By accident, this was mounting partitions as well, which caused
conflicts in partial updates where some partitions don't have snapshots.
Test: update_device.py with partial OTA
Change-Id: I2db0e6269f0a02cbe8164fa2a72b887c352f56d8
There are more output lines of `avbtool` now; adjust the expected
output of `avbtool info_image --image test.img` in the test
cases.
Bug: 178215452
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I924d6d97ef0a4c19c93017c2491bf251dfc51cae
Simulate merge interruption and merge restart and
validate the data once entire merge is completed.
Bug: 167409187
Test: cow_snapuserd_test
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Ia940d5fbd2426bdf13347ffb6637d753b2228de6
If executing `adb remount -R` and DSU is running but disabled, then
enable the DSU (one-shot mode) so that the reboot afterwards would stay
within the DSU guest system.
Normally reboot within a DSU guest system would bring the device back to
the host system. However, when doing adb remount -R, we actually don't
want to exit DSU, but wish to reboot back into DSU guest system again
with remount machinery (overlayfs) properly set up.
Also sort the header include order.
Bug: 165925766
Test: Within a DSU guest system, DSU disabled, adb remount -R
=> After reboot, system is DSU and overlayfs is mounted
Test: adb-remount-test.sh within DSU guest system
Change-Id: I72a7a568e985b183d357ae6e1a7d0113e9921200
securityfs /sys/kernel/security securityfs rw,relatime 0 0
is causing the noatime check in adb-remount-test.sh to fail.
Bug: 165925766
Test: Create an aosp_cf_x86_phone-userdebug AVD && adb-remount-test.sh
Test: Use DSU to install GSI on the AVD && adb-remount-test.sh
Change-Id: Ibae0d4bbbbc78fb74f4ad82f2313251598c77f72
Snapuserd daemon parses the merge completion request based on
how the dm-snapshot merge is done. dm-snapshot marks the merge as
complete by zeroing out the metadata viz old-chunk and new-chunk id's.
If we have a sector 0 operation such as copy/replace op,
then old-chunk id will be 0 and new-chunk id will be a non-zero
pseudo number. Once the merge is complete, then old-chunk and new-chunk will be 0.
The problem is that daemon used to track the merge completion just by checking
if old-chunk was non-zero. This check is not sufficient and ends up
tripping the assert in the daemon.
Bug: 178061207
Test: Modify cow_snapuserd_test to test this case and validate the
IO path.
Reported-by: Kelvin Zhang <zhangkelvin@google.com>
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I6603af1c7b55e487dc3aec0c30c0a9dea0fedb56
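
The completion check described in the commit message above, shown as an added example (not code from snapuserd or from this change). It contrasts testing only old-chunk with testing both ids; the struct, function names and sample metadata are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Modeled on the dm-snapshot on-disk exception: a pair of 64-bit chunk ids.
struct DiskException {
    uint64_t old_chunk;
    uint64_t new_chunk;
};

// Insufficient check: an entry counts as unmerged only if old_chunk != 0.
// A sector-0 copy/replace op (old_chunk == 0) is mistaken for a merged entry.
size_t PendingByOldChunkOnly(const std::vector<DiskException>& area) {
    size_t pending = 0;
    for (const auto& de : area) {
        if (de.old_chunk != 0) pending++;
    }
    return pending;
}

// Check matching the description: merged only when both ids are zero.
size_t PendingByBothChunks(const std::vector<DiskException>& area) {
    size_t pending = 0;
    for (const auto& de : area) {
        if (de.old_chunk != 0 || de.new_chunk != 0) pending++;
    }
    return pending;
}

// Constructed metadata: the first entry is a sector-0 op with pseudo new-chunk 2.
std::vector<DiskException> SampleArea() {
    return {{0, 2}, {5, 3}, {9, 4}};
}

// Simulate dm-snapshot completing the merge of one entry by zeroing it.
void MarkMerged(std::vector<DiskException>& area, size_t index) {
    area[index] = {0, 0};
}

int main() {
    std::vector<DiskException> area = SampleArea();
    std::printf("before merge:   old-only=%zu both=%zu\n",
                PendingByOldChunkOnly(area), PendingByBothChunks(area));
    MarkMerged(area, 0);  // the sector-0 entry is merged
    std::printf("after sector-0: old-only=%zu both=%zu\n",
                PendingByOldChunkOnly(area), PendingByBothChunks(area));
    return 0;
}
```

The old-chunk-only count never changes when the sector-0 entry is merged, so a daemon that derives merge progress from it sees a state that disagrees with the kernel's.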
If a partition shrinks in an update, it must be merged before any other
partitions. Otherwise, a copy operation may source from the tail of the
shrunk partition, which could be overwritten by a merge operation in
another partition.
This patch adds a "MergePhase" indicator to the update status that is
valid only when the state is MERGING. Partitions that shrink are merged
first, and the phase will be FIRST_PHASE. Once ProcessUpdateState() has
determined that all first-phase snapshots are merged, it will switch to
SECOND_PHASE and remaining snapshots can start merging.
Otherwise, there is no change to the merge algorithm. The phase split is
an implementation detail and not exposed to update_engine.
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I06043f8e3b81bdecefb6a4b5944a97b7086eeb49
When a partition shrinks, it is not correct to use the base device as
the "source" device for the new COW format, because we may need to read
blocks that do not exist in the new partition.
To resolve this, we store a copy of the old partition layout in /metadata,
and use it to create a "source" view of the old partition. The new
stacking looks as follows:
  partition_b (dm-snapshot):
    - partition_b-base (partition_b dm-linear)
    - partition_b-cow-user (dm-user + snapuserd):
      - partition_b-cow (COW image)
      - partition_b-src (partition_a dm-linear)
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I872f271cc1f25cc796b94188fdde247cdc4050b4
VAB has an unused optimization that allows bypassing snapshots for the
area of a partition that grows during an OTA. The code for this is
entirely unused since the optimization was never enabled. The benefits
are marginal, and making it safe is quite complicated. The "new" region
cannot overlap with any region being relinquished by a shrink operation,
without snapshotting the region that would be overwritten. This would be
burdensome to implement and would minimize space savings.
Let's remove the code related to this optimization until we are
confident we can implement it safely in VABC.
Bug: 177935716
Test: vts_libsnapshot_test
Change-Id: I7d6a68dce57c8a4389ea6bff9f31971276a20db4
The test uses 'external/avb/test/data/testkey_rsa2048.pem' from the
source tree, which is not available when running the test. Copy
the test key with the test case in Android.bp to fix the issue.
Bug: 177906739
Test: atest libvbmeta_test
Change-Id: I528dcdc5b48ed4af36ddd360380eb39631ff4317
This fix is to keep the dm line in the status file and let
UnmapImageDevice clean up correctly.
Bug: 171861574
Test: execute the following command on a device with an SD card inserted
  adb shell am start-activity \
    -n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
    -a android.os.image.action.START_INSTALL \
    -d file:///storage/emulated/0/Download/system.raw.gz \
    --el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
    --el KEY_USERDATA_SIZE 4294967296
Change-Id: Ia56f8f724f04e7e20586e088c89b62a1068766e4
The sector count can decrease as the merge progresses, so we only care
that the sector count is less than or equal to the device size.
Bug: N/A
Test: reboot during VABC merge
Change-Id: I1da956456ea28ca0fdfbf9373848987c9f71ff68
This bit was getting lost because InitiateMerge() did not save the
compression bit when overwriting the update state.
Bug: N/A
Test: vts_libsnapshot_test
Test: reboot during merge phase of VABC OTA
Change-Id: I1a2219b501088de352a9c31d4b8b1a3f72d0e159
WaitForDelete is supposed to block until close() has been called on the
COW image. However, it could race with the destructor for Snapuserd
since nothing guaranteed it was freed within the global lock.
This patch fixes the bug and refactors the surrounding code to make the
responsibilities of each thread clearer.
Bug: N/A
Test: vts_libsnapshot_test
Change-Id: Icfc264e6dff378db585c81cde381cc24269f4800
Grouping metadata into clusters decreases the overhead incurred by extra
reads. Assuming a constant added cost with reads, we currently measure
this to be around 1.2 microseconds. For an entire OTA, this can add up
to several seconds of time. Setting the cluster size to 200 removes
99.5% of that extra time, while adding 20 bytes per 200 ops, as well as
up to 200*20 bytes (4kb) unused space near the end of the file, although
it would be half of that on average. We save 99.5% of the overhead of
separate reads for a 0.5% space increase.
We've opted for a change to the default so that tools that estimate cow
size and any others will automatically be kept up to date, without
needing to update the value everywhere.
Bug: 172026020
Test: cow_api_test
Change-Id: Id4525cf2abfecf4691b46588823cb3cb4f6234d9
* changes:
  libsnapshot: Fix tests that depend on PrepareOneSnapshot().
  libsnapshot: Ensure dm-user devices are destroyed after a merge.
  libsnapshot: Fix tests for mapping snapshots in first-stage init.
  init: Add an selinux transition for snapuserd.
PrepareOneSnapshot was hardcoded in a way that only worked with
pre-compression devices. This patch makes it use the public API and
supported update flow.
One test, SnapshotTest.Merge, now uses OpenSnapshotWriter instead of
MapUpdateSnapshot. There are still other tests using the old API call.
Bug: N/A
Test: vts_libsnapshot_test
Change-Id: Iec4bf6efe6a82e1f90b81fa4211201845ebabe62
Also, make sure snapuserd has closed its references. This is preventing
the merge from completing until a reboot.
Bug: N/A
Test: vts_libsnapshot_test
Change-Id: Iba18f887bdb262c630ec44461871e19fe64dbf3c
These tests are failing due to a missing WaitForFile call. Simplify
setting this up by adding a helper.
Bug: N/A
Test: vts_libsnapshot_test
Change-Id: Ic2afa74f72c7e364695233120b2327bae904882a
If the requested IO is not 4k aligned and spans
between two COW Operations, then we will have
to split the IO as we need to read the partial
buffers from two COW operations.
BUG: 176918488
Test: cow_snapuserd_test - Data verification with unaligned IO
Full OTA on cuttlefish
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Icf6801e1767112b92cb7991808860f119adebda2
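
The IO split described in the commit message above, shown as an added example (not code from snapuserd or from this change). It cuts a request at 4k boundaries and assembles the result from the partial buffers of each COW operation; `ReadCowBlock`, `SplitIo`, `ReadUnaligned` and the block contents are constructed for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr uint64_t kBlockSize = 4096;  // one COW operation covers one 4k block

// Stand-in for fetching the 4k payload of the COW operation for `block`
// (constructed data: every byte of block N has the value N).
std::vector<uint8_t> ReadCowBlock(uint64_t block) {
    return std::vector<uint8_t>(kBlockSize, static_cast<uint8_t>(block));
}

struct Segment {
    uint64_t block;   // which 4k COW operation to read
    uint64_t skip;    // bytes to skip at the start of that block
    uint64_t length;  // bytes to take from that block
};

// Split [offset, offset + length) at 4k boundaries, one segment per COW op.
std::vector<Segment> SplitIo(uint64_t offset, uint64_t length) {
    std::vector<Segment> segments;
    while (length > 0) {
        uint64_t skip = offset % kBlockSize;
        uint64_t take = std::min(length, kBlockSize - skip);
        segments.push_back({offset / kBlockSize, skip, take});
        offset += take;
        length -= take;
    }
    return segments;
}

// Serve the request by copying the partial buffer from each COW op in turn.
std::vector<uint8_t> ReadUnaligned(uint64_t offset, uint64_t length) {
    std::vector<uint8_t> out;
    for (const Segment& s : SplitIo(offset, length)) {
        std::vector<uint8_t> block = ReadCowBlock(s.block);
        out.insert(out.end(), block.data() + s.skip, block.data() + s.skip + s.length);
    }
    return out;
}

int main() {
    // A 4k read starting 512 bytes into block 3 spans blocks 3 and 4.
    for (const Segment& s : SplitIo(3 * kBlockSize + 512, kBlockSize)) {
        std::printf("block=%llu skip=%llu len=%llu\n", (unsigned long long)s.block,
                    (unsigned long long)s.skip, (unsigned long long)s.length);
    }
    return 0;
}
```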
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
This adds the -d option to Inspect_Cow, which will cause it to attempt
to decompress all data blocks, reporting any errors it encounters.
Useful for detecting corruption in Cow files.
Bug: 172026020
Test: Inspect_Cow -d [cow_file]
Change-Id: Iebf5f7f485b33b36daab4ab07005ca37e51d692f
Previously, we'd check if a new cluster was needed before we added a Cow
Operation. This would cause an op's associated data to go to the wrong
location, so instead we check if we'll need a new cluster after writing
each op.
Bug: 172026020
Test: cow_api_test (ClusterCompressGz)
Change-Id: Ia43afedcfd430961b34f5914da4265b89e6fadb9
If we read up to a label, this error message is unneeded, and if we
don't, we already return an error message before this, leaving the old
message as entirely redundant and misleading.
Test: Run, verify "No COW Footer, recovered data" does not show in logs
Bug: 172026020
Change-Id: I31d054ccf898cf93c71ff201f0868e57cd1a6135
In first-stage init, during the selinux transition, no socket is needed.
It's even advantageous not to create one, since it greatly reduces the
amount of avc audits. This patch allows starting snapuserd with a preset
list of socket commands that it can run on startup.
Bug: 173476209
Test: manual test
Change-Id: I758d99097372e4dffb252e2836fd859b7fed162a
This is in preparation for expanding the command-line features of
snapuserd.
Bug: N/A
Test: builds
Change-Id: Id33c4f190dc0f99cd436f0e9a6b1d6ee92e245e4