-
Notifications
You must be signed in to change notification settings - Fork 326
Autoupdater Improvements
T-X edited this page Dec 15, 2018
·
5 revisions
tl;dr: Signed site/domain-config updates, using a site.conf-independent push (& pull) propagation
- Similar to firmware updates, provide a versioned and signed site-/domain-config, too.
- Provide an AP interface with a fixed, non-configurable, static ESSID and non-configurable, static IP address (similar to the local-node address, but not changeable via site.conf)
- Run some (web?) server on it capable of receiving and verifying signed site-/domain-config, as well as offering the own, current site-/domain-config.
- One initial node gets "manually" infused with the new, signed site-/domain-config.
- It restarts its gluon-scheduled-domain-switch (if present) and checks if the new config contains a domain switch that is due now.4 If so, this switch is performed first (including device reboot)
- Then it scans for neighbor APs with the magic config-updater ESSID.
- Then for each such AP found:
- It connects to it in STA ("client") mode and uploads the signed site-/domain-config
- Receiving nodes validate the signature and check that the version number incremented.
- If those checks are ok, then this neighbor node installs the new site-/domain-config and performs the same push-steps again for its own neighbors.
- Finally, with some offset it reboots so that the newly installed site-/domain-config can take effect
- After (a re)boot plus jitter and in regular intervals plus jitter a node should scan for neighbor APs with the magic config-updater ESSID.
- Then for each such AP found:
- It connects to it in STA ("client") mode and downloads the signed site-/domain-config this neighbor currently uses.
- It then validates the downloaded and signed signature and checks whether the version number is higher.
- If those checks are ok, then this neighbor node install the new site-/domain-config.
- This node then switches from "pull-mode" to "push-mode" and follows the according push mode procedure.
- Finally, with some offset it reboots so that the newly installed site-/domain-config can take effect
- Any potentially broken site-/domain.conf changes, including scheduled domain switches can be undone at any time. The site/domain-conf-updater itself is fully independent of any site-/domain.conf settings.
- Flash writes are minimized.
- A power-cut during this update process is harmless.
- site-/domain.conf are device and architecture independent and therefore easy and quick to propagate to and hold for neighbors: Each node is a site-/domain.config mirror on its own, no need for central update servers.
-
Always use public keys from the site.conf autoupdater section from the original version provided by the firmware? Instead of any new version provided by a signed site-/domain-config update. -> to avoid that such an update messes anything up irrevocably
-
How to best propagate an update over VPN and cable connections?
Option 1)
- Join a special, fixed IPv6 multicast address on VPN and cable interfaces
- To scan and discover, a node sends an ICMPv6 packet to this dedicated multicast address
- Use the IPv6 source addresses returned by the ICMPv6 Echo Replies as targets to connect to and to download/upload site-/domain-configs from/to as well
Disadvantage:
- Not revertable on broken VPN settings changes in new site-/domain-config
=> Maybe add a special "site update channel" VPN. For its settings, always use the parameters specified in the original site.conf provided by the firmware (similar to public keys for site-/domain.conf updates, as suggested above).
Option 2)
- Allow direct push to potential, global IPv6 address on WAN/uplink interface
- Might (temporarily) be memorized on the gateway server side from the previous VPN connections?
Option 3)
- Some central, last-resort web-server on the internet where an HTTP-GET with the own site-code might be send to over WAN/uplink interface?
Option 4)
-
Usage
-
Community
-
Development
- Device Integration
- Roadmap
- Release-life-cycle
- Protocols
- Meeting 2024/06
- Meeting 2024/05
- Meeting 2024/03
- Meeting 2024/02
- Meeting 2024/01
- Meeting 2023/06
- Meeting 2023/05
- Meetup-CCCamp
- Meeting 2023/04
- Meeting 2023/03
- Meeting 2023/02
- Meeting 2023/01
- Meeting 2022/06
- Meeting 2022/05
- Meeting 2022/04
- Meeting 2022/03
- Meeting 2022/02
- Meeting 2022/01
- Meeting 2021/01
- Meeting 2019/01
- Meeting 2018/03
- Meeting 2018/02
- Meeting 2018/01
- Meeting 2017/01
- Concepts
- Release Process
-
Debugging