=true
#Uncomment to disable generation of recovery mode menu entries

# GRUB_DISABLE_RECOVERY="true"
#Uncomment to get a beep at grub start

# GRUB_INIT_TUNE="480 440 1"
GRUB_BACKGROUND=
GRUB_THEME=/boot/grub2/themes/openSUSE/theme.txt
SUSE_BTRFS_SNAPSHOT_BOOTING="true"
GRUB_USE_LINUXEFI="true"
GRUB_DISABLE_OS_PROBER="false"
GRUB_ENABLE_CRYPTODISK="n"
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16"

$ cat /boot/grub2/grubenv
# GRUB Environment Block
# WARNING: Do not edit this file other than by grub2-editenv
env_block=512+1
saved_entry=openSUSE Tumbleweed
#################################################

$ etckeeper vcs diff | fancy
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
deleted: systemd/system/sysinit.target.wants/grub2-once.service
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
@ systemd/system/sysinit.target.wants/grub2-once.service:1 @
/usr/lib/systemd/system/grub2-once.service
\ No newline at end of file

$ sudo efibootmgr
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0000,0009,000A,0001
Boot0000* Windows Boot Manager
Boot0001* Recovery
Boot0002* opensuse
Boot0009* Onboard NIC (IPV4)
Boot000A* Onboard NIC (IPV6)

$ df -T /boot/grub2
Filesystem     Type  1K-blocks     Used Available Use% Mounted on
/dev/nvme0n1p6 btrfs 267029504 18567608 246832360   7% /

Additionally, from the GNU GRUB Manual 2.12 I understand it shouldn’t work with btrfs:

For safety reasons, this storage is only available when installed on a plain disk (no LVM or RAID), using a non-checksumming filesystem (no ZFS), and using BIOS or EFI functions (no ATA, USB or IEEE1275).

I think both options I considered would be local solutions. There’s a third option that can work and could be submitted upstream: fiddle with grub2-once.service, either by keeping it always enabled under a condition, or by postponing its start until after boot, something along these lines…
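As an added example (not part of the original post, and not openSUSE's or systemd's own tooling), the script below shows the defensive side of option (a): a systemd drop-in that orders auditd.service after the mount providing /var/log/audit, so a PID 1 reload mid-boot cannot start the daemon against an unmounted /var, plus a small reader for the GRUB environment block format quoted above that reports whether grub2-once has armed a one-shot `next_entry`. `RequiresMountsFor=` is a standard systemd [Unit] directive; the drop-in file name, the `ROOT` parameter and the sample grubenv contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a defensive workaround for the
# boot race described above. It (1) writes a systemd drop-in so auditd.service
# is ordered after the mount that provides /var/log/audit, and (2) parses a
# GRUB environment block to show whether grub2-once has armed `next_entry`.
# The root directory is a parameter so the functions can be exercised against
# a scratch directory; defaults match the openSUSE layout shown in the post.
set -eu

# Write <root>/etc/systemd/system/auditd.service.d/10-wait-for-var.conf.
# RequiresMountsFor= adds Requires=/After= on the mount units needed for the
# given path, so auditd is not started while /var/log/audit is still absent.
# Drop-in file name is an assumption of this example.
write_auditd_dropin() {
    root=$1
    dir="$root/etc/systemd/system/auditd.service.d"
    mkdir -p "$dir"
    cat > "$dir/10-wait-for-var.conf" <<'EOF'
# Added by the example script: order auditd after the filesystem holding
# /var/log/audit. Apply with: systemctl daemon-reload
[Unit]
RequiresMountsFor=/var/log/audit
EOF
    printf '%s\n' "$dir/10-wait-for-var.conf"
}

# Print the value of a key from a GRUB environment block file. The block is
# plain key=value lines padded with '#' to its fixed size, so a line-based
# read is enough; the authoritative tool is `grub2-editenv <file> list`.
grubenv_get() {
    file=$1
    key=$2
    # drop comment/padding lines, then pick the requested key (first match)
    grep -v '^#' "$file" | sed -n "s/^$key=//p" | head -n 1
}

# Exit 0 if next_entry is set (grub2-once armed for the next boot), 1 if not.
grubenv_next_entry_armed() {
    [ -n "$(grubenv_get "$1" next_entry)" ]
}

# Constructed sample grubenv for offline use: mirrors the post's block with a
# next_entry line added, as grub2-once leaves it before a hibernation.
make_sample_grubenv() {
    cat > "$1" <<'EOF'
# GRUB Environment Block
# WARNING: Do not edit this file other than by grub2-editenv
env_block=512+1
saved_entry=openSUSE Tumbleweed
next_entry=openSUSE Tumbleweed
#################################################
EOF
}

# Post-boot health check: exit 0 when auditd is running, non-zero otherwise.
# Useful in a boot-time check so a silently failed auditd does not go unnoticed.
auditd_is_active() {
    systemctl is-active --quiet auditd.service
}

# Stand-alone usage on a real system (as root):
#   write_auditd_dropin / && systemctl daemon-reload
#   grubenv_next_entry_armed /boot/grub2/grubenv && echo "next_entry is set"
#   auditd_is_active || echo "auditd is NOT running"
```

The drop-in does not change grub2-once.service itself, so it leaves the one-shot boot selection intact; it only guarantees that auditd is never started before the filesystem that holds its log directory is mounted, which is the failure the journal excerpt shows (`Could not open dir /var/log/audit`).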