Re: Update OpenBSD Remotely
On Tue, May 19, 2015 at 06:47:59AM BST, Doug Hogan wrote:
> On Sun, May 17, 2015 at 11:52:19PM +0100, Raf Czlonka wrote:
> > There are several things which this script does not check for - some of those are on my TODO list:
>
> I didn't review your script, but I did ctrl+s...
>
> TODO item #0 should be to use signify with SHA256.sig rather than checking SHA256 directly. There's an example in the man page. :)
>
> SHA-256 checks if the files were downloaded properly, but it does not check if the files are from us. signify with SHA256.sig provides both integrity and authentication.

Hi Doug,

Well, I relied on the fact that the installer does that anyway... but you are right, given the fact that we now have signify, it is the right approach - it is also cleaner than what I had before.

Thanks for the tip!

Raf
Re: Update OpenBSD Remotely
On Sun, May 17, 2015, at 08:08 AM, Peter Leber wrote:
> I want to build a test system based on OpenBSD 5.7 which updates in an automated fashion. The goal is to have a remotely located machine which runs OpenBSD 5.7 and is constantly updated. While restarting the machine remotely via SSH is perfectly fine to me, I do not want to access the machine locally in order to interrupt the automatic reboot in order to trigger the manual upgrading process. I'm fine with following -stable and -current alike.
>
> I recognize that there's m:tier's binary patching service (https://stable.mtier.org), but the packages are signed by m:tier rather than the OpenBSD project. While following m:tier's binary patches is a good compromise to me, it's not a perfect solution.
>
> I'm perfectly fine with running the -current flavour of OpenBSD feature- and stability-wise, but I did not have the success of remotely triggering a script, rebooting the machine and have an up and running updated machine.
>
> While I did find the autoinstall(8) feature, which, since 5.7, should be able to trigger an automatic upgrade if the file /auto_upgrade.conf is present, I did not see an effect in the bootup messages on the virtual machine I'm using for testing things out.
>
> Furthermore, I did find a tool named snap, aiming at making running -current more enjoyable (see https://github.com/qbit/snap), but it does also seem to be relying on the user to manually start the upgrading process on system reboot, if I got everything correctly.

Author of snap here. It depends, you can have it run things automatically for you.. or it can just install the sets. By default it will only install the sets.

It's specifically designed to run with no external dependencies (nothing needs to be installed from ports) and can be run from cron. If you do use it via cron don't forget to run sysmerge!

Let me know if you have any questions :D

> Is there someone aware of a procedure which could help me solving my problem?
>
> I thank you very much in advance.
>
> Peter
Re: Update OpenBSD Remotely
On Sun, May 17, 2015 at 11:52:19PM +0100, Raf Czlonka wrote:
> There are several things which this script does not check for - some of those are on my TODO list:

I didn't review your script, but I did ctrl+s...

TODO item #0 should be to use signify with SHA256.sig rather than checking SHA256 directly. There's an example in the man page. :)

SHA-256 checks if the files were downloaded properly, but it does not check if the files are from us. signify with SHA256.sig provides both integrity and authentication.
Re: Update OpenBSD Remotely
On 17-05-2015 11:08, Peter Leber wrote:
> I recognize that there's m:tier's binary patching service (https://stable.mtier.org), but the packages are signed by m:tier rather than the OpenBSD project. While following m:tier's binary patches is a good compromise to me, it's not a perfect solution.
>
> I'm perfectly fine with running the -current flavour of OpenBSD feature- and stability-wise, but I did not have the success of remotely triggering a script, rebooting the machine and have an up and running updated machine.
>
> While I did find the autoinstall(8) feature, which, since 5.7, should be able to trigger an automatic upgrade if the file /auto_upgrade.conf is present, I did not see an effect in the bootup messages on the virtual machine I'm using for testing things out.
>
> Furthermore, I did find a tool named snap, aiming at making running -current more enjoyable (see https://github.com/qbit/snap), but it does also seem to be relying on the user to manually start the upgrading process on system reboot, if I got everything correctly.

Do you really need to follow -current? Because I've been using m:tier and their openup tool for years to follow -stable with no problems. I don't like the idea of automatic update + reboot. But it's doable with openup. I personally have it set up to run with -c from cron so it will mail me what changed.

Following -current on a production or critical environment will prove to be a challenge. Unless you carefully test each snapshot and then have some tool like puppet to automate the upgrade with snap or other tool. Even with autoinstall(8).

Cheers,
Giancarlo Razzolini
Re: Update OpenBSD Remotely
On 2015-05-17 10:08, Peter Leber wrote:
> I do not want to access the machine locally in order to interrupt the automatic reboot in order to trigger the manual upgrading process.

I'm not sure what you're talking about here...

> Is there someone aware of a procedure which could help me solving my problem?

I have a dedicated system in a remote datacenter without console access. I simply follow the FAQ to build from source and install that way. I suppose the whole thing could be automated if you were that adventurous. I prefer to keep an eye on what it's doing.

Tim.
Re: Update OpenBSD Remotely
I think you can set up KVM for remote control ...

On Sun, May 17, 2015 at 7:38 PM, Peter Leber leberpe...@web.de wrote:
> I want to build a test system based on OpenBSD 5.7 which updates in an automated fashion. The goal is to have a remotely located machine which runs OpenBSD 5.7 and is constantly updated. While restarting the machine remotely via SSH is perfectly fine to me, I do not want to access the machine locally in order to interrupt the automatic reboot in order to trigger the manual upgrading process. I'm fine with following -stable and -current alike.
>
> I recognize that there's m:tier's binary patching service (https://stable.mtier.org), but the packages are signed by m:tier rather than the OpenBSD project. While following m:tier's binary patches is a good compromise to me, it's not a perfect solution.
>
> I'm perfectly fine with running the -current flavour of OpenBSD feature- and stability-wise, but I did not have the success of remotely triggering a script, rebooting the machine and have an up and running updated machine.
>
> While I did find the autoinstall(8) feature, which, since 5.7, should be able to trigger an automatic upgrade if the file /auto_upgrade.conf is present, I did not see an effect in the bootup messages on the virtual machine I'm using for testing things out.
>
> Furthermore, I did find a tool named snap, aiming at making running -current more enjoyable (see https://github.com/qbit/snap), but it does also seem to be relying on the user to manually start the upgrading process on system reboot, if I got everything correctly.
>
> Is there someone aware of a procedure which could help me solving my problem?
>
> I thank you very much in advance.
>
> Peter
Re: Update OpenBSD Remotely
On Sun, May 17, 2015 at 10:43:09AM -0400, trondd wrote:
> On 2015-05-17 10:08, Peter Leber wrote:
> > I do not want to access the machine locally in order to interrupt the automatic reboot in order to trigger the manual upgrading process.
>
> I'm not sure what you're talking about here...
>
> > Is there someone aware of a procedure which could help me solving my problem?
>
> I have a dedicated system in a remote datacenter without console access. I simply follow the FAQ to build from source and install that way. I suppose the whole thing could be automated if you were that adventurous. I prefer to keep an eye on what it's doing.

As Peter asked about both the -stable and -current flavors of the OS, this should be clarified:

FAQ 5.2 states:

    If you are compiling -current from source, it is HIGHLY recommended that you only do so from a machine which you have full console access to. There will be times in the development process where the mismatch between your new kernel and your old userland may render the system inaccessible via network.

This is not an issue when properly building -stable.
Re: Update OpenBSD Remotely
On Sun, May 17, 2015 at 03:08:43PM BST, Peter Leber wrote:

Hi Peter,

> Is there someone aware of a procedure which could help me solving my problem?

Like Atanas, I use a procedure suggested by Sébastien Marie[0].

There are several things which this script does not check for - some of those are on my TODO list:

1. If you're upgrading from -stable to -current, then you'll need to adjust '/etc/pkg.conf' file accordingly beforehand.
2. Your '/usr/src' directory needs to exist and contain the source code.
3. Sometimes a new snapshot might get published mid-download - you'll simply need to re-run the script or you may simply wrap it in a loop.
4. You'll need to adjust the 'sets' manually.
5. Since it is aimed at frequent snapshot upgrades, it assumes you are running GENERIC{.MP} kernel.
6. If you are already using '/etc/boot.conf' then you'll need to adjust the script.
7. /dev/vnd0 is hard-coded and there's no logic there to check whether it is in use - the same goes for '/tmp'.
8. You can add 'sysmerge', 'pkg_add -u', etc. to 'rc.firsttime' if you like.
-
#!/bin/sh

arch=$(machine)
kernel=$(uname -v | cut -d '#' -f 1)
release=$(uname -r)
version=$(uname -r | tr -d '.')
sets="base${version}.tgz comp${version}.tgz game${version}.tgz \
	man${version}.tgz xbase${version}.tgz xfont${version}.tgz \
	xserv${version}.tgz xshare${version}.tgz"

_snapshot() {
	dir=/${release}/${arch}
	test -d $dir || mkdir -p $dir
	get="ftp -V -o"
	# Derive the snapshot URL from installpath by dropping the "packages" component.
	site=$(awk '/^installpath/ { print $3 }' /etc/pkg.conf | rev | cut -d '/' -f 1-2,4- | rev)
	case $kernel in
	GENERIC) bsd="bsd" ;;
	GENERIC.MP) bsd="bsd bsd.mp" ;;
	esac
	cd $dir
	for i in SHA256 SHA256.sig ; do \
		$get ${dir}/${i} ${site}${i} >/dev/null 2>&1 ; done
	# Fetch each file if missing and re-fetch it if its checksum differs from
	# the one listed in SHA256 (SHA256.sig is downloaded but not verified here).
	for i in INSTALL.${arch} bsd.rd $bsd $sets ; do
		test -f $i || $get ${dir}/${i} ${site}${i} >/dev/null 2>&1 ; \
		first=$(awk '/\('$i'\)/ { print $NF ; }' SHA256) ;
		second=$(sha256 -q $i) ;
		test "$first" = "$second" || \
			$get ${dir}/${i} ${site}${i} >/dev/null 2>&1 ; done
	# If the downloaded bsd.rd differs from /bsd.rd, install it, embed
	# auto_upgrade.conf in its ramdisk and make the next boot load bsd.rd.
	diff -q ${dir}/bsd.rd /bsd.rd >/dev/null 2>&1 || \
		( mv -f /bsd.rd /obsd.rd && cp -f ${dir}/bsd.rd /bsd.rd && \
		cd /usr/src/distrib/common && \
		cc -o /tmp/rdsetroot elf32.c elf64.c elfrdsetroot.c && \
		cd /tmp && /tmp/rdsetroot -x /bsd.rd ramdisk.img && \
		vnconfig vnd0 ramdisk.img && mount /dev/vnd0a /mnt && \
		echo 'Location of sets = disk
Is the disk partition already mounted = yes' > /mnt/auto_upgrade.conf && \
		umount /dev/vnd0a && vnconfig -u vnd0 && \
		/tmp/rdsetroot /bsd.rd ramdisk.img && rm ramdisk.img && \
		echo 'boot bsd.rd' > /etc/boot.conf && \
		echo '#!/bin/sh
rm -f /etc/boot.conf' > /upgrade.site && chmod 0755 /upgrade.site && \
		echo "There's a new snapshot." )
}

_snapshot
-

It's a bit crufty but it works for me :^)

Regards,

Raf
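Doug Hogan's suggestion elsewhere in this thread (use signify with SHA256.sig rather than comparing against SHA256 directly), sketched as a check that could run in the script above before bsd.rd is installed. This is an added example, not code from Raf or any other poster; the function names verify_sets and base_pubkey are hypothetical, and it assumes the snapshot is signed with the base key of the release number passed in.

```shell
#!/bin/sh
# Added example (not from the thread): authenticate downloaded sets with
# signify(1) before anything is installed. Function names are hypothetical.

# base_pubkey RELEASE
# Prints the path of the base public key shipped with the system,
# e.g. "5.7" -> /etc/signify/openbsd-57-base.pub
base_pubkey() {
	printf '/etc/signify/openbsd-%s-base.pub\n' "$(printf '%s' "$1" | tr -d '.')"
}

# verify_sets DIR PUBKEY FILE...
# Returns 0 only if DIR/SHA256.sig carries a valid signature for PUBKEY and
# every FILE matches its checksum in that signed list.
# Returns 2 on missing prerequisites, 1 on a failed verification.
verify_sets() {
	vs_dir=$1 vs_pub=$2
	shift 2
	# The key must already be on this machine; a key fetched from the same
	# mirror as the sets would authenticate nothing.
	[ -r "$vs_pub" ] || { echo "missing public key: $vs_pub" >&2; return 2; }
	[ -r "$vs_dir/SHA256.sig" ] || { echo "missing $vs_dir/SHA256.sig" >&2; return 2; }
	[ $# -gt 0 ] || { echo "no files to verify" >&2; return 2; }
	# -C checks the signature on the checksum list, then each named file
	# against the list.
	( cd "$vs_dir" && signify -C -p "$vs_pub" -x SHA256.sig "$@" ) >/dev/null || {
		echo "signature or checksum verification FAILED in $vs_dir" >&2
		return 1
	}
}

# Possible use in the script above, after the downloads into $dir and before
# bsd.rd is copied to / or /etc/boot.conf is written:
#   verify_sets "$dir" "$(base_pubkey "$release")" \
#       INSTALL.${arch} bsd.rd $bsd $sets || exit 1
```

A non-zero return means the files must not be installed; re-downloading only helps for a truncated transfer, not for a bad signature.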
Re: Update OpenBSD Remotely
On 17.05.2015 17:08, Peter Leber wrote:
> I want to build a test system based on OpenBSD 5.7 which updates in an automated fashion. The goal is to have a remotely located machine which runs OpenBSD 5.7 and is constantly updated. While restarting the machine remotely via SSH is perfectly fine to me, I do not want to access the machine locally in order to interrupt the automatic reboot in order to trigger the manual upgrading process. I'm fine with following -stable and -current alike.
>
> I recognize that there's m:tier's binary patching service (https://stable.mtier.org), but the packages are signed by m:tier rather than the OpenBSD project. While following m:tier's binary patches is a good compromise to me, it's not a perfect solution.
>
> I'm perfectly fine with running the -current flavour of OpenBSD feature- and stability-wise, but I did not have the success of remotely triggering a script, rebooting the machine and have an up and running updated machine.
>
> While I did find the autoinstall(8) feature, which, since 5.7, should be able to trigger an automatic upgrade if the file /auto_upgrade.conf is present, I did not see an effect in the bootup messages on the virtual machine I'm using for testing things out.
>
> Furthermore, I did find a tool named snap, aiming at making running -current more enjoyable (see https://github.com/qbit/snap), but it does also seem to be relying on the user to manually start the upgrading process on system reboot, if I got everything correctly.
>
> Is there someone aware of a procedure which could help me solving my problem?
>
> I thank you very much in advance.
>
> Peter

Hi,

autoinstall(8) is your friend:

[ns]~/upgrade$ cat download
#!/bin/sh

rd=bsd.rd
#URL=http://mirror.telepoint.bg/OpenBSD/snapshots/amd64/
#URL=http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/
URL=http://ftp5.eu.openbsd.org/ftp/pub/OpenBSD/snapshots/amd64/
#URL=http://ftp2.eu.openbsd.org/pub/OpenBSD/snapshots/amd64/

wget -r -N -l1 -nd -R.gif,.html -Abs*,.tgz,index.txt,SHA*,INS* $URL

sudo cp $rd /tmp

# build rdsetroot
(
cd /usr/src/distrib/common
cc -o /tmp/rdsetroot elf32.c elf64.c elfrdsetroot.c
)

# extract ramdisk from bsd.rd
/tmp/rdsetroot -x /tmp/bsd.rd /tmp/ramdisk.img

# mount ramdisk
sudo vnconfig vnd0 /tmp/ramdisk.img
sudo mount /dev/vnd0a /mnt

# copy config file
sudo cp /auto_upgrade.conf /mnt/auto_upgrade.conf

# umount ramdisk
sudo umount /dev/vnd0a
sudo vnconfig -u vnd0

# put modified ramdisk in bsd.rd
sudo /tmp/rdsetroot /tmp/bsd.rd /tmp/ramdisk.img

# backup /bsd to /obsd
sudo mv /bsd /obsd

# cleanup
sudo rm /tmp/ramdisk.img
sudo mv /tmp/bsd.rd /bsd
#EOF

[ns]~/upgrade$ cat /auto_upgrade.conf
Which disk is the root disk = sd2
Root filesystem = sd2a
Force checking of clean non-root filesystems = no
Location of sets = disk
Is the disk partition already mounted = yes
Pathname to the sets = /mnt/home/vlado/upgrade
#EOF

Run download script, reboot and you are up-to-date!
Re: Update OpenBSD Remotely
On May 17, 2015, at 10:08 AM, Peter Leber leberpe...@web.de wrote:
> I want to build a test system based on OpenBSD 5.7 which updates in an automated fashion. The goal is to have a remotely located machine which runs OpenBSD 5.7 and is constantly updated. While restarting the machine remotely via SSH is perfectly fine to me, I do not want to access the machine locally in order to interrupt the automatic reboot in order to trigger the manual upgrading process. I'm fine with following -stable and -current alike.

snip

Peter,

Have you looked into flashrd?

http://nmedia.net/flashrd
https://github.com/yellowman/flashrd/

See the section in the FAQ on how to upgrade a running system:

http://www.nmedia.net/flashrd/flashrd-faq.html

It's a matter of copying over three files and re-booting. I've done remote upgrades many times, but have not scripted the process.

Hope this helps.

-Paul