THE SUP SOFTWARE UPGRADE PROTOCOL Carnegie Mellon University School of Computer Science Steven Shafer Mary Thompson 8 September 1989 The SUP system is a set of programs for maintaining a set of files in identical versions across a network of cooperating machines. It runs under the Mach operating system. 1. Introduction The SUP System is a set of programs that provide for collections of files to be maintained in identical versions across a number of machines. These programs are: SUP The "client" program, run by users or system maintainers, which initiates the upgrade activity on a machine requesting the latest version of a collection of files. SUP will normally be run as a daemon, firing up once each night (week, etc.) to upgrade the specified file collections. SUPFILESRV The "file server" program, a daemon that is run by the system maintainer to service requests for files initiated by client SUP programs. The file server runs on every machine used as a "repository" of distributable versions of files. It runs continuously and listens for network connection requests by individual client processes; for each individual client request, a process is forked to service that request. SUPSCAN The "file scanner" program, that may optionally be run periodically to speed up execution of the file server. It pre-compiles a list of files on the file system that match the specifications for a given file collection so that the file server need not do this during each upgrade of that collection. The file scanner is normally used daily for very large file collections that are upgraded by many clients each day; it is not so useful for small file collections or for those that are upgraded by only a few client machines per day. When SUP is run, the user designates the names of certain "file collections", sets of files, that should be upgraded. All pre-defined system collections have entries in the coll.host file that gives the name of the host will act as the repository for that software collection. The file server on that machine provides a list of the files included in the collection and which ones have been changed since the last time this collection was upgraded from that client machine; the client decides which of these files it needs to receive; and the files are sent from the file server. In this way, files can be installed on the repository machine once, and they will propagate to all machines upgrading from that repository as soon as the respective users execute SUP to perform the upgrade. This allows groups of cooperating users to establish sets of files that can be relied upon to be the same across a set of host machines. SUP is intended to provide a broadcast facility for maintaining identical versions of files across multiple machines. An alternative approach is to provide a common file system; even when such a system is available, SUP is useful for maintaining frequently used files on local disk storage, and for maintaining files across the file server machines themselves. The SUP system does not address the issues of version control, nor of maintaining compatibility of pieces of a system that are being independently changed by different users or on different machines; what SUP provides is a broadcast mechanism for issuing stable, reliable versions of software or data files, produced by a small number of maintainers and needed by a larger number of users. SUP is intended specifically to address these situations: - A large collection of system software prepared by a maintenance staff for use by a large user community. For example, the CMU-CSD UNIX software used by hundreds of workstations. In such situations, the users know absolutely nothing about how to obtain such software, but they need to keep it constantly upgraded on their machines. Similarly, the maintainers cannot possibly maintain each user's machine individually: they must rely on a broadcast mechanism such as SUP. - A moderate collection of software and data files shared by the members of a project. For example, the vision libraries used by computer vision researchers at CMU. Again, a small number of maintainers on a specific machine produce and maintain this software, which is used by many users on many machines in the CMU environment. However, SUP will not support the practice of some groups that have large programs with different pieces being simultaneously modified and tested in incompatible ways by various users. - A user with accounts on more than one machine. Such a user can set up SUP to automatically copy a collection of files from one machine to one or more others whenever they are changed on the repository machine. If the system maintenance staff is involved on the repository machine a "system" file collection can be set up for which client SUP programs need know nothing but the name of the collection. Otherwise, the file collection will be "private", and client SUP programs must be specifically told the name of the repository host and the base directory name for the collection on that host. SUP provides facilities for upgrading read-protected files (i.e. files that are not readable by the general public), data encryption of transmitted files and filenames, allowing access only to selected host machines not on the local network, automatically creating backup copies of critical files, executing command-files or programs after upgrading files that require special handling, and mailing progress and error messages to designated users. SUP is also as clever as can be about ensuring that upgraded files have the same accounting information (mode, owner, links, etc.) on the client machine as on the repository machine, and ensuring that upgrade problems don't wipe out existing files when this is avoidable. 2. How to Use SUP to Upgrade a File Collection You will normally want to run SUP periodically, say every day or every week, using the at program, to upgrade important file collections such as UNIX system software. You can also execute SUP directly at any time. The SUP command looks like this: $ sup [flags] [supfile] These are the flags and arguments: -a (all files) Normally, SUP only upgrades files if they are out-of-date or missing on your machine. If you specify the -a flag, then all files in the collection will be upgraded regardless of whether they meet these conditions. This is useful for recovering from catastrophic file deletions or disk crashes. -b (backup) If this flag is given, or the backup supfile option is specified, the contents of regular files on the local system will be saved before they are overwritten with new data. The file collection maintainer can designate specific files to be worthy of backing up whenever they are upgraded. However, such backup will only take place if you specify this flag or the backup option to allow backups for a file collection on your machine. The backup mechanism will create a copy of the current version of a file immediately before a new copy is received from the file server; the copy is given the same name as the original file but is put into a directory called BACKUP within the directory containing the original file. For example, /usr/sas/src/foo.c would have a backup copy called /usr/sas/src/BACKUP/foo.c. There is no provision for automatically maintaining multiple old versions of files; you would have to do this yourself. -B overrides and disables the -b flag and the backup supfile option. -d (delete) Files that are no longer in the collection on the repository will be deleted if present on the local machine. This may also be specified in a supfile with the deleteoption. -D This flag overrides and disables the -d flag and the delete supfile option. -e (execute) Sup will execute commands sent from the repository that should be run when a file is upgraded. If the -e flag is omitted, Sup will print a message that specifies the command to execute. This may also be specified in a supfile with the execute option. -E overrides and disables the -e flag and the execute supfile option. -f (file list) If you specify -f, then SUP will print a list of all the files in the specified collections, indicating which ones need to be upgraded, which are directories, and which require backup copies to be created. The upgrade itself will not be performed. -l (local) Normally, SUP will not upgrade a collection if the repository is on the same machine. This allows users to run upgrades on all machines without having to make special checks for the repository machine. If the -l flag is specified, collections will be upgraded even if the repository is local. -m (mail) Normally, SUP prints log messages on its standard output and diagnostic output. With the -m flag, messages will be mailed to you instead. This also allows the notify option to be effective (see the discussion of supfiles below) to send mail to someone else. -N (network debugging) The -N flag causes SUP to produce tons of output lines describing the progress and status of the network communications with the name server and file server. -P (debugging ports) The -P flag tells SUP to use an alternate set of TCP ports from the normal ports. This is a debugging aid for system maintenance. -o (old files) This flag overrides the noold option if it appears in the supfile. The -a flag also overrides the noold option. See "Supfiles" below for details. -O overrides and disables the -o flag and the old supfile option. -s (system collections) Normally, you will specify a specific supfile to describe the file collections you want. If you use the -s flag, then a specific supfile will be used that describes the system software file collections. The supfile for system software is /usr/cmu/lib/supfiles/coll.list. -t (time) If you specify -t, then SUP will simply print out the last time and date at which each specified file collection was successfully upgraded; it will not perform any actual upgrade. This is a diagnostic aid in case you suspect the upgrades aren't working. -v (verbose) Normally, SUP only produces messages to tell what's gone wrong (if anything does go wrong). With the -v flag, messages will be produced to tell what is happening when things are going normally as well. supfile You must specify the name of a supfile, unless you use the -s flag to indicate the system software supfile. The supfile, described below, specifies which file collections you want to upgrade. For example, to upgrade system software on your machine, type: $ sup -s or, to have detailed log messages mailed to you: $ sup -v -m -s Because SUP runs with your user-id, you will not be able to upgrade the system software unless you are logged onto that account when you execute SUP. Each file collection being upgraded must have a base directory on your machine, which will normally contain all the files in the collection. Within this directory there should be a subdirectory called sup that will be used by the SUP program; it will be created automatically if you do not create it. SUP will put files into this directory as needed. If you want to find out what files need to be upgraded, type: $ sup -f supfile This will list all the files in the collection, indicating which need to be upgraded (and why), which are directories, and which would have backup copies created if the upgrade were performed. If you simply want to find out the date and time of the last successful upgrades, type: $ sup -t supfile This will print the collection name and time of the last upgrade for each collection described in the indicated supfile. For the system collections, you can use: $ sup -s -t 2.1 Supfiles When you execute SUP, you specify a supfile either by name or by using the -s flag. This file is a list of the file collections you wish to upgrade. The supfile is a text file, with each file collection described on a single line. The line begins with the name of the collection, and may then have a number of options separated by spaces. The options are: base=directory The name of the base directory on this machine for this file collection, when you don't want to use the default (/usr/collection). host=hostname The name of the host machine acting as the repository for this file collection, used for "private" file collections. For "system" file collections, this is unnecessary because the this information is kept in /usr/cs/lib/supfiles/coll.host. hostbase=directory The name of the base directory on the repository machine for the file collection (see "How to Set Up a File Collection" below). This is also used only for "private" file collections; for "system" file collections, the information is obtained automatically by the file server. The default name of the host base directory is /usr/collection. login=accountid The name of the account to be used by the file server, when the default is not acceptable (i.e. it doesn't have the necessary file access privileges to read the file collection). The default at CMU is the "Anonymous FTP" account if no data encryption is used, or the owner of the directory sup/collection within the repository machine's base directory if encryption is used. password=password The password used for the login account specified by the "login" option. This password will be transmitted in encrypted form over the network. crypt=key An optional encryption key for filenames and file data for this file collection. If used, the same key must be specified on the repository machine or the upgrade will not take place. This key is used for filenames and data only -- not for transmission of the passsword in the "password" option. The use of data encryption also implies an alternate default account for the file server (see the "login" option above). notify=mailaddress The account name to which mail is to be addressed for log messages for this file collection, when the -m flag is given to SUP. The account name can be a complete mail address, possibly including a network host name such as sas@cmu-cs-ius. noexec This option prevents the automatic execution of command files on your machine with the upgrade is finished (see "What SUP Does" below). backup This option enables backup copies of critical files to be created by SUP as specified in "What SUP Does" below. nodelete This option prevents SUP from deleting files on your machine if they are deleted from the file collection on the repository machine. noold This option tells SUP not to check on files in the collection that have not been modified or created since the last upgrade. This allows SUP to run much faster on large file collections, but prevents it from deleting files on the client machine if they are deleted from the repository, or from restoring files that have been accidentally deleted from the client machine. This option is normally useful only for very large file collections. Its function subsumes that of the nodelete option. The noold flag will be ignored when either the -a or -o flag is specified to SUP; this allows a complete file check to be performed with the -o flag when needed to recover from, say, accidental deletion of critical files. Here is an example of a supfile: cmu backup vision crypt=pupil backup notify=vision@cmu-cs-ius sas host=ius hostbase=/usr/sas/sun login=sas password=foo crypt=bletch This supfile specifies the following file collection upgrades: cmu The "cmu" file collection, which is a "system" file collection, with local base directory /usr/cmu (the default). Backup copies of critical files will be created during upgrading. vision The "vision" file collection, also a "system" file collection, with local base directory /usr/vision. Backups will be created. The data will be encrypted with key pupil, and log messages will be sent to the vision account on cmu-cs-ius. sas A "private" file collection will be upgraded from the cmu-cs-ius machine. The remote base directory is /usr/sas/sun, but the local base directory is /usr/sas. The file server will login on account sas with password foo; the data will be encrypted with key bletch. 3. What SUP Does An upgrade involves several steps: 1. SUP first reads the specified supfile, checking it for errors and recording all the specifications and options. 2. If any collections do not specify a host name, SUP will look in /usr/cs/supfiles/coll.host to find out the names of the hosts for these collections. In the preceding example, the name server would be asked to supply the host names for the cmu and vision file collections. 3. For each collection on the list, SUP will connect to the file server on the appropriate host and carry on the upgrade process. (If the file server is on the same host machine as the client, and the base directories are the same, then no upgrade is performed.) a. The file server and SUP exchange setup information, including the host base directory, login account name, password, and encryption key. SUP also reports the time of the last upgrade, by looking in the file sup/collection/when (e.g. /usr/vision/sup/vision/when) on the client machine. The file server gets the base directory name, if needed, by looking in the file /usr/cs/lib/supservers/coll.dir, and gets the encryption key from sup/collection/crypt on the repository machine. The connection may be refused by the file server for such reasons as: - incorrect login name or password - base directory is protected against access by the specified account - incorrect data encryption key - host not allowed access b. Once the connection is established and access permission has been granted as above, the file server builds a list of all files and directories in the file collection. The list file sup/collection/list (see "How to Set Up a File Collection" below) is used to generate this list. The files indicated in the list file are marked with a special flag if they are indicated to have backup copies created in case of upgrade. The last modification date of each file is checked against the time of the last upgrade (reported by the client above), and if it has been modified since the last upgrade, a flag is set to indicate that the client's copy of this file is out of date. The file list, along with the backup and out-of-date flag for each file, is sent to the client. If a scan file exists as created by SUPSCAN (sup/collection/scan), then the file list is taken from the scan file instead of being constructed from the list file by the file server. In this case, the time of record for the upgrade will be the time at which the scan file was created rather than the time at which the upgrade actually occurs. If the noold option was specified in the supfile (and not overridden by the -a or -o flag to SUP), the list of filenames sent to the client process will exclude those files that were not created or modified since the last upgrade. c. The client SUP process receives the list of files and constructs a list of the files it needs. This will normally be those files that are either (1) out-of-date as indicated by the flag sent from the file server, or (2) missing from the local machine. However, if the -a flag was specified to SUP, then every file in the list will be selected by the client process. The list of needed files is sent to the file server. For each selected file, if the backup flag was marked and the user specified the backup option in the supfile, then a backup copy of the file will be created. This will be a copy of the file with "backup/" inserted in the filename just after the directory name, i.e. /usr/vision/lib/libvision.a would have a backup copy named /usr/vision/lib/backup/libvision.a. (The indicated directory, e.g. /usr/vision/lib/backup, will be created if needed.) Also at this time, if the nodelete option was not specified, the client reads its list of files in the collection during the last successful upgrade, sup/collection/last, and deletes any files appearing in that list that are not in the current file list. d. The file server receives the list of files requested by the client. It checks to see that each file is on its list of files for this collection, and that each file is accessible; if a file fails either condition its name will be reported to the client as being denied to that client. Each file will be sent to the client machine, along with the owning account name, the owning group name, the 12 low-order mode bits, and the last modification time for that file. If a file has more than one link (filename), both of which are requested by the client, then the file will be sent once and the second (etc.) filename will be accompanied only by a flag saying it's a link and the name of the file actually sent. The client receives each file and processes it as described under "File Installation" below. Directories are treated similarly to files; the mode, owning account and group, and modification time are transmitted to the client machine whenever a directory is upgraded. e. When all files have been transmitted, the file server looks at the list of command-files to be executed after upgrading for this collection (see "How to Set Up a File Collection" below). If any of the command-files or their trigger files have been upgraded, then the client is sent the filename of the command-file. The client SUP process will normally execute these files; however, if the user has specified noexec in the supfile, then the files will not be executed. In this case, a log message will be created and printed or mailed, telling the user to please execute these files. When creating command files to be executed by SUP, you should bear in mind that the command file might be executed several times on the same version of the trigger files. f. Finally, if the upgrade is successfully completed, the file server reports the time (on its own clock) at which the upgrade began; the client will record this time in the file sup/collection/when to be reported as above at the start of the next upgrade. If the nodelete option was not specified, then the list of all files in the collection is written into sup/collection/last. SUP and the server processes begin each connection by determining whether byte-swapping is necessary for passing integers across the network. If so, the server process performs byte-swapping on input or output of integers to the network, while the client uses its natural representation for network I/O. 3.1 File Installation When SUP receives an ordinary file (i.e. one that is not a link to a previously sent file), it follows this procedure: 1. If the file doesn't already exist on the local machine, it's a new file. It will be created and the data will be read directly into this file. 2. Otherwise, the file already exists. An attempt will be made to read the file contents from the network into a temporary file, which will later be renamed to replace the destination file. SUP will try to create a temporary file in the following directories, proceeding down the list until one of the attempts succeeds: a. destination-directory (the directory containing the file itself) b. sup (the sup subdirectory of the local base directory) c. . (the local base directory) d. /usr/tmp e. /tmp If all these attempts fail, SUP will try to create the destination file itself instead of using a temporary file. If that fails, SUP will complain with a log message and go on to the next file. 3. The file data itself is read into the temporary or destination file. Interrupts are disabled during this process. 4. If the file read was a temporary file, it is renamed to the destination file. This is done via link/unlink, if possible, unless the destination file has more than one link already on this machine. If the link/unlink fails or if the destination file has multiple links, then the temporary file is actually copied to the destination and the temporary file is unlinked. 5. The owner, group, modification time, and low-order 12 mode bits of the destination file are set to the values received from the file server. The last-access time of the file is set to the current local clock. 6. If the -v flag was specified to SUP, a log message is printed indicating the successful receipt of the file. When SUP receives a new link to a file previously received, it simply tries to unlink and link unless the two names are on different file systems on the local machine. If this is the case, or if the link fails, then the previously received file is actually copied to the new name (using exactly the same process as described above for creating a temporary file if needed, etc.) The file-system comparison checks the file system of the old file itself and the directory containing the new name. In all cases, if the directory containing a received file or link does not exist on the local machine, SUP creates it with mkdir (recursively if needed) before creating that file or link. The mode, owner, group, and modification time of the newly created directory will then be set to be the same as the mode of the corresponding directory on the repository machine. This accounting information will be updated whenever the directory is modified on the repository machine. As can be seen from this description, SUP will work the most smoothly (i.e. always using link/unlink for file name changing) if it has write permission in the local base directory and in all subdirectories of that directory. 4. How to Set Up a File Collection It takes only a little bit of effort to set up a file collection on a repository machine to be upgraded by authorized clients. First, the file collection must be given a name and a base directory. There can be several collections with different names sharing the same base directory; for example, there might be a file collection called cmulib for the CMU C library, and one called cmumathlib for just the math routines in the CMU C library, both using /usr/cmu as the base directory. If it is a "private" file collection, client users must be told the name of the repository host and the name of the host base directory for use in the host and hostbase options in the supfile, described above. If it is a "system" collection instead, the system maintainers must alert the name servers of the host name (in /usr/cmu/lib/supservers/coll.host) and the appropriate file server of the base directory name (if not the default, by putting it into /usr/cmu/lib/supservers/coll.dir). Within the base directory, a subdirectory must be created called sup. Within this subdirectory will be a further subdirectory whose name is the name of the collection (there may be several of these if several collections share the same base directory). Each collection's subdirectory will contain any or all of four files: collection/list The list file, describing the files in the collection. The format of this file is explained below. collection/host Normally, the file server allows access to a collection by all machines. If you wish to allow access only to specific remote hosts, you can list their names, one per line, in this text file. If a remote host has several alias names, it need only be listed once in this file. The name LOCAL can be used to allow access to all machines on the local network. This access control is in addition to the other forms of authentication provided by SUP (data encryption and UNIX file protection modes). collection/crypt If you wish to apply data encryption to the filenames and file contents in this collection during upgrading, create this file and place in it the encryption key. This should be on a single line of text containing nothing else except an optional newline character. The client must supply the same key via the crypt option in the supfile for this file collection; the file server checks that explicitly before authorizing the upgrade to take place. collection/scan To speed up execution of the file server, you may wish to create a scan file periodically. This is done by executing the SUPSCAN program: $ supscan [-v] collection [basedir] This will construct a list of all files matching the specifications in the list file, and record it in the scan file. When an upgrade is performed on the collection, the file server will notice that the scan file is present and use this list instead of actually building the filename list by analyzing the list file. The time of record for the upgrade will then be the time at which the scan file was created rather than the time at which the upgrade occurs. A scan file is only useful for very large file collections that are upgraded many times each day. The options for the SUPSCAN program are -v ("verbose") to produce messages as it scans the file list, and basedir if the collection is a private collection whose base directory name is not the default name. This is all the preparation required for a file collection to be upgraded. Note that the default user-id for the file server is "Anonymous FTP" if no data encryption is used; if encryption is used, the default will be the owner of the subdirectory sup/collection within the base directory. 4.1 The List File The list file contains a description of the files to be upgraded. It contains any number of commands, each on a separate line of text. Each line contains a keyword and a number of operands separated by spaces. All filenames in the list are evaluated relative to the collection's base directory on the repository machine for the file server, and relative to the base directory on the client machine for the client SUP process. All (except execfile) may be file specifications containing the shell's meta-characters *, ?, [...], and {...}. The commands are: upgrade filename ... These files will be included in the list of files to be upgraded. If a directory name is given, all the files in that directory will be included and any subdirectories will be recursively included as well. omit filename ... These files will not be included in the list; if a directory is specified, it will not be included nor will its contents be included. For example, the specifications upgrade lib and omit lib/test will include all files and subdirectories of lib except lib/test (and any subdirectories or files within lib/test). omitany pattern ... The specified patterns are compared against the files in the upgrade list. If a pattern matches, the file is omitted. The omitany command currently supports all wild-card patterns except {...}. Also, the pattern must match the entire filename, so a leading */, or a trailing /*, may be necessary in the pattern. backup filename ... The files will be marked for creating backup copies whenever they are upgraded (as described above). Only files can be included in this list -- not directories. As noted above, actual backup copies will only be created by SUP when these files are being upgraded, and then only if the user has specified the backup option in the supfile. execute execfile (triggerfile ...) ... The listed execfiles are command files or programs to be executed after an upgrade to perform routine installation of the upgraded files. Each execfile will be executed only when it is upgraded itself, or when any of its listed triggerfiles have been upgraded. The installation tasks performed by such files might be, for example, creating a table of contents for manual entries or for a subroutine library, or modifying a host name field within a data file. include listfile ... The named listfiles will be read at this point. This allows a collection to contain another collection in its entirety, by simply specifying the name of the listfile for that other collection. backup filename... The specified file(s) are marked for backup; if they are upgraded and the client has specified the backup option in the corresponding line of the supfile, then backup copies will be created as described above. Directories may not be specified, and no recursive filename construction is performed; you must specify the names of the specific files to be backed up before upgrading. symlink filename... The specified file(s) are to be treated as symbolic links and will be transfered as such and not followed. By default, SUP will follow symbolic links. rsymlink dirname... All the symbolic links in the specified subdirectories are to be transferred as such and not followed. Blank lines may appear freely in the list file, and the order in which command lines appear within the file does not matter. Filenames must generally match as strings, e.g. with base directory /usr/vision, "lib" in the upgrade command would not match "/usr/vision/lib" in the omit command; it would only match "lib" in the omit command. However, one special exception exists: if the base directory is specified via "dot" (.) in the upgrade command, the filenames within that directory need not begin with "./" in other commands. For example, with base directory /usr/vision, the commands "upgrade ." and "omit exp" specify a file list including all files and directories within /usr/vision except the subdirectory /usr/vision/exp and its subdirectories and files. 5. Setup for SUP You need to add the following entries to /etc/services: supfilesrv 871/tcp supfiledbg 1127/tcp A supfilsrv daemon should be kept running on any machine that may act as a repository for a collection. Since this includes private collections, it is advisable to have supfilesrv running on all machines if SUP is to be widely used. nanny can be used to start the supfilesrv. The program modcoll.8 is used to set up the control files for the "system" collections. See /usr/cs/man/man8/modcoll.8 Table of Contents 1. Introduction 1 2. How to Use SUP to Upgrade a File Collection 2 2.1 Supfiles 2 3. What SUP Does 4 3.1 File Installation 4 4. How to Set Up a File Collection 5 4.1 The List File 5 5. Setup for SUP 6