Software updates with OSTree Why and how
by Anton Gerasimov
At: FOSDEM 2017
Security reasons and market demands dictate that software in a connectedembedded Linux device should be updated regularly. Update on a package basisthat is used by PC Linux distributions can be a security threat by itself onembedded devices. On the other hand, full fylesystem upgrade that is common inembedded field can be too wasteful for systems constrained in network bandwithand disk space. OSTree is a tool that allows for upgrades that are bothincremental and atomic and as such perfectly fits the needs of embedded world.
Software updating is an essential feature for a connected embedded Linuxdevice, even if it is not required by end users of the device, since responceto newly discovered vulnerabilities in critical Linux software should be asfast as possible. One approach that is widely used in Linux world is using apackage manager that will download a package and take care of all thedependencies. Unfortunately, some dependencies and/or conflicts with otherpackages can not be noticed by repository mantainers. On a PC it would justlead to the necessity to revert the package back to the working version, buton an embedded device with no human operator it is not possible.Theoretically, number of system configurations is an exponent of number ofpackages one can install, which means that it is practically impossible tomake sure that no combination will result in a broken system. In embeddedworld it is more common to update whole file system image atomically. Thus wecan test system configuration before we distribute it to the devices. To allowfor atomic switching between file tree versions, dual disk partitioning schemeis used: while Linux is running on a root file system stored in one partition,updates are written to another. When the whole new file system image isdownloaded, Linux can switch atomically to it. The main drawback of thisapproach is that you actually have to download the whole file tree (which canbe 100-800MB large in modern devices) for every update. You also can use onlyhalf of your available disk space at once.
OSTree was developed by GNOME team for the GNOME Continuous project and wasnot initialy intended to be used in embedded Linux. It stores all the data ina git-like object repository, but unlike git it is designed to store binarydata and can deploy data as hardlinks to the objects in the repository, thussaving significant amount of disk space. Like git it allows to incrementallytransfer data between repositories, thus making distribution of softwareupdates possible. OSTree repository contains roughly three kinds of objects:commit, directory and file object. Every commit points to a directory tree andrepresents a version of file system tree. Commits can then be deployed to adedicated area and the system can switch to a deployed file tree much the sameway it would switch to another partition in dual-partition scheme. Sincedeploying files just creates hard links to the file objects in the repository,there is no data duplication.
These benefits come at a price: since deployed files are just hardlinks toobjects in a repository, they can't be changed, as it would corrupt therepository and other deployed file systems. Therefore, a clear separationshould be mantained between read-only data, such as executables and resourcesand writable data, such as temporary files, logs, configuration stored in/etc. These requirements are not too restrictive, for most use-cases it willjust involve putting data in correct directories. An image class thatthansforms an OSTree-ignorant file tree to appropriate form and BSP packagesfor some popular platforms (Raspberry Pi, Porter board, QEMU; minnowboardcoming soon) were integrated into Yocto build process and are now available asa separate Yocto layer on Github [https://github.com/advancedtelematic/meta-updater]. It allows you to create OSTree-enabled image and a commit in yourOSTree repository as a part of your normal build process (simply 'bitbakeyour_image').
Room: UD2.120 (Chavanne)
Scheduled start: 2017-02-04 16:30:00
Видео Software updates with OSTree Why and how канала FOSDEM
At: FOSDEM 2017
Security reasons and market demands dictate that software in a connectedembedded Linux device should be updated regularly. Update on a package basisthat is used by PC Linux distributions can be a security threat by itself onembedded devices. On the other hand, full fylesystem upgrade that is common inembedded field can be too wasteful for systems constrained in network bandwithand disk space. OSTree is a tool that allows for upgrades that are bothincremental and atomic and as such perfectly fits the needs of embedded world.
Software updating is an essential feature for a connected embedded Linuxdevice, even if it is not required by end users of the device, since responceto newly discovered vulnerabilities in critical Linux software should be asfast as possible. One approach that is widely used in Linux world is using apackage manager that will download a package and take care of all thedependencies. Unfortunately, some dependencies and/or conflicts with otherpackages can not be noticed by repository mantainers. On a PC it would justlead to the necessity to revert the package back to the working version, buton an embedded device with no human operator it is not possible.Theoretically, number of system configurations is an exponent of number ofpackages one can install, which means that it is practically impossible tomake sure that no combination will result in a broken system. In embeddedworld it is more common to update whole file system image atomically. Thus wecan test system configuration before we distribute it to the devices. To allowfor atomic switching between file tree versions, dual disk partitioning schemeis used: while Linux is running on a root file system stored in one partition,updates are written to another. When the whole new file system image isdownloaded, Linux can switch atomically to it. The main drawback of thisapproach is that you actually have to download the whole file tree (which canbe 100-800MB large in modern devices) for every update. You also can use onlyhalf of your available disk space at once.
OSTree was developed by GNOME team for the GNOME Continuous project and wasnot initialy intended to be used in embedded Linux. It stores all the data ina git-like object repository, but unlike git it is designed to store binarydata and can deploy data as hardlinks to the objects in the repository, thussaving significant amount of disk space. Like git it allows to incrementallytransfer data between repositories, thus making distribution of softwareupdates possible. OSTree repository contains roughly three kinds of objects:commit, directory and file object. Every commit points to a directory tree andrepresents a version of file system tree. Commits can then be deployed to adedicated area and the system can switch to a deployed file tree much the sameway it would switch to another partition in dual-partition scheme. Sincedeploying files just creates hard links to the file objects in the repository,there is no data duplication.
These benefits come at a price: since deployed files are just hardlinks toobjects in a repository, they can't be changed, as it would corrupt therepository and other deployed file systems. Therefore, a clear separationshould be mantained between read-only data, such as executables and resourcesand writable data, such as temporary files, logs, configuration stored in/etc. These requirements are not too restrictive, for most use-cases it willjust involve putting data in correct directories. An image class thatthansforms an OSTree-ignorant file tree to appropriate form and BSP packagesfor some popular platforms (Raspberry Pi, Porter board, QEMU; minnowboardcoming soon) were integrated into Yocto build process and are now available asa separate Yocto layer on Github [https://github.com/advancedtelematic/meta-updater]. It allows you to create OSTree-enabled image and a commit in yourOSTree repository as a part of your normal build process (simply 'bitbakeyour_image').
Room: UD2.120 (Chavanne)
Scheduled start: 2017-02-04 16:30:00
Видео Software updates with OSTree Why and how канала FOSDEM
Показать
Комментарии отсутствуют
Информация о видео
Другие видео канала
Why Linus Torvalds doesn't use Ubuntu or Debian
“Designing OSTree based embedded Linux systems with the Yocto Project” by Sergio Prado
btw, i use ostree
Lightning Webinar: Securing device updates with OSTree
Cinnamon Desktop in 120 Seconds - Linux
Fedora Silverblue: is this the FUTURE of Linux? - Project of the Month
Uplift your Linux systems programming skills with systemd and D-Bus Practical examples and best pra…
OSTree CLI for OS management
What is Yocto? (2021) | Learn Technology in 5 Minutes
GNOME 40, Blur Effect on Application Windows (with Shell Extension)
Designing OSTree based embedded Linux systems with the Yocto Project
Neat Tools To Visualise Linux Processes & Package Dependencies
RHEL for Edge Part 7: rpm-ostree Filesystem
Fedora Kinoite![[LEE2] Designing OSTree based embedded Linux systems](https://i.ytimg.com/vi/37ZqLfGyhYo/default.jpg)
[LEE2] Designing OSTree based embedded Linux systems
Btrfs: The Butter of Fedora - DevConf.CZ 2021
Why containers?
Learn CentOS Part 1 - Introduction and Installation
Fedora Silverblue 30/31 - Kinoite Setup (Additional OSTree Desktops)