Administering SUSE Linux Micro Using transactional-update
- WHAT?
The
transactional-update
command enables you to modify a read-only file system. The modifications are performed in a separate snapshot and do not influence the running system until you boot into the snapshot.- WHY?
You want to administer SUSE Linux Micro and manage its updates, minimizing the risk of system downtime due to update failures while ensuring easy rollbacks.
- EFFORT
It takes less than 30 minutes to understand the
transactional-update
command.- GOAL
You will understand how
transactional-update
works and how you can use it to administer your system.- REQUIREMENTS
A running instance of SUSE Linux Micro
root
privileges
1 Transactional updates #
1.1 What are transactional updates? #
To keep the base operating system stable and consistent, the
SUSE Linux Micro uses a read-only root file system.
Therefore, you cannot perform direct changes to the root file system, for
example, by using the zypper
command. Instead,
SUSE Linux Micro introduces transactional updates
that allow you to apply one or more changes to the root file system.
The default transactional-update
behavior is to create a new snapshot from the current
root file system after each change. To apply the changes, you need to
reboot the host. You cannot run the transactional-update
command multiple times without
rebooting to add more changes to the snapshot. This action creates
separate independent snapshots that do not include changes from the
previous snapshots.
1.2 How do transactional updates work? #
Each time you call the transactional-update
command to change your system—either
to install a package, perform an update, or apply a patch—the
following actions take place:
A new read-write snapshot is created from your current root file system, or from a snapshot that you specified.
All changes are applied (updates, patches or package installation).
The snapshot is switched back to read-only mode.
If the changes were applied successfully, the new root file system snapshot is set as default.
After rebooting, the system boots into the new snapshot.
1.3 Benefits of transactional updates #
They are atomic—the update is applied only if it completes successfully.
Changes are applied in a separate snapshot and so do not influence the running system.
Changes can easily be rolled back.
1.4 Environment within the transactional-update
command #
Each time you run the transactional-update
command, the changes are performed in a
new snapshot. The environment in the snapshot may differ from
the one in the shell you run the transactional-update
command from. For example, the
current working directory ($PWD
) is not set to the
directory from which you run the transactional-update
, but is set to
/
.
From within the snapshot, you cannot access the
/var
directory. This directory is also not
included in the snapshot. However, some directories
are not included in the snapshot but are accessible inside the transactional-update
environment, for example, the /root
directory.
2 Usage of the transactional-update
command #
The transactional-update
command enables the atomic installation or removal of
updates. Updates are applied only if all can be successfully installed.
transactional-update
creates a snapshot of your system and uses it to update the
system. Later you can restore this snapshot. All changes become active
only after reboot.
The transactional-update
command syntax is as follows:
transactional-update [option]
[general_command] [package_command] standalone_command
transactional-update
without arguments
If you do not specify any command or option while running the transactional-update
command, the system updates itself.
Possible command parameters are described further.
transactional-update
options #--interactive, -i
Can be used along with a package command to turn on interactive mode.
--non-interactive, -n
Can be used along with a package command to turn on non-interactive mode.
--continue [number], -c
The
--continue
option is for making multiple changes to the root file system without rebooting. Refer to Section 3, “Applying multiple changes without rebooting” for more details.Another useful feature of the
--continue
option is that you may select any existing snapshot as the base for your new snapshot. The following example demonstrates runningtransactional-update
to install a new package in a snapshot based on snapshot 13, and then running it again to install another package:>
sudo
transactional-update pkg install package_1
>
sudo
transactional-update --continue 13 pkg install package_2
--no-selfupdate
Disables self-updating of
transactional-update
.--drop-if-no-change, -d
Discards the snapshot created by
transactional-update
if there were no changes to the root file system. If there are changes to the/etc
directory, those changes merged back to the current file system.--quiet
The
transactional-update
command does not output tostdout
.--help, -h
Prints help for the
transactional-update
command.--version
Displays the version of the
transactional-update
command.
2.1 General commands #
This section lists general purpose commands of transactional-update
.
grub.cfg
Use this command to rebuild the GRUB boot loader configuration file.
bootloader
The command reinstalls the boot loader.
initrd
Use the command to rebuild
initrd
.kdump
In case you perform changes to your hardware or storage, you may need to rebuild the Kdump initrd.
reboot
The behavior of
reboot
depends on the configuration and changes performed to the system. Ifsoft-reboot
is enabled, only the user space may be restarted without rebooting the hardware and kernel. The enabling and configuration ofsoft-reboot
are described in Section 2.2, “Configuration ofsoft-reboot
”.run <command>
Runs the provided command in a new snapshot.
shell
Opens a read-write shell in the new snapshot before exiting. The command is typically used for debugging purposes.
setup-fips
The command performs all changes needed to enable FIPS on your system.
setup-selinux
Installs and enables targeted SELinux policy.
2.2 Configuration of soft-reboot
#
2.2.1 Enabling/disabling soft-reboot
#
To enable soft-reboot
on transactional-update
, proceed as follows:
Create a directory
/etc/tukit.conf.d/
>
sudo
mkdir /etc/tukit.conf.d/Create a file
/etc/tukit.conf.d/soft-reboot.conf
with the following content:REBOOT_ALLOW_SOFT_REBOOT=true
For example, by running the following command:
>
sudo
echo "REBOOT_ALLOW_SOFT_REBOOT=true" > /etc/tukit.conf.d/soft-reboot.conf
To disable soft-reboot
, change true
to
false
in the /etc/tukit.conf.d/soft-reboot.conf
file.
2.2.2 Configuration of soft-reboot
#
You can define which packages require specific types of reboots
in the /usr/etc/zypp/zypp-boot-plugin.conf
file. To make changes, copy this
file to /etc/zypp/zypp-boot-plugin.conf
, which is writable and is not
replaced during updates. The /etc/zypp/zypp-boot-plugin.conf
file
also has a higher priority than /usr/etc/zypp/zypp-boot-plugin.conf
,
so your configuration is preferred to the default one.
In the /etc/zypp/zypp-boot-plugin.conf
file, under the
[main]
section, there are three reboot options:
- reboot
Here you specify the packages that require a hardware reboot when they are changed.
- kexec
Provides a list of packages whose changes require a kernel reboot. However, a hardware reboot does not take place, and GRUB2 is not triggered.
- soft-reboot
Specifies packages whose changes only require a reboot of the user space.
Entries can be a comma-separated list of package names or a list of all packages that provide a particular application or system component. Regular expressions can also be used. Here is an example:
soft-reboot = glibc, dbus-broker
Or using the provides
statement:
soft-reboot = provides: dbus
3 Applying multiple changes without rebooting #
The transactional-update
command applies changes to the root file system on a
transactional system. The default behavior is to create a new snapshot
from the current root file system after each change and reboot to apply
the changes.
To make multiple changes to the root file system without rebooting, you have several options, which are described in the following sections:
3.1 The transactional-update
--continue
option #
Use the transactional-update
command together with the --continue
option to make multiple changes without rebooting. A separate snapshot is
created on each run that contains all changes from the previous snapshot,
plus your new changes. The final snapshot includes all changes. To apply
them, reboot the system and your final snapshot becomes the new root file
system.
3.2 The transactional-update run
command #
The transactional-update
run
command normally runs only a single
command. However, you can use it to run multiple commands in one
transactional session by concatenating them within a command shell such as
bash
, for example:
>
sudo
transactional-update run bash -c 'ls && date; if [ true ]; then echo -n "Hello "; echo '\''world'\''; fi'
The transactional-update run
command has the same limitations as the transactional-update shell
command described in Section 3.3, “The transactional-update
shell”
except that the entered commands are logged in the
/var/log/transactional-update.log
file.
3.3 The transactional-update
shell #
The transactional-update shell
command opens a shell in the transactional-update
environment. In the shell, you can enter almost any Linux command to make
changes to the file system, for example, install multiple packages with
the zypper
command or perform changes to files that
are part of the read-only file system. You can also verify that the
changes you previously made with the transactional-update
command are correct.
The transactional shell has several limitations. For example, you
cannot operate start or stop services using systemd
commands, or
modify the /var
partition because it is not
mounted. Also, commands entered during a shell session are not logged
in the /transactional-update.log
file.
All changes that you make to the file system are part of a single
snapshot. After you finish making changes to the file system and leave
the shell with the exit
command, you need to reboot
the host to apply the changes.
4 Performing snapshots cleanup #
You can use transactional-update
to clean unused file system snapshots and
unreferenced /etc
overlay directories.
transactional-update
recognizes the following cleanup commands:
cleanup-snapshots
The command marks all unused snapshots for removal by Snapper.
cleanup-overlays
The command removes all unused overlay layers of
/etc
in the/var/lib/overlay
directory.cleanup
The command combines the
cleanup-snapshots
andcleanup-overlays
commands.
4.1 How the cleanup works #
If you run the command transactional-update cleanup
,
all old snapshots without a cleanup algorithm will have one set. All
important snapshots are also marked. The command also removes all
unreferenced (and thus unused) /etc
overlay
directories in /var/lib/overlay
.
The snapshots with the set number
cleanup algorithm
will be deleted according to the rules configured in
/etc/snapper/configs/root
by the following
parameters:
- NUMBER_MIN_AGE
Defines the minimum age of a snapshot (in seconds) that can be automatically removed.
- NUMBER_LIMIT/NUMBER_LIMIT_IMPORTANT
Defines the maximum count of stored snapshots. The cleaning algorithms delete snapshots above the specified maximum value, without taking into account the snapshot and file system space. The algorithms also delete snapshots above the minimum value until the limits for the snapshot and file system are reached.
The snapshot cleanup is also regularly performed by systemd
.
5 Registering products #
You can use the transactional-update register
command
to handle all tasks regarding product registration and its subscription
management. You can supply the following options:
--list-extensions
With this option, the command lists available extensions for your system. You can use the output to find a product identifier for product activation.
-p, --product
Use this option to specify a product for activation. The product identifier has the following format: <name>/<version>/<architecture>, for example,
sle-module-live-patching/15.3/x86_64
. The corresponding command has the following form:>
sudo
transactional-update register -p sle-module-live-patching/15.3/x86_64-r, --regcode
Register your system with the registration code provided. The command registers the subscription and enables software repositories.
-d, --de-register
The option deregisters the system, or when used along with the
-p
option, deregisters an extension.-e, --email
Specify an email address that is used in SUSE Customer Center for registration.
--url
Specify the URL of your registration server. The URL is stored in the configuration and is used in subsequent command invocations. For example:
>
sudo
transactional-update register --url https://scc.suse.com-s, --status
Displays the current registration status in JSON format.
--write-config
Writes the provided options value to the
/etc/SUSEConnect
configuration file.--cleanup
Removes old system credentials.
--version
Prints the version.
--help
Displays the usage of the command.
6 Managing software packages #
You can use transactional-update
to install, update or remove software packages.
SUSE Linux Micro obtains software packages from repositories that are available after the product registration. Except for the main repository, SUSE Linux Micro can access an extra repository with a collection of unsupported packages provided as a convenience for customers, mainly for testing and development purposes.
transactional-update
uses the following commands to manage software packages.
pkg
command and Zypper options
With transactional-update pkg
commands, you can use any
Zypper option that corresponds to the used subcommand. For example,
transactional-update pkg install
understands all
options that zypper install
does.
pkg install
Installs individual packages from the available channels using the
zypper install
command. This command can also be used to install Program Temporary Fix (PTF) RPM files. The default option for this command is--interactive
.>
sudo
transactional-update pkg install package_name
or
>
sudo
transactional-update pkg install rpm1 rpm2
Or, to install a software pattern:
>
sudo
transactional-update pkg install -t pattern pattern_name
pkg remove
Removes individual packages from the active snapshot using the
zypper remove
command. This command can also be used to remove PTF RPM files. The default option for this command is--interactive
.>
sudo
transactional-update pkg remove package_name
pkg update
Updates individual packages from the active snapshot using the
zypper update
command. Only packages that are part of the snapshot of the base file system can be updated. The default option for this command is--interactive
.>
sudo
transactional-update pkg update package_name
patch
Checks for available patches and installs them. The default option for this command is
--non-interactive
.dup
Performs an upgrade of your system. The default option for this command is
--non-interactive
.up
Updates installed packages to newer versions. The default option for this command is
--non-interactive
.migration
The command migrates your system to a selected target. Typically, it is used to upgrade your system if it has been registered via SUSE Customer Center.
7 Performing system rollback #
GRUB 2 enables booting from btrfs snapshots and thus allows you to use any older functional snapshot in case the new snapshot does not work correctly.
When booting a snapshot, the parts of the file system included in the snapshot are mounted read-only; all other file systems and parts that are excluded from snapshots are mounted read-write and can be modified.
An initial bootable snapshot is created at the end of the initial
system installation. You can go back to that state at any time by
booting this snapshot. The snapshot can be identified by the
description first root file system
.
There are two methods to perform a system rollback.
From a running system, you can set the default snapshot, see more in Procedure 2, “Rollback from a running system”.
Especially in cases where the current snapshot is broken, you can boot into the new snapshot and set it to default. For details, refer to Procedure 3, “Rollback to a working snapshot”.
If your current snapshot is functional, you can use the following procedure for a system rollback.
Identify the snapshot that should be set as the default one and note its number.
>
sudo
snapper listSet the snapshot as default.
>
sudo
transactional-update rollback snapshot_numberIf you omit the snapshot number, the current snapshot will be set as default.
Tip: Setting the last working snapshotTo set the last working snapshot as the default one, run
rollback last
.Reboot your system to boot into the new default snapshot.
The following procedure is used in case the current snapshot is broken and you cannot boot into it.
Reboot your system and select
Start bootloader from a read-only snapshot
.Choose a snapshot to boot. The snapshots are sorted according to the date of creation, with the latest one at the top.
Log in to your system and check whether everything works as expected. The data written to directories excluded from the snapshots will stay untouched.
If the snapshot you booted into is not suitable for the rollback, reboot your system and choose another one.
If the snapshot works as expected, you can perform the rollback by running the following command:
>
sudo
transactional-update rollback
And reboot afterwards.
8 Managing automatic transactional updates #
Automatic updates are controlled by systemd.timer
that
runs once per day. This applies all updates and informs
rebootmgrd
that the machine should be rebooted. You may
adjust the time when the update runs, see systemd.timer(5) documentation.
8.1 Disabling automatic updates #
The automatic updates are enabled by default. However, you can disable them with this command:
>
sudo
systemctl --now disable transactional-update.timer
8.2 Configuring notifications of failed updates #
When an automatic transactional-update
fails, the failed snapshot is deleted.
Meanwhile the system may reboot, and then you cannot find out that the
last automatic update failed. Therefore, you can configure a systemd
service that will inform you about the failure of the automatic transactional-update
.
The procedure of doing so can be summarized into the following steps:
Installing the required packages if not present on the system. For details, refer to Section 8.2.1, “Installing required packages”.
Configuring the
systemd-status-mail
service. For details, refer to Section 8.2.2, “Configuring thesystemd-status-mail
service”.
8.2.1 Installing required packages #
The packages mailx
and
systemd-status-mail
are required to configure the
notifications. They are present on the system by default. However, if
you do not have them installed, install the packages by running the
following command:
>
sudo
transactional-update pkg in systemd-status-mail mailx
Reboot the system.
8.2.2 Configuring the systemd-status-mail
service #
To configure the systemd-status-mail
service, you
can create a configuration file or you can use the
jeos-config
tool.
8.2.2.1 Configuring the service using jeos-config
#
To configure the email notifications, you can use the
jeos-config
tools as described bellow.
To open the configuration window, run the command:
>
sudo
jeos-config status_mailIn the dialog, configure the items according to your needs.
Confirm with
.
8.2.2.2 Configuring the service by editing a configuration file #
The default configuration file is in
/usr/etc/default/systemd-status-mail
. To modify
it, create a copy in /etc/default/
and edit the
following items:
- ADDRESS
A mandatory entry. Specify the e-mail address the notification is sent to. For example:
ADDRESS=“tux@example.com”
- FROM
The sender e-mail of the notification mail. Ensure that the address is valid. For example:
FROM=“geeko@example.com”
- MAILER
The type of mail application for sending notifications. Use the
mailx
value as follows:MAILER=“mailx”
- RELAYHOST
Specify the mail relay used by mailx.
RELAYHOST=“mail.example.com:587”
- MAILX_OPTIONS
Specify necessary options to ensure that the mail provider will accept the notification mail. ``
MAILX_OPTIONS="-Sverbose -Ssmtp-use-starttls -Ssmtp-auth=login -Ssmtp-auth-user='tux@example.com' -Ssmtp-auth-password='TopSecret'"
9 Legal Notice #
Copyright© 2006–2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.