smartos-platform-upgrade/platform-upgrade

#!/bin/bash

# https://github.com/calmh/smartos-platform-upgrade
# Copyright (c) 2012-2016 Jakob Borg & Contributors
# Distributed under the MIT License

# us-east.manta.joyent.com currently use Let's Encrypt
# https://letsencrypt.org/certs/isrgrootx1.txt
# https://letsencrypt.org/certs/lets-encrypt-r3.txt

cert_file=$(mktemp)
function cleanup {
        rm "$cert_file"
}
trap cleanup EXIT
cat >"$cert_file" <<EOF
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
EOF

function _curl {
        curl -s --cacert "$cert_file" $@
}
function usage() {
    cat <<- "USAGE"
$ platform-upgrade [-u URL -s MD5SUM_URL] [-f]

OPTIONS:
  -u URL        : Remote/local url of platform-version.tgz file
  -s MD5SUM_URL : Remote/local url of md5 checksum file
  -f            : Force installation if version is already present

EXAMPLE:
  # Use default Joyent URL for latest platform image
  platform-upgrade
  # Use local platform and checksum file
  platform-upgrade -u file:///tmp/platform-20180510T153535Z.tgz -s file:///tmp/md5sum.txt
USAGE
}

force="false"
while getopts :fu:s: option; do
    case "$option" in
        u)
            platform_url="$OPTARG"
            ;;
        s)
            md5sums_url="$OPTARG"
            ;;
        f)
            force="true"
            ;;
        \?)
            usage
            exit -1
            ;;
    esac
done
shift $((OPTIND-1))

if [[ -n $platform_url ]] && [[ ! -n $md5sums_url ]]; then
	usage
	exit -1
fi

if [[ ! -n $platform_url ]]; then
    host=https://us-east.manta.joyent.com
    latest_path="${host}$(_curl "$host/Joyent_Dev/public/SmartOS/latest")"
    version="$(expr "$latest_path" : '.*\([0-9]\{8\}T[0-9]\{6\}Z\).*')"
    latest_spec_path="$(_curl "$host/Joyent_Dev/public/SmartOS/$version")"
    header="$(expr "$latest_spec_path" : '.*platform-release-\([0-9]\{8\}\)-.*')"
    platform_url="$latest_path/platform-release-$header-$version.tgz"
    if [[ ! -n $md5sums_url ]]; then
        md5sums_url="$latest_path/md5sums.txt"
    fi
else
    header="$(expr "$platform_url" : '.*platform-release-\([0-9]\{8\}\)-.*')"
    version="$(expr "$platform_url" : '.*\([0-9]\{8\}T[0-9]\{6\}Z\).*')"
fi

platform_file="platform-release-$header-$version.tgz"
platform_dir="platform-$version"

IFS=_ read brand kernel < <(uname -v)
if [[ $kernel == $version ]]; then
    echo "Already on latest version ($kernel)."
    $force || exit -1
fi

tmp=$(mktemp -d)
cd "$tmp" || exit -1

echo -n "Downloading $platform_file..."
if ! _curl -o "$platform_file" "$platform_url" ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Verifying checksum..."
_curl "$md5sums_url" \
        | grep "$platform_file" \
        | awk '{print $1}' > expected.md5
openssl md5 "$platform_file" | awk '{print $2}' > actual.md5
if ! cmp -s actual.md5 expected.md5 ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Extracting latest platform..."
if ! gtar zxf "$platform_file" ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Marking release version..."
if ! echo $version > $platform_dir/VERSION ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Checking current boot device..."
if [[ -z $1 ]] ; then
        removables=($(diskinfo -cH | \
                      awk 'BEGIN { FS="\t" } $7~/\?\?R./ { print $2 }'))
        echo -n " detected ${removables[@]}"
        if [[ ${#removables[@]} -eq 0 ]]; then
                echo
                echo "Error: Unable to detect removable device."
                diskinfo
                echo "Specify correct device on the command line."
                exit -1
        elif [[ ${#removables[@]} -gt 1 ]]; then
                echo
                echo "Error: more than one removable device detected."
                diskinfo -cH | awk 'BEGIN { FS="\t" } $7~/\?\?R./ { print }'
                echo "Specify correct device on the command line."
                exit -1
        fi
        # Look for a GPT/EFI VTOC; if there isn't one, then this is almost
        # certainly an MBR-partitioned device. If it's a GPT label, then we
        # want the slice that's of type 2 (ROOT).
        if [[ -e "/dev/dsk/${removables[0]}" ]]; then
                partition=$(/usr/sbin/prtvtoc -h "/dev/dsk/${removables[0]}" | \
                            awk ' $2 == 2 { print $1 }')
                if [[ $? -eq 0 && -n "$partition" ]]; then
                        echo -n ", GPT label"
                        usb="/dev/dsk/${removables[0]}s${partition}"
                fi
        fi
        if [[ -z "$usb" ]]; then
                echo -n ", MBR label"
                usb="/dev/dsk/${removables[0]}p1"
        fi
else
        usb="$1"
        echo -n " using $usb"
fi

umount "$usb" 2>/dev/null
mkdir usb
if ! mount -F pcfs -o foldcase "$usb" "$tmp/usb" ; then
        echo ", mount failed"
        exit -1
else
        echo -n ", mounted"
fi

if [[ ! -d usb/platform ]] ; then
        echo ", missing platform dir"
        exit -1
else
        echo ", OK"
fi

echo -n "Updating platform on boot device..."
if ! rsync -rltD "$platform_dir/" usb/platform.new/ ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Remounting boot device..."
umount "$usb" 2>/dev/null
if ! mount -F pcfs -o foldcase "$usb" "$tmp/usb" ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Verifying kernel checksum on boot device..."
openssl dgst -sha1 "$platform_dir"/i86pc/kernel/amd64/unix | cut -d ' ' -f 2 > kernel.expected
openssl dgst -sha1 usb/platform.new/i86pc/kernel/amd64/unix | cut -d ' ' -f 2 > kernel.actual
if ! cmp -s kernel.actual kernel.expected ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Verifying boot_archive checksum on boot device..."
openssl dgst -sha1 usb/platform.new/i86pc/amd64/boot_archive | cut -d ' ' -f 2 > boot_archive.actual
if ! cmp -s boot_archive.actual usb/platform.new/i86pc/amd64/boot_archive.hash ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo -n "Activating new platform on $usb..."
rm -rf usb/old
mkdir usb/old
if ! ( mv usb/platform usb/old && mv usb/platform.new usb/platform ) ; then
        echo " failed"
        exit -1
else
        echo " OK"
fi

echo
echo "Boot device upgraded. To do:"
echo
echo " 1) Sanity check the contents of $tmp/usb"
echo " 2) umount $usb"
echo " 3) reboot"