-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update the ESP by creating a tmpdir and RENAME_EXCHANGE #454
Comments
|
The cost here is write amplification; because FAT doesn't have reflinks, every update to the ESP would require rewriting every file, and a transient doubling of disk space. |
It looks like
It calls |
So the logic would be:
|
Fixes coreos#454 See Timothée's comment coreos#454 (comment)
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` If we have a file not in a directory in `EFI`, then we can copy it to `foo.tmp` and then act on it and finally rename it. No need to copy the entire `EFI`. Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` If we have a file not in a directory in `EFI`, then we can copy it to `foo.tmp` and then act on it and finally rename it. No need to copy the entire `EFI`. Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` If we have a file not in a directory in `EFI`, then we can copy it to `foo.tmp` and then act on it and finally rename it. No need to copy the entire `EFI`. Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` If we have a file not in a directory in `EFI`, then we can copy it to `foo.tmp` and then act on it and finally rename it. No need to copy the entire `EFI`. Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` If we have a file not in a directory in `EFI`, then we can copy it to `foo.tmp` and then act on it and finally rename it. No need to copy the entire `EFI`. Fixes coreos#454
See Timothée's comment coreos#454 (comment) logic is like this: - `cp -a fedora fedora.tmp` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `fedora.tmp` with the new binaries - Exchange `fedora.tmp` -> `fedora` - Remove now "old" `fedora.tmp` If we have a file not in a directory in `EFI`, then we can copy it to `foo.tmp` and then act on it and finally rename it. No need to copy the entire `EFI`. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
See Timothée's comment coreos#454 (comment) Reuse `TMP_PREFIX`, logic is like this: - `cp -a fedora .btmp.fedora` - We start with a copy to make sure to keep all other files that we do not explicitly track in bootupd - Update the content of `.btmp.fedora` with the new binaries - Exchange `.btmp.fedora` -> `fedora` - Remove now "old" `.btmp.fedora` If we have a file not in a directory in `EFI`, then we can copy it to `.btmp.foo` and then act on it and finally rename it. No need to copy the entire `EFI`. And use `insert()` instead of `push()` to match `starts_with()` when scanning temp files & dirs. Fixes coreos#454
One thing I wanted to note here that's pretty important is: #669 (comment) Basically the PR we landed made this "safer" but still not transactional. |
Could you help to create a new issue for this and it would be better to add more instructions / pointers ? |
It's indeed an issue if a shim update, which is applied first ( For example if a signing key is removed from shim and thus the GRUB bootloader has to be signed by a newer key. What happend in Fedora was that GRUB was signed by both the old and new key for a while, so a failing update would not have caused breakage. Only systems that would move directly from an release without the new key to a release with only the new key would be impacted. Has such events are rare (signing key rotation in shim), I think it's reasonable to expect that they are covered by other means (barrier updates in Fedora CoreOS for example). |
That's just it though, the barriers are I think as you know a perfect example of something that only applies to FCOS and just heavily conflicts with containers as Source of Truth. But yes. Hmmm....maybe bootupd could learn to distinguish these cases. I guess the action item here is to update the README.md to more precisely describe the safety. |
Coming back to this, I don't think my previous assessment was correct. What I had not realized is that we have shim & grub in the same folder in the ESP, so given that we now update using an atomic folder switch, they will always be updated together at the same time atomically:
The boot entries in the EFI firmware always point to the one in the
Thus if an update fails midway, the content of the I now think that the only case where such an update could result to a failing system is if
Then this gets into how If it then directly EFI chainboot(?) to the GRUB in the Overall, I think at this point this is very unlikely to ever happen and we should focus on #440 which would help the case where the new shim binary fails to boot. |
Not sure my understanding is correct, if update fails midway, for example |
Yes, as we only update the bootloader on boot right now, if an update both introduces a new signing key for the kernel in shim and removes the old key then the system would fail to boot the new deployment as it would not have the new key yet. But the previous deployment should still be bootable so overall the system is not completely broken. To account for that case, we should try to update the bootloader from the pending deployment during an update or at finalization time. This is tracked in #108 and relates to #440. But note that fully switching the signing key in one update means that it would break booting the previous (current) deployment as well, so there should be a period of overlap where both keys are available in shim. |
Since Linux v6.0 the vfat filesystem has support for
renameat2(..., RENAME_EXCHANGE)
:https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da87e1725ae2
So
bootupd
could instead of applying the diff files one by one to the destination dir, it could create a temporary dir that is a copy of the existing ESP, apply the diff to that temp dir and finally do an atomic rename exchange of the two directories.That way, the update mechanism will be safer since it would only require a single
renameat2()
system call.The text was updated successfully, but these errors were encountered: