update-done: add minimal tool to manage system updates for /etc and /var, if /usr has changed

In order to support offline updates to /usr, we need to be able to run
certain tasks on next boot-up to bring /etc and /var in line with the
updated /usr. Hence, let's devise a mechanism how we can detect whether
/etc or /var are not up-to-date with /usr anymore: we keep "touch
files" in /etc/.updated and /var/.updated that are mtime-compared with
/usr. This means:

Whenever the vendor OS tree in /usr is updated, and any services that
shall be executed at next boot shall be triggered, it is sufficient to
update the mtime of /usr itself. At next boot, if /etc/.updated and/or
/var/.updated is older than than /usr (or missing), we know we have to
run the update tools once. After that is completed we need to update the
mtime of these files to the one of /usr, to keep track that we made the
necessary updates, and won't repeat them on next reboot.

A subsequent commit adds a new ConditionNeedsUpdate= condition that
allows checking on boot whether /etc or /var are outdated and need
updating.

This is an early step to allow booting up with an empty /etc, with
automatic rebuilding of the necessary cache files or user databases
therein, as well as supporting later updates of /usr that then propagate
to /etc and /var again.

.gitignore

@@ -109,6 +109,7 @@
 /systemd-tty-ask-password-agent
 /systemd-uaccess
 /systemd-udevd
+/systemd-update-done
 /systemd-update-utmp
 /systemd-user-sessions
 /systemd-vconsole-setup

Makefile.am

@@ -361,7 +361,8 @@ rootlibexec_PROGRAMS = \
 	systemd-sysctl \
 	systemd-sleep \
 	systemd-bus-proxyd \
-	systemd-socket-proxyd
+	systemd-socket-proxyd \
+	systemd-update-done
 
 systemgenerator_PROGRAMS = \
 	systemd-getty-generator \
@@ -495,7 +496,8 @@ nodist_systemunit_DATA = \
 	units/initrd-cleanup.service \
 	units/initrd-udevadm-cleanup-db.service \
 	units/initrd-switch-root.service \
-	units/systemd-nspawn@.service
+	units/systemd-nspawn@.service \
+	units/systemd-update-done.service
 
 dist_userunit_DATA = \
 	units/user/basic.target \
@@ -538,7 +540,8 @@ EXTRA_DIST += \
 	units/initrd-cleanup.service.in \
 	units/initrd-udevadm-cleanup-db.service.in \
 	units/initrd-switch-root.service.in \
-	units/systemd-nspawn@.service.in
+	units/systemd-nspawn@.service.in \
+	units/systemd-update-done.service.in
 
 CLEANFILES += \
 	units/console-shell.service.m4 \
@@ -1640,6 +1643,14 @@ systemd_update_utmp_LDADD = \
 	libsystemd-shared.la \
 	$(AUDIT_LIBS)
 
+# ------------------------------------------------------------------------------
+systemd_update_done_SOURCES = \
+	src/update-done/update-done.c
+
+systemd_update_done_LDADD = \
+	libsystemd-internal.la \
+	libsystemd-shared.la
+
 # ------------------------------------------------------------------------------
 systemd_shutdownd_SOURCES = \
 	src/shutdownd/shutdownd.c
@@ -5100,14 +5111,19 @@ RUNLEVEL4_TARGET_WANTS += \
 RUNLEVEL5_TARGET_WANTS += \
 	systemd-update-utmp-runlevel.service
 endif
+
 SYSINIT_TARGET_WANTS += \
-	systemd-update-utmp.service
+	systemd-update-utmp.service \
+	systemd-update-done.service
+
 LOCAL_FS_TARGET_WANTS += \
 	systemd-remount-fs.service \
 	tmp.mount
+
 MULTI_USER_TARGET_WANTS += \
 	getty.target \
 	systemd-ask-password-wall.path
+
 SYSINIT_TARGET_WANTS += \
 	dev-hugepages.mount \
 	dev-mqueue.mount \

src/update-done/Makefile

@@ -0,0 +1 @@
+../Makefile

src/update-done/update-done.c

@@ -0,0 +1,104 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright 2014 Lennart Poettering
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "util.h"
+
+static int apply_timestamp(const char *path, struct timespec *ts) {
+        struct timespec twice[2];
+        struct stat st;
+
+        assert(path);
+        assert(ts);
+
+        if (stat(path, &st) >= 0) {
+                /* Is the timestamp file already newer than the OS? If so, there's nothing to do. */
+                if (st.st_mtim.tv_sec > ts->tv_sec ||
+                    (st.st_mtim.tv_sec == ts->tv_sec && st.st_mtim.tv_nsec >= ts->tv_nsec))
+                        return 0;
+
+                /* It is older? Then let's update it */
+                twice[0] = *ts;
+                twice[1] = *ts;
+
+                if (utimensat(AT_FDCWD, path, twice, AT_SYMLINK_NOFOLLOW) < 0) {
+
+                        if (errno == EROFS) {
+                                log_debug("Can't update timestamp file %s, file system is read-only.", path);
+                                return 0;
+                        }
+
+                        log_error("Failed to update timestamp on %s: %m", path);
+                        return -errno;
+                }
+
+        } else if (errno == ENOENT) {
+                _cleanup_close_ int fd = -1;
+
+                /* The timestamp file doesn't exist yet? Then let's create it. */
+
+                fd = open(path, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0644);
+                if (fd < 0) {
+
+                        if (errno == EROFS) {
+                                log_debug("Can't create timestamp file %s, file system is read-only.", path);
+                                return 0;
+                        }
+
+                        log_error("Failed to create timestamp file %s: %m", path);
+                        return -errno;
+                }
+
+                twice[0] = *ts;
+                twice[1] = *ts;
+
+                if (futimens(fd, twice) < 0) {
+                        log_error("Failed to update timestamp on %s: %m", path);
+                        return -errno;
+                }
+        } else {
+                log_error("Failed to stat() timestamp file %s: %m", path);
+                return -errno;
+        }
+
+        return 0;
+}
+
+int main(int argc, char *argv[]) {
+        struct stat st;
+        int r, q;
+
+        log_set_target(LOG_TARGET_AUTO);
+        log_parse_environment();
+        log_open();
+
+        if (stat("/usr", &st) < 0) {
+                log_error("Failed to stat /usr: %m");
+                return EXIT_FAILURE;
+        }
+
+        r = apply_timestamp("/etc/.updated", &st.st_mtim);
+
+        q = apply_timestamp("/var/.updated", &st.st_mtim);
+        if (q < 0 && r == 0)
+                r = q;
+
+        return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}

units/.gitignore

@@ -65,6 +65,7 @@
 /systemd-udevd.service
 /systemd-update-utmp-runlevel.service
 /systemd-update-utmp.service
+/systemd-update-done.service
 /systemd-user-sessions.service
 /systemd-vconsole-setup.service
 /user@.service

units/systemd-update-done.service.in

@@ -0,0 +1,21 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=Update is Completed
+Documentation=man:sysusers.d(5) man:systemd-sysusers(8)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=systemd-readahead-collect.service systemd-readahead-replay.service local-fs.target
+Before=sysinit.target shutdown.target
+RefuseManualStart=yes
+RefuseManualStop=yes
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=@rootlibexecdir@/systemd-update-done