Re: [pve-devel] [PATCH pve-kernel-meta/proxmox-ve v2] proxmox-boot: add kernel pinning functionality (#3761)

["Fabian Grünbichler" <f.gruenbichler@proxmox.com>]

On February 4, 2022 7:45 pm, Stoiko Ivanov wrote:
> changes v1->v2:
> * incorporated the feedback on the v1 (by Aaron and Fabian - huge thx!):
> ** a next-boot pin is now handled independently from a pin - i.e. if you
>    both pin a kernel and set one for the next-boot - the system afterwards
>    keeps the pinned version (instead of the latest)
> ** change from modifying /etc/default/grub to creating a snippet in
>    /etc/default/grub.d/proxmox-boot-pin.cfg - I did not see a need for having
>    two pinning files there (since they get written both at each relevant
>    invocation anyways - thus also no need for prefixing with y_ and z_
> ** the semantics of unpin changed (it now takes an optional argument to
>    remove the next-boot-pin only (made the cleanup-service cleaner)
> ** added a check to the apthook in proxmox-ve as Fabian suggested
> * changed the semantics of get_first_line - to check for file existence
>   itself, since it makes using it shorter at almost all call-sites
> * fixed two perlcritic warnings in the pve apthook (which is quite
>   independent of the series)
> 
> again tested on 3 VMs (ext4, zfs+uefi, zfs+legacy) - but would be grateful
> if you find some use-case apart from - pin permanent, pin next-boot, reboot,
> reboot.

some small things noted as replies to patches (might warrant a v3 - so 
I'll wait for your replies ;)), and the following proxmox-ve followups 
as discussed off-list:

diff --git a/debian/apthook/pve-apt-hook b/debian/apthook/pve-apt-hook
index 6de56c4..ff9877e 100755
--- a/debian/apthook/pve-apt-hook
+++ b/debian/apthook/pve-apt-hook
@@ -15,12 +15,12 @@ my $log = sub {
   print "W: ($hook_name) $line";
 };
 
-if (!defined $fd || $fd == 0) {
+if (!defined $fd || $fd == 0 || $fd !~ /^\d+$/) {
   $log->("APT_HOOK_INFO_FD not correctly defined, skipping apt-pve-hook checks\n");
   exit 0;
 }
 
-open(my $fh, q{<&=}, "${fd}") or die "E: could not open APT_HOOK_INFO_FD (${fd}) - $!\n";
+open(my $fh, "<&=", $fd) or die "E: could not open APT_HOOK_INFO_FD (${fd}) - $!\n";
 
 my $cleanup = sub {
   my ($rc, $confirm) = @_;
@@ -99,8 +99,8 @@ while (my $line = <$fh>) {
     if ($action eq '**REMOVE**') {
       my $next_boot_ver = $file_read_firstline->("/etc/kernel/next-boot-pin");
       my $pinned_ver = $file_read_firstline->("/etc/kernel/proxmox-boot-pin");
-      my $remove_pinned_ver = ($next_boot_ver && $pkg =~ /$next_boot_ver/);
-      $remove_pinned_ver ||= ($pinned_ver && $pkg =~ /$pinned_ver/);
+      my $remove_pinned_ver = ($next_boot_ver && $pkg =~ /${next_boot_ver}$/);
+      $remove_pinned_ver ||= ($pinned_ver && $pkg =~ /${pinned_ver}$/);
       if ($remove_pinned_ver) {
         $log->("!! WARNING !!\n");
         $log->("You are attempting to remove the currently pinned kernel '${pkg}'!\n");

> 
> 
> original cover letter of v1:
> The following series adds:
> * proxmox-boot-tool kernel pin <kabi-version> (to permanently set the
>   default entry of the respective bootloader)
> * proxmox-boot-tool kernel unpin (to undo a previous pin)
> * proxmox-boot-tool kernel next-boot (to do a pin+touch a file, which causes
>   an unpin on next boot)
> 
> This is the first functionality which is available for 'regular grub-setups'
> (i.e. systems setup with lvm-thin with our ISO or systems installed on top
> of plain debian) as well.
> 
> The first two patches are cleanup+refactoring (and should not change any
> functionality)
> 
> The choices (those I think might benefit from a bit of feedback) for this
> implementation were:
> * for grub - automaticially rewrite '/etc/default/grub' (as this is where
>   I'd look to check whether some default is set)
> * for systemd - set the entry in the loader.conf and not in the efivars
>   (`bootctl set-default/set-once`) - mostly from my bias towards config
>   files instead of UEFI vars (depending on implementation quality of the
>   UEFI) - another reason was to keep the implementation close for both
>   boot-loaders
> * for p-b-t booted systems the need to run `p-b-t refresh` manually
>   afterwards (following the behavior of `p-b-t kernel add/remove`) could
>   be changed to invoking the refresh directly (as with non-p-b-t booted
>   systems). Especially since it might make sense to 'add' multiple kernels
>   and then do the mount+copy+configupdate only once, whereas you can only
>   pin on version anyways
> 
> Tested on three VMs installed from the 7.1 ISO (UEFI+ZFS, legacy+ZFS,
> UEFI+lvm-thin).
> 
> 
> proxmox-kernel-meta:
> Stoiko Ivanov (4):
>   proxmox-boot: return empty if file does not exist in get_first_line
>   proxmox-boot: fix #3671 add pin/unpin for kernel-version
>   proxmox-boot: add kernel next-boot command
>   proxmox-boot: add pin/unpin functionality for non-p-b-t systems
> 
>  bin/proxmox-boot-tool                     | 76 ++++++++++++++++++++++-
>  debian/pve-kernel-helper.install          |  1 +
>  debian/rules                              |  3 +
>  proxmox-boot/Makefile                     |  4 ++
>  proxmox-boot/functions                    | 45 ++++++++++++++
>  proxmox-boot/proxmox-boot-cleanup.service | 13 ++++
>  proxmox-boot/zz-proxmox-boot              |  8 +++
>  7 files changed, 147 insertions(+), 3 deletions(-)
>  create mode 100644 proxmox-boot/proxmox-boot-cleanup.service
> 
> proxmox-ve:
> Stoiko Ivanov (2):
>   apt-hook: fix perlcritic warnings
>   apt-hook: add check preventing the removal of pinned kernels
> 
>  debian/apthook/pve-apt-hook | 34 ++++++++++++++++++++++++++++++++--
>  1 file changed, 32 insertions(+), 2 deletions(-)
> 
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 
> 
>