From: Demi Marie Obenour
Subject: [PATCH v2 0/8] System updates based on systemd-sysupdate
Date: Wed, 12 Nov 2025 17:14:54 -0500
Message-Id: <20251112-updates-v2-0-88d96bf81b79@gmail.com>
In-Reply-To: <20251029-updates-v1-0-401c1be2a11b@gmail.com>
References: <20251029-updates-v1-0-401c1be2a11b@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

This implements updates via systemd-sysupdate. See individual commit
messages for details. There are major changes to the image build
process.

Signed-off-by: Demi Marie Obenour
---
Changes in v2:
- updates-dir-check:
  - Do not check that there is a SHA256SUMS or SHA256SUMS.gpg file in
    the update directory. systemd-sysupdate will fail if it cannot find
    a manifest or its signature.
  - Follow symlinks in opening the directory. The path is from a
    trusted source and will always point to a BTRFS snapshot, never a
    symlink. The only exception is the last component, which is still
    checked to not be a symlink.
- VM:
  - Link SHA256SUMS.sha256.asc to SHA256SUMS.gpg. Recent
    systemd-sysupdate seems to use the former name.
  - Get update URL from host.
  - Use an execline script instead of a shell script.
- Update script:
  - Unmount shared directory if already mounted. This avoids errors
    when mounting it again.
  - Delete old snapshot if present.
  - Provide the VM information with a different directory layout.
  - Do not bind-mount the information passed into the VM into the
    shared VM folder. Instead rely on this folder being read-only to
    the guest. This is enforced by a read-only bind mount in virtiofs's
    mount namespace.
- Testing:
  - Lots of manual update testing.
  - Disable the test for the live image as it doesn't work anymore.
- Nix:
  - Move validation to a separate low-priority patch.
- Documentation:
  - Document that updating the system is now possible.
- Installer:
  - Remove the "Try Spectrum" button.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251029-updates-v1-0-401c1be2a11b@gmail.com

---
Demi Marie Obenour (8):
      host/rootfs: Install all programs from util-linuxMinimal
      host/rootfs: Install systemd-pull
      tools: Add directory checker for updates
      Adjust partition layout to support updates
      release: Create directory with system update
      Support updates via systemd-sysupdate
      Documentation: Update support
      lib/config.nix: Validate configuration parameters

 Documentation/development/build-configuration.adoc |  11 ++
 Documentation/installation/index.adoc              |   3 +-
 Documentation/using-spectrum/index.adoc            |   2 +
 Documentation/using-spectrum/updates.adoc          |  29 +++++
 host/efi.nix                                       |   5 +-
 host/initramfs/Makefile                            |  12 +-
 host/initramfs/default.nix                         |   1 +
 host/initramfs/etc/init                            |  17 +--
 host/initramfs/etc/probe                           |  20 +--
 host/initramfs/shell.nix                           |   2 +
 host/rootfs/Makefile                               |  23 ++--
 host/rootfs/busybox-config                         | 134 +++++++++++++++++++++
 host/rootfs/busybox-config.license                 |   4 +
 host/rootfs/default.nix                            |  82 ++++++++-----
 host/rootfs/file-list.mk                           |   4 +
 host/rootfs/image/etc/fstab                        |   1 +
 .../image/etc/sysupdate.d/50-verity.transfer       |  20 +++
 host/rootfs/image/etc/sysupdate.d/60-root.transfer |  20 +++
 .../image/etc/sysupdate.d/70-kernel.transfer       |  20 +++
 host/rootfs/image/usr/bin/update                   |  89 ++++++++++++++
 host/rootfs/os-release.in                          |  13 ++
 host/rootfs/os-release.in.license                  |   2 +
 host/rootfs/shell.nix                              |   2 +
 host/rootfs/updatevm-url-env                       |   3 +
 host/rootfs/vm-sysupdate.d/50-verity.transfer      |  18 +++
 host/rootfs/vm-sysupdate.d/60-root.transfer        |  18 +++
 host/rootfs/vm-sysupdate.d/70-kernel.transfer      |  18 +++
 img/app/Makefile                                   |   2 +-
 img/app/default.nix                                |   1 +
 lib/config.default.nix                             |   3 +
 lib/config.nix                                     |  41 ++++++-
 lib/fake-update-signing-key.gpg                    |   1 +
 lib/fake-update-signing-key.gpg.license            |   2 +
 lib/kcmdline-utils.mk                              |   5 +
 release.nix                                        |   2 +
 release/checks/integration/try.c                   |   4 +
 release/checks/no-roothash.nix                     |   2 +-
 release/combined/eosimages.nix                     |  14 ++-
 release/combined/grub.cfg.in                       |   5 -
 release/live/Makefile                              |   9 +-
 release/live/default.nix                           |   8 +-
 release/live/shell.nix                             |   4 +-
 release/update.nix                                 |  30 +++++
 scripts/format-uuid.awk                            |  35 ++++++
 scripts/make-gpt.bash                              |  72 +++++++++++
 scripts/make-gpt.sh                                |  67 +----------
 scripts/make-live-image.sh                         |  43 +++++++
 scripts/sfdisk-field.awk                           |   3 +-
 tools/default.nix                                  |   1 +
 tools/meson.build                                  |   4 +
 tools/updates-dir-check.c                          |  78 ++++++++++++
 vm/app/updates.nix                                 |  37 ++++++
 vm/sys/net/Makefile                                |   2 +-
 vm/sys/net/default.nix                             |   1 +
 54 files changed, 895 insertions(+), 154 deletions(-)
---
base-commit: 001037d8841613f2858e79daee83a930799d2f6c
change-id: 20250928-updates-92e99849e231
prerequisite-patch-id: a756e9643d106f5ce5ab1bb713875f9551ba6e2a
prerequisite-patch-id: 33a6c22a2130e94e6d09bafcab75b8263f66ee75

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)