Hi all,
I’ve read https://en.opensuse.org/Portal:Aeon/Encryption and I understand that it’s strongly suggested to have a TPM2 chipset for default mode or have secureboot in fallback mode, but my old laptop (thinkpad e520) lacks both.
I have however installed Aeon on it. Went very smooth. BUT: when the system upgrades (after transactional upgrade) I am unable to boot in the upgraded image. I can enter the passphrase twice and then my device reboots. Doing a rollback makes my system available again.
Is this because I don’t meet the system requirements (e.g. TPM2 and/or secureboot) or is something else afoot?
Thanks.
@WimDeWinter it shouldn’t, perhaps this bug https://bugzilla.opensuse.org/show_bug.cgi?id=1238407 see the last comment for a possible workaround.
Thank you for your reply.
I tried to implement the solution as mentioned in your post by doing:
sudo transactional-update run zypper al 'kernel*'
and reboot afterwards without issues. Then
sudo transactional-update run zypper dup
and reboot without issues. Then
sudo transactional-update run zypper rl 'kernel*'
and reboot without issues. Then
sudo transactional-update run zypper dup
And could not reboot; I had to roll back to the previous image. So basically I did an update excluding kernel-update. Probably didn’t do it by the book? (noob here, sorry)
@WimDeWinter So except for the final step, it’s booting into the correct snapshot?
Yes it is, it’s always booting after every step except for the final step.
@WimDeWinter Please add comments to the bug report, you might need to collect logs… Same username/password for the forum to login to bugzilla.
For future reference, I figured out a way to make the updates work (for now???). I was pointed to https://en.opensuse.org/SDB:Keep_multiple_kernel_versions by @malcolmlewis and changed the /etc/zypp/zypp.conf file as follows:
multiversion = provides:multiversion(kernel)
and
multiversion.kernels = latest,latest-1,latest-2,running
This seems to solve my problems (for now?)
Some further observations:
When I start the laptop and log in to gnome and let things run, the automatic updates are installed. A pop-up screen asks me to reboot. Doing that, the system fails at unlocking the encrypted partition. I am unable to use my latest image.
However, when I roll back to the last usable image and run sudo transactional-update run zypper dup
and reboot afterwards, I can unlock the encrypted partition and use my up-to-date system.
So, now my question, what’s the difference between an automatic update and an update using the command above?
By the way, no kernel-related packages were updated (I already removed the kernel lock by issuing sudo transactional-update run zypper rl 'kernel*') by the manual update.
It is rather difficult to guess without knowing what program performs automatic updates and what program generates this pop-up screen.
I don’t think it’s a program? My guess is it’s a script checking for updates and pulling them in if available? https://en.opensuse.org/Portal:Aeon states
Always up-to-date: Updates install automatically, without impacting the running system. They take effect on next reboot, which you decide when that occurs.
More information here: Administering SUSE Linux Micro Using transactional-update
So sudo systemctl --now disable transactional-update.timer
would disable the timer and thus prevent automatic updates and, hopefully, keep my system bootable?
this is my transactional-update.service file:
[Unit]
Description=Update the system
Documentation=man:transactional-update(8)
ConditionACPower=true
Wants=network.target
After=network.target
[Service]
Type=oneshot
Environment=UPDATE_METHOD=dup
EnvironmentFile=-/usr/etc/transactional-update.conf
EnvironmentFile=-/etc/transactional-update.conf
ExecStart=/usr/sbin/transactional-update cleanup ${UPDATE_METHOD} reboot
IOSchedulingClass=best-effort
IOSchedulingPriority=7
The only thing different to sudo transactional-update run zypper dup
I notice is the cleanup option? Could this mess things up somehow?