[thirdparty/systemd.git] / man / systemd.offline-updates.xml

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd.offline-updates">
  <refentryinfo>
    <title>systemd.offline-updates</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.offline-updates</refentrytitle>
    <manvolnum>7</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.offline-updates</refname>
    <refpurpose>Implementation of offline updates in systemd</refpurpose>
  </refnamediv>

  <refsect1>
    <title>Implementing Offline System Updates</title>

    <para>This man page describes how to implement "offline" system updates with systemd. By "offline"
    OS updates we mean package installations and updates that are run with the system booted into a
    special system update mode, in order to avoid problems related to conflicts of libraries and
    services that are currently running with those on disk. This document is inspired by this
    <ulink url="https://wiki.gnome.org/Design/OS/SoftwareUpdates">GNOME design whiteboard</ulink>.
    </para>

    <para>The logic:</para>

    <orderedlist>
      <listitem>
        <para>The package manager prepares system updates by downloading all (.rpm or .deb or
        whatever) packages to update off-line in a special directory
        <filename index="false">/var/lib/system-update</filename> (or
        another directory of the package/upgrade manager's choice).</para>
      </listitem>

      <listitem>
        <para>When the user OK'ed the update, the symlink <filename>/system-update</filename> or
        <filename>/etc/system-update</filename> is created that points to
        <filename index="false">/var/lib/system-update</filename> (or wherever the directory with
        the upgrade files is located) and the system is rebooted. This symlink is in the root
        directory, since we need to check for it very early at boot, at a time where
        <filename>/var/</filename> is not available yet.</para>
      </listitem>

      <listitem>
        <para>Very early in the new boot
        <citerefentry><refentrytitle>systemd-system-update-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        checks whether <filename>/system-update</filename> or
        <filename>/etc/system-update</filename> exists. If so, it (temporarily and for this boot
        only) redirects (i.e. symlinks) <filename>default.target</filename> to
        <filename>system-update.target</filename>, a special target that pulls in the base system
        (i.e. <filename>sysinit.target</filename>, so that all file systems are mounted but little
        else) and the system update units.</para>
      </listitem>

      <listitem>
        <para>The system now continues to boot into <filename>default.target</filename>, and
        thus into <filename>system-update.target</filename>. This target pulls in all system
        update units. Only one service should perform an update (see the next point), and all
        the other ones should exit cleanly with a "success" return code and without doing
        anything. Update services should be ordered after <filename>sysinit.target</filename>
        so that the update starts after all file systems have been mounted.</para>
      </listitem>

      <listitem>
        <para>As the first step, an update service should check if the
        <filename>/system-update</filename> or <filename>/etc/system-update</filename> symlink
        points to the location used by that update service. In case it does not exist or points to a
        different location, the service must exit without error. It is possible for multiple update
        services to be installed, and for multiple update services to be launched in parallel, and
        only the one that corresponds to the tool that <emphasis>created</emphasis> the symlink
        before reboot should perform any actions. It is unsafe to run multiple updates in
        parallel.</para>
      </listitem>

      <listitem>
        <para>The update service should now do its job. If applicable and possible, it should
        create a file system snapshot, then install all packages.  After completion (regardless
        whether the update succeeded or failed) the machine must be rebooted, for example by
        calling <command>systemctl reboot</command>. In addition, on failure the script should
        revert to the old file system snapshot (without the symlink).</para>
      </listitem>

      <listitem>
        <para>The update scripts should exit only after the update is finished. It is expected
        that the service which performs the update will cause the machine to reboot after it
        is done. If the <filename>system-update.target</filename> is successfully reached, i.e.
        all update services have run, and the <filename>/system-update</filename> or
        <filename>/etc/system-update</filename> symlink still exists, it will be removed and
        the machine rebooted as a safety measure.</para>
      </listitem>

      <listitem>
        <para>After a reboot, now that the <filename>/system-update</filename> and
        <filename>/etc/system-update</filename> symlink is gone, the generator won't redirect
        <filename>default.target</filename> anymore and the system now boots into the default
        target again.</para>
      </listitem>
    </orderedlist>
  </refsect1>

  <refsect1>
    <title>Recommendations</title>

    <orderedlist>
      <listitem>
        <para>To make things a bit more robust we recommend hooking the update script into
        <filename>system-update.target</filename> via a <filename index="false">.wants/</filename>
        symlink in the distribution package, rather than depending on <command>systemctl
        enable</command> in the postinst scriptlets of your package. More specifically, for your
        update script create a .service file, without [Install] section, and then add a symlink like
        <filename index="false">/usr/lib/systemd/system/system-update.target.wants/foobar.service</filename>
        → <filename index="false">../foobar.service</filename> to your package.</para>
      </listitem>

      <listitem>
        <para>Make sure to remove the <filename>/system-update</filename> and
        <filename>/etc/system-update</filename> symlinks as early as possible in the update
        script to avoid reboot loops in case the update fails.</para>
      </listitem>

      <listitem>
        <para>Use <varname>FailureAction=reboot</varname> in the service file for your update script
        to ensure that a reboot is automatically triggered if the update fails.
        <varname>FailureAction=</varname> makes sure that the specified unit is activated if your
        script exits uncleanly (by non-zero error code, or signal/coredump). If your script succeeds
        you should trigger the reboot in your own code, for example by invoking logind's
        <command>Reboot()</command> call or calling <command>systemctl reboot</command>. See
        <citerefentry><refentrytitle>org.freedesktop.login1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
        for details about the logind D-Bus API.</para>
      </listitem>

      <listitem>
        <para>The update service should declare <varname>DefaultDependencies=no</varname>,
        <varname>Requires=sysinit.target</varname>, <varname>After=sysinit.target</varname>,
        <varname>After=system-update-pre.target</varname>, <varname>Before=system-update.target</varname>
        and explicitly pull in any other services it requires.</para>
      </listitem>

      <listitem>
        <para>It may be desirable to always run an auxiliary unit when booting
        into offline-updates mode, which itself does not install updates. To
        do this create a .service file with
        <varname>Wants=system-update-pre.target</varname> and
        <varname>Before=system-update-pre.target</varname> and add a symlink
        to that file under
        <filename index="false">/usr/lib/systemd/system-update.target.wants</filename>
        .</para>
      </listitem>
    </orderedlist>
  </refsect1>

  <refsect1>
    <title>See Also</title>

    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-system-update-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry project='mankier'><refentrytitle>dnf.plugin.system-upgrade</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>
</refentry>
Commit	Line	Data
c5915c63	1	<?xml version='1.0'?> <!---nxml--->
3a54a157	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
eea10b26	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
c5915c63 ZJS	5
	6	<refentry id="systemd.offline-updates">
	7	<refentryinfo>
	8	<title>systemd.offline-updates</title>
	9	<productname>systemd</productname>
c5915c63 ZJS	10	</refentryinfo>
	11
	12	<refmeta>
	13	<refentrytitle>systemd.offline-updates</refentrytitle>
	14	<manvolnum>7</manvolnum>
	15	</refmeta>
	16
	17	<refnamediv>
	18	<refname>systemd.offline-updates</refname>
	19	<refpurpose>Implementation of offline updates in systemd</refpurpose>
	20	</refnamediv>
	21
	22	<refsect1>
	23	<title>Implementing Offline System Updates</title>
	24
45f0c64e	25	<para>This man page describes how to implement "offline" system updates with systemd. By "offline"
c5915c63 ZJS	26	OS updates we mean package installations and updates that are run with the system booted into a
	27	special system update mode, in order to avoid problems related to conflicts of libraries and
	28	services that are currently running with those on disk. This document is inspired by this
	29	<ulink url="https://wiki.gnome.org/Design/OS/SoftwareUpdates">GNOME design whiteboard</ulink>.
	30	</para>
	31
	32	<para>The logic:</para>
	33
	34	<orderedlist>
	35	<listitem>
e9dd6984	36	<para>The package manager prepares system updates by downloading all (.rpm or .deb or
c5915c63	37	whatever) packages to update off-line in a special directory
b0343f8c	38	<filename index="false">/var/lib/system-update</filename> (or
c5915c63 ZJS	39	another directory of the package/upgrade manager's choice).</para>
	40	</listitem>
	41
	42	<listitem>
b9dac418 EC	43	<para>When the user OK'ed the update, the symlink <filename>/system-update</filename> or
	44	<filename>/etc/system-update</filename> is created that points to
	45	<filename index="false">/var/lib/system-update</filename> (or wherever the directory with
	46	the upgrade files is located) and the system is rebooted. This symlink is in the root
	47	directory, since we need to check for it very early at boot, at a time where
	48	<filename>/var/</filename> is not available yet.</para>
c5915c63 ZJS	49	</listitem>
	50
	51	<listitem>
45f0c64e	52	<para>Very early in the new boot
2ac5fe95	53	<citerefentry><refentrytitle>systemd-system-update-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
b9dac418 EC	54	checks whether <filename>/system-update</filename> or
	55	<filename>/etc/system-update</filename> exists. If so, it (temporarily and for this boot
	56	only) redirects (i.e. symlinks) <filename>default.target</filename> to
fec0ccea	57	<filename>system-update.target</filename>, a special target that pulls in the base system
45f0c64e ZJS	58	(i.e. <filename>sysinit.target</filename>, so that all file systems are mounted but little
45f0c64e ZJS	59	else) and the system update units.</para>
c5915c63 ZJS	60	</listitem>
	61
	62	<listitem>
2b656050 ZJS	63	<para>The system now continues to boot into <filename>default.target</filename>, and
	64	thus into <filename>system-update.target</filename>. This target pulls in all system
	65	update units. Only one service should perform an update (see the next point), and all
	66	the other ones should exit cleanly with a "success" return code and without doing
	67	anything. Update services should be ordered after <filename>sysinit.target</filename>
301a21a8	68	so that the update starts after all file systems have been mounted.</para>
45f0c64e ZJS	69	</listitem>
	70
	71	<listitem>
2b656050	72	<para>As the first step, an update service should check if the
b9dac418 EC	73	<filename>/system-update</filename> or <filename>/etc/system-update</filename> symlink
	74	points to the location used by that update service. In case it does not exist or points to a
	75	different location, the service must exit without error. It is possible for multiple update
	76	services to be installed, and for multiple update services to be launched in parallel, and
	77	only the one that corresponds to the tool that <emphasis>created</emphasis> the symlink
	78	before reboot should perform any actions. It is unsafe to run multiple updates in
	79	parallel.</para>
c5915c63 ZJS	80	</listitem>
	81
	82	<listitem>
2b656050 ZJS	83	<para>The update service should now do its job. If applicable and possible, it should
	84	create a file system snapshot, then install all packages. After completion (regardless
	85	whether the update succeeded or failed) the machine must be rebooted, for example by
	86	calling <command>systemctl reboot</command>. In addition, on failure the script should
	87	revert to the old file system snapshot (without the symlink).</para>
c5915c63 ZJS	88	</listitem>
	89
	90	<listitem>
e9dd6984 ZJS	91	<para>The update scripts should exit only after the update is finished. It is expected
e9dd6984 ZJS	92	that the service which performs the update will cause the machine to reboot after it
953bf460	93	is done. If the <filename>system-update.target</filename> is successfully reached, i.e.
b9dac418 EC	94	all update services have run, and the <filename>/system-update</filename> or
	95	<filename>/etc/system-update</filename> symlink still exists, it will be removed and
	96	the machine rebooted as a safety measure.</para>
2b656050 ZJS	97	</listitem>
	98
	99	<listitem>
b9dac418 EC	100	<para>After a reboot, now that the <filename>/system-update</filename> and
	101	<filename>/etc/system-update</filename> symlink is gone, the generator won't redirect
	102	<filename>default.target</filename> anymore and the system now boots into the default
	103	target again.</para>
c5915c63 ZJS	104	</listitem>
	105	</orderedlist>
	106	</refsect1>
	107
	108	<refsect1>
	109	<title>Recommendations</title>
	110
	111	<orderedlist>
	112	<listitem>
	113	<para>To make things a bit more robust we recommend hooking the update script into
b0343f8c	114	<filename>system-update.target</filename> via a <filename index="false">.wants/</filename>
c5915c63 ZJS	115	symlink in the distribution package, rather than depending on <command>systemctl
	116	enable</command> in the postinst scriptlets of your package. More specifically, for your
	117	update script create a .service file, without [Install] section, and then add a symlink like
0215f04a	118	<filename index="false">/usr/lib/systemd/system/system-update.target.wants/foobar.service</filename>
b0343f8c	119	→ <filename index="false">../foobar.service</filename> to your package.</para>
c5915c63 ZJS	120	</listitem>
	121
	122	<listitem>
b9dac418 EC	123	<para>Make sure to remove the <filename>/system-update</filename> and
	124	<filename>/etc/system-update</filename> symlinks as early as possible in the update
	125	script to avoid reboot loops in case the update fails.</para>
c5915c63 ZJS	126	</listitem>
	127
	128	<listitem>
45f0c64e ZJS	129	<para>Use <varname>FailureAction=reboot</varname> in the service file for your update script
	130	to ensure that a reboot is automatically triggered if the update fails.
	131	<varname>FailureAction=</varname> makes sure that the specified unit is activated if your
	132	script exits uncleanly (by non-zero error code, or signal/coredump). If your script succeeds
	133	you should trigger the reboot in your own code, for example by invoking logind's
b17649ee	134	<command>Reboot()</command> call or calling <command>systemctl reboot</command>. See
21006e0e ZJS	135	<citerefentry><refentrytitle>org.freedesktop.login1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
21006e0e ZJS	136	for details about the logind D-Bus API.</para>
c5915c63	137	</listitem>
45f0c64e ZJS	138
45f0c64e ZJS	139	<listitem>
964c4eda	140	<para>The update service should declare <varname>DefaultDependencies=no</varname>,
2b656050	141	<varname>Requires=sysinit.target</varname>, <varname>After=sysinit.target</varname>,
a18d83c2	142	<varname>After=system-update-pre.target</varname>, <varname>Before=system-update.target</varname>
2b656050	143	and explicitly pull in any other services it requires.</para>
45f0c64e	144	</listitem>
bc3c5e16 HG	145
	146	<listitem>
	147	<para>It may be desirable to always run an auxiliary unit when booting
	148	into offline-updates mode, which itself does not install updates. To
	149	do this create a .service file with
	150	<varname>Wants=system-update-pre.target</varname> and
	151	<varname>Before=system-update-pre.target</varname> and add a symlink
	152	to that file under
b0343f8c	153	<filename index="false">/usr/lib/systemd/system-update.target.wants</filename>
bc3c5e16 HG	154	.</para>
bc3c5e16 HG	155	</listitem>
c5915c63 ZJS	156	</orderedlist>
	157	</refsect1>
	158
	159	<refsect1>
59b44379	160	<title>See Also</title>
c5915c63	161
13a69c12 DT	162	<para><simplelist type="inline">
	163	<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
	164	<member><citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
	165	<member><citerefentry><refentrytitle>systemd-system-update-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	166	<member><citerefentry project='mankier'><refentrytitle>dnf.plugin.system-upgrade</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	167	</simplelist></para>
c5915c63 ZJS	168	</refsect1>
c5915c63 ZJS	169	</refentry>