Re: Improving the offline updates user experience

2014-11-06 Thread Dennis Gilmore
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thu, 23 Oct 2014 10:56:00 +0200
Miroslav Suchý  wrote:

> On 10/22/2014 09:07 PM, Michael Stahl wrote:
> > the important point in that case is not reboot after upgrading
> > Firefox but*before*  upgrading Firefox, which means that at the
> > time of the upgrade no Firefox will be running and potentially
> > crashing because one of the 100s of DSOs it loads on-demand has
> > changed in an incompatible way.
> 
> The upgrade can last one hour (more or less). I'm not going to wait
> for upgrade and looking at black screen (albeit with progress bar).
> When upgrading - I save critical work in progress, and start reading
> articles from my RSS queue. And if Firefox crash (which happens very
> very rarely) I lost nothing, but get one hour of my life for free.

I have had some of my arm systems take 6-8 hours and even more to update
storage is a class 10 microsd card. the system was Fedora 21 and about
2-3 weeks worth of updates to be applied, about 700 packages.

Dennis

> To be constructive: I can imagine displaying dialog:
>Going to upgrade your system. Do you want to do it offline?
>  * Yes - most safe way
>  * No - there is non-trivial chance that some running application
> would crash (proceed on your own risk)
> 
> And let the user decide if he is power user or not.
> 

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBAgAGBQJUXFvUAAoJEH7ltONmPFDRwUYQAIEcuR8dyKQehxMk3eiRf2lh
Grq2//ndIBW1dtwQevd0edVmqaQEJ1m9TDNk2WuU1mGUFUeKFpSLUtPimOwgdLpD
V8ls6flIkrdqvmdN7ki0ulGZT18I4Pwc+dH0JdzdkoyaYbB4BpHpwfwPinH1hJDn
23mlaLJNVcKFyFTtn/pcYDKeHIEMrbBuBBTEEGLTn12T50Y7pdrlq97l5BwwS00m
p69XGfeup6Jx3lLQhiYKmioq/eTIGXnLsEomMnd/os5R3P5nqFq7bgRZg5yBtsNn
F8i/TSaqd/QdOomzR2WA2EQAA06Hz2Is4mfeZAELbEFE/1q309PrqJ6yuZhmMDCs
Fcq+qHVMrn9GclHlkL79DQcmlkM9C6WaFzX0x7uDm6hvk5td4+xyqSUtfWvCgQBR
z/YVfB07T+Y7kGltKXCUt3Su+WSKYWeyh5TRaOsvpIa/rwsINNExCUAKgRRvNdHX
IuWL6dzSGvtDN+8ztqd8eVLOVzZnfORNCz8JykOwMOXhM0qGeKxhCanrgwqNellY
fNg1M3LaPp4bLxhi0dhxJxpQuKt7ONc29Npty9MWZ1IFosikDDUevHGZcwiHnxm6
GAByS49Q4Y65w4xAz+Q2uEWZQT087zkiH+FvaZs5Ldgvk+WQEO4V2/l+8xn/0JI+
KdkbTlKL9s2RIgBl6TYs
=cmts
-END PGP SIGNATURE-
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-26 Thread Michael Scherer
On Wed, Oct 22, 2014 at 11:35:00PM +0100, Ian Malone wrote:
> On 22 October 2014 20:07, Michael Stahl  wrote:
> > On 17.09.2014 13:58, Miroslav Suchý wrote:
> >> On 09/17/2014 11:54 AM, Bastien Nocera wrote:
> >>> All those OSes require reboots when updating the OS.
> >>
> >> Define OS.
> >>
> >> Firefox is definitely not OS. While systemd is OS.
> >> I am fine with reboot after systemd upgrade, but not after upgrading 
> >> Firefox.
> >
> > the important point in that case is not reboot after upgrading Firefox
> > but *before* upgrading Firefox, which means that at the time of the
> > upgrade no Firefox will be running and potentially crashing because one
> > of the 100s of DSOs it loads on-demand has changed in an incompatible way.
> >
> > there used to be quite a few ABRT crashes reported against desktop
> > applications with impossible looking stack traces (although with the
> > automatic micro-reports it's less of a problem nowadays as they are
> > easier to ignore), and sometimes the reporter gives feedback that the
> > application was running across a yum update...
> >
> 
> While it can be a bit confusing the first time it happens to you, the
> solution is just to start and stop firefox again in that case. If it
> the goal is just to tidy ABRT crash reports (and I'm not sure it is)
> then forcing reboots on users wouldn't be very kind.

Beyond cleaning crash reports and reducing them, there is also the perception
of users. 

If we want to have the same reputation as some older windows with "this 
software 
crashed and I do not know why" from our users, then having regular random 
crashes 
after a random delay after upgrade is the way to go. If we still aim for "the 
software
is solid and stable", then we should try to reduce the random crash.

-- 
Michael Scherer
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-24 Thread Miroslav Suchý

On 10/24/2014 12:59 PM, Richard Hughes wrote:

853 must be close to
every package on your box...


Nope.
$ rpm -qa |wc -l
4337

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-24 Thread Reindl Harald


Am 24.10.2014 um 12:02 schrieb Mathieu Bridon:

On Fri, 2014-10-24 at 12:00 +0200, Miroslav Suchý wrote:

I'm not updating daily. I upgraded my machine IIRC 2-3 weeks ago. So lets 
benchmark it and provide you real data.

My machine have classic magnetic disk, however in SW RAID1.
   Timing cached reads:   12236 MB in  2.00 seconds = 6124.59 MB/sec
   Timing buffered disk reads: 412 MB in  3.00 seconds = 137.12 MB/sec
Fedora 21, 16 GB RAM (2GB free), 8 CPU cores, swap available but none used

I run "dnf upgrade" and I have been offered 853 packages and 1.3 GB to download.
Download lasted 3mins 20secs.
Then installation started and since beginning "transaction started" till the 
end lasted exactly 53 minutes.
No specific package is blocking the process, dnf was chewing packages one by 
one in steady pace. Veryfing phase lasted
~4 minutes, so it means approximately 3 second per package, which is what I am 
seeing on screen.

And this is nothing exceptional. I see similar times across all machines I 
maintain. When I'm updating box of my mother
(old EeeBox, updating aprox every 3 months) then the time is usually 3 hours 
(however ~1 hour is just download phase).


More than anything, doesn't this just shows that we simply push way too
many updates in Fedora?


no

* first:  the above is Rawhide/Alpha
* second: the reason i run Fedora and not Debian/RHEL is fast updates
* third:  nobody should apply updates every 3 weeks
  but that above is Alpha and so no "production" machine



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-24 Thread Richard Hughes
On 24 October 2014 11:00, Miroslav Suchý  wrote:
> I run "dnf upgrade" and I have been offered 853 packages and 1.3 GB to
> download.

I'm pretty sure F21 for the last few weeks is not representative of a
normal installed system over a 2 week period. 853 must be close to
every package on your box...

Richard
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-24 Thread Mathieu Bridon
On Fri, 2014-10-24 at 12:00 +0200, Miroslav Suchý wrote:
> I'm not updating daily. I upgraded my machine IIRC 2-3 weeks ago. So lets 
> benchmark it and provide you real data.
> 
> My machine have classic magnetic disk, however in SW RAID1.
>   Timing cached reads:   12236 MB in  2.00 seconds = 6124.59 MB/sec
>   Timing buffered disk reads: 412 MB in  3.00 seconds = 137.12 MB/sec
> Fedora 21, 16 GB RAM (2GB free), 8 CPU cores, swap available but none used
> 
> I run "dnf upgrade" and I have been offered 853 packages and 1.3 GB to 
> download.
> Download lasted 3mins 20secs.
> Then installation started and since beginning "transaction started" till the 
> end lasted exactly 53 minutes.
> No specific package is blocking the process, dnf was chewing packages one by 
> one in steady pace. Veryfing phase lasted 
> ~4 minutes, so it means approximately 3 second per package, which is what I 
> am seeing on screen.
> 
> And this is nothing exceptional. I see similar times across all machines I 
> maintain. When I'm updating box of my mother 
> (old EeeBox, updating aprox every 3 months) then the time is usually 3 hours 
> (however ~1 hour is just download phase).

More than anything, doesn't this just shows that we simply push way too
many updates in Fedora?


-- 
Mathieu

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-24 Thread Miroslav Suchý

On 10/23/2014 12:57 PM, Reindl Harald wrote:

The upgrade can last one hour (more or less).


An hour?! Most of my offline updates take a few tens of seconds with
F21. Is this on fairly up-to-date SSD hardware? Are any specific
packages taking longer than the others?


an hour was surely exaggerated


Not at all.
I'm not updating daily. I upgraded my machine IIRC 2-3 weeks ago. So lets 
benchmark it and provide you real data.

My machine have classic magnetic disk, however in SW RAID1.
 Timing cached reads:   12236 MB in  2.00 seconds = 6124.59 MB/sec
 Timing buffered disk reads: 412 MB in  3.00 seconds = 137.12 MB/sec
Fedora 21, 16 GB RAM (2GB free), 8 CPU cores, swap available but none used

I run "dnf upgrade" and I have been offered 853 packages and 1.3 GB to download.
Download lasted 3mins 20secs.
Then installation started and since beginning "transaction started" till the 
end lasted exactly 53 minutes.
No specific package is blocking the process, dnf was chewing packages one by one in steady pace. Veryfing phase lasted 
~4 minutes, so it means approximately 3 second per package, which is what I am seeing on screen.


And this is nothing exceptional. I see similar times across all machines I maintain. When I'm updating box of my mother 
(old EeeBox, updating aprox every 3 months) then the time is usually 3 hours (however ~1 hour is just download phase).


--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-23 Thread Reindl Harald


Am 23.10.2014 um 12:52 schrieb Daniel P. Berrange:

On Thu, Oct 23, 2014 at 11:43:29AM +0100, Richard Hughes wrote:

On 23 October 2014 09:56, Miroslav Suchý  wrote:

The upgrade can last one hour (more or less).


An hour?! Most of my offline updates take a few tens of seconds with
F21. Is this on fairly up-to-date SSD hardware? Are any specific
packages taking longer than the others?


Don't assume everyone is using SSDs with Fedora


that assumption is sadly a common mistake on many places and leads to 
implement things less efficient because "it's fast enough on 'fairly' 
recent hardware)


frankly it will take many years before i replace my 4x2 TB RAID10 disks 
by 4x2 TB SSD just because the price and no i won't re-install from 
scratch to just have the OS only on SSD and my virtual machines (which 
are the reason for that large disks) stay on slower disks




signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-23 Thread Reindl Harald


Am 23.10.2014 um 12:43 schrieb Richard Hughes:

On 23 October 2014 09:56, Miroslav Suchý  wrote:

The upgrade can last one hour (more or less).


An hour?! Most of my offline updates take a few tens of seconds with
F21. Is this on fairly up-to-date SSD hardware? Are any specific
packages taking longer than the others?


an hour was surely exaggerated

but there was not so long ago a bug in some package updateing caches 
which took on a hyperfast RAID10 machine with enabled barriers up to 10 
minutes for a ordinary KDE update


before it got fixid without barriers (which are are default) a few 
seconds - you don't know if and how often such things may get triggered 
inside a update transaction (like the useless ldconfig and systemd 
reloads after every single related package)


# https://bugzilla.redhat.com/show_bug.cgi?id=1052173#c32
export PKGSYSTEM_ENABLE_FSYNC=0



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-23 Thread Daniel P. Berrange
On Thu, Oct 23, 2014 at 11:43:29AM +0100, Richard Hughes wrote:
> On 23 October 2014 09:56, Miroslav Suchý  wrote:
> > The upgrade can last one hour (more or less).
> 
> An hour?! Most of my offline updates take a few tens of seconds with
> F21. Is this on fairly up-to-date SSD hardware? Are any specific
> packages taking longer than the others?

Don't assume everyone is using SSDs with Fedora

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-23 Thread Richard Hughes
On 23 October 2014 09:56, Miroslav Suchý  wrote:
> The upgrade can last one hour (more or less).

An hour?! Most of my offline updates take a few tens of seconds with
F21. Is this on fairly up-to-date SSD hardware? Are any specific
packages taking longer than the others?

Richard
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-23 Thread Miroslav Suchý

On 10/22/2014 09:07 PM, Michael Stahl wrote:

the important point in that case is not reboot after upgrading Firefox
but*before*  upgrading Firefox, which means that at the time of the
upgrade no Firefox will be running and potentially crashing because one
of the 100s of DSOs it loads on-demand has changed in an incompatible way.


The upgrade can last one hour (more or less). I'm not going to wait for upgrade and looking at black screen (albeit with 
progress bar). When upgrading - I save critical work in progress, and start reading articles from my RSS queue.

And if Firefox crash (which happens very very rarely) I lost nothing, but get 
one hour of my life for free.

To be constructive: I can imagine displaying dialog:
  Going to upgrade your system. Do you want to do it offline?
* Yes - most safe way
* No - there is non-trivial chance that some running application would 
crash (proceed on your own risk)

And let the user decide if he is power user or not.

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Ian Malone
On 22 October 2014 20:07, Michael Stahl  wrote:
> On 17.09.2014 13:58, Miroslav Suchý wrote:
>> On 09/17/2014 11:54 AM, Bastien Nocera wrote:
>>> All those OSes require reboots when updating the OS.
>>
>> Define OS.
>>
>> Firefox is definitely not OS. While systemd is OS.
>> I am fine with reboot after systemd upgrade, but not after upgrading Firefox.
>
> the important point in that case is not reboot after upgrading Firefox
> but *before* upgrading Firefox, which means that at the time of the
> upgrade no Firefox will be running and potentially crashing because one
> of the 100s of DSOs it loads on-demand has changed in an incompatible way.
>
> there used to be quite a few ABRT crashes reported against desktop
> applications with impossible looking stack traces (although with the
> automatic micro-reports it's less of a problem nowadays as they are
> easier to ignore), and sometimes the reporter gives feedback that the
> application was running across a yum update...
>

While it can be a bit confusing the first time it happens to you, the
solution is just to start and stop firefox again in that case. If it
the goal is just to tidy ABRT crash reports (and I'm not sure it is)
then forcing reboots on users wouldn't be very kind.

-- 
imalone
http://ibmalone.blogspot.co.uk
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Michael Stahl
On 17.09.2014 13:58, Miroslav Suchý wrote:
> On 09/17/2014 11:54 AM, Bastien Nocera wrote:
>> All those OSes require reboots when updating the OS.
> 
> Define OS.
> 
> Firefox is definitely not OS. While systemd is OS.
> I am fine with reboot after systemd upgrade, but not after upgrading Firefox.

the important point in that case is not reboot after upgrading Firefox
but *before* upgrading Firefox, which means that at the time of the
upgrade no Firefox will be running and potentially crashing because one
of the 100s of DSOs it loads on-demand has changed in an incompatible way.

there used to be quite a few ABRT crashes reported against desktop
applications with impossible looking stack traces (although with the
automatic micro-reports it's less of a problem nowadays as they are
easier to ignore), and sometimes the reporter gives feedback that the
application was running across a yum update...

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Tom Rivers

On 10/22/2014 10:58, drago01 wrote:

No the OS is more than just a kernel.


Kernel Space contains more than just the kernel.  It also contains 
device drivers, kernel extensions, and other privileged processes that 
require full system access.  User Space exists as a barrier to keep 
applications separate from the OS itself.



Tom
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread drago01
On Wed, Oct 22, 2014 at 4:45 PM, Tom Rivers  wrote:
> On 10/22/2014 06:31, Lennart Poettering wrote:
>>
>> It would be great if we could nicely isolate the apps from the OS so that
>> we can restart the apps independently from the OS, but this requires
>> isolating things first.
>
>
> Isn't the differentiation between kernel space and user space sufficient for
> identifying what is the OS and what is an application?  I know Windows
> blurred those lines during the Browser Wars with Netscape, but to my
> knowledge that separation still exists in Linux.

No the OS is more than just a kernel.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Tom Rivers

On 10/22/2014 06:31, Lennart Poettering wrote:
It would be great if we could nicely isolate the apps from the OS so 
that we can restart the apps independently from the OS, but this 
requires isolating things first.


Isn't the differentiation between kernel space and user space sufficient 
for identifying what is the OS and what is an application?  I know 
Windows blurred those lines during the Browser Wars with Netscape, but 
to my knowledge that separation still exists in Linux.



Tom
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Stephen John Smoogen
On 22 October 2014 04:31, Lennart Poettering  wrote:

> On Wed, 17.09.14 13:58, Miroslav Suchý (msu...@redhat.com) wrote:
>
> > On 09/17/2014 11:54 AM, Bastien Nocera wrote:
> > >All those OSes require reboots when updating the OS.
> >
> > Define OS.
> >
> > Firefox is definitely not OS. While systemd is OS.
> > I am fine with reboot after systemd upgrade, but not after upgrading
> > Firefox.
>
> Well, on Fedora and Unixes the apps are just part of the OS, they are
> all dropped into /usr, and not isolated out.
>
> It would be great if we could nicely isolate the apps from the OS so
> that we can restart the apps independently from the OS, but this
> requires isolating things first.
>
> We are working on app sandboxes, and they will make this available,
> but it's the traditional Linux model cannot really deliver this.
>
>
Well it depends on the traditional model that you are going to refer to. In
the model of the Unix systems I had to set up in the late 1980's and the
1990's... there was a separation in that items for the OS were in the root
directories (say /bin and /sbin), and stuff that was not  OS critical but
user critical were in /usr/{bin,sbin}. And then local critical were in /opt
or /usr/local depending on the OS.

We (Linux distributions) lost that distinction sometime in the past decade
and then undid it completely with the various /usr/ merges. [This isn't
meant to open that can of worms.. the distinction was broken before the
merge.. the merge just made it clear.]

I am not sure how to best move from here. A complete reinvent of
hierarchies is always tempting.. but it has always been the deathknell of
every OS that has done it in the past due to chasm crossing issues (too
much old stuff needing old things causing any benefits from new stuff to be
actual detriments). Doing a more thorough job of packaging items so that
system only items were in /bin,/lib, etc has never worked because too many
things sit between the two. [its a user component AND a system component!]
At best I can say it comes down to operating systems are too damn
complicated and I need to go back to potato farming :)






> Lennart
>
> --
> Lennart Poettering, Red Hat
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>



-- 
Stephen J Smoogen.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Lennart Poettering
On Wed, 22.10.14 14:11, Roberto Ragusa (m...@robertoragusa.it) wrote:

> On 10/21/2014 10:02 PM, Lennart Poettering wrote:
> 
> > Maybe
> > that's actually a strategy to adopt here: upload the encryption keys
> > into the firmware as efi vars, and then pull them out on next boots or
> > so (assuming that efi vars can be marked to survive soft reboots
> > without making them fully persistent...)
> 
> Hmmm, surrendering your encryption keys to the only software
> part which you do not have control on?

The firmware runs at the highest priviliges anyway, it can do whatever
it wants... You don't have to "surrender" you keys to it. If it wants
them it can take them anyway...

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Roberto Ragusa
On 10/21/2014 10:02 PM, Lennart Poettering wrote:

> Maybe
> that's actually a strategy to adopt here: upload the encryption keys
> into the firmware as efi vars, and then pull them out on next boots or
> so (assuming that efi vars can be marked to survive soft reboots
> without making them fully persistent...)

Hmmm, surrendering your encryption keys to the only software
part which you do not have control on?

-- 
   Roberto Ragusamail at robertoragusa.it
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Matthew Miller
On Wed, Oct 22, 2014 at 08:48:59AM +0200, Miroslav Suchý wrote:
> >Offline updates are more for the cases where things need to be
> >reliable, because no well educated admin is available to instantly
> >fix things.
> 
> I will print it an pin up on my notice board.
> 
> And the implication is that offline updates are not for readers of
> devel@lists.fedoraproject.org

I don't think that's very fair, without the context. First, of course,
we're developing for more than just ourselves. And second, this isn't a
reversible statement: just because offline updates primarily target one
user type doesn't mean that other user types can't or shouldn't use it.

Why do I care about this? The non-techie user wants less rebooting too.
I'd love to see the updates toolchain get more smarts about recognizing
when an update is "safe" (or at least "safer") and not reboot in those
cases. That's possible but would be an investment of work. In the
meantime, "offline updates if you want simple and guaranteed", "use
yum or dnf online if you're able to handle unlikely but possible
consequences" seems workable enough.

-- 
Matthew Miller

Fedora Project Leader
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Lennart Poettering
On Wed, 17.09.14 13:58, Miroslav Suchý (msu...@redhat.com) wrote:

> On 09/17/2014 11:54 AM, Bastien Nocera wrote:
> >All those OSes require reboots when updating the OS.
> 
> Define OS.
> 
> Firefox is definitely not OS. While systemd is OS.
> I am fine with reboot after systemd upgrade, but not after upgrading
> Firefox.

Well, on Fedora and Unixes the apps are just part of the OS, they are
all dropped into /usr, and not isolated out.

It would be great if we could nicely isolate the apps from the OS so
that we can restart the apps independently from the OS, but this
requires isolating things first. 

We are working on app sandboxes, and they will make this available,
but it's the traditional Linux model cannot really deliver this.

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-22 Thread Lennart Poettering
On Tue, 16.09.14 13:35, Petr Pisar (ppi...@redhat.com) wrote:

> On 2014-09-16, Richard Hughes  wrote:
> > The much bigger issues is if you're using a D-Bus service
> > like most applications seem to do (and most use quite a few system and
> > session, directly and indirectly) then you've also got to co-ordinate
> > and handle changing D-Bus API (which typically isn't versioned).
> 
> Maybe it's time to version the API.
> 
> Look at microkernel based systems which utilize messaging heavily and
> the API consumers (applications or another subsystems) have to be
> prepared for spurious API provider (server) restarts.
> 
> A server can refuse a message any time (especially if it does not
> understand the request). Simple operations are usualy implemented as
> a sequence of requests and responses where initial request obtains
> a descriptor (a session, a handle) and subsequent requests passe it as
> context (a session) identifier. If the server is restarted in between,
> the context identifier becomes unrecognized and it's up to the
> application to deal with it.
> 
> Just the fact that somebody calls functions over dbus instead of jumping
> into a shared library do not free them from maintaing API.

Well, the theory for this might be great. But reality tells us that
code that isn't regularly tested tends to be broken. Hence: the
assumption it would be reasonably possible to comprehensively test all
kinds of updates between any combination of software versions,
executed in any order, simultaneously with the user using the machine,
then is simply wrong. You explode the test matrix, and without testing
such upgrades will never be reliable.  The offline update logic is
about making the test matrix smaller, and adding determinism where it
normally is missing.

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-21 Thread Miroslav Suchý

On 10/21/2014 10:08 PM, Lennart Poettering wrote:

Offline updates are more for the cases where things need to be
reliable, because no well educated admin is available to instantly fix
things.


I will print it an pin up on my notice board.

And the implication is that offline updates are not for readers of 
devel@lists.fedoraproject.org

--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-21 Thread Reindl Harald



Am 21.10.2014 um 22:08 schrieb Lennart Poettering:

On Fri, 12.09.14 18:37, Reindl Harald (h.rei...@thelounge.net) wrote:

1 out of a million cases needs offline updates

really - the only good at it is that you can stick
at using YUM and decide what you have to do at your
own - rarely updates really require a reboot

* lsof | grep DEL | grep /usr and restart services on servers


Well, some deps are not visible like that, because they do not involve
continuous mappings or open fds.


may be true but in practice no problem over many years


Moreover, it won't help you much anyway, as some daemons are not
restarble right now, most prominently dbus-daemon


you repeat that again and again while i restart dbus over years on 
headless machines for web/file/db-servers and frankly before F15 even 
messagebus was completly disabled on all that machines



And strictly speaking as you cannot restart all daemons at the very
same instant, or even at the same instant as you install the new files
and remove the old ones you will always have races where daemons might
make use of resources or interfaces that are either newer than what
they expect or older.


interesting is that not so long ago there where just not much such 
dependencies - mandatory presence of dbus is very recent


other services like some webapp talking to a db-server? frankly i wrote 
10 years ago db-layers to wait and retry so you can restart the db 
server after an update



offline updates are really about make updates fully reliable. Yes, in
most cases a "yum update" during runtime works well enough, and yes, I
usually do my updates that way too. But I am actually able to help
myself if something goes wrong. And so are you.


true


Offline updates are more for the cases where things need to be
reliable, because no well educated admin is available to instantly fix
things. Possibly because the machine is used by noobs only, or because
the machine is buried somewhere under the see, or where so many
instances of the machine are running that a human admins don't scale

Hope that makes some sense


yes, but keep in mind not introduce more and more dependencies to make 
them mandatory somewhere in the future




signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-21 Thread Lennart Poettering
On Fri, 12.09.14 18:37, Reindl Harald (h.rei...@thelounge.net) wrote:

> 
> Am 12.09.2014 um 18:33 schrieb Nathanael d. Noblet:
> > So I don't use Firefox anymore but I do know back in the day if we had
> > FF open when we updated it would do a double request for each page/form.
> > However when updating we just restarted FF and it would work fine after
> > that. I've never noticed any other issues than FF but like I said I
> > don't use it anymore.
> > 
> > Granted that doesn't matter obviously we don't want that kind of
> > behaviour. 
> > 
> > I am curious though. Everyone says the only way to do it securely and
> > safely is with nothing running. Why can't updates be applied with stuff
> > running prior to a reboot? 
> 
> 1 out of a million cases needs offline updates
> 
> really - the only good at it is that you can stick
> at using YUM and decide what you have to do at your
> own - rarely updates really require a reboot
> 
> * lsof | grep DEL | grep /usr and restart services on servers

Well, some deps are not visible like that, because they do not involve
continuous mappings or open fds.

Moreover, it won't help you much anyway, as some daemons are not
restarble right now, most prominently dbus-daemon.

And strictly speaking as you cannot restart all daemons at the very
same instant, or even at the same instant as you install the new files
and remove the old ones you will always have races where daemons might
make use of resources or interfaces that are either newer than what
they expect or older. 

offline updates are really about make updates fully reliable. Yes, in
most cases a "yum update" during runtime works well enough, and yes, I
usually do my updates that way too. But I am actually able to help
myself if something goes wrong. And so are you. 

Offline updates are more for the cases where things need to be
reliable, because no well educated admin is available to instantly fix
things. Possibly because the machine is used by noobs only, or because
the machine is buried somewhere under the see, or where so many
instances of the machine are running that a human admins don't scale.

Hope that makes some sense.

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-21 Thread Lennart Poettering
On Fri, 12.09.14 10:46, Stephen Gallagher (sgall...@redhat.com) wrote:

> It is very common for users to have systems with encrypted root
> partitions (or even just /var and /etc). This may be due to a
> personal

Nitpicking: we currently do not support split-off /etc on
Fedora/Dracut. /var may be split out though.

> We could significantly improve this situation by allowing the system
> to drop directly from the interactive system into the updater
> environment without doing a full reboot or relaunching the kernel.
> 
> Lennart, would it be possible to set up a special systemd target for
> performing updates that would essentially stop all processes except
> for systemd and then apply the updates?

Well, the entire logic we have in place for offline updates is to
ensure that they are applied in a well-defined very clean, minimal
environment. Actually, that's not just the logic that is in place,
that's the whole reason for having them at all! 

I mean, if it is OK to allow leaking runtime state into the upgrade
process we could just run the updates in parallel to normal runtime,
how we always did things.

Or in even otherwords: offline updates are supposed to make update
strictly reliable, and for that I figure a full reset and fresh boot,
with everything initialized to the boot-up defaults is the closest if
not only option.

That all said, we have been discussing supporting a new reboot-mode in
systemd, which would essentially shut down userspace, until only PID 1
remains, and then immediately start userspace again on the same
kernel. This would be pretty close to what you are asking for
here... However, so far we have quite some concerns about adding this,
precisely for the reason that it pretends to be a reset of everything
to the boot-up defaults, but actually isn't, as a ton of runtime state
is retained in /sys and /proc/sys and other runtime objects.

> [1] I'm told that this might not be necessary; that systemd can
> re-exec itself to pick up its own updates. That would reduce the scope
> presumably to "only the kernel" forcing reboots.

Well, you cannot really do this atomically. Offline updates are about
reliability. But you cannot restart userspace reliably during
runtime. Think about this: daemons talk to each other, supporting a
variety of APIs and API versions. If we want to do an update, then
we'd have to restart all daemons at the same instant to ensure that no
daemon starts talking with another daemon at the wrong time where it
might be confused by either a too old or too new daemon. However,
restarten them all at once is not possible. Moreover, some daemons
cannot be restarted at all (for example dbus-daemon; and journald is
difficult too, as it will lose connections to all other daemon's
stdout/stderr if you do, even though it other works fine).

Hence: I'd really recommend leaving offline updates as is. 

I see the problem though and acknowledge the fact that entering the
passwords multiple times is annoying. Interestingly hw hdd encryption
is nicer there as the keys are not flushed out on resets... Maybe
that's actually a strategy to adopt here: upload the encryption keys
into the firmware as efi vars, and then pull them out on next boots or
so (assuming that efi vars can be marked to survive soft reboots
without making them fully persistent...)

I understand this is all unsatisfying. Maybe fixing related problems
might improve the situation a bit though. For example, I find it quite
annoying if we always ask for both a hdd passphrase and a user
passphrase at boot. It has been a long-time todo list item for systemd
to add the hdd passphrases (with strict expiry) to the kernel keyring
and then optionally pull them out there for gdm's autologin mode, so
that they can be used for decrypting the gnome keyring and
such. However, so far we haven't worked on that yet... 

Lennart

-- 
Lennart Poettering, Red Hat
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-21 Thread Stephen Gallagher



On Mon, 2014-10-13 at 11:26 -0400, Stephen Gallagher wrote:
> 
> 
> On Thu, 2014-10-02 at 07:53 -0400, Stephen Gallagher wrote:
> > 
> > 
> > On Fri, 2014-09-12 at 10:46 -0400, Stephen Gallagher wrote:
> > > == The Problem ==
> > > 
> > > It is very common for users to have systems with encrypted root
> > > partitions (or even just /var and /etc). This may be due to a personal
> > > concern for their data or a corporate policy mandating full-disk
> > > encryption. Disk encryption requires a password (or other more
> > > complicated credentials) be be presented just after the kernel is
> > > booted and before the drives can be mounted and their data read.
> > > 
> > > With the current implementation of the offline updates in Fedora, this
> > > leads to a very unpleasant user experience when updating. We offer two
> > > ways to perform offline updates in the default user environment of
> > > Fedora Workstation: "Install updates and reboot" or "Install updates
> > > and shut down".
> > > 
> > > With "Install updates and reboot", the behavior is as follows:
> > > 
> > > 1) The system shuts down and initiates an ACPI reboot.
> > > 2) The system presents the kernel boot menu and then starts the
> > > updater kernel.
> > > 3) The system presents the user with a password prompt for the disk
> > > encryption (possibly more than one, if the system is configured with
> > > different passwords for different partitions).
> > > 4) The offline updates occur.
> > > 5) The system shuts down and initiates an ACPI reboot.
> > > 6) The system presents the kernel boot menu and then starts the
> > > standard (possibly updated) kernel.
> > > 7) The system presents the user with a password prompt for the disk
> > > encryption (possibly more than one, if the system is configured with
> > > different passwords for different partitions).
> > > 8) The system completes booting.
> > > 
> > > During this experience, the user has been required to enter their disk
> > > encryption password *twice*. The same is true for the "Install and
> > > shut down" case, except that the two passwords are separated by some
> > > actual wallclock time.
> > > 
> > > == Proposed Improvements ==
> > > 
> > > We could significantly improve this situation by allowing the system
> > > to drop directly from the interactive system into the updater
> > > environment without doing a full reboot or relaunching the kernel.
> > > 
> > > Lennart, would it be possible to set up a special systemd target for
> > > performing updates that would essentially stop all processes except
> > > for systemd and then apply the updates?
> > > 
> > > In an ideal world, it would then also be possible after update is
> > > completed to restore operation to the standard boot targets of systemd
> > > so that the system comes back up without having to perform a total
> > > reboot. The exceptional case would of course be that in which either
> > > the kernel, libc or systemd[1] needed to be updated, in which case a
> > > reboot could be performed.
> > > 
> > > In this scenario, we can reduce the number of encrypted disk
> > > challenges to at most a single one, and that only if absolutely
> > > minimal plumbing packages saw an update.
> > > 
> > > I'd very much like to hear from the plumbers on this matter.
> > > 
> > > 
> > > [1] I'm told that this might not be necessary; that systemd can
> > > re-exec itself to pick up its own updates. That would reduce the scope
> > > presumably to "only the kernel" forcing reboots.
> > 
> > 
> > I'm bumping this thread to get comments from Lennart (CCed). There's a
> > lot of chatter in the conversation, but I'd very much like to hear an
> > answer to the specific questions I posed in this first email.
> 
> Trying one more time to get Lennart to chime in here.


I spotted on another mailing list that Lennart is using a different
email address these days. I'm now trying to reach him on that one
instead.


signature.asc
Description: This is a digitally signed message part
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-13 Thread Stephen Gallagher



On Thu, 2014-10-02 at 07:53 -0400, Stephen Gallagher wrote:
> 
> 
> On Fri, 2014-09-12 at 10:46 -0400, Stephen Gallagher wrote:
> > == The Problem ==
> > 
> > It is very common for users to have systems with encrypted root
> > partitions (or even just /var and /etc). This may be due to a personal
> > concern for their data or a corporate policy mandating full-disk
> > encryption. Disk encryption requires a password (or other more
> > complicated credentials) be be presented just after the kernel is
> > booted and before the drives can be mounted and their data read.
> > 
> > With the current implementation of the offline updates in Fedora, this
> > leads to a very unpleasant user experience when updating. We offer two
> > ways to perform offline updates in the default user environment of
> > Fedora Workstation: "Install updates and reboot" or "Install updates
> > and shut down".
> > 
> > With "Install updates and reboot", the behavior is as follows:
> > 
> > 1) The system shuts down and initiates an ACPI reboot.
> > 2) The system presents the kernel boot menu and then starts the
> > updater kernel.
> > 3) The system presents the user with a password prompt for the disk
> > encryption (possibly more than one, if the system is configured with
> > different passwords for different partitions).
> > 4) The offline updates occur.
> > 5) The system shuts down and initiates an ACPI reboot.
> > 6) The system presents the kernel boot menu and then starts the
> > standard (possibly updated) kernel.
> > 7) The system presents the user with a password prompt for the disk
> > encryption (possibly more than one, if the system is configured with
> > different passwords for different partitions).
> > 8) The system completes booting.
> > 
> > During this experience, the user has been required to enter their disk
> > encryption password *twice*. The same is true for the "Install and
> > shut down" case, except that the two passwords are separated by some
> > actual wallclock time.
> > 
> > == Proposed Improvements ==
> > 
> > We could significantly improve this situation by allowing the system
> > to drop directly from the interactive system into the updater
> > environment without doing a full reboot or relaunching the kernel.
> > 
> > Lennart, would it be possible to set up a special systemd target for
> > performing updates that would essentially stop all processes except
> > for systemd and then apply the updates?
> > 
> > In an ideal world, it would then also be possible after update is
> > completed to restore operation to the standard boot targets of systemd
> > so that the system comes back up without having to perform a total
> > reboot. The exceptional case would of course be that in which either
> > the kernel, libc or systemd[1] needed to be updated, in which case a
> > reboot could be performed.
> > 
> > In this scenario, we can reduce the number of encrypted disk
> > challenges to at most a single one, and that only if absolutely
> > minimal plumbing packages saw an update.
> > 
> > I'd very much like to hear from the plumbers on this matter.
> > 
> > 
> > [1] I'm told that this might not be necessary; that systemd can
> > re-exec itself to pick up its own updates. That would reduce the scope
> > presumably to "only the kernel" forcing reboots.
> 
> 
> I'm bumping this thread to get comments from Lennart (CCed). There's a
> lot of chatter in the conversation, but I'd very much like to hear an
> answer to the specific questions I posed in this first email.

Trying one more time to get Lennart to chime in here.


signature.asc
Description: This is a digitally signed message part
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-10-02 Thread Stephen Gallagher



On Fri, 2014-09-12 at 10:46 -0400, Stephen Gallagher wrote:
> == The Problem ==
> 
> It is very common for users to have systems with encrypted root
> partitions (or even just /var and /etc). This may be due to a personal
> concern for their data or a corporate policy mandating full-disk
> encryption. Disk encryption requires a password (or other more
> complicated credentials) be be presented just after the kernel is
> booted and before the drives can be mounted and their data read.
> 
> With the current implementation of the offline updates in Fedora, this
> leads to a very unpleasant user experience when updating. We offer two
> ways to perform offline updates in the default user environment of
> Fedora Workstation: "Install updates and reboot" or "Install updates
> and shut down".
> 
> With "Install updates and reboot", the behavior is as follows:
> 
> 1) The system shuts down and initiates an ACPI reboot.
> 2) The system presents the kernel boot menu and then starts the
> updater kernel.
> 3) The system presents the user with a password prompt for the disk
> encryption (possibly more than one, if the system is configured with
> different passwords for different partitions).
> 4) The offline updates occur.
> 5) The system shuts down and initiates an ACPI reboot.
> 6) The system presents the kernel boot menu and then starts the
> standard (possibly updated) kernel.
> 7) The system presents the user with a password prompt for the disk
> encryption (possibly more than one, if the system is configured with
> different passwords for different partitions).
> 8) The system completes booting.
> 
> During this experience, the user has been required to enter their disk
> encryption password *twice*. The same is true for the "Install and
> shut down" case, except that the two passwords are separated by some
> actual wallclock time.
> 
> == Proposed Improvements ==
> 
> We could significantly improve this situation by allowing the system
> to drop directly from the interactive system into the updater
> environment without doing a full reboot or relaunching the kernel.
> 
> Lennart, would it be possible to set up a special systemd target for
> performing updates that would essentially stop all processes except
> for systemd and then apply the updates?
> 
> In an ideal world, it would then also be possible after update is
> completed to restore operation to the standard boot targets of systemd
> so that the system comes back up without having to perform a total
> reboot. The exceptional case would of course be that in which either
> the kernel, libc or systemd[1] needed to be updated, in which case a
> reboot could be performed.
> 
> In this scenario, we can reduce the number of encrypted disk
> challenges to at most a single one, and that only if absolutely
> minimal plumbing packages saw an update.
> 
> I'd very much like to hear from the plumbers on this matter.
> 
> 
> [1] I'm told that this might not be necessary; that systemd can
> re-exec itself to pick up its own updates. That would reduce the scope
> presumably to "only the kernel" forcing reboots.


I'm bumping this thread to get comments from Lennart (CCed). There's a
lot of chatter in the conversation, but I'd very much like to hear an
answer to the specific questions I posed in this first email.


signature.asc
Description: This is a digitally signed message part
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-17 Thread Stephen Gallagher
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/16/2014 04:02 PM, Lukáš Tinkl wrote:
> Dne 16.9.2014 v 17:29 Matthias Clasen napsal(a):
>> On Tue, 2014-09-16 at 16:21 +0200, Zdenek Kabelac wrote:
>> 
>>> 
>>> Has Fedora given up Unix ??
>> 
>> This thread has gone quite far out into the weeds. It started
>> with a fairly concrete question: can we improve the offline
>> update experience by requiring only a single reboot, instead of
>> two ?
> 
> That's the core of the problem, while other systems have been
> trying for years to get rid of this nonsense (updates requiring
> reboots), we are moving the opposite direction. Technical reasons
> aside(*), this is NOT right for our users.
> 

While that may be a wonderfully ideal state to reach (and certainly
worth discussion), I agree with Matthias that this has gone far afield
of my original question.

I'd like to try to tie this thread back to answering a single
question: Without a fundamental redesign of the way things work, which
would be a VERY large and long-term effort, can we improve the user
experience for people *today* with fairly little effort?

If the answer to that question is "yes", is there anything
fundamentally wrong with adding that workaround while we solve the
situation in a more complete manner?

I think this is a great example of the adage "perfect is the enemy of
the good". We have a situation that everyone seems to agree is less
than ideal and we have two proposed solutions: one that probably
requires only a few weeks of work and testing and one that probably
requires a fundamental change to the way the system works and
therefore could take years to accomplish.

Ask yourself this question: are you as a user patient enough to wait
for a perfect solution or are you happy with incremental improvement?


> 
> (*) I agree offline updates are the safest way technically but
> that should be only regarded as a workaround for a more fundamental
> problem, lying deep below the desktop level.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlQZe9kACgkQeiVVYja6o6N7LQCdHKJxoApCxamQgD65XW5tPYmz
n7oAniCMrdHSL36Zp6P/auCd9iF3h53f
=Ow2a
-END PGP SIGNATURE-
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-17 Thread Miroslav Suchý

On 09/17/2014 11:54 AM, Bastien Nocera wrote:

All those OSes require reboots when updating the OS.


Define OS.

Firefox is definitely not OS. While systemd is OS.
I am fine with reboot after systemd upgrade, but not after upgrading Firefox.

And there we have lots of packages in between those two. Where you would draw a line? What is OS? (And this brought us 
to core of Fedora.next discussion :) )


--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-17 Thread Bastien Nocera


- Original Message -
> Dne 16.9.2014 v 17:29 Matthias Clasen napsal(a):
> > On Tue, 2014-09-16 at 16:21 +0200, Zdenek Kabelac wrote:
> >
> >>
> >> Has Fedora given up Unix ??
> >
> > This thread has gone quite far out into the weeds. It started with a
> > fairly concrete question: can we improve the offline update experience
> > by requiring only a single reboot, instead of two ?
> 
> That's the core of the problem, while other systems have been trying for
> years to get rid of this nonsense (updates requiring reboots), we are
> moving the opposite direction. Technical reasons aside(*), this is NOT
> right for our users.
> 
> 
> (*) I agree offline updates are the safest way technically but that
> should be only regarded as a workaround for a more fundamental problem,
> lying deep below the desktop level.

There are no desktop systems that can do live application updates. Applications
on mobile OSes get killed (and state is saved) when you update them.

All those OSes require reboots when updating the OS.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Lukáš Tinkl

Dne 16.9.2014 v 17:29 Matthias Clasen napsal(a):

On Tue, 2014-09-16 at 16:21 +0200, Zdenek Kabelac wrote:



Has Fedora given up Unix ??


This thread has gone quite far out into the weeds. It started with a
fairly concrete question: can we improve the offline update experience
by requiring only a single reboot, instead of two ?


That's the core of the problem, while other systems have been trying for 
years to get rid of this nonsense (updates requiring reboots), we are 
moving the opposite direction. Technical reasons aside(*), this is NOT 
right for our users.



(*) I agree offline updates are the safest way technically but that 
should be only regarded as a workaround for a more fundamental problem, 
lying deep below the desktop level.

--
Lukáš Tinkl 
Senior Software Engineer - KDE desktop team, Brno
KDE developer 
Red Hat Inc. http://cz.redhat.com
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Zdenek Kabelac

Dne 16.9.2014 v 17:36 Miloslav Trmač napsal(a):

- Original Message -

2. Ability to detect which processes depend on which versions of which
components.


We already managed to brought in systemd


I can’t see how systemd helps.  See the other discussions about Python/Ruby
modules that leave no obvious trace of their dependency after being loaded
into memory.


It has similar complexity and maybe packages could be described just like
services - so similar thing could be possibly reused here ?

Extra manual dependency information that would get obsolete?


Runtime removal of unused packages might be fun.
It could be something like 'fstrim' tool to run through cron...


3. Ability to automatically restart such processes without loosing state
(either completely transparently or with some user notification for
GUIs).


I'm not quite sure why we would need restart - simply delayed lazy release
of
unused packages would do the trick here - doing here state-full design is
much
more complex thing


Because otherwise you end up with an old version of Firefox running for 60
days (or however long a laptop can run with suspends and no restarts; most
people about never quit their browser), and that version of Firefox
keeping an old version of a system-wide daemon running for 60 days as
well..


Sure if user is able to run Firefox for 60 days  (though my usually goes out
of RAM in just a week or so, if it's not crashing earlier...) - then he is
happy user.

Until an exploit _that they have already installed an update for_ steals their 
data.


I guess something may show to user some nice gui dialog warning like -  'Hey
there is a new version installed - so 'restart' your browser to get new cool
feature'  (FF normally already detects upgrades and suggest restart)

No, that’s not good enough.  The OS should restart it for the user (other OSes 
already can do this).  (In the case of user-invisible components there is no 
other option, and for user-visible GUIs it is also the right thing to do.)


As long as Firefox can't restart 'unnoticeable' while playing youtube video - 
this is not an option - when admins updates machine - it just can't kill every 
users' running firefox.


It's fine to place a warning somewhere and require restart with some 'many 
hours' timeout - but for almost all "Firefox" updates - it's good enough to 
restart it just sometimes latest - and for those  'have to restart' - it still 
upon admins policy  - not upon Fedora package maintainer


Zdenek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Miloslav Trmač
- Original Message -
> Dne 16.9.2014 v 17:08 Miloslav Trmač napsal(a):
> > - Original Message -
> >>> Well, what we would need is:
> >>> 1. Ability to keep multiple versions (both ABI-compatible and
> >>> ABI-incompatible) of a single application or library or service installed
> >>> and running at the same time.
> >>
> >> Other distributions allow to install multiple version of same libraries
> >
> > AFAIK only when the ABI (soname) is different.  We also need to allow for
> > the case when the ABI stays the same but the internal implementation
> > changes (e.g. changing a format of a resource file that is used by the
> > library, making old processes incompatible with the newly installed
> > resource).
> 
> That's what I mean - when something changes in the library - soname should
> change.  It's quite broken to release same version of library with the same
> name when there is different internal implementation.

No.  Let me try to explain the issue in detail.

libfoo-1.0.0 and libfoo-1.0.1 both use /usr/share/libfoo/magic_database, but 
the internal format has changed between the versions.  It is _internal_ so 
changing the soname would be both unnecessary and _inappropriate_ (breaking 
users).  Looking at current packaging, neither RPM nor debian would install 
libfoo-1.0.0 and libfoo-1.0.1 in parallel.  Looking at the filesystem (i.e. 
assuming that we can change packaging), we may have both /usr/lib*/foo-1.0.0.so 
and /usr/lib*/foo-1.0.1.so installed on the filesystem, but that 
/usr/share/libfoo/magic_database can only have only one of the versions.  (OK, 
in this case it could be argued that it is the upstream’s fault and that they 
should version the magic_database path if they change the internal format, to 
explicitly design for parallel installs.  But now consider the distribution 
patching the library (changing “release” as opposed to “version” in RPM 
terminology); upstream can’t reasonably for that, parallel installation of 
same-version-different-release packages must be a distribution-focused 
filesystem design.


> >>> 2. Ability to detect which processes depend on which versions of which
> >>> components.
> >>
> >> We already managed to brought in systemd
> >
> > I can’t see how systemd helps.  See the other discussions about Python/Ruby
> > modules that leave no obvious trace of their dependency after being loaded
> > into memory.
> 
> It has similar complexity and maybe packages could be described just like
> services - so similar thing could be possibly reused here ?
Extra manual dependency information that would get obsolete?


> >>> 3. Ability to automatically restart such processes without loosing state
> >>> (either completely transparently or with some user notification for
> >>> GUIs).
> >>
> >> I'm not quite sure why we would need restart - simply delayed lazy release
> >> of
> >> unused packages would do the trick here - doing here state-full design is
> >> much
> >> more complex thing
> >
> > Because otherwise you end up with an old version of Firefox running for 60
> > days (or however long a laptop can run with suspends and no restarts; most
> > people about never quit their browser), and that version of Firefox
> > keeping an old version of a system-wide daemon running for 60 days as
> > well..
> 
> Sure if user is able to run Firefox for 60 days  (though my usually goes out
> of RAM in just a week or so, if it's not crashing earlier...) - then he is
> happy user.
Until an exploit _that they have already installed an update for_ steals their 
data.

> I guess something may show to user some nice gui dialog warning like -  'Hey
> there is a new version installed - so 'restart' your browser to get new cool
> feature'  (FF normally already detects upgrades and suggest restart)
No, that’s not good enough.  The OS should restart it for the user (other OSes 
already can do this).  (In the case of user-invisible components there is no 
other option, and for user-visible GUIs it is also the right thing to do.)
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Matthias Clasen
On Tue, 2014-09-16 at 16:21 +0200, Zdenek Kabelac wrote:

> 
> Has Fedora given up Unix ??

This thread has gone quite far out into the weeds. It started with a
fairly concrete question: can we improve the offline update experience
by requiring only a single reboot, instead of two ?

I'd still be interested in hearing Lennarts opinion on this.


Matthias

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Zdenek Kabelac

Dne 16.9.2014 v 17:08 Miloslav Trmač napsal(a):

- Original Message -

Well, what we would need is:
1. Ability to keep multiple versions (both ABI-compatible and
ABI-incompatible) of a single application or library or service installed
and running at the same time.


Other distributions allow to install multiple version of same libraries


AFAIK only when the ABI (soname) is different.  We also need to allow for the 
case when the ABI stays the same but the internal implementation changes (e.g. 
changing a format of a resource file that is used by the library, making old 
processes incompatible with the newly installed resource).


That's what I mean - when something changes in the library - soname should 
change.  It's quite broken to release same version of library with the same 
name when there is different internal implementation.  It's something library 
package maintainer should take care of...


There is also support for versioned symbols.





2. Ability to detect which processes depend on which versions of which
components.


We already managed to brought in systemd


I can’t see how systemd helps.  See the other discussions about Python/Ruby 
modules that leave no obvious trace of their dependency after being loaded into 
memory.


It has similar complexity and maybe packages could be described just like 
services - so similar thing could be possibly reused here ?


Anyway - I've not been thinking too deeply about this...





3. Ability to automatically restart such processes without loosing state
(either completely transparently or with some user notification for GUIs).


I'm not quite sure why we would need restart - simply delayed lazy release of
unused packages would do the trick here - doing here state-full design is much
more complex thing


Because otherwise you end up with an old version of Firefox running for 60 days 
(or however long a laptop can run with suspends and no restarts; most people 
about never quit their browser), and that version of Firefox keeping an old 
version of a system-wide daemon running for 60 days as well..


Sure if user is able to run Firefox for 60 days  (though my usually goes out 
of RAM in just a week or so, if it's not crashing earlier...) - then he is 
happy user.


I guess something may show to user some nice gui dialog warning like -  'Hey 
there is a new version installed - so 'restart' your browser to get new cool 
feature'  (FF normally already detects upgrades and suggest restart)


I don't see nothing wrong with this case - it's per user and doesn't require 
upgrade - and if I've something important is running in my browser I could 
delay restart to the moment I don't care.






And surprisingly even Systemd guru realized there is something broken with
current filesystem layout - except solving it with Btrfs is not really a
fix...


The sad thing is that adding more workarounds like namespaces and the like 
really might be easier than agreeing on making a real change and getting it 
done :(  But we will live with the costs forever.


Look at NixOS - there are no namespace or btrfs requirements

Zdenek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Miloslav Trmač
- Original Message -
> > Well, what we would need is:
> > 1. Ability to keep multiple versions (both ABI-compatible and
> > ABI-incompatible) of a single application or library or service installed
> > and running at the same time.
> 
> Other distributions allow to install multiple version of same libraries

AFAIK only when the ABI (soname) is different.  We also need to allow for the 
case when the ABI stays the same but the internal implementation changes (e.g. 
changing a format of a resource file that is used by the library, making old 
processes incompatible with the newly installed resource).

> > 2. Ability to detect which processes depend on which versions of which
> > components.
> 
> We already managed to brought in systemd

I can’t see how systemd helps.  See the other discussions about Python/Ruby 
modules that leave no obvious trace of their dependency after being loaded into 
memory.

> > 3. Ability to automatically restart such processes without loosing state
> > (either completely transparently or with some user notification for GUIs).
> 
> I'm not quite sure why we would need restart - simply delayed lazy release of
> unused packages would do the trick here - doing here state-full design is much
> more complex thing

Because otherwise you end up with an old version of Firefox running for 60 days 
(or however long a laptop can run with suspends and no restarts; most people 
about never quit their browser), and that version of Firefox keeping an old 
version of a system-wide daemon running for 60 days as well..

> And surprisingly even Systemd guru realized there is something broken with
> current filesystem layout - except solving it with Btrfs is not really a
> fix...

The sad thing is that adding more workarounds like namespaces and the like 
really might be easier than agreeing on making a real change and getting it 
done :(  But we will live with the costs forever.
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Zdenek Kabelac

Dne 16.9.2014 v 16:39 Miloslav Trmač napsal(a):

- Original Message -

Dne 16.9.2014 v 12:21 Richard Hughes napsal(a):

On 16 September 2014 10:55, Zdenek Kabelac  wrote:

Just a thought - but wouldn't be better spend time to enlighten
Gnome/Firefox developers how to write applications in a way the could be
upgraded runtime


So, it's not just the application, it's every application and D-Bus
service the application uses. Even glibc opens files-as-resources at


So it's time to fix D-Bus then as well!

If something is broken - it will not get fixed by hiding broken design behind
reboot&upgrade.


Quite true.


If you can't fix the Firefox (or some other broken tool) and you want to allow
install of new version - then you need to allow i.e. parallel installs of such
packages - it's that simple - I've been doing this more then 15 years ago at
University - so really nothing new here...


Well, what we would need is:
1. Ability to keep multiple versions (both ABI-compatible and ABI-incompatible) 
of a single application or library or service installed and running at the same 
time.


Other distributions allow to install multiple version of same libraries - I've 
never understood the Fedora policy to recompile whole Fedora when a new 
version of library is released.


This policy design is quite 'show-stopper' for anything like this...


2. Ability to detect which processes depend on which versions of which 
components.


We already managed to brought in systemd


3. Ability to automatically restart such processes without loosing state 
(either completely transparently or with some user notification for GUIs).


I'm not quite sure why we would need restart - simply delayed lazy release of 
unused packages would do the trick here - doing here state-full design is much 
more complex thing


The primary use-case to target should be to allow reinstall user packages 
while they are in use.




This has all been done before, and can be done again.  (And it would make at 
least half of the userbase clamoring for containers what they need, without 
playing ugly complex nontransparent namespace games.)  But let’s be clear about 
it, 1. means completely changing our filesystem layout, and 3. means changing 
our process model to go way beyond int main(...).

It is technically possible, it is the right thing to do.  Do we want to do it 
and can we do it?


Fedora made not much useful /usr move thing - so maybe it's time to think and 
design something really useful.


As mentioned there are OSes which do handle things much better...

And surprisingly even Systemd guru realized there is something broken with 
current filesystem layout - except solving it with Btrfs is not really a fix...



Has Fedora given up Unix ??


The Unix history is actually closer to “edit header files to match your 
hardware, then rebuild the kernel and userpace with (make world), and reboot“.  
Packaged applications with an ISV source and an update stream separate from the 
OS have certainly been built on top of Unix but have never been a major design 
focus.  Arguably the whole point of a “Linux distribution” has been to get 
closer to the BSD-style single-kernel-and-userspace distribution updated always 
as a whole.


My view rather is - Fedora is taking feature-by-feature away from my box.

Zdenek


--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Miloslav Trmač
- Original Message -
> Dne 16.9.2014 v 12:21 Richard Hughes napsal(a):
> > On 16 September 2014 10:55, Zdenek Kabelac  wrote:
> >> Just a thought - but wouldn't be better spend time to enlighten
> >> Gnome/Firefox developers how to write applications in a way the could be
> >> upgraded runtime
> >
> > So, it's not just the application, it's every application and D-Bus
> > service the application uses. Even glibc opens files-as-resources at
> 
> So it's time to fix D-Bus then as well!
> 
> If something is broken - it will not get fixed by hiding broken design behind
> reboot&upgrade.

Quite true.

> If you can't fix the Firefox (or some other broken tool) and you want to allow
> install of new version - then you need to allow i.e. parallel installs of such
> packages - it's that simple - I've been doing this more then 15 years ago at
> University - so really nothing new here...

Well, what we would need is:
1. Ability to keep multiple versions (both ABI-compatible and ABI-incompatible) 
of a single application or library or service installed and running at the same 
time.
2. Ability to detect which processes depend on which versions of which 
components.
3. Ability to automatically restart such processes without loosing state 
(either completely transparently or with some user notification for GUIs).

This has all been done before, and can be done again.  (And it would make at 
least half of the userbase clamoring for containers what they need, without 
playing ugly complex nontransparent namespace games.)  But let’s be clear about 
it, 1. means completely changing our filesystem layout, and 3. means changing 
our process model to go way beyond int main(...).  

It is technically possible, it is the right thing to do.  Do we want to do it 
and can we do it?

> This 'reboot' idea is just 'somehow' usable maybe for a single seat single
> user desktop - but not anywhere else.
> 
> Has Fedora given up Unix ??

The Unix history is actually closer to “edit header files to match your 
hardware, then rebuild the kernel and userpace with (make world), and reboot“.  
Packaged applications with an ISV source and an update stream separate from the 
OS have certainly been built on top of Unix but have never been a major design 
focus.  Arguably the whole point of a “Linux distribution” has been to get 
closer to the BSD-style single-kernel-and-userspace distribution updated always 
as a whole.
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Zdenek Kabelac

Dne 16.9.2014 v 12:21 Richard Hughes napsal(a):

On 16 September 2014 10:55, Zdenek Kabelac  wrote:

Just a thought - but wouldn't be better spend time to enlighten
Gnome/Firefox developers how to write applications in a way the could be
upgraded runtime


So, it's not just the application, it's every application and D-Bus
service the application uses. Even glibc opens files-as-resources at


So it's time to fix D-Bus then as well!

If something is broken - it will not get fixed by hiding broken design behind 
reboot&upgrade.


Guys it's 21st. century -  it's so much broken idea to reboot 'machine' 
because I want to upgrade i.e. Firefox - that I simply don't have words for it.


If you can't fix the Firefox (or some other broken tool) and you want to allow
install of new version - then you need to allow i.e. parallel installs of such 
packages - it's that simple - I've been doing this more then 15 years ago at 
University - so really nothing new here...


While the old-firefox is in use - new one could be installed in parallel
and the old one is removed when the last user closes app - of course
this has another problem with dependency hell - again solvable thing - look at 
i.e. NixOS.


Just fix things in their core instead of hiding problem in pointless reboots.

Have any of those 'inventors' of  reboot&update ever managed multiuser system?

This 'reboot' idea is just 'somehow' usable maybe for a single seat single 
user desktop - but not anywhere else.


Has Fedora given up Unix ??

Zdenek

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Petr Pisar
On 2014-09-16, Richard Hughes  wrote:
> The much bigger issues is if you're using a D-Bus service
> like most applications seem to do (and most use quite a few system and
> session, directly and indirectly) then you've also got to co-ordinate
> and handle changing D-Bus API (which typically isn't versioned).

Maybe it's time to version the API.

Look at microkernel based systems which utilize messaging heavily and
the API consumers (applications or another subsystems) have to be
prepared for spurious API provider (server) restarts.

A server can refuse a message any time (especially if it does not
understand the request). Simple operations are usualy implemented as
a sequence of requests and responses where initial request obtains
a descriptor (a session, a handle) and subsequent requests passe it as
context (a session) identifier. If the server is restarted in between,
the context identifier becomes unrecognized and it's up to the
application to deal with it.

Just the fact that somebody calls functions over dbus instead of jumping
into a shared library do not free them from maintaing API.

-- Petr

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Richard Hughes
On 16 September 2014 13:29, Przemek Klosowski
 wrote:
> OK, but this is means that we painted ourselves in the corner---something is
> wrong if my Android phone, which I don't have to reboot for updates,  has
> higher uptime than my computer.

Right, we certainly have. By not having an OS / app layering policy
we've basically lumped everything into the OS layer. We're now as good
as Android, when you upgrade releases that you basically do an offline
update like we do in GNOME.

The only way to do application online updating (IMO) is to solve four things:

* Defining an OS platform
* Not breaking platform API
* Sandboxing
* Per-user applications

Richard
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Josh Boyer
On Tue, Sep 16, 2014 at 8:29 AM, Przemek Klosowski
 wrote:
> On 09/16/2014 06:33 AM, Richard Hughes wrote:
>
>   I've triaged many bugs to do with online and offline update failures, and
> if we're going to say that we actually care about the users data, it becomes
> increasingly hard to defend the "old" way of doing it. I'm sure I could find
> numerous bugs numbers where doing an online update made the session/terminal
> crash which of course leaves you with duplicate packages on your system
> which may or may not be fixable. Richard
>
> OK, but this is means that we painted ourselves in the corner---something is
> wrong if my Android phone, which I don't have to reboot for updates,  has
> higher uptime than my computer.

You don't have to restart your phone for app updates, but the app
itself is restarted.  For Android updates, it does require you to
reboot the phone.  Android updates happen rather infrequently.  Your
analogy is slightly flawed.

> We are in a bind: on one hand, the best security practice is to upgrade
> daily to avoid emerging vulnerabilities; on the other hand daily reboots
> aren't really a nutritious alternative.  Something has to give---which one
> do we do:
>
>  - create a separate daily security upgrade stream, curated to not require
> reboots if at all possible

This has been suggested before and it isn't a terrible idea.  It
requires people to work on it though.

>  - follow Microsoft and do a fixed 'patch Tuesday' schedule instead of ASAP
> updates

There have been suggestions around having "levels" of updates.  A
firehose level, which is the equivalent of today, and then a batched
level, etc.  Also needs people to work on it.

josh
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Przemek Klosowski

On 09/16/2014 06:33 AM, Richard Hughes wrote:
I've triaged many bugs to do with online and offline update failures, 
and if we're going to say that we actually care about the users data, 
it becomes increasingly hard to defend the "old" way of doing it. I'm 
sure I could find numerous bugs numbers where doing an online update 
made the session/terminal crash which of course leaves you with 
duplicate packages on your system which may or may not be fixable. 
Richard 
OK, but this is means that we painted ourselves in the 
corner---something is wrong if my Android phone, which I don't have to 
reboot for updates,  has higher uptime than my computer.


We are in a bind: on one hand, the best security practice is to upgrade 
daily to avoid emerging vulnerabilities; on the other hand daily reboots 
aren't really a nutritious alternative.  Something has to give---which 
one do we do:


 - create a separate daily security upgrade stream, curated to not 
require reboots if at all possible


 - follow Microsoft and do a fixed 'patch Tuesday' schedule instead of 
ASAP updates


 - rewrite Linux or at least Gnome/DBus for safe updates :)


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Richard Hughes
On 16 September 2014 11:26, Reindl Harald  wrote:
> and the other side of the story are some hundret dist-upgrades i
> made in the past years with YUM (in a screen session for safety)
> while just continue to browse the web and read / answer email

So you're saying my technical analysis is incorrect because it happens
to work for you? I've triaged many bugs to do with online and offline
update failures, and if we're going to say that we actually care about
the users data, it becomes increasingly hard to defend the "old" way
of doing it. I'm sure I could find numerous bugs numbers where doing
an online update made the session/terminal crash which of course
leaves you with duplicate packages on your system which may or may not
be fixable.

Richard
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Reindl Harald

Am 16.09.2014 um 12:21 schrieb Richard Hughes:
> On 16 September 2014 10:55, Zdenek Kabelac  wrote:
>> Just a thought - but wouldn't be better spend time to enlighten
>> Gnome/Firefox developers how to write applications in a way the could be
>> upgraded runtime
> 
> So, it's not just the application, it's every application and D-Bus
> service the application uses. Even glibc opens files-as-resources at
> runtime. The much bigger issues is if you're using a D-Bus service
> like most applications seem to do (and most use quite a few system and
> session, directly and indirectly) then you've also got to co-ordinate
> and handle changing D-Bus API (which typically isn't versioned). This
> means you've got to restart the system DBus service at the right time
> in the on-line update, which means co-ordinating with any other open
> sessions on the system. Most desktop apps don't just sit in islands on
> their own. It's probably okay to live-update powertop on a single-user
> system when it's not being run, but anything much more integrated than
> that just isn't going to work very well

and the other side of the story are some hundret dist-upgrades i
made in the past years with YUM (in a screen session for safety)
while just continue to browse the web and read / answer email



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Richard Hughes
On 16 September 2014 10:55, Zdenek Kabelac  wrote:
> Just a thought - but wouldn't be better spend time to enlighten
> Gnome/Firefox developers how to write applications in a way the could be
> upgraded runtime

So, it's not just the application, it's every application and D-Bus
service the application uses. Even glibc opens files-as-resources at
runtime. The much bigger issues is if you're using a D-Bus service
like most applications seem to do (and most use quite a few system and
session, directly and indirectly) then you've also got to co-ordinate
and handle changing D-Bus API (which typically isn't versioned). This
means you've got to restart the system DBus service at the right time
in the on-line update, which means co-ordinating with any other open
sessions on the system. Most desktop apps don't just sit in islands on
their own. It's probably okay to live-update powertop on a single-user
system when it's not being run, but anything much more integrated than
that just isn't going to work very well.

Richard
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Zdenek Kabelac

Dne 16.9.2014 v 11:48 Richard Hughes napsal(a):

On 16 September 2014 10:36, Roberto Ragusa  wrote:

If applications would just use libraries correctly, the kernel
would be able to let parts of deleted files be available for lazy
loading.


Sure, as long as all[1] the resources were either open()d when the
user started the program, or linked in as resources into the library
itself then it works fine. You can certainly design an application
that does this correctly, it's just that very few do. A lot of GNOME
apps compile in resources into the binary itself, using GResource, and
this very much helps live updating.




Just a thought - but wouldn't be better spend time to enlighten Gnome/Firefox 
developers how to write applications in a way the could be upgraded runtime, 
instead of forcing users to reboot machines  which seems seriously ridiculous.


And if we can't fix Gnome -  then let's have there daemon/systemd service 
waiting in background till the 'problematic' app is still running - and run 
upgrade when the app is finally closed (eventually kindly ask user to close 
the app in case of some CVE)


Zdenek


--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Richard Hughes
On 16 September 2014 10:36, Roberto Ragusa  wrote:
> If applications would just use libraries correctly, the kernel
> would be able to let parts of deleted files be available for lazy
> loading.

Sure, as long as all[1] the resources were either open()d when the
user started the program, or linked in as resources into the library
itself then it works fine. You can certainly design an application
that does this correctly, it's just that very few do. A lot of GNOME
apps compile in resources into the binary itself, using GResource, and
this very much helps live updating.

Richard

[1] Including help files, all clipart, all icons, all .ui files, and
all the .css for all the dialogs.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Roberto Ragusa
On 09/12/2014 05:47 PM, Richard Hughes wrote:

> That's just not safe. Have you ever had firefox open and done a
> firefox update? Widgets start disappearing, redraws start having weird
> artifects and then after a little while it just crashes. Other
> applications like LibreOffice behave the same. Anyone that says things
> like "the old version of the library stays in memory" obviously hasn't
> actually done much real-world GUI programming in the last decade, or
> runs any kind of secure desktop system.

You are basically saying that "modern" software is just breaking
things which were perfectly solved decades ago.
If applications would just use libraries correctly, the kernel
would be able to let parts of deleted files be available for lazy
loading.

-- 
   Roberto Ragusamail at robertoragusa.it
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Reindl Harald

Am 16.09.2014 um 10:50 schrieb Richard Hughes:
> On 15 September 2014 13:06, Miroslav Suchý  wrote:
>> But *I* do not want to reboot after each upgrade. Those crashes will be
>> 0.1% of all crashes on my workstation
> 
> I think you might change your mind when it's you're the one that has
> to triage those ABRT-reported bugs. Also, consoling users with lost
> data gets tiring really quick

well, users which want full control typically disable
or even uninstall ABRT - as long offline updates are
not becoming mandatory all is fine

[harry@srv-rhsoft:~]$ rpm -qa | grep -i ABRT
[harry@srv-rhsoft:~]$



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-16 Thread Richard Hughes
On 15 September 2014 13:06, Miroslav Suchý  wrote:
> But *I* do not want to reboot after each upgrade. Those crashes will be
> 0.1% of all crashes on my workstation

I think you might change your mind when it's you're the one that has
to triage those ABRT-reported bugs. Also, consoling users with lost
data gets tiring really quick.

Richard
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Richard W.M. Jones
On Mon, Sep 15, 2014 at 04:07:39PM +0200, Vít Ondruch wrote:
> Dne 15.9.2014 14:28, Richard W.M. Jones napsal(a):
> > On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote:
> >> Every of the script is based on assumption that you already read some
> >> library/unit whatever. But that is not enough. I wonder how you want to
> >> detect that you need restart in case that I have something like this:
> >>
> >> $ ls
> >> foo.rb
> >> bar.rb
> >>
> >> $ cat foo.rb
> >>
> >> def some_function
> >>   require 'bar'
> >> end
> >>
> >> And now
> >>
> >> 1) I run some application, which loads my foo.rb file.
> >> 2) I later update the package which removes bar.rb file.
> >> 3) And I call some_function which fails due to missing bar.rb
> > How is this not 'foo' simply being broken?
> 
> They might come from different packages.

OK, in which case the package that needs bar was broken because it
didn't express that need in its dependencies, nor guard against the
possibility that bar was not installed.

> Or there might be also another
> level of requires, where bar.rb requires by baz.rb. In case that bar.rb
> stays and baz.rb is removed, you still cannot predict that this will
> fail in the future, since neither of these files was loaded before.

In which case bar.rb was similarly broken, for the same reason as
above.

> Or there might be another example of code with similar issues:
> 
> $ cat foo.rb
> 
> def some_function
>   $files.each {|f| require f}
> end
> 
> $files = Dir.glob('*.rb')
> 
> I.e. during initialization, you list available files and you want to
> load them later, but at that moment, they are not there already.

This code is still by any measure broken.  There are lots of ways that
such code could fail to work.

Plainly what I'm trying to say is: If the potentially insecure code
has been loaded into a Python process, and the python interpreter has
the small modification that I suggested, then we will be able to
detect that the insecure code is loaded into memory and flag the
process/service as needing to be restarted.

That's all.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Vít Ondruch
Dne 15.9.2014 14:28, Richard W.M. Jones napsal(a):
> On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote:
>> Every of the script is based on assumption that you already read some
>> library/unit whatever. But that is not enough. I wonder how you want to
>> detect that you need restart in case that I have something like this:
>>
>> $ ls
>> foo.rb
>> bar.rb
>>
>> $ cat foo.rb
>>
>> def some_function
>>   require 'bar'
>> end
>>
>> And now
>>
>> 1) I run some application, which loads my foo.rb file.
>> 2) I later update the package which removes bar.rb file.
>> 3) And I call some_function which fails due to missing bar.rb
> How is this not 'foo' simply being broken?

They might come from different packages. Or there might be also another
level of requires, where bar.rb requires by baz.rb. In case that bar.rb
stays and baz.rb is removed, you still cannot predict that this will
fail in the future, since neither of these files was loaded before.

Or there might be another example of code with similar issues:

$ cat foo.rb

def some_function
  $files.each {|f| require f}
end

$files = Dir.glob('*.rb')

I.e. during initialization, you list available files and you want to
load them later, but at that moment, they are not there already.

>   ie. Not expressing its
> needs properly in its RPM dependencies?


We typically express dependencies between packages, the separate library
files are typically considered just implementation detail. But I agree
that it would be more precise to express dependencies between separate
library files, instead of packages. Anyway, this is case of dynamic
loading, so I am not sure how you would specify the dependencies.


Vít
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Richard W.M. Jones
On Mon, Sep 15, 2014 at 02:49:34PM +0200, Reindl Harald wrote:
> 
> 
> Am 15.09.2014 um 14:44 schrieb Richard W.M. Jones:
> > On Mon, Sep 15, 2014 at 02:40:34PM +0200, Reindl Harald wrote:
> >>
> >> Am 15.09.2014 um 14:28 schrieb Richard W.M. Jones:
> >>> On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote:
>  1) I run some application, which loads my foo.rb file.
>  2) I later update the package which removes bar.rb file.
>  3) And I call some_function which fails due to missing bar.rb
> >>>
> >>> How is this not 'foo' simply being broken?  ie. Not expressing its
> >>> needs properly in its RPM dependencies?
> >>>
> >>> It would still have been broken even with a reboot
> >>
> >> no - why should it?
> >>
> >> 'foo' is loaded in memory, updated and now has different dependencies
> >> no longer require 'bar.rb' but your running version still do
> > 
> > Please read closely.  'foo' has *not* been updated.
> > 
> > If 'foo' had been updated, we would have spotted it and restarted that
> > process using my technique outlined in the previous email
> 
> cross deps coming in my mind
> foo -> library -> library -> library
> 
> * the first maybe already loaded
> * also loaded the second one in a previous call
> * that version relies on teh third one for some operations
> * in a update the deps have changed
> 
> so you may have a mix with different dep-chains in memory
> and some parts used the first time from disk with unexpected
> results

I have absolutely no idea what you are talking about.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Reindl Harald


Am 15.09.2014 um 14:44 schrieb Richard W.M. Jones:
> On Mon, Sep 15, 2014 at 02:40:34PM +0200, Reindl Harald wrote:
>>
>> Am 15.09.2014 um 14:28 schrieb Richard W.M. Jones:
>>> On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote:
 1) I run some application, which loads my foo.rb file.
 2) I later update the package which removes bar.rb file.
 3) And I call some_function which fails due to missing bar.rb
>>>
>>> How is this not 'foo' simply being broken?  ie. Not expressing its
>>> needs properly in its RPM dependencies?
>>>
>>> It would still have been broken even with a reboot
>>
>> no - why should it?
>>
>> 'foo' is loaded in memory, updated and now has different dependencies
>> no longer require 'bar.rb' but your running version still do
> 
> Please read closely.  'foo' has *not* been updated.
> 
> If 'foo' had been updated, we would have spotted it and restarted that
> process using my technique outlined in the previous email

cross deps coming in my mind
foo -> library -> library -> library

* the first maybe already loaded
* also loaded the second one in a previous call
* that version relies on teh third one for some operations
* in a update the deps have changed

so you may have a mix with different dep-chains in memory
and some parts used the first time from disk with unexpected
results





signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Richard W.M. Jones
On Mon, Sep 15, 2014 at 02:40:34PM +0200, Reindl Harald wrote:
> 
> Am 15.09.2014 um 14:28 schrieb Richard W.M. Jones:
> > On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote:
> >> 1) I run some application, which loads my foo.rb file.
> >> 2) I later update the package which removes bar.rb file.
> >> 3) And I call some_function which fails due to missing bar.rb
> > 
> > How is this not 'foo' simply being broken?  ie. Not expressing its
> > needs properly in its RPM dependencies?
> > 
> > It would still have been broken even with a reboot
> 
> no - why should it?
> 
> 'foo' is loaded in memory, updated and now has different dependencies
> no longer require 'bar.rb' but your running version still do

Please read closely.  'foo' has *not* been updated.

If 'foo' had been updated, we would have spotted it and restarted that
process using my technique outlined in the previous email.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Reindl Harald

Am 15.09.2014 um 14:28 schrieb Richard W.M. Jones:
> On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote:
>> 1) I run some application, which loads my foo.rb file.
>> 2) I later update the package which removes bar.rb file.
>> 3) And I call some_function which fails due to missing bar.rb
> 
> How is this not 'foo' simply being broken?  ie. Not expressing its
> needs properly in its RPM dependencies?
> 
> It would still have been broken even with a reboot

no - why should it?

'foo' is loaded in memory, updated and now has different dependencies
no longer require 'bar.rb' but your running version still do

yes, such corner cases are possible, regardless no reason
for go the windows way and reboot after any minor update



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Richard W.M. Jones

On Mon, Sep 15, 2014 at 10:57:13AM +0200, Vít Ondruch wrote:
> Every of the script is based on assumption that you already read some
> library/unit whatever. But that is not enough. I wonder how you want to
> detect that you need restart in case that I have something like this:
> 
> $ ls
> foo.rb
> bar.rb
> 
> $ cat foo.rb
> 
> def some_function
>   require 'bar'
> end
> 
> And now
> 
> 1) I run some application, which loads my foo.rb file.
> 2) I later update the package which removes bar.rb file.
> 3) And I call some_function which fails due to missing bar.rb

How is this not 'foo' simply being broken?  ie. Not expressing its
needs properly in its RPM dependencies?

It would still have been broken even with a reboot.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Miroslav Suchý

On 09/15/2014 10:57 AM, Vít Ondruch wrote:

Every of the script is based on assumption that you already read some
library/unit whatever. But that is not enough. I wonder how you want to
detect that you need restart in case that I have something like this:

$ ls
foo.rb
bar.rb

$ cat foo.rb

def some_function
   require 'bar'
end

And now

1) I run some application, which loads my foo.rb file.
2) I later update the package which removes bar.rb file.
3) And I call some_function which fails due to missing bar.rb


Indeed, would foo.rb and bar.rb comes from different packages, then there is 
really no way.


There is no universal and reliable way how to detect this scenario IMO.


Well, if you are operator of nuclear power plant, then I understand the need of 
reboot after each upgrade.

But *I* do not want to reboot after each upgrade. Those crashes will be 0.1% of all crashes on my workstation, which 
is less PITA than rebooting because I upgraded 'foo-doc' package.


--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Vít Ondruch
Every of the script is based on assumption that you already read some
library/unit whatever. But that is not enough. I wonder how you want to
detect that you need restart in case that I have something like this:

$ ls
foo.rb
bar.rb

$ cat foo.rb

def some_function
  require 'bar'
end

And now

1) I run some application, which loads my foo.rb file.
2) I later update the package which removes bar.rb file.
3) And I call some_function which fails due to missing bar.rb

There is no universal and reliable way how to detect this scenario IMO.


Vít



Dne 15.9.2014 10:06, Richard W.M. Jones napsal(a):
> On Mon, Sep 15, 2014 at 09:50:36AM +0200, Miroslav Suchý wrote:
>> On 09/12/2014 07:09 PM, Reindl Harald wrote:
>>> never worked relieable here on multiple machines
>>>
>>> it often showed nothing where i knew the thing
>>> which should be restarted without looking and
>>> "lsof" proved it
>> I am one of those guys who refuse to reboot after each upgrade (and
>> it works for me) and needs-restarting is ugly and insufficient to
>> me.
>>
>> Therefore I initiated this project:
>>   https://github.com/FrostyX/tracer
>>   http://copr.fedoraproject.org/coprs/frostyx/tracer/
>>
>> It is still not finished and ready for announcement, but if you are
>> looking for some other way than offline-upgrade, this might be worth
>> of participating.
> It wasn't clear to me how tracer works for non-C programs.
>
> However there was some Red Hat only discussion recently about how to
> do this for Python programs, with minimal overhead.  Below I'm just
> reproducing a technique (untested) that I think will work for Python.
>
> It requires a small patch to the Python interpreter, and a similar
> patch to any other language interpreters (eg. Perl, Ruby).
>
> Rich.
>
> ---
> For each module (*.py or *.pyc) that it imports, have it mmap the
> first page of that file into its memory.
>
> The mmap would be PROT_NONE because it's not actually used, and the
> associated file descriptor should be closed.
>
> This will appear in /proc/PID/maps, with a "(deleted)" flag if the
> underlying file gets deleted (and hence the process needs restarting).
>
> The cost should be almost nothing:
>
>  - 4K of virtual memory, no real memory   
>  - an extra mmap syscall on import
>  - an extra segment in the kernel's VM AVL  
> ---
>
> Rich.
>


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Miroslav Suchý

On 09/15/2014 10:06 AM, Richard W.M. Jones wrote:

It wasn't clear to me how tracer works for non-C programs.


https://github.com/FrostyX/tracer/commit/4abfc4ecbc6d1d4cd89b7162e1ba3f63088db3ff

Which basicaly checkout output of `ps` and if there is e.g. python as 
executable, it will check for arguments and use those.
But I agree that interpreted languages are problem, because they open the file, 
read it and close the handler.
So there are no footsteps to track.


However there was some Red Hat only discussion recently about how to
do this for Python programs, with minimal overhead.  Below I'm just
reproducing a technique (untested) that I think will work for Python.

It requires a small patch to the Python interpreter, and a similar
patch to any other language interpreters (eg. Perl, Ruby).

Rich.

---
For each module (*.py or *.pyc) that it imports, have it mmap the
first page of that file into its memory.

The mmap would be PROT_NONE because it's not actually used, and the
associated file descriptor should be closed.

This will appear in /proc/PID/maps, with a "(deleted)" flag if the
underlying file gets deleted (and hence the process needs restarting).

The cost should be almost nothing:

  - 4K of virtual memory, no real memory
  - an extra mmap syscall on import
  - an extra segment in the kernel's VM AVL
---


Very nice.
Is there some bugzilla RFE report for this? Or should I file it?


--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Richard W.M. Jones
On Mon, Sep 15, 2014 at 09:50:36AM +0200, Miroslav Suchý wrote:
> On 09/12/2014 07:09 PM, Reindl Harald wrote:
> >never worked relieable here on multiple machines
> >
> >it often showed nothing where i knew the thing
> >which should be restarted without looking and
> >"lsof" proved it
> 
> I am one of those guys who refuse to reboot after each upgrade (and
> it works for me) and needs-restarting is ugly and insufficient to
> me.
> 
> Therefore I initiated this project:
>   https://github.com/FrostyX/tracer
>   http://copr.fedoraproject.org/coprs/frostyx/tracer/
> 
> It is still not finished and ready for announcement, but if you are
> looking for some other way than offline-upgrade, this might be worth
> of participating.

It wasn't clear to me how tracer works for non-C programs.

However there was some Red Hat only discussion recently about how to
do this for Python programs, with minimal overhead.  Below I'm just
reproducing a technique (untested) that I think will work for Python.

It requires a small patch to the Python interpreter, and a similar
patch to any other language interpreters (eg. Perl, Ruby).

Rich.

---
For each module (*.py or *.pyc) that it imports, have it mmap the
first page of that file into its memory.

The mmap would be PROT_NONE because it's not actually used, and the
associated file descriptor should be closed.

This will appear in /proc/PID/maps, with a "(deleted)" flag if the
underlying file gets deleted (and hence the process needs restarting).

The cost should be almost nothing:

 - 4K of virtual memory, no real memory   
 - an extra mmap syscall on import
 - an extra segment in the kernel's VM AVL  
---

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-15 Thread Miroslav Suchý

On 09/12/2014 07:09 PM, Reindl Harald wrote:

never worked relieable here on multiple machines

it often showed nothing where i knew the thing
which should be restarted without looking and
"lsof" proved it


I am one of those guys who refuse to reboot after each upgrade (and it works for me) and needs-restarting is ugly and 
insufficient to me.


Therefore I initiated this project:
  https://github.com/FrostyX/tracer
  http://copr.fedoraproject.org/coprs/frostyx/tracer/

It is still not finished and ready for announcement, but if you are looking for some other way than offline-upgrade, 
this might be worth of participating.


--
Miroslav Suchy, RHCE, RHCDS
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-13 Thread Corey Sheldon
the keys are in kernelspace IIRC and thus updated / passed on initrd
/initramfs updates and kernel updates

Corey W Sheldon
Freelance IT Consultant, Multi-Discipline Tutor
310.909.7672
www.facebook.com/1stclassmobileshine

On Sat, Sep 13, 2014 at 7:01 PM, Ian Pilcher  wrote:

> On 09/13/2014 03:59 AM, Fred New wrote:
> > One step up from this would be something like a kpatch process in rpm
> > combined with packaged metadata that replaces in-memory modules so that
> > reboots wouldn't be necessary. Yeh, probably impossible.
>
> This has almost certainly already been considered by people smarter than
> me, but it occurs to me that there's no reason that kexec couldn't some-
> how pass LUKS/dm-crypt keys to the new kernel.
>
> --
> 
> Ian Pilcher arequip...@gmail.com
>  "I grew up before Mark Zuckerberg invented friendship" 
> 
>
> --
> devel mailing list
> devel@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-13 Thread Ian Pilcher
On 09/13/2014 03:59 AM, Fred New wrote:
> One step up from this would be something like a kpatch process in rpm
> combined with packaged metadata that replaces in-memory modules so that
> reboots wouldn't be necessary. Yeh, probably impossible.

This has almost certainly already been considered by people smarter than
me, but it occurs to me that there's no reason that kexec couldn't some-
how pass LUKS/dm-crypt keys to the new kernel.

-- 

Ian Pilcher arequip...@gmail.com
 "I grew up before Mark Zuckerberg invented friendship" 


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-13 Thread Fred New
On Sat, Sep 13, 2014 at 3:32 AM, Chris Murphy 
wrote:

>
> On Sep 12, 2014, at 9:47 AM, Richard Hughes  wrote:
>
> > The *only* way to do this
> > securely and safely in the system we have now is in a clean pre-boot
> > environment,
>
> Mostly clean post-boot environment, with the system we have now?
>
> > What we could do is do updates on shutdown by basically killing
> > everything except PID 1, and then restart everything, but even then
> > that relies on no systemd or kernel updates being present.
>
> Even if the system is fully rebooted once, after the update is done in a
> post-boot environment, it's half the reboots needed now.
>
> One step up from this would be a way for packages to contain metadata
> indicating they need a reboot after an update; if none require it, then
> isolate graphical.target rather than a reboot.
>

One step up from this would be something like a kpatch process in rpm
combined with packaged metadata that replaces in-memory modules so that
reboots wouldn't be necessary. Yeh, probably impossible.

Fred
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Chris Murphy

On Sep 12, 2014, at 9:47 AM, Richard Hughes  wrote:

> The *only* way to do this
> securely and safely in the system we have now is in a clean pre-boot
> environment,

Mostly clean post-boot environment, with the system we have now?

> What we could do is do updates on shutdown by basically killing
> everything except PID 1, and then restart everything, but even then
> that relies on no systemd or kernel updates being present.

Even if the system is fully rebooted once, after the update is done in a 
post-boot environment, it's half the reboots needed now.

One step up from this would be a way for packages to contain metadata 
indicating they need a reboot after an update; if none require it, then isolate 
graphical.target rather than a reboot.


Chris Murphy
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Reindl Harald

Am 12.09.2014 um 23:36 schrieb Richard W.M. Jones:
> On Fri, Sep 12, 2014 at 10:33:13AM -0600, Nathanael d. Noblet wrote:
>> I am curious though. Everyone says the only way to do it securely and
>> safely is with nothing running. Why can't updates be applied with stuff
>> running prior to a reboot? 
> 
> There's no reason, apart from the kernel.  You're doing it right already

well, some libraries like glibc leads also in better reboot
since they are used by nearly any component, but for 99% of
all updates a reboot is a joke since you easily can restart
servcices with nearly zero downtime

systemctl condrestart service1 service2 service3

condrestart since i distribute such commands over the whole
infrsastructure after tests and deployment and not every
installed service is enabled on all hosts



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Richard W.M. Jones
On Fri, Sep 12, 2014 at 10:33:13AM -0600, Nathanael d. Noblet wrote:
> I am curious though. Everyone says the only way to do it securely and
> safely is with nothing running. Why can't updates be applied with stuff
> running prior to a reboot? 

There's no reason, apart from the kernel.  You're doing it right already.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Reindl Harald


Am 12.09.2014 um 18:58 schrieb Till Maas:
> On Fri, Sep 12, 2014 at 06:37:07PM +0200, Reindl Harald wrote:
> 
>> * lsof | grep DEL | grep /usr and restart services on servers
> 
> There is a convenient script called "needs-restarting" to do this.
> Checkrestart on debian even suggest potential init scripts that can be
> used to restart the services

never worked relieable here on multiple machines

it often showed nothing where i knew the thing
which should be restarted without looking and
"lsof" proved it



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Till Maas
On Fri, Sep 12, 2014 at 06:37:07PM +0200, Reindl Harald wrote:

> * lsof | grep DEL | grep /usr and restart services on servers

There is a convenient script called "needs-restarting" to do this.
Checkrestart on debian even suggest potential init scripts that can be
used to restart the services.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Nathanael d. Noblet
On Fri, 2014-09-12 at 16:47 +0100, Richard Hughes wrote:
> On 12 September 2014 16:16, Nathanael d. Noblet  wrote:
> > Yeah, I almost never use the reboot & install method. 90% of the
> > packages being installed/updated seem foolish to need a reboot to
> > update.
> 
> I've been called worse that foolish I guess...
> 
> > I typically do a yum update manually and then if I notice
> > glibc/kernel/systemd or other big packages do a reboot.
> 
> That's just not safe. Have you ever had firefox open and done a
> firefox update? Widgets start disappearing, redraws start having weird
> artifects and then after a little while it just crashes. Other
> applications like LibreOffice behave the same. Anyone that says things
> like "the old version of the library stays in memory" obviously hasn't
> actually done much real-world GUI programming in the last decade, or
> runs any kind of secure desktop system. The *only* way to do this
> securely and safely in the system we have now is in a clean pre-boot
> environment, which is sad and crap UX, but still nevertheless true.
> When we have application sandboxing and a stable OS platform to use,
> we can certainly do something more sane, but until then we're just
> hacking around the problem.

So I don't use Firefox anymore but I do know back in the day if we had
FF open when we updated it would do a double request for each page/form.
However when updating we just restarted FF and it would work fine after
that. I've never noticed any other issues than FF but like I said I
don't use it anymore.

Granted that doesn't matter obviously we don't want that kind of
behaviour. 

I am curious though. Everyone says the only way to do it securely and
safely is with nothing running. Why can't updates be applied with stuff
running prior to a reboot? 


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Reindl Harald

Am 12.09.2014 um 18:33 schrieb Nathanael d. Noblet:
> So I don't use Firefox anymore but I do know back in the day if we had
> FF open when we updated it would do a double request for each page/form.
> However when updating we just restarted FF and it would work fine after
> that. I've never noticed any other issues than FF but like I said I
> don't use it anymore.
> 
> Granted that doesn't matter obviously we don't want that kind of
> behaviour. 
> 
> I am curious though. Everyone says the only way to do it securely and
> safely is with nothing running. Why can't updates be applied with stuff
> running prior to a reboot? 

1 out of a million cases needs offline updates

really - the only good at it is that you can stick
at using YUM and decide what you have to do at your
own - rarely updates really require a reboot

* lsof | grep DEL | grep /usr and restart services on servers
* logout/login and the above on workstations



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Richard Hughes
On 12 September 2014 16:16, Nathanael d. Noblet  wrote:
> Yeah, I almost never use the reboot & install method. 90% of the
> packages being installed/updated seem foolish to need a reboot to
> update.

I've been called worse that foolish I guess...

> I typically do a yum update manually and then if I notice
> glibc/kernel/systemd or other big packages do a reboot.

That's just not safe. Have you ever had firefox open and done a
firefox update? Widgets start disappearing, redraws start having weird
artifects and then after a little while it just crashes. Other
applications like LibreOffice behave the same. Anyone that says things
like "the old version of the library stays in memory" obviously hasn't
actually done much real-world GUI programming in the last decade, or
runs any kind of secure desktop system. The *only* way to do this
securely and safely in the system we have now is in a clean pre-boot
environment, which is sad and crap UX, but still nevertheless true.
When we have application sandboxing and a stable OS platform to use,
we can certainly do something more sane, but until then we're just
hacking around the problem.

What we could do is do updates on shutdown by basically killing
everything except PID 1, and then restart everything, but even then
that relies on no systemd or kernel updates being present. Solving the
real problem is much harder (OS + Apps split) but we also need to slow
the firehose of needless updates.

Richard
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Re: Improving the offline updates user experience

2014-09-12 Thread Nathanael d. Noblet
On Fri, 2014-09-12 at 10:46 -0400, Stephen Gallagher wrote:
> == Proposed Improvements ==
> 
> We could significantly improve this situation by allowing the system
> to drop directly from the interactive system into the updater
> environment without doing a full reboot or relaunching the kernel.
> 
> Lennart, would it be possible to set up a special systemd target for
> performing updates that would essentially stop all processes except
> for systemd and then apply the updates?
> 
> In an ideal world, it would then also be possible after update is
> completed to restore operation to the standard boot targets of systemd
> so that the system comes back up without having to perform a total
> reboot. The exceptional case would of course be that in which either
> the kernel, libc or systemd[1] needed to be updated, in which case a
> reboot could be performed.
> 
> In this scenario, we can reduce the number of encrypted disk
> challenges to at most a single one, and that only if absolutely
> minimal plumbing packages saw an update.
> 
> I'd very much like to hear from the plumbers on this matter.

Yeah, I almost never use the reboot & install method. 90% of the
packages being installed/updated seem foolish to need a reboot to
update. I typically do a yum update manually and then if I notice
glibc/kernel/systemd or other big packages do a reboot. 

All my systems have disk encryption since some of our projects could
potentially include people's private information. The latest way of
updating is just plain annoying for an unknown gain.

I would *love* if it was improved.

-- 
Nathanael 

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

Improving the offline updates user experience

2014-09-12 Thread Stephen Gallagher
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

== The Problem ==

It is very common for users to have systems with encrypted root
partitions (or even just /var and /etc). This may be due to a personal
concern for their data or a corporate policy mandating full-disk
encryption. Disk encryption requires a password (or other more
complicated credentials) be be presented just after the kernel is
booted and before the drives can be mounted and their data read.

With the current implementation of the offline updates in Fedora, this
leads to a very unpleasant user experience when updating. We offer two
ways to perform offline updates in the default user environment of
Fedora Workstation: "Install updates and reboot" or "Install updates
and shut down".

With "Install updates and reboot", the behavior is as follows:

1) The system shuts down and initiates an ACPI reboot.
2) The system presents the kernel boot menu and then starts the
updater kernel.
3) The system presents the user with a password prompt for the disk
encryption (possibly more than one, if the system is configured with
different passwords for different partitions).
4) The offline updates occur.
5) The system shuts down and initiates an ACPI reboot.
6) The system presents the kernel boot menu and then starts the
standard (possibly updated) kernel.
7) The system presents the user with a password prompt for the disk
encryption (possibly more than one, if the system is configured with
different passwords for different partitions).
8) The system completes booting.

During this experience, the user has been required to enter their disk
encryption password *twice*. The same is true for the "Install and
shut down" case, except that the two passwords are separated by some
actual wallclock time.

== Proposed Improvements ==

We could significantly improve this situation by allowing the system
to drop directly from the interactive system into the updater
environment without doing a full reboot or relaunching the kernel.

Lennart, would it be possible to set up a special systemd target for
performing updates that would essentially stop all processes except
for systemd and then apply the updates?

In an ideal world, it would then also be possible after update is
completed to restore operation to the standard boot targets of systemd
so that the system comes back up without having to perform a total
reboot. The exceptional case would of course be that in which either
the kernel, libc or systemd[1] needed to be updated, in which case a
reboot could be performed.

In this scenario, we can reduce the number of encrypted disk
challenges to at most a single one, and that only if absolutely
minimal plumbing packages saw an update.

I'd very much like to hear from the plumbers on this matter.


[1] I'm told that this might not be necessary; that systemd can
re-exec itself to pick up its own updates. That would reduce the scope
presumably to "only the kernel" forcing reboots.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlQTB1YACgkQeiVVYja6o6MvpgCeLbkWSgY5XGI4nJg3skjyu8v+
nQUAoIyvNHpJ8SRytPPKGZ3C8kZ560J9
=zZ+N
-END PGP SIGNATURE-
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct