Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

packaging: add a systemd unit to run every boot #716

Closed
wants to merge 1 commit into from

Conversation

jbtrystram
Copy link
Contributor

This enables bootloader updates automatically on boot. Note that the service is intentionally not enabled by default, it should be up to the distribution to add a systemd preset if auto-update for the bootloader is desired.

Right now RAID setups are not supported but see [1] for an example in coreos.

[1] coreos/fedora-coreos-config#3042

Copy link
Member

@travier travier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks!

@travier
Copy link
Member

travier commented Sep 3, 2024

I'll do some manual testing.

This enables bootloader updates automatically on boot.
Note that the service is intentionally not enabled by default,
it should be up to the distribution to add a systemd preset if
auto-update for the bootloader is desired.

Right now RAID setups are not supported but see [1] for an example
in coreos.

[1] coreos/fedora-coreos-config#3042
@jbtrystram
Copy link
Contributor Author

I built a RPM and tested in a fcos build.
After enabling the service and rebooting :

[core@cosa-devsh ~]$ systemctl status bootupctl-update.service 
● bootupctl-update.service - Update Bootloader on boot
     Loaded: loaded (/usr/lib/systemd/system/bootupctl-update.service; enabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (exited) since Tue 2024-09-03 15:15:56 UTC; 23s ago
       Docs: https://github.com/coreos/bootupd
    Process: 1099 ExecStart=/usr/bin/bootupctl update (code=exited, status=0/SUCCESS)
   Main PID: 1099 (code=exited, status=0/SUCCESS)
        CPU: 9ms

Sep 03 15:15:56 localhost systemd[1]: Starting bootupctl-update.service - Update Bootloader on boot...
Sep 03 15:15:56 localhost bootupctl[1099]: No update available for any component.
Sep 03 15:15:56 localhost systemd[1]: Finished bootupctl-update.service - Update Bootloader on boot.

[Unit]
Description=Update Bootloader on boot
Documentation=https://github.com/coreos/bootupd
ConditionPathExists=/dev/disk/by-label/EFI-SYSTEM
Copy link
Member

@travier travier Sep 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add as well:

ConditionPathExists=|/dev/disk/by-partlabel/EFI\x20System\x20Partition

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's already also ConditionFirmware=uefi

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That said we need to support BIOS too...so probably the best would be e.g.

RequiresMountsFor=/boot
ConditionPathExists=/boot/bootupd-state.json

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ConditionPathExists=/boot/bootupd-state.json
wouldn't that prevent it to run on atomic desktops as bootupd was not enabled until now ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but that's by design in bootupd today; there is bootupctl adopt-and-update but that's a distinct thing intended only for explicit invocation in tested scenarios, distinct from a "bootupd -> bootupd" update.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am OK with ConditionFirmware=uefi, can remove it until we add adopt-and-update for BIOS later.
One minor suggestion, should we add ConditionKernelCommandLine=ostree to skip this for live boots like coreos/rpm-ostree#4944 ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think the overall agreement was to close this PR and carry this in the distribution

[Unit]
Description=Update Bootloader on boot
Documentation=https://github.com/coreos/bootupd
ConditionPathExists=/dev/disk/by-label/EFI-SYSTEM
Copy link
Member

@travier travier Sep 3, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ConditionPathExists=/dev/disk/by-label/EFI-SYSTEM
ConditionPathExists=|/dev/disk/by-partlabel/EFI-SYSTEM

As that's what's used in https://github.com/coreos/bootupd/blob/main/src/efi.rs#L39

@travier
Copy link
Member

travier commented Sep 3, 2024

@travier
Copy link
Member

travier commented Sep 3, 2024

With those changes, that works for me on Silverblue

@cgwalters
Copy link
Member

I'm not opposed to this but the reason I didn't do this until now is basically I think what we really want is more like #108 which means the thing doing the OS updates drives bootupd itself by default.

@@ -41,6 +41,9 @@ install-grub-static:
install -m 644 -D -t ${DESTDIR}$(PREFIX)/lib/bootupd/grub2-static src/grub2/*.cfg
install -m 755 -d ${DESTDIR}$(PREFIX)/lib/bootupd/grub2-static/configs.d

install-systemd-unit:
install -m 644 -D -t "${DESTDIR}$(PREFIX)/lib/systemd/system/" contrib/packaging/bootupctl-update.service
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

An overall challenge here is that we'll have come full circle since #663 ...and then e.g. people maintaining SELinux policy are still going to come by and say "oh hey there's a systemd service, we need to write a policy for it...".

With this combined I would probably say that instead of this we should implement bootupd support into rpm-ostree and bootc.

(This also relates to #432 )

Copy link
Member

@cgwalters cgwalters left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Marking as requested-changes per #716 (comment) but not a hard blocker for me, if you or someone wants to do this in the interim I'm OK, but it does basically clash and I think longer term it'll be more understandable for users; we'd have to maintain this newly introduced service unit here ~forever.

@travier
Copy link
Member

travier commented Sep 3, 2024

I would really like to get this into Atomic Desktops for F41 as we desperately need it there. So I can carry it there in the mean time until we get a cleaner solution here.

Agree that #108 feels like an improvement but I don't think it should hold us from doing this one in the mean time?

@cgwalters
Copy link
Member

I would really like to get this into Atomic Desktops for F41 as we desperately need it there.

Isn't what is desperately needed more something like automatic blocking of OS updates when the bootloader state is too old? I think we could turn around an implementation of that in a few days.

@cgwalters
Copy link
Member

One thing this is also basically sweeping under the rug of an on-by-default systemd unit is the rationale stated in https://github.com/coreos/bootupd?tab=readme-ov-file#questions-and-answers from the very start of this project. Yes the problem stinks, and the rename_exchage work probably makes it better, but still...the semantics here are going to be that during the middle of OS bootup we do this (potentially) unsafe operation with zero warning about that unsafety.

@travier
Copy link
Member

travier commented Sep 4, 2024

An overall challenge here is that we'll have come full circle since #663 ...and then e.g. people maintaining SELinux policy are still going to come by and say "oh hey there's a systemd service, we need to write a policy for it...".

The initial issue was that bootupd looked-like a daemon program with a service unit. At this point, I don't know if we'll be able to go back to no policy module.

Isn't what is desperately needed more something like automatic blocking of OS updates when the bootloader state is too old? I think we could turn around an implementation of that in a few days.

If we did that, we would have to surface that somehow to the user in the interface. I find it very unlikely that we'll have something ready for Fedora 41 for all Atomic Desktops, even just GNOME & KDE.

fwupd already has a mechanism to hold updates if the system is not on AC or doesn't have enough battery so that could be a good place to look at as well as that is already integrated in Plasma Discover & GNOME Software.

We also don't have barrier releases either like Fedora CoreOS so we can't do one shot updates before major releases.

One thing this is also basically sweeping under the rug of an on-by-default systemd unit is the rationale stated in coreos/bootupd#questions-and-answers from the very start of this project. Yes the problem stinks, and the rename_exchage work probably makes it better, but still...the semantics here are going to be that during the middle of OS bootup we do this (potentially) unsafe operation with zero warning about that unsafety.

I think that the residual unsafety [1] [2] remaining after the work on #669 is more theoretical than practical.

So far, we have had a lot of issues due to the fact that we are not updating the bootloaders and those impacted a very significant chunk of our users. I don't expect this kind of widespread trouble from this safety gap. We are already far safer than what classic package mode systems do during updates.

With this combined I would probably say that instead of this we should implement bootupd support into rpm-ostree and bootc.

we'd have to maintain this newly introduced service unit here ~forever.

Why do you thing we would have to support it forever? I think it should be fine to migrate systems to a better way once we have it ready.

@cgwalters
Copy link
Member

fwupd already has a mechanism to hold updates if the system is not on AC or doesn't have enough battery so that could be a good place to look at as well as that is already integrated in Plasma Discover & GNOME Software.

I like this idea, it makes sense to me to encourage grouping of these two things, even if technically they are distinct.

@cgwalters
Copy link
Member

Anyways to your larger point...fair. I am OK to merge but let's at least get https://github.com/coreos/bootupd/pull/716/files#r1742591590 changed?

@@ -0,0 +1,13 @@
[Unit]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's name this unit bootloader-update.service as its what will be user visible and users ideally should not have to know about bootupd.

@@ -0,0 +1,13 @@
[Unit]
Description=Update Bootloader on boot
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Description=Update Bootloader on boot
Description=Update bootloader on boot

@travier
Copy link
Member

travier commented Sep 4, 2024

Anyways to your larger point...fair. I am OK to merge but let's at least get #716 (files) changed?

I think we should keep this check as broad as possible. We can not require ConditionPathExists=/boot/bootupd-state.json as we explicitly want to also adopt and update systems that are not yet using bootupd.
I'm installing a BIOS system again to check the partitions.

@jbtrystram
Copy link
Contributor Author

I think we should keep this check as broad as possible. We can not require ConditionPathExists=/boot/bootupd-state.json as we explicitly want to also adopt and update systems that are not yet using bootupd. I'm installing a BIOS system again to check the partitions.

So i guess we should add a script and do adopt-and-update when applicable ? (no bootupd-state.json)

@travier
Copy link
Member

travier commented Sep 4, 2024

I can't find a way to select BIOS systems in https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#ConditionFirmware=.

And an installed Silverblue system does not have a distinct partition to select on, so we can't match that.

@travier travier self-requested a review September 4, 2024 17:06
@travier
Copy link
Member

travier commented Sep 4, 2024

OK, it looks like this requires different trade-offs and conditions check depending on which system is installed right now so it might be better downstream. I've made: https://pagure.io/workstation-ostree-config/pull-request/571

@cgwalters
Copy link
Member

I'm OK with that too, though the tradeoff is it's just going to get copy-pasted again by IoT...

@jlebon
Copy link
Member

jlebon commented Sep 4, 2024

Isn't what is desperately needed more something like automatic blocking of OS updates when the bootloader state is too old? I think we could turn around an implementation of that in a few days.

If we did that, we would have to surface that somehow to the user in the interface.

Hmm, I think if we did that in rpm-ostree in a way that literally prevented Deploy() from working, that should surface, no? (As an rpm-ostree error?) Obviously not pretty, but wouldn't require any changes to g-s/KDE.

@jlebon
Copy link
Member

jlebon commented Sep 4, 2024

Basically, something like:

# rpm-ostreed.conf
[Daemon]
RequireUpdatedBootloader=true

When true (default is false), rpm-ostree does bootupctl status --json, checks for updatable if it's at-latest-version, and if not, error out with something like:

error: RequireUpdatedBootloader is enabled and bootloader is out of date. Please run bootupctl update

?

I guess the question is whether that error message would percolate up into the UIs in full so the user understands what they need to do.

@jlebon
Copy link
Member

jlebon commented Sep 5, 2024

Hmm, I think if we did that in rpm-ostree in a way that literally prevented Deploy() from working, that should surface, no? (As an rpm-ostree error?)

Chatting with @travier, it doesn't seem to be the case. See e.g. https://gitlab.gnome.org/GNOME/gnome-software/-/issues/2000.

Obviously, there's nothing that prevents us from adding it now, and then improving it during the f41 cycle.

@travier
Copy link
Member

travier commented Sep 5, 2024

Looks like we never implemented adoption for BIOS systems so we will have to make this EFI only 😞

@jbtrystram
Copy link
Contributor Author

I feel the general agreement here is that this would be better carried in the distribution side. I'll close this

@jbtrystram jbtrystram closed this Sep 11, 2024
@HuijingHei
Copy link
Member

One thing I am concern is if booting with BIOS, is it necessary to also update UEFI (on x86_64)? Can we update the current boot firmware, like install, eg 5ee0483

But first thing, will add adoption for BIOS.

karuboniru pushed a commit to karuboniru/karuboniru-server that referenced this pull request Oct 30, 2024
travier pushed a commit to travier/bootupd that referenced this pull request Dec 18, 2024
Add a systemd service unit to trigger an adoption and update on every
boot.

Note that the service is intentionally not enabled by default as it
should be up to the distribution to add a systemd preset if auto-update
for the bootloader is desired.

This unit does not come with any specific restrictions (i.e. EFI or BIOS
only). For an assesment of the safety of updates as performed by
bootupd, see coreos#454.

Distributiuons should also apply the restrictions (i.e. EFI or BIOS only
for example) as needed as unit files overrides.

Notably, Fedora CoreOS can not yet enable automatic updates until we get
support for the multiple EFI partitions for RAID setups.

See: coreos/fedora-coreos-tracker#1468
See: coreos/fedora-coreos-config#3042

Initial version from: coreos#716
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2332868
travier pushed a commit to travier/bootupd that referenced this pull request Dec 18, 2024
Add a systemd service unit to trigger an adoption and update on every
boot.

Note that the service is intentionally not enabled by default as it
should be up to the distribution to add a systemd preset if auto-update
for the bootloader is desired.

This unit does not come with any specific restrictions (i.e. EFI or BIOS
only). For an assesment of the safety of updates as performed by
bootupd, see coreos#454.

Distributiuons should also apply the restrictions (i.e. EFI or BIOS only
for example) as needed as unit files overrides.

Notably, Fedora CoreOS can not yet enable automatic updates until we get
support for the multiple EFI partitions for RAID setups.

See: coreos/fedora-coreos-tracker#1468
See: coreos/fedora-coreos-config#3042

Initial version from: coreos#716
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2332868
travier pushed a commit to travier/bootupd that referenced this pull request Dec 18, 2024
Add a systemd service unit to trigger an adoption and update on every
boot.

Note that the service is intentionally not enabled by default as it
should be up to the distribution to add a systemd preset if auto-update
for the bootloader is desired.

This unit does not come with any specific restrictions (i.e. EFI or BIOS
only). For an assesment of the safety of updates as performed by
bootupd, see coreos#454.

Distributiuons should also apply the restrictions (i.e. EFI or BIOS only
for example) as needed as unit files overrides.

Notably, Fedora CoreOS can not yet enable automatic updates until we get
support for the multiple EFI partitions for RAID setups.

See: coreos/fedora-coreos-tracker#1468
See: coreos/fedora-coreos-config#3042

Initial version from: coreos#716
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2332868
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants