Feature #5633

Enable serial console on every lizard guest

Added by Tails 2013-07-18 07:43:47. Updated 2015-01-10 10:34:52.

Status: Resolved
Priority: Normal
Assignee:
Category: Infrastructure
Target version:
Start date:
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

Enable serial console in every guest, to be able to connect from the host without setting up SSH authentication. While we’re at it, enable it for Grub and on the kernel cmdline + inittab to ease emergency maintenance.


History

#1 Updated by intrigeri 2013-12-29 04:02:18

  • Subject changed from enable serial console on every lizard guest to Enable serial console on every lizard guest
  • Starter set to No

#2 Updated by bertagaz 2014-12-29 15:50:37

  • Status changed from Confirmed to In Progress
  • Assignee set to bertagaz

To implement this, we have to improve `Augeas['GRUB_CMDLINE_LINUX']` in local::node, which is used if $apparmor == true, to add console=ttyS0 anyway.

The patch would be lighter if we decide that every node on lizard is supposed to have apparmor installed.

Given not so many profiles are enforced at the moment in the VMs, and every node has it enabled at the moment, that wouldn’t be so invasive. Such an enforced default will probably not break anything. So maybe we don’t mind in the end and can remove the $apparmor check?

#3 Updated by intrigeri 2014-12-30 10:03:03

> So maybe we don’t mind in the end and can remove the $apparmor check?

Agreed. I think this flexibility used to be needed back when we had a Squeeze VM, that didn’t support AppArmor.

#4 Updated by bertagaz 2014-12-30 14:36:10

  • Status changed from In Progress to Resolved
  • Assignee deleted (bertagaz)
  • % Done changed from 0 to 100

This is now implemented and deployed on every guest. It’s now possible to use `virsh console $vm` to connect to it, so closing this ticket.

#5 Updated by intrigeri 2015-01-01 16:21:19

  • Status changed from Resolved to In Progress
  • Assignee set to bertagaz
  • % Done changed from 100 to 80
  • QA Check set to Info Needed

Does that work for Jessie VMs, that are running systemd and thus don’t support inittab?

#6 Updated by bertagaz 2015-01-01 16:30:06

You’re right, it doesn’t work with Jessie VMs, good catch. Didn’t think of this corner case (yet to be the main one).

Any hints/pointers about how it works in systemd?

#8 Updated by bertagaz 2015-01-02 14:56:28

  • Assignee deleted (bertagaz)
  • % Done changed from 80 to 90
  • QA Check changed from Dev Needed to Ready for QA

Pushed and deployed a patch that installs the correct systemd service in Jessie VMs to activate the console. Now they also work.

#9 Updated by intrigeri 2015-01-02 15:30:04

> Pushed and deployed a patch that installs the correct systemd service in Jessie VMs to activate the console. Now they also work.

I don’t understand why we’re bothering enabling serial-getty@ttyS0.service by hand: systemd is supposed to do it automatically as long as console=ttyS0 is passed on the kernel cmdline. Doesn’t that work?

#10 Updated by intrigeri 2015-01-02 15:48:50

  • Category set to Infrastructure
  • Assignee set to bertagaz
  • QA Check changed from Ready for QA to Info Needed

#11 Updated by bertagaz 2015-01-06 13:26:49

  • Category deleted (Infrastructure)
  • Assignee changed from bertagaz to intrigeri
  • % Done changed from 90 to 80
  • QA Check changed from Info Needed to Ready for QA

You’re right, it wasn’t really necessary.

The serial console access to Jessie VM wasn’t set up automatically by systemd because only adding console=ttyS0 on the kernel cmd line isn’t enough, one also needs to configure grub serial command correctly.

This is now deployed and seems to work on both Jessie and Wheezy VMs.

I’ve also included Lizard’s serial console configuration in our manifest.
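
The point made in comment #11, as an added example that is not part of the ticket or of the Tails manifests: a check that a grub defaults file carries all three serial settings rather than only `console=ttyS0`. The function name `check_serial_console`, the sample files and the speed values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit a grub defaults file (a shell fragment, as in
# /etc/default/grub) for the settings a serial console needs.

# check_serial_console FILE [TTY]
# Prints one line per missing setting; exit status = number missing.
check_serial_console() {
    (
        tty=${2:-ttyS0}
        GRUB_CMDLINE_LINUX='' GRUB_CMDLINE_LINUX_DEFAULT=''
        GRUB_TERMINAL='' GRUB_SERIAL_COMMAND=''
        # grub-mkconfig sources this file too; only audit files you trust.
        . "$1" || exit 99
        missing=0
        # Kernel: console=ttyS0 or console=ttyS0,<speed> as a whole word.
        case " $GRUB_CMDLINE_LINUX $GRUB_CMDLINE_LINUX_DEFAULT " in
            *" console=$tty "*|*" console=$tty,"*) ;;
            *) echo "kernel cmdline lacks console=$tty"; missing=$((missing + 1)) ;;
        esac
        # Boot loader: the menu must be sent to the serial terminal...
        case " $GRUB_TERMINAL " in
            *" serial "*) ;;
            *) echo "GRUB_TERMINAL lacks serial"; missing=$((missing + 1)) ;;
        esac
        # ...and the serial port itself must be configured.
        case $GRUB_SERIAL_COMMAND in
            serial\ *|serial) ;;
            *) echo "GRUB_SERIAL_COMMAND not set"; missing=$((missing + 1)) ;;
        esac
        exit "$missing"
    )
}

# Constructed sample files (not taken from the Tails manifests).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'GRUB_CMDLINE_LINUX="console=ttyS0"' > "$tmp/cmdline-only"
printf '%s\n' \
    'GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8"' \
    'GRUB_TERMINAL="console serial"' \
    'GRUB_SERIAL_COMMAND="serial --unit=0 --speed=115200"' > "$tmp/complete"

for f in "$tmp/cmdline-only" "$tmp/complete"; do
    if check_serial_console "$f"; then echo "${f##*/}: ok"
    else echo "${f##*/}: incomplete"; fi
done
```

On a guest, point it at `/etc/default/grub` and re-run `update-grub` after any change so the generated configuration picks it up.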

#12 Updated by intrigeri 2015-01-06 15:42:52

  • Assignee changed from intrigeri to bertagaz
  • QA Check changed from Ready for QA to Info Needed

I see commit 093787c5 removes the serial-getty@ttyS0.service service. Good. Did you manually revert the changes this service resource introduced earlier? (If not, it may be that you’re testing a combination of what our manifests deploy + unmanaged changes.)

#13 Updated by bertagaz 2015-01-06 16:22:41

  • Assignee changed from bertagaz to intrigeri
  • QA Check changed from Info Needed to Ready for QA

intrigeri wrote:
> I see commit 093787c5 removes the serial-getty@ttyS0.service service. Good. Did you manually revert the changes this service resource introduced earlier?

Yes, I did.

#14 Updated by intrigeri 2015-01-07 10:34:58

  • Category set to Infrastructure
  • Target version set to Tails_1.2.3

Awesome. I’ll test it soonish, and then will finally close this ticket as resolved :)

#15 Updated by intrigeri 2015-01-10 10:34:52

  • Status changed from In Progress to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 80 to 100
  • QA Check changed from Ready for QA to Pass

Works for me. Congrats!