New updater: Planning #2
Description
Since I am super annoyed by the fact that the old web updater is broken all the time, @MorrisJobke and me sat together and came up with this proposal on what a new updater app should do.
Basically I do believe it's a quick task to get something more reliable than the forked updater and we can easily do that as independent small PHP script. – I'll see what I can work together, since the updater we ship now is anyways inherently broken we need something fixed anyways. I have lost complete trust in the updater app and want something small that does LESS magic but that MORE reliable.
@schiessle @karlitschek Any more input on below thoughts?
Update procedure
Use case: Replaces all Nextcloud files with the new ones. It doesn't perform the Nextcloud migration steps or so. The goal is to have a minimal viable product that "just works and doesn't eat data", we can add improvements on top of that later. The steps are divided in different AJAX requests so that we don't run into timeouts. (Don't is such an hard word. I guess there are still possibilities, but less.)
Step 1: Verify that the folder does not contain some custom subfolders or files. If so: Bail out.
Step 1a: Check write permissions on all folders. If not there: Bail out.
Step 2: Set nextcloud into maintenance mode
Step 3: Copy all folders (except data) into "data/updater-$instanceid/backups/nextcloud-X-Y-Z/
Step 4: Download nextcloud folder to $DATADIR/updater-$instanceid/downloads/nextcloud-$versionnumber
Step 5: Extract Nextcloud in the downloads folder and verify integrity of download. If integrity check fails: Bail out.
Step 6: Grep over core/shipped.json and remove all apps that are shipped from the apps folder
Step 7: Overwrite an "index.php", "public.php" and "ocs/v1.php" that just serve a 503 and show an "Update in progress warning"
Step 8: Delete all files except:
- the files of step 7 (to serve 503 on all endpoints - they are overwritten anyways)
- data/
- config/ (except config/config.sample.php)
- non-shipped themes (default & example to be deleted)
- non-shipped apps (see shipped.json for folder to be deleted)
- updater/index.php (and the CSS, JS files that the updater needs ?!?)
Step 9: Move downloaded nextcloud folder into the web root, except updater
Step 10: Replace updater.php PHP file that does the updating steps
Step 11: Disable maintenance mode
Step 12: Goto /.. to trigger web updater
After every step the current step gets written to "data/updater-$instanceid/.update-step" so that if the connection fails by the user the step can be resumed.
Restore procedure ("Aka undo upgrade")
Use case: If an update fails in one of the 11 steps mentioned before it should be possible to get back to a state before the update. This doesn't catch cases where the Nextcloud migration steps fail. The steps are divided in different AJAX requests so that we don't run into timeouts.
Step 1: Verify that the folder does not contain some custom subfolders or files. If so: Bail out.
Step 1a: Check write permissions on all folders. If not there: Bail out.
Step 2: Set nextcloud into maintenance mode
Step 3: Create an "index.php", "public.php" and "ocs/v1.php" that just serve a 503 and show an "Update in progress warning"
Step 4: Remove all except data and config
Step 5: Copy back $DATADIR/updater-$instanceid/backups/nextcloud-X-Y-Z/ (automatically detect latest) to the web root
Step 6: Replace updater.php PHP file that does the updating steps
Step 7: Disable maintenance mode
Remarks
- REALLY ESSENTIAL: During testing: kill the connection in every step ...the upgrade then needs to resume fine if the user comes back
- Updater screen is only accessible for properly authenticated admins (see the magic Lukas implemented in oC for that - Harden updater authentication owncloud/core#22276)
Future improvements (to be filed as different tickets later)
- manual changes to .htaccess/.user.ini: either show the user the backup and the current new version or try to put as many as possible in the database/config file