
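#!/bin/bash
#
# Download updates (or explicitly requested packages) for Qubes dom0 from
# inside a VM, verify them where the package manager does not, and hand them
# over to dom0 through the qubes.ReceiveUpdates qrexec service.
#
# Usage: qubes-download-dom0-updates.sh [--gui|--nogui] [--clean]
#            [--check-only] [--action=ACTION] [-OPTION]... [PKG]...
#
#   --gui / --nogui   show (default) / suppress zenity dialogs
#   --clean           run "clean all" and drop cached packages first
#   --check-only      only report whether updates are available
#                     (effective when no PKG is given)
#   --action=ACTION   package manager action; defaults to "install" when PKGs
#                     are given and to "upgrade" otherwise
#   --doit            accepted and ignored
#   any other -OPTION is forwarded verbatim to the package manager
#
# The package manager is pointed at DOM0_UPDATES_DIR as its install root
# (rpm database under var/lib/rpm, repository configuration under etc/).
#
# Exit status: 0 on success or when nothing is to be done, 100 from
# --check-only when updates are available, 1 (or the failing command's
# status) on error.

DOM0_UPDATES_DIR=/var/lib/qubes/dom0-updates
GUI=1
CLEAN=0
CHECK_ONLY=0
# Options passed to every package manager invocation. Kept as an array so
# that an option containing whitespace is passed as a single argument.
OPTS=(--installroot "$DOM0_UPDATES_DIR")
if [ -f "$DOM0_UPDATES_DIR/etc/dnf/dnf.conf" ]; then
  OPTS+=("--config=$DOM0_UPDATES_DIR/etc/dnf/dnf.conf")
elif [ -f "$DOM0_UPDATES_DIR/etc/yum.conf" ]; then
  OPTS+=("--config=$DOM0_UPDATES_DIR/etc/yum.conf")
fi
# DNF uses /etc/yum.repos.d, even when --installroot is specified
OPTS+=("--setopt=reposdir=$DOM0_UPDATES_DIR/etc/yum.repos.d")
# DNF verifies signatures implicitly, but yumdownloader does not. When the
# yumdownloader fallback is used, SIGNATURE_REGEX is set to the expected
# "rpmkeys --checksig" output and every downloaded package is checked
# against it before anything is sent to dom0.
SIGNATURE_REGEX=""
PKGLIST=()
YUM_ACTION=
# Package manager output is parsed below; pin the locale so it is stable.
export LC_ALL=C

while [ $# -gt 0 ]; do
  case "$1" in
    --doit)
      # ignore
      ;;
    --nogui)
      GUI=0
      ;;
    --gui)
      GUI=1
      ;;
    --clean)
      CLEAN=1
      ;;
    --check-only)
      CHECK_ONLY=1
      ;;
    --action=*)
      YUM_ACTION=${1#--action=}
      ;;
    '')
      # an empty argument is neither an option nor a package name
      ;;
    -*)
      # unknown option: forwarded verbatim to the package manager
      OPTS+=("$1")
      ;;
    *)
      PKGLIST+=("$1")
      # explicit package names imply "install" unless an action was given
      if [ -z "$YUM_ACTION" ]; then
        YUM_ACTION=install
      fi
      ;;
  esac
  shift
done
if [ -z "$YUM_ACTION" ]; then
  YUM_ACTION=upgrade
fi

# Package manager command, as an array for the same reason as OPTS.
YUM=(yum)
if command -v dnf >/dev/null 2>&1; then
  YUM=(dnf --best --allowerasing --noplugins)
else
  # salt in dom0 thinks it's using dnf but we only have yum so need to remove extra options
  filtered_opts=()
  for opt in "${OPTS[@]}"; do
    case "$opt" in
      --best|--allowerasing) ;;
      *) filtered_opts+=("$opt") ;;
    esac
  done
  OPTS=("${filtered_opts[@]}")
fi

if ! [ -d "$DOM0_UPDATES_DIR" ]; then
  echo "Dom0 updates dir does not exists: $DOM0_UPDATES_DIR" >&2
  exit 1
fi

mkdir -p "$DOM0_UPDATES_DIR/etc"

if [ -e /etc/debian_version ]; then
  # Default rpm configuration on Debian uses ~/.rpmdb for rpm database (as
  # rpm isn't native package manager there)
  mkdir -p "$DOM0_UPDATES_DIR$HOME"
  rm -rf "$DOM0_UPDATES_DIR$HOME/.rpmdb"
  cp -r "$DOM0_UPDATES_DIR/var/lib/rpm" "$DOM0_UPDATES_DIR$HOME/.rpmdb"
fi

# Rebuild rpm database in case of different rpm version
rm -f "$DOM0_UPDATES_DIR"/var/lib/rpm/__*
rpm --root="$DOM0_UPDATES_DIR" --rebuilddb

if [ "$CLEAN" = "1" ]; then
  "${YUM[@]}" "${OPTS[@]}" clean all
  rm -f "$DOM0_UPDATES_DIR"/packages/*
  rm -rf "$DOM0_UPDATES_DIR"/var/cache/*
fi

# just check for updates, but don't download any package
if [ ${#PKGLIST[@]} -eq 0 ] && [ "$CHECK_ONLY" = "1" ]; then
  echo "Checking for dom0 updates..." >&2
  UPDATES_FULL=$("${YUM[@]}" "${OPTS[@]}" check-update)
  check_update_retcode=$?
  if [ "$check_update_retcode" -eq 1 ]; then
    # Exit here if yum have reported an error. Exit code 100 isn't an
    # error, it's "updates available" info, so check specifically for exit code 1
    exit 1
  fi
  if [ "$check_update_retcode" -eq 100 ]; then
    echo "Available updates: "
    echo "$UPDATES_FULL"
    exit 100
  else
    echo "No new updates available"
    if [ "$GUI" = 1 ]; then
      zenity --info --text="No new updates available"
    fi
    exit 0
  fi
fi

# now, we will download something
YUM_COMMAND=(fakeroot "${YUM[@]}" "$YUM_ACTION" -y --downloadonly)
# check for --downloadonly option - if not supported (Debian), fallback to
# yumdownloader
if ! "${YUM[@]}" --help | grep -q downloadonly; then
  # Expected "rpmkeys --checksig" line for a correctly signed package. The
  # character class ends with "-" so that it is a literal hyphen; inside
  # "+-/" it would form a range that also admits ",".
  if dpkg --compare-versions \
      "$(dpkg-query --show --showformat='${version}' rpm)" gt 4.14; then
    SIGNATURE_REGEX="^[A-Za-z0-9._+/-]{1,128}\.rpm: digests signatures OK$"
  else
    SIGNATURE_REGEX="^[A-Za-z0-9._+/-]{1,128}\.rpm: [a-z0-9() ]* (pgp|gpg) [a-z0-9 ]* OK$"
  fi
  # setup environment for yumdownloader to be happy
  if [ ! -e "$DOM0_UPDATES_DIR/etc/yum.conf" ]; then
    ln -nsf dnf/dnf.conf "$DOM0_UPDATES_DIR/etc/yum.conf"
  fi
  YUMDOWNLOADER=(yumdownloader "--destdir=$DOM0_UPDATES_DIR/packages" --resolve)
  if [ "$YUM_ACTION" = "install" ]; then
    YUM_COMMAND=("${YUMDOWNLOADER[@]}")
  elif [ "$YUM_ACTION" = "upgrade" ]; then
    UPDATES_FULL=$("${YUM[@]}" "${OPTS[@]}" check-update "${PKGLIST[@]}")
    check_update_retcode=$?
    if [ "$check_update_retcode" -eq 1 ]; then
      # yum reported an error (100 means "updates available"): do not turn
      # its diagnostics into a package list
      echo "ERROR: checking for updates failed" >&2
      exit 1
    fi
    if [ "$check_update_retcode" -eq 0 ]; then
      # exit code 0 means no updates available - regardless of stdout messages
      echo "No new updates available" >&2
      exit 0
    fi
    # reduce the check-update listing to the package names in its first column
    UPDATES_FULL=$(grep -v "^Loaded plugins:\|^Last metadata\|^$" <<<"$UPDATES_FULL")
    mapfile -t PKGLIST < <(grep -v "^Obsoleting\|Could not" <<<"$UPDATES_FULL" | cut -f 1 -d ' ')
    YUM_COMMAND=("${YUMDOWNLOADER[@]}")
  elif [ "$YUM_ACTION" == "list" ] || [ "$YUM_ACTION" == "search" ]; then
    # those actions do not download any package, so lack of --downloadonly is irrelevant
    YUM_COMMAND=("${YUM[@]}" "$YUM_ACTION" -y)
  elif [ "$YUM_ACTION" == "reinstall" ]; then
    # this is just approximation of 'reinstall' action...
    mapfile -t PKGLIST < <(rpm --root="$DOM0_UPDATES_DIR" -q "${PKGLIST[@]}")
    YUM_COMMAND=("${YUMDOWNLOADER[@]}")
  else
    echo "ERROR: yum version installed in VM $(hostname) does not suppport --downloadonly option" >&2
    echo "ERROR: only 'install' and 'upgrade' actions supported ($YUM_ACTION not)" >&2
    if [ "$GUI" = 1 ]; then
      zenity --error --text="yum version too old for '$YUM_ACTION' action, see console for details"
    fi
    exit 1
  fi
fi

mkdir -p "$DOM0_UPDATES_DIR/packages"

set -e

if [ "$GUI" = 1 ]; then
  ( echo "1"
    "${YUM_COMMAND[@]}" "${OPTS[@]}" "${PKGLIST[@]}"
    echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \
      --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates"
  # The pipeline's own status is zenity's; the download ran in the first
  # stage, so its status has to be taken from PIPESTATUS or a failed download
  # would go unnoticed and a partial package set would be sent to dom0.
  download_exit_code=${PIPESTATUS[0]}
  if [ "$download_exit_code" -ne 0 ]; then
    echo "ERROR: downloading packages failed with exit code ${download_exit_code}" >&2
    exit "$download_exit_code"
  fi
else
  "${YUM_COMMAND[@]}" "${OPTS[@]}" "${PKGLIST[@]}"
fi

# Collect packages the package manager left in its cache into packages/
find "$DOM0_UPDATES_DIR/var/cache" -name '*.rpm' -print0 2>/dev/null |
  xargs -0 -r ln -f -t "$DOM0_UPDATES_DIR/packages/"

if ls "$DOM0_UPDATES_DIR"/packages/*.rpm > /dev/null 2>&1; then
  if [ -n "$SIGNATURE_REGEX" ]; then
    # yumdownloader path: verify every package here and delete whatever does
    # not verify, so that an unverified package is never handed to dom0.
    rpmkeys_error=0
    for pkg in "$DOM0_UPDATES_DIR"/packages/*.rpm; do
      rpmkeys_exit_code=0
      output="$(rpmkeys --root "$DOM0_UPDATES_DIR" --checksig "$pkg")" \
        || rpmkeys_exit_code="$?"
      if [ ! "$rpmkeys_exit_code" = "0" ]; then
        echo "ERROR: could not verify $pkg" >&2
        rpmkeys_error=1
        rm -- "$pkg"
      elif ! grep -Pq "$SIGNATURE_REGEX" <<<"$output"; then
        # the exit status alone is not trusted: the output must also report
        # a verified signature, not just matching digests
        echo "ERROR: missing or invalid signature for $pkg" >&2
        rpmkeys_error=1
        rm -- "$pkg"
      else
        echo "Successfully verified $pkg" >&2
      fi
    done
    if [ ! "$rpmkeys_error" = "0" ]; then
      echo "ERROR: could not verify one or more packages" >&2
      exit 1
    fi
  fi
  # Hand the packages over to dom0.
  cmd=(/usr/lib/qubes/qrexec-client-vm dom0 qubes.ReceiveUpdates /usr/lib/qubes/qfile-agent)
  qrexec_exit_code=0
  "${cmd[@]}" "$DOM0_UPDATES_DIR"/packages/*.rpm || qrexec_exit_code=$?
  if [ ! "$qrexec_exit_code" = "0" ]; then
    echo "'${cmd[*]} $DOM0_UPDATES_DIR/packages/*.rpm' failed with exit code ${qrexec_exit_code}!" >&2
    exit "$qrexec_exit_code"
  fi
else
  echo "No packages downloaded" >&2
fi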