Adolfo Delorenzo
efc7f80b65
Security hardening: bind kubeconfig server to localhost, mount hardening (noexec/nosuid/nodev on tmpfs), sysctl network hardening, kernel module loading lock after boot, SHA256 checksum verification for downloads, kernel AppArmor + Audit support, complain-mode AppArmor profiles for containerd and kubelet, and security integration test. ARM64 Raspberry Pi support: piCore64 base extraction, RPi kernel build from raspberrypi/linux fork, RPi firmware fetch, SD card image with 4- partition GPT and tryboot A/B mechanism, BootEnv Go interface abstracting GRUB vs RPi boot environments, architecture-aware build scripts, QEMU aarch64 dev VM and boot test. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
39 lines
1.1 KiB
Go
39 lines
1.1 KiB
Go
package cmd
|
|
|
|
import (
|
|
"fmt"
|
|
"log/slog"
|
|
)
|
|
|
|
// Activate switches the boot target to the passive partition.
|
|
// After activation, the next reboot will boot from the new partition
|
|
// with boot_counter=3. If health checks fail 3 times, GRUB auto-rolls back.
|
|
func Activate(args []string) error {
|
|
opts := parseOpts(args)
|
|
env := opts.NewBootEnv()
|
|
|
|
// Get passive slot (the one we want to boot into)
|
|
passiveSlot, err := env.PassiveSlot()
|
|
if err != nil {
|
|
return fmt.Errorf("reading passive slot: %w", err)
|
|
}
|
|
|
|
activeSlot, err := env.ActiveSlot()
|
|
if err != nil {
|
|
return fmt.Errorf("reading active slot: %w", err)
|
|
}
|
|
|
|
slog.Info("activating slot", "from", activeSlot, "to", passiveSlot)
|
|
|
|
// Set the passive slot as active with fresh boot counter
|
|
if err := env.ActivateSlot(passiveSlot); err != nil {
|
|
return fmt.Errorf("activating slot %s: %w", passiveSlot, err)
|
|
}
|
|
|
|
fmt.Printf("Slot %s activated (was %s)\n", passiveSlot, activeSlot)
|
|
fmt.Println("Boot counter set to 3. Reboot to start the new version.")
|
|
fmt.Println("The system will automatically roll back if health checks fail 3 times.")
|
|
|
|
return nil
|
|
}
|