Trusted Boot Upgrades

This section covers how to upgrade a Kairos node with Trusted Boot enabled.

See the Trusted Boot Installation and Trusted Boot Architecture pages for more references.


In order to upgrade a node to a new version of the OS, you need to generate again the installable medium with the same keys used in the steps before.

The process will generate an EFI file which we will pack into a container image that will be used to upgrade the node.

First we need to extract the EFI file from the ISO file generated with what explained in the Trusted Boot Installation documentation:

Generate the upgrade image

  1. Build the container image used to generate the upgrade image
# Build the container image that will be used to generate the keys and installable medium
git clone
cd enki
docker build -t enki --target tools-image .
  1. Build the Container image used for upgrades

# ubuntu:
docker run --rm -v $PWD/keys:/keys -v $PWD:/work -ti enki build-uki $CONTAINER_IMAGE -t uki -d /work/upgrade-image -k /keys

# Generate container-image for upgrades
docker run --rm -v $PWD/keys:/keys -v $PWD:/work -ti enki build-uki $CONTAINER_IMAGE -t container -d /work/upgrade-image -k /keys
  1. Push the upgrade image to a registry
# Now you can load upgrade_image.tar to a registry and use it with kairos-agent
docker load -i *.tar
#401b8e83daf6: Loading layer [==================================================>]  1.263GB/1.263GB
# Loaded image: kairos_uki:v3.0.0-alpha2
docker push <IMAGE_NAME>

Upgrade with kairos-agent

Let’s assume an upgrade image named has been built and pushed as described in the section above. From a shell inside a running Kairos OS, the following command will upgrade to the new version:

kairos-agent upgrade --source

Upgrades with Kubernetes

Kairos can be upgraded with the system-upgrade-controller from Kubernetes itself. The controller and all the relevant CRDs should already be installed (at the time of writing, this workaround is needed in order to install the system-upgrade-controller: workaround for the missing “latest” tag).

A “Plan” resource needs to be created which will use the image generated in the step above. Since that image only contains the EFI files for the upgrade and in order to be able use any ImagePullSecrets defined on the cluster, we will create and image that can be used to start a Pod and also contains the efi and conf files for the upgrade.

Assuming an upgrade image named was built using a Kairos image named, the following dockerfile will create an image that can be used to start a Plan for upgrade:

FROM as upgradeImage
COPY --from=upgradeImage / /trusted-boot

(Let’s call the image built with this dockerfile planImage:vx.y.z)

The following plan can now be deployed on the cluster:

apiVersion: v1
kind: Secret
  name: upgrade
  namespace: system-upgrade
type: Opaque
stringData: |
    rm -rf /host/usr/local/trusted-boot
    mkdir -p /host/usr/local/trusted-boot
    mount --rbind /trusted-boot /host/usr/local/trusted-boot
    chroot /host kairos-agent --debug upgrade --source dir:/usr/local/trusted-boot    
kind: Plan
  name: os-upgrade
  namespace: system-upgrade
    k3s-upgrade: server
  concurrency: 1
  version: "vx.y.z" # The tag of the "upgrade.image" below
      - {key:, operator: Exists}
  serviceAccountName: system-upgrade
    - name: upgrade
      path: /host/run/system-upgrade/secrets/upgrade
  cordon: false
    force: false
    disableEviction: true
    image: "planImage"
    command: ["sh"]
    args: ["/run/system-upgrade/secrets/upgrade/"]


Generate the upgrade image manually

You can also manually generate the container image:

CONF=$(basename $(ls -1 $PWD/upgrade-image/loader/entries/*.conf))
# Replace with the version of the OS you are upgrading to (next boot auto selection)
cat <<EOF > upgrade-image/loader/loader.conf
default $CONF
timeout 5
console-mode max
editor no

## Generate the container image
docker run --rm -v $PWD:/work --entrypoint /bin/tar -ti enki -C /work/upgrade-image -cf /work/src.tar .

docker run -ti -v $PWD:/work util pack $CONTAINER_IMAGE_NAME /work/src.tar /work/upgrade_image.tar

Last modified June 10, 2024: Update uki upgrade instructions (3c55a0e)