This implements updates via systemd-sysupdate. See individual commit
messages for details.

This depends on "Move verity and EFI creation to separate Nix
derivations", at
<https://spectrum-os.org/lists/archives/spectrum-devel/20251126-refactor-verity-v6-0-f09555546a85@gmail.com>.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
Changes in v5:
- Fix broken shell.nix files in intermediate patches.
- See individual patch messages for more details.
- Link to v4: https://spectrum-os.org/lists/archives/spectrum-devel/20251121-updates-v4-0-...

Changes in v4:
- Fix build errors in intermediate patches.
- Apply suggestions from code review.
- Link to v3: https://spectrum-os.org/lists/archives/spectrum-devel/20251119-updates-v3-0-...

Changes in v3:
- See individual commits for details. There are too many to mention here.
- Link to v2: https://spectrum-os.org/lists/archives/spectrum-devel/20251112-updates-v2-0-...

Changes in v2:
- updates-dir-check:
  - Do not check that there is a SHA256SUMS or SHA256SUMS.gpg file in the
    update directory. systemd-sysupdate will fail if it cannot find a
    manifest or its signature.
  - Follow symlinks in opening the directory. The path is from a trusted
    source and will always point to a BTRFS snapshot, never a symlink.
    The only exception is the last component, which is still checked to
    not be a symlink.
- VM:
  - Link SHA256SUMS.sha256.asc to SHA256SUMS.gpg. Recent systemd-sysupdate
    seems to use the former name.
  - Get update URL from host.
  - Use an execline script instead of a shell script.
- Update script:
  - Unmount shared directory if already mounted. This avoids errors when
    mounting it again.
  - Delete old snapshot if present.
  - Provide the VM information with a different directory layout.
  - Do not bind-mount the information passed into the VM into the shared
    VM folder. Instead rely on this folder being read-only to the guest.
    This is enforced by a read-only bind mount in virtiofs's mount
    namespace.
- Testing:
  - Lots of manual update testing.
  - Disable the test for the live image as it doesn't work anymore.
- Nix:
  - Move validation to a separate low-priority patch.
- Documentation:
  - Document that updating the system is now possible.
- Installer:
  - Remove the "Try Spectrum" button.
- Link to v1: https://spectrum-os.org/lists/archives/spectrum-devel/20251029-updates-v1-0-...

---
Demi Marie Obenour (13):
      tools: Add directory checker for updates
      scripts: port make-gpt.sh to bash
      scripts/make-gpt.sh: Allow specifying partition size
      Port scripts/format-uuid.sh to awk
      Use set and a command substitution to set UUID variables
      scripts: Use shell expansion to get partition path
      release: Compress installation images and remove live image
      Use OS version to set partition labels and UKI name
      Add B partitions to installation images
      release: Create directory with system update
      Support updates via systemd-sysupdate
      Documentation: Update support
      Validate configuration parameters

 Documentation/development/build-configuration.adoc |  15 +++
 Documentation/development/index.adoc               |   2 +
 Documentation/development/updates.adoc             |  42 +++++++
 Documentation/development/uuid-reference.adoc      |   8 ++
 Documentation/installation/getting-spectrum.adoc   |  44 ++++---
 Documentation/installation/index.adoc              |   6 +-
 host/initramfs/Makefile                            |  18 +--
 host/initramfs/etc/probe                           |  20 ---
 host/initramfs/shell.nix                           |   2 +
 host/rootfs/Makefile                               |  27 ++++-
 host/rootfs/default.nix                            |  21 +++-
 host/rootfs/file-list.mk                           |   7 ++
 host/rootfs/image/etc/fstab                        |   1 +
 .../image/etc/sysupdate.d/50-verity.transfer       |  20 +++
 host/rootfs/image/etc/sysupdate.d/60-root.transfer |  20 +++
 .../image/etc/sysupdate.d/70-kernel.transfer       |  20 +++
 .../image/etc/vm-sysupdate.d/50-verity.transfer    |  18 +++
 .../image/etc/vm-sysupdate.d/60-root.transfer      |  18 +++
 .../image/etc/vm-sysupdate.d/70-kernel.transfer    |  18 +++
 host/rootfs/image/usr/bin/spectrum-update          |  92 ++++++++++++++
 host/rootfs/os-release.in                          |  15 +++
 host/rootfs/shell.nix                              |   2 +
 img/app/Makefile                                   |   2 +-
 lib/config.default.nix                             |   3 +
 lib/config.nix                                     |  27 ++++-
 lib/fake-update-signing-key.gpg                    |   3 +
 release.nix                                        |   2 +
 release/checks/integration/meson.build             |   2 +-
 release/checks/integration/try.c                   |  29 -----
 release/combined/eosimages.nix                     |   8 +-
 release/combined/grub.cfg.in                       |   5 -
 release/live/Makefile                              |  17 ++-
 release/live/default.nix                           |   5 +-
 release/live/shell.nix                             |   3 +-
 release/update.nix                                 |  33 +++++
 scripts/format-uuid.awk                            |  19 +++
 scripts/format-uuid.sh                             |  19 ---
 scripts/make-gpt.sh                                |  30 ++---
 tools/default.nix                                  |   1 +
 tools/meson.build                                  |   4 +
 tools/updates-dir-check.c                          | 134 +++++++++++++++++++++
 vm/app/systemd-sysupdate/default.nix               |  26 ++++
 vm/app/systemd-sysupdate/download-update           |  68 +++++++++++
 vm/sys/net/Makefile                                |   2 +-
 44 files changed, 733 insertions(+), 145 deletions(-)
---
base-commit: 64131d7c2c0e5af7ee3a8ee45f3003ba7b71a771
change-id: 20250928-updates-92e99849e231

prerequisite-patch-id: b4c17d0046f0e413bc57eaf795fcf65825839480
prerequisite-patch-id: 08a5517294d2bc746bc555820ed44cf3d2cfe8d0

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)