Autorun workflow not blessing target volume

[chilcote]

Trying out the new autorun settings, and I've run into an issue with the target volume not being blessed.

My objective is to trigger a netboot and autorun image workflow by running bless --netboot --server bsdp://xx.xx.xx.xxx on the client, and to not have any firstboot scripts run (no LoginLog; no extra reboot).

If I strip down the imagr_config.plist to contain only the type and url keys under components, the system will not successfully bless the target volume.

However, if I include the computer_name key under components, it will successfully bless the target volume.

Looking through the code, I can't figure out where this is failing. I'm guessing it's in this block: https://github.com/grahamgilbert/imagr/blob/master/Imagr/MainController.py#L501-L518. But it seems to me that self.blessTarget should be True with either of these plists: https://gist.github.com/chilcote/318a5dbdf4a05981d23a

Steps to reproduce:

1. Make sure csrutil is configured for the netboot server (ip-helpers, etc).
2. Add the imagr_config.plist linked above "imagr_autorun_fail"
3. Run bless --netboot --server bsdp://xx.xx.xx.xxx
4. It'll reboot to the netboot server
5. (Optionally enter the password. I have this there as a failsafe for my testing)
6. Let it run the autorun workflow

Expected result:
It should boot to the internal volume

Actual result:
It boots to the netboot server again (nvram -p shows the efi-boot-device settings still have the netboot server info)

If I use the imagr_config.plist linked ("imagr_autorun_succeed") it works.

My Imagr.nbi is being created with the latest build Makefile, and using a 10.11.3 install app as the source.

I can't find anything interesting in system.log when netbooted either.

If you can point me in the right direction I can test and submit a PR perhaps.

[grahamgilbert]

You're in the right place. Actual blessing happens https://github.com/grahamgilbert/imagr/blob/master/Imagr/MainController.py#L1110-L1118

Not sure why it's failing, I'm not seeing anything obvious. Are you renaming the volume via your asr restore? That shouldn't affect it, but I'm grasping at straws...

[groob]

Seeing the same issue here.

[groob]

Setting bless_target to true doesn't seem to have an effect either it seems.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>password</key>
        <string>b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86</string>
        <key>workflows</key>
        <array>
            <dict>
                <key>name</key>
                <string>Munki ElCap</string>
                <key>description</key>
                <string>Deploys a 10.11.3 image with Munki Tools and its configuration.</string>
                <key>components</key>
                <array>
                    <dict>
                        <key>type</key>
                        <string>image</string>
                        <key>url</key>
                        <string>http://imagr/dmgs/production-10.11.3-15D21.hfs.dmg</string>
                    </dict>
                </array>
                <key>restart_action</key>
                <string>restart</string>
                <key>bless_target</key>
                <true/>
            </dict>
        </array>
    </dict>
</plist>

[sheagcraig]

FWIW, I'm seeing this too.

[grahamgilbert]

I don't have access to physical test hardware at the moment and this is pretty hard to troubleshoot in VMs. I would really really appreciate help here.

[sheagcraig]

Hey @grahamgilbert I'm testing this out this morning.

I am using an AutoImgrNBI built image, built from 10.11.3, to install; here's what I'm seeing.

When the workflow is done, I have it restart. I immediately see the "blinking globe", which due to issues with our networking config at the moment doesn't actually work. After not too long it times out and then boots the imaged volume (and annoyingly it does not skip the setup assistant, despite that being part of the AutoImagrNBI).

I have tried adding the computer_name key to the workflow, but it doesn't change things. (Tried it with auto only, and auto + serial_number). I'm going to look at @chilcote 's and see if I can make it work that way. Of note, unlike him, I'm not having it be set to autorun.

[sheagcraig]

I stripped the workflow down to just the components listed as working by @chilcote, and it still doesn't boot to the correct volume. I'm going to try using a different OS X installer next.

[sheagcraig]

Okay-last one: I could not get the bless to work at all with AutoImagrNBIs. I switched to just using the Imagr make and it blesses with both having and not having a name component.

[grahamgilbert]

So a problem with AutoImagrNBI? What say you @macmule ?

[macmule]

@grahamgilbert, AutoImagrNBI creates an OS based on an OS.dmg.

The EFI is the same as a booted Mac, maybe this is SIP's bless change.

Recently this came up on Slack. Is bless needed if installing an OS via ASR?

[macmule]

FWIW, AutoCasperNBI does not have have this issue.

Casper Imaging might have at some point, but JAMF resolved.

Not trolling, just mentioning as the NBI creation in both AutoImagrNBI & AutoCasperNBI is the same.

[grahamgilbert]

Depends. If you've netbooted using the N key, I don't think so, but if you've chosen the startup disk or some other way of remote netbooting you probably would.

[macmule]

https://macadmins.slack.com/archives/general/p1457112572011685

Seems like systemsetup might be the solution.

[grahamgilbert]

Now we're cooking with gas. Hopefully this is in NBI's made with AutoNBI.

[sheagcraig]

I'm having to bless and then option boot because the Netinstall service isn't showing up in Startup Disk for me right now.

[gregneagle]

If:

1. The (net)booted OS is El Capitan, and
2. The "normal" kernel is part of the OS, then:

"bless" won't be able to set the startup disk.
AutoNBI uses the "special" kernel that isn't restricted by SIP. AutoImagrNBI may be using the "normal" kernel.

[macmule]

@gregneagle, yep it's the normal SIP enabled kernel.

I suppose I could pull the kernel from the Recovery partition of the OS.dmg supplied when creating the NBI.

I haven't yet as haven't had good cause to, well maybe I do.

[gregneagle]

I'd say that's good cause.

[macmule]

Yea. AutoImagrNBI needs some love. My plan was 1 release to bring it on par with ACNBI. Then another to add the new things for Imagr.

I guess I should crack on with it.

[grahamgilbert]

All satisfied that this isn't an Imagr issue then?

[groob]

Not sure about that, when I reported the issue above, I was using AutoNBI.

[gregneagle]

We need to confirm that a 10.11.x AutoNBI boot image has the SIP-disabled kernel. I believe that is the case, but I have not checked/confirmed that it does.

[bruienne]

I can confirm that since AutoNBI calls the Apple-provided scripts in the SIU XPC helper the NBI created by it contains the bootbase.efi kernel, i.e. the SIP-disabled version.

To check:

# A kernel with SIP disabled will contain "bootbase" in the executable
$ strings /path/to/Imagr.nbi/i386/booter | grep -c bootbase
2

# A kernel with SIP enabled will *not* contain "bootbase" in the executable
$ strings /path/to/Imagr.nbi/i386/booter | grep -c bootbase
0

[chilcote]

Just to be clear, the problem I originally reported wasn't due to SIP.

If SIP precluded bless in imagr, then bless in imagr wouldn't work under any of the relevant circumstances. I only had a failure when I removed the firstboot scripts.

Not saying there isn't a different problem, but that's not why this issue was submitted.

I hope to have some time to test tomorrow.

[macmule]

Right, given the above from @chilcote & @groob mentioning using AutoNBI... I'm leaving AutoImagrNBI using a SIP enabled EFI as don't think that change will help this issue.

[grahamgilbert]

I'd say it's still worth verifying. Can bless be used by hand in an autoimagrnbi nbi?

Sent from my iPhone

On Wed, Mar 9, 2016 at 12:49 PM -0800, "macmule" notifications@github.com wrote:

Right, given the above from @chilcote & @groob mentioning using AutoNBI... I'm leaving AutoImagrNBI using a SIP enabled EFI as don't think that change will help this issue.

—
Reply to this email directly or view it on GitHub.

[macmule]

If SIP was the issue. AutoImagrNBI created Images would never have worked when running 10.11.

Either via a NetBoot or USB.

What @chilcote is saying is that with AutoNBI (non-SIP enabled), some workflows fail.. Others do not.

If we can get it working 100% under a non-SIP enabled environment like a NetInstall, then I can test AutoImagrNBI.

Regards,

Ben.

On 9 Mar 2016, at 20:50, Graham Gilbert notifications@github.com wrote:

I'd say it's still worth verifying. Can bless be used by hand in an autoimagrnbi nbi?

Sent from my iPhone

On Wed, Mar 9, 2016 at 12:49 PM -0800, "macmule" notifications@github.com wrote:

Right, given the above from @chilcote & @groob mentioning using AutoNBI... I'm leaving AutoImagrNBI using a SIP enabled EFI as don't think that change will help this issue.

—
Reply to this email directly or view it on GitHub.

—
Reply to this email directly or view it on GitHub.

[clburlison]

So this issue has kind of gone all over the place trying to determine what the root issue is. I'll try to summary the main points below.

Description of Issue/Question

The root issue is El Captain's new interaction with the bless command thanks to SIP. Imagr will currently bless a target two separate ways:

• "/usr/sbin/bless", "--device", self.deviceidentifier, "--setBoot" or
• "/usr/sbin/bless", "--mount", self.mountpoint, "--setBoot"

The --device flag is no longer properly blessing a target in 10.11. This flag is currently only used when your workflow contains no firstboot components.

However, the --mount flag does work which is why the majority of Imagr users aren't seeing this issue. This flag is used when adding multiple components for processing via the firstboot script. IE - scripts, packages, computer_name components with firstboot set to true.

Setup

1. Use the following attached config file
2. You MUST set a new startup disk target via:
   • bless --netboot --server bsdp://xx.xx.xx.xxx
   • Option booting. Select external drive/NBI. Hold control on new mount. Enter.
   • sudo systemsetup -setstartupdisk /Volumes/external_drive
   • SysPref > Startup Disk.
3. Run though a workflow that should set the bless target via "/usr/sbin/bless", "--device", self.deviceidentifier, "--setBoot"

imagr_config.txt

Steps to Reproduce Issue

Full error logging from a NBICreator NBI that has SIP disabled - blessing_error.txt

You can reproduce the issue with the attached imagr_config file. However this can also be done by calling bless while booted into an NBI that has a kernel that disables SIP (NBICreator & AutoNBI at this time).

# This fails
/usr/sbin/bless --device disk0s2 --setBoot --verbose

# This works
/usr/sbin/bless --mount "/Volumes/Macintosh HD" --setBoot --verbose

NOTE: to verify that the target is being properly set you need to use:

• /usr/sbin/bless --getBoot --verbose
• or nvram -p and look in the efi-boot-device array

Versions Report

Imagr current (1.1.1) and all past versions when using 10.11 as the NBI boot source.

The Fix

We should modify Imagr to always call bless --mount against the restored volume.

[grahamgilbert]

Good work. Looks like a reasonably simple fix thankfully. I'll try to nail this during my airport time this week.

[erikng]

Oddly enough I have a base image that auto runs and have not seen this on virtual and physical machines. The image is literally an AutoDMG 10.11.5 base. No first boot package.

Using AutoNBI though.

On Jun 5, 2016, at 11:59 AM, Graham Gilbert notifications@github.com wrote:

Good work. Looks like a reasonably simple fix thankfully. I'll try to nail this during my airport time this week.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

[erikng]

Never mind, I saw the other thread. I have a restart action (shutdown).

On Jun 5, 2016, at 11:59 AM, Graham Gilbert notifications@github.com wrote:

Good work. Looks like a reasonably simple fix thankfully. I'll try to nail this during my airport time this week.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

[grahamgilbert]

Alright, just pushed the code that makes the changes @clburlison suggested. It's working ok here (i.e. not crashing). I won't have real hardware to test on until next week now, so would appreciate if someone could test and see if it's been resolved.

[clburlison]

This has been resolved for me. Hopefully someone else can verify.

[chilcote]

I can verify that this fixes the issue. Thanks @clburlison and crew!