Energia Open Source
Powered by Open Source
Transactional Roll-backs and Upgrades
John Thomson: [email protected]
Paulo Trezentos: [email protected]
http://twitter.com/PauloTrezentos
Partner / Technical Director
Monday 1st February [preview][Sunday, 7th February 2010]
Presented by:
07.02.2010 Transactional Rollbacks and Upgrades 2
Overview
An overview of what Caixa Mágica does.
MANCOOSI project
Roll-back
    Definition
    Types of roll-back
    As part of a bigger system
DSL
    Definition
    Example
Approach
Implementation
Conclusion
[Demonstration] + Q&A
A brief summary of Caixa Mágica Software and an overview of what we do:
Caixa Mágica is a software and solutions provider for GNU/Linux based Free/Open Source Software (FOSS) Systems, based in Lisbon, Portugal.
Linux - Caixa Mágica 14 is the main Linux Distribution available in Portugal.
Caixa Mágica work with national companies, the Government and with European partners to promote Open Source in all aspects of work.
Over 600,000 Linux CM systems installed (single & dual boot)
Next slides → One of the key projects that we are working on is the MANCOOSI project. Working on various aspects of Package Upgrade problems including solvers, distribution independent meta-data as well as Transactional Roll-back that I will be discussing.
European based research projects
Caixa Mágica works in many multi-national European based research projects. After the conclusion of the EDOS (EU FP6 STREP) based project it is now actively working on another, MANCOOSI.
Many other projects are in the pipeline or have been bid for.
We work with a multitude of top-tier Universities and research institutions.
About MANCOOSI
MANCOOSI - Managing the complexity of open source software. www.mancoosi.org - Many branches of work to solve package management issues that have been identified through EDOS project.
Jeff Johnson will present Transactionally Protected Package Management for @rpm5.org implementation of roll-back.
Stefano Zacchiroli will present Cross-distro dependency resolution as part of the work for MANCOOSI in a different stream.
Aim is to investigate package upgrades on computer systems and to develop a framework from which roll-back and pre-analysed upgrade plans are possible.
Roll-back as simple as traversing time?
What does roll-back mean, really?
In terms of package configuration, roll-back is the process of inverting the changes to the system made by package upgrades to get back to a particular system state.
There are many other mechanisms out there that work by using file system snapshots or saving the state (next slide).
The mechanism is one part of Transactionally Protected Package Management that Jeff Johnson will speak about in his presentation later. Our method for allowing roll-back is one part of a much bigger mechanism that allows for deterministic system configurations.
Installation Timeline
PkgFoo v 1.00, Time: 10.00pm
PkgFoo v 2.00, Time: 10.20pm
States: S1, S2
Roll-back, possible?
Different types of roll-back
Conary, as a 2nd Generation Package Manager, aims to meet many short-comings of current meta-installers. Used in Linux Distributions such as Foresight Linux.
Augeas is a configuration management tool that makes manipulating config files from the shell much easier and possible through other language bindings.
ZFS, used by Nexenta, is an example of a file-system snapshot mechanism that uses the storage available to snapshot several system states.
NixOS is a non-LSB based system that re-thinks how files and resources are used to try and make all files purely functional and so don't require installing per-se.
Other mechanisms, e.g. etckeeper being developed by Fedora, also try and capture configuration files into a VCS.
Difficulties of Roll-back
Package maintainers tend to think in the forward direction of upgrading packages and trying to maintain compatibility for subsequent versions. Working in the reverse direction is a relatively unheard of concept.
The idea of roll-back is squarely placed against the idea that programs and their maintainers improve upon packages in each iteration. Downgrade is seen as a negative process.
If it was necessary it would already have been done, or would it?
Rolling-back changes is 'only' needed when a package fails to work on the system, so a better dependency and conflict checker is more important than roll-back?
There may be cases where roll-back is impossible using the techniques that we have investigated, or possibly at all.
Roll-back is one part of a bigger picture
Ability to undo package upgrade/install is just one benefit of having a system that can capture the package configuration state and maintain a deterministic transition model of the system.
By examining the current maintainer scripts and templates provided by programs such as deb-helper and rpm-helper we have defined a language that can assist with problems which cannot be addressed by current meta-installers or maintainer scripts.
Transactionally Protected Package Management (TPPM) is what we are aiming to move towards. Presentation of same topic name by Jeff Johnson at 2:45pm, in the same room.
[Diagram labels: roll-back, TPPM]
What is the Domain Specific Language (DSL) and what does it achieve?
The DSL is a language used to abstract from the system and represent it in such a way as to be able to solve a particular problem that we identified.
In our case, the DSL is focused on analysing package maintainer scripts and detecting how they interoperate on a system that we have modelled as well.
We designed the DSL not to be a Turing Complete Language like BASH but rather something where we can focus on particular details we wish to examine.
The DSL is a language designed to capture the details of the vast majority of common maintainer scripts and then to be refined with subsequent versions to increase coverage.
We wish to capture the functional aims of a large number of maintainer scripts and to improve coverage until cases where the DSL works are the norm.
Domain Specific Language (DSL) Example
The DSL has been created to assist with some of the problems discovered and analysed by prior research.
Using cups.spec %post example from CUPS-1.4.2:

    %post
    dslstart postinst_init(cups)
    /sbin/chkconfig --add cups
    /sbin/chkconfig cups on
    dslend postinst_init(cups)

    # Restart cupsd if we are upgrading...
    dslstart post_init_restart(cups)
    if test $1 -gt 1; then
        /sbin/service cups stop
        /sbin/service cups start
    fi
    dslend post_init_restart(cups)

Each dslstart/dslend block is labelled on the slide as a "Matched DSL Pair".
Example continued, Log

rbHist
dslID  TID  parentID  DSL_CMD                        bhINVERSE
1      1    1         start postinst_init(cups)      TRUE
2      1    1         end postinst_init(cups)        TRUE
3      1    1         start post_init_restart(cups)  TRUE
4      1    1         end post_init_restart(cups)    TRUE

pkgHist
id  parent  op    pkgName  pkgVer1  pkgVer2  dateTime
1   1       inst  cups     0        1.4.2    2010-01-30
Transactions - what happens if a maintainer script fails?
If a maintainer script fails in the middle of one of the operations, we will have a log like this:

dslID  TID  parentID  DSL_CMD                        bhINVERSE
1      1    1         start postinst_init(cups)      TRUE
2      1    1         end postinst_init(cups)        TRUE
3      1    1         start post_init_restart(cups)  TRUE

The transaction has quite obviously failed: no matching end for a DSL command was reached, there is an odd number of elements, etc.
Perform a roll-back for all matching sub-transaction ID elements, but in the reverse order with certain constraints.
If a set of script elements cannot perform roll-back in the middle of operating, then don't create a dsl tag.
Our approach for roll-back
After investigation into the problem and looking at state-of-the-art systems we decided on an approach where we use a Domain Specific Language (DSL).
By creating a model of the system in terms of the new language and by representing the changes in the state of the system performed by package upgrades in terms of DSL we aim to be able to investigate the target configuration a priori.
If a package upgrade fails, at that moment, we leave our system potentially in an unknown state and run the risk of having an inconsistent set of files in an upgraded state.
We propose a hybrid mechanism where we use DSL to monitor the package configuration state and, if that does not work, revert to a system-call trapping mechanism.
Our approach as a diagram
Aiming to add to apt-rpm (and eventually other meta-installers) a branch.
From that branch:
Pre-check/simulate the possible outcome of a package upgrade
Use the additional syntax to drive package state transitions.
Many methods for tackling the problem. We are trying to amalgamate some of the methods that we think work.
Modifying apt-rpm to include roll-back features.
DSL approach uses many new elements built into apt-rpm.
We first want to check whether the simulator that our new approach makes possible detects a likely package configuration failure.
Even if the simulator does not detect a failure, it does not mean that the actual configuration will succeed on the system. This is a compromise taken to abstract from the system in the model.
Next we replace the traditional running of configuration scripts, which is done by an agnostic meta-installer, and instead run our DSL commands.
By keeping our commands in a log and knowing how the system was modified we should be able to perform roll-back.
[Diagram: Apt calls model_simulator(), DSL_interpreter_pre(), run_transaction(), DSL_interpreter_post()]
System Integration
[Diagram: Apt calls model_simulator(), DSL_reverse_post(), run_transaction(), DSL_reverse_pre()]
For executing the roll-back statements we will have a log of the DSL commands executed in-sequence. To perform the roll-back we need to run the inverse statements associated with those commands in the reverse order.
The reason for having the simulator at this stage is to pre-check whether rolling back the package configuration will leave an erroneous state. As we upgraded from that state we hope in most cases the answer will be that it is possible.
As we are performing a LIFO style roll-back we run post commands before we run the pre statements.
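The failure check from the transaction slide and the LIFO roll-back described above, as an added Python example (not code from the presentation or from apt-rpm). It assumes the log sits in a SQLite table named rbHist with the columns shown on the slides, that bhINVERSE marks whether an inverse exists, and it uses "inverse <command>" as a placeholder because the slides do not define the inverse statements.

```python
import sqlite3

# Constructed sample: the failed log from the slides (dslID 3 has no "end" row).
FAILED_LOG = [
    (1, 1, 1, "start postinst_init(cups)", 1),
    (2, 1, 1, "end postinst_init(cups)", 1),
    (3, 1, 1, "start post_init_restart(cups)", 1),
]
COMPLETE_LOG = FAILED_LOG + [(4, 1, 1, "end post_init_restart(cups)", 1)]


def load_log(rows):
    """Load log rows into an in-memory SQLite table named after the slides' rbHist."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rbHist (dslID INTEGER PRIMARY KEY, TID INTEGER, "
               "parentID INTEGER, DSL_CMD TEXT, bhINVERSE INTEGER)")
    db.executemany("INSERT INTO rbHist VALUES (?, ?, ?, ?, ?)", rows)
    return db


def failed_transactions(db):
    """Return TIDs whose start/end rows do not pair up (script died mid-block)."""
    failed = []
    for (tid,) in db.execute("SELECT DISTINCT TID FROM rbHist ORDER BY TID").fetchall():
        open_blocks = []
        rows = db.execute("SELECT DSL_CMD FROM rbHist WHERE TID = ? ORDER BY dslID", (tid,))
        for (cmd,) in rows:
            kind, name = cmd.split(" ", 1)
            if kind == "end" and open_blocks and open_blocks[-1] == name:
                open_blocks.pop()          # matched DSL pair
            else:
                open_blocks.append(name)   # unmatched start (or stray end)
        if open_blocks:
            failed.append(tid)
    return failed


def rollback_plan(db, tid):
    """Inverse steps for one transaction in LIFO order; ValueError if one is missing."""
    rows = db.execute("SELECT dslID, DSL_CMD, bhINVERSE FROM rbHist WHERE TID = ? "
                      "AND DSL_CMD LIKE 'start %' ORDER BY dslID DESC", (tid,)).fetchall()
    for dsl_id, cmd, has_inverse in rows:
        if not has_inverse:  # assumption: bhINVERSE = 0 means no inverse is defined
            raise ValueError(f"dslID {dsl_id} ({cmd}) has no inverse; cannot roll back")
    # "inverse <command>" is a placeholder name; the slides do not define the inverses.
    return ["inverse " + cmd.split(" ", 1)[1] for _, cmd, _ in rows]


if __name__ == "__main__":
    db = load_log(FAILED_LOG)
    for tid in failed_transactions(db):
        print(tid, rollback_plan(db, tid))
```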
WP2
Architecture
Modified Package as input -> DSL extracted -> Log storage and simulator -> Mechanism for executing roll-backs -> Maintenance of scripts etc.
[Diagram elements:]
.spec file: %post /sbin/chkconfig --add cups /sbin/chkconfig cups on ...
Inject DSL: dslstart postinst_init(cups) dslend postinst_init(cups)
Logs
SQLite DB
Simulator
Roll-back
Modified System State
User I/P
Apt-rpm
Overall approach
Analyse maintainer scripts for common themes as per work D3.2.
Identify common themes in scripts and functional elements.
Use these common elements as the basis for a first version of the DSL and release that version.
Modify standard maintainer scripts to include DSL commands → link to binary files or some other mechanism. We have chosen to add dsl commands into the modified .spec files.
Log DSL elements into a SQLite database so that they can be captured, replayed or otherwise analysed.
Develop a roll-back mechanism that uses the log + stored info in the VCS to recover the original state of the machine → ACID?
Results
Insert a table comparing approaches (snapshot, syscall, DSL) with advantages & disadvantages
* Not sure how this would work quite yet. *
Conclusion
Roll-back for package configuration is not as simple as it might initially seem. There are certain commands which use information out of the grasp and control of the system, such as opening sockets to external servers and modifying information held on them.
Need to consider the problems of libraries being upgraded and implicit dependencies on particular versions that may not have explicit connections.
Using the DSL we aim to remove a lot of the failures in package upgrades that occur when files are updated out of order.
Questions?
Thank you for listening. I hope that it was interesting and that you have some questions to ask.