Posted by dww on October 16, 2009 at 5:05pm
| Project: | Drupal core |
| Version: | 8.x-dev |
| Component: | update.module |
| Category: | task |
| Priority: | major |
| Assigned: | Unassigned |
| Status: | needs work |
| Issue tags: | Update manager |
Issue Summary
Update manager is now in core (#538660: Move update manager upgrade process into new authorize.php file (and make it actually work)), meaning end-users can upgrade missing updates (and install new code) via the web UI. Yay!
Unfortunately, making it able to upgrade Drupal core was just too complicated for the initial patch, and threatened to derail the entire effort getting into D7. Sadly, I think this is going to have to be punted to D8, but I'm opening an issue about it for discussion and so we have a stake in the ground for this effort in the future.
Comments
#1
Subscribing...
Being able to upgrade contrib modules is the biggest pain and we've take a huge leap forward already. Realistically I can live with pushing core upgrades to D8 if we need to since core doesn't have releases all that often, and drush will probably figure out how to do it in the meantime. :)
#2
Sounds pretty critical, that by default plugin manager can't upgrade its biggest use case?
#3
What precisely makes it complicated? I'm scanning the other issues in vain for a clue :(
#4
Right, sorry. Jacob and I started a conversation about this in IRC but neither finished, nor wrote up the partial results here. Here are some of the main tricky issues:
A) authorize.php runs in a reduced bootstrap, so broken contrib can't harm it, but it's still bootstrapping and running parts of core: (Form API, Batch API, system.module, user.module, maintenance theme system, language system, plus the FileTransfer and Updater classes). Updating those things via authorize.php while it's running is slightly scary and hard to get right.
B) We can't necessarily assume there's another directory higher up in the tree than the webroot, so we can't exactly move the current core out of the way, extract the new one in place, make sure it's working, and then switch over. Basically, recovery from a botched upgrade and rolling back is hard -- this is probably going to have to be destructive (simply overwrite your existing version with new files). If we auto-generate a backup of your existing files (our Archiver classes would need to support create, not just extract), and we write that to your webroot somewhere, we'd have to write it to your private/files folder to avoid the security risk of someone being able to download the thing, extracting your settings.php file and getting your DB credentials (not to mention all your files).
C) Related to (B), but slightly different -- although you're not supposed to hack core, people sometimes do. It's not clear how to detect these cases and what to do about it when we hit a locally modified file.
D) Since we can't just move your sites folder out of the way and then destroy everything else, it's not obvious what to do when core removes files between versions. It's easy to go through the extracted new version of core and move all those files into place, but what about the files that aren't in the extracted copy that were part of an earlier version of core? A few options we discussed:
E) It makes solving #606190: Fix handling of database schema updates in update manager workflow even more urgent. Even though schema updates from point releases of core are rare along a stable series, they can happen, and it's possible (though unlikely) that a schema change which changes some of the lower-level bootstrapping code might break authorize.php -- we update the code, but the schema hasn't changed, so now the code trying to generate the landing page to report about your update is broken with a fatal SQL error in one of the queries. :( We'd have to study how update.php handles this problem a little more closely, and then basically replicate that in authorize.php.
...
There are probably a lot of other smaller details, but this should already give people enough to chew on...
#5
I forgot to list option #4 for the removed files case:
D.4) Bake in some special-case mechanism in update manager to deal with this. We definitely can't add a system_update_N() that knows about this, since DB and code updates must remain completely separate (else we break the non-update manager case of people deploying sites for real with drush, aegir, etc). But, we could have some special file or other mechanism (TBD) that tells update manager that if it's upgrading core, it needs to remove certain files.
#6
FYI: #22336: Move all core Drupal files under a /core folder to improve usability and upgrades would simplify things quite a bit in here...
#7
I disagree about B). I think assuming that the webroot is not the only dir the client has is okay. Perhaps for people with only one directory - has anyone ever seen this? backups would fail.
C). I don't think we need to worry about core hackers, just let them know that they will lose any changes they made
D). As the jack-ass who brought this up and proposed / researched the patch solution, I like Derek's idea more: Don't worry about it. At least for now, it's unlikely to be a problem. If need be, we can update our core updater probably with a minor update if we realize it will cause a problem later. Not ideal, but possible.
E). Is actually a larger problem than specified because we want to run updates in a separate batch process, not as part of the file moving page load (generally). So we would have to bake it in separately into the process.
I actually think the only ways to do E) with absolute certainty is to redirect to update.php immediately after the upgrade, to make sure it is run immediately OR run the updates in the same page request as the core update (which is probably cool, but if an index changes on the node table or something, it might cause an execution timeout or something).
-J
#8
Run for your lives!
#9
Something to add here as a special consideration - preserving "special" files. I suspect many people modify the .htaccess file and some also robots.txt, so when the site is upgraded, such files will need to be somehow protected - one method could be to simply have an upgrade version of drupal that does not include such files...
#10
Okay, getting very close to a prototype here.
One problem we've got to solve though:
In update.manager.php around :425
foreach ($projects as $project => $url) {$project_location = $directory . '/' . $project;
This is kinda hacky to begin with, but when you DL drupal core, it unpacks into drupal-7.x-dev or whatever so it doesn't match up, unlike modules and themes. I'm thinking we should probably refactor this so that we are just grabbing the first directory out of our tarball and calling that the project directory. We then have to make sure we can track this throughout the project so we don't have to guess it based on the name of the thing we are updating later.
#11
@JacobSingh: Any more progress here? We're doing a Update manager code sprint today and it'd be really nice to be able to get this issue fixed. Can you post your work-in-progress prototype at least? Thanks!
#12
Hey Derek,
Sorry I'm getting this so late. I've got a million kids running around the house, work is just not going to happen.
Here is a patch I sent to someone who was having issues with copy-contents vs copy directory. The upgrade core patch also addresses this, so I thought it might solve his problem. I haven't messed with this at all in over 2 weeks, so it might not even apply, but much of the useful bits will.
Last time I ran it, it worked, although warning: you may blitz your install.
Best,
Jacob
#13
Sub.
#14
me too
#15
#16
The last submitted patch, upgrade_core-606592-42.patch, failed testing.
#17
Strange idea that might make "upgrade core" easier...
There is always an upgrade patch that fixes security holes, but does not include "additional bug fixes" -- what if we supported that kind of an upgrade using some sort of code that is capable of applying a patch to core files?
From the drupal.org announcement to upgrade: "To fix the security problem, you can either (1) upgrade Drupal or (2) patch Drupal. We strongly recommend you do a full upgrade (which is also detailed in the security announcement) as the patches do not contain the additional bug fixes that went into the releases. Applying the patches will leave your site in an unversioned state and confuse the update status module, which will keep reminding you to upgrade to 6.16 or 5.22. Please read the announcement for details on the patch."
Just a thought?
Also, #22336: Move all core Drupal files under a /core folder to improve usability and upgrades seems like it will be D8 and would make this much easier (as dww originally pointed out).
Josh
#18
After talking to webchick moving this to Drupal 8, simply to much work left to be done
#19
Downgrading all D8 criticals to major per http://drupal.org/node/45111
#20
1. I don't think this needs to wait until http://drupal.org/node/22336 is fixed. It's just an excuse, and this could be fixed w/out that.
2. Subscribe
3. I think simply extracting Archive.tar.gz/drupal-7.0 -> DRUPAL_ROOT would be perfectly fine.
4. I think we should make sure all files are is_writable before extracting the archive.
5. I'm unassinging this, as I don't think Jacob Singh is going to do any work on this issue.
But that's just my opinion.
#21
#22
Subscribing.
#23
Bump...
#24
Uploading a partial patch for this.
#25
This one is more improved.
#26
Excellent, thanks for getting this patch started!
A) There are some code style bugs, especially in the CoreUpdater class.
B) There's no sense keeping all the "manual" updates plumbing if there's no longer anything that needs manual updating. ;)
C) This shouldn't be here:
- $archive_errors = update_manager_archive_verify($project, $local_cache, $extract_directory);+ $archive_errors = array(); //update_manager_archive_verify($project, $local_cache, $extract_directory);
We still want to verify the archive if we're upgrading core.
Also, this patch doesn't address any of the points I raised in comment #4...
Anyway, this is a totally legit start, but "needs work" is definitely the appropriate status here.
Thanks!
-Derek
#27
Subscribe! Drupal 8 needs this!
#28
+ $archive_errors = array(); //update_manager_archive_verify($project, $local_cache, $extract_directory);
Yes, that was kind of a hack (update_manager_archive_verify() was saying that it didn't have a .info file in it).
I'll try to work on this more today.
#29
#30
Sub
#31
A) authorize.php runs in a reduced bootstrap, so broken contrib can't harm it, but it's still bootstrapping and running parts of core: (Form API, Batch API, system.module, user.module, maintenance theme system, language system, plus the FileTransfer and Updater classes). Updating those things via authorize.php while it's running is slightly scary and hard to get right.
We could do this:
1. Copy all system modules to a tmp backup dir. Verify integrity of ea. copied module immediately after it is copied.
2. Exit and go to the next iteration of the batch.
3. Copy all includes to a tmp backup dir. Verify integrity of ea. copied include immediately after it is copied.
4. Exit and go to the next iteration of the batch.
5. Copy the new authorize.php, then copy modules and includes from archive location into place. Copy the ones that authorize.php uses first. Verify integrity of ea. copied file/module after it is copied. If we run out of time, authorize.php will be able to run on the next iteration of the batch.
6. Copy the rest of the files.
The idea is this: if something fails, authorize.php will still be able to run and revert changes/ finish the job/ etc. Since we're upgrading core, if anything goes wrong, we should abort immediately. We may also calculate beforehand (maybe in step 3) if the server is fast enough to copy the files required by authorize.php before the script times out.
#32
In fact, we could use get_included_files();, then copy those files from the archive first.
#33
Here is a little further.... I still can't seem to get drupal to pick up CoreUpdater.
#34
+++ b/modules/system/system.updater.incundefined@@ -144,3 +144,55 @@ class ThemeUpdater extends Updater implements DrupalUpdaterInterface {
+ public function getInstallDirectory() {
+
+ return DRUPAL_ROOT;
you can leave out these blank lines, they are not needed.
There are a couple of them in the code
Powered by Dreditor.
#35
It would be lovely to have - I haven't used Wordpress' version to update their core but the plugin updater works well.
The only concern I would have would be that it should definitely save the current files to a /tmp directory before an update.