Update Vendor tools on existing installations (e.g. VMWare open-vm.tools) #21
Comments
t-lo
added
kind/bug
|
I tried to reproduce it but after two updates the |
t-lo
changed the title
|
I've updated the issue title and description as I received more information from the original reporter. Please pardon the confusion:
|
|
OEM partitions are not updated as far as I know. |
|
We might want to turn this into a feature request then. |
|
I would rather look into moving OEM partition contents to a container image run by a service we ship in |
t-lo
added
kind/feature
t-lo
changed the title
|
FYI, with auto-updating images (the default) and the recent bump from kernel 4 to 5, this breaks vmtoolsd on 100% of systems updating from kernel 4 to 5. As an immediate response it would be cool if you might provide an easy way (easier than vmware silly solution) to update the vmtoolsd, or you will get bombarded with issues on github. And moving forward, it seems a bad idea to lock the bundled oem tools in time to the point in time when the image was first deployed, while the OS continues to move forward. It 100% guarantees this kind of thing will happen over and over again. Alas I can't help code this feature, but I'm available to guinea pig anything you come up. |
|
Yes, indeed it's a bad idea - that's why we have this issue open! We're working on it, but it's not a simple one-line fix and we want to do it right. |
|
Here is oem partition from 2605.5.0 clean install in case someone is totally hosed and cannot follow vmware suggestion. Caveat: security-wise it is an abysimally bad idea to download binaries that run as root from arbitrary sources (i.e. me) |
|
I didn't have this problem because internally, I generate a (private) docker container that contains new tools, and on execution rsync's the new tools into /usr/share/oem. I've been running 11.1.0 for quite some time. A similar technique could be used with an image on Docker hub... or by adding a separate image to the update servers. (i.e. add oem-2605.5.0.tar.gz files with appropriate .sig files to the channel release sites and provide an updater tool, integrated with update-engine or otherwise) |
|
Also interesting to note the version I compiled doesn't depend on libssl at all.. :-D |
|
The workaround documented by VMWare involves creating a new VM. This isn't a viable option for me, so I wrote a script that can be run on an existing VM to upgrade it. The script downloads the current stable VMWare Flatcar image and extracts the OEM partition from it. It then copies the files across to the running OEM partition and restarts the daemons. If you specify a tar filename on the command line it will reuse an existing tarfile if it exists and leave the tarfile in place afterwards so you can reuse it on other machines. [Edit: use the updated version as discussed below] #!/usr/bin/env bash
# Update a Flatcar installation on VMWare to use the latest OEM content
set -ex
shopt -s extglob
OEMCONTENT=oem-vmware.tgz
KEEPCONTENT=
if [ -n "$1" ]
then
OEMCONTENT=$1
KEEPCONTENT=yes
fi
# Cache sudo credentials
sudo true
if [ ! -f "$OEMCONTENT" ]
then
# Fetch the release-signing public key
KEYID=782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91
KEYSERVER=pool.sks-keyservers.net
gpg --keyserver $KEYSERVER --recv-key $KEYID
# Download the current stable VMWare Flatcar release
IMGNAME=flatcar_production_vmware_raw_image.bin
wget -N https://stable.release.flatcar-linux.net/amd64-usr/current/${IMGNAME}.bz2{,.sig}
gpg --verify ${IMGNAME}.bz2{.sig,}
bunzip2 -k ${IMGNAME}.bz2
# Mount the OEM image partition via loopback
MNT=$(mktemp -d) && trap 'rmdir "$MNT"' 0
LOOPDEV=$(sudo losetup -f --show -P ${IMGNAME})
sudo mount -r "${LOOPDEV}p6" "$MNT"
# Save the content
tar -cvzf "$OEMCONTENT" --exclude=lost+found -C "$MNT" .
# Unmount the OEM image partition
sudo umount "$MNT"
sudo losetup -d "${LOOPDEV}"
# Remove the downloaded image files
rm -f ${IMGNAME}{,.bz2{.sig,}}
fi
# Stop the daemons
(cd /usr/share/oem/units && sudo systemctl stop -- *)
# Remove the exiting content
sudo rm -rf /usr/share/oem/!(lost+found)
# Install the new content
sudo tar -xf "$OEMCONTENT" -C /usr/share/oem
[ -n "$KEEPCONTENT" ] || rm -f "$OEMCONTENT"
# Restart the daemons
(cd /usr/share/oem/units && sudo systemctl start -- *)
set +x
# Inform the user
echo "New OEM content was installed and services were restarted" |
|
Thanks for sharing! You also have to add a step to copy the new |
Good point. That did complicate things a little, but I've updated and tested the script, and put it in a gist. I realise that most people are running ephemeral instances and will just recreate their VMs, but hopefully this still helps some. |
|
The recent new alpha release (2697.0.0) introduces another new version of |
|
I did a spike to better understand the major challenges left; WIP PRs are
Major blockers left:
|
@neilmayhew I just wanted to give you a big shout out for this. Thank you very much for saving our asses. |
|
I used the script again myself today, to bring the OEM directories in line with the new Flatcar stable release that just arrived ( |
sayanchowdhury
added
platform/VMWare
and removed
channel/alpha
Getting an error when I try to update. My ESXi 8 VM: |
|
Unfortunately, things keep changing with the keyservers. I've had to change my personal GPG config several times since I wrote this gist. It will work with $ gpg --keyserver keyserver.ubuntu.com --recv-key 782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91
gpg: key E25D9AED0593B34A: "Flatcar Buildbot (Official Builds) <buildbot@flatcar-linux.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1I'll update the gist. |
|
It looks like the image is being signed with a different key from before ( |
|
For now, you could just comment out the verification on line 33 |
|
I downloaded and imported the key using the instructions on the web page, and it has two new subkeys, one of which is the one used to sign the image. Verifying the image now works. However, I don't see the point of using |
This worked, successfully update VMWare Tools from open-vm-tools from 11.3.5 to 12.1.5 (ESXi Host Client Dashboard shows new version) Thank you |
Older images are signed with the older key, newer ones with the new one. We now allow for some overlap and issue the new one before the old one fully expires so that there is less chance of us ending with images not being able to verify updates.
That's exactly what the idea was: that if you need to verify it, you prefetch it (out of band) and use that to verify. We do have the key inside the image in the
From what I heard keyservers are not a reliable way to distribute gpg keys in this day and age. That being said: I just pushed the key to the ubuntu keyserver (anyone is able to do that). |
|
Thanks for pushing the key. I guess I could have done that myself, using the key from the web page! I'll respond to your comments about the security aspects in #1114. |
|
The update mechanism will be available once the VMWare setup is reworked. That rework is tracked in #1144 We can leave this issue here open for visibility of the workaround script until the rework is done. |
|
The rework is done and the next Alpha will have A/B updated vmware tools: flatcar/scripts#1146 The migration will only happen after both A/B partitions are on the version that require the OEM systemd-sysext image. |
|
That's great news! I look forward to seeing the results. |
The Flatcar Container Linux VMWare image ships with VMWare guest tools. However, when updating Flatcar Container Linux, the guest tools are not updated even if a newer version is shipped with the Flatcar update.
Note that VMWare maintains a knowledge base article on this issue that includes a workaround: https://kb.vmware.com/s/article/2142569
The text was updated successfully, but these errors were encountered: