metropolis: implement A/B updates
This implements an A/B update mechanism using two slots, A and B.
This is realized with two system partitions as well as two EFI
loaders/kernels.
The A/B system relies on two EFI loader entries. This has the advantage
that there is no preloader required, which makes the system more
reliable as well as avoiding the complexity of having an un-updatable
preloader (CoreOS has this issue where their GRUB2 crashed booting newer
kernels, sadly the issue seems lost with the migration to Fedora
CoreOS). It also means that the operator can easily override the slot
being booted via the boot loader entries. Primary disadvantage is that
it relies on EFI working somewhat to spec.
New versions are booted into only once by setting NextBoot, if the
bootup doesn't succeed, i.e. if the boot doesn't get to a cluster rejoin
the next boot will be the old slot. Once it gets to this stage the
permanent BootOrder is changed.
The EFI loaders don't know if they are slot A or B because they are
identical and relying on OptionalData in the boot entry to indicate the
slot means that if the EFI boot entries go away, recovering is very hard.
Thus the loaders look at their own file name to determine what slot they
are in. If no slot could be determined, they default to booting slot A.
It is planned to eventually use Authenticode Stamping (passing data in
fake certificates) to stamp the slot into the loader without affecting
the TPM hash logged.
Change-Id: I40de2df8ff7ff660c17d2c97f3d9eb1bd4ddf5bc
Reviewed-on: https://review.monogon.dev/c/monogon/+/1874
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/core/localstorage/crypt/blockdev.go b/metropolis/node/core/localstorage/crypt/blockdev.go
index 0dadb6d..532033e 100644
--- a/metropolis/node/core/localstorage/crypt/blockdev.go
+++ b/metropolis/node/core/localstorage/crypt/blockdev.go
@@ -27,6 +27,7 @@
"github.com/google/uuid"
"golang.org/x/sys/unix"
+ "source.monogon.dev/metropolis/node/core/update"
"source.monogon.dev/metropolis/pkg/blockdev"
"source.monogon.dev/metropolis/pkg/efivarfs"
"source.monogon.dev/metropolis/pkg/gpt"
@@ -38,9 +39,16 @@
// data partition.
var NodeDataPartitionType = uuid.MustParse("9eeec464-6885-414a-b278-4305c51f7966")
+var (
+ SystemAType = uuid.MustParse("ee96054b-f6d0-4267-aaaa-724b2afea74c")
+ SystemBType = uuid.MustParse("ee96054b-f6d0-4267-bbbb-724b2afea74c")
+)
+
const (
- ESPDevicePath = "/dev/esp"
- NodeDataRawPath = "/dev/data-raw"
+ ESPDevicePath = "/dev/esp"
+ NodeDataRawPath = "/dev/data-raw"
+ SystemADevicePath = "/dev/system-a"
+ SystemBDevicePath = "/dev/system-b"
)
// nodePathForPartitionType returns the device node path
@@ -51,6 +59,10 @@
return ESPDevicePath
case NodeDataPartitionType:
return NodeDataRawPath
+ case SystemAType:
+ return SystemADevicePath
+ case SystemBType:
+ return SystemBDevicePath
}
return ""
}
@@ -58,7 +70,7 @@
// MakeBlockDevices looks for the ESP and the node data partition and maps them
// to ESPDevicePath and NodeDataCryptPath respectively. This doesn't fail if it
// doesn't find the partitions, only if something goes catastrophically wrong.
-func MakeBlockDevices(ctx context.Context) error {
+func MakeBlockDevices(ctx context.Context, updateSvc *update.Service) error {
espUUID, err := efivarfs.ReadLoaderDevicePartUUID()
if err != nil {
supervisor.Logger(ctx).Warningf("No EFI variable for the loader device partition UUID present")
@@ -70,7 +82,7 @@
}
for _, blockDev := range blockDevs {
- if err := handleBlockDevice(blockDev.Name(), blockDevs, espUUID); err != nil {
+ if err := handleBlockDevice(blockDev.Name(), blockDevs, espUUID, updateSvc); err != nil {
supervisor.Logger(ctx).Errorf("Failed to create block device %s: %w", blockDev.Name(), err)
}
}
@@ -80,7 +92,7 @@
// handleBlockDevice reads the uevent data and continues to iterate over all
// partitions to create all required device nodes.
-func handleBlockDevice(diskBlockDev string, blockDevs []os.DirEntry, espUUID uuid.UUID) error {
+func handleBlockDevice(diskBlockDev string, blockDevs []os.DirEntry, espUUID uuid.UUID, updateSvc *update.Service) error {
data, err := readUEvent(diskBlockDev)
if err != nil {
return err
@@ -120,7 +132,7 @@
seenTypes := make(map[uuid.UUID]bool)
for _, dev := range blockDevs {
- if err := handlePartition(diskBlockDev, dev.Name(), table, seenTypes); err != nil {
+ if err := handlePartition(diskBlockDev, dev.Name(), table, seenTypes, updateSvc); err != nil {
return fmt.Errorf("when creating partition %s: %w", dev.Name(), err)
}
}
@@ -128,7 +140,7 @@
return nil
}
-func handlePartition(diskBlockDev string, partBlockDev string, table *gpt.Table, seenTypes map[uuid.UUID]bool) error {
+func handlePartition(diskBlockDev string, partBlockDev string, table *gpt.Table, seenTypes map[uuid.UUID]bool, updateSvc *update.Service) error {
// Skip all blockdev that dont share the same name/prefix,
// also skip the blockdev itself.
if !strings.HasPrefix(partBlockDev, diskBlockDev) || partBlockDev == diskBlockDev {
@@ -152,6 +164,8 @@
part := table.Partitions[pi.partNumber-1]
+ updateSvc.ProvideESP("/esp", part.ID, uint32(pi.partNumber))
+
nodePath := nodePathForPartitionType(part.Type)
if nodePath == "" {
// Ignore partitions with an unknown type.