XO in-field upgrades

Mike C. Fletcher mcfletch at vrplumber.com
Tue Jun 26 17:47:33 EDT 2007


Alexander Larsson wrote:
> On Mon, 2007-06-25 at 15:38 -0400, Noah Kantrowitz wrote:
>   
...
> I still don't understand at all how vserver can be used to upgrade the
> main image. Yes, one can clone the main image into a chroot, and use
> vserver to boot into that. One can also enable some COW stuff so that we
> can change that into the new version. 
>
> But, how do we apply this new image (which is a copy of the root +
> applied updates) to be the new master image the next time we boot? i.e.
> when the kernel boots it will launch /bin/init,
> not /vserver/updated_image/bin/init.
>   
Any COW/overlay system used for the root file system requires a 
boot-time operation that sets up the root file system image, similar to 
an initrd based system.  This operation can be extremely simple with 
Ivan's two-version-only operation:

    if key_down( 'esc' ):
        load_readonly_root /rootfs/previous/bin/init
    else:
        load_readonly_root /rootfs/latest/bin/init +
    /rootfs/previous/bin/init

It's the same basic idea as a bootable CD where the initrd constructs a 
virtual root of a tmpfs and the CD image on disk, save that it allows 
for an interaction in which a keyboard operation changes the set of 
overlays used to construct the root fs.  Eventually there might be a UI 
for selecting overlays to strip them back one-by-one until you get a 
working system, but that's been tabled as an idea.

In the two-level approach, the upgrade system would have to first 
compress down the two levels of the current image before it began the 
update (since there's no provision for a third or higher level of overlay):

    * def update():
          o download_update into /roofts/unverified-version
          o if verify( /rootfs/unverified-version ):
                + assert no-activity-running-on-old-version
                + # merging moves the files from the one overlay
                  directory to the other
                + # applying deletions and the like. Can be atomic for
                  each file, hard-link
                + # the files rather than copying so that open files are
                  not disturbed
                + merge /rootfs/latest into /rootfs/previous
                + # make sure running activities still see the previous
                  version...
                + for each running core service and activity, remount
                  remount fs tree to remove /rootfs/latest
                      # (in aufs, for instance use the "del" option on
                        /rootfs/latest branch)
                + assert /rootfs/latest empty
                + move /rootfs/unverified-version to /rootfs/latest
          o else:
                + delete /rootfs/unverified-version

I may be missing an operation or two in there, but I *think* that's the 
intention.  That is, there's an ultimate loading level that sits outside 
the standard root to make it all work.  That loading level could be in 
the BIOS or on an initrd, but there does need to be a level to manage 
the ultimate overlay-based structure AFAIK.  And at normal boot, 
something has to set up the overlays, regardless of what overlay set is 
loaded.  That level of access is where the update manager has to sit to 
be able to do the updates AFAICS.  That is to accomplish a merge or 
remount of the core fs we need a way to ask the overlay manager to do 
some work for us at the update-manager level.
> Btw. I don't see why we would have to use vserver and COW for doing
> this, we just have to do the hardlink copy, and then apply the update on
> that, carefully always changing files so that hardlinks are broken (i.e.
> no in-place updates, just replace the files). However, that still gets
> us into the same situation, with a copy of the new image in a
> subdirectory that is not the main image.
>   
Yes, same basic effect, something outside the root needs to be able to 
switch to the root you choose, you could have a UI element that allows 
you to select the root, or you could have the service switch the name of 
the directories so that the new version is called "latest" and the last 
one "previous".  Basically the same problem, you need a way to ask 
something at a higher level of access to do the promotion.  The 
promotion could be something as simple as writing a file at the root 
that says "root=myversion" for the next boot, letting the boot-time 
process read that file in order to choose which root to boot.

BTW, reading the two descriptions, the hardlink-copy version is easier 
than the overlay AFAICS.  You don't have to remount the running 
services/activities (as you do if you require that there be a maximum of 
1 overlay).  Other than that the operations are essentially identical, 
you replace the merge with a recursive hard-linking copy (how does that 
work for soft links, incidentally, I gather you recreate them rather 
than hard-linking?)  Something at boot time then decides what to load, 
with some operation setting the default to the new version.  The 
advantages for the overlay system only start when you begin considering 
many small overlays, user-authored overlays and the like.

Anyway, just my fuzzy understanding,
Mike

-- 
________________________________________________
  Mike C. Fletcher
  Designer, VR Plumber, Coder
  http://www.vrplumber.com
  http://blog.vrplumber.com




More information about the Devel mailing list