Sorry, I should have been clearer. Can you make limiting to a specific repository *optional*? There may be people who want to update everything, especially if they build their own images which access internal repositories.

Hi, I am also working on this and didn't know this is earlier than me. I think this one is more complete while mine is only focusing on FreeBSD-base repo. However I guess there are still something useful (or not, as I'm still testing):

• bootstrap/update pkg
• only reboot when there is pkg updated

It's short so I guess I can just paste the core part of mine here. Hope this helps.

firstboot_base_upgrade_run()
{

        # Calculate the checksum of the orignal state
        state_orig=`pkg info -g FreeBSD-\* | sha256`

        # Bootstrap and update pkg to ensure synchronization with the repository
        env ASSUME_ALWAYS_YES=YES pkg bootstrap -f | cat
        env ASSUME_ALWAYS_YES=YES pkg update -f | cat

        # Upgrade the FreeBSD-* packages
        env ASSUME_ALWAYS_YES=YES pkg upgrade \
                --repository FreeBSD-base -g FreeBSD-\* </dev/null | cat

        # Calculate the checksum of the state again
        state_new=`pkg info -g FreeBSD-\* | sha256`

        if [ $state_orig != $state_new ]; then
                echo "Requesting reboot after installing updates."
                touch ${firstboot_sentinel}-reboot
        fi
}

btw, you can try to run it with rclint, but I don't usually follow "Do not quote values unless necessary" error.

@lwhsu out of interest, how do you end up with a system that has FreeBSD-base packages installed but doesn't have pkg bootstrapped?

In D56381#1295532, @ivy wrote:

@lwhsu out of interest, how do you end up with a system that has FreeBSD-base packages installed but doesn't have pkg bootstrapped?

hmm, in the past there is a step in the vm image build to remove the pkg repo database:

mount -t devfs devfs ${DESTDIR}/dev

# The firstboot_pkgs rc.d script will download the repository
# catalogue and install or update pkg when the instance first
# launches, so these files would just be replaced anyway; removing
# them from the image allows it to boot faster.
chroot ${DESTDIR} ${EMULATOR} env ASSUME_ALWAYS_YES=yes \
        /usr/sbin/pkg delete -f -y pkg
umount ${DESTDIR}/dev
rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports
rm -r ${DESTDIR}/var/db/pkg/repos/FreeBSD-ports-kmods

I didn't know this got removed in 54e006369c9aab4f3a22f026eb6924c0f9cafda8 (and it would be good if we can find a way to do this under NO_ROOT)

But still, for the VM, it's still safer to get the pkg re-bootstrapped on the first boot, in the past there was an issue that the pkg in the VM image is too old and cannot work with the repo with newer format on pkg.freebsd.org. That caused many CI failures in other projects, and made many projects need to write those env ASSUME_ALWAYS_YES=YES pkg bootstrap -f and env ASSUME_ALWAYS_YES=YES pkg update -f two lines in the beginning of their CI script before installing the required packages.

In D56381#1295529, @ziaee wrote:

use logic inspired from @lwhsu to prevent reboot if nothing happened. compare the file size in bytes of the pkg database instead of using pkg inf and checksum to save water/coal. tested on my laptop

I know that the chance could be low, but I feel in the process, some packages increase the pkg database the size and some decrease it, there is chance to be the same size before/after the operation.

Yes, there is still the possibility of checksum collision, and that's why the distinfo has both checksum and size.

In D56381#1295504, @ziaee wrote:

note, i like a blank line at the end of scripts for cat reasons. if we don't want this, i can remove it, but it doesn't hurt anything and we do it all over the place.

Do you mean you want a newline character or a blank line? It doesn't seem to me it's our common practice to have a whole blank line in the end of the file (that's actually 2 newline characters), but yes we do need a newline character in the end of the file.

I'm inclined to skip the "figure out if we need to reboot or just restart services" complexity at this point because

1. Trying to restart services when we're in running from inside /etc/rc sounds like a recipe for getting things started in the wrong order.
2. Odds are that there's going to be a kernel update and we'll need to reboot anyway.

In D56381#1302386, @ziaee wrote:

ok, what if we separate the pkg update, and take the state after updating, but before upgrading, then we will actually know if the upgrade did anything. maybe because of this we can simplify the logic at the end a bit more.

I think pkg info | sha256 would work? If any packages are updated (or installed or removed) then that hash will change.

In D56381#1302390, @cperciva wrote:

In D56381#1302386, @ziaee wrote:

ok, what if we separate the pkg update, and take the state after updating, but before upgrading, then we will actually know if the upgrade did anything. maybe because of this we can simplify the logic at the end a bit more.

I think pkg info | sha256 would work? If any packages are updated (or installed or removed) then that hash will change.

I think it would work too, but I don't see why we wouldn't want to stat the mtime in between updating and upgrading instead. By my rough estimate, time(1) shows 0.08 real for the pkg info | sha256, but for stat -f %c /var/db/pkg/local.sqlite it shows 0.00 real, so, that's less electricity, right?

In D56381#1302566, @ziaee wrote:

In D56381#1302390, @cperciva wrote:

In D56381#1302386, @ziaee wrote:

ok, what if we separate the pkg update, and take the state after updating, but before upgrading, then we will actually know if the upgrade did anything. maybe because of this we can simplify the logic at the end a bit more.

I think pkg info | sha256 would work? If any packages are updated (or installed or removed) then that hash will change.

I think it would work too, but I don't see why we wouldn't want to stat the mtime in between updating and upgrading instead. By my rough estimate, time(1) shows 0.08 real for the pkg info | sha256, but for stat -f %c /var/db/pkg/local.sqlite it shows 0.00 real, so, that's less electricity, right?

Fair point, but I'm a little bit concerned about this being brittle -- /var/db/pkg/local.sqlite is not a public interface for pkg, so there's no guarantee that a future pkg won't (a) change that path, or (b) touch that file even if nothing has changed. I don't want to suddenly discover in FreeBSD 16.3 that VMs aren't rebooting after applying security updates because something changed in pkg.

In D56381#1302615, @cperciva wrote:

In D56381#1302566, @ziaee wrote:

In D56381#1302390, @cperciva wrote:

In D56381#1302386, @ziaee wrote:

ok, what if we separate the pkg update, and take the state after updating, but before upgrading, then we will actually know if the upgrade did anything. maybe because of this we can simplify the logic at the end a bit more.

I think pkg info | sha256 would work? If any packages are updated (or installed or removed) then that hash will change.

I think it would work too, but I don't see why we wouldn't want to stat the mtime in between updating and upgrading instead. By my rough estimate, time(1) shows 0.08 real for the pkg info | sha256, but for stat -f %c /var/db/pkg/local.sqlite it shows 0.00 real, so, that's less electricity, right?

Fair point, but I'm a little bit concerned about this being brittle -- /var/db/pkg/local.sqlite is not a public interface for pkg, so there's no guarantee that a future pkg won't (a) change that path, or (b) touch that file even if nothing has changed. I don't want to suddenly discover in FreeBSD 16.3 that VMs aren't rebooting after applying security updates because something changed in pkg.

that is a valid concern from @cperciva I don't think I will change anything in that area, but yes the content of /var/db/pkg is supposed to be opaque. (I know I am the one who recommended the mtime check in the first place).

In D56381#1302616, @bapt wrote:

In D56381#1302615, @cperciva wrote:

Fair point, but I'm a little bit concerned about this being brittle -- /var/db/pkg/local.sqlite is not a public interface for pkg, so there's no guarantee that a future pkg won't (a) change that path, or (b) touch that file even if nothing has changed. I don't want to suddenly discover in FreeBSD 16.3 that VMs aren't rebooting after applying security updates because something changed in pkg.

that is a valid concern from @cperciva I don't think I will change anything in that area, but yes the content of /var/db/pkg is supposed to be opaque. (I know I am the one who recommended the mtime check in the first place).

Yeah I'm not just concerned about deliberate changes in pkg itself either -- it's possible that sqlite's behaviour might change.