Trusted Boot Upgrades
WarningThis section is still a work in progress and only available in Kairos v3.x releases and alphas.
This section covers how to upgrade a Kairos node with Trusted Boot enabled.
In order to upgrade a node to a new version of the OS, you need to generate again the installable medium with the same keys used in the steps before.
NoteThe resulting container image can be used for upgrades with
The process will generate an EFI file which we will pack into a container image that will be used to upgrade the node.
First we need to extract the EFI file from the ISO file generated with what explained in the Trusted Boot Installation documentation:
WarningThis step is required until #2171 is implemented.
Generate the upgrade image
- Build the container image used to generate the upgrade image
# Build the container image that will be used to generate the keys and installable medium
git clone https://github.com/kairos-io/enki.git
docker build -t enki --target tools-image .
- Build the Container image used for upgrades
docker run --rm -v $PWD/keys:/keys -v $PWD:/work -ti enki build-uki $CONTAINER_IMAGE -t uki -d /work/upgrade-image -k /keys
# Generate container-image for upgrades
docker run --rm -v $PWD/keys:/keys -v $PWD:/work -ti enki build-uki $CONTAINER_IMAGE -t container -d /work/upgrade-image -k /keys
- Push the upgrade image to a registry
# Now you can load upgrade_image.tar to a registry and use it with kairos-agent
docker load -i *.tar
#401b8e83daf6: Loading layer [==================================================>] 1.263GB/1.263GB
# Loaded image: kairos_uki:v3.0.0-alpha2
docker push <IMAGE_NAME>
Upgrades with KubernetesIn order to upgrade with Kubernetes using system upgrade controller plans you can use the image used to generate the installable medium, and use it as a base image for the upgrade image. When invoking
kairos-agent in the plan however, you need to specify the
--source flag to point to the image that contains the UKI file.
Generate the upgrade image manually
You can also manually generate the container image:
CONF=$(basename $(ls -1 $PWD/upgrade-image/loader/entries/*.conf))
# Replace with the version of the OS you are upgrading to (next boot auto selection)
cat <<EOF > upgrade-image/loader/loader.conf
## Generate the container image
docker run --rm -v $PWD:/work --entrypoint /bin/tar -ti enki -C /work/upgrade-image -cf /work/src.tar .
docker run -ti -v $PWD:/work quay.io/luet/base:latest util pack $CONTAINER_IMAGE_NAME /work/src.tar /work/upgrade_image.tar
Was this page helpful?
Awesome! Glad to hear it! Please tell us how we can improve.
Oh snap! Sorry to hear that. Please tell us how we can improve.