From: "Jan Lübbe" <jlu@pengutronix.de>
To: Brian Hutchinson <b.hutchman@gmail.com>
Cc: rauc@pengutronix.de
Subject: Re: [RAUC] Stumped, have a appfs partition that is encrypted, how to get RAUC to update it
Date: Fri, 30 Jul 2021 18:29:18 +0200
Message-ID: <7a45d808c119e373c55163492003751229b4aab0.camel@pengutronix.de>
In-Reply-To: <CAFZh4h-c4fL=Z2W8NQKV+swCqMtM7cQq1-zp5TqMhni6nfzmmA@mail.gmail.com>
Hi Brian,
On Fri, 2021-07-30 at 10:20 -0400, Brian Hutchinson wrote:
> > 100% Installing failed.
> > LastError: Installation error: Failed updating slot appfs.1: failed to run
> > mkfs.ext4: Child process exited with code 1
> > Installing `/tmp/./update-myboard.raucb` failed
> >
> > But yet I can do mkfs.ext4 /dev/mapper/crypt_appfs2 and mount it and the
> > filesystem is fine.
> >
> > Looks like I'm missing something still.
Hmm, you should have more logs on the rauc service side, possibly also with an
error message from mkfs.ext4.
>
> So I think my issue was because I was nfs booted. Slot A was activated but not
> booted. But it looks like maybe it was using slot A /etc/rauc/system.conf
> instead of the currently running nfs instance /etc/rauc/system.conf because what
> I tried before worked once I mounted /dev/mmcblk2gp0p2 and changed that
> /etc/rauc/system.conf to:
It should use /etc/rauc/system.conf from the mounted rootfs, so NFS in your
case.
> [slot.appfs.1]
> device=/dev/mapper/crypt_appfs2
> type=ext4
> parent=rootfs.1
>
> So this brings up a question. If I have boards out in the field and appfs goes
> from plain ext4 to encrypted, I somehow need to update the currently running
> /etc/rauc/system.conf file first before performing an update??? How to handle
> system.conf changes?
The system.conf contents should describe the details of the system that don't
change during updates. Generally, partitioning changes are not possible in an
atomic A/B way, so those are not really in scope for RAUC. :/
Getting such a migration correct in the field is difficult. Something you could
use, though.
The device= properties will follow symlinks. So you could handle the switch
between unencrypted and encrypted in a script before starting the rauc service
and before mounting the current appfs.
For both sides, you'd check if it already contains a LUKS header. If not, it's
an old version which doesn't support encryption yet, so you link /dev/mmcblk...
to /dev/appfs[12].
If it already contains that header, attach the crypt device. Then set up the
/dev/appfs[12] link to /dev/mapper/crypt_appfs[12].
The system.conf would then point to device=/dev/appfs[12].
Then add a pre-install handler:
https://rauc.readthedocs.io/en/latest/using.html#system-based-customization-handlers
It can check if the target slot link still points to the unencrypted device. In
that case, it can set up the crypt device and change the link. RAUC should(*)
then follow the updated link to the encrypted device when installing.
Hope that helps... :)
You can also join us in #rauc on libera.chat or via matrix.org.
Jan
(*) I'm not 100% sure right now when the symlink resolution happens. So you
should check the source. :)
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
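
The boot-time link setup described in the message above, as an added example that is not part of the original mail and is not RAUC's own code. The link names, mapper names, `KEYFILE` and the partition paths are assumptions and placeholders; it covers only the script that runs before the rauc service starts, not the pre-install handler.

```shell
#!/bin/sh
# Added example: early-boot helper that runs before the rauc service starts and
# before appfs is mounted. All paths, names and the key file are assumptions.
LINK_DIR="${LINK_DIR:-/dev}"            # where the appfs1/appfs2 links live
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}" # device-mapper node directory
KEYFILE="${KEYFILE:-/path/to/keyfile}"  # placeholder: key handling is board-specific

# Return 0 if the device starts with the LUKS magic "LUKS" 0xba 0xbe.
# (cryptsetup isLuks "$1" performs the same test on a real system.)
has_luks_header() {
    magic=$(head -c 6 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ]
}

# Open the LUKS container unless its mapper node already exists.
unlock_slot() {
    [ -e "$MAPPER_DIR/$2" ] || cryptsetup open --key-file "$KEYFILE" "$1" "$2"
}

# setup_slot_link RAW_DEVICE LINK_NAME MAPPER_NAME
# Points LINK_DIR/LINK_NAME at the raw partition (old, unencrypted image) or
# at the opened mapper device (LUKS header present). Prints the chosen target.
setup_slot_link() {
    raw=$1 link="$LINK_DIR/$2" name=$3
    if has_luks_header "$raw"; then
        # Fail closed: if unlocking fails, drop any stale link so nothing
        # (mount, mkfs.ext4 during an install) touches the raw LUKS container.
        unlock_slot "$raw" "$name" || { rm -f "$link"; return 1; }
        target="$MAPPER_DIR/$name"
    else
        target=$raw
    fi
    ln -sfn "$target" "$link" && printf '%s\n' "$target"
}

# Typical calls (partition paths are placeholders):
#   setup_slot_link /dev/<appfs-partition-1> appfs1 crypt_appfs1
#   setup_slot_link /dev/<appfs-partition-2> appfs2 crypt_appfs2
```

With this in place, system.conf would use `device=` entries pointing at the links rather than at the partition or mapper node directly.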