Updating Silverblue: GNOME Software? Automatic updates?

Some problems/questions regarding updates on Silverblue:

  1. In GNOME Software I sometimes only got the blue “Install all updates” and I could click it, but did not notice it does anything.
    When I just tried to reproduce it, however, it worked for some reason… :thinking:
  2. rpm-ostree shows me it can apparently enable auto-update:
    $ rpm-ostree status
    State: idle
    AutomaticUpdates: disabled
    
    So:
    1. How can I enable automatic updates?
    2. In GNOME Software I have auto-updates enabled. Apparently, this has nothing to do with that/is not related/does not change this setting. Is anything planned to change this or what?

Security updates/Changelog

In GNOME Software on “usual” Fedoras I had a nice changelog etc. Now on Silverblue, I only saw this (no details for any updates):

Updating via rpm-ostree showed me this:

rpm-ostree update
⠚ Writing objects: 1 
Writing objects: 1... done
Checking out tree eb064f4... done
Enabled rpm-md repositories: updates fedora-cisco-openh264 fedora rpmfusion-free-updates rpmfusion-free
Updating metadata for 'updates'... done
rpm-md repo 'updates'; generated: 2019-07-27T00:50:45Z
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2019-03-21T15:16:16Z
rpm-md repo 'fedora' (cached); generated: 2019-04-25T23:49:41Z
rpm-md repo 'rpmfusion-free-updates' (cached); generated: 2019-07-22T14:53:32Z
rpm-md repo 'rpmfusion-free' (cached); generated: 2019-04-16T20:46:20Z
Importing rpm-md... done
Resolving dependencies... done
Relabeling... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Freed: 204,8 MB (pkgcache branches: 0)
Upgraded:
  container-selinux 2:2.107-1.git453b816.fc30 -> 2:2.111.0-1.fc30
  flatpak 1.4.2-2.fc30 -> 1.4.2-3.fc30
  flatpak-libs 1.4.2-2.fc30 -> 1.4.2-3.fc30
  flatpak-selinux 1.4.2-2.fc30 -> 1.4.2-3.fc30
  flatpak-session-helper 1.4.2-2.fc30 -> 1.4.2-3.fc30
  gnome-user-docs 3.32.2-1.fc30 -> 3.32.3-1.fc30
  ibus-typing-booster 2.6.2-1.fc30 -> 2.6.4-1.fc30
  openssh 8.0p1-4.fc30 -> 8.0p1-5.fc30
  openssh-clients 8.0p1-4.fc30 -> 8.0p1-5.fc30
  openssh-server 8.0p1-4.fc30 -> 8.0p1-5.fc30
  qt5-qtbase 5.12.4-3.fc30 -> 5.12.4-4.fc30
  qt5-qtbase-common 5.12.4-3.fc30 -> 5.12.4-4.fc30
  qt5-qtbase-gui 5.12.4-3.fc30 -> 5.12.4-4.fc30
  sqlite-libs 3.26.0-5.fc30 -> 3.26.0-6.fc30
  tpm2-abrmd 2.1.1-1.fc30 -> 2.2.0-1.fc30
Added:
  python3-distro-1.4.0-1.fc30.noarch
Run "systemctl reboot" to start a reboot

Also no details and no CVEs/security advisories listed, but when running rpm-ostree status later I was quite surprised to see that it seems to advise me to reboot, because there is an advisory:

rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
  ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20190727.0 (2019-07-27T00:41:05Z)
                BaseCommit: eb064f4ac22e56ea270a4f7065a5466d0326cc67921e49705bbd5335039c1d91
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
             SecAdvisories: 1 moderate
                      Diff: 15 upgraded, 1 added
           LayeredPackages: ***
             LocalPackages: rpmfusion-free-release-30-1.noarch

● ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20190726.0 (2019-07-26T00:43:43Z)
                BaseCommit: f8a402113a13cb8a9f447f1916a9cd7b4ef39453e5e45cb742043ca69699c35f
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
           LayeredPackages: ***
             LocalPackages: rpmfusion-free-release-30-1.noarch

  ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20190725.0 (2019-07-25T00:39:16Z)
                BaseCommit: a7100c09474f7bc42cf71f90fa77e74baa756834c738a7425b7771655de3caa6
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
           LayeredPackages: ***
             LocalPackages: rpmfusion-free-release-30-1.noarch

Again a problem though: I have no idea what advisory it is, which software it affects etc. It just shows me “there is something”.

Also, again, why doesn’t GNOME Software show this? Why doesn’t rpm-ostree update show it during the update (maybe changing the last sentence message to more strongly advise to reboot?)

1 Like

2.1 I suggest you read this post (also thought this video was mildly helpful) to enable auto updates for Fedora Silverblue; it’s not the most intuitive and simple process, but it works.
2.2 The auto-updates mentioned in GNOME Software concern the applications that you have installed as flatpaks and not the operating system (at least that’s what I have understood).

If you add a -v (verbose): rpm-ostree -v status, you will get a detailed list of all the CVEs and the affected software.

1 Like
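The status output quoted in the question already carries enough to tell whether a reboot is pending for security reasons. As an added example (not from the thread or the rpm-ostree project), the hypothetical helper pending_advisories below reads rpm-ostree status text and reports SecAdvisories on deployments that are not booted yet; it assumes that deployments listed above the booted (●) one are pending, and sample_status is abbreviated from the output in the post.

```shell
#!/bin/sh
# Added example: flag staged deployments that carry security advisories.
# Real use: rpm-ostree status | pending_advisories

# Abbreviated from the `rpm-ostree status` output quoted in the thread.
sample_status() {
cat <<'EOF'
State: idle
AutomaticUpdates: disabled
Deployments:
  ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20190727.0 (2019-07-27T00:41:05Z)
             SecAdvisories: 1 moderate
                      Diff: 15 upgraded, 1 added

● ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20190726.0 (2019-07-26T00:43:43Z)

  ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20190725.0 (2019-07-25T00:39:16Z)
EOF
}

# Prints "<version><TAB><advisories>" for each pending deployment that has a
# SecAdvisories line. Exit status 0 if any was found, 1 otherwise.
pending_advisories() {
    awk '
        # Booted deployment: everything from here on is current or rollback.
        index($0, "● ") == 1 { booted_seen = 1; pending = 0; next }
        # Header of a non-booted deployment (two-space indent, then the origin).
        /^  [^ ]/ { pending = !booted_seen; version = ""; next }
        pending && $1 == "Version:" { version = $2 }
        pending && $1 == "SecAdvisories:" {
            sub(/^ *SecAdvisories: */, "")
            printf "%s\t%s\n", version, $0
            found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

sample_status | pending_advisories
```

A zero exit status means a staged deployment fixes at least one advisory, so the fix is not active until the next reboot.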

Ugh, yeah, kinda elaborate process. Is there any plan to later enable this by default?

Is the automatic upgrade tutorial @mhack mentions out of date already? There is a warning for experimental usage and the walkthrough explains that “ex-stage” should be used. However, checking the man page of the file only lists none, check, and stage as options, not ex-stage.

Hi, author of that tutorial here.

Your reasoning is correct. The stage functionality has moved out of experimental with this commit:

I’ve personally been using the staging feature since I wrote that guide over a year ago, with no ill effects.

2 Likes

I believe the plan is to eventually enable the automatic updates by default, but I don’t know of the timeline for that yet.

Here’s the simple way to enable the automatic staging of updates (assuming you haven’t touched /etc/rpm-ostreed.conf at all):

$ sudo sed -i 's|^#AutomaticUpdatePolicy=none|AutomaticUpdatePolicy=stage|' /etc/rpm-ostreed.conf
$ sudo rpm-ostree reload
$ sudo systemctl enable rpm-ostreed-automatic.timer --now

Afterwards, you can inspect rpm-ostree and the timer to see your changes took effect:

$ rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: no runs since boot
Deployments:
● ostree://fedora:fedora/30/x86_64/testing/silverblue
                   Version: 30.20190729.0 (2019-07-29T02:34:10Z)
                BaseCommit: a5d1add72506ea9797b1517397b8dd4774b45766aa777cb39b0ff8a0565d65bf
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
           LayeredPackages: chromium cockpit-bridge compat-ffmpeg28 fedora-arm-installer ffmpeg-libs krb5-workstation ksmtuned libvirt libvirt-client libvirt-daemon-kvm libvirt-devel qemu-kvm tilix tmux vagrant-libvirt vim-enhanced virt-install
                            virt-manager

$ systemctl status rpm-ostreed-automatic.timer
● rpm-ostreed-automatic.timer - RPM-OSTree Automatic Update Trigger
   Loaded: loaded (/usr/lib/systemd/system/rpm-ostreed-automatic.timer; enabled; vendor preset: disabled)
   Active: active (waiting) since Tue 2019-07-30 09:48:11 EDT; 32min ago
  Trigger: Tue 2019-07-30 10:47:52 EDT; 27min left
     Docs: man:rpm-ostree(1)
           man:rpm-ostreed.conf(5)
3 Likes
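The sed one-liner above only matches the untouched default line. As an added example (not from the thread or the rpm-ostree project), the hypothetical helper set_update_policy below sets the key under [Daemon] whether it is commented out, already set to another value, or missing; it takes the file path as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: idempotently set AutomaticUpdatePolicy in an rpm-ostreed.conf.
# Usage: set_update_policy <conf-file> <none|check|stage>
set_update_policy() {
    conf=$1 policy=$2
    case $policy in
        none|check|stage) ;;   # the values the man page lists
        *) echo "invalid policy: $policy" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    awk -v policy="$policy" '
        function emit() { print "AutomaticUpdatePolicy=" policy; done = 1 }
        /^\[/ {
            # Leaving [Daemon] without having seen the key: add it first.
            if (in_daemon && !done) emit()
            in_daemon = ($0 == "[Daemon]")
            if (in_daemon) seen_section = 1
            print; next
        }
        in_daemon && /^[# \t]*AutomaticUpdatePolicy[ \t]*=/ {
            if (!done) emit()   # replace the first hit, drop later duplicates
            next
        }
        { print }
        END {
            if (!seen_section) print "[Daemon]"
            if (!done) emit()
        }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner, mode and label
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run against /etc/rpm-ostreed.conf it needs root, and the reload and timer steps from the post still follow.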

Thank you for writing that tutorial! I didn’t know the automatic upgrades were a possibility until I found that. Very cool stuff. Also I am happy to hear that this wasn’t as risky of a move as I had thought it was going in. Again thank you for your contributions!

I’m really just a user like a lot of other folks on this forum. Anyone can contribute!

Well, it’s the same instruction as provided above. Anyway, this is also only just staging, i.e. it downloads the updates, but does not apply them, correct?

So if I restart, I will be in the same system? I still need to run rpm-ostree to apply them?

BTW you can remove the last two sudos from the last commands, both rpm-ostree and systemctl care for getting root permissions by themselves. (or don’t need it)


After all, I guess it would already help if GNOME Software would properly show the updates. Here is what happened:

  1. It showed me (the usual) notification “There are important [yes, there was one CVE!] updates.”
  2. But when I click on it/open it, I only see a simple “Update all” button, nothing else:

The man page covers the different options pretty well:

..."check" downloads just enough metadata to check for updates and display them in rpm-ostree status.

Finally, the "stage" policy downloads and unpacks the update, performing any package layering. Only a small amount of work is left to be performed at shutdown time via the ostree-finalize-staged.service systemd unit.

So in the case of stage, if you reboot, you’ll be in the new update that was downloaded and staged. If you don’t want this behavior, use the check setting.

I personally don’t use the GNOME Software interface, so I’m not sure what is going on there. I’d recommend filing an issue upstream to discuss with the maintainers - https://gitlab.gnome.org/GNOME/gnome-software/issues

To answer/correct myself: No. Actually, it is the same as when you run rpm-ostree update! :smiley: Staging apparently means it stages it to be applied for the next reboot (and this is fine and enough, just remember to reboot from time to time :stuck_out_tongue_winking_eye:)

So this is great!

Done:

1 Like