blob: ae53b8552d1a3753d942183a79d65892c3d91f79 [file] [log] [blame] [raw]
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.
Copyright 2013 Lennart Poettering
Copyright 2016 Zbigniew Jędrzejewski-Szmek
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="systemd.offline-updates">
<refentryinfo>
<title>systemd.offline-updates</title>
<productname>systemd</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>systemd.offline-updates</refentrytitle>
<manvolnum>7</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd.offline-updates</refname>
<refpurpose>Implementation of offline updates in systemd</refpurpose>
</refnamediv>
<refsect1>
<title>Implementing Offline System Updates</title>
<para>This man page describes how to implement "offline" system updates with systemd. By "offline"
OS updates we mean package installations and updates that are run with the system booted into a
special system update mode, in order to avoid problems related to conflicts of libraries and
services that are currently running with those on disk. This document is inspired by this
<ulink url="https://wiki.gnome.org/Design/OS/SoftwareUpdates">GNOME design whiteboard</ulink>.
</para>
<para>The logic:</para>
<orderedlist>
<listitem>
<para>The package manager prepares system updates by downloading all (RPM or DEB or
whatever) packages to update off-line in a special directory
<filename noindex="true">/var/lib/system-update</filename> (or
another directory of the package/upgrade manager's choice).</para>
</listitem>
<listitem>
<para>When the user OK'ed the update, the symlink <filename>/system-update</filename> is
created that points to <filename noindex="true">/var/lib/system-update</filename> (or
wherever the directory with the upgrade files is located) and the system is rebooted. This
symlink is in the root directory, since we need to check for it very early at boot, at a
time where <filename>/var</filename> is not available yet.</para>
</listitem>
<listitem>
<para>Very early in the new boot
<citerefentry><refentrytitle>systemd-update-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
checks whether <filename>/system-update</filename> exists. If so, it (temporarily and for
this boot only) redirects (i.e. symlinks) <filename>default.target</filename> to
<filename>system-update.target</filename>, a special target that is pulls in the base system
(i.e. <filename>sysinit.target</filename>, so that all file systems are mounted but little
else) and the system update units.</para>
</listitem>
<listitem>
<para>The system now continues to boot into <filename>default.target</filename>, and thus
into <filename>system-update.target</filename>. This target pulls in the system update unit,
which starts the system update script after all file systems have been mounted.</para>
</listitem>
<listitem>
<para>As the first step, the update script should check if the
<filename>/system-update</filename> symlink points to the location used by that update
script. In case it does not exists or points to a different location, the script must exit
without error. It is possible for multiple update services to be installed, and for multiple
update scripts to be launched in parallel, and only the one that corresponds to the tool
that <emphasis>created</emphasis> the symlink before reboot should perform any actions. It
is unsafe to run multiple updates in parallel.</para>
</listitem>
<listitem>
<para>The update script should now do its job. If applicable and possible, it should
create a file system snapshot, then install all packages.
After completion (regardless whether the update succeeded or failed) the machine
must be rebooted, for example by calling <command>systemctl reboot</command>.
In addition, on failure the script should revert to the old file system snapshot
(without the symlink).</para>
</listitem>
<listitem>
<para>The system is rebooted. Since the <filename>/system-update</filename> symlink is gone,
the generator won't redirect <filename>default.target</filename> after reboot and the
system now boots into the default target again.</para>
</listitem>
</orderedlist>
</refsect1>
<refsect1>
<title>Recommendations</title>
<orderedlist>
<listitem>
<para>To make things a bit more robust we recommend hooking the update script into
<filename>system-update.target</filename> via a <filename noindex='true'>.wants/</filename>
symlink in the distribution package, rather than depending on <command>systemctl
enable</command> in the postinst scriptlets of your package. More specifically, for your
update script create a .service file, without [Install] section, and then add a symlink like
<filename noindex='true'>/usr/lib/systemd/system-update.target.wants/foobar.service</filename>
<filename noindex='true'>../foobar.service</filename> to your package.</para>
</listitem>
<listitem>
<para>Make sure to remove the <filename>/system-update</filename> symlink as early as
possible in the update script to avoid reboot loops in case the update fails.</para>
</listitem>
<listitem>
<para>Use <varname>FailureAction=reboot</varname> in the service file for your update script
to ensure that a reboot is automatically triggered if the update fails.
<varname>FailureAction=</varname> makes sure that the specified unit is activated if your
script exits uncleanly (by non-zero error code, or signal/coredump). If your script succeeds
you should trigger the reboot in your own code, for example by invoking logind's
<command>Reboot()</command> call or calling <command>systemct reboot</command>. See
<ulink url="http://www.freedesktop.org/wiki/Software/systemd/logind">logind dbus API</ulink>
for details.</para>
</listitem>
<listitem>
<para>The update service should declare <varname>DefaultDependencies=false</varname>,
and pull in any services it requires explicitly.</para>
</listitem>
</orderedlist>
</refsect1>
<refsect1>
<title>See also</title>
<para>
<ulink url="http://www.freedesktop.org/wiki/Software/systemd/SystemUpdates/">Implementing Offline System Updates</ulink>,
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-update-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>dnf.plugin.system-upgrade</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>