@neilmayhew
Last active July 22, 2023 21:42
Update a Flatcar installation on VMWare to use the latest OEM content
#!/usr/bin/env bash
# Update a Flatcar installation on VMWare to use the latest OEM content
#
# Copyright 2020, Neil Mayhew <neil@kerith.ca>
# LICENSE: MIT
set -ex
shopt -s extglob nullglob

# Optional argument: a previously saved OEM tarball to install instead of
# downloading a fresh image (a tarball given this way is kept, not deleted)
OEMCONTENT=oem-vmware.tgz
KEEPCONTENT=
if [ -n "$1" ]
then
    OEMCONTENT=$1
    KEEPCONTENT=yes
fi

# Cache sudo credentials
sudo true

if [ ! -f "$OEMCONTENT" ]
then
    # Fetch the release-signing public key. KEYID is the full fingerprint of
    # the Flatcar Buildbot primary key, not the abbreviated id and not the
    # subkey that signs a given release: Flatcar keeps the primary and adds
    # new signing subkeys to it, and fetching the primary also imports the
    # subkeys the keyserver holds for it.
    KEYID=F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
    KEYSERVER=keyserver.ubuntu.com
    gpg --keyserver $KEYSERVER --recv-key $KEYID

    # Download the current stable VMWare Flatcar release
    IMGNAME=flatcar_production_vmware_raw_image.bin
    wget -N https://stable.release.flatcar-linux.net/amd64-usr/current/${IMGNAME}.bz2{,.sig}

    # Verify the detached signature before touching the image; with set -e
    # a failed verification aborts the script here
    gpg --verify ${IMGNAME}.bz2{.sig,}
    bunzip2 -k ${IMGNAME}.bz2

    # Mount the OEM partition (partition 6 of the raw image) read-only via
    # loopback. The trap releases the mount, the loop device and the temp
    # dir even if a later step fails.
    MNT=$(mktemp -d)
    LOOPDEV=
    cleanup() {
        sudo umount "$MNT" 2>/dev/null || true
        [ -z "$LOOPDEV" ] || sudo losetup -d "$LOOPDEV" 2>/dev/null || true
        rmdir "$MNT"
    }
    trap cleanup 0
    LOOPDEV=$(sudo losetup -f --show -P ${IMGNAME})
    sudo mount -r "${LOOPDEV}p6" "$MNT"

    # Save the content
    tar -cvzf "$OEMCONTENT" --exclude=lost+found -C "$MNT" .

    # Unmount the OEM image partition
    sudo umount "$MNT"
    sudo losetup -d "${LOOPDEV}"
    LOOPDEV=

    # Remove the downloaded image files
    rm -f ${IMGNAME}{,.bz2{.sig,}}
fi

# Stop the existing OEM services and remove their unit files
if [ -d /usr/share/oem/units/ ]
then
    cd /usr/share/oem/units/
    UNITS=(*)
    cd "$OLDPWD"
    sudo systemctl stop -- "${UNITS[@]}" || true
    cd /etc/systemd/system/
    sudo rm -f "${UNITS[@]}"
    cd "$OLDPWD"
    sudo systemctl daemon-reload
fi

# Remove the existing content
sudo rm -rf /usr/share/oem/!(lost+found)

# Install the new content
sudo tar -xf "$OEMCONTENT" -C /usr/share/oem
[ -n "$KEEPCONTENT" ] || rm -f "$OEMCONTENT"

# Install new services and start them (skipped if the new content ships none)
if [ -d /usr/share/oem/units/ ]
then
    cd /usr/share/oem/units/
    UNITS=(*)
    [ "${#UNITS[@]}" -eq 0 ] || sudo cp -p -- "${UNITS[@]}" /etc/systemd/system/
    cd "$OLDPWD"
    sudo systemctl daemon-reload
    [ "${#UNITS[@]}" -eq 0 ] || sudo systemctl start -- "${UNITS[@]}"
fi

# Inform the user
set +x
echo "New OEM content was installed and services were restarted"
@cron410 commented Oct 11, 2021

It seems that the GPG service is deprecated; I had to change the keyserver to sks.pod02.fleetstreetops.com out of the pool of remaining servers here: https://sks-keyservers.net/status/

I would guess that the service is not going to be available much longer and should be moved to something else.

@neilmayhew (Author)

Thanks for catching this. I've switched to using keys.openpgp.org in my gpg.conf, so I'll update the gist to use the same.

@neilmayhew (Author)

Even keys.openpgp.org is problematic now. It no longer includes user IDs, so gpg won't import keys from it. keyserver.ubuntu.com seems to be a good choice, so I've updated the gist.

@bignay2000 commented Jul 16, 2023

./update-oem-vmware.sh
+ shopt -s extglob nullglob
+ OEMCONTENT=oem-vmware.tgz
+ KEEPCONTENT=
+ '[' -n '' ']'
+ sudo true
+ '[' '!' -f oem-vmware.tgz ']'
+ KEYID=782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91
+ KEYSERVER=keyserver.ubuntu.com
+ gpg --keyserver keyserver.ubuntu.com --recv-key 782B3BC9F10CF638A5DCF5105B2910CBFCBEAB91
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key E25D9AED0593B34A: public key "Flatcar Buildbot (Official Builds) <buildbot@flatcar-linux.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
+ IMGNAME=flatcar_production_vmware_raw_image.bin
+ wget -N https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2 https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2.sig
--2023-07-16 16:38:44--  https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2
Resolving stable.release.flatcar-linux.net... 136.144.58.113
Connecting to stable.release.flatcar-linux.net|136.144.58.113|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 388249739 (370M) [application/x-bzip2]
Saving to: 'flatcar_production_vmware_raw_image.bin.bz2'

flatcar_production_vmware_raw_image.bi 100%[==========================================================================>] 370.26M  42.9MB/s    in 9.1s

2023-07-16 16:38:54 (40.5 MB/s) - 'flatcar_production_vmware_raw_image.bin.bz2' saved [388249739/388249739]

--2023-07-16 16:38:54--  https://stable.release.flatcar-linux.net/amd64-usr/current/flatcar_production_vmware_raw_image.bin.bz2.sig
Reusing existing connection to stable.release.flatcar-linux.net:443.
HTTP request sent, awaiting response... 200 OK
Length: 594 [application/pgp-signature]
Saving to: 'flatcar_production_vmware_raw_image.bin.bz2.sig'

flatcar_production_vmware_raw_image.bi 100%[==========================================================================>]     594  --.-KB/s    in 0s

2023-07-16 16:38:54 (408 MB/s) - 'flatcar_production_vmware_raw_image.bin.bz2.sig' saved [594/594]

FINISHED --2023-07-16 16:38:54--
Total wall clock time: 10s
Downloaded: 2 files, 370M in 9.1s (40.5 MB/s)
+ gpg --verify flatcar_production_vmware_raw_image.bin.bz2.sig flatcar_production_vmware_raw_image.bin.bz2
gpg: Signature made Tue Jul  4 16:01:22 2023 UTC
gpg:                using RSA key E9426D8B67E35DF476BD048185F7C8868837E271
gpg:                issuer "buildbot@flatcar-linux.org"
gpg: Can't check signature: No public key

Script got farther than before. @neilmayhew

Commented out line 33 to skip gpg --verify

Successfully updated vmware tools on 5 vms. Took about 75 seconds :)

@neilmayhew (Author)

The keyid has changed, and the new keyid isn't available on keyservers yet. It is in fact a subkey of the official signing key published here.

This has been discussed in the following Flatcar issues:

I'll update the gist once the situation has been resolved.

@neilmayhew (Author)

@bignay2000 Glad you were able to get it working for now

@neilmayhew (Author)

I changed the keyid to be the id of the main key instead of the id of the subkey that was in use at the time this script was written. This should be future-proof, since Flatcar doesn't change to a different main key; it only adds new subkeys to it.

@neilmayhew (Author)

Also, note that the key id is the full-length id rather than the abbreviated one that's reported by gpg and shown on the Flatcar web page. (The abbreviated version is a suffix of the full one.)
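
The two points above (pin the primary key rather than a signing subkey, and use the full fingerprint rather than the abbreviated id) can be enforced mechanically instead of being read off gpg's human-readable output. The script below is an added example written for this page; it is not part of the gist and not Flatcar's code. gpg's --status-fd output reports, on its VALIDSIG line, both the fingerprint of the subkey that made the signature and the fingerprint of that subkey's primary key, so a checker can compare the primary against the pinned value whatever subkey Flatcar is currently signing with, and can tell "no public key" (the failure in the log above, which calls for re-fetching the key) apart from a bad signature. The fingerprints are the ones that appear on this page; the status lines are constructed, not captured from gpg, and verify_detached assumes gpg is on PATH.

```shell
#!/bin/sh
# Added example, not part of the gist: accept a detached signature only when
# the PRIMARY key behind the signing subkey is the pinned one, using gpg's
# machine-readable --status-fd lines instead of its human-readable text.
set -f   # no globbing: "[GNUPG:]" would otherwise be a glob in "set -- $line"

# Full 40-hex-digit fingerprint of the Flatcar Buildbot primary key, as pinned
# in the script above. Compare the full fingerprint, never the 16-digit suffix
# that gpg prints in its human-readable output.
PINNED_PRIMARY=F88CFEDEFF29A5B4D9523864E25D9AED0593B34A

# Read "[GNUPG:] ..." status lines on stdin, print a verdict on stdout and
# return 0 = good signature by a subkey of $1, 2 = signing key not in the
# keyring, 1 = anything else (bad signature, other primary, no signature).
check_signature_status() {
    pinned=$1
    ok=0 bad=0 nokey=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hashalgo> <class> <primary-fpr>
                set -- $line
                sigfpr=$3
                primary=${12:-}
                if [ "$primary" = "$pinned" ]; then
                    echo "ok: signed by subkey $sigfpr of pinned primary $primary"
                    ok=1
                else
                    echo "REJECT: signature by $sigfpr belongs to primary '$primary', not the pinned key"
                    bad=1
                fi
                ;;
            "[GNUPG:] NO_PUBKEY "*)
                set -- $line
                echo "REJECT: no public key for signing key $3 (re-run gpg --recv-key for the primary)"
                nokey=1
                ;;
            "[GNUPG:] BADSIG "*)
                echo "REJECT: bad signature"
                bad=1
                ;;
        esac
    done
    if [ "$nokey" -eq 1 ]; then return 2; fi
    if [ "$ok" -eq 1 ] && [ "$bad" -eq 0 ]; then return 0; fi
    return 1
}

# Real use: run gpg with status output on stdout and pipe it to the checker.
# The pipeline's status is the checker's, so "verify_detached img.bz2.sig img.bz2"
# is a drop-in for a bare "gpg --verify" under set -e.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" | check_signature_status "$PINNED_PRIMARY"
}

# Constructed status lines (not captured from gpg) modelled on two cases from
# this page: a good signature by subkey E9426D...E271 of the pinned primary,
# and the "Can't check signature: No public key" failure seen when that subkey
# had not yet reached the keyservers. Only the fingerprints come from the page;
# the timestamp and algorithm fields are illustrative.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 85F7C8868837E271 Flatcar Buildbot (Official Builds) <buildbot@flatcar-linux.org>
[GNUPG:] VALIDSIG E9426D8B67E35DF476BD048185F7C8868837E271 2023-07-04 1688486482 0 4 0 1 10 00 F88CFEDEFF29A5B4D9523864E25D9AED0593B34A'
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 85F7C8868837E271 1 10 00 1688486482 9 E9426D8B67E35DF476BD048185F7C8868837E271
[GNUPG:] NO_PUBKEY 85F7C8868837E271'
# A valid signature from some unrelated key (hypothetical fingerprint)
SAMPLE_OTHER='[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-07-04 1688486482 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Run the checker over one of the constructed samples
check_sample() {
    printf '%s\n' "$1" | check_signature_status "$PINNED_PRIMARY"
}

# Stand-alone demo: one accepted, one "fetch the key", one rejected
for s in "$SAMPLE_GOOD" "$SAMPLE_NOKEY" "$SAMPLE_OTHER"; do
    if check_sample "$s"; then echo "  -> accepted"; else echo "  -> rejected (status $?)"; fi
done
```

The distinction between exit status 2 and 1 is the operational one: status 2 means the keyring lacks the subkey and the fix is to re-import the primary key from a keyserver that has the new subkey, whereas status 1 means the image must not be installed at all.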

@bignay2000

Reran the script without commenting out verify. Successfully updated 5 vms a second time. Thanks for making this robust.

@neilmayhew (Author)

@bignay2000 Thanks for reporting back!

Hopefully Flatcar will always push the key to the key servers from now on and this, together with my recent changes, will prevent people from running into this problem again.
