Runtime Updates

Trident supports runtime updates, which allow certain configuration changes to be applied to the servicing OS without requiring a full OS image update. Note that in the case of runtime updates, the servicing OS is the same as the target OS. Runtime updates are faster and less disruptive than A/B updates because they only modify specific components rather than provisioning an entire new root filesystem, and therefore do not require rebooting the host.

Runtime updates are triggered automatically by the update command when Trident detects that only runtime-updateable components have changed in the Host Configuration.

Supported Configurations

Runtime updates currently support the following configurations:

If any other part of the Host Configuration has changed, Trident will begin an A/B update instead of a runtime update.

How Runtime Updates Work

When you run trident update with a Host Configuration that only changes runtime-updateable components:

  1. Stage: Trident downloads any new sysext or confext images and validates them. Network configuration changes are prepared but not yet applied.

  2. Finalize: Trident activates the changes:

    • For sysexts and confexts, downloaded extension images from Stage are moved to their final location and Trident calls systemd-sysext refresh or systemd-confext refresh to merge the new extensions into the OS.
    • For network configuration, Trident applies the new Netplan settings.
  3. Health Checks: If health checks are configured in the Host Configuration, Trident runs them to verify that the update was successful. Ensure that health checks are configured to run on runtime updates by specifying runtime-update after runsOn.

Unlike A/B updates, runtime updates do not require a reboot. The changes take effect immediately on the OS.

Rollback Support

If an operation during Finalize produces an error or if a health check fails, an automatic rollback occurs, reverting the OS back to the state of the previous Host Configuration. The error or health check failure can be found with trident get last-error.

Separate Stage and Finalize

Runtime updates may be separated into stage and finalize operations using the --allowed-operations flag:

# Stage the update
sudo trident update config.yaml --allowed-operations stage

# Later, finalize the update
sudo trident update config.yaml --allowed-operations finalize

Separating stage from finalize allows you to handle the often more time-consuming download of extension images in advance. Then, you can quickly apply the update later by running only finalize.

Known Issues

Runtime updates of Netplan configuration are not compatible with root-verity, since Trident's implementation of root-verity mounts a read-only overlay over /etc.
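
The separate stage and finalize steps, the rollback error lookup and the root-verity caveat above can be combined in one wrapper. This is an added example, not part of Trident or its documentation. The function names, the TRIDENT and MOUNTS variables, the yes/no argument, the assumption that a failed `trident update` exits non-zero, and the use of an `ro` overlay entry for /etc in /proc/mounts to recognise the root-verity layout are all assumptions.

```shell
#!/bin/sh
# Added example: staged runtime update with a pre-flight check and error capture.
# Assumptions: TRIDENT/MOUNTS and all function names are illustrative, and a
# failed `trident update` is assumed to exit non-zero.
TRIDENT="${TRIDENT:-sudo trident}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# Returns 0 when the last mount on /etc is a read-only overlay (the root-verity
# layout described under Known Issues), 1 otherwise.
etc_is_ro_overlay() {
    awk '$2 == "/etc" { hit = ($3 == "overlay" && ("," $4 ",") ~ /,ro,/) }
         END { exit (hit ? 0 : 1) }' "$MOUNTS"
}

# stage_update CONFIG TOUCHES_NETPLAN(yes|no)
# Refuses before any download if the change includes Netplan settings and
# /etc is a read-only overlay; otherwise runs only the Stage operation.
stage_update() {
    if [ "$2" = "yes" ] && etc_is_ro_overlay; then
        echo "refusing: Netplan change requested but /etc is a read-only overlay" >&2
        return 2
    fi
    $TRIDENT update "$1" --allowed-operations stage
}

# finalize_update CONFIG
# Runs only the Finalize operation. On failure, prints the error Trident
# recorded so the cause is captured with the failed run.
finalize_update() {
    if $TRIDENT update "$1" --allowed-operations finalize; then
        return 0
    fi
    echo "finalize failed; last error reported by Trident:" >&2
    $TRIDENT get last-error >&2
    return 1
}

# Usage (e.g. stage ahead of a maintenance window, finalize inside it):
#   stage_update config.yaml no && finalize_update config.yaml
```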