Conditional sysupgrade


Conditional sysupgrade

Marco Bonetti
Hello folks,

First of all congratulations on a new OpenBSD release and thanks for
introducing sysupgrade in -current.

Before sysupgrade, I was using a custom script for achieving the same
result with the only difference that I was checking if a new snapshot (or
release) is available by looking at BUILDINFO before starting the
upgrade process.

Patch below introduces the same behaviour using SHA256.sig as control
file. If you believe there is a valid use case for reinstalling already
applied sets to the running system please let me know and I can add a
-f force option.

Cheers,
Marco

Index: usr.sbin/sysupgrade/sysupgrade.8
===================================================================
RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
retrieving revision 1.2
diff -u -p -u -r1.2 sysupgrade.8
--- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
+++ usr.sbin/sysupgrade/sysupgrade.8 27 Apr 2019 11:54:40 -0000
@@ -28,7 +28,7 @@
 .Nm
 is a utility to upgrade
 .Ox
-to the next release or a new snapshot.
+to the next release or a new snapshot if available.
 .Pp
 .Nm
 downloads the necessary files to
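
Review bot: "if available" in the changed sentence does not tell the reader how availability is decided or what happens when nothing new is found. Suggest a separate sentence saying that the downloaded SHA256.sig is compared with the copy kept from the previous run and that sysupgrade exits without making changes when the two match.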

Index: usr.sbin/sysupgrade/sysupgrade.sh
===================================================================
RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
retrieving revision 1.6
diff -u -p -u -r1.6 sysupgrade.sh
--- usr.sbin/sysupgrade/sysupgrade.sh 26 Apr 2019 21:52:39 -0000 1.6
+++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
@@ -110,7 +110,19 @@ fi
 
 cd ${SETSDIR}
 
-unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
+unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
+TMP_SHA=$(sha256 -q SHA256.sig.tmp)
+
+unpriv touch SHA256.sig
+CUR_SHA=$(sha256 -q SHA256.sig)
+
+if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then
+ rm SHA256.sig.tmp
+ return 0
+fi
+
+unpriv cat SHA256.sig.tmp >SHA256.sig
+rm SHA256.sig.tmp
 
 _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
 _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
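
Review bot: SHA256.sig is overwritten with the fresh download (`unpriv cat SHA256.sig.tmp >SHA256.sig`) as soon as the two files differ, before the key handling in the trailing context has run, so a run that fails after this point leaves a marker that sends the next invocation into `return 0` and the upgrade is skipped. Suggest keeping the comparison copy separate and updating it only once the upgrade has been applied. On the same line the `>SHA256.sig` redirection is opened by the calling shell, not by the command run through unpriv, and `unpriv touch SHA256.sig` drops the `-f SHA256.sig` argument that the removed ftp line passed.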


Re: Conditional sysupgrade

Andreas Kusalananda Kähäri-4
On Sat, Apr 27, 2019 at 01:23:20PM +0100, Marco Bonetti wrote:

> Hello folks,
>
> First of all congratulations on a new OpenBSD release and thanks for
> introducing sysupgrade in -current.
>
> Before sysupgrade, I was using a custom script for achieving the same
> result with only difference that I was checking if a new snapshot (or
> release) is available by looking at BUILDINFO before starting the
> upgrade process.
>
> Patch below introduce the same behaviour using SHA256.sig as control
> file. If you believe there is a valid use case for reinstalling already
> applied sets to the running system please let me know and I can add a
> -f force option.
>
> Cheers,
> Marco

I was going to suggest something similar.

See comment below.

>
> Index: usr.sbin/sysupgrade/sysupgrade.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
> retrieving revision 1.2
> diff -u -p -u -r1.2 sysupgrade.8
> --- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
> +++ usr.sbin/sysupgrade/sysupgrade.8 27 Apr 2019 11:54:40 -0000
> @@ -28,7 +28,7 @@
>  .Nm
>  is a utility to upgrade
>  .Ox
> -to the next release or a new snapshot.
> +to the next release or a new snapshot if available.
>  .Pp
>  .Nm
>  downloads the necessary files to
>
> Index: usr.sbin/sysupgrade/sysupgrade.sh
> ===================================================================
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> retrieving revision 1.6
> diff -u -p -u -r1.6 sysupgrade.sh
> --- usr.sbin/sysupgrade/sysupgrade.sh 26 Apr 2019 21:52:39 -0000 1.6
> +++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
> @@ -110,7 +110,19 @@ fi
>  
>  cd ${SETSDIR}
>  
> -unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
> +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> +
> +unpriv touch SHA256.sig
> +CUR_SHA=$(sha256 -q SHA256.sig)
> +
> +if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then

Why compare checksums?

    if cmp -s SHA256.sig SHA256.sig.tmp; then

> + rm SHA256.sig.tmp
> + return 0
> +fi
> +
> +unpriv cat SHA256.sig.tmp >SHA256.sig
> +rm SHA256.sig.tmp
>  
>  _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
>  _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub

--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.


Re: Conditional sysupgrade

Florian Obser-2
In reply to this post by Marco Bonetti
On Sat, Apr 27, 2019 at 01:23:20PM +0100, Marco Bonetti wrote:

> Hello folks,
>
> First of all congratulations on a new OpenBSD release and thanks for
> introducing sysupgrade in -current.
>
> Before sysupgrade, I was using a custom script for achieving the same
> result with only difference that I was checking if a new snapshot (or
> release) is available by looking at BUILDINFO before starting the
> upgrade process.
>
> Patch below introduce the same behaviour using SHA256.sig as control
> file. If you believe there is a valid use case for reinstalling already
> applied sets to the running system please let me know and I can add a
> -f force option.

I see a need for the feature and also for the -f flag. One idea was if
you messed up your shared libs you just type sysupgrade to
unbreak things. (Doesn't quite work since not all the tools are
statically linked).

I'm not happy with comparing the sha256 file, could you please use
what(1) to compare the downloaded kernel with the running kernel?

$ sysctl -n kern.version | head -1
OpenBSD 6.5-current (GENERIC.MP) #32: Fri Apr 26 10:37:48 MDT 2019
$ what /home/_sysupgrade/bsd.mp | tail -1
        OpenBSD 6.5-current (GENERIC.MP) #32: Fri Apr 26 10:37:48 MDT 2019

You need to check if you are running MP or SP though.

I have also suggested this to Mischa, added to Cc.

>
> Cheers,
> Marco
>
> Index: usr.sbin/sysupgrade/sysupgrade.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
> retrieving revision 1.2
> diff -u -p -u -r1.2 sysupgrade.8
> --- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
> +++ usr.sbin/sysupgrade/sysupgrade.8 27 Apr 2019 11:54:40 -0000
> @@ -28,7 +28,7 @@
>  .Nm
>  is a utility to upgrade
>  .Ox
> -to the next release or a new snapshot.
> +to the next release or a new snapshot if available.
>  .Pp
>  .Nm
>  downloads the necessary files to
>
> Index: usr.sbin/sysupgrade/sysupgrade.sh
> ===================================================================
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> retrieving revision 1.6
> diff -u -p -u -r1.6 sysupgrade.sh
> --- usr.sbin/sysupgrade/sysupgrade.sh 26 Apr 2019 21:52:39 -0000 1.6
> +++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
> @@ -110,7 +110,19 @@ fi
>  
>  cd ${SETSDIR}
>  
> -unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
> +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> +
> +unpriv touch SHA256.sig
> +CUR_SHA=$(sha256 -q SHA256.sig)
> +
> +if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then
> + rm SHA256.sig.tmp
> + return 0
> +fi
> +
> +unpriv cat SHA256.sig.tmp >SHA256.sig
> +rm SHA256.sig.tmp
>  
>  _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
>  _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
>

--
I'm not entirely sure you are real.


Re: Conditional sysupgrade

Christian Weisgerber
In reply to this post by Marco Bonetti
On 2019-04-27, Marco Bonetti <[hidden email]> wrote:

> +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> +
> +unpriv touch SHA256.sig

This fails if SHA256.sig doesn't exist yet.  The unprivileged user
cannot create files in $SETSDIR.

> +unpriv cat SHA256.sig.tmp >SHA256.sig

Do you understand that the I/O redirection is performed before
calling unpriv?

--
Christian "naddy" Weisgerber                          [hidden email]


Re: Conditional sysupgrade

Mischa-2
In reply to this post by Florian Obser-2
On 27 Apr at 17:52, Florian Obser <[hidden email]> wrote:

> On Sat, Apr 27, 2019 at 01:23:20PM +0100, Marco Bonetti wrote:
> > Hello folks,
> >
> > First of all congratulations on a new OpenBSD release and thanks for
> > introducing sysupgrade in -current.
> >
> > Before sysupgrade, I was using a custom script for achieving the same
> > result with only difference that I was checking if a new snapshot (or
> > release) is available by looking at BUILDINFO before starting the
> > upgrade process.
> >
> > Patch below introduce the same behaviour using SHA256.sig as control
> > file. If you believe there is a valid use case for reinstalling already
> > applied sets to the running system please let me know and I can add a
> > -f force option.
>
> I see a need for the feature and also for the -f flag. One idea was if
> you messed up your shared libs you just type sysupgrade to
> unbreak things. (Doesn't quite work since not all the tools are
> statically linked).
>
> I'm not happy with comparing the sha256 file, could you please use
> what(1) to compare the downloaded kernel with the running kernel?
>
> $ sysctl -n kern.version | head -1
> OpenBSD 6.5-current (GENERIC.MP) #32: Fri Apr 26 10:37:48 MDT 2019
> $ what /home/_sysupgrade/bsd.mp | tail -1
> OpenBSD 6.5-current (GENERIC.MP) #32: Fri Apr 26 10:37:48 MDT 2019
>
> You need to check if you are running MP or SP though.
>
> I have also suggested this to Mischa, added to Cc.

As Florian suggested I compared kern.version to what from both bsd and bsd.mp.
I personally don't like repetition in the code, but I don't know how to do this more elegantly.

The other thing that might need to be adjusted is when to compare, I choose to do this all the way at the end before bsd.rd gets copied to bsd.upgrade.

Let me know if this needs more work. Love the idea of sysupgrade!

--- /usr/sbin/sysupgrade        Fri Apr 26 18:23:15 2019
+++ sysupgrade  Sat Apr 27 17:50:15 2019
@@ -149,6 +149,19 @@

 unpriv signify -C -p "${SIGNIFY_KEY}" -x SHA256.sig ${SETS}

+VERSION=$(sysctl -n kern.version | head -1)
+BSDSP=$(what /home/_sysupgrade/bsd | tail -1 | awk '{$1=$1;print}')
+BSDMP=$(what /home/_sysupgrade/bsd.mp | tail -1 | awk '{$1=$1;print}')
+
+if [[ ${VERSION} = ${BSDMP} ]]; then
+       echo "No update needed"
+       exit 1
+fi
+if [[ ${VERSION} = ${BSDSP} ]]; then
+       echo "No update needed"
+       exit 1
+fi
+
 cp bsd.rd /nbsd.upgrade
 ln /nbsd.upgrade /bsd.upgrade
 rm /nbsd.upgrade
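
Review bot: In both added tests the right-hand side of `=` inside `[[ ]]` is unquoted, so the shell treats the what(1) output as a pattern rather than a literal string; quote it, as in `[[ ${VERSION} = "${BSDMP}" ]]`. The two `if` blocks differ only in the variable and can be one test joined with `||`, the hard-coded `/home/_sysupgrade/` paths could be relative like `bsd.rd` in the context line below them, and `exit 1` reports an up-to-date system as a failure.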


Mischa

>
> >
> > Cheers,
> > Marco
> >
> > Index: usr.sbin/sysupgrade/sysupgrade.8
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
> > retrieving revision 1.2
> > diff -u -p -u -r1.2 sysupgrade.8
> > --- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
> > +++ usr.sbin/sysupgrade/sysupgrade.8 27 Apr 2019 11:54:40 -0000
> > @@ -28,7 +28,7 @@
> >  .Nm
> >  is a utility to upgrade
> >  .Ox
> > -to the next release or a new snapshot.
> > +to the next release or a new snapshot if available.
> >  .Pp
> >  .Nm
> >  downloads the necessary files to
> >
> > Index: usr.sbin/sysupgrade/sysupgrade.sh
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> > retrieving revision 1.6
> > diff -u -p -u -r1.6 sysupgrade.sh
> > --- usr.sbin/sysupgrade/sysupgrade.sh 26 Apr 2019 21:52:39 -0000 1.6
> > +++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
> > @@ -110,7 +110,19 @@ fi
> >  
> >  cd ${SETSDIR}
> >  
> > -unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
> > +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> > +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> > +
> > +unpriv touch SHA256.sig
> > +CUR_SHA=$(sha256 -q SHA256.sig)
> > +
> > +if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then
> > + rm SHA256.sig.tmp
> > + return 0
> > +fi
> > +
> > +unpriv cat SHA256.sig.tmp >SHA256.sig
> > +rm SHA256.sig.tmp
> >  
> >  _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
> >  _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
> >
>
> --
> I'm not entirely sure you are real.
>


Re: Conditional sysupgrade

Theo de Raadt-2
> As Florian suggested I compared kern.version to what from both bsd and bsd.mp.

Do not do that.

kern.version in snapshots and releases are completely arbitrary, based on
whether I delete an obj tree, then the version numbers begin anew.  This
heuristic will false-positive.


Re: Conditional sysupgrade

Florian Obser-2
It has the date and time with seconds resolution in there. Not just the build number.

On April 27, 2019 9:57:59 PM GMT+02:00, Theo de Raadt <[hidden email]> wrote:

>> As Florian suggested I compared kern.version to what from both bsd
>and bsd.mp.
>
>Do not do that.
>
>kern.version in snapshots and releases are completely arbitrary, based
>on
>whether I delete an obj tree, then the version numbers begin anew.
>This
>heuristic will false-positive.

Re: Conditional sysupgrade

Theo de Raadt-2
Florian Obser <[hidden email]> wrote:

> It has the date and time with seconds resolution in there. Not just the built number.

Yes from KARL on one machine, and snapshot/release builds on a different
machine.

Could this not false-positive?

> On April 27, 2019 9:57:59 PM GMT+02:00, Theo de Raadt <[hidden email]> wrote:
> >> As Florian suggested I compared kern.version to what from both bsd
> >and bsd.mp.
> >
> >Do not do that.
> >
> >kern.version in snapshots and releases are completely arbitrary, based
> >on
> >whether I delete an obj tree, then the version numbers begin anew.
> >This
> >heuristic will false-positive.


Re: Conditional sysupgrade

Theo Buehler-4
On Sat, Apr 27, 2019 at 02:16:26PM -0600, Theo de Raadt wrote:
> Florian Obser <[hidden email]> wrote:
>
> > It has the date and time with seconds resolution in there. Not just the built number.
>
> Yes from KARL on one machine, and snapshot/release builds on a different
> machine.
>
> Could this not false-positive?

I thought vers.o is deliberately not newly generated by reorder_kernel's
Makefile targets.

So as long as the snapshot/release building machines do not go
backward in time, this should not cause false positives.

Syspatch kernels built by robert or me and self-built stable kernels can
probably be dealt with by looking at the version number.


Re: Conditional sysupgrade

Florian Obser-2
In reply to this post by Mischa-2
On Sat, Apr 27, 2019 at 09:53:08PM +0200, Mischa Peters wrote:
> Let me know if this needs more work. Love the idea of sysupgrade!

Please shelve this for now, there is a lot of churn going on in the
tool in private and we are moving very fast.

There are more subtleties to consider.

--
I'm not entirely sure you are real.


Re: Conditional sysupgrade

Mischa-2
On 27 Apr at 22:57, Florian Obser <[hidden email]> wrote:
> On Sat, Apr 27, 2019 at 09:53:08PM +0200, Mischa Peters wrote:
> > Let me know if this needs more work. Love the idea of sysupgrade!
>
> Please shelf this for now, there is a lot of churn going on in the
> tool in private and we are moving very fast.
>
> There are more subtleties to consider.

Ok. Did get some good suggestions on my shell use, so might be able to put them to use at a later stage.

Mischa


Re: Conditional sysupgrade

Marco Bonetti
In reply to this post by Florian Obser-2
On 04/27, Florian Obser wrote:

> On Sat, Apr 27, 2019 at 01:23:20PM +0100, Marco Bonetti wrote:
> > Hello folks,
> >
> > First of all congratulations on a new OpenBSD release and thanks for
> > introducing sysupgrade in -current.
> >
> > Before sysupgrade, I was using a custom script for achieving the same
> > result with only difference that I was checking if a new snapshot (or
> > release) is available by looking at BUILDINFO before starting the
> > upgrade process.
> >
> > Patch below introduce the same behaviour using SHA256.sig as control
> > file. If you believe there is a valid use case for reinstalling already
> > applied sets to the running system please let me know and I can add a
> > -f force option.
>
> I see a need for the feature and also for the -f flag. One idea was if
> you messed up your shared libs you just type sysupgrade to
> unbreak things. (Doesn't quite work since not all the tools are
> statically linked).

Added

>
> I'm not happy with comparing the sha256 file, could you please use
> what(1) to compare the downloaded kernel with the running kernel?
>
> $ sysctl -n kern.version | head -1
> OpenBSD 6.5-current (GENERIC.MP) #32: Fri Apr 26 10:37:48 MDT 2019
> $ what /home/_sysupgrade/bsd.mp | tail -1
> OpenBSD 6.5-current (GENERIC.MP) #32: Fri Apr 26 10:37:48 MDT 2019
>
> You need to check if you are running MP or SP though.
>
> I have also suggested this to Mischa, added to Cc.

This has already been mentioned in the rest of the thread and doesn't
feel too right for me: the kernel can be modified and as a rule of thumb
a package manager or similar doesn't upgrade something if you changed
the content of a file locally. On the other hand if you applied local
modifications and run sysupgrade you probably want to overwrite the disk
contents :)

Maybe the -f option is enough for this?

Anyway, following patches also incorporate suggestions from the rest of
the thread.

Index: usr.sbin/sysupgrade/sysupgrade.8
===================================================================
RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
retrieving revision 1.2
diff -u -p -u -r1.2 sysupgrade.8
--- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
+++ usr.sbin/sysupgrade/sysupgrade.8 28 Apr 2019 22:59:52 -0000
@@ -23,12 +23,13 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl c
+.Op Fl f
 .Op Ar installurl
 .Sh DESCRIPTION
 .Nm
 is a utility to upgrade
 .Ox
-to the next release or a new snapshot.
+to the next release or a new snapshot if available.
 .Pp
 .Nm
 downloads the necessary files to
@@ -52,6 +53,10 @@ The default is to find out if the system
 In case of release
 .Nm
 downloads the next release.
+.It Fl f
+force an already applied upgrade.
+The default is to upgrade to latest snapshot only if available.
+This option has no effect on releases.
 .El
 .Sh FILES
 .Bl -tag -width "/home/_sysupgrade" -compact
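
Review bot: "This option has no effect on releases" in the new `.It Fl f` entry does not match the sysupgrade.sh hunk in this patch, where the SHA256.sig comparison and the `${FORCE}` test run for whatever `${URL}` points at, with no snapshot or release distinction. Either restrict the check in the script to snapshots or drop the sentence from the manual.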

Index: usr.sbin/sysupgrade/sysupgrade.sh
===================================================================
RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
retrieving revision 1.7
diff -u -p -u -r1.7 sysupgrade.sh
--- usr.sbin/sysupgrade/sysupgrade.sh 28 Apr 2019 07:21:28 -0000 1.7
+++ usr.sbin/sysupgrade/sysupgrade.sh 28 Apr 2019 22:59:45 -0000
@@ -63,10 +63,12 @@ rmel() {
 }
 
 CURRENT=false
+FORCE=false
 
-while getopts c arg; do
+while getopts cf arg; do
         case ${arg} in
         c)      CURRENT=true;;
+        f)      FORCE=true;;
         *)      usage;;
         esac
 done
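
Review bot: `getopts cf` now accepts -f, but this patch has no hunk for usage(), whose string reads `[-c] [installurl]` in the later diff in this thread, so the usage message would not mention the new flag. Update the usage string together with the option parsing.
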
@@ -110,7 +112,21 @@ fi
 
 cd ${SETSDIR}
 
-unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
+unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
+TMP_SHA=$(sha256 -q SHA256.sig.tmp)
+
+if [[ ! -f SHA256.sig ]]; then
+ unpriv -f SHA256.sig touch SHA256.sig
+fi
+CUR_SHA=$(sha256 -q SHA256.sig)
+
+if [[ "${TMP_SHA}" = "${CUR_SHA}"  && ${FORCE} != "true" ]]; then
+ rm SHA256.sig.tmp
+ return 0
+fi
+
+cat SHA256.sig.tmp >SHA256.sig
+rm SHA256.sig.tmp
 
 _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
 _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
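
Review bot: When the files match, the script leaves through `return 0` without printing anything, so the user cannot tell "already up to date" from a run that silently did nothing for some other reason. Print a short message before leaving, and since the hunk context (`fi`, `cd ${SETSDIR}`) suggests this code is at the top level of the script rather than inside a function, `exit 0` states the intent more clearly than `return 0`.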

Enjoy,
Marco

>
> >
> > Cheers,
> > Marco
> >
> > Index: usr.sbin/sysupgrade/sysupgrade.8
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
> > retrieving revision 1.2
> > diff -u -p -u -r1.2 sysupgrade.8
> > --- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
> > +++ usr.sbin/sysupgrade/sysupgrade.8 27 Apr 2019 11:54:40 -0000
> > @@ -28,7 +28,7 @@
> >  .Nm
> >  is a utility to upgrade
> >  .Ox
> > -to the next release or a new snapshot.
> > +to the next release or a new snapshot if available.
> >  .Pp
> >  .Nm
> >  downloads the necessary files to
> >
> > Index: usr.sbin/sysupgrade/sysupgrade.sh
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> > retrieving revision 1.6
> > diff -u -p -u -r1.6 sysupgrade.sh
> > --- usr.sbin/sysupgrade/sysupgrade.sh 26 Apr 2019 21:52:39 -0000 1.6
> > +++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
> > @@ -110,7 +110,19 @@ fi
> >  
> >  cd ${SETSDIR}
> >  
> > -unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
> > +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> > +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> > +
> > +unpriv touch SHA256.sig
> > +CUR_SHA=$(sha256 -q SHA256.sig)
> > +
> > +if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then
> > + rm SHA256.sig.tmp
> > + return 0
> > +fi
> > +
> > +unpriv cat SHA256.sig.tmp >SHA256.sig
> > +rm SHA256.sig.tmp
> >  
> >  _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
> >  _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
> >
>
> --
> I'm not entirely sure you are real.


Re: Conditional sysupgrade

Marco Bonetti
In reply to this post by Christian Weisgerber
On 04/27, Christian Weisgerber wrote:

> On 2019-04-27, Marco Bonetti <[hidden email]> wrote:
>
> > +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> > +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> > +
> > +unpriv touch SHA256.sig
>
> This fails if SHA256.sig doesn't exist yet.  The unprivileged user
> cannot create files in $SETSDIR.
>
> > +unpriv cat SHA256.sig.tmp >SHA256.sig
>
> Do you understand that the I/O redirection is performed before
> calling unpriv?
>
> --
> Christian "naddy" Weisgerber                          [hidden email]
>

Thanks for the suggestions, I've incorporated them in the new version of the
patch.

Cheers,
Marco


Re: Conditional sysupgrade

Marco Bonetti
In reply to this post by Andreas Kusalananda Kähäri-4
On 04/27, Andreas Kusalananda Kähäri wrote:

> On Sat, Apr 27, 2019 at 01:23:20PM +0100, Marco Bonetti wrote:
> > Hello folks,
> >
> > First of all congratulations on a new OpenBSD release and thanks for
> > introducing sysupgrade in -current.
> >
> > Before sysupgrade, I was using a custom script for achieving the same
> > result with only difference that I was checking if a new snapshot (or
> > release) is available by looking at BUILDINFO before starting the
> > upgrade process.
> >
> > Patch below introduce the same behaviour using SHA256.sig as control
> > file. If you believe there is a valid use case for reinstalling already
> > applied sets to the running system please let me know and I can add a
> > -f force option.
> >
> > Cheers,
> > Marco
>
> I was going to suggest something similar.
>
> See comment below.
>
> >
> > Index: usr.sbin/sysupgrade/sysupgrade.8
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
> > retrieving revision 1.2
> > diff -u -p -u -r1.2 sysupgrade.8
> > --- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
> > +++ usr.sbin/sysupgrade/sysupgrade.8 27 Apr 2019 11:54:40 -0000
> > @@ -28,7 +28,7 @@
> >  .Nm
> >  is a utility to upgrade
> >  .Ox
> > -to the next release or a new snapshot.
> > +to the next release or a new snapshot if available.
> >  .Pp
> >  .Nm
> >  downloads the necessary files to
> >
> > Index: usr.sbin/sysupgrade/sysupgrade.sh
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> > retrieving revision 1.6
> > diff -u -p -u -r1.6 sysupgrade.sh
> > --- usr.sbin/sysupgrade/sysupgrade.sh 26 Apr 2019 21:52:39 -0000 1.6
> > +++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
> > @@ -110,7 +110,19 @@ fi
> >  
> >  cd ${SETSDIR}
> >  
> > -unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
> > +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> > +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> > +
> > +unpriv touch SHA256.sig
> > +CUR_SHA=$(sha256 -q SHA256.sig)
> > +
> > +if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then
>
> Why compare checksums?
>
>     if cmp -s SHA256.sig SHA256.sig.tmp; then

cmp exits 1 on different files, thus killing the script

>
> > + rm SHA256.sig.tmp
> > + return 0
> > +fi
> > +
> > +unpriv cat SHA256.sig.tmp >SHA256.sig
> > +rm SHA256.sig.tmp
> >  
> >  _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
> >  _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.


Re: Conditional sysupgrade

Stuart Henderson
On 2019/04/29 00:21, Marco Bonetti wrote:

> > > +++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
> > > @@ -110,7 +110,19 @@ fi
> > >  
> > >  cd ${SETSDIR}
> > >  
> > > -unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
> > > +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> > > +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> > > +
> > > +unpriv touch SHA256.sig
> > > +CUR_SHA=$(sha256 -q SHA256.sig)
> > > +
> > > +if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then
> >
> > Why compare checksums?
> >
> >     if cmp -s SHA256.sig SHA256.sig.tmp; then
>
> cmp exits 1 on different files, thus killing the script

That's not the case:

     -e      Errexit.  Exit the shell immediately should an error occur or a
             command fail.  For pipelines and && and || constructs, only exit
             if the last component fails.  Errexit is ignored for while,
             until, if, and elif lists and pipelines beginning ‘!’.
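
The errexit rule quoted above, worked through for the thread's `cmp -s` check. This is an added example, not code from the thread or from sysupgrade; the file names and contents and the helpers `run_errexit`, `bare_cmp`, `if_cmp` and `already_applied` are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the thread. File names and contents are
# constructed; the comparison mirrors "cmp -s SHA256.sig SHA256.sig.tmp".

# Run a snippet in a fresh shell with errexit enabled and print its output.
# A separate process keeps the caller's own errexit context out of the result.
# $1 = snippet, $2 and $3 = the two files the snippet sees as $1 and $2.
run_errexit() {
	sh -c "set -e; $1" sh "$2" "$3" 2>/dev/null || true
}

# cmp as a plain statement: status 1 (files differ) terminates the shell,
# so the final echo is never reached.
bare_cmp() {
	run_errexit 'cmp -s "$1" "$2"; echo reached-end' "$1" "$2"
}

# cmp as an if condition: errexit is ignored for the condition, so status 1
# (files differ) or 2 (file missing) only selects the else branch.
if_cmp() {
	run_errexit 'if cmp -s "$1" "$2"; then r=same; else r=differ; fi; echo "$r reached-end"' "$1" "$2"
}

# Skip decision as a function: succeeds (0) only when both files are
# identical and the force flag ($3, "true" or "false") is not set.
# Call it from an if, && or || context; as a bare statement under set -e
# its non-zero "go ahead and upgrade" result would end the script.
already_applied() {
	cmp -s "$1" "$2" 2>/dev/null && [ "$3" != true ]
}

# Constructed sample files standing in for the stored and downloaded copies.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed signature A\n' >"$demo_dir/installed.sig"
cp "$demo_dir/installed.sig" "$demo_dir/unchanged.sig"
printf 'constructed signature B\n' >"$demo_dir/new.sig"

echo "bare cmp, files differ: [$(bare_cmp "$demo_dir/installed.sig" "$demo_dir/new.sig")]"
echo "if cmp, files differ:   [$(if_cmp "$demo_dir/installed.sig" "$demo_dir/new.sig")]"
echo "if cmp, first missing:  [$(if_cmp "$demo_dir/absent.sig" "$demo_dir/new.sig")]"
```

A missing stored copy takes the same branch as a changed one, so a first run proceeds to the upgrade instead of aborting.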


Re: Conditional sysupgrade

Marco Bonetti
On 04/29, Stuart Henderson wrote:

> On 2019/04/29 00:21, Marco Bonetti wrote:
> > > > +++ usr.sbin/sysupgrade/sysupgrade.sh 27 Apr 2019 11:54:48 -0000
> > > > @@ -110,7 +110,19 @@ fi
> > > >  
> > > >  cd ${SETSDIR}
> > > >  
> > > > -unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
> > > > +unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
> > > > +TMP_SHA=$(sha256 -q SHA256.sig.tmp)
> > > > +
> > > > +unpriv touch SHA256.sig
> > > > +CUR_SHA=$(sha256 -q SHA256.sig)
> > > > +
> > > > +if [[ "${TMP_SHA}" = "${CUR_SHA}" ]]; then
> > >
> > > Why compare checksums?
> > >
> > >     if cmp -s SHA256.sig SHA256.sig.tmp; then
> >
> > cmp exits 1 on different files, thus killing the script
>
> That's not the case:
>
>      -e      Errexit.  Exit the shell immediately should an error occur or a
>              command fail.  For pipelines and && and || constructs, only exit
>              if the last component fails.  Errexit is ignored for while,
>              until, if, and elif lists and pipelines beginning ‘!’.
>

Right, my bad: I tested the suggestion using "if unpriv cmp ...",
triggering -e inside the unpriv function.

Patch below nukes the shasum comparison and switches to cmp.

Index: usr.sbin/sysupgrade/sysupgrade.8
===================================================================
RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
retrieving revision 1.2
diff -u -p -u -r1.2 sysupgrade.8
--- usr.sbin/sysupgrade/sysupgrade.8 26 Apr 2019 05:54:49 -0000 1.2
+++ usr.sbin/sysupgrade/sysupgrade.8 29 Apr 2019 21:05:33 -0000
@@ -23,12 +23,13 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl c
+.Op Fl f
 .Op Ar installurl
 .Sh DESCRIPTION
 .Nm
 is a utility to upgrade
 .Ox
-to the next release or a new snapshot.
+to the next release or a new snapshot if available.
 .Pp
 .Nm
 downloads the necessary files to
@@ -52,6 +53,10 @@ The default is to find out if the system
 In case of release
 .Nm
 downloads the next release.
+.It Fl f
+force an already applied upgrade.
+The default is to upgrade to latest snapshot only if available.
+This option has no effect on releases.
 .El
 .Sh FILES
 .Bl -tag -width "/home/_sysupgrade" -compact
Index: usr.sbin/sysupgrade/sysupgrade.sh
===================================================================
RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
retrieving revision 1.7
diff -u -p -u -r1.7 sysupgrade.sh
--- usr.sbin/sysupgrade/sysupgrade.sh 28 Apr 2019 07:21:28 -0000 1.7
+++ usr.sbin/sysupgrade/sysupgrade.sh 29 Apr 2019 21:05:43 -0000
@@ -63,10 +63,12 @@ rmel() {
 }
 
 CURRENT=false
+FORCE=false
 
-while getopts c arg; do
+while getopts cf arg; do
         case ${arg} in
         c)      CURRENT=true;;
+        f)      FORCE=true;;
         *)      usage;;
         esac
 done
@@ -110,7 +112,19 @@ fi
 
 cd ${SETSDIR}
 
-unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
+unpriv -f SHA256.sig.tmp ftp -Vmo SHA256.sig.tmp ${URL}SHA256.sig
+
+if [[ ! -f SHA256.sig ]]; then
+ unpriv -f SHA256.sig touch SHA256.sig
+fi
+
+if cmp -s SHA256.sig SHA256.sig.tmp; then
+ rm SHA256.sig.tmp
+ return 0
+fi
+
+cat SHA256.sig.tmp >SHA256.sig
+rm SHA256.sig.tmp
 
 _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
 _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
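
Review bot: FORCE is set by the getopts hunk above but never read in this hunk: `if cmp -s SHA256.sig SHA256.sig.tmp; then` lost the `${FORCE} != "true"` condition the previous version of the patch had, so -f no longer has any effect. Add the flag back to the condition, for example `if cmp -s SHA256.sig SHA256.sig.tmp && ! ${FORCE}; then`.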

Cheers,
Marco


Re: Conditional sysupgrade

Florian Obser
In reply to this post by Marco Bonetti
On Sat, Apr 27, 2019 at 01:23:20PM +0100, Marco Bonetti wrote:

> Hello folks,
>
> First of all congratulations on a new OpenBSD release and thanks for
> introducing sysupgrade in -current.
>
> Before sysupgrade, I was using a custom script for achieving the same
> result with only difference that I was checking if a new snapshot (or
> release) is available by looking at BUILDINFO before starting the
> upgrade process.
>
> Patch below introduce the same behaviour using SHA256.sig as control
> file. If you believe there is a valid use case for reinstalling already
> applied sets to the running system please let me know and I can add a
> -f force option.
>
> Cheers,
> Marco

With a recent commit the installer helps us out by keeping the last
used SHA256.sig around. I have been convinced that that is indeed the
correct way of doing this.

With the help of the installer Marco's diff is much simpler now.

OK?

diff --git sysupgrade.8 sysupgrade.8
index 88c8a43b034..d4454d1c4e3 100644
--- sysupgrade.8
+++ sysupgrade.8
@@ -23,12 +23,13 @@
 .Sh SYNOPSIS
 .Nm
 .Op Fl c
+.Op Fl f
 .Op Ar installurl
 .Sh DESCRIPTION
 .Nm
 is a utility to upgrade
 .Ox
-to the next release or a new snapshot.
+to the next release or a new snapshot if available.
 .Pp
 .Nm
 downloads the necessary files to
@@ -52,6 +53,10 @@ The default is to find out if the system is running a release or a snapshot.
 In case of release
 .Nm
 downloads the next release.
+.It Fl f
+force an already applied upgrade.
+The default is to upgrade to latest snapshot only if available.
+This option has no effect on releases.
 .El
 .Sh FILES
 .Bl -tag -width "/home/_sysupgrade" -compact
diff --git sysupgrade.sh sysupgrade.sh
index e532d7f94d1..5e868791a8b 100644
--- sysupgrade.sh
+++ sysupgrade.sh
@@ -33,7 +33,7 @@ ug_err()
 
 usage()
 {
- ug_err "usage: ${0##*/} [-c] [installurl]"
+ ug_err "usage: ${0##*/} [-cf] [installurl]"
 }
 
 unpriv()
@@ -63,12 +63,14 @@ rmel() {
 }
 
 CURRENT=false
-
-while getopts c arg; do
-        case ${arg} in
-        c)      CURRENT=true;;
-        *)      usage;;
-        esac
+FORCE=false
+
+while getopts cf arg; do
+ case ${arg} in
+ c) CURRENT=true;;
+ f) FORCE=true;;
+ *) usage;;
+ esac
 done
 
 set -A _KERNV -- $(sysctl -n kern.version |
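
Review bot: The case body is re-indented in the same change that adds the `f)` arm, which turns a three-line addition into a rewrite of the whole getopts loop. Keep the whitespace change out of this diff, or commit it separately, so that only `FORCE=false`, `getopts cf` and `f) FORCE=true;;` show up as changes.
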
@@ -112,6 +114,10 @@ cd ${SETSDIR}
 
 unpriv -f SHA256.sig ftp -Vmo SHA256.sig ${URL}SHA256.sig
 
+if cmp -s /var/db/installed.SHA256.sig SHA256.sig && ! $FORCE; then
+ ug_err "Already on latest snapshot."
+fi
+
 _KEY=openbsd-${_KERNV[0]%.*}${_KERNV[0]#*.}-base.pub
 _NEXTKEY=openbsd-${NEXT_VERSION%.*}${NEXT_VERSION#*.}-base.pub
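
Review bot: ug_err is the helper usage() uses to report errors, so "Already on latest snapshot." is presumably delivered as a failure; being up to date is a normal outcome, and a scheduled run would be better served by a plain message and exit status 0. The message also says "snapshot" although nothing in the condition limits the check to snapshots, and `! $FORCE` runs the variable's value as a command, which is only safe while it can hold nothing but `true` or `false`.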
 


--
I'm not entirely sure you are real.


Re: Conditional sysupgrade

Klemens Nanni-2
OK kn