1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
|
'\" t
.TH "SYSUPDATE\&.D" "5" "" "systemd 254" "sysupdate.d"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
sysupdate.d \- Transfer Definition Files for Automatic Updates
.SH "SYNOPSIS"
.PP
.nf
/etc/sysupdate\&.d/*\&.conf
/run/sysupdate\&.d/*\&.conf
/usr/lib/sysupdate\&.d/*\&.conf
.fi
.SH "DESCRIPTION"
.PP
sysupdate\&.d/*\&.conf
files describe how specific resources on the local system shall be updated from a remote source\&. Each such file defines one such transfer: typically a remote HTTP/HTTPS resource as source; and a local file, directory or partition as target\&. This may be used as a simple, automatic, atomic update mechanism for the OS itself, for containers, portable services or system extension images \(em but in fact may be used to update any kind of file from a remote source\&.
.PP
The
\fBsystemd-sysupdate\fR(8)
command reads these files and uses them to determine which local resources should be updated, and then executes the update\&.
.PP
Both the remote HTTP/HTTPS source and the local target typically exist in multiple, concurrent versions, in order to implement flexible update schemes, e\&.g\&. A/B updating (or a superset thereof, e\&.g\&. A/B/C, A/B/C/D, \&...)\&.
.PP
Each
*\&.conf
file defines one transfer, i\&.e\&. describes one resource to update\&. Typically, multiple of these files (i\&.e\&. multiple of such transfers) are defined together, and are bound together by a common version identifier in order to update multiple resources at once on each update operation, for example to update a kernel, a root file system and a Verity partition in a single, combined, synchronized operation, so that only a combined update of all three together constitutes a complete update\&.
.PP
Each
*\&.conf
file contains three sections: [Transfer], [Source] and [Target]\&.
.SH "BASIC MODE OF OPERATION"
.PP
Disk\-image based OS updates typically consist of multiple different resources that need to be updated together, for example a secure OS update might consist of a root file system image to drop into a partition, a matching Verity integrity data partition image, and a kernel image prepared to boot into the combination of the two partitions\&. The first two resources are files that are downloaded and placed in a disk partition, the latter is a file that is downloaded and placed in a regular file in the boot file system (e\&.g\&. EFI system partition)\&. Hence, during an update of a hypothetical operating system "foobarOS" to a hypothetical version 47 the following operations should take place:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
A file
"https://download\&.example\&.com/foobarOS_47\&.root\&.xz"
should be downloaded, decompressed and written to a previously unused partition with GPT partition type UUID 4f68bce3\-e8cd\-4db1\-96e7\-fbcaf984b709 for x86\-64, as per
\m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
Similarly, a file
"https://download\&.example\&.com/foobarOS_47\&.verity\&.xz"
should be downloaded, decompressed and written to a previously empty partition with GPT partition type UUID of 2c7357ed\-ebd2\-46d9\-aec1\-23d437ec2bf5 (i\&.e\&. the partition type for Verity integrity information for x86\-64 root file systems)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
Finally, a file
"https://download\&.example\&.com/foobarOS_47\&.efi\&.xz"
(a unified kernel, as per
\m[blue]\fBBoot Loader Specification\fR\m[]\&\s-2\u[2]\d\s+2
Type #2) should be downloaded, decompressed and written to the $BOOT file system, i\&.e\&. to
EFI/Linux/foobarOS_47\&.efi
in the ESP or XBOOTLDR partition\&.
.RE
.PP
The version\-independent generalization of this would be (using the special marker
"@v"
as wildcard for the version identifier):
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
A transfer of a file
"https://download\&.example\&.com/foobarOS_@v\&.root\&.xz"
→ a local, previously empty GPT partition of type 4f68bce3\-e8cd\-4db1\-96e7\-fbcaf984b709, with the label to be set to
"foobarOS_@v"\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
A transfer of a file
"https://download\&.example\&.com/foobarOS_@v\&.verity\&.xz"
→ a local, previously empty GPT partition of type 2c7357ed\-ebd2\-46d9\-aec1\-23d437ec2bf5, with the label to be set to
"foobarOS_@v_verity"\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
A transfer of a file
"https://download\&.example\&.com/foobarOS_@v\&.efi\&.xz"
→ a local file
$BOOT/EFI/Linux/foobarOS_@v\&.efi\&.
.RE
.PP
An update can only complete if the relevant URLs provide their resources for the same version, i\&.e\&. for the same value of
"@v"\&.
.PP
The above may be translated into three
*\&.conf
files in
sysupdate\&.d/, one for each resource to transfer\&. The
*\&.conf
files configure the type of download, and what place to write the download to (i\&.e\&. whether to a partition or a file in the file system)\&. Most importantly these files contain the URL, partition name and filename patterns shown above that describe how these resources are called on the source and how they shall be called on the target\&.
.PP
In order to enumerate available versions and figuring out candidates to update to, a mechanism is necessary to list suitable files:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For partitions: the surrounding GPT partition table contains a list of defined partitions, including a partition type UUID and a partition label (in this scheme the partition label plays a role for the partition similar to the filename for a regular file)\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For regular files: the directory listing of the directory the files are contained in provides a list of existing files in a straightforward way\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
For HTTP/HTTPS sources a simple scheme is used: a manifest file
SHA256SUMS, following the format defined by
\fBsha256sum\fR(1), lists file names and their SHA256 hashes\&.
.RE
.PP
Transfers are done in the alphabetical order of the
\&.conf
file names they are defined in\&. First, the resource data is downloaded directly into a target file/directory/partition\&. Once this is completed for all defined transfers, in a second step the files/directories/partitions are renamed to their final names as defined by the target
\fIMatchPattern=\fR, again in the order the
\&.conf
transfer file names dictate\&. This step is not atomic, however it is guaranteed to be executed strictly in order with suitable disk synchronization in place\&. Typically, when updating an OS one of the transfers defines the entry point when booting\&. Thus it is generally a good idea to order the resources via the transfer configuration file names so that the entry point is written last, ensuring that any abnormal termination does not leave an entry point around whose backing is not established yet\&. In the example above it would hence make sense to establish the EFI kernel image last and thus give its transfer configuration file the alphabetically last name\&.
.PP
See below for an extended, more specific example based on the above\&.
.SH "RESOURCE TYPES"
.PP
Each transfer file defines one source resource to transfer to one target resource\&. The following resource types are supported:
.sp
.RS 4
.ie n \{\
\h'-04' 1.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 1." 4.2
.\}
Resources of type
"url\-file"
encapsulate a file on a web server, referenced via a HTTP or HTTPS URL\&. When an update takes place, the file is downloaded and decompressed and then written to the target file or partition\&. This resource type is only available for sources, not for targets\&. The list of available versions of resources of this type is encoded in
SHA256SUMS
manifest files, accompanied by
SHA256SUMS\&.gpg
detached signatures\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 2.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 2." 4.2
.\}
The
"url\-tar"
resource type is similar, but the file must be a
\&.tar
archive\&. When an update takes place, the file is decompressed and unpacked into a directory or btrfs subvolume\&. This resource type is only available for sources, not for targets\&. Just like
"url\-file",
"url\-tar"
version enumeration makes use of
SHA256SUMS
files, authenticated via
SHA256SUMS\&.gpg\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 3.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 3." 4.2
.\}
The
"regular\-file"
resource type encapsulates a local regular file on disk\&. During updates the file is uncompressed and written to the target file or partition\&. This resource type is available both as source and as target\&. When updating no integrity or authentication verification is done for resources of this type\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 4.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 4." 4.2
.\}
The
"partition"
resource type is similar to
"regular\-file", and encapsulates a GPT partition on disk\&. When updating, the partition must exist already, and have the correct GPT partition type\&. A partition whose GPT partition label is set to
"_empty"
is considered empty, and a candidate to place a newly downloaded resource in\&. The GPT partition label is used to store version information, once a partition is updated\&. This resource type is only available for target resources\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 5.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 5." 4.2
.\}
The
"tar"
resource type encapsulates local
\&.tar
archive files\&. When an update takes place, the files are uncompressed and unpacked into a target directory or btrfs subvolume\&. Behaviour of
"tar"
and
"url\-tar"
is generally similar, but the latter downloads from remote sources, and does integrity and authentication checks while the former does not\&. The
"tar"
resource type is only available for source resources\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 6.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 6." 4.2
.\}
The
"directory"
resource type encapsulates local directory trees\&. This type is available both for source and target resources\&. If an update takes place on a source resource of this type, a recursive copy of the directory is done\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04' 7.\h'+01'\c
.\}
.el \{\
.sp -1
.IP " 7." 4.2
.\}
The
"subvolume"
resource type is identical to
"directory", except when used as the target, in which case the file tree is placed in a btrfs subvolume instead of a plain directory, if the backing file system supports it (i\&.e\&. is btrfs)\&.
.RE
.PP
As already indicated, only a subset of source and target resource type combinations are supported:
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.B Table\ \&1.\ \&Resource Types
.TS
allbox tab(:);
lB lB lB lB lB lB lB lB.
T{
Identifier
T}:T{
Description
T}:T{
Usable as Source
T}:T{
When Used as Source: Compatible Targets
T}:T{
When Used as Source: Integrity + Authentication
T}:T{
When Used as Source: Decompression
T}:T{
Usable as Target
T}:T{
When Used as Target: Compatible Sources
T}
.T&
l l l l l l l l
l l l l l l l l
l l l l l l l l
l l l l l l l l
l l l l l l l l
l l l l l l l l
l l l l l l l l.
T{
\fBurl\-file\fR
T}:T{
HTTP/HTTPS files
T}:T{
yes
T}:T{
\fBregular\-file\fR, \fBpartition\fR
T}:T{
yes
T}:T{
yes
T}:T{
no
T}:T{
\-
T}
T{
\fBurl\-tar\fR
T}:T{
HTTP/HTTPS \&.tar archives
T}:T{
yes
T}:T{
\fBdirectory\fR, \fBsubvolume\fR
T}:T{
yes
T}:T{
yes
T}:T{
no
T}:T{
\-
T}
T{
\fBregular\-file\fR
T}:T{
Local files
T}:T{
yes
T}:T{
\fBregular\-file\fR, \fBpartition\fR
T}:T{
no
T}:T{
yes
T}:T{
yes
T}:T{
\fBurl\-file\fR, \fBregular\-file\fR
T}
T{
\fBpartition\fR
T}:T{
Local GPT partitions
T}:T{
no
T}:T{
\-
T}:T{
\-
T}:T{
\-
T}:T{
yes
T}:T{
\fBurl\-file\fR, \fBregular\-file\fR
T}
T{
\fBtar\fR
T}:T{
Local \&.tar archives
T}:T{
yes
T}:T{
\fBdirectory\fR, \fBsubvolume\fR
T}:T{
no
T}:T{
yes
T}:T{
no
T}:T{
\-
T}
T{
\fBdirectory\fR
T}:T{
Local directories
T}:T{
yes
T}:T{
\fBdirectory\fR, \fBsubvolume\fR
T}:T{
no
T}:T{
no
T}:T{
yes
T}:T{
\fBurl\-tar\fR, \fBtar\fR, \fBdirectory\fR, \fBsubvolume\fR
T}
T{
\fBsubvolume\fR
T}:T{
Local btrfs subvolumes
T}:T{
yes
T}:T{
\fBdirectory\fR, \fBsubvolume\fR
T}:T{
no
T}:T{
no
T}:T{
yes
T}:T{
\fBurl\-tar\fR, \fBtar\fR, \fBdirectory\fR, \fBsubvolume\fR
T}
.TE
.sp 1
.SH "MATCH PATTERNS"
.PP
Both the source and target resources typically exist in multiple versions concurrently\&. An update operation is done whenever the newest of the source versions is newer than the newest of the target versions\&. To determine the newest version of the resources a directory listing, partition listing or manifest listing is used, a subset of qualifying entries selected from that, and the version identifier extracted from the file names or partition labels of these selected entries\&. Subset selection and extraction of the version identifier (plus potentially other metadata) is done via match patterns, configured in
\fIMatchPattern=\fR
in the [Source] and [Target] sections\&. These patterns are strings that describe how files or partitions are named, with named wildcards for specific fields such as the version identifier\&. The following wildcards are defined:
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.B Table\ \&2.\ \&Match Pattern Wildcards
.TS
allbox tab(:);
lB lB lB lB.
T{
Wildcard
T}:T{
Description
T}:T{
Format
T}:T{
Notes
T}
.T&
l l l l
l l l l
l l l l
l l l l
l l l l
l l l l
l l l l
l l l l
l l l l
l l l l
l l l l
l l l l.
T{
"@v"
T}:T{
Version identifier
T}:T{
Valid version string
T}:T{
Mandatory
T}
T{
"@u"
T}:T{
GPT partition UUID
T}:T{
Valid 128\-Bit UUID string
T}:T{
Only relevant if target resource type chosen as \fBpartition\fR
T}
T{
"@f"
T}:T{
GPT partition flags
T}:T{
Formatted hexadecimal integer
T}:T{
Only relevant if target resource type chosen as \fBpartition\fR
T}
T{
"@a"
T}:T{
GPT partition flag NoAuto
T}:T{
Either "0" or "1"
T}:T{
Controls NoAuto bit of the GPT partition flags, as per \m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2; only relevant if target resource type chosen as \fBpartition\fR
T}
T{
"@g"
T}:T{
GPT partition flag GrowFileSystem
T}:T{
Either "0" or "1"
T}:T{
Controls GrowFileSystem bit of the GPT partition flags, as per \m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2; only relevant if target resource type chosen as \fBpartition\fR
T}
T{
"@r"
T}:T{
Read\-only flag
T}:T{
Either "0" or "1"
T}:T{
Controls ReadOnly bit of the GPT partition flags, as per \m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2 and other output read\-only flags, see \fIReadOnly=\fR below
T}
T{
"@t"
T}:T{
File modification time
T}:T{
Formatted decimal integer, μs since UNIX epoch Jan 1st 1970
T}:T{
Only relevant if target resource type chosen as \fBregular\-file\fR
T}
T{
"@m"
T}:T{
File access mode
T}:T{
Formatted octal integer, in UNIX fashion
T}:T{
Only relevant if target resource type chosen as \fBregular\-file\fR
T}
T{
"@s"
T}:T{
File size after decompression
T}:T{
Formatted decimal integer
T}:T{
Useful for measuring progress and to improve partition allocation logic
T}
T{
"@d"
T}:T{
Tries done
T}:T{
Formatted decimal integer
T}:T{
Useful when operating with kernel image files, as per \m[blue]\fBAutomatic Boot Assessment\fR\m[]\&\s-2\u[3]\d\s+2
T}
T{
"@l"
T}:T{
Tries left
T}:T{
Formatted decimal integer
T}:T{
Useful when operating with kernel image files, as per \m[blue]\fBAutomatic Boot Assessment\fR\m[]\&\s-2\u[3]\d\s+2
T}
T{
"@h"
T}:T{
SHA256 hash of compressed file
T}:T{
64 hexadecimal characters
T}:T{
The SHA256 hash of the compressed file; not useful for \fBurl\-file\fR or \fBurl\-tar\fR where the SHA256 hash is already included in the manifest file anyway
T}
.TE
.sp 1
.PP
Of these wildcards only
"@v"
must be present in a valid pattern, all other wildcards are optional\&. Each wildcard may be used at most once in each pattern\&. A typical wildcard matching a file system source image could be
"MatchPattern=foobar_@v\&.raw\&.xz", i\&.e\&. any file whose name begins with
"foobar_", followed by a version ID and suffixed by
"\&.raw\&.xz"\&.
.PP
Do not confuse the
"@"
pattern matching wildcard prefix with the
"%"
specifier expansion prefix\&. The former encapsulate a variable part of a match pattern string, the latter are simple shortcuts that are expanded while the drop\-in files are parsed\&. For details about specifiers, see below\&.
.SH "[TRANSFER] SECTION OPTIONS"
.PP
This section defines general properties of this transfer\&.
.PP
\fIMinVersion=\fR
.RS 4
Specifies the minimum version to require for this transfer to take place\&. If the source or target patterns in this transfer definition match files older than this version they will be considered obsolete, and never be considered for the update operation\&.
.RE
.PP
\fIProtectVersion=\fR
.RS 4
Takes one or more version strings to mark as "protected"\&. Protected versions are never removed while making room for new, updated versions\&. This is useful to ensure that the currently booted OS version (or auxiliary resources associated with it) is not replaced/overwritten during updates, in order to avoid runtime file system corruptions\&.
.sp
Like many of the settings in these configuration files this setting supports specifier expansion\&. It\*(Aqs particularly useful to set this setting to one of the
"%A",
"%B"
or
"%w"
specifiers to automatically refer to the current OS version of the running system\&. See below for details on supported specifiers\&.
.RE
.PP
\fIVerify=\fR
.RS 4
Takes a boolean, defaults to yes\&. Controls whether to cryptographically verify downloaded resources (specifically: validate the GPG signatures for downloaded
SHA256SUMS
manifest files, via their detached signature files
SHA256SUMS\&.gpg
in combination with the system keyring
/usr/lib/systemd/import\-pubring\&.gpg
or
/etc/systemd/import\-pubring\&.gpg)\&.
.sp
This option is essential to provide integrity guarantees for downloaded resources and thus should be left enabled, outside of test environments\&.
.sp
Note that the downloaded payload files are unconditionally checked against the SHA256 hashes listed in the manifest\&. This option only controls whether the signatures of these manifests are verified\&.
.sp
This option only has an effect if the source resource type is selected as
\fBurl\-file\fR
or
\fBurl\-tar\fR, as integrity and authentication checking is only available for transfers from remote sources\&.
.RE
.SH "[SOURCE] SECTION OPTIONS"
.PP
This section defines properties of the transfer source\&.
.PP
\fIType=\fR
.RS 4
Specifies the resource type of the source for the transfer\&. Takes one of
\fBurl\-file\fR,
\fBurl\-tar\fR,
\fBtar\fR,
\fBregular\-file\fR,
\fBdirectory\fR
or
\fBsubvolume\fR\&. For details about the resource types, see above\&. This option is mandatory\&.
.sp
Note that only certain combinations of source and target resource types are supported, see above\&.
.RE
.PP
\fIPath=\fR
.RS 4
Specifies where to find source versions of this resource\&.
.sp
If the source type is selected as
\fBurl\-file\fR
or
\fBurl\-tar\fR
this must be a HTTP/HTTPS URL\&. The URL is suffixed with
/SHA256SUMS
to acquire the manifest file, with
/SHA256SUMS\&.gpg
to acquire the detached signature file for it, and with the file names listed in the manifest file in case an update is executed and a resource shall be downloaded\&.
.sp
For all other source resource types this must be a local path in the file system, referring to a local directory to find the versions of this resource in\&.
.RE
.PP
\fIMatchPattern=\fR
.RS 4
Specifies one or more file name match patterns that select the subset of files that are update candidates as source for this transfer\&. See above for details on match patterns\&.
.sp
This option is mandatory\&. Any pattern listed must contain at least the
"@v"
wildcard, so that a version identifier may be extracted from the filename\&. All other wildcards are optional\&.
.RE
.SH "[TARGET] SECTION OPTIONS"
.PP
This section defines properties of the transfer target\&.
.PP
\fIType=\fR
.RS 4
Specifies the resource type of the target for the transfer\&. Takes one of
\fBpartition\fR,
\fBregular\-file\fR,
\fBdirectory\fR
or
\fBsubvolume\fR\&. For details about the resource types, see above\&. This option is mandatory\&.
.sp
Note that only certain combinations of source and target resource types are supported, see above\&.
.RE
.PP
\fIPath=\fR
.RS 4
Specifies a file system path where to look for already installed versions or place newly downloaded versions of this configured resource\&. If
\fIType=\fR
is set to
\fBpartition\fR, expects a path to a (whole) block device node, or the special string
"auto"
in which case the block device which contains the root file system of the currently booted system is automatically determined and used\&. If
\fIType=\fR
is set to
\fBregular\-file\fR,
\fBdirectory\fR
or
\fBsubvolume\fR, must refer to a path in the local file system referencing the directory to find or place the version files or directories under\&.
.sp
Note that this mechanism cannot be used to create or remove partitions, in case
\fIType=\fR
is set to
\fBpartition\fR\&. Partitions must exist already, and a special partition label
"_empty"
is used to indicate empty partitions\&. To automatically generate suitable partitions on first boot, use a tool such as
\fBsystemd-repart\fR(8)\&.
.RE
.PP
\fIPathRelativeTo=\fR
.RS 4
Specifies what partition
\fIPath=\fR
should be relative to\&. Takes one of
\fBroot\fR,
\fBesp\fR,
\fBxbootldr\fR, or
\fBboot\fR\&. If unspecified, defaults to
\fBroot\fR\&.
.sp
If set to
\fBboot\fR, the specified
\fIPath=\fR
will be resolved relative to the mount point of the $BOOT partition (i\&.e\&. the ESP or XBOOTLDR), as defined by the
\m[blue]\fBBoot Loader Specification\fR\m[]\&\s-2\u[2]\d\s+2\&.
.sp
The values
\fBesp\fR,
\fBxbootldr\fR, and
\fBboot\fR
are only supported when
\fIType=\fR
is set to
\fBregular\-file\fR
or
\fBdirectory\fR\&.
.RE
.PP
\fIMatchPattern=\fR
.RS 4
Specifies one or more file name or partition label match patterns that select the subset of files or partitions that are update candidates as targets for this transfer\&. See above for details on match patterns\&.
.sp
This option is mandatory\&. Any pattern listed must contain at least the
"@v"
wildcard, so that a version identifier may be extracted from the filename\&. All other wildcards are optional\&.
.sp
This pattern is both used for matching existing installed versions and for determining the name of new versions to install\&. If multiple patterns are specified, the first specified is used for naming newly installed versions\&.
.RE
.PP
\fIMatchPartitionType=\fR
.RS 4
When the target
\fIType=\fR
is chosen as
\fBpartition\fR, specifies the GPT partition type to look for\&. Only partitions of this type are considered, all other partitions are ignored\&. If not specified, the GPT partition type
\fBlinux\-generic\fR
is used\&. Accepts either a literal type UUID or a symbolic type identifier\&. For a list of supported type identifiers, see the
\fIType=\fR
setting in
\fBrepart.d\fR(5)\&.
.RE
.PP
\fIPartitionUUID=\fR, \fIPartitionFlags=\fR, \fIPartitionNoAuto=\fR, \fIPartitionGrowFileSystem=\fR
.RS 4
When the target
\fIType=\fR
is picked as
\fBpartition\fR, selects the GPT partition UUID and partition flags to use for the updated partition\&. Expects a valid UUID string, a hexadecimal integer, or booleans, respectively\&. If not set, but the source match pattern includes wildcards for these fields (i\&.e\&.
"@u",
"@f",
"@a", or
"@g"), the values from the patterns are used\&. If neither configured with wildcards or these explicit settings, the values are left untouched\&. If both the overall
\fIPartitionFlags=\fR
flags setting and the individual flag settings
\fIPartitionNoAuto=\fR
and
\fIPartitionGrowFileSystem=\fR
are used (or the wildcards for them), then the latter override the former, i\&.e\&. the individual flag bit overrides the overall flags value\&. See
\m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2
for details about these flags\&.
.sp
Note that these settings are not used for matching, they only have effect on newly written partitions in case a transfer takes place\&.
.RE
.PP
\fIReadOnly=\fR
.RS 4
Controls whether to mark the resulting file, subvolume or partition read\-only\&. If the target type is
\fBpartition\fR
this controls the ReadOnly partition flag, as per
\m[blue]\fBDiscoverable Partitions Specification\fR\m[]\&\s-2\u[1]\d\s+2, similar to the
\fIPartitionNoAuto=\fR
and
\fIPartitionGrowFileSystem=\fR
flags described above\&. If the target type is
\fBregular\-file\fR, the writable bit is removed from the access mode\&. If the target type is
\fBsubvolume\fR, the subvolume will be marked read\-only as a whole\&. Finally, if the target
\fIType=\fR
is selected as
\fBdirectory\fR, the "immutable" file attribute is set, see
\fBchattr\fR(1)
for details\&.
.RE
.PP
\fIMode=\fR
.RS 4
The UNIX file access mode to use for newly created files in case the target resource type is picked as
\fBregular\-file\fR\&. Expects an octal integer, in typical UNIX fashion\&. If not set, but the source match pattern includes a wildcard for this field (i\&.e\&.
"@t"), the value from the pattern is used\&.
.sp
Note that this setting is not used for matching, it only has an effect on newly written files when a transfer takes place\&.
.RE
.PP
\fITriesDone=\fR, \fITriesLeft=\fR
.RS 4
These options take positive, decimal integers, and control the number of attempts done and left for this file\&. These settings are useful for managing kernel images, following the scheme defined in
\m[blue]\fBAutomatic Boot Assessment\fR\m[]\&\s-2\u[3]\d\s+2, and only have an effect if the target pattern includes the
"@d"
or
"@l"
wildcards\&.
.RE
.PP
\fIInstancesMax=\fR
.RS 4
Takes a decimal integer equal to or greater than 2\&. This configures how many concurrent versions of the resource to keep\&. Whenever a new update is initiated it is made sure that no more than the number of versions specified here minus one exist in the target\&. Any excess versions are deleted (in case the target
\fIType=\fR
of
\fBregular\-file\fR,
\fBdirectory\fR,
\fBsubvolume\fR
is used) or emptied (in case the target
\fIType=\fR
of
\fBpartition\fR
is used; emptying in this case simply means to set the partition label to the special string
"_empty"; note that no partitions are actually removed)\&. After an update is completed the number of concurrent versions of the target resources is equal to or below the number specified here\&.
.sp
Note that this setting may be set differently for each transfer\&. However, it generally is advisable to keep this setting the same for all transfers, since otherwise incomplete combinations of files or partitions will be left installed\&.
.sp
If the target
\fIType=\fR
is selected as
\fBpartition\fR, the number of concurrent versions to keep is additionally restricted by the number of partition slots of the right type in the partition table\&. I\&.e\&. if there are only 2 partition slots for the selected partition type, setting this value larger than 2 is without effect, since no more than 2 concurrent versions could be stored in the image anyway\&.
.RE
.PP
\fIRemoveTemporary=\fR
.RS 4
Takes a boolean argument\&. If this option is enabled (which is the default) before initiating an update, all left\-over, incomplete updates from a previous attempt are removed from the target directory\&. This only has an effect if the target resource
\fIType=\fR
is selected as
\fBregular\-file\fR,
\fBdirectory\fR
or
\fBsubvolume\fR\&.
.RE
.PP
\fICurrentSymlink=\fR
.RS 4
Takes a symlink name as argument\&. If this option is used, as the last step of the update a symlink under the specified name is created/updated pointing to the completed update\&. This is useful in to provide a stable name always pointing to the newest version of the resource\&. This is only supported if the target resource
\fIType=\fR
is selected as
\fBregular\-file\fR,
\fBdirectory\fR
or
\fBsubvolume\fR\&.
.RE
.SH "SPECIFIERS"
.PP
Specifiers may be used in the
\fIMinVersion=\fR,
\fIProtectVersion=\fR,
\fIPath=\fR,
\fIMatchPattern=\fR
and
\fICurrentSymlink=\fR
settings\&. The following expansions are understood:
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.B Table\ \&3.\ \&Specifiers available
.TS
allbox tab(:);
lB lB lB.
T{
Specifier
T}:T{
Meaning
T}:T{
Details
T}
.T&
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l
l l l.
T{
"%a"
T}:T{
Architecture
T}:T{
A short string identifying the architecture of the local system\&. A string such as \fBx86\fR, \fBx86\-64\fR or \fBarm64\fR\&. See the architectures defined for \fIConditionArchitecture=\fR in \fBsystemd.unit\fR(5) for a full list\&.
T}
T{
"%A"
T}:T{
Operating system image version
T}:T{
The operating system image version identifier of the running system, as read from the \fIIMAGE_VERSION=\fR field of /etc/os\-release\&. If not set, resolves to an empty string\&. See \fBos-release\fR(5) for more information\&.
T}
T{
"%b"
T}:T{
Boot ID
T}:T{
The boot ID of the running system, formatted as string\&. See \fBrandom\fR(4) for more information\&.
T}
T{
"%B"
T}:T{
Operating system build ID
T}:T{
The operating system build identifier of the running system, as read from the \fIBUILD_ID=\fR field of /etc/os\-release\&. If not set, resolves to an empty string\&. See \fBos-release\fR(5) for more information\&.
T}
T{
"%H"
T}:T{
Host name
T}:T{
The hostname of the running system\&.
T}
T{
"%l"
T}:T{
Short host name
T}:T{
The hostname of the running system, truncated at the first dot to remove any domain component\&.
T}
T{
"%m"
T}:T{
Machine ID
T}:T{
The machine ID of the running system, formatted as string\&. See \fBmachine-id\fR(5) for more information\&.
T}
T{
"%M"
T}:T{
Operating system image identifier
T}:T{
The operating system image identifier of the running system, as read from the \fIIMAGE_ID=\fR field of /etc/os\-release\&. If not set, resolves to an empty string\&. See \fBos-release\fR(5) for more information\&.
T}
T{
"%o"
T}:T{
Operating system ID
T}:T{
The operating system identifier of the running system, as read from the \fIID=\fR field of /etc/os\-release\&. See \fBos-release\fR(5) for more information\&.
T}
T{
"%v"
T}:T{
Kernel release
T}:T{
Identical to \fBuname \-r\fR output\&.
T}
T{
"%w"
T}:T{
Operating system version ID
T}:T{
The operating system version identifier of the running system, as read from the \fIVERSION_ID=\fR field of /etc/os\-release\&. If not set, resolves to an empty string\&. See \fBos-release\fR(5) for more information\&.
T}
T{
"%W"
T}:T{
Operating system variant ID
T}:T{
The operating system variant identifier of the running system, as read from the \fIVARIANT_ID=\fR field of /etc/os\-release\&. If not set, resolves to an empty string\&. See \fBos-release\fR(5) for more information\&.
T}
T{
"%T"
T}:T{
Directory for temporary files
T}:T{
This is either /tmp or the path "$TMPDIR", "$TEMP" or "$TMP" are set to\&. (Note that the directory may be specified without a trailing slash\&.)
T}
T{
"%V"
T}:T{
Directory for larger and persistent temporary files
T}:T{
This is either /var/tmp or the path "$TMPDIR", "$TEMP" or "$TMP" are set to\&. (Note that the directory may be specified without a trailing slash\&.)
T}
T{
"%%"
T}:T{
Single percent sign
T}:T{
Use "%%" in place of "%" to specify a single percent sign\&.
T}
.TE
.sp 1
.PP
Do not confuse the
"%"
specifier expansion prefix with the
"@"
pattern matching wildcard prefix\&. The former are simple shortcuts that are expanded while the drop\-in files are parsed, the latter encapsulate a variable part of a match pattern string\&. For details about pattern matching wildcards, see above\&.
.SH "EXAMPLES"
.PP
\fBExample\ \&1.\ \&Updates for a Verity Enabled Secure OS\fR
.PP
With the following three files we define a root file system partition, a matching Verity partition, and a unified kernel image to update as one\&. This example is an extension of the example discussed earlier in this man page\&.
.PP
.if n \{\
.RS 4
.\}
.nf
# /usr/lib/sysupdate\&.d/50\-verity\&.conf
[Transfer]
ProtectVersion=%A
[Source]
Type=url\-file
Path=https://download\&.example\&.com/
MatchPattern=foobarOS_@v_@u\&.verity\&.xz
[Target]
Type=partition
Path=auto
MatchPattern=foobarOS_@v_verity
MatchPartitionType=root\-verity
PartitionFlags=0
PartitionReadOnly=1
.fi
.if n \{\
.RE
.\}
.PP
The above defines the update mechanism for the Verity partition of the root file system\&. Verity partition images are downloaded from
"https://download\&.example\&.com/foobarOS_@v_@u\&.verity\&.xz"
and written to a suitable local partition, which is marked read\-only\&. Under the assumption this update is run from the image itself the current image version (i\&.e\&. the
"%A"
specifier) is marked as protected, to ensure it is not corrupted while booted\&. Note that the partition UUID for the target partition is encoded in the source file name\&. Fixating the partition UUID can be useful to ensure that
"roothash="
on the kernel command line is sufficient to pinpoint both the Verity and root file system partition, and also encode the Verity root level hash (under the assumption the UUID in the file names match their top\-level hash, the way
\fBsystemd-gpt-auto-generator\fR(8)
suggests)\&.
.PP
.if n \{\
.RS 4
.\}
.nf
# /usr/lib/sysupdate\&.d/60\-root\&.conf
[Transfer]
ProtectVersion=%A
[Source]
Type=url\-file
Path=https://download\&.example\&.com/
MatchPattern=foobarOS_@v_@u\&.root\&.xz
[Target]
Type=partition
Path=auto
MatchPattern=foobarOS_@v
MatchPartitionType=root
PartitionFlags=0
PartitionReadOnly=1
.fi
.if n \{\
.RE
.\}
.PP
The above defines a matching transfer definition for the root file system\&.
.PP
.if n \{\
.RS 4
.\}
.nf
# /usr/lib/sysupdate\&.d/70\-kernel\&.conf
[Transfer]
ProtectVersion=%A
[Source]
Type=url\-file
Path=https://download\&.example\&.com/
MatchPattern=foobarOS_@v\&.efi\&.xz
[Target]
Type=regular\-file
Path=/EFI/Linux
PathRelativeTo=boot
MatchPattern=foobarOS_@v+@l\-@d\&.efi \e
foobarOS_@v+@l\&.efi \e
foobarOS_@v\&.efi
Mode=0444
TriesLeft=3
TriesDone=0
InstancesMax=2
.fi
.if n \{\
.RE
.\}
.PP
The above installs a unified kernel image into the $BOOT partition, as per
\m[blue]\fBBoot Loader Specification\fR\m[]\&\s-2\u[2]\d\s+2
Type #2\&. This defines three possible patterns for the names of the kernel images, as per
\m[blue]\fBAutomatic Boot Assessment\fR\m[]\&\s-2\u[3]\d\s+2, and ensures when installing new kernels, they are set up with 3 tries left\&. No more than two parallel kernels are kept\&.
.PP
With this setup the web server would serve the following files, for a hypothetical version 7 of the OS:
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
SHA256SUMS
\(en The manifest file, containing available files and their SHA256 hashes
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
SHA256SUMS\&.gpg
\(en The detached cryptographic signature for the manifest file
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
foobarOS_7_8b8186b1\-2b4e\-4eb6\-ad39\-8d4d18d2a8fb\&.verity\&.xz
\(en The Verity image for version 7
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
foobarOS_7_f4d1234f\-3ebf\-47c4\-b31d\-4052982f9a2f\&.root\&.xz
\(en The root file system image for version 7
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
foobarOS_7_efi\&.xz
\(en The unified kernel image for version 7
.RE
.PP
For each new OS release a new set of the latter three files would be added, each time with an updated version\&. The
SHA256SUMS
manifest should then be updated accordingly, listing all files for all versions that shall be offered for download\&.
.PP
\fBExample\ \&2.\ \&Updates for Plain Directory Container Image\fR
.PP
.if n \{\
.RS 4
.\}
.nf
[Source]
Type=url\-tar
Path=https://download\&.example\&.com/
MatchPattern=myContainer_@v\&.tar\&.gz
[Target]
Type=subvolume
Path=/var/lib/machines
MatchPattern=myContainer_@v
CurrentSymlink=myContainer
.fi
.if n \{\
.RE
.\}
.PP
On updates this downloads
"https://download\&.example\&.com/myContainer_@v\&.tar\&.gz"
and decompresses/unpacks it to
/var/lib/machines/myContainer_@v\&. After each update a symlink
/var/lib/machines/myContainer
is created/updated always pointing to the most recent update\&.
.SH "SEE ALSO"
.PP
\fBsystemd\fR(1),
\fBsystemd-sysupdate\fR(8),
\fBsystemd-repart\fR(8)
.SH "NOTES"
.IP " 1." 4
Discoverable Partitions Specification
.RS 4
\%https://uapi-group.org/specifications/specs/discoverable_partitions_specification
.RE
.IP " 2." 4
Boot Loader Specification
.RS 4
\%https://uapi-group.org/specifications/specs/boot_loader_specification
.RE
.IP " 3." 4
Automatic Boot Assessment
.RS 4
\%https://systemd.io/AUTOMATIC_BOOT_ASSESSMENT
.RE
|