I just wanted to chime in here and thank you all for the great ideas. I bought a Sophos SG-135r1 off eBay about six months ago, under $100 shipped, and I was psyched to get started. Then I read: "On x86 machines, on the other hand, upgrading is more complex than the first installation." Yay.
Knowing I wanted to have larger than normal A/B partitions (or I guess technically 2/3 partitions) from the beginning, I bought a fresh SSD, used the dd method to copy 21.02.2 to the drive, and expanded the root partition/filesystem to 512MB+/-. I created a second root 512MB+/- partition, dd'd the contents of sda2 -> sda3, and updated the filesystem GUID. That was about all I had the stomach for, but I wanted to get this unit in place to support other network upgrades I had in progress, hoping I had planned enough that I didn't need to redo everything when I wanted to upgrade next.
I learned some about Image Builder, and it seemed a little too abstract at the time. I support about a half-dozen 'dumb APs' in my network, a mix of mostly TP-Link Archer A7, CPE210, and a few others. I'm running a mix of fast roaming and mesh, which requires the non-base version of wpad, and upgrading is a bear of flashing, SSHing in, replacing wpad, installing a few other packages, etc. I learned how to run Image Builder as a Docker image on the Sophos, and roll my own images with all the packages I need out of the gate.
Fast forward to upgrading this time around, and at a high level this was my process:
create a backup file using sysupgrade (I save it to the /dev/sda4 partition I mount to /opt)
using Image Builder: to get both a kernel and a rootfs.tar.gz you need to compile twice, once with CONFIG_TARGET_ROOTFS_PARTSIZE=512 (or large enough for all your packages) in the .config file, and then once with CONFIG_TARGET_ROOTFS_PARTSIZE=104 (the default, but smaller than it can actually build an image file); this will leave the .tar.gz in the directory when it fails. This saves the effort of extracting the rootfs from the image.
I've got a few helper scripts I'm still working on, but I do things like create a /.sda2 or /.sda3 file to help me keep track of which partition is mounted as root (since OpenWrt does remount trickery and shows stuff like /dev/root on / type ext4 (rw,noatime) in mount, so you can't really tell otherwise). The gist of the root filesystem upgrade is (assuming you're running on /dev/sda2):
mount /dev/sda3 /mnt/sda3
cd /mnt/sda3
rm -rf *
tar -zxvf /opt/imagebuilder/bin/openwrt-imagebuilder-22.03.2-x86-64.Linux-x86_64/openwrt-22.03.2-x86-64-generic-rootfs.tar.gz
cp /opt/imagebuilder/bin/openwrt-imagebuilder-22.03.2-x86-64.Linux-x86_64/bin/targets/x86/64/openwrt-22.03.2-x86-64-generic-kernel.bin /boot
(you might need to remove a third kernel as you can only really support three with the default /boot volume size)
vi /boot/grub/grub.cfg
Duplicate the menuentry lines; I generally make them read like:
menuentry "OpenWrt sda3" {
linux /boot/openwrt-22.03.2-x86-64-generic-kernel.bin root=PARTUUID=4ce52bd8-aafd-4253-9e39-38f47211cfa1 rootwait cons
}
menuentry "OpenWrt sda3 (failsafe)" {
linux /boot/openwrt-22.03.2-x86-64-generic-kernel.bin failsafe=true root=PARTUUID=4ce52bd8-aafd-4253-9e39-38f47211cfa1 r
}
Change the default line to match (set default="2") and hope for the best? Personally I put a USB to serial adapter in the Archer A7 sitting next to the Sophos device and used a (Cisco?) console cable to get a grub console (via screen of all things). I generally leave the default to the known working config, hand boot up by selecting the new menu option in the serial console via screen, and if it works, edit the default entry in grub.cfg.
If it boots up fine I restore the backup.
An anomaly I've found: If you change the partition GUID, which I did, but I'm not sure it's necessary, it will not properly mount the /boot partition (like at all). This is generally a simple:
mkdir /boot
mount /dev/sda1 /boot
mount --bind /boot/boot /boot
I wrote a helper script that does this, and a few other things like determine which root partition is currently mounted, and mounts the other partition to /mnt/sda2, for example.
Hopefully some or all of this makes sense, and helps the next person thinking, "wow upgrading x86_64 is too hard" because it is a lot. I'd love to see some of these concepts integrated, somehow.
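
An added example, not the poster's helper script: since mount only shows /dev/root, the root=PARTUUID= argument that grub.cfg passes to the kernel can be read back to decide which of the two root slots is live, so the rm -rf and untar step only ever targets the other one. The function names, the "device PARTUUID" table format and the sample values are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: identify the live A/B root slot from the kernel command line
# and name the other slot as the only one that may be wiped.

# Constructed sample inputs (not from a real device). On the router the first
# would be the contents of /proc/cmdline; the second is an assumed
# "device PARTUUID" listing, one partition per line.
SAMPLE_CMDLINE='root=PARTUUID=0a1b2c3d-0000-4000-8000-000000000002 rootwait'
SAMPLE_TABLE='/dev/sda2 0a1b2c3d-0000-4000-8000-000000000002
/dev/sda3 0A1B2C3D-0000-4000-8000-000000000003'

# Print the PARTUUID from the root= argument, lower-cased. Runs in a subshell
# so that disabling globbing for the word split does not leak to the caller.
root_partuuid() (
    set -f
    for arg in $1; do
        case "$arg" in
            root=PARTUUID=*)
                printf '%s\n' "${arg#root=PARTUUID=}" | tr 'A-Z' 'a-z'
                exit 0 ;;
        esac
    done
    exit 1
)

# Print the device whose PARTUUID (case-insensitive) matches $1 in table $2.
device_for() {
    printf '%s\n' "$2" | awk -v want="$1" \
        'tolower($2) == want { print $1; found = 1; exit } END { exit !found }'
}

# Print the slot that is NOT the live root. Fails closed when the live root
# cannot be tied to one of the two slots, so nothing is wiped on a guess.
inactive_slot() {   # args: cmdline table slot_a slot_b
    uuid=$(root_partuuid "$1") || { echo "no root=PARTUUID= found" >&2; return 1; }
    live=$(device_for "$uuid" "$2") || { echo "$uuid not in table" >&2; return 1; }
    case "$live" in
        "$3") printf '%s\n' "$4" ;;
        "$4") printf '%s\n' "$3" ;;
        *) echo "live root $live is neither $3 nor $4" >&2; return 1 ;;
    esac
}

# Demo on the constructed sample: the system booted from sda2.
echo "safe to overwrite: $(inactive_slot "$SAMPLE_CMDLINE" "$SAMPLE_TABLE" /dev/sda2 /dev/sda3)"
```

On a real device, pass "$(cat /proc/cmdline)" as the first argument and stop if the function returns non-zero rather than falling back to a default slot.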