#!/usr/bin/env bash
# Update a Flatcar installation on VMWare to use the latest OEM content
#
# Copyright 2020, Neil Mayhew <neil@kerith.ca>
# LICENSE: MIT
# Trace every command and abort on the first failure
set -ex
# extglob enables the !(...) pattern used further down; nullglob makes a
# glob that matches nothing expand to nothing instead of to itself
shopt -s extglob nullglob

# An optional first argument names the OEM content archive to use. An
# archive named by the caller is kept afterwards; the default one is
# treated as a scratch file and deleted once it has been installed.
OEMCONTENT=${1:-oem-vmware.tgz}
KEEPCONTENT=${1:+yes}

# Cache sudo credentials
sudo true
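# Build the OEM content archive from the signed upstream image, unless an
# archive with that name already exists.
if [ ! -f "$OEMCONTENT" ]
then
  # Fetch the release-signing public key. KEYID is the full fingerprint of
  # the primary (main) key; releases are signed with subkeys of that key.
  KEYID=F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
  KEYSERVER=keyserver.ubuntu.com
  gpg --keyserver "$KEYSERVER" --recv-key "$KEYID"

  # Download the current stable VMWare Flatcar release
  IMGNAME=flatcar_production_vmware_raw_image.bin
  IMGURL=https://stable.release.flatcar-linux.net/amd64-usr/current/${IMGNAME}.bz2
  wget -N "$IMGURL" "${IMGURL}.sig"

  # Verify the detached signature before the image is unpacked or mounted.
  # "gpg --verify" on its own accepts a good signature from ANY key in the
  # keyring, so additionally require that the VALIDSIG status line names
  # KEYID as the primary key (its last field). Do not comment this step
  # out: a "No public key" failure usually means the local copy of the
  # release key lacks the current signing subkey and needs to be re-fetched.
  SIGSTATUS=$(gpg --status-fd 1 --verify "${IMGNAME}.bz2.sig" "${IMGNAME}.bz2")
  if ! grep -q "^\[GNUPG:] VALIDSIG .* ${KEYID}\$" <<<"$SIGSTATUS"
  then
    echo "Signature on ${IMGNAME}.bz2 was not made by release key $KEYID" >&2
    exit 1
  fi

  # -f overwrites an unpacked image left behind by an interrupted run
  bunzip2 -kf "${IMGNAME}.bz2"

  # Mount the OEM image partition via loopback. The exit handler releases
  # whatever is still held, so a failure below does not leak the mount or
  # the loop device.
  MNT=$(mktemp -d)
  LOOPDEV=
  MOUNTED=
  cleanup_oem_image() {
    if [ -n "$MOUNTED" ]; then sudo umount "$MNT" || true; fi
    if [ -n "$LOOPDEV" ]; then sudo losetup -d "$LOOPDEV" || true; fi
    rmdir "$MNT"
  }
  trap cleanup_oem_image 0
  LOOPDEV=$(sudo losetup -f --show -P "$IMGNAME")
  sudo mount -r "${LOOPDEV}p6" "$MNT"
  MOUNTED=yes

  # Save the content. The archive is written under a temporary name and
  # renamed only when complete, so an interrupted run cannot leave a
  # truncated archive that the next run would install as if it were valid.
  tar -cvzf "${OEMCONTENT}.partial" --exclude=lost+found -C "$MNT" .
  mv -f -- "${OEMCONTENT}.partial" "$OEMCONTENT"

  # Unmount the OEM image partition
  sudo umount "$MNT"
  MOUNTED=
  sudo losetup -d "$LOOPDEV"
  LOOPDEV=

  # Remove the downloaded image files
  rm -f -- "$IMGNAME" "${IMGNAME}.bz2" "${IMGNAME}.bz2.sig"
fi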
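# Stop existing services and remove them
if [ -d /usr/share/oem/units/ ]
then
  # Collect the bare unit file names shipped by the current OEM content;
  # with nullglob an empty directory yields an empty list
  UNITS=(/usr/share/oem/units/*)
  UNITS=("${UNITS[@]##*/}")

  if [ "${#UNITS[@]}" -gt 0 ]
  then
    # Best effort: a unit that is not loaded or not running must not abort the update
    sudo systemctl stop -- "${UNITS[@]}" || true
    # Delete only the installed copies of those units. "--" keeps a file
    # name that starts with "-" from being read as an option to rm.
    (cd /etc/systemd/system/ && sudo rm -f -- "${UNITS[@]}")
  fi

  sudo systemctl daemon-reload
fi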
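# NOTE: an archive that already existed when the script started (named on
# the command line or left over from an earlier run) is installed as root
# without any signature check. Only use archives produced by this script
# from a verified image.

# Make sure the archive can be read from start to finish before anything
# is deleted, so a missing or truncated archive cannot leave the OEM
# partition empty.
tar -tf "$OEMCONTENT" >/dev/null

# Remove the existing content
sudo rm -rf /usr/share/oem/!(lost+found)

# Install the new content
sudo tar -xf "$OEMCONTENT" -C /usr/share/oem

# Keep the archive only when the caller named it explicitly
[ -n "$KEEPCONTENT" ] || rm -f -- "$OEMCONTENT"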
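# Install new services and start them
if [ -d /usr/share/oem/units/ ]
then
  # Bare unit file names shipped by the new OEM content; with nullglob an
  # empty directory yields an empty list
  UNITS=(/usr/share/oem/units/*)
  UNITS=("${UNITS[@]##*/}")

  if [ "${#UNITS[@]}" -gt 0 ]
  then
    (cd /usr/share/oem/units/ && sudo cp -p -- "${UNITS[@]}" /etc/systemd/system/)
  fi

  sudo systemctl daemon-reload

  # "systemctl start" with no unit names is an error, which under "set -e"
  # would abort the script after the content was already installed
  if [ "${#UNITS[@]}" -gt 0 ]
  then
    sudo systemctl start -- "${UNITS[@]}"
  fi
fi

# Inform the user
set +x
echo "New OEM content was installed and services were restarted"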
Thanks for catching this. I've switched to using keys.openpgp.org in my gpg.conf, so I'll update the gist to use the same.
Even keys.openpgp.org is problematic now. It no longer includes user IDs, so gpg won't import keys from it. keyserver.ubuntu.com seems to be a good choice, so I've updated the gist.
./update-oem-vmware.sh
+ shopt -s extglob nullglob
+ OEMCONTENT=oem-vmware.tgz
+ KEEPCONTENT=
+ '[' -n '' ']'
+ sudo true
+ '[' '!' -f oem-vmware.tgz ']'
+ KEYID=782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91
+ KEYSERVER=keyserver.ubuntu.com
+ gpg --keyserver keyserver.ubuntu.com --recv-key 782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key E25D9AED0593B34A: public key "Flatcar Buildbot (Official Builds) <buildbot@flatcar-linux.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
+ IMGNAME=flatcar_production_vmware_raw_image.bin
+ wget -N https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2 https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2.sig
--2023-07-16 16:38:44-- https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2
Resolving stable.release.flatcar-linux.net... 136.144.58.113
Connecting to stable.release.flatcar-linux.net|136.144.58.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 388249739 (370M) [application/x-bzip2]
Saving to: 'flatcar_production_vmware_raw_image.bin.bz2'
flatcar_production_vmware_raw_image.bi 100%[==========================================================================>] 370.26M 42.9MB/s in 9.1s
2023-07-16 16:38:54 (40.5 MB/s) - 'flatcar_production_vmware_raw_image.bin.bz2' saved [388249739/388249739]
--2023-07-16 16:38:54-- https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2.sig
Reusing existing connection to stable.release.flatcar-linux.net:443.
HTTP request sent, awaiting response... 200 OK
Length: 594 [application/pgp-signature]
Saving to: 'flatcar_production_vmware_raw_image.bin.bz2.sig'
flatcar_production_vmware_raw_image.bi 100%[==========================================================================>] 594 --.-KB/s in 0s
2023-07-16 16:38:54 (408 MB/s) - 'flatcar_production_vmware_raw_image.bin.bz2.sig' saved [594/594]
FINISHED --2023-07-16 16:38:54--
Total wall clock time: 10s
Downloaded: 2 files, 370M in 9.1s (40.5 MB/s)
+ gpg --verify flatcar_production_vmware_raw_image.bin.bz2.sig flatcar_production_vmware_raw_image.bin.bz2
gpg: Signature made Tue Jul 4 16:01:22 2023 UTC
gpg: using RSA key E9426D8B67E35DF476BD048185F7C8868837E271
gpg: issuer "buildbot@flatcar-linux.org"
gpg: Can't check signature: No public key
Script got farther than before.
@neilmayhew
./update-oem-vmware.sh + shopt -s extglob nullglob + OEMCONTENT=oem-vmware.tgz + KEEPCONTENT= + '[' -n '' ']' + sudo true + '[' '!' -f oem-vmware.tgz ']' + KEYID=782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91 + KEYSERVER=keyserver.ubuntu.com + gpg --keyserver keyserver.ubuntu.com --recv-key 782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91 gpg: /root/.gnupg/trustdb.gpg: trustdb created gpg: key E25D9AED0593B34A: public key "Flatcar Buildbot (Official Builds) <buildbot@flatcar-linux.org>" imported gpg: Total number processed: 1 gpg: imported: 1 + IMGNAME=flatcar_production_vmware_raw_image.bin + wget -N https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2 https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2.sig --2023-07-16 16:38:44-- https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2 Resolving stable.release.flatcar-linux.net... 136.144.58.113 Connecting to stable.release.flatcar-linux.net|136.144.58.113|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 388249739 (370M) [application/x-bzip2] Saving to: 'flatcar_production_vmware_raw_image.bin.bz2' flatcar_production_vmware_raw_image.bi 100%[==========================================================================>] 370.26M 42.9MB/s in 9.1s 2023-07-16 16:38:54 (40.5 MB/s) - 'flatcar_production_vmware_raw_image.bin.bz2' saved [388249739/388249739] --2023-07-16 16:38:54-- https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2.sig Reusing existing connection to stable.release.flatcar-linux.net:443. HTTP request sent, awaiting response... 
200 OK Length: 594 [application/pgp-signature] Saving to: 'flatcar_production_vmware_raw_image.bin.bz2.sig' flatcar_production_vmware_raw_image.bi 100%[==========================================================================>] 594 --.-KB/s in 0s 2023-07-16 16:38:54 (408 MB/s) - 'flatcar_production_vmware_raw_image.bin.bz2.sig' saved [594/594] FINISHED --2023-07-16 16:38:54-- Total wall clock time: 10s Downloaded: 2 files, 370M in 9.1s (40.5 MB/s) + gpg --verify flatcar_production_vmware_raw_image.bin.bz2.sig flatcar_production_vmware_raw_image.bin.bz2 gpg: Signature made Tue Jul 4 16:01:22 2023 UTC gpg: using RSA key E9426D8B67E35DF476BD048185F7C8868837E271 gpg: issuer "buildbot@flatcar-linux.org" gpg: Can't check signature: No public key
Script got farther than before. @neilmayhew
Commented out line 33 to skip gpg --verify
Successfully updated vmware tools on 5 vms. Took about 75 seconds :)
@bignay2000 Glad you were able to get it working for now
I changed the keyid to be the id of the main key instead of the id of the subkey that was in use at the time this script was written. This should be future-proof since Flatcar doesn't change to a different main key, it only adds new subkeys to it.
Also, note that the key id is the full-length id rather than the abbreviated one that's reported by gpg and shown on the Flatcar web page. (The abbreviated version is a suffix of the full one.)
Reran the script without commenting out verify. Successfully updated 5 vms a second time. Thanks for making this robust.
@bignay2000 Thanks for reporting back!
Hopefully Flatcar will always push the key to the key servers from now on and this, together with my recent changes, will prevent people from running into this problem again.
It seems that GPG service is deprecated, I had to change the Keyserver to sks.pod02.fleetstreetops.com out of the pool of remaining servers here: https://sks-keyservers.net/status/
I would guess that the service is not going to be available much longer and should be moved to something else.