Commit 39193456 authored by Emanuele Aina

system-updates-and-rollback: Fixes and clarifications

Improve the document thanks to the feedback provided by Daniela and Sudarshan.
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
parent 09dae26f
......@@ -39,6 +39,20 @@ know-good state if needed.
The update process should be robust against power losses and low voltage
situations, loss of connectivity, storage exhaustion, etc.
### Typical system update
The user can update his system to run the latest published version of
the software. This can be triggered either via periodic polling, upon
user request, or any other suitable mean.
### Critical security update
In the case of a critical security issue, the OEM could push an "update
available" message to some component in the device that would in turn trigger
the update. This requires an infrastructure to reference all devices on the OEM
side. The benefit compared to periodic polling is that the delay between the
update publication and the update trigger is shortened.
### Applications and base OS with different release cadence
Base OS releases involve many moving parts while application releases are
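Review bot: the new "Critical security update" section should state what the device trusts in the pushed message. As written, "push an "update available" message to some component in the device that would in turn trigger the update" leaves open whether the push carries update content or merely starts the device's normal fetch-and-verify flow against the signed repository; saying explicitly that it is only a trigger, with the same verification as a polled update, makes clear that a forged or replayed push can at most cause an extra check. Wording: "any other suitable mean" should read "any other suitable means", and the hunk header's context "know-good state" is presumably "known-good state".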
......@@ -74,6 +88,12 @@ An hardware failure has damaged the flash storage or another core hardware
component and the system is no longer able to boot. Compensating for hardware
failures is not part of the system update mechanism.
## Unrecoverable filesystem corruption
The filesystem became corrupted due to a software bug or other failure and is
not able to automatically correct the error. How to recover from that situation
is not part of the system update and rollback mechanism.
### Development
Developers need to modify and customize their environment in a way that often
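Review bot: the new heading "## Unrecoverable filesystem corruption" uses two hashes while the sibling section in the same hunk ("### Development") uses three, so it will render as a top-level section rather than as one of the failure cases; change it to "### Unrecoverable filesystem corruption". The context line "An hardware failure has damaged the flash storage" should read "A hardware failure".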
......@@ -123,7 +143,9 @@ Applications must be kept separated to be able to roll back the base OS while
preserving them or to roll them back while keeping the base OS unchanged.
The policy deciding what to roll back and when is product-specific and must
be customizable.
be customizable. For instance, some products may chose to only roll back the
base OS and keep applications untouched, some other products may choose to roll
applications back as well.
### Reset to clean state
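Review bot: typo in the added sentence, "some products may chose to only roll back" should be "may choose"; the second clause reads more naturally as "while others may choose to roll applications back as well".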
......@@ -147,7 +169,7 @@ management is not required for final users of Apertis. For example:
- No support for update roll back. If there is some package breakage, or broken
upgrade, the only way to solve the issue is manually tracking the broken
package and downgrading to a previous version, solving dependencies along the
way. This can be an error prone manual process and might not be acocmplished
way. This can be an error prone manual process and might not be accomplished
cleanly.
### ChromeOS
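Review bot: while fixing "acocmplished", the same bullet uses "update roll back" as a noun ("No support for update roll back"), which should be "update rollback" (the verb form "roll back" is used correctly elsewhere in the document), and "error prone" should be hyphenated as "error-prone".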
......@@ -199,7 +221,7 @@ applications and user data are stored, is also recommended.
![](media/storage_layout.svg)
More complex schemas can be used can be used for instance by combining OSTree
More complex schemas can be used for instance by combining OSTree
with read-only fallback partitions to handle filesystem corruption on the main
system partition, but this document focuses on a OSTree-only setup that
provides a good balance between complexity and robustness.
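Review bot: the context line "this document focuses on a OSTree-only setup" should read "an OSTree-only setup". The image reference "![](media/storage_layout.svg)" has an empty alt text; a short description of the partition layout it shows would help text-only renderings of this document.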
......@@ -222,6 +244,9 @@ provides a good balance between complexity and robustness.
- It is designed to implement fully atomic and resilient upgrades. If the
system crashes or power is lost at any point during the update process,
you will have either the old system, or the new one.
- It clearly separate the OS from the device configuration and user data, so
resetting the system to a clean state simply involves deleting some
directories and their contents.
- OSTree is implemented as a shared library, making it very easy to build higher
level projects or tools on top of it.
- OSTree has no impact on startup performance, nor does increase resource usage
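Review bot: the added bullet says "resetting the system to a clean state simply involves deleting some directories and their contents", but plain deletion does not make the removed device configuration and user data unrecoverable from the underlying flash; since the document has a "Reset to clean state" requirement, it should say whether that requirement needs the data to be actually unrecoverable or whether deletion is sufficient. Grammar: "It clearly separate the OS" should be "It clearly separates the OS", and the context line "nor does increase resource usage" should be "nor does it increase resource usage".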
......@@ -234,10 +259,10 @@ provides a good balance between complexity and robustness.
over HTTPS via GPG signatures and using SHA256 hash checksums.
- The mechanism to apply partial updates or full updates is exactly the same,
the only difference is how the updates are generated on the server side.
- OSTree can be used for both the base OS and applications and can deduplicate
identical contents between the two, keeping them independent with minimal
impact on the needed storage. The Flatpak application framework is already
based on OSTree.
- OSTree can be used for both the base OS and applications, and its built-in
hardlink-based deduplication mechanism allow to share identical contents
between the two, to keep them independent while having minimal impact on the
needed storage. The Flatpak application framework is already based on OSTree.
### The OSTree model
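Review bot: the replacement bullet introduces a caveat worth stating: because the deduplication is "hardlink-based", a file shared between the base OS and an application is a single object on disk, so modifying it in place would change it for both; the text should note that shared content must be treated as immutable and only replaced through the update mechanism. Grammar: "deduplication mechanism allow to share identical contents" should be "deduplication mechanism allows sharing identical contents".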
......@@ -529,7 +554,7 @@ the main storage.
If for any reason the update process fails to complete, the update will
be blacklisted to avoid re-attempting it. Another update won't be
automatically attempted until a newer update is available.
automatically attempted until a newer update is made available.
It is possible that an update is successfully installed yet fail to
boot, resulting in a rollback. In the event of a rollback the update
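Review bot: the blacklisting described in "the update will be blacklisted to avoid re-attempting it" needs to survive the rollback described two sentences later, otherwise a failed update that is rolled back could be retried indefinitely; the document should say where the blacklist is stored (the device configuration area that the OS/data separation keeps across deployments would be the natural place) so that it is not discarded with the rolled-back deployment. Grammar: "an update is successfully installed yet fail to boot" should read "yet fails to boot".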