I know very little about debian-installer, but here's a guess based on what I found in the puppet repo:

% git grep grub-installer/bootdev
modules/install_server/files/autoinstall/common.cfg:d-i grub-installer/bootdev  string  /dev/sda
modules/install_server/files/autoinstall/partman/ms-be-legacy.cfg:d-i   grub-installer/bootdev  string  /dev/sdm /dev/sdn
modules/install_server/files/autoinstall/partman/ms-be.cfg:d-i  grub-installer/bootdev  string  /dev/sda /dev/sdb
modules/install_server/files/autoinstall/virtual.cfg:d-i    grub-installer/bootdev  string default

The particular config used on thumbor2002 was raid1-lvm-ext4-srv.cfg, which -- although it sets up RAID1 between sda and sdb -- does not override the grub-installer/bootdev param from common.cfg.

Assumption 1: the partman-auto-raid directive exactly correlates with our use of Linux software RAID in production.
Assumption 2: in order to have a working grub install on each mirror, software RAID1/10 configs must override grub-installer/bootdev to list all the relevant disks.

If both of those are true, we have a lot of configs to update (35!). Only ms-be and ms-be-legacy seem to set grub-installer/bootdev.

Please note this is related to T156955.

Change 490404 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] partman: grub-install on all RAID{1,10} drives

https://gerrit.wikimedia.org/r/490404

@Joe made me aware of the existence of partman configs present on install1002 that are not in Puppet.

The good news is that almost all such files are either editor backup files (ending in ~ or .bak), or files once in Puppet but since deleted from git:

cdanis@cdanis ~/gits/puppet/modules/install_server/files/autoinstall/partman % comm -1 -3 \
  <(cat <(ls *.cfg) \
        <(git log --no-renames --diff-filter=D --summary -- . :/modules/install-server/files/autoinstall/partman :files/autoinstall/partman \
          | grep ' *delete mode ' | cut -d/ -f6) \
    | sort | uniq) \
  <(ssh install1002.wikimedia.org ls '/srv/autoinstall/partman/*.cfg' | cut -d/ -f5)

labvirt-ssd-sdb.cfg

That file dates from Oct 2015. The only meaningful diffs between it and labvirt-ssd.cfg is using sdb instead of sda for /. There are 0 labvirt/cloudvirt machines in the fleet for which this looks required:

cdanis@cumin1001.eqiad.wmnet ~ % sudo cumin -p95 'cloudvirt*,labvirt*' "df /boot | tail -n1 | cut -f1 -d' '"
36 hosts will be targeted:
cloudvirt[2001-2003]-dev.codfw.wmnet,cloudvirt[1009,1012-1030].eqiad.wmnet,cloudvirtan[1001-1005].eqiad.wmnet,labvirt[1001-1008].eqiad.wmnet
Confirm to continue [y/n]? y
===== NODE GROUP =====                                                                                                                                                 
(32) cloudvirt[1009,1012-1019,1021-1030].eqiad.wmnet,cloudvirtan[1001-1005].eqiad.wmnet,labvirt[1001-1008].eqiad.wmnet
----- OUTPUT of 'df /boot | tail -n1 | cut -f1 -d' '' -----
/dev/sda1
===== NODE GROUP =====                                                                                                                                                 
(3) cloudvirt[2001-2003]-dev.codfw.wmnet                                                                                                                               
----- OUTPUT of 'df /boot | tail -n1 | cut -f1 -d' '' -----
/dev/md0

(cloudvirt1020 skipped as it currently needs a reimage but should also use sda)

So, all of these files seem to be now-unnecessary cruft.

I am pretty sure we should be setting purge => true on the /srv/autoinstall File object installed by preseed_server.pp.

Change 491756 had a related patch set uploaded (by CDanis; owner: CDanis):
[operations/puppet@production] install_server: purge old files from /srv/autoinstall

https://gerrit.wikimedia.org/r/491756

Change 491756 merged by CDanis:
[operations/puppet@production] install_server: purge old files from /srv/autoinstall

https://gerrit.wikimedia.org/r/491756

Change 490404 merged by CDanis:
[operations/puppet@production] partman: grub-install on all RAID{1,10} drives

https://gerrit.wikimedia.org/r/490404

Buster failed to install on my md install for 2552d12fe15ec1 with "grub install sda sdb failed, cannot install on sda". I cannot be sure it is that change because buster, and because there is weird hybrid software raid + hw raid going on, and it could be a question of using the wrong recipe because of the extra disk, but FYI.

In T215183#5496348, @jcrespo wrote:

Buster failed to install on my md install for 2552d12fe15ec1 with "grub install sda sdb failed, cannot install on sda". I cannot be sure it is that change because buster, and because there is weird hybrid software raid + hw raid going on, and it could be a question of using the wrong recipe because of the extra disk, but FYI.

Jaime, if you have a spare host in this hardware configuration, I could try reimaging and gathering logs.

An update: as of now, 20.8% of the fleet (or 30% of hosts with software RAID enabled) have redundant bootloaders. This is just from fixing the partman configs and waiting for reimages to happen 'naturally'. That's about all the work I'm going to do on this for the time being; I figure improvements will continue as services need to move to Buster.

Jaime, if you have a spare host in this hardware configuration, I could try reimaging and gathering logs.

@CDanis I was able to install it in the end, it was a conflict with other drive (hw RAID, in addition to the sw one) what caused issues, not the recipe. Sorry for the misreporting.

In T215183#5575143, @CDanis wrote:

An update: as of now, 20.8% of the fleet (or 30% of hosts with software RAID enabled) have redundant bootloaders. This is just from fixing the partman configs and waiting for reimages to happen 'naturally'. That's about all the work I'm going to do on this for the time being; I figure improvements will continue as services need to move to Buster.

Current stats as of April 27:

• 1405 physical machines
• 1 machine broken (mw1280)
• 357/1405 (~25%) don't use software RAID, so are out of scope
• 711 machines use software RAID, and have bootloaders on all their drive replicas (51% of fleet, 68% of SW RAID machines)
• 336 machines use software RAID, but don't have properly replicated bootloaders (24% of fleet, 32% of SW RAID machines)

Here's a list of the bad machines:

Going to continue to let this linger; natural reimaging activity is solving the problem well.

@CDanis backup2002 was recently installed into buster (apparently, wrongly), but it already contains data. Would a simple:

grub-install /dev/sdb

(I am assuming sda already has it) fix the issue?

In T215183#6087811, @jcrespo wrote:

@CDanis backup2002 was recently installed into buster (apparently, wrongly), but it already contains data. Would a simple:

grub-install /dev/sdb

(I am assuming sda already has it) fix the issue?

That ought to take care of it, yeah. I confirm it is sdb that is missing grub.

I'm not sure how backup2002 wound up in that state -- AFAIK the partman files should have been fixed since Buster was available, and I see that you reimaged on Apr 15... so it's strange that it happened.

In T215183#6089160, @CDanis wrote:

I'm not sure how backup2002 wound up in that state -- AFAIK the partman files should have been fixed since Buster was available, and I see that you reimaged on Apr 15... so it's strange that it happened.

backup* hosts don't use the new standard partman recipes :-)

Ah, I see, no-srv-format.cfg doesn't set up any SW RAID at all, which means debian-installer of course won't know to install grub on both disks. I'm guessing you set up the RAID for / manually? So then this state is expected.

no-srv-format.cfg is the (wrong) recipe we use for forcing a failure so stateful services don't get accidentally reimaged (as it happened once) :-D.

Backup hosts use normally custom/backup-format.cfg when setup for the first time. This is custom because it sets up both a sw RAID and a hw RAID in the same host.

It is true, however, that I installed this one manually as we had an unrelated issue on install (not related to partman, but to dhcp server reimage).

Ah okay. It does look like backup-format.cfg contains the necessary incantations for replicated GRUB.

I've corrected manually backup2002, db1115, db2093 and will ask Manuel about the proxies, some of those are just being decommissioned or will be reimaged soon. Arguably we will not have lots of servers affected because most of ours use hw raid with a single virtual sda, not md.

Thanks for the help!

Hello people, I found this task after dealing with /dev/sda failed in a raid1 array. I thought that I had to do grub-install on /dev/sdb via d-i rescue, but then I noticed that the partman recipe was already fixed and the host was reimaged recently, so I checked in the BIOS. There is an option called Hard disk failover, that it was set to Disabled, preventing the host to try another disk if the first one listed is missing. After setting it to enabled I was able to boot correctly (before that the host went directly to PXE every time). I am writing this in here to warn other people that might get into my position in the future :D

Is there a way to audit this option and see how many hosts have it set disabled? After all this work it seems something that we'd want to keep enabled..

Is there a way to audit this option and see how many hosts have it set disabled? After all this work it seems something that we'd want to keep enabled..

If there is a way to get/set the parameter via ipmitool we could add it to spicerack and create a cookbook. however from a quick scan of ipmitool i couldn't see a way to get this information

I agree we should audit it. I think that with redfish API it should be doable, adding @crusnov as they've worked on it last Q.

In T215183#6719053, @Volans wrote:

I agree we should audit it. I think that with redfish API it should be doable, adding @crusnov as they've worked on it last Q.

Indeed. I don't know if there's a direct Redfish end point for it, but that setting does show up in the Server Configuration Profile, for example:

{ "Name": "HddFailover",
  "Value": "Disabled",
  "Set On Import": "True",
  "Comment": "Read and Write" },

This quarter I'll be working on Spicerack support for manipulating these settings, but in the mean time I have some little tools that can manipulate them if needed.

For context, the Server Configuration Profile is a Dell specific interface to setting BIOS settings across the available BIOSen in a particular box. It can be manipulated via Redfish or via other interfaces.

Has there been any progress toward goal #2? I didn't see where anything had been added to the mentioned runbook.

For context: We replaced sda in aqs1012 recently (T396970) and were (I believe) bit by this issue. It would seem to have been reimaged since the partman recipe was fixed, and it does not appear in the April 2020 list posted in T215183#6086396, so I'm wondering if a prior replacement didn't get the bootloader installed.

As a follow-up, I did find a device with a missing bootloader: aqs1014, which went up after it's partman recipe was fixed (it has had SSDs replaced in the years since though)

Footnotes

†: Generated with: cumin -p99 'F:virtual = physical' 'test -b /dev/md0 && (echo md0; head -c512 /dev/sdb|grep -q GRUB && echo sdb || echo nope) || echo no-md0'

Something else worth pointing out. Given how fast-and-loose Linux plays with device ordering, this probably isn't going to work in every case.

And not all hosts are booting from a RAID1, the aqs cluster at least uses a RAID10, which combined with variability of device ordering makes it trickier still to find the candidates.

In T215183#11014363, @Eevans wrote:

Has there been any progress toward goal #2? I didn't see where anything had been added to the mentioned runbook.

Good question, I think probably not. @RobH or @wiki_willy is this on your radar?

For context: We replaced sda in aqs1012 recently (T396970) and were (I believe) bit by this issue. It would seem to have been reimaged since the partman recipe was fixed, and it does not appear in the April 2020 list posted in T215183#6086396, so I'm wondering if a prior replacement didn't get the bootloader installed.

@Eevans, can you check in the BIOS settings of aqs1012 to see if a setting like "Hard drive failover" exists, per T215183#6718961 ?

I also never spent much time looking at or thinking about RAID10 hosts, as you said. Honestly I don't remember what debian-installer does in the first place for RAID10 and bootloaders.

In T215183#11014691, @CDanis wrote:

In T215183#11014363, @Eevans wrote:

[ ... ]

For context: We replaced sda in aqs1012 recently (T396970) and were (I believe) bit by this issue. It would seem to have been reimaged since the partman recipe was fixed, and it does not appear in the April 2020 list posted in T215183#6086396, so I'm wondering if a prior replacement didn't get the bootloader installed.

@Eevans, can you check in the BIOS settings of aqs1012 to see if a setting like "Hard drive failover" exists, per T215183#6718961 ?

It does, and I set it enabled after the device had been replaced and wouldn't boot (hint: it still didn't :( ).

aqs1014 was missing a bootloader for sdb as well (I've since fixed that), so if it had subsequently lost sda (like aqs1012), I think it would have manifested exactly the same.

In T215183#11014691, @CDanis wrote:

In T215183#11014363, @Eevans wrote:

[ ... ]

I also never spent much time looking at or thinking about RAID10 hosts, as you said. Honestly I don't remember what debian-installer does in the first place for RAID10 and bootloaders.

This config uses modules/install_server/files/autoinstall/partman/custom/aqs-cassandra-8ssd-2srv.cfg which you fixed back in 2019, it should be using all of /dev/sd[a-d]. For most of the aqs hosts that would seem to be the case, too. Now I'm wondering what the other 6 devices (it's supposed to have 8, but one had been replaced, and another failed) looked like. You would think that even with generous reordering, chances would be very good you'd find at least one bootloader among the first 4!

In T215183#11014363, @Eevans wrote:

Has there been any progress toward goal #2? I didn't see where anything had been added to the mentioned runbook.

For context: We replaced sda in aqs1012 recently (T396970) and were (I believe) bit by this issue. It would seem to have been reimaged since the partman recipe was fixed, and it does not appear in the April 2020 list posted in T215183#6086396, so I'm wondering if a prior replacement didn't get the bootloader installed.

Answering myself here: I see now that T220842 is a subtask, and that it has been closed as resolved (with https://wikitech.wikimedia.org/wiki/SRE/Dc-operations/Sw_raid_rebuild_directions cited as the result), but I don't see anything there with respect to installing the bootloader. I'm happy to take a stab at adding something —assuming this is the canonical location, and that we're in agreement on what should be done..

Ok, so in an attempt to summarize things:

• It seems that goal no. 1 is complete, all partman preseeds have been updated
• Goal no. 3 might need to be revisited with a mind toward all of the hosts that have been reimaged, but have since had disks replaced, and didn't get a bootloader (re)installed. This is Real™, I've already found examples during spot-checking. Anyone doing so should be aware that the cumin copypasta in the description is only an approximation (for example it assumes raid1, and it doesn't take into account any reordering of devices)
• Bonus: bulk update the fleet for the BIOS setting that enables boot device failover
• Last (but definitely not least), make sure that the runbook prominently covers the installation of a bootloader when an applicable device is replaced. It probably also makes sense to document the BIOS setting in this context (see point above)

Thinking out loud here, but I wonder if there would be any harm in putting a bootloader on all storage devices? If not, it would be pretty simple to put together a cookbook that iterated storage devices and invoked grub-install $dev for each.