(The question is general Linux, not NixOS-specific, but the use case is. Users of other Linuxes would say “we do not need that, and mark WONTFIX”)
You might known about nix-infect and nix-lustrate techniques. There are plenty of implementations of both, so I will not refer to particular implementations but the 2 techniques in general.
-
nix-infectuseskexecto run NixOS’skernelandinitrd, whereinitrdhas either installation script or ssh server which one could login, repartition/reencrypt disk and install full NixOS. -
nix-lustrateusesgrubto install NixOS’skernelandinitrdand after reboot we get almost the same.
Advantage ofnix-infectis if something went wrong (absent device driver oninitrd, wrong network setting), we won’t brick the server. We first getting working NixOS and then start changing data on disk.
Advantage ofnix-lustrateis we keep files from the previous OS and even can switch back to old OS.
For dealing with remote servers I prefer nix-infect as a “safer” choice, which won’t result in calling remote hands to reinstall.
The problem:
kexec works well when versions of old and new kernels are the same, or relatively close to each other.
But victim system might be CentOS with 3.0 or even 2.6 kernel.
The question:
is there a technique to allow kexec’ing such setups?
May be in multiple steps, upgrading kernel in small steps?
Or may be there is something relevant in rootkit/malware world?