1SYSUPDATE.D(5) sysupdate.d SYSUPDATE.D(5)
2
3
4
6 sysupdate.d - Transfer Definition Files for Automatic Updates
7
9 /etc/sysupdate.d/*.conf
10 /run/sysupdate.d/*.conf
11 /usr/lib/sysupdate.d/*.conf
12
13
15 sysupdate.d/*.conf files describe how specific resources on the local
16 system shall be updated from a remote source. Each such file defines
17 one such transfer: typically a remote HTTP/HTTPS resource as source;
18 and a local file, directory or partition as target. This may be used as
19 a simple, automatic, atomic update mechanism for the OS itself, for
20 containers, portable services or system extension images — but in fact
21 may be used to update any kind of file from a remote source.
22
23 The systemd-sysupdate(8) command reads these files and uses them to
24 determine which local resources should be updated, and then executes
25 the update.
26
27 Both the remote HTTP/HTTPS source and the local target typically exist
28 in multiple, concurrent versions, in order to implement flexible update
29 schemes, e.g. A/B updating (or a superset thereof, e.g. A/B/C, A/B/C/D,
30 ...).
31
32 Each *.conf file defines one transfer, i.e. describes one resource to
33 update. Typically, multiple of these files (i.e. multiple of such
34 transfers) are defined together, and are bound together by a common
35 version identifier in order to update multiple resources at once on
36 each update operation, for example to update a kernel, a root file
37 system and a Verity partition in a single, combined, synchronized
38 operation, so that only a combined update of all three together
39 constitutes a complete update.
40
41 Each *.conf file contains three sections: [Transfer], [Source] and
42 [Target].
43
45 Disk-image based OS updates typically consist of multiple different
46 resources that need to be updated together, for example a secure OS
47 update might consist of a root file system image to drop into a
48 partition, a matching Verity integrity data partition image, and a
49 kernel image prepared to boot into the combination of the two
50 partitions. The first two resources are files that are downloaded and
51 placed in a disk partition, the latter is a file that is downloaded and
52 placed in a regular file in the boot file system (e.g. EFI system
53 partition). Hence, during an update of a hypothetical operating system
54 "foobarOS" to a hypothetical version 47 the following operations should
55 take place:
56
57 1. A file "https://download.example.com/foobarOS_47.root.xz" should be
58 downloaded, decompressed and written to a previously unused
59 partition with GPT partition type UUID
60 4f68bce3-e8cd-4db1-96e7-fbcaf984b709 for x86-64, as per
61 Discoverable Partitions Specification[1].
62
63 2. Similarly, a file
64 "https://download.example.com/foobarOS_47.verity.xz" should be
65 downloaded, decompressed and written to a previously empty
66 partition with GPT partition type UUID of
67 2c7357ed-ebd2-46d9-aec1-23d437ec2bf5 (i.e. the partition type for
68 Verity integrity information for x86-64 root file systems).
69
70 3. Finally, a file "https://download.example.com/foobarOS_47.efi.xz"
71 (a unified kernel, as per Boot Loader Specification[2] Type #2)
72 should be downloaded, decompressed and written to the ESP file
73 system, i.e. to EFI/Linux/foobarOS_47.efi in the ESP.
74
75 The version-independent generalization of this would be (using the
76 special marker "@v" as wildcard for the version identifier):
77
78 1. A transfer of a file
79 "https://download.example.com/foobarOS_@v.root.xz" → a local,
80 previously empty GPT partition of type
81 4f68bce3-e8cd-4db1-96e7-fbcaf984b709, with the label to be set to
82 "foobarOS_@v".
83
84 2. A transfer of a file
85 "https://download.example.com/foobarOS_@v.verity.xz" → a local,
86 previously empty GPT partition of type
87 2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, with the label to be set to
88 "foobarOS_@v_verity".
89
90 3. A transfer of a file
91 "https://download.example.com/foobarOS_@v.efi.xz" → a local file
92 /efi/EFI/Linux/foobarOS_@v.efi.
93
94 An update can only complete if the relevant URLs provide their
95 resources for the same version, i.e. for the same value of "@v".
96
97 The above may be translated into three *.conf files in sysupdate.d/,
98 one for each resource to transfer. The *.conf files configure the type
99 of download, and what place to write the download to (i.e. whether to a
100 partition or a file in the file system). Most importantly these files
101 contain the URL, partition name and filename patterns shown above that
102 describe how these resources are called on the source and how they
103 shall be called on the target.
104
105 In order to enumerate available versions and figuring out candidates to
106 update to, a mechanism is necessary to list suitable files:
107
108 • For partitions: the surrounding GPT partition table contains a list
109 of defined partitions, including a partition type UUID and a
110 partition label (in this scheme the partition label plays a role
111 for the partition similar to the filename for a regular file).
112
113 • For regular files: the directory listing of the directory the files
114 are contained in provides a list of existing files in a
115 straightforward way.
116
117 • For HTTP/HTTPS sources a simple scheme is used: a manifest file
118 SHA256SUMS, following the format defined by sha256sum(1), lists
119 file names and their SHA256 hashes.
120
121 Transfers are done in the alphabetical order of the .conf file names
122 they are defined in. First, the resource data is downloaded directly
123 into a target file/directory/partition. Once this is completed for all
124 defined transfers, in a second step the files/directories/partitions
125 are renamed to their final names as defined by the target
126 MatchPattern=, again in the order the .conf transfer file names
127 dictate. This step is not atomic, however it is guaranteed to be
128 executed strictly in order with suitable disk synchronization in place.
129 Typically, when updating an OS one of the transfers defines the entry
130 point when booting. Thus it is generally a good idea to order the
131 resources via the transfer configuration file names so that the entry
132 point is written last, ensuring that any abnormal termination does not
133 leave an entry point around whose backing is not established yet. In
134 the example above it would hence make sense to establish the EFI kernel
135 image last and thus give its transfer configuration file the
136 alphabetically last name.
137
138 See below for an extended, more specific example based on the above.
139
141 Each transfer file defines one source resource to transfer to one
142 target resource. The following resource types are supported:
143
144 1. Resources of type "url-file" encapsulate a file on a web server,
145 referenced via a HTTP or HTTPS URL. When an update takes place, the
146 file is downloaded and decompressed and then written to the target
147 file or partition. This resource type is only available for
148 sources, not for targets. The list of available versions of
149 resources of this type is encoded in SHA256SUMS manifest files,
150 accompanied by SHA256SUMS.gpg detached signatures.
151
152 2. The "url-tar" resource type is similar, but the file must be a .tar
153 archive. When an update takes place, the file is decompressed and
154 unpacked into a directory or btrfs subvolume. This resource type is
155 only available for sources, not for targets. Just like "url-file",
156 "url-tar" version enumeration makes use of SHA256SUMS files,
157 authenticated via SHA256SUMS.gpg.
158
159 3. The "regular-file" resource type encapsulates a local regular file
160 on disk. During updates the file is uncompressed and written to the
161 target file or partition. This resource type is available both as
162 source and as target. When updating no integrity or authentication
163 verification is done for resources of this type.
164
165 4. The "partition" resource type is similar to "regular-file", and
166 encapsulates a GPT partition on disk. When updating, the partition
167 must exist already, and have the correct GPT partition type. A
168 partition whose GPT partition label is set to "_empty" is
169 considered empty, and a candidate to place a newly downloaded
170 resource in. The GPT partition label is used to store version
171 information, once a partition is updated. This resource type is
172 only available for target resources.
173
174 5. The "tar" resource type encapsulates local .tar archive files. When
175 an update takes place, the files are uncompressed and unpacked into
176 a target directory or btrfs subvolume. Behaviour of "tar" and
177 "url-tar" is generally similar, but the latter downloads from
178 remote sources, and does integrity and authentication checks while
179 the former does not. The "tar" resource type is only available for
180 source resources.
181
182 6. The "directory" resource type encapsulates local directory trees.
183 This type is available both for source and target resources. If an
184 update takes place on a source resource of this type, a recursive
185 copy of the directory is done.
186
187 7. The "subvolume" resource type is identical to "directory", except
188 when used as the target, in which case the file tree is placed in a
189 btrfs subvolume instead of a plain directory, if the backing file
190 system supports it (i.e. is btrfs).
191
192 As already indicated, only a subset of source and target resource type
193 combinations are supported:
194
195 Table 1. Resource Types
196 ┌─────────────┬─────────────┬───────────┬───────────────┬────────────────┬───────────────┬───────────┬──────────────┐
197 │Identifier │ Description │ Usable as │ When Used │ When Used │ When Used │ Usable as │ When Used │
198 │ │ │ Source │ as │ as │ as │ Target │ as │
199 │ │ │ │ Source: │ Source: │ Source: │ │ Target: │
200 │ │ │ │ Compatible │ Integrity │ Decompression │ │ Compatible │
201 │ │ │ │ Targets │ + │ │ │ Sources │
202 │ │ │ │ │ Authentication │ │ │ │
203 ├─────────────┼─────────────┼───────────┼───────────────┼────────────────┼───────────────┼───────────┼──────────────┤
204 │url-file │ HTTP/HTTPS │ yes │ regular-file, │ yes │ yes │ no │ - │
205 │ │ files │ │ partition │ │ │ │ │
206 ├─────────────┼─────────────┼───────────┼───────────────┼────────────────┼───────────────┼───────────┼──────────────┤
207 │url-tar │ HTTP/HTTPS │ yes │ directory, │ yes │ yes │ no │ - │
208 │ │ .tar │ │ subvolume │ │ │ │ │
209 │ │ archives │ │ │ │ │ │ │
210 ├─────────────┼─────────────┼───────────┼───────────────┼────────────────┼───────────────┼───────────┼──────────────┤
211 │regular-file │ Local files │ yes │ regular-file, │ no │ yes │ yes │ url-file, │
212 │ │ │ │ partition │ │ │ │ regular-file │
213 ├─────────────┼─────────────┼───────────┼───────────────┼────────────────┼───────────────┼───────────┼──────────────┤
214 │partition │ Local GPT │ no │ - │ - │ - │ yes │ url-file, │
215 │ │ partitions │ │ │ │ │ │ regular-file │
216 ├─────────────┼─────────────┼───────────┼───────────────┼────────────────┼───────────────┼───────────┼──────────────┤
217 │tar │ Local .tar │ yes │ directory, │ no │ yes │ no │ - │
218 │ │ archives │ │ subvolume │ │ │ │ │
219 ├─────────────┼─────────────┼───────────┼───────────────┼────────────────┼───────────────┼───────────┼──────────────┤
220 │directory │ Local │ yes │ directory, │ no │ no │ yes │ url-tar, │
221 │ │ directories │ │ subvolume │ │ │ │ tar, │
222 │ │ │ │ │ │ │ │ directory, │
223 │ │ │ │ │ │ │ │ subvolume │
224 ├─────────────┼─────────────┼───────────┼───────────────┼────────────────┼───────────────┼───────────┼──────────────┤
225 │subvolume │ Local btrfs │ yes │ directory, │ no │ no │ yes │ url-tar, │
226 │ │ subvolumes │ │ subvolume │ │ │ │ tar, │
227 │ │ │ │ │ │ │ │ directory, │
228 │ │ │ │ │ │ │ │ subvolume │
229 └─────────────┴─────────────┴───────────┴───────────────┴────────────────┴───────────────┴───────────┴──────────────┘
230
232 Both the source and target resources typically exist in multiple
233 versions concurrently. An update operation is done whenever the newest
234 of the source versions is newer than the newest of the target versions.
235 To determine the newest version of the resources a directory listing,
236 partition listing or manifest listing is used, a subset of qualifying
237 entries selected from that, and the version identifier extracted from
238 the file names or partition labels of these selected entries. Subset
239 selection and extraction of the version identifier (plus potentially
240 other metadata) is done via match patterns, configured in MatchPattern=
241 in the [Source] and [Target] sections. These patterns are strings that
242 describe how files or partitions are named, with named wildcards for
243 specific fields such as the version identifier. The following wildcards
244 are defined:
245
246 Table 2. Match Pattern Wildcards
247 ┌─────────┬──────────────────┬──────────────────┬───────────────────┐
248 │Wildcard │ Description │ Format │ Notes │
249 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
250 │"@v" │ Version │ Valid version │ Mandatory │
251 │ │ identifier │ string │ │
252 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
253 │"@u" │ GPT partition │ Valid 128-Bit │ Only relevant if │
254 │ │ UUID │ UUID string │ target resource │
255 │ │ │ │ type chosen as │
256 │ │ │ │ partition │
257 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
258 │"@f" │ GPT partition │ Formatted │ Only relevant if │
259 │ │ flags │ hexadecimal │ target resource │
260 │ │ │ integer │ type chosen as │
261 │ │ │ │ partition │
262 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
263 │"@a" │ GPT partition │ Either "0" or │ Controls NoAuto │
264 │ │ flag NoAuto │ "1" │ bit of the GPT │
265 │ │ │ │ partition flags, │
266 │ │ │ │ as per │
267 │ │ │ │ Discoverable │
268 │ │ │ │ Partitions │
269 │ │ │ │ Specification[1]; │
270 │ │ │ │ only relevant if │
271 │ │ │ │ target resource │
272 │ │ │ │ type chosen as │
273 │ │ │ │ partition │
274 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
275 │"@g" │ GPT partition │ Either "0" or │ Controls │
276 │ │ flag │ "1" │ GrowFileSystem │
277 │ │ GrowFileSystem │ │ bit of the GPT │
278 │ │ │ │ partition flags, │
279 │ │ │ │ as per │
280 │ │ │ │ Discoverable │
281 │ │ │ │ Partitions │
282 │ │ │ │ Specification[1]; │
283 │ │ │ │ only relevant if │
284 │ │ │ │ target resource │
285 │ │ │ │ type chosen as │
286 │ │ │ │ partition │
287 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
288 │"@r" │ Read-only flag │ Either "0" or │ Controls ReadOnly │
289 │ │ │ "1" │ bit of the GPT │
290 │ │ │ │ partition flags, │
291 │ │ │ │ as per │
292 │ │ │ │ Discoverable │
293 │ │ │ │ Partitions │
294 │ │ │ │ Specification[1] │
295 │ │ │ │ and other output │
296 │ │ │ │ read-only flags, │
297 │ │ │ │ see ReadOnly= │
298 │ │ │ │ below │
299 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
300 │"@t" │ File │ Formatted │ Only relevant if │
301 │ │ modification │ decimal integer, │ target resource │
302 │ │ time │ µs since UNIX │ type chosen as │
303 │ │ │ epoch Jan 1st │ regular-file │
304 │ │ │ 1970 │ │
305 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
306 │"@m" │ File access mode │ Formatted octal │ Only relevant if │
307 │ │ │ integer, in UNIX │ target resource │
308 │ │ │ fashion │ type chosen as │
309 │ │ │ │ regular-file │
310 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
311 │"@s" │ File size after │ Formatted │ Useful for │
312 │ │ decompression │ decimal integer │ measuring │
313 │ │ │ │ progress and to │
314 │ │ │ │ improve partition │
315 │ │ │ │ allocation logic │
316 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
317 │"@d" │ Tries done │ Formatted │ Useful when │
318 │ │ │ decimal integer │ operating with │
319 │ │ │ │ kernel image │
320 │ │ │ │ files, as per │
321 │ │ │ │ Automatic Boot │
322 │ │ │ │ Assessment[3] │
323 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
324 │"@l" │ Tries left │ Formatted │ Useful when │
325 │ │ │ decimal integer │ operating with │
326 │ │ │ │ kernel image │
327 │ │ │ │ files, as per │
328 │ │ │ │ Automatic Boot │
329 │ │ │ │ Assessment[3] │
330 ├─────────┼──────────────────┼──────────────────┼───────────────────┤
331 │"@h" │ SHA256 hash of │ 64 hexadecimal │ The SHA256 hash │
332 │ │ compressed file │ characters │ of the compressed │
333 │ │ │ │ file; not useful │
334 │ │ │ │ for url-file or │
335 │ │ │ │ url-tar where the │
336 │ │ │ │ SHA256 hash is │
337 │ │ │ │ already included │
338 │ │ │ │ in the manifest │
339 │ │ │ │ file anyway │
340 └─────────┴──────────────────┴──────────────────┴───────────────────┘
341
342 Of these wildcards only "@v" must be present in a valid pattern, all
343 other wildcards are optional. Each wildcard may be used at most once in
344 each pattern. A typical wildcard matching a file system source image
345 could be "MatchPattern=foobar_@v.raw.xz", i.e. any file whose name
346 begins with "foobar_", followed by a version ID and suffixed by
347 ".raw.xz".
348
349 Do not confuse the "@" pattern matching wildcard prefix with the "%"
350 specifier expansion prefix. The former encapsulate a variable part of a
351 match pattern string, the latter are simple shortcuts that are expanded
352 while the drop-in files are parsed. For details about specifiers, see
353 below.
354
356 This section defines general properties of this transfer:
357
358 MinVersion=
359 Specifies the minimum version to require for this transfer to take
360 place. If the source or target patterns in this transfer definition
361 match files older than this version they will be considered
362 obsolete, and never be considered for the update operation.
363
364 ProtectVersion=
365 Takes one or more version strings to mark as "protected". Protected
366 versions are never removed while making room for new, updated
367 versions. This is useful to ensure that the currently booted OS
368 version (or auxiliary resources associated with it) is not
369 replaced/overwritten during updates, in order to avoid runtime file
370 system corruptions.
371
372 Like many of the settings in these configuration files this setting
373 supports specifier expansion. It's particularly useful to set this
374 setting to one of the "%A", "%B" or "%w" specifiers to
375 automatically refer to the current OS version of the running
376 system. See below for details on supported specifiers.
377
378 Verify=
379 Takes a boolean, defaults to yes. Controls whether to
380 cryptographically verify downloaded resources (specifically:
381 validate the GPG signatures for downloaded SHA256SUMS manifest
382 files, via their detached signature files SHA256SUMS.gpg in
383 combination with the system keyring
384 /usr/lib/systemd/import-pubring.gpg or
385 /etc/systemd/import-pubring.gpg).
386
387 This option is essential to provide integrity guarantees for
388 downloaded resources and thus should be left enabled, outside of
389 test environments.
390
391 Note that the downloaded payload files are unconditionally checked
392 against the SHA256 hashes listed in the manifest. This option only
393 controls whether the signatures of these manifests are verified.
394
395 This option only has an effect if the source resource type is
396 selected as url-file or url-tar, as integrity and authentication
397 checking is only available for transfers from remote sources.
398
400 This section defines properties of the transfer source:
401
402 Type=
403 Specifies the resource type of the source for the transfer. Takes
404 one of url-file, url-tar, tar, regular-file, directory or
405 subvolume. For details about the resource types, see above. This
406 option is mandatory.
407
408 Note that only some combinations of source and target resource
409 types are supported, see above.
410
411 Path=
412 Specifies where to find source versions of this resource.
413
414 If the source type is selected as url-file or url-tar this must be
415 a HTTP/HTTPS URL. The URL is suffixed with /SHA256SUMS to acquire
416 the manifest file, with /SHA256SUMS.gpg to acquire the detached
417 signature file for it, and with the file names listed in the
418 manifest file in case an update is executed and a resource shall be
419 downloaded.
420
421 For all other source resource types this must be a local path in
422 the file system, referring to a local directory to find the
423 versions of this resource in.
424
425 MatchPattern=
426 Specifies one or more file name match patterns that select the
427 subset of files that are update candidates as source for this
428 transfer. See above for details on match patterns.
429
430 This option is mandatory. Any pattern listed must contain at least
431 the "@v" wildcard, so that a version identifier may be extracted
432 from the filename. All other wildcards are optional.
433
435 This section defines properties of the transfer target:
436
437 Type=
438 Specifies the resource type of the target for the transfer. Takes
439 one of partition, regular-file, directory or subvolume. For details
440 about the resource types, see above. This option is mandatory.
441
442 Note that only some combinations of source and target resource
443 types are supported, see above.
444
445 Path=
446 Specifies a file system path where to look for already installed
447 versions or place newly downloaded versions of this configured
448 resource. If Type= is set to partition, expects a path to a (whole)
449 block device node, or the special string "auto" in which case the
450 block device which contains the root file system of the currently
451 booted system is automatically determined and used. If Type= is set
452 to regular-file, directory or subvolume, must refer to a path in
453 the local file system referencing the directory to find or place
454 the version files or directories under.
455
456 Note that this mechanism cannot be used to create or remove
457 partitions, in case Type= is set to partition. Partitions must
458 exist already, and a special partition label "_empty" is used to
459 indicate empty partitions. To automatically generate suitable
460 partitions on first boot, use a tool such as systemd-repart(8).
461
462 MatchPattern=
463 Specifies one or more file name or partition label match patterns
464 that select the subset of files or partitions that are update
465 candidates as targets for this transfer. See above for details on
466 match patterns.
467
468 This option is mandatory. Any pattern listed must contain at least
469 the "@v" wildcard, so that a version identifier may be extracted
470 from the filename. All other wildcards are optional.
471
472 This pattern is both used for matching existing installed versions
473 and for determining the name of new versions to install. If
474 multiple patterns are specified, the first specified is used for
475 naming newly installed versions.
476
477 MatchPartitionType=
478 When the target Type= is chosen as partition, specifies the GPT
479 partition type to look for. Only partitions of this type are
480 considered, all other partitions are ignored. If not specified, the
481 GPT partition type linux-generic is used. Accepts either a literal
482 type UUID or a symbolic type identifier. For a list of supported
483 type identifiers, see the Type= setting in repart.d(5).
484
485 PartitionUUID=, PartitionFlags=, PartitionNoAuto=,
486 PartitionGrowFileSystem=
487 When the target Type= is picked as partition, selects the GPT
488 partition UUID and partition flags to use for the updated
489 partition. Expects a valid UUID string, a hexadecimal integer, or
490 booleans, respectively. If not set, but the source match pattern
491 includes wildcards for these fields (i.e. "@u", "@f", "@a", or
492 "@g"), the values from the patterns are used. If neither configured
493 with wildcards or these explicit settings, the values are left
494 untouched. If both the overall PartitionFlags= flags setting and
495 the individual flag settings PartitionNoAuto= and
496 PartitionGrowFileSystem= are used (or the wildcards for them), then
497 the latter override the former, i.e. the individual flag bit
498 overrides the overall flags value. See Discoverable Partitions
499 Specification[1] for details about these flags.
500
501 Note that these settings are not used for matching, they only have
502 effect on newly written partitions in case a transfer takes place.
503
504 ReadOnly=
505 Controls whether to mark the resulting file, subvolume or partition
506 read-only. If the target type is partition this controls the
507 ReadOnly partition flag, as per Discoverable Partitions
508 Specification[1], similar to the PartitionNoAuto= and
509 PartitionGrowFileSystem= flags described above. If the target type
510 is regular-file, the writable bit is removed from the access mode.
511 If the the target type is subvolume, the subvolume will be marked
512 read-only as a whole. Finally, if the target Type= is selected as
513 directory, the "immutable" file attribute is set, see chattr(1) for
514 details.
515
516 Mode=
517 The UNIX file access mode to use for newly created files in case
518 the target resource type is picked as regular-file. Expects an
519 octal integer, in typical UNIX fashion. If not set, but the source
520 match pattern includes a wildcard for this field (i.e. "@t"), the
521 value from the pattern is used.
522
523 Note that this setting is not used for matching, it only has an
524 effect on newly written files when a transfer takes place.
525
526 TriesDone=, TriesLeft=
527 These options take positive, decimal integers, and control the
528 number of attempts done and left for this file. These settings are
529 useful for managing kernel images, following the scheme defined in
530 Automatic Boot Assessment[3], and only have an effect if the target
531 pattern includes the "@d" or "@l" wildcards.
532
533 InstancesMax=
534 Takes a decimal integer equal to or greater than 2. This configures
535 how many concurrent versions of the resource to keep. Whenever a
536 new update is initiated it is made sure that no more than the
537 number of versions specified here minus one exist in the target.
538 Any excess versions are deleted (in case the target Type= of
539 regular-file, directory, subvolume is used) or emptied (in case the
540 target Type= of partition is used; emptying in this case simply
541 means to set the partition label to the special string "_empty";
542 note that no partitions are actually removed). After an update is
543 completed the number of concurrent versions of the target resources
544 is equal to or below the number specified here.
545
546 Note that this setting may be set differently for each transfer.
547 However, it generally is advisable to keep this setting the same
548 for all transfers, since otherwise incomplete combinations of files
549 or partitions will be left installed.
550
551 If the target Type= is selected as partition, the number of
552 concurrent versions to keep is additionally restricted by the
553 number of partition slots of the right type in the partition table.
554 i.e. if there are only 2 partition slots for the selected partition
555 type, setting this value larger than 2 is without effect, since no
556 more than 2 concurrent versions could be stored in the image
557 anyway.
558
559 RemoveTemporary=
560 Takes a boolean argument. If this option is enabled (which is the
561 default) before initiating an update, all left-over, incomplete
562 updates from a previous attempt are removed from the target
563 directory. This only has an effect if the target resource Type= is
564 selected as regular-file, directory or subvolume.
565
566 CurrentSymlink=
567 Takes a symlink name as argument. If this option is used, as the
568 last step of the update a symlink under the specified name is
569 created/updated pointing to the completed update. This is useful in
570 to provide a stable name always pointing to the newest version of
571 the resource. This is only supported if the target resource Type=
572 is selected as regular-file, directory or subvolume.
573
575 Specifiers may be used in the MinVersion=, ProtectVersion=, Path=,
576 MatchPattern= and CurrentSymlink= settings. The following expansions
577 are understood:
578
579 Table 3. Specifiers available
580 ┌──────────┬─────────────────────┬────────────────────────┐
581 │Specifier │ Meaning │ Details │
582 ├──────────┼─────────────────────┼────────────────────────┤
583 │"%a" │ Architecture │ A short string │
584 │ │ │ identifying the │
585 │ │ │ architecture of the │
586 │ │ │ local system. A │
587 │ │ │ string such as x86, │
588 │ │ │ x86-64 or arm64. │
589 │ │ │ See the │
590 │ │ │ architectures │
591 │ │ │ defined for │
592 │ │ │ ConditionArchitecture= │
593 │ │ │ in systemd.unit(5) │
594 │ │ │ for a full list. │
595 ├──────────┼─────────────────────┼────────────────────────┤
596 │"%A" │ Operating system │ The operating system │
597 │ │ image version │ image version │
598 │ │ │ identifier of the │
599 │ │ │ running system, as │
600 │ │ │ read from the │
601 │ │ │ IMAGE_VERSION= field │
602 │ │ │ of /etc/os-release. If │
603 │ │ │ not set, resolves to │
604 │ │ │ an empty string. See │
605 │ │ │ os-release(5) for more │
606 │ │ │ information. │
607 ├──────────┼─────────────────────┼────────────────────────┤
608 │"%b" │ Boot ID │ The boot ID of the │
609 │ │ │ running system, │
610 │ │ │ formatted as string. │
611 │ │ │ See random(4) for more │
612 │ │ │ information. │
613 ├──────────┼─────────────────────┼────────────────────────┤
614 │"%B" │ Operating system │ The operating system │
615 │ │ build ID │ build identifier of │
616 │ │ │ the running system, as │
617 │ │ │ read from the │
618 │ │ │ BUILD_ID= field of │
619 │ │ │ /etc/os-release. If │
620 │ │ │ not set, resolves to │
621 │ │ │ an empty string. See │
622 │ │ │ os-release(5) for more │
623 │ │ │ information. │
624 ├──────────┼─────────────────────┼────────────────────────┤
625 │"%H" │ Host name │ The hostname of the │
626 │ │ │ running system. │
627 ├──────────┼─────────────────────┼────────────────────────┤
628 │"%l" │ Short host name │ The hostname of the │
629 │ │ │ running system, │
630 │ │ │ truncated at the first │
631 │ │ │ dot to remove any │
632 │ │ │ domain component. │
633 ├──────────┼─────────────────────┼────────────────────────┤
634 │"%m" │ Machine ID │ The machine ID of the │
635 │ │ │ running system, │
636 │ │ │ formatted as string. │
637 │ │ │ See machine-id(5) for │
638 │ │ │ more information. │
639 ├──────────┼─────────────────────┼────────────────────────┤
640 │"%M" │ Operating system │ The operating system │
641 │ │ image identifier │ image identifier of │
642 │ │ │ the running system, as │
643 │ │ │ read from the │
644 │ │ │ IMAGE_ID= field of │
645 │ │ │ /etc/os-release. If │
646 │ │ │ not set, resolves to │
647 │ │ │ an empty string. See │
648 │ │ │ os-release(5) for more │
649 │ │ │ information. │
650 ├──────────┼─────────────────────┼────────────────────────┤
651 │"%o" │ Operating system ID │ The operating system │
652 │ │ │ identifier of the │
653 │ │ │ running system, as │
654 │ │ │ read from the ID= │
655 │ │ │ field of │
656 │ │ │ /etc/os-release. See │
657 │ │ │ os-release(5) for more │
658 │ │ │ information. │
659 ├──────────┼─────────────────────┼────────────────────────┤
660 │"%v" │ Kernel release │ Identical to uname -r │
661 │ │ │ output. │
662 ├──────────┼─────────────────────┼────────────────────────┤
663 │"%w" │ Operating system │ The operating system │
664 │ │ version ID │ version identifier of │
665 │ │ │ the running system, as │
666 │ │ │ read from the │
667 │ │ │ VERSION_ID= field of │
668 │ │ │ /etc/os-release. If │
669 │ │ │ not set, resolves to │
670 │ │ │ an empty string. See │
671 │ │ │ os-release(5) for more │
672 │ │ │ information. │
673 ├──────────┼─────────────────────┼────────────────────────┤
674 │"%W" │ Operating system │ The operating system │
675 │ │ variant ID │ variant identifier of │
676 │ │ │ the running system, as │
677 │ │ │ read from the │
678 │ │ │ VARIANT_ID= field of │
679 │ │ │ /etc/os-release. If │
680 │ │ │ not set, resolves to │
681 │ │ │ an empty string. See │
682 │ │ │ os-release(5) for more │
683 │ │ │ information. │
684 ├──────────┼─────────────────────┼────────────────────────┤
685 │"%T" │ Directory for │ This is either /tmp or │
686 │ │ temporary files │ the path "$TMPDIR", │
687 │ │ │ "$TEMP" or "$TMP" are │
688 │ │ │ set to. (Note that the │
689 │ │ │ directory may be │
690 │ │ │ specified without a │
691 │ │ │ trailing slash.) │
692 ├──────────┼─────────────────────┼────────────────────────┤
693 │"%V" │ Directory for │ This is either │
694 │ │ larger and │ /var/tmp or the path │
695 │ │ persistent │ "$TMPDIR", "$TEMP" or │
696 │ │ temporary files │ "$TMP" are set to. │
697 │ │ │ (Note that the │
698 │ │ │ directory may be │
699 │ │ │ specified without a │
700 │ │ │ trailing slash.) │
701 ├──────────┼─────────────────────┼────────────────────────┤
702 │"%%" │ Single percent sign │ Use "%%" in place of │
703 │ │ │ "%" to specify a │
704 │ │ │ single percent sign. │
705 └──────────┴─────────────────────┴────────────────────────┘
706
707 Do not confuse the "%" specifier expansion prefix with the "@" pattern
708 matching wildcard prefix. The former are simple shortcuts that are
709 expanded while the drop-in files are parsed, the latter encapsulate a
710 variable part of a match pattern string. For details about pattern
711 matching wildcards, see above.
712
714 Example 1. Updates for a Verity Enabled Secure OS
715
716 With the following three files we define a root file system partition,
717 a matching Verity partition, and a unified kernel image to update as
718 one. This example is an extension of the example discussed earlier in
719 this man page.
720
721 # /usr/lib/sysupdate.d/50-verity.conf
722 [Transfer]
723 ProtectVersion=%A
724
725 [Source]
726 Type=url-file
727 Path=https://download.example.com/
728 MatchPattern=foobarOS_@v_@u.verity.xz
729
730 [Target]
731 Type=partition
732 Path=auto
733 MatchPattern=foobarOS_@v_verity
734 MatchPartitionType=root-verity
735 PartitionFlags=0
736 PartitionReadOnly=1
737
738 The above defines the update mechanism for the Verity partition of the
739 root file system. Verity partition images are downloaded from
740 "https://download.example.com/foobarOS_@v_@u.verity.xz" and written to
741 a suitable local partition, which is marked read-only. Under the
742 assumption this update is run from the image itself the current image
743 version (i.e. the "%A" specifier) is marked as protected, to ensure it
744 is not corrupted while booted. Note that the partition UUID for the
745 target partition is encoded in the source file name. Fixating the
746 partition UUID can be useful to ensure that "roothash=" on the kernel
747 command line is sufficient to pinpoint both the Verity and root file
748 system partition, and also encode the Verity root level hash (under the
749 assumption the UUID in the file names match their top-level hash, the
750 way systemd-gpt-auto-generator(8) suggests).
751
752 # /usr/lib/sysupdate.d/60-root.conf
753 [Transfer]
754 ProtectVersion=%A
755
756 [Source]
757 Type=url-file
758 Path=https://download.example.com/
759 MatchPattern=foobarOS_@v_@u.root.xz
760
761 [Target]
762 Type=partition
763 Path=auto
764 MatchPattern=foobarOS_@v
765 MatchPartitionType=root
766 PartitionFlags=0
767 PartitionReadOnly=1
768
769 The above defines a matching transfer definition for the root file
770 system.
771
772 # /usr/lib/sysupdate.d/70-kernel.conf
773 [Transfer]
774 ProtectVersion=%A
775
776 [Source]
777 Type=url-file
778 Path=https://download.example.com/
779 MatchPattern=foobarOS_@v.efi.xz
780
781 [Target]
782 Type=regular-file
783 Path=/efi/EFI/Linux
784 MatchPattern=foobarOS_@v+@l-@d.efi \
785 foobarOS_@v+@l.efi \
786 foobarOS_@v.efi
787 Mode=0444
788 TriesLeft=3
789 TriesDone=0
790 InstancesMax=2
791
792 The above installs a unified kernel image into the ESP (which is
793 mounted to /efi/), as per Boot Loader Specification[2] Type #2. This
794 defines three possible patterns for the names of the kernel images, as
795 per Automatic Boot Assessment[3], and ensures when installing new
796 kernels, they are set up with 3 tries left. No more than two parallel
797 kernels are kept.
798
799 With this setup the web server would serve the following files, for a
800 hypothetical version 7 of the OS:
801
802 • SHA256SUMS – The manifest file, containing available files and
803 their SHA256 hashes
804
805 • SHA256SUMS.gpg – The detached cryptographic signature for the
806 manifest file
807
808 • foobarOS_7_8b8186b1-2b4e-4eb6-ad39-8d4d18d2a8fb.verity.xz – The
809 Verity image for version 7
810
811 • foobarOS_7_f4d1234f-3ebf-47c4-b31d-4052982f9a2f.root.xz – The root
812 file system image for version 7
813
814 • foobarOS_7_efi.xz – The unified kernel image for version 7
815
816 For each new OS release a new set of the latter three files would be
817 added, each time with an updated version. The SHA256SUMS manifest
818 should then be updated accordingly, listing all files for all versions
819 that shall be offered for download.
820
821 Example 2. Updates for Plain Directory Container Image
822
823 [Source]
824 Type=url-tar
825 Path=https://download.example.com/
826 MatchPattern=myContainer_@v.tar.gz
827
828 [Target]
829 Type=subvolume
830 Path=/var/lib/machines
831 MatchPattern=myContainer_@v
832 CurrentSymlink=myContainer
833
834 On updates this downloads
835 "https://download.example.com/myContainer_@v.tar.gz" and
836 decompresses/unpacks it to /var/lib/machines/myContainer_@v. After each
837 update a symlink /var/lib/machines/myContainer is created/updated
838 always pointing to the most recent update.
839
841 systemd(1), systemd-sysupdate(8), systemd-repart(8)
842
844 1. Discoverable Partitions Specification
845 https://systemd.io/DISCOVERABLE_PARTITIONS
846
847 2. Boot Loader Specification
848 https://systemd.io/BOOT_LOADER_SPECIFICATION
849
850 3. Automatic Boot Assessment
851 https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT
852
853
854
855systemd 251 SYSUPDATE.D(5)