Updates
Mangos uses systemd's systemd-sysupdate (henceforth referred to as sd-sysupdate) for its update mechanism. sd-sysupdate can pull updates from a filesystem or over HTTP(S). To enumerate available artifacts, sd-sysupdate expects to find a SHA256SUMS file at the root of the update source, listing all available artifacts and their SHA-256 checksums for integrity verification.
sd-sysupdate also fetches SHA256SUMS.asc, a detached PGP signature, which is verified against the trusted keyring (/usr/lib/systemd/import-pubring.gpg) for authenticity verification.
systemd ships with a keyring containing a set of Fedora keys, an Ubuntu key, and an openSUSE key. When building Mangos, this keyring is replaced with a keyring containing only your GnuPG key.
At the moment, we use the default systemd-sysupdate.timer unit, which triggers the update process on this schedule:
- 15 min after boot
- Every 2-6 hours (randomized to avoid everyone doing it all at once)
If a node is only running sporadically, it may miss all the regularly scheduled updates. To address this, there is also a persistent trigger each Saturday. If the node wakes up and sd-sysupdate determines it has missed a persistent trigger, it is invoked.
If your update URL is http://updates.example.com, sd-sysupdate will look at:
- http://updates.example.com/sysupdate/mangos for Mangos images,
- http://updates.example.com/sysupdate/vault for Vault updates,
- etc.
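
A pre-publish check for one update source directory, written as an added example (not part of Mangos or systemd): it verifies SHA256SUMS.asc against the trusted keyring with gpgv, checks each listed artifact with sha256sum, and reports files that are missing from SHA256SUMS and so would not be enumerated. It assumes gpgv and sha256sum are installed; the function names, the KEYRING variable and the example path are hypothetical.

```shell
#!/bin/sh
# Added example, not Mangos or systemd code. KEYRING defaults to the path the
# page names; point it at the keyring you built into the image when testing.
KEYRING=${KEYRING:-/usr/lib/systemd/import-pubring.gpg}

# Authenticity: the detached signature must verify against the trusted keyring.
verify_manifest_signature() {
    dir=$1
    [ -f "$dir/SHA256SUMS" ] || { echo "no SHA256SUMS in $dir" >&2; return 2; }
    [ -f "$dir/SHA256SUMS.asc" ] || { echo "no SHA256SUMS.asc in $dir" >&2; return 3; }
    gpgv --keyring "$KEYRING" "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# Integrity: every artifact listed in the manifest must exist and match its hash.
verify_artifacts() {
    dir=$1
    [ -f "$dir/SHA256SUMS" ] || { echo "no SHA256SUMS in $dir" >&2; return 2; }
    ( cd "$dir" && sha256sum -c SHA256SUMS )
}

# Completeness: print files that are present but not listed in the manifest.
unlisted_artifacts() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in SHA256SUMS|SHA256SUMS.asc) continue ;; esac
        # Manifest lines are "<hash>  <name>" (text) or "<hash> *<name>" (binary).
        awk -v n="$name" '{ sub(/^[0-9a-f]+ [ *]/, ""); if ($0 == n) found = 1 }
                          END { exit !found }' "$dir/SHA256SUMS" || echo "$name"
    done
}

# Run all three checks; signature first, so an unsigned manifest is never trusted.
check_update_source() {
    verify_manifest_signature "$1" || return 1
    verify_artifacts "$1" || return 1
    extra=$(unlisted_artifacts "$1")
    [ -z "$extra" ] || echo "not listed in SHA256SUMS: $extra" >&2
}

# Usage (hypothetical path): check_update_source /srv/updates/sysupdate/mangos
```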