smartos-platform-upgrade/platform-upgrade

#!/bin/bash

# https://github.com/calmh/smartos-platform-upgrade
# Copyright (c) 2012-2016 Jakob Borg & Contributors
# Distributed under the MIT License

# us-east.manta.joyent.com currently uses a wildcard certificate based on the
# Thawte Primary Root CA.
# SHA-1=91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
# SHA-256=8D:72:2F:81:A9:C1:13:C0:79:1D:F1:36:A2:96:6D:B2:6C:95:0A:97:1D:B4:6B:41:99:F4:EA:54:B7:8B:FB:9F
cert_file=$(mktemp)
function cleanup {
        rm "$cert_file"
}
trap cleanup EXIT
cat >"$cert_file" <<EOF
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYw
NzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5j
LjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYG
A1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNl
IG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFs
W0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta
3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk
6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6
Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94J
NqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XP
r87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfU
DW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mz
YJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAX
xPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2
/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----
EOF

function _curl {
        curl -s --cacert "$cert_file" $@
}

host=https://us-east.manta.joyent.com
latest_path=$(_curl "$host/Joyent_Dev/public/SmartOS/latest")
version="${latest_path##*/}"
platform_file="platform-$version.tgz"
platform_dir="platform-$version"
platform_url="$host$latest_path/$platform_file"
md5sums_url="$host$latest_path/md5sums.txt"

force="false"
while getopts :f option; do
    case "$option" in
        f)
            force="true"
            ;;
        \?)
            echo "Invalid option: -$OPTARG" >&2
            exit -1
            ;;
    esac
done
shift $((OPTIND-1))

IFS=_ read brand kernel < <(uname -v)
if [[ $kernel == $version ]]; then
    echo "Already on latest version ($kernel)."
    $force || exit -1
fi

tmp=$(mktemp -d)
cd "$tmp" || exit -1

echo -n "Downloading latest platform ($platform_file)..."
if ! _curl -o "$platform_file" "$platform_url" ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Verifying checksum..."
_curl "$md5sums_url" \
        | grep "$platform_file" \
        | awk '{print $1}' > expected.md5
openssl md5 "$platform_file" | awk '{print $2}' > actual.md5
if ! cmp -s actual.md5 expected.md5 ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Extracting latest platform..."
if ! gtar zxf "$platform_file" ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Marking release version..."
if ! echo $version > $platform_dir/VERSION ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Checking current boot device..."
if [[ -z $1 ]] ; then
        removables=($(diskinfo | awk '/^USB/ { print $2 }'))
        echo -n " detected ${removables[@]}"
        if [[ ${#removables[@]} -gt 1 ]]; then
                  echo
                  echo "Error: more than one removable device detected."
                  diskinfo | awk 'NR == 1 || /^USB/ { print }'
                  echo "Specify correct device on the command line."
                  exit -1
        fi
        usb="/dev/dsk/${removables[0]}p1"
else
        usb="$1"
        echo -n " using $usb"
fi

umount "$usb" 2>/dev/null
mkdir usb
if ! mount -F pcfs -o foldcase "$usb" "$tmp/usb" ; then
        echo ", mount failed"
        exit -1
else
        echo -n ", mounted"
fi

if [[ ! -d usb/platform ]] ; then
        echo ", missing platform dir"
        exit -1
else
        echo ", OK"
fi

echo -n "Updating platform on boot device..."
if ! rsync -a "$platform_dir/" usb/platform.new/ ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Remounting boot device..."
umount "$usb" 2>/dev/null
if ! mount -F pcfs -o foldcase "$usb" "$tmp/usb" ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Verifying kernel checksum on boot device..."
openssl dgst -sha1 "$platform_dir"/i86pc/kernel/amd64/unix | cut -d ' ' -f 2 > kernel.expected
openssl dgst -sha1 usb/platform.new/i86pc/kernel/amd64/unix | cut -d ' ' -f 2 > kernel.actual
if ! cmp -s kernel.actual kernel.expected ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Verifying boot_archive checksum on boot device..."
openssl dgst -sha1 usb/platform.new/i86pc/amd64/boot_archive | cut -d ' ' -f 2 > boot_archive.actual
if ! cmp -s boot_archive.actual usb/platform.new/i86pc/amd64/boot_archive.hash ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Activating new platform on $usb..."
rm -rf usb/old
mkdir usb/old
if ! ( mv usb/platform usb/old && mv usb/platform.new usb/platform ) ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo
echo "Boot device upgraded. To do:"
echo
echo " 1) Sanity check the contents of $tmp/usb"
echo " 2) umount $usb"
echo " 3) reboot"