On 11/03/2016 12:31 PM, Chris Murphy wrote:
On Thu, Nov 3, 2016 at 8:35 AM, Stephen Gallagher
<sgallagh(a)redhat.com> wrote:
> So, good news! This is in fact already possible to do today, as I just tested.
> The following set of commands does exactly this:
>
> ```
> pkcon refresh force
> pkcon update --only-download
> pkcon offline-trigger
> systemctl isolate system-update.target
> ```
>
> This all runs in the current boot and will trigger a reboot immediately after
> the update completes. All of this should be easily possible to do for
> Workstation within GNOME Software if we agree that's easier on the end-user.
Cool. Are the sysfs leak concerns by systemd folks considered minor?
Is there any advantage to running this in an nspawn container if
that's a cleaner environment?
Sorry, I think you made some assumptions there that I can't follow. What
advantage would nspawn provide? Would those advantages outweigh the complexity
of dealing with namespacing?
I asked about this on the ostree list and it looks like they're
doing
this with bubblewrap, although I can't comment on the qualitative
difference, if any.
https://mail.gnome.org/archives/ostree-list/2016-October/msg00021.html
I'm not sure what bubblewrap actually does. Does it provide an isolated
environment for running %post scripts without root privilege? I'm not sure
that's relevant to this discussion.
>> There's also kexec: with recent kernels kexec does not work for me anymore
>> (graphics crash). Nevertheless, kexec is something worth considering too:
>> the state is reset quite thoroughly, and we avoid the potentially very
>> slow POST.
>
> 2.0
I thought kexec was disabled for this purpose, at least on UEFI Secure
Boot enabled computers?
My "2.0" there was meant to indicate that I'm not personally willing to
investigate that at this time. I see it as more of a "2.0" feature.