From: Demi Marie Obenour
Subject: [PATCH v6 0/8] System updates based on systemd-sysupdate
Date: Sat, 29 Nov 2025 04:49:57 -0500
Message-Id: <20251129-updates-v6-0-9edb87a2e509@gmail.com>
In-Reply-To: <20251126-updates-v5-0-fd746748febd@gmail.com>
References: <20251126-updates-v5-0-fd746748febd@gmail.com>
To: Spectrum OS Development
CC: Demi Marie Obenour, Alyssa Ross
List-Id: Patches and low-level development discussion

This implements updates via systemd-sysupdate. See individual commit
messages for details.

Signed-off-by: Demi Marie Obenour
---
Changes in v6:
- Remove build system changes that are not needed by the updater.
- Rely on Alyssa's patches for partition size control.
- Minor changes to individual patches.
- Drop link to patchset that has already been applied.
- Link to v5: https://spectrum-os.org/lists/archives/spectrum-devel/20251126-updates-v5-0-fd746748febd@gmail.com

Changes in v5:
- Fix broken shell.nix files in intermediate patches.
- See individual patch messages for more details.
- Link to v4: https://spectrum-os.org/lists/archives/spectrum-devel/20251121-updates-v4-0-d4561c42776e@gmail.com

Changes in v4:
- Fix build errors in intermediate patches.
- Apply suggestions from code review.
- Link to v3: https://spectrum-os.org/lists/archives/spectrum-devel/20251119-updates-v3-0-b88a99915509@gmail.com

Changes in v3:
- See individual commits for details. There are too many to mention here.
- Link to v2: https://spectrum-os.org/lists/archives/spectrum-devel/20251112-updates-v2-0-88d96bf81b79@gmail.com

Changes in v2:
- updates-dir-check:
  - Do not check that there is a SHA256SUMS or SHA256SUMS.gpg file in
    the update directory. systemd-sysupdate will fail if it cannot find
    a manifest or its signature.
  - Follow symlinks in opening the directory. The path is from a
    trusted source and will always point to a BTRFS snapshot, never a
    symlink. The only exception is the last component, which is still
    checked to not be a symlink.
- VM:
  - Link SHA256SUMS.sha256.asc to SHA256SUMS.gpg. Recent
    systemd-sysupdate seems to use the former name.
  - Get update URL from host.
  - Use an execline script instead of a shell script.
- Update script:
  - Unmount shared directory if already mounted. This avoids errors
    when mounting it again.
  - Delete old snapshot if present.
  - Provide the VM information with a different directory layout.
  - Do not bind-mount the information passed into the VM into the
    shared VM folder. Instead rely on this folder being read-only to
    the guest. This is enforced by a read-only bind mount in virtiofs's
    mount namespace.
- Testing:
  - Lots of manual update testing.
  - Disable the test for the live image as it doesn't work anymore.
- Nix:
  - Move validation to a separate low-priority patch.
- Documentation:
  - Document that updating the system is now possible.
- Installer:
  - Remove the "Try Spectrum" button.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251029-updates-v1-0-401c1be2a11b@gmail.com

---
Demi Marie Obenour (8):
      tools: Add directory checker for updates
      release: Compress installation images and remove live image
      Use OS version to set partition labels and UKI name
      Add B partitions to installation images
      release: Create directory with system update
      Support updates via systemd-sysupdate
      Documentation: Update support
      Validate configuration parameters

 Documentation/development/build-configuration.adoc |  15 +++
 Documentation/development/index.adoc               |   2 +
 Documentation/development/updates.adoc             |  42 +++++++
 Documentation/development/uuid-reference.adoc      |   8 ++
 Documentation/installation/getting-spectrum.adoc   |  44 ++++---
 Documentation/installation/index.adoc              |   6 +-
 host/initramfs/Makefile                            |  12 +-
 host/initramfs/etc/probe                           |  20 ---
 host/initramfs/shell.nix                           |   2 +
 host/rootfs/Makefile                               |  21 +++-
 host/rootfs/default.nix                            |  21 +++-
 host/rootfs/file-list.mk                           |   7 ++
 host/rootfs/image/etc/fstab                        |   1 +
 .../image/etc/sysupdate.d/50-verity.transfer       |  20 +++
 host/rootfs/image/etc/sysupdate.d/60-root.transfer |  20 +++
 .../image/etc/sysupdate.d/70-kernel.transfer       |  20 +++
 .../image/etc/vm-sysupdate.d/50-verity.transfer    |  18 +++
 .../image/etc/vm-sysupdate.d/60-root.transfer      |  18 +++
 .../image/etc/vm-sysupdate.d/70-kernel.transfer    |  18 +++
 host/rootfs/image/usr/bin/spectrum-update          |  87 +++++++++++++
 host/rootfs/os-release.in                          |  15 +++
 host/rootfs/shell.nix                              |   2 +
 lib/config.default.nix                             |   3 +
 lib/config.nix                                     |  27 ++++-
 lib/fake-update-signing-key.gpg                    |   3 +
 release.nix                                        |   2 +
 release/checks/integration/meson.build             |   2 +-
 release/checks/integration/try.c                   |  29 -----
 release/combined/eosimages.nix                     |   8 +-
 release/combined/grub.cfg.in                       |   5 -
 release/installer/run-vm.nix                       |   2 +-
 release/live/Makefile                              |   8 +-
 release/live/default.nix                           |   3 +
 release/live/shell.nix                             |   4 +-
 release/update.nix                                 |  33 +++++
 tools/default.nix                                  |   1 +
 tools/meson.build                                  |   4 +
 tools/updates-dir-check.c                          | 134 +++++++++++++++++++++
 vm/app/systemd-sysupdate/default.nix               |  26 ++++
 vm/app/systemd-sysupdate/download-update           |  68 +++++++++++
 40 files changed, 681 insertions(+), 100 deletions(-)
---
base-commit: d76e9b29aea9f31238d07e21db50d3fe6a80da5a
change-id: 20250928-updates-92e99849e231
prerequisite-patch-id: 930207e73dcd127b5288db63b7e6e1a9cded1d1a
prerequisite-patch-id: 85ec04609f9a90ee9ad21d743655386fe39cfd5e

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
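
The v2 changelog above says updates-dir-check follows symlinks in the leading path components but still refuses a symlink as the last component. One way to get that behaviour from open(2), as an added example that is not part of the original message and not taken from tools/updates-dir-check.c; `open_update_dir`, `opens`, `demo` and the temp-directory layout are hypothetical names constructed for the illustration:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open an update directory.  Symlinks in leading
 * components are followed (the parent path is assumed to be trusted).
 * O_NOFOLLOW makes open() fail if the last component is a symlink, and
 * O_DIRECTORY makes it fail if it is not a directory.
 * Returns a file descriptor, or -errno on failure. */
int open_update_dir(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    return fd < 0 ? -errno : fd;
}

/* Returns 1 if the path was accepted, 0 if it was refused. */
static int opens(const char *path)
{
    int fd = open_update_dir(path);
    if (fd >= 0) close(fd);
    return fd >= 0;
}

/* Builds a constructed tree in a fresh temp dir and returns a bitmask:
 * 1 = real directory accepted, 2 = directory behind a symlinked parent
 * accepted, 4 = symlink as last component refused.  -1 on setup error. */
int demo(void)
{
    char base[] = "/tmp/updchk-XXXXXX", snap[64], parent[64], via[64], latest[64];

    if (!mkdtemp(base)) return -1;
    snprintf(snap, sizeof snap, "%s/snap", base);         /* real directory */
    snprintf(parent, sizeof parent, "%s/parent", base);   /* symlink -> base */
    snprintf(via, sizeof via, "%s/parent/snap", base);    /* via the symlink */
    snprintf(latest, sizeof latest, "%s/latest", base);   /* symlink -> snap */
    if (mkdir(snap, 0700) || symlink(base, parent) || symlink("snap", latest))
        return -1;
    int mask = opens(snap) | (opens(via) << 1) | (!opens(latest) << 2);
    unlink(latest); unlink(parent); rmdir(snap); rmdir(base);
    return mask;
}

int main(void)
{
    int mask = demo();
    printf("mask = %d\n", mask);
    return mask == 7 ? 0 : 1;
}
```

Holding on to the returned descriptor and doing later lookups relative to it (openat, fstat) keeps the check and the use on the same directory object.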