#!/bin/sh
# Copyright 2019 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# Upgrades a Crostini container to each version given in the arguments, in
# order. Expects to be run as root.
#
# Upgrade from stretch to buster:
# ./upgrade_container DEBIAN_BUSTER
#
# Upgrade from buster to bullseye:
# ./upgrade_container DEBIAN_BULLSEYE
#
# Upgrade from stretch to bullseye through buster:
# ./upgrade_container DEBIAN_BUSTER DEBIAN_BULLSEYE
# Note that Debian does not support skip-version upgrades.
#
# Complete a previously unfinished upgrade:
# ./upgrade_container
# -e: stop at the first command that fails outside a conditional or `||` list.
# -x: trace every command to stderr as it runs.
set -ex
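#######################################
# Tests whether the requested target version is Debian buster.
# Arguments: $1 - version identifier taken from the command line
# Returns:   0 if $1 is exactly DEBIAN_BUSTER, 1 otherwise
#######################################
to_buster() {
  # Quoted so the argument is compared as one literal string. Unquoted, it is
  # word-split and glob-expanded inside `[`, which makes an empty value a
  # syntax error and lets a multi-word value be read as a test expression.
  [ "$1" = 'DEBIAN_BUSTER' ]
}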
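#######################################
# Tests whether the requested target version is Debian bullseye.
# Arguments: $1 - version identifier taken from the command line
# Returns:   0 if $1 is exactly DEBIAN_BULLSEYE, 1 otherwise
#######################################
to_bullseye() {
  # Quoted so the argument is compared as one literal string. Unquoted, it is
  # word-split and glob-expanded inside `[`, which makes an empty value a
  # syntax error and lets a multi-word value be read as a test expression.
  [ "$1" = 'DEBIAN_BULLSEYE' ]
}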
# Really old versions of openssl will prioritize expired trust chains over valid
# ones. This is problematic because deb.debian.org chains up to Let's Encrypt,
# whose root cert is cross-signed by a now-expired certificate, which means we
# can't update packages (including openssl itself). Work around this issue by
# deleting any expired root certificates now, before we try to connect to
# anything.
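if grep -q "VERSION_CODENAME=stretch" /etc/os-release; then
  for pem in /usr/share/ca-certificates/mozilla/*; do
    # An unmatched glob is left as the literal pattern. Skip it, otherwise the
    # failing rm below would abort the whole upgrade under `set -e`. Dangling
    # symlinks are still processed, as before.
    [ -e "${pem}" ] || [ -L "${pem}" ] || continue
    # -checkend 0 exits non-zero once the certificate's end date has passed.
    # NOTE(review): openssl presumably also exits non-zero for a file it cannot
    # parse as a certificate, so such a file would be removed too - confirm
    # that is acceptable for everything shipped in this directory.
    if ! openssl x509 -checkend 0 -in "${pem}" -out /dev/null; then
      rm "${pem}"
    fi
  done
  # Regenerate the system trust store from the certificates that remain.
  /usr/sbin/update-ca-certificates
fi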
# Prompts cannot be answered during an upgrade, so make the Debian tooling
# take its defaults for every question.
DEBIAN_FRONTEND=noninteractive
export DEBIAN_FRONTEND
# Bring the apt keyring up to date. keyring.debian.org is not used because it
# only serves Debian-specific keys, which is not enough when the Google package
# signing key is wanted. Most users do not need this key, so a failed refresh
# is deliberately ignored (`|| true`) and must not be read as "key is current".
#
# The key is named by its full fingerprint rather than a short key ID.
# APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE only silences apt-key's warning about
# being driven from a script.
# NOTE(review): no URL scheme is given for the keyserver, so the transport is
# whatever the local gpg/dirmngr defaults to - confirm it is acceptable here.
refresh_key_fpr='EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796'
APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 \
  apt-key adv --batch --refresh-keys \
  --keyserver keyserver.ubuntu.com \
  "${refresh_key_fpr}" ||
  true
#######################################
# Brings every installed package up to date against the currently configured
# apt sources, without prompting.
# Globals:   APT_OPTIONS (written)
# Arguments: none
# Returns:   0 on success; under `set -e` a failing apt-get ends the script
#######################################
do_upgrade() {
  # Conffile conflicts: take the package's default action when there is one,
  # otherwise keep the locally installed file. Together with
  # DEBIAN_FRONTEND=noninteractive this keeps dpkg from stopping to ask.
  APT_OPTIONS="-o Dpkg::Options::=--force-confdef
-o Dpkg::Options::=--force-confold"

  # An earlier run that was killed can leave packages half-configured; finish
  # them first. Best effort: a failure here does not stop the upgrade.
  dpkg --configure -a || true

  # Refresh the package lists, then upgrade in two passes.
  # APT_OPTIONS is expanded unquoted on purpose: it has to split into separate
  # apt-get arguments.
  for apt_action in update upgrade dist-upgrade; do
    apt-get ${APT_OPTIONS} "${apt_action}" -y
  done
}
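# Debian doesn't support skip-version upgrades, so we need to make sure we're
# already up to date on our current version before continuing. This also handles
# the case where we restart an upgrade after /etc/os-release has been updated.
do_upgrade

# Walk the requested versions in the order given. "$@" is quoted so that each
# argument reaches the comparison helpers as exactly one word; unquoted it would
# be word-split and glob-expanded first.
# An argument that matches neither helper changes no apt sources and only
# triggers another do_upgrade against the current release.
for version in "$@"; do
  if to_buster "${version}"; then
    # No longer need to backport GPU support packages.
    rm -f /etc/apt/sources.list.d/cros-gpu.list \
      /etc/apt/preferences.d/cros-gpu.pref
    # The actual flip to buster.
    sed -i 's/stretch/buster/g' /etc/apt/sources.list \
      /etc/apt/sources.list.d/cros.list
  elif to_bullseye "${version}"; then
    # The actual flip to bullseye.
    sed -i 's/buster/bullseye/g' /etc/apt/sources.list \
      /etc/apt/sources.list.d/cros.list
    # The bullseye security repo is called "bullseye-security", while buster
    # uses "buster/updates". The substitution above has already turned that
    # into "bullseye/updates", which is what this expression rewrites.
    sed -i 's/debian-security\/\? bullseye\/updates/debian-security bullseye-security/g' \
      /etc/apt/sources.list
  fi
  # Upgrade again, now to the new version.
  do_upgrade
done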