From db1c94114650b797c695a1859f5a07a710ab83ba Mon Sep 17 00:00:00 2001 From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Tue, 27 Sep 2022 15:15:39 -0700 Subject: [PATCH 01/38] Set overridable userid's at build time --- Makefile | 33 +++++++++- aziotctl/.cargo/config.toml | 5 ++ aziotctl/src/config/apply.rs | 10 +-- .../src/internal/check/checks/cert_expiry.rs | 6 +- .../internal/check/checks/certs_preloaded.rs | 2 +- .../internal/check/checks/read_key_pairs.rs | 2 +- cert/aziot-certd/aziot-certd.service.in | 2 +- ...iot-certd.socket => aziot-certd.socket.in} | 4 +- contrib/debian/postinst | 16 ++--- contrib/debian/postrm | 16 ++--- contrib/debian/preinst | 40 ++++++------ .../aziot-identity-service.spec.in | 64 +++++++++---------- .../aziot-identityd.service.in | 2 +- ...tityd.socket => aziot-identityd.socket.in} | 4 +- key/aziot-keyd/aziot-keyd.service.in | 2 +- ...aziot-keyd.socket => aziot-keyd.socket.in} | 4 +- tpm/aziot-tpmd/aziot-tpmd.service.in | 2 +- ...aziot-tpmd.socket => aziot-tpmd.socket.in} | 4 +- 18 files changed, 127 insertions(+), 91 deletions(-) create mode 100644 aziotctl/.cargo/config.toml rename cert/aziot-certd/{aziot-certd.socket => aziot-certd.socket.in} (79%) rename identity/aziot-identityd/{aziot-identityd.socket => aziot-identityd.socket.in} (79%) rename key/aziot-keyd/{aziot-keyd.socket => aziot-keyd.socket.in} (78%) rename tpm/aziot-tpmd/{aziot-tpmd.socket => aziot-tpmd.socket.in} (77%) diff --git a/Makefile b/Makefile index 6d9166166..f452b101a 100644 --- a/Makefile +++ b/Makefile @@ -2,6 +2,12 @@ BINDGEN = bindgen CBINDGEN = cbindgen +# Default users under which the services will run. Override by specifying on the CLI for make. +USER_AZIOTID ?= aziotid +USER_AZIOTCS ?= aziotcs +USER_AZIOTKS ?= aziotks +USER_AZIOTTPM ?= aziottpm + # 0 => false, _ => true V = 0 
@@ -56,7 +62,11 @@ CARGO_OUTPUT_ABSPATH = $(abspath ./target/$(CARGO_TARGET)/$(CARGO_PROFILE_DIRECT VENDOR_PREFIX = $(CARGO_OUTPUT_ABSPATH)/fakeroot VENDOR_PKGCONFIG = $(VENDOR_PREFIX)$(AZIOT_PRIVATE_LIBRARIES)/pkgconfig -CARGO = VENDOR_PREFIX="$(VENDOR_PREFIX)" VENDOR_PKGCONFIG="$(VENDOR_PKGCONFIG)" cargo +CARGO = VENDOR_PREFIX="$(VENDOR_PREFIX)" VENDOR_PKGCONFIG="$(VENDOR_PKGCONFIG)" \ + USER_AZIOTID="$(USER_AZIOTID)" \ + USER_AZIOTCS="$(USER_AZIOTCS)" \ + USER_AZIOTKS="$(USER_AZIOTKS)" \ + USER_AZIOTTPM="$(USER_AZIOTTPM)" cargo # Some of the targets use bash-isms like `set -o pipefail` SHELL = /bin/bash @@ -309,6 +319,9 @@ deb: dist # Copy package files cp -R contrib/debian /tmp/aziot-identity-service-$(PACKAGE_VERSION)/ sed -i -e 's/@version@/$(PACKAGE_VERSION)/g; s/@release@/$(PACKAGE_RELEASE)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/changelog + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postinst + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/preinst # Build package # Note: This builds the `default` target before the normal Debian packaging (instead 
@@ -366,6 +379,10 @@ rpm: -e "s|@devtoolset@|$$DEVTOOLSET|g" \ -e "s|@llvm_toolset@|$$LLVM_TOOLSET|g" \ -e "s|@openssl_engine_filename@|$$OPENSSL_ENGINE_FILENAME|g" \ + -e "s/@user_aziotid@/$(USER_AZIOTID)/g" \ + -e "s/@user_aziotks@/$(USER_AZIOTKS)/g" \ + -e "s/@user_aziotcs@/$(USER_AZIOTCS)/g" \ + -e "s/@user_aziottpm@/$(USER_AZIOTTPM)/g" \ >$(RPMBUILDDIR)/SPECS/aziot-identity-service.spec # Copy preset file to be included in the package @@ -464,15 +481,27 @@ install-common: $(INSTALL) -d -m 0700 $(DESTDIR)$(localstatedir)/lib/aziot/tpmd # Systemd services and sockets + $(INSTALL) -d $(DESTDIR)$(unitdir) # NOTE: We do not use "install -D ... -t ..." since it is broken on # RHEL 7 derivatives and will not be fixed. # Ref: https://bugzilla.redhat.com/show_bug.cgi?format=multiple&id=1758488 for i in cert identity key tpm; do \ + OUTPUT_SOCKET="$(DESTDIR)$(unitdir)/aziot-$${i}d.socket"; \ + <"$$i/aziot-$${i}d/aziot-$${i}d.socket.in" sed \ + -e 's|@user_aziotid@|$(USER_AZIOTID)|' \ + -e 's|@user_aziotks@|$(USER_AZIOTKS)|' \ + -e 's|@user_aziotcs@|$(USER_AZIOTCS)|' \ + -e 's|@user_aziottpm@|$(USER_AZIOTTPM)|' \ + >"$$OUTPUT_SOCKET"; \ + chmod 0644 "$$OUTPUT_SOCKET"; \ OUTPUT_SERVICE="$(DESTDIR)$(unitdir)/aziot-$${i}d.service"; \ - $(INSTALL_DATA) -D "$$i/aziot-$${i}d/aziot-$${i}d.socket" "$(DESTDIR)$(unitdir)/aziot-$${i}d.socket"; \ <"$$i/aziot-$${i}d/aziot-$${i}d.service.in" sed \ -e 's|@private-libs@|$(AZIOT_PRIVATE_LIBRARIES)|' \ -e 's|@libexecdir@|$(libexecdir)|' \ + -e 's|@user_aziotid@|$(USER_AZIOTID)|' \ + -e 's|@user_aziotks@|$(USER_AZIOTKS)|' \ + -e 's|@user_aziotcs@|$(USER_AZIOTCS)|' \ + -e 's|@user_aziottpm@|$(USER_AZIOTTPM)|' \ >"$$OUTPUT_SERVICE"; \ chmod 0644 "$$OUTPUT_SERVICE"; \ done diff --git a/aziotctl/.cargo/config.toml b/aziotctl/.cargo/config.toml new file mode 100644 index 000000000..756099ca3 --- /dev/null +++ b/aziotctl/.cargo/config.toml 
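Review bot: The four `@user_*@` substitutions are now spelled out separately in the deb rule, the rpm rule and twice in this install-common loop, with `/` delimiters and a `g` flag in the deb/rpm copies but `|` delimiters and no `g` here, so a fifth service user would have to be added in five places and the copies will drift. A single make variable, e.g. `USER_SED_EXPRS = -e 's|@user_aziotid@|$(USER_AZIOTID)|g' -e 's|@user_aziotks@|$(USER_AZIOTKS)|g' -e 's|@user_aziotcs@|$(USER_AZIOTCS)|g' -e 's|@user_aziottpm@|$(USER_AZIOTTPM)|g'`, referenced from each sed would keep one definition. The `|` form used here is also the safer one, since a `/` in an overridden user name would break the deb and rpm expressions. A final `grep -q '@user_' "$$OUTPUT_SOCKET" "$$OUTPUT_SERVICE" && exit 1` in the loop would catch a placeholder that was never substituted before it ships in a unit file.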
@@ -0,0 +1,5 @@
+[env]
+USER_AZIOTID = "aziotid"
+USER_AZIOTKS = "aziotks"
+USER_AZIOTCS = "aziotcs"
+USER_AZIOTTPM = "aziottpm"
diff --git a/aziotctl/src/config/apply.rs b/aziotctl/src/config/apply.rs
index 5b3a25324..85e039579 100644
--- a/aziotctl/src/config/apply.rs
+++ b/aziotctl/src/config/apply.rs
@@ -37,10 +37,12 @@ pub(crate) fn run(options: Options) -> anyhow::Result<()> {
 // So when running as root, get the four users appropriately.
 // Otherwise, if this is a debug build, fall back to using the current user.
 // Otherwise, tell the user to re-run as root.
- let aziotks_user = crate::internal::common::get_system_user("aziotks")?;
- let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
- let aziotid_user = crate::internal::common::get_system_user("aziotid")?;
- let aziottpm_user = crate::internal::common::get_system_user("aziottpm")?;
+ // When run in a snap expect the four users to be prefixed with `snap_`.
+
+ let aziotks_user = crate::internal::common::get_system_user(env!("USER_AZIOTKS"))?;
+ let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
+ let aziotid_user = crate::internal::common::get_system_user(env!("USER_AZIOTID"))?;
+ let aziottpm_user = crate::internal::common::get_system_user(env!("USER_AZIOTTPM"))?;
 
 let common_config::apply::RunOutput {
 keyd_config,
diff --git a/aziotctl/src/internal/check/checks/cert_expiry.rs b/aziotctl/src/internal/check/checks/cert_expiry.rs
index eb4095758..241252acb 100644
--- a/aziotctl/src/internal/check/checks/cert_expiry.rs
+++ b/aziotctl/src/internal/check/checks/cert_expiry.rs
@@ -47,7 +47,7 @@ impl IdentityCert {
 ) -> Result {
 use aziot_identityd_config::{DpsAttestationMethod, ManualAuthMethod, ProvisioningType};
 
- let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?;
+ let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?;
 
 let provisioning = &unwrap_or_skip!(&cache.cfg.identityd)
 .provisioning
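Review bot: The new comment saying that in a snap the four users are expected to carry a snap_ prefix does not match what this series actually does — snap/snapcraft.yaml in PATCH 03/38 builds with `USER_AZIOTID=root USER_AZIOTCS=root USER_AZIOTKS=root USER_AZIOTTPM=root`, so nothing is prefixed; either drop that sentence or say that the names are fixed at compile time from the `USER_AZIOT*` build environment, and remove the blank line that now separates the comment from the `let` block it describes. Because `env!` is a compile error when the variable is unset, and cargo only discovers `aziotctl/.cargo/config.toml` from the current directory and its parents, a plain `cargo build` or `cargo clippy` from the workspace root without the Makefile wrapper will no longer compile. `let aziotks_user = crate::internal::common::get_system_user(option_env!("USER_AZIOTKS").unwrap_or("aziotks"))?;` keeps the previous default while still honouring the override. The same applies to the `env!` calls added in cert_expiry.rs, certs_preloaded.rs and read_key_pairs.rs.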
@@ -123,7 +123,7 @@ impl EstIdentityBootstrapCerts { ) -> Result { let certd_config = unwrap_or_skip!(&cache.cfg.certd); - let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?; + let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?; let certs = certd_config .cert_issuance @@ -226,7 +226,7 @@ impl LocalCaCert { None => return Ok(CheckResult::Ignored), }; - let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?; + let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?; let (res, cert_info) = validate_cert(certd_config, cert_id, "Local CA", &aziotcs_user).await?; diff --git a/aziotctl/src/internal/check/checks/certs_preloaded.rs b/aziotctl/src/internal/check/checks/certs_preloaded.rs index 9a4653acd..33a0a809a 100644 --- a/aziotctl/src/internal/check/checks/certs_preloaded.rs +++ b/aziotctl/src/internal/check/checks/certs_preloaded.rs @@ -45,7 +45,7 @@ impl CertsPreloaded { let mut visited: BTreeMap<_, _> = Default::default(); - let aziotcs_user = crate::internal::common::get_system_user("aziotcs")?; + let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?; for id in preloaded_certs.keys() { match walk_preloaded_certs(id, preloaded_certs, &aziotcs_user, &mut visited).await? { diff --git a/aziotctl/src/internal/check/checks/read_key_pairs.rs b/aziotctl/src/internal/check/checks/read_key_pairs.rs index 1c34c3b7f..c1d96b99e 100644 --- a/aziotctl/src/internal/check/checks/read_key_pairs.rs +++ b/aziotctl/src/internal/check/checks/read_key_pairs.rs 
@@ -63,7 +63,7 @@ impl ReadKeyPairs { let mut warn_aggregated = vec![]; // Check every preloaded key at a file:// URI is readable by the aziotks user and report errors when they aren't. - let aziotks_user = crate::internal::common::get_system_user("aziotks")?; + let aziotks_user = crate::internal::common::get_system_user(env!("USER_AZIOTKS"))?; for (id, path) in preloaded_keys { if let Ok(aziot_keys_common::PreloadedKeyLocation::Filesystem { path }) = path.parse() { diff --git a/cert/aziot-certd/aziot-certd.service.in b/cert/aziot-certd/aziot-certd.service.in index ea5705e83..e33aa9bf8 100644 --- a/cert/aziot-certd/aziot-certd.service.in +++ b/cert/aziot-certd/aziot-certd.service.in @@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-certd KillMode=process Restart=on-failure RestartSec=5s -User=aziotcs +User=@user_aziotcs@ [Install] WantedBy=multi-user.target diff --git a/cert/aziot-certd/aziot-certd.socket b/cert/aziot-certd/aziot-certd.socket.in similarity index 79% rename from cert/aziot-certd/aziot-certd.socket rename to cert/aziot-certd/aziot-certd.socket.in index 86a763b21..55157abc1 100644 --- a/cert/aziot-certd/aziot-certd.socket +++ b/cert/aziot-certd/aziot-certd.socket.in @@ -6,8 +6,8 @@ PartOf=aziot-certd.service ListenStream=/run/aziot/certd.sock SocketMode=0660 DirectoryMode=0755 -SocketUser=aziotcs -SocketGroup=aziotcs +SocketUser=@user_aziotcs@ +SocketGroup=@user_aziotcs@ [Install] WantedBy=sockets.target diff --git a/contrib/debian/postinst b/contrib/debian/postinst index 5fb306053..c65123b21 100755 --- a/contrib/debian/postinst +++ b/contrib/debian/postinst 
@@ -20,10 +20,10 @@ set -e case "$1" in configure) - chown aziotcs:aziotcs /etc/aziot/certd/config.toml.default - chown aziotid:aziotid /etc/aziot/identityd/config.toml.default - chown aziotks:aziotks /etc/aziot/keyd/config.toml.default - chown aziottpm:aziottpm /etc/aziot/tpmd/config.toml.default + chown @user_aziotcs@:@user_aziotcs@ /etc/aziot/certd/config.toml.default + chown @user_aziotid@:@user_aziotid@ /etc/aziot/identityd/config.toml.default + chown @user_aziotks@:@user_aziotks@ /etc/aziot/keyd/config.toml.default + chown @user_aziottpm@:@user_aziottpm@ /etc/aziot/tpmd/config.toml.default chown root:root /etc/aziot/config.toml.template for f in \ /etc/aziot/certd/config.toml.default \ @@ -36,16 +36,16 @@ case "$1" in chmod 0600 /etc/aziot/config.toml.template if [ -d /var/lib/aziot/certd ]; then - chown aziotcs:aziotcs /var/lib/aziot/certd + chown @user_aziotcs@:@user_aziotcs@ /var/lib/aziot/certd fi if [ -d /var/lib/aziot/identityd ]; then - chown aziotid:aziotid /var/lib/aziot/identityd + chown @user_aziotid@:@user_aziotid@ /var/lib/aziot/identityd fi if [ -d /var/lib/aziot/keyd ]; then - chown aziotks:aziotks /var/lib/aziot/keyd + chown @user_aziotks@:@user_aziotks@ /var/lib/aziot/keyd fi if [ -d /var/lib/aziot/tpmd ]; then - chown aziottpm:aziottpm /var/lib/aziot/tpmd + chown @user_aziottpm@:@user_aziottpm@ /var/lib/aziot/tpmd fi for d in \ diff --git a/contrib/debian/postrm b/contrib/debian/postrm index 5f24a76bf..b69dbb633 100755 --- a/contrib/debian/postrm +++ b/contrib/debian/postrm 
@@ -23,10 +23,10 @@ case "$1" in
 systemctl daemon-reload
 
 # Kill all processes running under aziot-identity-service users.
- killall -SIGKILL -u aziotid || true
- killall -SIGKILL -u aziotcs || true
- killall -SIGKILL -u aziotks || true
- killall -SIGKILL -u aziottpm || true
+ [ "@user_aziotid@" != "root" ] && killall -SIGKILL -u @user_aziotid@ || true
+ [ "@user_aziotcs@" != "root" ] && killall -SIGKILL -u @user_aziotcs@ || true
+ [ "@user_aziotks@" != "root" ] && killall -SIGKILL -u @user_aziotks@ || true
+ [ "@user_aziottpm@" != "root" ] && killall -SIGKILL -u @user_aziottpm@ || true
 
 # Delete directories used by aziot-identity-service.
 rm -rf /etc/aziot
@@ -34,10 +34,10 @@ case "$1" in
 rm -rf /var/lib/aziot
 
 # Delete aziot-identity-service users.
- /usr/sbin/userdel aziotid
- /usr/sbin/userdel aziotcs
- /usr/sbin/userdel aziotks
- /usr/sbin/userdel aziottpm
+ [ "@user_aziotid@" != "root" ] && /usr/sbin/userdel @user_aziotid@
+ [ "@user_aziotcs@" != "root" ] && /usr/sbin/userdel @user_aziotcs@
+ [ "@user_aziotks@" != "root" ] && /usr/sbin/userdel @user_aziotks@
+ [ "@user_aziottpm@" != "root" ] && /usr/sbin/userdel @user_aziottpm@
 ;;
 remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
 ;;
diff --git a/contrib/debian/preinst b/contrib/debian/preinst
index 3f3ce6a1c..0ebf7ca12 100755
--- a/contrib/debian/preinst
+++ b/contrib/debian/preinst
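Review bot: The `!= "root"` guard added to the `killall -SIGKILL -u` and `/usr/sbin/userdel` lines only protects root; the build-time override is a free-form make variable, so if it is ever pointed at any other pre-existing account, purge will SIGKILL every process of that account and then delete it. A check that the account is one preinst created, e.g. `[ "$(getent passwd @user_aziotid@ | cut -d: -f6)" = /var/lib/aziot/identityd ] && /usr/sbin/userdel @user_aziotid@`, limits deletion to the packaged service users (preinst sets exactly these home directories); the other three lines would use their matching `/var/lib/aziot/*` paths. The `userdel` lines, unlike the `killall` ones, still have no `|| true`, so if this script runs under `set -e` like postinst a failing `userdel` aborts the purge — pre-existing, but worth aligning while the lines are being rewritten.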
@@ -18,39 +18,39 @@ case "$1" in # For each of CS, IS, KS: create group, create user, create home directory (in case user already exists from a previous install # but the user deleted the directory manually) - if ! /usr/bin/getent group aziotks >/dev/null; then - /usr/sbin/groupadd -r aziotks + if ! /usr/bin/getent group @user_aziotks@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziotks@ fi - if ! /usr/bin/getent passwd aziotks >/dev/null; then - /usr/sbin/useradd -r -g aziotks -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd aziotks + if ! /usr/bin/getent passwd @user_aziotks@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziotks@ -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd @user_aziotks@ fi mkdir -p /var/lib/aziot/keyd - if ! /usr/bin/getent group aziottpm >/dev/null; then - /usr/sbin/groupadd -r aziottpm + if ! /usr/bin/getent group @user_aziottpm@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziottpm@ fi - if ! /usr/bin/getent passwd aziottpm >/dev/null; then - /usr/sbin/useradd -r -g aziottpm -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd aziottpm + if ! /usr/bin/getent passwd @user_aziottpm@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziottpm@ -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd @user_aziottpm@ fi mkdir -p /var/lib/aziot/tpmd - if ! /usr/bin/getent group aziotcs >/dev/null; then - /usr/sbin/groupadd -r aziotcs + if ! /usr/bin/getent group @user_aziotcs@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziotcs@ fi - if ! /usr/bin/getent passwd aziotcs >/dev/null; then - /usr/sbin/useradd -r -g aziotcs -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd aziotcs - /usr/sbin/usermod -aG aziotks aziotcs + if ! /usr/bin/getent passwd @user_aziotcs@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziotcs@ -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd @user_aziotcs@ + /usr/sbin/usermod -aG @user_aziotks@ @user_aziotcs@ fi mkdir -p /var/lib/aziot/certd - if ! 
/usr/bin/getent group aziotid >/dev/null; then - /usr/sbin/groupadd -r aziotid + if ! /usr/bin/getent group @user_aziotid@ >/dev/null; then + /usr/sbin/groupadd -r @user_aziotid@ fi - if ! /usr/bin/getent passwd aziotid >/dev/null; then - /usr/sbin/useradd -r -g aziotid -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd aziotid - /usr/sbin/usermod -aG aziotcs aziotid - /usr/sbin/usermod -aG aziotks aziotid - /usr/sbin/usermod -aG aziottpm aziotid + if ! /usr/bin/getent passwd @user_aziotid@ >/dev/null; then + /usr/sbin/useradd -r -g @user_aziotid@ -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd @user_aziotid@ + /usr/sbin/usermod -aG @user_aziotcs@ @user_aziotid@ + /usr/sbin/usermod -aG @user_aziotks@ @user_aziotid@ + /usr/sbin/usermod -aG @user_aziottpm@ @user_aziotid@ fi mkdir -p /var/lib/aziot/identityd ;; diff --git a/contrib/enterprise-linux/aziot-identity-service.spec.in b/contrib/enterprise-linux/aziot-identity-service.spec.in index 836ea2637..836770b6e 100644 --- a/contrib/enterprise-linux/aziot-identity-service.spec.in +++ b/contrib/enterprise-linux/aziot-identity-service.spec.in 
@@ -84,36 +84,36 @@ make -j \ # For each of CS, IS, KS: create group, create user, create home directory (in case user already exists from a previous install # but the user deleted the directory manually) -if ! %{_bindir}/getent group aziotks >/dev/null; then - %{_sbindir}/groupadd -r aziotks +if ! %{_bindir}/getent group @user_aziotks@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziotks@ fi -if ! %{_bindir}/getent passwd aziotks >/dev/null; then - %{_sbindir}/useradd -r -g aziotks -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd aziotks +if ! %{_bindir}/getent passwd @user_aziotks@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziotks@ -c 'aziot-keyd user' -s /sbin/nologin -d /var/lib/aziot/keyd @user_aziotks@ fi -if ! %{_bindir}/getent group aziottpm >/dev/null; then - %{_sbindir}/groupadd -r aziottpm +if ! %{_bindir}/getent group @user_aziottpm@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziottpm@ fi -if ! %{_bindir}/getent passwd aziottpm >/dev/null; then - %{_sbindir}/useradd -r -g aziottpm -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd aziottpm +if ! %{_bindir}/getent passwd @user_aziottpm@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziottpm@ -c 'aziot-tpmd user' -s /sbin/nologin -d /var/lib/aziot/tpmd @user_aziottpm@ fi -if ! %{_bindir}/getent group aziotcs >/dev/null; then - %{_sbindir}/groupadd -r aziotcs +if ! %{_bindir}/getent group @user_aziotcs@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziotcs@ fi -if ! %{_bindir}/getent passwd aziotcs >/dev/null; then - %{_sbindir}/useradd -r -g aziotcs -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd aziotcs - %{_sbindir}/usermod -aG aziotks aziotcs +if ! %{_bindir}/getent passwd @user_aziotcs@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziotcs@ -c 'aziot-certd user' -s /sbin/nologin -d /var/lib/aziot/certd @user_aziotcs@ + %{_sbindir}/usermod -aG @user_aziotks@ @user_aziotcs@ fi -if ! 
%{_bindir}/getent group aziotid >/dev/null; then - %{_sbindir}/groupadd -r aziotid +if ! %{_bindir}/getent group @user_aziotid@ >/dev/null; then + %{_sbindir}/groupadd -r @user_aziotid@ fi -if ! %{_bindir}/getent passwd aziotid >/dev/null; then - %{_sbindir}/useradd -r -g aziotid -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd aziotid - %{_sbindir}/usermod -aG aziotcs aziotid - %{_sbindir}/usermod -aG aziotks aziotid - %{_sbindir}/usermod -aG aziottpm aziotid +if ! %{_bindir}/getent passwd @user_aziotid@ >/dev/null; then + %{_sbindir}/useradd -r -g @user_aziotid@ -c 'aziot-identityd user' -s /sbin/nologin -d /var/lib/aziot/identityd @user_aziotid@ + %{_sbindir}/usermod -aG @user_aziotcs@ @user_aziotid@ + %{_sbindir}/usermod -aG @user_aziotks@ @user_aziotid@ + %{_sbindir}/usermod -aG @user_aziottpm@ @user_aziotid@ fi 
@@ -158,25 +158,25 @@ fi %{_libdir}/%{name}/*.so* # Default configs and config directories -%attr(400, aziotcs, aziotcs) %{_sysconfdir}/aziot/certd/config.toml.default -%attr(700, aziotcs, aziotcs) %dir %{_sysconfdir}/aziot/certd/config.d +%attr(400, @user_aziotcs@, @user_aziotcs@) %{_sysconfdir}/aziot/certd/config.toml.default +%attr(700, @user_aziotcs@, @user_aziotcs@) %dir %{_sysconfdir}/aziot/certd/config.d -%attr(400, aziotid, aziotid) %{_sysconfdir}/aziot/identityd/config.toml.default -%attr(700, aziotid, aziotid) %dir %{_sysconfdir}/aziot/identityd/config.d +%attr(400, @user_aziotid@, @user_aziotid@) %{_sysconfdir}/aziot/identityd/config.toml.default +%attr(700, @user_aziotid@, @user_aziotid@) %dir %{_sysconfdir}/aziot/identityd/config.d -%attr(400, aziotks, aziotks) %{_sysconfdir}/aziot/keyd/config.toml.default -%attr(700, aziotks, aziotks) %dir %{_sysconfdir}/aziot/keyd/config.d +%attr(400, @user_aziotks@, @user_aziotks@) %{_sysconfdir}/aziot/keyd/config.toml.default +%attr(700, @user_aziotks@, @user_aziotks@) %dir %{_sysconfdir}/aziot/keyd/config.d -%attr(400, aziottpm, aziottpm) %{_sysconfdir}/aziot/tpmd/config.toml.default -%attr(700, aziottpm, aziottpm) %dir %{_sysconfdir}/aziot/tpmd/config.d +%attr(400, @user_aziottpm@, @user_aziottpm@) %{_sysconfdir}/aziot/tpmd/config.toml.default +%attr(700, @user_aziottpm@, @user_aziottpm@) %dir %{_sysconfdir}/aziot/tpmd/config.d %attr(600, root, root) %{_sysconfdir}/aziot/config.toml.template # Home directories -%attr(-, aziotcs, aziotcs) %dir /var/lib/aziot/certd -%attr(-, aziotid, aziotid) %dir /var/lib/aziot/identityd -%attr(-, aziotks, aziotks) %dir /var/lib/aziot/keyd -%attr(-, aziottpm, aziottpm) %dir /var/lib/aziot/tpmd +%attr(-, @user_aziotcs@, @user_aziotcs@) %dir /var/lib/aziot/certd +%attr(-, @user_aziotid@, @user_aziotid@) %dir /var/lib/aziot/identityd +%attr(-, @user_aziotks@, @user_aziotks@) %dir /var/lib/aziot/keyd +%attr(-, @user_aziottpm@, @user_aziottpm@) %dir /var/lib/aziot/tpmd # Systemd 
services and sockets %{_unitdir}/aziot-certd.service diff --git a/identity/aziot-identityd/aziot-identityd.service.in b/identity/aziot-identityd/aziot-identityd.service.in index 42adf6f07..7e261fd22 100644 --- a/identity/aziot-identityd/aziot-identityd.service.in +++ b/identity/aziot-identityd/aziot-identityd.service.in @@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-identityd KillMode=process Restart=on-failure RestartSec=5s -User=aziotid +User=@user_aziotid@ [Install] WantedBy=multi-user.target diff --git a/identity/aziot-identityd/aziot-identityd.socket b/identity/aziot-identityd/aziot-identityd.socket.in similarity index 79% rename from identity/aziot-identityd/aziot-identityd.socket rename to identity/aziot-identityd/aziot-identityd.socket.in index f3e5de556..23e910a37 100644 --- a/identity/aziot-identityd/aziot-identityd.socket +++ b/identity/aziot-identityd/aziot-identityd.socket.in @@ -6,8 +6,8 @@ PartOf=aziot-identityd.service ListenStream=/run/aziot/identityd.sock SocketMode=0660 DirectoryMode=0755 -SocketUser=aziotid -SocketGroup=aziotid +SocketUser=@user_aziotid@ +SocketGroup=@user_aziotid@ [Install] WantedBy=sockets.target diff --git a/key/aziot-keyd/aziot-keyd.service.in b/key/aziot-keyd/aziot-keyd.service.in index cf66c34c1..0a33965fd 100644 --- a/key/aziot-keyd/aziot-keyd.service.in +++ b/key/aziot-keyd/aziot-keyd.service.in @@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-keyd KillMode=process Restart=on-failure RestartSec=5s -User=aziotks +User=@user_aziotks@ [Install] WantedBy=multi-user.target diff --git a/key/aziot-keyd/aziot-keyd.socket b/key/aziot-keyd/aziot-keyd.socket.in similarity index 78% rename from key/aziot-keyd/aziot-keyd.socket rename to key/aziot-keyd/aziot-keyd.socket.in index 739d1a4ee..beb7b8123 100644 --- a/key/aziot-keyd/aziot-keyd.socket +++ b/key/aziot-keyd/aziot-keyd.socket.in 
@@ -6,8 +6,8 @@ PartOf=aziot-keyd.service ListenStream=/run/aziot/keyd.sock SocketMode=0660 DirectoryMode=0755 -SocketUser=aziotks -SocketGroup=aziotks +SocketUser=@user_aziotks@ +SocketGroup=@user_aziotks@ [Install] WantedBy=sockets.target diff --git a/tpm/aziot-tpmd/aziot-tpmd.service.in b/tpm/aziot-tpmd/aziot-tpmd.service.in index 34e1d10f4..31bbfc4ff 100644 --- a/tpm/aziot-tpmd/aziot-tpmd.service.in +++ b/tpm/aziot-tpmd/aziot-tpmd.service.in @@ -9,7 +9,7 @@ ExecStart=@libexecdir@/aziot-identity-service/aziot-tpmd KillMode=process Restart=on-failure RestartSec=5s -User=aziottpm +User=@user_aziottpm@ [Install] WantedBy=multi-user.target diff --git a/tpm/aziot-tpmd/aziot-tpmd.socket b/tpm/aziot-tpmd/aziot-tpmd.socket.in similarity index 77% rename from tpm/aziot-tpmd/aziot-tpmd.socket rename to tpm/aziot-tpmd/aziot-tpmd.socket.in index b49fd4a46..201927c0c 100644 --- a/tpm/aziot-tpmd/aziot-tpmd.socket +++ b/tpm/aziot-tpmd/aziot-tpmd.socket.in @@ -6,8 +6,8 @@ PartOf=aziot-tpmd.service ListenStream=/run/aziot/tpmd.sock SocketMode=0660 DirectoryMode=0755 -SocketUser=aziottpm -SocketGroup=aziottpm +SocketUser=@user_aziottpm@ +SocketGroup=@user_aziottpm@ [Install] WantedBy=sockets.target From 2bb294b0fb2f29524250281553344ac16de60817 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Mon, 24 Oct 2022 16:27:07 +0000 Subject: [PATCH 02/38] make the third-party-notices tool more robust to various cross-building environments Signed-off-by: Alex Lewontin --- contrib/third-party-notices.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contrib/third-party-notices.sh b/contrib/third-party-notices.sh index 4bc6af97a..97a1d151f 100755 --- a/contrib/third-party-notices.sh +++ b/contrib/third-party-notices.sh @@ -10,11 +10,11 @@ case "$ARCH" in platform='x86_64-unknown-linux-gnu' ;; - 'arm32v7') + 'arm32v7'|'armhf') platform='armv7-unknown-linux-gnueabihf' ;; - 'aarch64') + 'aarch64'|'arm64') platform='aarch64-unknown-linux-gnu' ;; 
From fd34fde50d98a9a28a0f61cb7f9ea6e6f23c6a6b Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Mon, 24 Oct 2022 16:28:06 +0000 Subject: [PATCH 03/38] Initial snapcrafting for 1.4 Signed-off-by: Alex Lewontin --- .gitignore | 5 + contrib/snap/command-chain/launch-wrapper.sh | 9 ++ snap/hooks/configure | 28 ++++ snap/hooks/install | 8 + snap/snapcraft.yaml | 150 +++++++++++++++++++ 5 files changed, 200 insertions(+) create mode 100755 contrib/snap/command-chain/launch-wrapper.sh create mode 100755 snap/hooks/configure create mode 100755 snap/hooks/install create mode 100644 snap/snapcraft.yaml
diff --git a/.gitignore b/.gitignore
index da31d932a..155f2a384 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,8 @@
 /packages
 /target
 .vscode
+
+/parts
+/stage
+/prime
+*.snap
diff --git a/contrib/snap/command-chain/launch-wrapper.sh b/contrib/snap/command-chain/launch-wrapper.sh
new file mode 100755
index 000000000..68cefd520
--- /dev/null
+++ b/contrib/snap/command-chain/launch-wrapper.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+echo "Making /run/aziot if it does not exist"
+mkdir -p /run/aziot
+echo "Successfully made /run/aziot if it did not exist"
+
+exec "$@"
diff --git a/snap/hooks/configure b/snap/hooks/configure
new file mode 100755
index 000000000..b4de23e2a
--- /dev/null
+++ b/snap/hooks/configure
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+
+toml_kvp() {
+ printf "%s = \"%s\"\n" "$1" "$2"
+}
+
+toml_new_section() {
+ printf "\n\n"
+ printf "[%s]\n" "$1"
+}
+
+{
+ echo "# Dynamically generated configuration, do not edit!"
+
+ toml_kvp "hostname" "$(cat /etc/hostname)"
+
+ toml_new_section "aziot_keys"
+ toml_kvp "homedir_path" "$SNAP_COMMON/libaziot_keys_homedir"
+
+ toml_new_section "provisioning"
+ toml_kvp "source" "$(snapctl get provisioning.source)"
+ # TODO: don't print this if not set
+ toml_kvp "connection_string" "$(snapctl get provisioning.connection-string)"
+
+} > $SNAP_DATA/etc/aziot/config.toml
+
+$SNAP/bin/aziotctl config apply
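Review bot: The generated config.toml receives the device connection string from `snapctl get provisioning.connection-string`, but the redirect `} > $SNAP_DATA/etc/aziot/config.toml` creates the file with the hook's default umask, so the shared access key is likely readable by every local user; add `umask 077` before the block, or `chmod 0600 "$SNAP_DATA/etc/aziot/config.toml"` after it, to match the 0600 the Debian postinst applies to the config template. The values are pasted into TOML strings by `printf "%s = \"%s\"\n"` with no escaping, so a hostname or connection string containing `"` or `\` yields an unparsable file. The hook also has no `set -e`, so a failed write still falls through to `$SNAP/bin/aziotctl config apply`, and the open TODO means an unset connection string is written as an empty `connection_string = ""` rather than omitted, which the config parser may treat differently from absence.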
diff --git a/snap/hooks/install b/snap/hooks/install
new file mode 100755
index 000000000..15226a2ef
--- /dev/null
+++ b/snap/hooks/install
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+cp -r $SNAP/etc $SNAP_DATA/etc
+cp -r $SNAP/var $SNAP_COMMON/var
+mkdir -p $SNAP_COMMON/var/secrets/aziot
+
+mkdir -p $SNAP_COMMON/libaziot_keys_homedir
+mkdir -p $SNAP_COMMON/sockets
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
new file mode 100644
index 000000000..0843fcbe0
--- /dev/null
+++ b/snap/snapcraft.yaml
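Review bot: `mkdir -p $SNAP_COMMON/var/secrets/aziot` creates the directory that the `/var/secrets/aziot` layout in snapcraft.yaml maps to using the hook's default umask, whereas the Makefile's install-common creates the service state directories with `-m 0700`; use `mkdir -p -m 0700 "$SNAP_COMMON/var/secrets/aziot"` and the same for `libaziot_keys_homedir`, which the configure hook hands to `aziot_keys` as `homedir_path` and so presumably holds key material. The hook has no `set -e` and leaves `$SNAP`, `$SNAP_DATA` and `$SNAP_COMMON` unquoted, so a failed `cp -r` is ignored and the configure hook later runs against a half-populated `$SNAP_DATA/etc`; `set -e` at the top, as launch-wrapper.sh already does, would surface that at install time.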
@@ -0,0 +1,150 @@ +name: azure-iot-identity +base: core20 # the base snap is the execution environment for this snap +version: '1.4-001' # just for humans, typically '1.2+git' or '1.3.2' +summary: Single-line elevator pitch for your amazing snap # 79 char long summary +description: | + This is my-snap's description. You have a paragraph or two to tell the + most important story about your snap. Keep it under 100 words though, + we live in tweetspace and your description wants to look good in the snap + store. + +grade: devel # must be 'stable' to release into candidate/stable channels +confinement: strict + +parts: + rust-toolchain: + plugin: nil + build-packages: + - curl + build-environment: + - BINDGEN_VERSION: '0.54.0' + - CBINDGEN_VERSION: '0.15.0' + - PATH: "$PATH:$HOME/.cargo/bin" + override-build: | + mkdir -p $HOME/.cargo/bin + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --no-modify-path --profile minimal -y + cargo install bindgen --version "=$BINDGEN_VERSION" + cargo install cbindgen --version "=$CBINDGEN_VERSION" + iot-identity-services: + build-environment: + - PATH: "$PATH:$HOME/.cargo/bin" + - ARCH: "$SNAPCRAFT_TARGET_ARCH" + after: [ rust-toolchain ] + plugin: nil + source: ./ + build-packages: + - acl + - autoconf + - autoconf-archive + - automake + - build-essential + - clang + - cmake + - curl + - git + - jq + - libclang1 + - libltdl-dev + - libssl-dev + - libtool + - libtss2-dev + - llvm-dev + - pkg-config + - to arm64: + - ca-certificates + - libcurl4-openssl-dev + stage-packages: + - libtss2-esys0 + override-build: | + contrib/third-party-notices.sh > THIRD-PARTY-NOTICES + make install-deb DESTDIR=$SNAPCRAFT_PART_INSTALL RELEASE=1 USER_AZIOTID=root USER_AZIOTCS=root USER_AZIOTKS=root USER_AZIOTTPM=root + organize: + usr/: . 
+ stage: + - -include + # - -lib/systemd + override-prime: | + snapcraftctl prime + ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-certd + ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-identityd + ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-keyd + ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-tpmd + command-chain: + plugin: dump + source: ./contrib + stage: [ snap/command-chain ] + +apps: + aziotctl: + command: bin/aziotctl + plugs: + - network + - sockets + certd: + command-chain: [ snap/command-chain/launch-wrapper.sh ] + command: libexec/aziot-certd + daemon: simple + plugs: + - network-bind + - sockets + # sockets: + # unix: + # listen-stream: $SNAP_COMMON/sockets/certd.sock + # socket-mode: 0660 + identityd: + command-chain: [ snap/command-chain/launch-wrapper.sh ] + command: libexec/aziot-identityd + daemon: simple + plugs: + - network + - network-bind + - sockets + # sockets: + # unix: + # listen-stream: $SNAP_COMMON/sockets/identityd.sock + # socket-mode: 0660 + keyd: + command-chain: [ snap/command-chain/launch-wrapper.sh ] + command: libexec/aziot-keyd + daemon: simple + plugs: + - network-bind + - sockets + # sockets: + # unix: + # listen-stream: $SNAP_COMMON/sockets/keyd.sock + # socket-mode: 0660 + tpmd: + command-chain: [ snap/command-chain/launch-wrapper.sh ] + command: libexec/aziot-tpmd + daemon: simple + plugs: + - network-bind + - sockets + - tpm + # sockets: + # unix: + # listen-stream: $SNAP_COMMON/sockets/tpmd.sock + # socket-mode: 0660 + +environment: + LD_LIBRARY_PATH: $SNAP/lib/aziot-identity-service + +plugs: + sockets: + interface: system-files + write: [ /run/aziot ] +# slots: +# sockets: +# interface: content +# content: aziot-sockets +# source: +# write: [ $SNAP_COMMON/sockets ] + +layout: + /var/lib/aziot: + symlink: 
$SNAP_COMMON/var/lib/aziot + /var/secrets/aziot: + symlink: $SNAP_COMMON/var/secrets/aziot + /etc/aziot: + symlink: $SNAP_DATA/etc/aziot From ed36bf9d917aec0ab14d089485d3a4d9968ea7cb Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Sat, 29 Oct 2022 06:18:46 -0400 Subject: [PATCH 04/38] snapcraft: refine aziotctl interfaces Signed-off-by: Alex Lewontin --- snap/snapcraft.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 0843fcbe0..8bdf4d1f7 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -78,6 +78,8 @@ apps: aziotctl: command: bin/aziotctl plugs: + - log-observe + - system-observe - network - sockets certd: From 81427528b786dfdfb709654a6370af0983b6e5f8 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Thu, 3 Nov 2022 17:24:03 -0400 Subject: [PATCH 05/38] aziotctl: use snapctl for system commands Signed-off-by: Alex Lewontin --- Makefile | 13 ++++++- aziotctl/Cargo.toml | 3 ++ aziotctl/aziotctl-common/Cargo.toml | 3 ++ aziotctl/aziotctl-common/src/system/mod.rs | 37 +++++++++++++++++++ .../aziotctl-common/src/system/restart.rs | 37 ++++++++++++++++++- .../src/system/set_log_level.rs | 26 ++++++++++++- aziotctl/aziotctl-common/src/system/stop.rs | 31 ++++++++++++++++ contrib/snap/command-chain/launch-wrapper.sh | 5 +++ key/aziot-keys/Cargo.toml | 4 ++ snap/snapcraft.yaml | 11 +++++- 10 files changed, 163 insertions(+), 7 deletions(-) diff --git a/Makefile b/Makefile index f452b101a..1d9cba9df 100644 --- a/Makefile +++ b/Makefile @@ -26,6 +26,15 @@ ARCH = INSTALL_PRESET = true +# Enable special features based on a specific package format +# '' => none, 'snap' => snap package +PACKAGE_FORMAT ?= +CARGO_FEATURES = + +ifeq ($(PACKAGE_FORMAT), snap) + CARGO_FEATURES += --features snapctl +endif + ifeq ($(V), 0) BINDGEN_VERBOSE = CARGO_VERBOSE = --quiet 
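Review bot: `make install-deb ... USER_AZIOTID=root USER_AZIOTCS=root USER_AZIOTKS=root USER_AZIOTTPM=root` in the `iot-identity-services` part runs all four daemons as root inside the snap, which removes the user-per-service isolation the rest of this series parameterises: keyd, certd, identityd and tpmd can then read each other's state, and the `SocketMode=0660` owner/group checks no longer distinguish clients. If strict confinement forces this, a comment next to that line stating why and what replaces the uid boundary would help the next reader; otherwise snapd's `system-usernames` support (the `snap_daemon` user) is the usual way to drop privileges in a strictly confined daemon. The `rust-toolchain` part installs the compiler with `curl ... https://sh.rustup.rs | sh` and no toolchain pin, so unlike `bindgen`/`cbindgen` the rustc version is whatever rustup serves on the day of the build, making the artifact non-reproducible; pass `--default-toolchain <version>` or ship a `rust-toolchain.toml`. `summary` and `description` are still the snapcraft template placeholders.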
@@ -130,13 +139,13 @@ default: # See the doc header of the aziot-keys-common crate for more info. $(CARGO) build \ -p aziot-keys \ - $(CARGO_PROFILE) --target $(CARGO_TARGET) $(CARGO_VERBOSE) + $(CARGO_PROFILE) $(CARGO_FEATURES) --target $(CARGO_TARGET) $(CARGO_VERBOSE) $(CARGO) build \ -p aziotctl \ -p aziotd \ -p aziot-key-openssl-engine-shared \ - $(CARGO_PROFILE) --target $(CARGO_TARGET) $(CARGO_VERBOSE) + $(CARGO_PROFILE) $(CARGO_FEATURES) --target $(CARGO_TARGET) $(CARGO_VERBOSE) clean: $(CARGO) clean $(CARGO_VERBOSE) diff --git a/aziotctl/Cargo.toml b/aziotctl/Cargo.toml index 889b4608c..add031ea9 100644 --- a/aziotctl/Cargo.toml +++ b/aziotctl/Cargo.toml @@ -51,3 +51,6 @@ openssl-sys2 = { path = "../openssl-sys2" } [dev-dependencies] bytes = "1" + +[features] +snapctl = ["aziotctl-common/snapctl"] diff --git a/aziotctl/aziotctl-common/Cargo.toml b/aziotctl/aziotctl-common/Cargo.toml index 1282a855b..9e4aa7c0a 100644 --- a/aziotctl/aziotctl-common/Cargo.toml +++ b/aziotctl/aziotctl-common/Cargo.toml @@ -26,3 +26,6 @@ http-common = { path = "../../http-common" } [dev-dependencies] bytes = "1" toml = "0.5" + +[features] +snapctl = [] diff --git a/aziotctl/aziotctl-common/src/system/mod.rs b/aziotctl/aziotctl-common/src/system/mod.rs index 4a6159f31..e584de827 100644 --- a/aziotctl/aziotctl-common/src/system/mod.rs +++ b/aziotctl/aziotctl-common/src/system/mod.rs @@ -18,6 +18,7 @@ pub struct ServiceDefinition { } // Note, the ordering is important, since the first service is considered the root and will be started by the restart command. +#[cfg(not(feature = "snapctl"))] pub const SERVICE_DEFINITIONS: &[&ServiceDefinition] = &[ &ServiceDefinition { service: "aziot-identityd.service", 
@@ -37,6 +38,28 @@ pub const SERVICE_DEFINITIONS: &[&ServiceDefinition] = &[ }, ]; +// Ordering is not important here, we defer it to snapd +#[cfg(feature = "snapctl")] +pub const SERVICE_DEFINITIONS: &[&ServiceDefinition] = &[ + &ServiceDefinition { + service: "identityd", + sockets: &["aziot-identityd.socket"], + }, + &ServiceDefinition { + service: "keyd", + sockets: &["aziot-keyd.socket"], + }, + &ServiceDefinition { + service: "certd", + sockets: &["aziot-certd.socket"], + }, + &ServiceDefinition { + service: "tpmd", + sockets: &["aziot-tpmd.socket"], + }, +]; + +#[cfg(not(feature = "snapctl"))] fn print_command_error(result: &std::process::Output) { use std::io::{self, Write}; @@ -49,3 +72,17 @@ fn print_command_error(result: &std::process::Output) { io::stdout().write_all(&result.stderr).unwrap(); eprintln!(); } + +#[cfg(feature = "snapctl")] +fn print_command_error(result: &std::process::Output) { + use std::io::{self, Write}; + + eprintln!("snapctl exited with non-zero status code."); + eprintln!("stdout:"); + eprintln!("======="); + io::stdout().write_all(&result.stdout).unwrap(); + eprintln!("stderr:"); + eprintln!("======="); + io::stdout().write_all(&result.stderr).unwrap(); + eprintln!(); +} diff --git a/aziotctl/aziotctl-common/src/system/restart.rs b/aziotctl/aziotctl-common/src/system/restart.rs index 05ea3fa25..39b6fbe7d 100644 --- a/aziotctl/aziotctl-common/src/system/restart.rs +++ b/aziotctl/aziotctl-common/src/system/restart.rs @@ -4,8 +4,12 @@ use std::process::Command; use anyhow::{Context, Result}; -use super::{print_command_error, stop, ServiceDefinition}; +use super::{print_command_error, ServiceDefinition}; +#[cfg(not(feature = "snapctl"))] +use super::stop; + +#[cfg(not(feature = "snapctl"))] pub fn restart(services: &[&ServiceDefinition]) -> Result<()> { // stop all services stop(services)?; 
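Review bot: The `#[cfg(feature = "snapctl")]` copy of `print_command_error` at the end of this hunk duplicates the systemd version line for line, presumably differing only in the program name in the first `eprintln!`, and the two bodies will drift. Gating a single constant instead of the whole function keeps one body: `#[cfg(not(feature = "snapctl"))] const SYSTEM_COMMAND: &str = "systemctl";`, `#[cfg(feature = "snapctl")] const SYSTEM_COMMAND: &str = "snapctl";`, then `eprintln!("{} exited with non-zero status code.", SYSTEM_COMMAND);`. Both variants also write the child's stderr to stdout and `.unwrap()` the write, which the original already did. The snapctl `SERVICE_DEFINITIONS` earlier in the hunk keep systemd socket unit names (`aziot-identityd.socket` and friends) next to snapd app names; whatever consumes `sockets` under the snapctl build is not visible here, so a comment on whether those names mean anything under snapd would help.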
@@ -20,6 +24,7 @@ pub fn restart(services: &[&ServiceDefinition]) -> Result<()> { start(services[0].service) } +#[cfg(not(feature = "snapctl"))] fn start(name: &str) -> Result<()> { print!("Starting {}...", name); let result = Command::new("systemctl") @@ -35,3 +40,33 @@ fn start(name: &str) -> Result<()> { Ok(()) } + +#[cfg(feature = "snapctl")] +pub fn restart(services: &[&ServiceDefinition]) -> Result<()> { + let snap_instance_name = match std::env::var("SNAP_INSTANCE_NAME") { + Ok(snap_instance_name) => snap_instance_name, + Err(_) => { + std::env::var("SNAP_NAME").expect("snapctl must be used within the context of a snap") + } + }; + + print!("Restarting {} services...", snap_instance_name); + + let service_names = services + .iter() + .map(|s| format!("{}.{}", snap_instance_name, s.service)); + + let result = Command::new("snapctl") + .arg("restart") + .args(service_names) + .output() + .context("Failed to call snapctl restart")?; + + if result.status.success() { + println!("Restarted!"); + } else { + print_command_error(&result); + } + + Ok(()) +} diff --git a/aziotctl/aziotctl-common/src/system/set_log_level.rs b/aziotctl/aziotctl-common/src/system/set_log_level.rs index 71495aef4..3b622b4b3 100644 --- a/aziotctl/aziotctl-common/src/system/set_log_level.rs +++ b/aziotctl/aziotctl-common/src/system/set_log_level.rs @@ -1,13 +1,18 @@ // Copyright (c) Microsoft. All rights reserved. -use std::fs; -use std::io::prelude::*; +#[cfg(not(feature = "snapctl"))] +use std::{fs, io::prelude::*}; + use std::process::Command; use anyhow::{Context, Result}; use super::ServiceDefinition; +#[cfg(feature = "snapctl")] +use super::print_command_error; + +#[cfg(not(feature = "snapctl"))] pub fn set_log_level(services: &[&ServiceDefinition], level: log::Level) -> Result<()> { for service in services.iter().map(|s| s.service) { write_log_level_file(service, level).with_context(|| { 
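Review bot: `std::env::var("SNAP_NAME").expect("snapctl must be used within the context of a snap")` in the new snapctl `restart` panics when neither `SNAP_INSTANCE_NAME` nor `SNAP_NAME` is set, even though the function returns `anyhow::Result` and the caller could report it; `std::env::var("SNAP_NAME").context("neither SNAP_INSTANCE_NAME nor SNAP_NAME is set; snapctl must be used within the context of a snap")?` keeps the message as an error instead. The same `match`/`expect` block is repeated in the snapctl `stop` in stop.rs (and again in the `start` introduced by the later restart.rs patch on this page); a shared `fn snap_instance_name() -> Result<String>` in mod.rs would remove the triplication. When `snapctl restart` exits non-zero the function prints the output and still returns `Ok(())`, which appears to match the systemd path but means callers cannot tell that nothing was restarted.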
@@ -23,6 +28,7 @@ pub fn set_log_level(services: &[&ServiceDefinition], level: log::Level) -> Resu Ok(()) } +#[cfg(not(feature = "snapctl"))] fn write_log_level_file(service: &str, level: log::Level) -> Result<()> { let directory = format!("/etc/systemd/system/{}.d", service); fs::create_dir_all(&directory)?; @@ -35,3 +41,19 @@ fn write_log_level_file(service: &str, level: log::Level) -> Result<()> { Ok(()) } + +#[cfg(feature = "snapctl")] +pub fn set_log_level(_services: &[&ServiceDefinition], level: log::Level) -> Result<()> { + let result = Command::new("snapctl") + .args(&["set", &format!("log-level={}", level)]) + .output() + .context("Failed to call snapctl set")?; + + if result.status.success() { + println!("Set log level to {} for all services. Run the `{} system restart` command for the changes to take effect.", level, crate::program_name()); + } else { + print_command_error(&result); + } + + Ok(()) +} diff --git a/aziotctl/aziotctl-common/src/system/stop.rs b/aziotctl/aziotctl-common/src/system/stop.rs index 4cce73b2e..eea45aef9 100644 --- a/aziotctl/aziotctl-common/src/system/stop.rs +++ b/aziotctl/aziotctl-common/src/system/stop.rs @@ -6,6 +6,7 @@ use anyhow::{Context, Result}; use super::{print_command_error, ServiceDefinition}; +#[cfg(not(feature = "snapctl"))] pub fn stop(services: &[&ServiceDefinition]) -> Result<()> { // stop all services for service in services.iter().map(|s| s.service) { 
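Review bot: The snapctl `set_log_level` at the end of this hunk ignores `_services` and sets one snap-wide `log-level` key, a behaviour difference from the systemd variant that writes a per-service drop-in, and nothing documents it. A doc comment such as `/// Under snapd the log level is a single snap configuration key (read by the launch wrapper into AZIOT_LOG) and applies to every service, so `_services` is ignored.` would make the asymmetry explicit. The value written is `format!("log-level={}", level)`, i.e. `log::Level`'s `Display` form; whether that string is what the `AZIOT_LOG` consumer accepts is not visible here and is worth a comment or a test.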
@@ -24,3 +25,33 @@ pub fn stop(services: &[&ServiceDefinition]) -> Result<()> { Ok(()) } + +#[cfg(feature = "snapctl")] +pub fn stop(services: &[&ServiceDefinition]) -> Result<()> { + let snap_instance_name = match std::env::var("SNAP_INSTANCE_NAME") { + Ok(snap_instance_name) => snap_instance_name, + Err(_) => { + std::env::var("SNAP_NAME").expect("snapctl must be used within the context of a snap") + } + }; + + print!("Stopping {} services...", snap_instance_name); + + let service_names = services + .iter() + .map(|s| format!("{}.{}", snap_instance_name, s.service)); + + let result = Command::new("snapctl") + .arg("stop") + .args(service_names) + .output() + .context("Failed to call snapctl stop")?; + + if result.status.success() { + println!("Stopped!"); + } else { + print_command_error(&result); + } + + Ok(()) +} diff --git a/contrib/snap/command-chain/launch-wrapper.sh b/contrib/snap/command-chain/launch-wrapper.sh index 68cefd520..2a3d704bf 100755 --- a/contrib/snap/command-chain/launch-wrapper.sh +++ b/contrib/snap/command-chain/launch-wrapper.sh @@ -6,4 +6,9 @@ echo "Making /run/aziot if it does not exist" mkdir -p /run/aziot echo "Successfully made /run/aziot if it did not exist" +log_level="$(snapctl get log-level)" +if [ -n "$log_level" ]; then + export AZIOT_LOG="$log_level" +fi + exec "$@" diff --git a/key/aziot-keys/Cargo.toml b/key/aziot-keys/Cargo.toml index 1f622a681..abd21a733 100644 --- a/key/aziot-keys/Cargo.toml +++ b/key/aziot-keys/Cargo.toml @@ -26,3 +26,7 @@ openssl2 = { path = "../../openssl2" } openssl-sys2 = { path = "../../openssl-sys2" } pkcs11 = { path = "../../pkcs11/pkcs11" } pkcs11-sys = { path = "../../pkcs11/pkcs11-sys" } + +[features] +# Unused at the moment, but need this so we can present a unified list of features to all packages +snapctl = [] diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 8bdf4d1f7..8d509d138 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml 
@@ -1,6 +1,6 @@ name: azure-iot-identity base: core20 # the base snap is the execution environment for this snap -version: '1.4-001' # just for humans, typically '1.2+git' or '1.3.2' +version: '1.4-002' # just for humans, typically '1.2+git' or '1.3.2' summary: Single-line elevator pitch for your amazing snap # 79 char long summary description: | This is my-snap's description. You have a paragraph or two to tell the @@ -57,7 +57,14 @@ parts: - libtss2-esys0 override-build: | contrib/third-party-notices.sh > THIRD-PARTY-NOTICES - make install-deb DESTDIR=$SNAPCRAFT_PART_INSTALL RELEASE=1 USER_AZIOTID=root USER_AZIOTCS=root USER_AZIOTKS=root USER_AZIOTTPM=root + make install-deb \ + RELEASE=1 \ + PACKAGE_FORMAT=snap \ + USER_AZIOTID=root \ + USER_AZIOTCS=root \ + USER_AZIOTKS=root \ + USER_AZIOTTPM=root \ + DESTDIR=$SNAPCRAFT_PART_INSTALL organize: usr/: . stage: From 36cb299aa7d84a72101e5f4defce6fddd2de675b Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Sat, 5 Nov 2022 12:17:42 -0400 Subject: [PATCH 06/38] Add real snap metadata description and summary Co-authored-by: Micah Lewis <1009123+micahl@users.noreply.github.com> --- snap/snapcraft.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 8d509d138..9528e13fe 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml 
@@ -1,12 +1,11 @@ name: azure-iot-identity base: core20 # the base snap is the execution environment for this snap version: '1.4-002' # just for humans, typically '1.2+git' or '1.3.2' -summary: Single-line elevator pitch for your amazing snap # 79 char long summary +summary: Provides provisioning and cryptographic services for Azure IoT Hub devices. description: | - This is my-snap's description. You have a paragraph or two to tell the - most important story about your snap. Keep it under 100 words though, - we live in tweetspace and your description wants to look good in the snap - store. + The Identity Service provisions a device's identity and any modules it runs. The device identity can be based + on symmetric keys or X.509 certificates. It supports manual device registrations or individual/group + enrollments with the Azure Device Provisioning Service. grade: devel # must be 'stable' to release into candidate/stable channels confinement: strict From 5f964e9f4fa758225329eb36126871a1362628cd Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Mon, 14 Nov 2022 12:46:23 -0500 Subject: [PATCH 07/38] use separate snapctl stop & start calls Signed-off-by: Alex Lewontin --- .../aziotctl-common/src/system/restart.rs | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/aziotctl/aziotctl-common/src/system/restart.rs b/aziotctl/aziotctl-common/src/system/restart.rs index 39b6fbe7d..c7a4aa828 100644 --- a/aziotctl/aziotctl-common/src/system/restart.rs +++ b/aziotctl/aziotctl-common/src/system/restart.rs @@ -4,10 +4,7 @@ use std::process::Command; use anyhow::{Context, Result}; -use super::{print_command_error, ServiceDefinition}; - -#[cfg(not(feature = "snapctl"))] -use super::stop; +use super::{print_command_error, stop, ServiceDefinition}; #[cfg(not(feature = "snapctl"))] pub fn restart(services: &[&ServiceDefinition]) -> Result<()> { 
@@ -43,6 +40,15 @@ fn start(name: &str) -> Result<()> { #[cfg(feature = "snapctl")] pub fn restart(services: &[&ServiceDefinition]) -> Result<()> { + // stop all services + stop(services)?; + + // start all services + start(services) +} + +#[cfg(feature = "snapctl")] +pub fn start(services: &[&ServiceDefinition]) -> Result<()> { let snap_instance_name = match std::env::var("SNAP_INSTANCE_NAME") { Ok(snap_instance_name) => snap_instance_name, Err(_) => { @@ -50,20 +56,20 @@ pub fn restart(services: &[&ServiceDefinition]) -> Result<()> { } }; - print!("Restarting {} services...", snap_instance_name); + print!("Starting {} services...", snap_instance_name); let service_names = services .iter() .map(|s| format!("{}.{}", snap_instance_name, s.service)); let result = Command::new("snapctl") - .arg("restart") + .arg("start") .args(service_names) .output() - .context("Failed to call snapctl restart")?; + .context("Failed to call snapctl start")?; if result.status.success() { - println!("Restarted!"); + println!("Started!"); } else { print_command_error(&result); } From 3ac54f54e0f7eb3752bcc945f94864d19e663d8a Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Mon, 14 Nov 2022 13:09:55 -0500 Subject: [PATCH 08/38] Replace individual config options with raw config passthrough Signed-off-by: Alex Lewontin --- snap/hooks/configure | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/snap/hooks/configure b/snap/hooks/configure index b4de23e2a..960809e01 100755 --- a/snap/hooks/configure +++ b/snap/hooks/configure 
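Review bot: The snapctl `start` introduced here is `pub fn start(services: &[&ServiceDefinition])`, while the systemd `start(name: &str)` above it stays private and takes a single unit name, so both the module's public surface and the meaning of `start` change with the feature flag. Unless another module needs it, `fn start(services: &[&ServiceDefinition]) -> Result<()>` (private) keeps the two builds consistent; if it is meant to be public, the systemd side should expose an equivalent. `restart` now does `stop(services)?` then `start(services)`, so a failure of the `snapctl stop` call is propagated via `?`, but a non-zero exit of `snapctl start` still returns `Ok(())` after printing, as in the original snapctl `restart`.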
@@ -11,18 +11,13 @@ toml_new_section() { } { - echo "# Dynamically generated configuration, do not edit!" - toml_kvp "hostname" "$(cat /etc/hostname)" + snapctl get raw-config + toml_new_section "aziot_keys" toml_kvp "homedir_path" "$SNAP_COMMON/libaziot_keys_homedir" - toml_new_section "provisioning" - toml_kvp "source" "$(snapctl get provisioning.source)" - # TODO: don't print this if not set - toml_kvp "connection_string" "$(snapctl get provisioning.connection-string)" - } > $SNAP_DATA/etc/aziot/config.toml $SNAP/bin/aziotctl config apply From 7522429ae97881ce76448ecb0d12983bde9eab32 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Tue, 15 Nov 2022 12:39:45 -0500 Subject: [PATCH 09/38] Use "PLATFORM_FEATURES" instead of "PACKAGE_FORMAT" Co-authored-by: Micah Lewis <1009123+micahl@users.noreply.github.com> --- Makefile | 8 ++++---- snap/snapcraft.yaml | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index 1d9cba9df..0505947bd 100644 --- a/Makefile +++ b/Makefile @@ -26,12 +26,12 @@ ARCH = INSTALL_PRESET = true -# Enable special features based on a specific package format -# '' => none, 'snap' => snap package -PACKAGE_FORMAT ?= +# Enable special features for specific runtime platforms +# '' => none, 'snapd' => snapd features +PLATFORM_FEATURES ?= CARGO_FEATURES = -ifeq ($(PACKAGE_FORMAT), snap) +ifeq ($(PLATFORM_FEATURES), snapd) CARGO_FEATURES += --features snapctl endif diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 9528e13fe..b23ab4447 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -58,7 +58,7 @@ parts: contrib/third-party-notices.sh > THIRD-PARTY-NOTICES make install-deb \ RELEASE=1 \ - PACKAGE_FORMAT=snap \ + PLATFORM_FEATURES=snapd \ USER_AZIOTID=root \ USER_AZIOTCS=root \ USER_AZIOTKS=root \ From c6f111c4dafb06b6043d831a3a66dd0ba81b4ee5 Mon Sep 17 00:00:00 2001 
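Review bot: `snapctl get raw-config` is written verbatim into the config file and `toml_new_section "aziot_keys"` is appended after it, so if the raw config already defines `[aziot_keys]` the generated file contains that table twice and `aziotctl config apply` will presumably fail to parse it; conversely, bare top-level keys in raw-config only work because they come first. That ordering constraint should be stated above the block, e.g. `# raw-config is emitted first so its top-level keys stay at top level; it must not define [aziot_keys] itself`, or the hook should reject a raw-config that contains `[aziot_keys]`. The unquoted redirect target `$SNAP_DATA/etc/aziot/config.toml` predates this change but is worth quoting while the block is being touched.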
From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Fri, 18 Nov 2022 11:12:51 -0800 Subject: [PATCH 10/38] Updates to comment on users. --- aziotctl/src/config/apply.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aziotctl/src/config/apply.rs b/aziotctl/src/config/apply.rs index 85e039579..aedf6478f 100644 --- a/aziotctl/src/config/apply.rs +++ b/aziotctl/src/config/apply.rs @@ -37,7 +37,7 @@ pub(crate) fn run(options: Options) -> anyhow::Result<()> { // So when running as root, get the four users appropriately. // Otherwise, if this is a debug build, fall back to using the current user. // Otherwise, tell the user to re-run as root. - // When run in a snap expect the four users to be prefixed with `snap_`. + // When run in a snap expect the four users to run as root. let aziotks_user = crate::internal::common::get_system_user(env!("USER_AZIOTKS"))?; let aziotcs_user = crate::internal::common::get_system_user(env!("USER_AZIOTCS"))?; From 6202a67bc977f3b09154b77f94d20b2a1c664d08 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Sat, 29 Oct 2022 06:17:54 -0400 Subject: [PATCH 11/38] many: allow build-time setting of the socket directory Signed-off-by: Alex Lewontin --- Makefile | 9 +++++++-- aziotctl/.cargo/config.toml | 1 + aziotctl/src/system.rs | 4 ++-- cert/aziot-certd-config/src/lib.rs | 12 +++++------ cert/aziot-certd/aziot-certd.socket.in | 2 +- contrib/debian/postrm | 2 +- http-common/src/connector.rs | 5 +++-- identity/aziot-identityd-config/src/lib.rs | 10 ++++++---- .../aziot-identityd/aziot-identityd.socket.in | 2 +- .../src/lib.rs | 7 ++++--- key/aziot-keyd-config/src/lib.rs | 8 ++++++-- key/aziot-keyd/aziot-keyd.socket.in | 2 +- tpm/aziot-tpmd-config/src/lib.rs | 20 +++++++++++++++---- tpm/aziot-tpmd/aziot-tpmd.socket.in | 2 +- 14 files changed, 56 insertions(+), 30 deletions(-) diff --git a/Makefile b/Makefile index 0505947bd..f04151c17 100644 --- a/Makefile +++ b/Makefile 
@@ -8,6 +8,9 @@ USER_AZIOTCS ?= aziotcs USER_AZIOTKS ?= aziotks USER_AZIOTTPM ?= aziottpm +# Default socket directory. Override by specifying on the CLI for make. +SOCKET_DIR ?= /run/aziot + # 0 => false, _ => true V = 0 @@ -75,7 +78,8 @@ CARGO = VENDOR_PREFIX="$(VENDOR_PREFIX)" VENDOR_PKGCONFIG="$(VENDOR_PKGCONFIG)" USER_AZIOTID="$(USER_AZIOTID)" \ USER_AZIOTCS="$(USER_AZIOTCS)" \ USER_AZIOTKS="$(USER_AZIOTKS)" \ - USER_AZIOTTPM="$(USER_AZIOTTPM)" cargo + USER_AZIOTTPM="$(USER_AZIOTTPM)" \ + SOCKET_DIR="$(SOCKET_DIR)" cargo # Some of the targets use bash-isms like `set -o pipefail` SHELL = /bin/bash @@ -329,7 +333,7 @@ deb: dist cp -R contrib/debian /tmp/aziot-identity-service-$(PACKAGE_VERSION)/ sed -i -e 's/@version@/$(PACKAGE_VERSION)/g; s/@release@/$(PACKAGE_RELEASE)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/changelog sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postinst - sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' 's|@socket_dir@|$(SOCKET_DIR)|g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/preinst # Build package 
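Review bot: In the `deb: dist` hunk the new `'s|@socket_dir@|$(SOCKET_DIR)|g'` is a second quoted word after the `-e` script, so sed receives it as an input file name rather than a command; the build should fail with a "can't read" error, and if that error were ignored the `@socket_dir@` placeholder would survive into `postrm`, where `rm -rf @socket_dir@` silently removes nothing (a later commit on this page reworks this line). Joining it into the same expression with `;` is the fix: `... s/@user_aziottpm@/$(USER_AZIOTTPM)/g; s|@socket_dir@|$(SOCKET_DIR)|g' /tmp/.../debian/postrm`. Because the substituted value ends up in an `rm -rf` in postrm, a cheap guard in the Makefile that `SOCKET_DIR` is a non-empty absolute path, e.g. `ifeq ($(filter /%,$(SOCKET_DIR)),)` followed by `$(error SOCKET_DIR must be an absolute path)`, would protect against a stray `SOCKET_DIR=` override. The `postinst`/`preinst` sed lines do not receive the `@socket_dir@` substitution; whether those scripts reference the socket directory is outside this view.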
@@ -501,6 +505,7 @@ install-common: -e 's|@user_aziotks@|$(USER_AZIOTKS)|' \ -e 's|@user_aziotcs@|$(USER_AZIOTCS)|' \ -e 's|@user_aziottpm@|$(USER_AZIOTTPM)|' \ + -e 's|@socket_dir@|$(SOCKET_DIR)|' \ >"$$OUTPUT_SOCKET"; \ chmod 0644 "$$OUTPUT_SOCKET"; \ OUTPUT_SERVICE="$(DESTDIR)$(unitdir)/aziot-$${i}d.service"; \ diff --git a/aziotctl/.cargo/config.toml b/aziotctl/.cargo/config.toml index 756099ca3..6fcb94777 100644 --- a/aziotctl/.cargo/config.toml +++ b/aziotctl/.cargo/config.toml @@ -3,3 +3,4 @@ USER_AZIOTID = "aziotid" USER_AZIOTKS = "aziotks" USER_AZIOTCS = "aziotcs" USER_AZIOTTPM = "aziottpm" +SOCKET_DIR = "/run/aziot" diff --git a/aziotctl/src/system.rs b/aziotctl/src/system.rs index f8b86f2d4..9e00e27d1 100644 --- a/aziotctl/src/system.rs +++ b/aziotctl/src/system.rs @@ -52,7 +52,7 @@ pub struct ReprovisionOptions { #[arg( value_name = "Identity Service URI", long, - default_value = "unix:///run/aziot/identityd.sock" + default_value = concat!("unix://", env!("SOCKET_DIR"), "/identityd.sock") )] uri: url::Url, } @@ -71,7 +71,7 @@ pub async fn system(options: Options) -> Result<()> { #[cfg(not(debug_assertions))] Options::Reprovision(_) => { reprovision( - &url::Url::parse("unix:///run/aziot/identityd.sock") + &url::Url::parse(concat!("unix://", env!("SOCKET_DIR"), "/identityd.sock")) .expect("hard-coded URI should parse"), ) .await diff --git a/cert/aziot-certd-config/src/lib.rs b/cert/aziot-certd-config/src/lib.rs index d08d4c7fa..6bd6e7066 100644 --- a/cert/aziot-certd-config/src/lib.rs +++ b/cert/aziot-certd-config/src/lib.rs @@ -338,10 +338,10 @@ impl Default for Endpoints { fn default() -> Self { Endpoints { aziot_certd: Connector::Unix { - socket_path: Path::new("/run/aziot/certd.sock").into(), + socket_path: Path::new(concat!(env!("SOCKET_DIR"), "/certd.sock")).into(), }, aziot_keyd: Connector::Unix { - socket_path: Path::new("/run/aziot/keyd.sock").into(), + socket_path: Path::new(concat!(env!("SOCKET_DIR"), "/keyd.sock")).into(), }, } } 
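Review bot: `env!("SOCKET_DIR")` is now evaluated at compile time in crates outside `aziotctl/` (cert/aziot-certd-config here, and http-common, identity, key and tpm crates in the following hunks), but the default added by this commit lives in `aziotctl/.cargo/config.toml`, which Cargo only picks up when invoked from inside `aziotctl/`. Unless a workspace-level `.cargo/config.toml` exists that is not shown, a plain `cargo build` or `cargo test` of those crates from the workspace root will fail with a missing-environment-variable compile error; either add the same `[env]` defaults (`SOCKET_DIR` and the `USER_*` entries) to a root-level `.cargo/config.toml` or document that these crates must be built through the Makefile. Since `concat!` needs literals, an `option_env!` fallback is not a drop-in replacement here. `env!` also bakes the path into the binary, so a package whose unit files were templated with a different `SOCKET_DIR` than the one the crates were compiled with would disagree silently; a comment next to the Makefile default saying both must come from the same build would help.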
@@ -554,10 +554,10 @@ certs = ["test"] endpoints: Endpoints { aziot_certd: Connector::Unix { - socket_path: Path::new("/run/aziot/certd.sock").into() + socket_path: Path::new(concat!(env!("SOCKET_DIR"), "/certd.sock")).into() }, aziot_keyd: Connector::Unix { - socket_path: Path::new("/run/aziot/keyd.sock").into() + socket_path: Path::new(concat!(env!("SOCKET_DIR"), "/keyd.sock")).into() }, }, @@ -739,10 +739,10 @@ aziot_certd = "unix:///run/aziot/certd.sock" endpoints: Endpoints { aziot_certd: Connector::Unix { - socket_path: Path::new("/run/aziot/certd.sock").into(), + socket_path: Path::new(concat!(env!("SOCKET_DIR"), "/certd.sock")).into(), }, aziot_keyd: Connector::Unix { - socket_path: Path::new("/run/aziot/keyd.sock").into(), + socket_path: Path::new(concat!(env!("SOCKET_DIR"), "/keyd.sock")).into(), }, }, diff --git a/cert/aziot-certd/aziot-certd.socket.in b/cert/aziot-certd/aziot-certd.socket.in index 55157abc1..2f0078d95 100644 --- a/cert/aziot-certd/aziot-certd.socket.in +++ b/cert/aziot-certd/aziot-certd.socket.in @@ -3,7 +3,7 @@ Description=Azure IoT Certificates Service API socket PartOf=aziot-certd.service [Socket] -ListenStream=/run/aziot/certd.sock +ListenStream=@socket_dir@/certd.sock SocketMode=0660 DirectoryMode=0755 SocketUser=@user_aziotcs@ diff --git a/contrib/debian/postrm b/contrib/debian/postrm index b69dbb633..11ea56446 100755 --- a/contrib/debian/postrm +++ b/contrib/debian/postrm @@ -30,7 +30,7 @@ case "$1" in # Delete directories used by aziot-identity-service. rm -rf /etc/aziot - rm -rf /run/aziot + rm -rf @socket_dir@ rm -rf /var/lib/aziot # Delete aziot-identity-service users. diff --git a/http-common/src/connector.rs b/http-common/src/connector.rs index 2fadb49d5..f1e61412b 100644 --- a/http-common/src/connector.rs +++ b/http-common/src/connector.rs 
@@ -874,9 +874,10 @@ mod tests { }, ), ( - "unix:///run/aziot/keyd.sock", + concat!("unix://", env!("SOCKET_DIR"), "/keyd.sock"), super::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/keyd.sock").into(), + socket_path: std::path::Path::new(concat!(env!("SOCKET_DIR"), "/keyd.sock")) + .into(), }, ), ] { diff --git a/identity/aziot-identityd-config/src/lib.rs b/identity/aziot-identityd-config/src/lib.rs index 54b2d48eb..d37e2efb9 100644 --- a/identity/aziot-identityd-config/src/lib.rs +++ b/identity/aziot-identityd-config/src/lib.rs @@ -216,16 +216,18 @@ impl Default for Endpoints { fn default() -> Self { Endpoints { aziot_certd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/certd.sock").into(), + socket_path: std::path::Path::new(concat!(env!("SOCKET_DIR"), "/certd.sock")) + .into(), }, aziot_identityd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/identityd.sock").into(), + socket_path: std::path::Path::new(concat!(env!("SOCKET_DIR"), "/identityd.sock")) + .into(), }, aziot_keyd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/keyd.sock").into(), + socket_path: std::path::Path::new(concat!(env!("SOCKET_DIR"), "/keyd.sock")).into(), }, aziot_tpmd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/tpmd.sock").into(), + socket_path: std::path::Path::new(concat!(env!("SOCKET_DIR"), "/tpmd.sock")).into(), }, } } diff --git a/identity/aziot-identityd/aziot-identityd.socket.in b/identity/aziot-identityd/aziot-identityd.socket.in index 23e910a37..fa1ae98de 100644 --- a/identity/aziot-identityd/aziot-identityd.socket.in +++ b/identity/aziot-identityd/aziot-identityd.socket.in @@ -3,7 +3,7 @@ Description=Azure IoT Identity Service API socket PartOf=aziot-identityd.service [Socket] -ListenStream=/run/aziot/identityd.sock +ListenStream=@socket_dir@/identityd.sock SocketMode=0660 DirectoryMode=0755 SocketUser=@user_aziotid@ 
diff --git a/key/aziot-key-openssl-engine-shared/src/lib.rs b/key/aziot-key-openssl-engine-shared/src/lib.rs index f3953ba47..d4a76bce3 100644 --- a/key/aziot-key-openssl-engine-shared/src/lib.rs +++ b/key/aziot-key-openssl-engine-shared/src/lib.rs @@ -27,9 +27,10 @@ unsafe extern "C" fn aziot_key_openssl_engine_shared_bind( unsafe extern "C" fn engine_init(e: *mut openssl_sys::ENGINE) -> std::os::raw::c_int { let result = r#catch(Some(|| Error::ENGINE_INIT), || { - let key_connector: http_common::Connector = "unix:///run/aziot/keyd.sock" - .parse() - .expect("hard-coded URI must parse successfully"); + let key_connector: http_common::Connector = + concat!("unix://", env!("SOCKET_DIR"), "/keyd.sock") + .parse() + .expect("hard-coded URI must parse successfully"); let key_client = aziot_key_client::Client::new( aziot_key_common_http::ApiVersion::V2021_05_01, key_connector, diff --git a/key/aziot-keyd-config/src/lib.rs b/key/aziot-keyd-config/src/lib.rs index 1a8eeec5d..644cb665c 100644 --- a/key/aziot-keyd-config/src/lib.rs +++ b/key/aziot-keyd-config/src/lib.rs @@ -49,7 +49,7 @@ impl Default for Endpoints { fn default() -> Self { Endpoints { aziot_keyd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/keyd.sock").into(), + socket_path: std::path::Path::new(concat!(env!("SOCKET_DIR"), "/keyd.sock")).into(), }, } } @@ -113,7 +113,11 @@ keys = ["test"] endpoints: super::Endpoints { aziot_keyd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/keyd.sock").into() + socket_path: std::path::Path::new(concat!( + env!("SOCKET_DIR"), + "/keyd.sock" + )) + .into() }, }, diff --git a/key/aziot-keyd/aziot-keyd.socket.in b/key/aziot-keyd/aziot-keyd.socket.in index beb7b8123..36f687092 100644 --- a/key/aziot-keyd/aziot-keyd.socket.in +++ b/key/aziot-keyd/aziot-keyd.socket.in 
@@ -3,7 +3,7 @@ Description=Azure IoT Keys Service API socket PartOf=aziot-keyd.service [Socket] -ListenStream=/run/aziot/keyd.sock +ListenStream=@socket_dir@/keyd.sock SocketMode=0660 DirectoryMode=0755 SocketUser=@user_aziotks@ diff --git a/tpm/aziot-tpmd-config/src/lib.rs b/tpm/aziot-tpmd-config/src/lib.rs index 278252c9b..46e8e7ba4 100644 --- a/tpm/aziot-tpmd-config/src/lib.rs +++ b/tpm/aziot-tpmd-config/src/lib.rs @@ -120,7 +120,7 @@ impl Default for Endpoints { fn default() -> Self { Endpoints { aziot_tpmd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/tpmd.sock").into(), + socket_path: std::path::Path::new(concat!(env!("SOCKET_DIR"), "/tpmd.sock")).into(), }, } } @@ -144,7 +144,11 @@ mod tests { }, endpoints: super::Endpoints { aziot_tpmd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/tpmd.sock").into() + socket_path: std::path::Path::new(concat!( + env!("SOCKET_DIR"), + "/tpmd.sock" + )) + .into() }, }, } @@ -171,7 +175,11 @@ auth_key_index = 0x01_02_03 }, endpoints: super::Endpoints { aziot_tpmd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/tpmd.sock").into() + socket_path: std::path::Path::new(concat!( + env!("SOCKET_DIR"), + "/tpmd.sock" + )) + .into() }, }, } @@ -201,7 +209,11 @@ owner = "world" }, endpoints: super::Endpoints { aziot_tpmd: http_common::Connector::Unix { - socket_path: std::path::Path::new("/run/aziot/tpmd.sock").into() + socket_path: std::path::Path::new(concat!( + env!("SOCKET_DIR"), + "/tpmd.sock" + )) + .into() }, }, } diff --git a/tpm/aziot-tpmd/aziot-tpmd.socket.in b/tpm/aziot-tpmd/aziot-tpmd.socket.in index 201927c0c..eb7552656 100644 --- a/tpm/aziot-tpmd/aziot-tpmd.socket.in +++ b/tpm/aziot-tpmd/aziot-tpmd.socket.in 
@@ -3,7 +3,7 @@ Description=Azure IoT TPM Service API socket PartOf=aziot-tpmd.service [Socket] -ListenStream=/run/aziot/tpmd.sock +ListenStream=@socket_dir@/tpmd.sock SocketMode=0660 DirectoryMode=0755 SocketUser=@user_aziottpm@ From 379c320954f02958c34d38b8d758a9400f55d3ec Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Tue, 29 Nov 2022 20:08:12 -0500 Subject: [PATCH 12/38] snapcraft: share sockets & config locations Signed-off-by: Alex Lewontin --- snap/hooks/configure | 2 +- snap/hooks/install | 10 +++---- snap/snapcraft.yaml | 70 ++++++++++++++++++++++---------------------- 3 files changed, 40 insertions(+), 42 deletions(-) diff --git a/snap/hooks/configure b/snap/hooks/configure index 960809e01..f32a9f7f1 100755 --- a/snap/hooks/configure +++ b/snap/hooks/configure @@ -18,6 +18,6 @@ toml_new_section() { toml_new_section "aziot_keys" toml_kvp "homedir_path" "$SNAP_COMMON/libaziot_keys_homedir" -} > $SNAP_DATA/etc/aziot/config.toml +} > /etc/aziot/config.toml $SNAP/bin/aziotctl config apply diff --git a/snap/hooks/install b/snap/hooks/install index 15226a2ef..8814073e7 100755 --- a/snap/hooks/install +++ b/snap/hooks/install @@ -1,8 +1,6 @@ -#!/bin/sh - -cp -r $SNAP/etc $SNAP_DATA/etc -cp -r $SNAP/var $SNAP_COMMON/var -mkdir -p $SNAP_COMMON/var/secrets/aziot +#!/bin/bash +mkdir -p $SNAP_DATA/shared/{secrets,sockets}/aziot +mkdir -p $SNAP_DATA/shared/config/aziot/{keyd,certd,identityd,tpmd}/config.d +mkdir -p $SNAP_DATA/var/lib/{aziot/{keyd,certd,identityd,tpmd},tpm} mkdir -p $SNAP_COMMON/libaziot_keys_homedir -mkdir -p $SNAP_COMMON/sockets diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index b23ab4447..e13b67349 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml 
@@ -1,6 +1,6 @@ name: azure-iot-identity base: core20 # the base snap is the execution environment for this snap -version: '1.4-002' # just for humans, typically '1.2+git' or '1.3.2' +version: '1.4-004' # just for humans, typically '1.2+git' or '1.3.2' summary: Provides provisioning and cryptographic services for Azure IoT Hub devices. description: | The Identity Service provisions a device's identity and any modules it runs. The device identity can be based @@ -63,12 +63,14 @@ parts: USER_AZIOTCS=root \ USER_AZIOTKS=root \ USER_AZIOTTPM=root \ + SOCKET_DIR=/var/sockets/aziot \ DESTDIR=$SNAPCRAFT_PART_INSTALL organize: usr/: . stage: - -include # - -lib/systemd + - -var override-prime: | snapcraftctl prime ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-certd @@ -87,18 +89,16 @@ apps: - log-observe - system-observe - network - - sockets certd: command-chain: [ snap/command-chain/launch-wrapper.sh ] command: libexec/aziot-certd daemon: simple plugs: - network-bind - - sockets - # sockets: - # unix: - # listen-stream: $SNAP_COMMON/sockets/certd.sock - # socket-mode: 0660 + sockets: + unix: + listen-stream: $SNAP_DATA/shared/sockets/aziot/certd.sock + socket-mode: 0660 identityd: command-chain: [ snap/command-chain/launch-wrapper.sh ] command: libexec/aziot-identityd 
@@ -106,53 +106,53 @@ apps: plugs: - network - network-bind - - sockets - # sockets: - # unix: - # listen-stream: $SNAP_COMMON/sockets/identityd.sock - # socket-mode: 0660 + sockets: + unix: + listen-stream: $SNAP_DATA/shared/sockets/aziot/identityd.sock + socket-mode: 0660 keyd: command-chain: [ snap/command-chain/launch-wrapper.sh ] command: libexec/aziot-keyd daemon: simple plugs: - network-bind - - sockets - # sockets: - # unix: - # listen-stream: $SNAP_COMMON/sockets/keyd.sock - # socket-mode: 0660 + sockets: + unix: + listen-stream: $SNAP_DATA/shared/sockets/aziot/keyd.sock + socket-mode: 0660 tpmd: command-chain: [ snap/command-chain/launch-wrapper.sh ] command: libexec/aziot-tpmd daemon: simple plugs: - network-bind - - sockets - tpm - # sockets: - # unix: - # listen-stream: $SNAP_COMMON/sockets/tpmd.sock - # socket-mode: 0660 + sockets: + unix: + listen-stream: $SNAP_DATA/shared/sockets/aziot/tpmd.sock + socket-mode: 0660 environment: LD_LIBRARY_PATH: $SNAP/lib/aziot-identity-service -plugs: - sockets: - interface: system-files - write: [ /run/aziot ] -# slots: -# sockets: -# interface: content -# content: aziot-sockets -# source: -# write: [ $SNAP_COMMON/sockets ] +slots: + aziotctl-executables: + interface: content + content: aziotctl-executables + source: + read: [ $SNAP/bin ] + identity-service: + interface: content + content: aziot-identity-service + source: + write: [ $SNAP_DATA/shared ] layout: /var/lib/aziot: - symlink: $SNAP_COMMON/var/lib/aziot + symlink: $SNAP_DATA/var/lib/aziot /var/secrets/aziot: - symlink: $SNAP_COMMON/var/secrets/aziot + symlink: $SNAP_DATA/shared/secrets/aziot + /var/sockets/aziot: + symlink: $SNAP_DATA/shared/sockets/aziot /etc/aziot: - symlink: $SNAP_DATA/etc/aziot + symlink: $SNAP_DATA/shared/config/aziot From 70d71d1bc983c9ae730c0cffd42f1e7c6541d44c Mon Sep 17 00:00:00 2001 
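Review bot: The `identity-service` content slot at the end of the hunk exports the whole `$SNAP_DATA/shared` tree with `write:`, and the `layout` section of the same hunk puts `secrets/aziot` and `config/aziot` under that tree next to `sockets/aziot`, so any snap that connects to the slot to reach the API sockets also gets read/write access to the device secrets and the service configuration. If consumers only need the sockets, narrow the slot to `write: [ $SNAP_DATA/shared/sockets ]` and keep `secrets` outside the exported subtree (config can be a separate `read:` slot if needed). At minimum a comment on the slot should say that connecting it is presumably equivalent to full access to the identity service's state, so the other side of the interface can be reviewed with that in mind.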
From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Fri, 2 Dec 2022 18:44:16 -0800 Subject: [PATCH 13/38] Update Makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index f04151c17..0f63750e3 100644 --- a/Makefile +++ b/Makefile @@ -333,7 +333,7 @@ deb: dist cp -R contrib/debian /tmp/aziot-identity-service-$(PACKAGE_VERSION)/ sed -i -e 's/@version@/$(PACKAGE_VERSION)/g; s/@release@/$(PACKAGE_RELEASE)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/changelog sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postinst - sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' 's|@socket_dir@|$(SOCKET_DIR)|g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g s|@socket_dir@|$(SOCKET_DIR)|g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/preinst # Build package From fcac3fb6fa3bf40b5fd2c3868af09c7be821b6e1 Mon Sep 17 00:00:00 2001 From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:17:25 -0800 Subject: [PATCH 14/38] Update Makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0f63750e3..3c5390ce0 100644 --- a/Makefile +++ b/Makefile 
@@ -333,7 +333,7 @@ deb: dist cp -R contrib/debian /tmp/aziot-identity-service-$(PACKAGE_VERSION)/ sed -i -e 's/@version@/$(PACKAGE_VERSION)/g; s/@release@/$(PACKAGE_RELEASE)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/changelog sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postinst - sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g s|@socket_dir@|$(SOCKET_DIR)|g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm + sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g; s|@socket_dir@|$(SOCKET_DIR)|g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/postrm sed -i -e 's/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; s/@user_aziotcs@/$(USER_AZIOTCS)/g; s/@user_aziottpm@/$(USER_AZIOTTPM)/g' /tmp/aziot-identity-service-$(PACKAGE_VERSION)/debian/preinst # Build package From f6fedd2a781ea75c45519e368427be8d6e4b3198 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Mon, 5 Dec 2022 14:34:25 -0500 Subject: [PATCH 15/38] Make the snap sockets world writable Signed-off-by: Alex Lewontin --- snap/snapcraft.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index e13b67349..06a224e19 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml 
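Review bot: The `postrm` substitution now carries `s|@socket_dir@|$(SOCKET_DIR)|g` while the `postinst` and `preinst` lines repeat the same four user expressions without it, and this is the second follow-up fix to that one line; factoring the shared expression list into a variable (constructed example: `USER_SUBST := s/@user_aziotid@/$(USER_AZIOTID)/g; s/@user_aziotks@/$(USER_AZIOTKS)/g; …` reused by all three `sed` calls) would keep them in step. If `postinst` or `preinst` also reference `@socket_dir@` they still receive the literal placeholder after this change — those scripts are not visible here, please check. The `deb` recipe continues outside the hunk.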
@@ -1,6 +1,6 @@ name: azure-iot-identity base: core20 # the base snap is the execution environment for this snap -version: '1.4-004' # just for humans, typically '1.2+git' or '1.3.2' +version: '1.4-005' # just for humans, typically '1.2+git' or '1.3.2' summary: Provides provisioning and cryptographic services for Azure IoT Hub devices. description: | The Identity Service provisions a device's identity and any modules it runs. The device identity can be based @@ -98,7 +98,7 @@ apps: sockets: unix: listen-stream: $SNAP_DATA/shared/sockets/aziot/certd.sock - socket-mode: 0660 + socket-mode: 0666 identityd: command-chain: [ snap/command-chain/launch-wrapper.sh ] command: libexec/aziot-identityd @@ -109,7 +109,7 @@ apps: sockets: unix: listen-stream: $SNAP_DATA/shared/sockets/aziot/identityd.sock - socket-mode: 0660 + socket-mode: 0666 keyd: command-chain: [ snap/command-chain/launch-wrapper.sh ] command: libexec/aziot-keyd @@ -119,7 +119,7 @@ apps: sockets: unix: listen-stream: $SNAP_DATA/shared/sockets/aziot/keyd.sock - socket-mode: 0660 + socket-mode: 0666 tpmd: command-chain: [ snap/command-chain/launch-wrapper.sh ] command: libexec/aziot-tpmd @@ -130,7 +130,7 @@ apps: sockets: unix: listen-stream: $SNAP_DATA/shared/sockets/aziot/tpmd.sock - socket-mode: 0660 + socket-mode: 0666 environment: LD_LIBRARY_PATH: $SNAP/lib/aziot-identity-service From 444572d1747e6e3a45fc0a62a38d1b199687b4ae Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Tue, 17 Jan 2023 12:30:08 -0500 Subject: [PATCH 16/38] snap: remove superfluous directory creation from wrapper script Signed-off-by: Alex Lewontin --- contrib/snap/command-chain/launch-wrapper.sh | 4 ---- snap/snapcraft.yaml | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/contrib/snap/command-chain/launch-wrapper.sh b/contrib/snap/command-chain/launch-wrapper.sh index 2a3d704bf..fcab5737e 100755 --- a/contrib/snap/command-chain/launch-wrapper.sh +++ b/contrib/snap/command-chain/launch-wrapper.sh 
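Review bot: Changing `socket-mode` from 0660 to 0666 on the certd socket (and identically in the identityd, keyd and tpmd hunks of this commit) lets every local process on the device connect to the service APIs, whereas the packaged systemd units earlier in this series keep 0660 with a dedicated `SocketUser`. The commit message gives no reason, so a reader cannot tell whether this is a confinement workaround or intended, nor what now enforces access if the socket mode no longer does. If the daemons authorise each caller by its peer uid (which I am inferring, please confirm), say so next to the setting, e.g. `# 0666: snap apps share no group; the daemons authorise peers by uid, so the mode is not the access control`; if they do not, the previous mode should stay and the needed group membership be handled in the snap instead.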
@@ -2,10 +2,6 @@ set -e -echo "Making /run/aziot if it does not exist" -mkdir -p /run/aziot -echo "Successfully made /run/aziot if it did not exist" - log_level="$(snapctl get log-level)" if [ -n "$log_level" ]; then export AZIOT_LOG="$log_level" diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 06a224e19..2b344607d 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -1,6 +1,6 @@ name: azure-iot-identity base: core20 # the base snap is the execution environment for this snap -version: '1.4-005' # just for humans, typically '1.2+git' or '1.3.2' +version: '1.4-006' # just for humans, typically '1.2+git' or '1.3.2' summary: Provides provisioning and cryptographic services for Azure IoT Hub devices. description: | The Identity Service provisions a device's identity and any modules it runs. The device identity can be based From bb3e9f247cd0766f310fd94a86437e19aa7146af Mon Sep 17 00:00:00 2001 From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Tue, 31 Jan 2023 09:13:04 +0000 Subject: [PATCH 17/38] Skip building TSS libraries. --- Makefile | 4 ++-- snap/snapcraft.yaml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a3c5f2519..2f713d90d 100644 --- a/Makefile +++ b/Makefile @@ -119,7 +119,7 @@ default: # incorrect assumption of /usr/local. There is probably a better # way to do this... set -euo pipefail; \ - if [ -d third-party/tpm2-tss ]; then \ + if [ $(VENDOR_LIBTSS) != 0 -a -d third-party/tpm2-tss ]; then \ cd third-party/tpm2-tss; \ ./bootstrap; \ ./configure \ @@ -457,7 +457,7 @@ install-common: # tpm2-tss # See comment above regarding environment bleedover on RPM # builds. - if [ -d third-party/tpm2-tss ]; then \ + if [ $(VENDOR_LIBTSS) != 0 -a -d third-party/tpm2-tss ]; then \ cd third-party/tpm2-tss; \ $(MAKE) libdir=$(AZIOT_PRIVATE_LIBRARIES) install-exec; \ fi diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 2b344607d..78004028c 100644 --- a/snap/snapcraft.yaml 
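Review bot: In the `default` recipe `if [ $(VENDOR_LIBTSS) != 0 -a -d third-party/tpm2-tss ]` leaves the variable unquoted, so a build that does not set `VENDOR_LIBTSS` (the diffstat shows only these two lines changed, so no default is added here and none is visible in the hunk context) expands to `[ != 0 -a -d ... ]`, a `test` syntax error rather than "vendor the library"; quote it and drop the non-POSIX `-a`: `if [ "$(VENDOR_LIBTSS)" != 0 ] && [ -d third-party/tpm2-tss ]; then \`. The `install-common` hunk further down repeats the same condition. If the Makefile already defines a default outside these hunks the quoting is still cheap insurance. Both recipes continue outside their hunks.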
+++ b/snap/snapcraft.yaml @@ -58,6 +58,7 @@ parts: contrib/third-party-notices.sh > THIRD-PARTY-NOTICES make install-deb \ RELEASE=1 \ + VENDOR_LIBTSS=0 \ PLATFORM_FEATURES=snapd \ USER_AZIOTID=root \ USER_AZIOTCS=root \ From 78536707092fadeb77965ce0055d79ebbd18f0bd Mon Sep 17 00:00:00 2001 From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Mon, 13 Feb 2023 11:26:29 -0800 Subject: [PATCH 18/38] Fix system logs. Bump bindgen/cbindgen --- aziotctl/aziotctl-common/src/config/mod.rs | 1 + aziotctl/aziotctl-common/src/system/mod.rs | 8 ++++---- aziotctl/aziotctl-common/src/system/restart.rs | 6 +++++- aziotctl/aziotctl-common/src/system/status.rs | 12 +++++++++++- aziotctl/aziotctl-common/src/system/stop.rs | 6 +++++- snap/snapcraft.yaml | 6 +++--- 6 files changed, 29 insertions(+), 10 deletions(-) diff --git a/aziotctl/aziotctl-common/src/config/mod.rs b/aziotctl/aziotctl-common/src/config/mod.rs index 493e4c0ef..c6e5a783e 100644 --- a/aziotctl/aziotctl-common/src/config/mod.rs +++ b/aziotctl/aziotctl-common/src/config/mod.rs @@ -66,6 +66,7 @@ pub fn write_file( .with_context(|| format!("could not create {}", path_displayable))?; let () = unistd::chown(path, Some(user.uid), Some(user.gid)) .with_context(|| format!("could not set ownership on {}", path_displayable))?; + #[cfg(not(feature = "snapctl"))] // Workaround - set_permissions hits a permission denied in a snapped environment. The 2 above work. let () = fs::set_permissions(path, fs::Permissions::from_mode(mode)) .with_context(|| format!("could not set permissions on {}", path_displayable))?; diff --git a/aziotctl/aziotctl-common/src/system/mod.rs b/aziotctl/aziotctl-common/src/system/mod.rs index e584de827..b219b6065 100644 --- a/aziotctl/aziotctl-common/src/system/mod.rs +++ b/aziotctl/aziotctl-common/src/system/mod.rs 
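Review bot: The new `#[cfg(not(feature = "snapctl"))]` on the `set_permissions` statement means a snap build never applies `mode` to the file: after `fs::write` it keeps the umask-derived default (typically 0644), and `write_file` is the routine that lays down service configuration, which can carry secrets, so such a file may be world-readable in the snap. The trailing comment records that the permission call fails but not why; the likely cause is that it runs after `chown` has handed the file to another user, which needs CAP_FOWNER, not anything snap-specific, so calling `set_permissions` before `chown` (or creating the file with `mode` via `std::os::unix::fs::OpenOptionsExt::mode`) fixes both builds without a feature gate. If the gate stays, the comment should at least state the resulting file mode. `write_file` starts outside the hunk.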
@@ -42,19 +42,19 @@ pub const SERVICE_DEFINITIONS: &[&ServiceDefinition] = &[ #[cfg(feature = "snapctl")] pub const SERVICE_DEFINITIONS: &[&ServiceDefinition] = &[ &ServiceDefinition { - service: "identityd", + service: "snap.azure-iot-identity.identityd.service", sockets: &["aziot-identityd.socket"], }, &ServiceDefinition { - service: "keyd", + service: "snap.azure-iot-identity.keyd.service", sockets: &["aziot-keyd.socket"], }, &ServiceDefinition { - service: "certd", + service: "snap.azure-iot-identity.certd.service", sockets: &["aziot-certd.socket"], }, &ServiceDefinition { - service: "tpmd", + service: "snap.azure-iot-identity.tpmd.service", sockets: &["aziot-tpmd.socket"], }, ]; diff --git a/aziotctl/aziotctl-common/src/system/restart.rs b/aziotctl/aziotctl-common/src/system/restart.rs index ba32aeb28..7ac530510 100644 --- a/aziotctl/aziotctl-common/src/system/restart.rs +++ b/aziotctl/aziotctl-common/src/system/restart.rs @@ -60,7 +60,11 @@ pub fn start(services: &[&ServiceDefinition]) -> Result<()> { let service_names = services .iter() - .map(|s| format!("{}.{}", snap_instance_name, s.service)); + .map(|s| { + s.service + .trim_start_matches("snap.") + .trim_end_matches(".service") + }); let result = Command::new("snapctl") .arg("start") diff --git a/aziotctl/aziotctl-common/src/system/status.rs b/aziotctl/aziotctl-common/src/system/status.rs index b6b243cbf..ebef1be69 100644 --- a/aziotctl/aziotctl-common/src/system/status.rs +++ b/aziotctl/aziotctl-common/src/system/status.rs 
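Review bot: In the restart.rs hunk the snapctl app name is recovered by stripping `snap.` and `.service` from `s.service`, which only works because the new `SERVICE_DEFINITIONS` table in system/mod.rs now hard-codes the snap name `azure-iot-identity` in every unit name; the removed line took it from `snap_instance_name` at runtime, so a parallel-instance install (`azure-iot-identity_<key>`) would address units that do not exist — please confirm parallel installs are out of scope. A cleaner shape keeps `service: "identityd"` in the table and builds the unit name where one is needed (presumably the logs path), e.g. `format!("snap.{}.{}.service", snap_instance_name, s.service)`, leaving the existing `.map(|s| format!("{}.{}", snap_instance_name, s.service))` in place. The `sockets` entries are left as `aziot-*.socket`; if anything in the snap build addresses those as systemd units they would presumably need the same treatment. The stop.rs hunk in this commit has the identical mapping.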
@@ -3,11 +3,21 @@ use std::fmt; use std::process::Command; -use anyhow::{Context, Result}; +use anyhow::{Context, Result, anyhow}; use super::ServiceDefinition; pub fn get_status(processes: &[&ServiceDefinition]) -> Result<()> { + if cfg!(feature = "snapctl") { + let snap_instance_name = match std::env::var("SNAP_INSTANCE_NAME") { + Ok(snap_instance_name) => snap_instance_name, + Err(_) => { + std::env::var("SNAP_NAME").expect("snapctl must be used within the context of a snap") + } + }; + return Err(anyhow!("Command not supported in a snapped environment. Use 'snap services {}'", snap_instance_name)); + } + let services: Vec> = processes .iter() .map(|process| -> Result> { diff --git a/aziotctl/aziotctl-common/src/system/stop.rs b/aziotctl/aziotctl-common/src/system/stop.rs index 733108f9b..e03f2558c 100644 --- a/aziotctl/aziotctl-common/src/system/stop.rs +++ b/aziotctl/aziotctl-common/src/system/stop.rs @@ -39,7 +39,11 @@ pub fn stop(services: &[&ServiceDefinition]) -> Result<()> { let service_names = services .iter() - .map(|s| format!("{}.{}", snap_instance_name, s.service)); + .map(|s| { + s.service + .trim_start_matches("snap.") + .trim_end_matches(".service") + }); let result = Command::new("snapctl") .arg("stop") diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 78004028c..2dc06a8eb 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -1,6 +1,6 @@ name: azure-iot-identity base: core20 # the base snap is the execution environment for this snap -version: '1.4-006' # just for humans, typically '1.2+git' or '1.3.2' +version: '1.4-007' # just for humans, typically '1.2+git' or '1.3.2' summary: Provides provisioning and cryptographic services for Azure IoT Hub devices. description: | The Identity Service provisions a device's identity and any modules it runs. The device identity can be based 
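Review bot: In `get_status`, `std::env::var("SNAP_NAME").expect(...)` aborts the CLI with a panic when neither variable is set, although the function returns `anyhow::Result` and the very next statement builds an error anyway; `Err(_) => std::env::var("SNAP_NAME").context("neither SNAP_INSTANCE_NAME nor SNAP_NAME is set; this build expects to run inside the snap")?,` keeps it a normal error and uses the `Context` import already present. The same `expect` pattern appears in the stop.rs and restart.rs code paths that read `snap_instance_name`, judging by the `print!` context lines, though those bodies start outside this commit's hunks. `get_status` continues outside the hunk.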
@@ -16,8 +16,8 @@ parts: build-packages: - curl build-environment: - - BINDGEN_VERSION: '0.54.0' - - CBINDGEN_VERSION: '0.15.0' + - BINDGEN_VERSION: '0.60.0' + - CBINDGEN_VERSION: '0.24.2' - PATH: "$PATH:$HOME/.cargo/bin" override-build: | mkdir -p $HOME/.cargo/bin From 4a39b00cecc4df5e7c593125980e370acb5302eb Mon Sep 17 00:00:00 2001 From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Fri, 17 Feb 2023 02:04:10 -0800 Subject: [PATCH 19/38] improve install hook logging --- snap/hooks/install | 2 ++ 1 file changed, 2 insertions(+) diff --git a/snap/hooks/install b/snap/hooks/install index 8814073e7..2092cc443 100755 --- a/snap/hooks/install +++ b/snap/hooks/install @@ -1,5 +1,7 @@ #!/bin/bash +exec 1> >(logger -s -t $(basename $0)) 2>&1 + mkdir -p $SNAP_DATA/shared/{secrets,sockets}/aziot mkdir -p $SNAP_DATA/shared/config/aziot/{keyd,certd,identityd,tpmd}/config.d mkdir -p $SNAP_DATA/var/lib/{aziot/{keyd,certd,identityd,tpmd},tpm} From a748d580b37b55f7157a762c44fcd8ed71df330e Mon Sep 17 00:00:00 2001 From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Sat, 18 Feb 2023 01:37:51 -0800 Subject: [PATCH 20/38] Fixes to unblock publishing to snapcraft --- snap/snapcraft.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 2dc06a8eb..00a03b765 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -7,6 +7,8 @@ description: | on symmetric keys or X.509 certificates. It supports manual device registrations or individual/group enrollments with the Azure Device Provisioning Service. +license: MIT + grade: devel # must be 'stable' to release into candidate/stable channels confinement: strict 
@@ -68,12 +70,17 @@ parts: DESTDIR=$SNAPCRAFT_PART_INSTALL organize: usr/: . + filesets: + exclude-symlinks: [ -libexec/aziot-identity-service/aziot-* ] stage: - -include # - -lib/systemd - -var + - $exclude-symlinks override-prime: | snapcraftctl prime + # Recreate expected relative symlinks that were not staged from the install because they link external to the snap + # and prevent publishing to snapcraft. ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-certd ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-identityd ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-keyd From 66fef30b438a2ce3aedd8eb7be985842d43648f5 Mon Sep 17 00:00:00 2001 From: Micah Lewis <1009123+micahl@users.noreply.github.com> Date: Wed, 1 Mar 2023 01:57:40 -0800 Subject: [PATCH 21/38] Use env::current_exe instead of cmdline args --- aziotctl/aziotctl-common/src/lib.rs | 9 +++++---- aziotctl/aziotctl-common/src/system/status.rs | 3 ++- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/aziotctl/aziotctl-common/src/lib.rs b/aziotctl/aziotctl-common/src/lib.rs index 25e3ed7d7..1e18a085a 100644 --- a/aziotctl/aziotctl-common/src/lib.rs +++ b/aziotctl/aziotctl-common/src/lib.rs @@ -139,10 +139,11 @@ pub fn is_rfc_1035_valid(hostname: &str) -> bool { } fn program_name() -> String { - std::env::args_os() - .next() - .and_then(|arg| arg.into_string().ok()) - .unwrap_or_else(|| "".to_owned()) + std::env::current_exe().ok() + .expect("Cannot get the exec path") + .file_name() + .and_then(|arg| arg.to_str()) + .unwrap_or_else(|| "").to_owned() } #[cfg(test)] diff --git a/aziotctl/aziotctl-common/src/system/status.rs b/aziotctl/aziotctl-common/src/system/status.rs index ebef1be69..2ed296a09 100644 --- a/aziotctl/aziotctl-common/src/system/status.rs +++ b/aziotctl/aziotctl-common/src/system/status.rs 
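Review bot: `std::env::current_exe().ok().expect("Cannot get the exec path")` turns a failure to resolve the executable path into a panic, where the previous `args_os()` version fell back to an empty name; `current_exe()` resolves `/proc/self/exe` on Linux and can fail in restricted environments, and a helper that only feeds the program name into messages is not a place to abort. `.ok()` followed by `.expect()` is also redundant. A non-panicking form with the same return type: `std::env::current_exe().ok().and_then(|p| p.file_name()?.to_str().map(str::to_owned)).unwrap_or_default()`.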
@@ -12,9 +12,10 @@ pub fn get_status(processes: &[&ServiceDefinition]) -> Result<()> {
 let snap_instance_name = match std::env::var("SNAP_INSTANCE_NAME") {
 Ok(snap_instance_name) => snap_instance_name,
 Err(_) => {
- std::env::var("SNAP_NAME").expect("snapctl must be used within the context of a snap")
+ std::env::var("SNAP_NAME").expect("A snap's instance name should only exist within the context of a snap")
 }
 };
+
 return Err(anyhow!("Command not supported in a snapped environment. Use 'snap services {}'", snap_instance_name));
 }
From 15f2e69e7f704a115279cccfc833730c56f0b43b Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Wed, 15 Mar 2023 17:55:28 -0400 Subject: [PATCH 22/38] Do not require CAP_FOWNER for aziotctl_common::config::write_file (#520) The aziotctl_common::config::write_file function first changes ownership of a file, then changes the permissions. Changing the permissions on a file owned by another user requires CAP_FOWNER. While this is not normally a problem for root, the assumption that root ALWAYS has CAP_FOWNER is erroneous (snaps are a counter example). This commit simply reorders the operation, so that the file is still owned by the creator when the permissions get changed. Signed-off-by: Alex Lewontin
--- aziotctl/aziotctl-common/src/config/mod.rs | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/aziotctl/aziotctl-common/src/config/mod.rs b/aziotctl/aziotctl-common/src/config/mod.rs
index c6e5a783e..51d85014e 100644
--- a/aziotctl/aziotctl-common/src/config/mod.rs
+++ b/aziotctl/aziotctl-common/src/config/mod.rs
@@ -62,13 +62,22 @@ pub fn write_file(
 let path = path.as_ref();
 let path_displayable = path.display();
+ // We're about to truncate the file anyway, but it is a little safer to
+ // fully remove it, as a truncating write does not actually reset ownership
+ // or user permissions (which can lead to needing CAP_FOWNER, as then we
+ // encounter a set_permissions call on a file we may or may not own). We
+ // can just ignore any errors returned here as they either mean a) the file
+ // doesn't exist, in which case great, or b) there is some sort of permission
+ // or path error which will just crop up in the fs::write call anyway
+
+ let _ = fs::remove_file(path);
+
 let () = fs::write(path, content)
 .with_context(|| format!("could not create {}", path_displayable))?;
- let () = unistd::chown(path, Some(user.uid), Some(user.gid))
- .with_context(|| format!("could not set ownership on {}", path_displayable))?;
- #[cfg(not(feature = "snapctl"))] // Workaround - set_permissions hits a permission denied in a snapped environment. The 2 above work.
 let () = fs::set_permissions(path, fs::Permissions::from_mode(mode))
 .with_context(|| format!("could not set permissions on {}", path_displayable))?;
+ let () = unistd::chown(path, Some(user.uid), Some(user.gid))
+ .with_context(|| format!("could not set ownership on {}", path_displayable))?;
 Ok(())
 }
From af796f07c9689e357aaabd13bcb7746363e8bd34 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Tue, 21 Mar 2023 14:06:37 -0400 Subject: [PATCH 23/38] snapping: fix hostname reading on Ubuntu Core (#521) Signed-off-by: Alex Lewontin
--- snap/hooks/configure | 14 +++++++++++++- snap/snapcraft.yaml | 7 +++++++ 2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/snap/hooks/configure b/snap/hooks/configure
index f32a9f7f1..7c4b9cee5 100755
--- a/snap/hooks/configure
+++ b/snap/hooks/configure
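Review bot: After this reorder the file still exists for a moment with the umask-derived mode from `fs::write` (commonly 0644) before `set_permissions(mode)` narrows it, and `write_file` lays down service configuration that can carry secrets; creating the file with `mode` up front closes that window, and `create_new` additionally refuses to follow anything that appears at `path` between the `remove_file` and the create. Keep the existing `set_permissions` call afterwards, because the umask can only clear bits of the creation mode, so the file is never more open than `mode` at any point. This needs `std::os::unix::fs::OpenOptionsExt` and `std::io::Write` in scope next to the `PermissionsExt` that `from_mode` already requires; `content` is whatever `fs::write` accepted, so `as_ref()` yields the byte slice. The function signature is outside the hunk.
```rust
    let _ = fs::remove_file(path);

    // Create with the target mode so the content is never exposed under the
    // umask default between creation and set_permissions.
    let mut file = fs::OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(mode)
        .open(path)
        .with_context(|| format!("could not create {}", path_displayable))?;
    file.write_all(content.as_ref())
        .with_context(|| format!("could not write {}", path_displayable))?;
    drop(file);

    // … unchanged: set_permissions(mode), then chown to the service user …
```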
@@ -10,8 +10,20 @@ toml_new_section() { printf "[%s]\n" "$1" } +# Work around the fact that there is no consolidated, machine readable +# output of `hostnamectl` in the version included in core20. Core22 will +# be more elegant (i.e. `hostnamectl hostname`) +get_hostname() { + hostname="$(/usr/bin/hostnamectl --static)" + if [ -z "$hostname" ] ; then + hostname="$(/usr/bin/hostnamectl --transient)" + fi + + printf "$hostname" +} + { - toml_kvp "hostname" "$(cat /etc/hostname)" + toml_kvp "hostname" "$(get_hostname)" snapctl get raw-config diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 00a03b765..feb53fd4b 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -140,6 +140,13 @@ apps: listen-stream: $SNAP_DATA/shared/sockets/aziot/tpmd.sock socket-mode: 0666 +hooks: + configure: + plugs: + - hostname-control + - log-observe + - mount-observe + environment: LD_LIBRARY_PATH: $SNAP/lib/aziot-identity-service From 3db604cb34ba606908346afec263773e12a7e610 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Thu, 13 Apr 2023 17:58:50 -0400 Subject: [PATCH 24/38] snapping: enable building on arm64 (#522) Signed-off-by: Alex Lewontin --- Makefile | 4 ++-- snap/snapcraft.yaml | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index d5b350988..1fc0416b2 100644 --- a/Makefile +++ b/Makefile @@ -56,11 +56,11 @@ else CARGO_PROFILE_DIRECTORY = release endif -ifeq ($(ARCH), arm32v7) +ifneq (,$(filter $(ARCH), arm32v7 armhf)) CARGO_TARGET = armv7-unknown-linux-gnueabihf CROSS_HOST_TRIPLE = arm-linux-gnueabihf DPKG_ARCH_FLAGS = --host-arch armhf -else ifeq ($(ARCH), aarch64) +else ifneq (,$(filter $(ARCH), aarch64 arm64)) CARGO_TARGET = aarch64-unknown-linux-gnu CROSS_HOST_TRIPLE = aarch64-linux-gnu DPKG_ARCH_FLAGS = --host-arch arm64 --host-type aarch64-linux-gnu --target-type aarch64-linux-gnu diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index feb53fd4b..1d82922dc 100644 --- a/snap/snapcraft.yaml 
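Review bot: `printf "$hostname"` in `get_hostname` passes the hostname as the printf format string, so a `%` or backslash sequence in it is interpreted instead of printed, and the result is what `toml_kvp "hostname"` writes into the service configuration; use `printf '%s' "$hostname"`. The `--transient` fallback is reasonable, but neither branch checks the exit status of `hostnamectl`, so a failure silently produces an empty hostname line — consider `|| true` only where that is the intent, and otherwise let the hook fail. In the snapcraft.yaml hunk, `hostname-control` on the `configure` hook is broader than the read-only use here; if a narrower interface suffices for reading the static hostname, prefer it.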
+++ b/snap/snapcraft.yaml @@ -59,6 +59,7 @@ parts: override-build: | contrib/third-party-notices.sh > THIRD-PARTY-NOTICES make install-deb \ + ARCH=$SNAPCRAFT_TARGET_ARCH \ RELEASE=1 \ VENDOR_LIBTSS=0 \ PLATFORM_FEATURES=snapd \ From 65b25c48c0f7b32a97297954bd1c171553db20da Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Fri, 8 Sep 2023 20:25:09 -0400 Subject: [PATCH 25/38] snapping: more robust configuration management in a snap (#546) Signed-off-by: Alex Lewontin Co-authored-by: Damon Barry --- aziotctl/aziotctl-common/src/config/mod.rs | 4 ++-- aziotctl/aziotctl-common/src/lib.rs | 7 ++++--- aziotctl/aziotctl-common/src/system/restart.rs | 12 +++++------- aziotctl/aziotctl-common/src/system/status.rs | 12 +++++++----- aziotctl/aziotctl-common/src/system/stop.rs | 12 +++++------- snap/hooks/configure | 10 +++------- 6 files changed, 26 insertions(+), 31 deletions(-) diff --git a/aziotctl/aziotctl-common/src/config/mod.rs b/aziotctl/aziotctl-common/src/config/mod.rs index 3c7f4a995..f60025bb8 100644 --- a/aziotctl/aziotctl-common/src/config/mod.rs +++ b/aziotctl/aziotctl-common/src/config/mod.rs @@ -64,13 +64,13 @@ pub fn write_file( // We're about to truncate the file anyway, but it is a little safer to // fully remove it, as a truncating write does not actually reset ownership - // or user permissions (which can lead to needing CAP_FOWNER, as then we + // or user permissions (which can lead to needing CAP_FOWNER, as then we // encounter a set_permissions call on a file we may or may not own). We // can just ignore any errors returned here as they either mean a) the file // doesn't exist, in which case great, or b) there is some sort of permission // or path error which will just crop up in the fs::write call anyway - let _ = fs::remove_file(path); + let _file = fs::remove_file(path); let () = fs::write(path, content) .with_context(|| format!("could not create {}", path_displayable))?; 
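Review bot: `let _file = fs::remove_file(path);` binds the removal's `std::io::Result<()>` to a name that reads like a file handle, while the comment directly above says the error is intentionally ignored; the original `let _ =` states that, and if a lint objected to the untyped `_`, `let _: std::io::Result<()> = fs::remove_file(path);` or `fs::remove_file(path).ok();` keeps the intent visible. `write_file` starts and ends outside the hunk.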
diff --git a/aziotctl/aziotctl-common/src/lib.rs b/aziotctl/aziotctl-common/src/lib.rs index 1e18a085a..da8778710 100644 --- a/aziotctl/aziotctl-common/src/lib.rs +++ b/aziotctl/aziotctl-common/src/lib.rs @@ -139,11 +139,12 @@ pub fn is_rfc_1035_valid(hostname: &str) -> bool { } fn program_name() -> String { - std::env::current_exe().ok() + std::env::current_exe() .expect("Cannot get the exec path") .file_name() - .and_then(|arg| arg.to_str()) - .unwrap_or_else(|| "").to_owned() + .and_then(std::ffi::OsStr::to_str) + .unwrap_or("") + .to_owned() } #[cfg(test)] diff --git a/aziotctl/aziotctl-common/src/system/restart.rs b/aziotctl/aziotctl-common/src/system/restart.rs index 7ac530510..513467573 100644 --- a/aziotctl/aziotctl-common/src/system/restart.rs +++ b/aziotctl/aziotctl-common/src/system/restart.rs @@ -58,13 +58,11 @@ pub fn start(services: &[&ServiceDefinition]) -> Result<()> { print!("Starting {} services...", snap_instance_name); - let service_names = services - .iter() - .map(|s| { - s.service - .trim_start_matches("snap.") - .trim_end_matches(".service") - }); + let service_names = services.iter().map(|s| { + s.service + .trim_start_matches("snap.") + .trim_end_matches(".service") + }); let result = Command::new("snapctl") .arg("start") diff --git a/aziotctl/aziotctl-common/src/system/status.rs b/aziotctl/aziotctl-common/src/system/status.rs index 2ed296a09..7e4042079 100644 --- a/aziotctl/aziotctl-common/src/system/status.rs +++ b/aziotctl/aziotctl-common/src/system/status.rs @@ -3,7 +3,7 @@ use std::fmt; use std::process::Command; -use anyhow::{Context, Result, anyhow}; +use anyhow::{anyhow, Context, Result}; use super::ServiceDefinition; 
@@ -11,12 +11,14 @@ pub fn get_status(processes: &[&ServiceDefinition]) -> Result<()> { if cfg!(feature = "snapctl") { let snap_instance_name = match std::env::var("SNAP_INSTANCE_NAME") { Ok(snap_instance_name) => snap_instance_name, - Err(_) => { - std::env::var("SNAP_NAME").expect("A snap's instance name should only exist within the context of a snap") - } + Err(_) => std::env::var("SNAP_NAME") + .expect("A snap's instance name should only exist within the context of a snap"), }; - return Err(anyhow!("Command not supported in a snapped environment. Use 'snap services {}'", snap_instance_name)); + return Err(anyhow!( + "Command not supported in a snapped environment. Use 'snap services {}'", + snap_instance_name + )); } let services: Vec> = processes diff --git a/aziotctl/aziotctl-common/src/system/stop.rs b/aziotctl/aziotctl-common/src/system/stop.rs index e03f2558c..4b5f22040 100644 --- a/aziotctl/aziotctl-common/src/system/stop.rs +++ b/aziotctl/aziotctl-common/src/system/stop.rs @@ -37,13 +37,11 @@ pub fn stop(services: &[&ServiceDefinition]) -> Result<()> { print!("Stopping {} services...", snap_instance_name); - let service_names = services - .iter() - .map(|s| { - s.service - .trim_start_matches("snap.") - .trim_end_matches(".service") - }); + let service_names = services.iter().map(|s| { + s.service + .trim_start_matches("snap.") + .trim_end_matches(".service") + }); let result = Command::new("snapctl") .arg("stop") diff --git a/snap/hooks/configure b/snap/hooks/configure index 7c4b9cee5..7c4ba8bb8 100755 --- a/snap/hooks/configure +++ b/snap/hooks/configure 
@@ -22,14 +22,10 @@ get_hostname() { printf "$hostname" } +snapctl get raw-config > /etc/aziot/config.toml + { toml_kvp "hostname" "$(get_hostname)" - - snapctl get raw-config - - toml_new_section "aziot_keys" - toml_kvp "homedir_path" "$SNAP_COMMON/libaziot_keys_homedir" - -} > /etc/aziot/config.toml +} | tee /etc/aziot/keyd/config.d/01-snap.toml /etc/aziot/certd/config.d/01-snap.toml /etc/aziot/identityd/config.d/01-snap.toml /etc/aziot/tpmd/config.d/01-snap.toml $SNAP/bin/aziotctl config apply From 0ebf7b5f0cb533442c0678bcc299e5383ee7ea40 Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Tue, 26 Dec 2023 17:06:35 -0800 Subject: [PATCH 26/38] Add snap build to packages workflow (#576) --- .github/workflows/packages.yaml | 34 +++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml index 789f7c0fb..7a99b4a0f 100644 --- a/.github/workflows/packages.yaml +++ b/.github/workflows/packages.yaml @@ -5,6 +5,40 @@ on: - 'push' jobs: + snap: + strategy: + fail-fast: false + + matrix: + runner: + - arch: amd64 + pool: iot-identity-1es-hosted-linux-amd64 + image: agent-aziotedge-ubuntu-20.04-msmoby + - arch: aarch64 + pool: iot-identity-1es-hosted-linux-arm64 + image: agent-aziotedge-ubuntu-20.04-arm64-docker + + runs-on: + - self-hosted + - 1ES.Pool=${{ matrix.runner.pool }} + - 1ES.ImageOverride=${{ matrix.runner.image }} + + steps: + - uses: 'actions/checkout@v3' + with: + submodules: 'recursive' + + - name: 'Run' + run: | + sudo snap install snapcraft --classic + snapcraft --destructive-mode + + - name: 'Upload' + uses: 'actions/upload-artifact@v3' + with: + name: "packages_snap_${{ matrix.runner.arch }}" + path: '*.snap' + packages: runs-on: 'ubuntu-22.04' From abc7676080b5585afe741b984fbcd1b59e40a6c7 Mon Sep 17 00:00:00 2001 
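Review bot: `snapctl get raw-config > /etc/aziot/config.toml` creates the file with the hook's default umask, and the `tee` fan-out does the same for the four `01-snap.toml` fragments; if `raw-config` can carry device provisioning secrets, the mode should be restricted explicitly rather than left to the environment (the previous version of this hook wrote the same content to the same path, so this is inherited rather than introduced here). A pre-creation such as `install -m 0600 /dev/null /etc/aziot/config.toml` before the redirection, or a `umask 077` at the top of the hook if the service users can still read their fragments, pins the mode regardless of how snapd invokes the hook. `tee` also echoes the hostname fragment to the hook's stdout; append `>/dev/null` to the `tee` pipeline if that is not wanted in the hook log.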
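Review bot: The new `snap` job runs on self-hosted runners but references `actions/checkout@v3` and `actions/upload-artifact@v3` by mutable tag, and `sudo snap install snapcraft --classic` installs whatever is currently published on the store's default channel; pinning each action to a full commit SHA (`uses: 'actions/checkout@<full-sha> # v3'`) and snapcraft to a channel (`sudo snap install snapcraft --classic --channel=<track>/stable`) makes the build reproducible and keeps a tag move or a new store release from changing what runs under `sudo` on those agents. The same point applies where the job is re-added lower in the workflow in [PATCH 32/38] and to the `snapcore/action-build@v1` step introduced in [PATCH 34/38]. `snapcraft --destructive-mode` additionally builds directly on the host, so on a non-ephemeral runner its package installs persist across jobs; the switch to LXD in [PATCH 31/38] addresses that part.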
From: Damon Barry Date: Wed, 27 Dec 2023 14:55:00 -0800 Subject: [PATCH 27/38] Forward VENDOR_LIBTSS to make in test script --- ci/test-basic.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/test-basic.sh b/ci/test-basic.sh index 6fe5120a7..3aedd835c 100755 --- a/ci/test-basic.sh +++ b/ci/test-basic.sh @@ -23,4 +23,4 @@ if [ "$SKIP_TSS_MINIMAL" = 0 ]; then trap "kill '$SWTPM_PID'; rm -rf '$TPM_STATE';" EXIT fi -make SKIP_TSS_MINIMAL="$SKIP_TSS_MINIMAL" V=1 test-release +make SKIP_TSS_MINIMAL="$SKIP_TSS_MINIMAL" VENDOR_LIBTSS="${VENDOR_LIBTSS:-0}" V=1 test-release From d1958c4d133ed63de4e24858f4748c4a55089adc Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Thu, 28 Dec 2023 17:02:49 -0800 Subject: [PATCH 28/38] Only include path to vendored tpm2-tss if it was built --- key/test-aziot-key-openssl-engine-shared.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/key/test-aziot-key-openssl-engine-shared.sh b/key/test-aziot-key-openssl-engine-shared.sh index 860ac3128..def9e821e 100755 --- a/key/test-aziot-key-openssl-engine-shared.sh +++ b/key/test-aziot-key-openssl-engine-shared.sh @@ -41,12 +41,13 @@ set -euxo pipefail # For a local build, this would be target/x86_64-unknown-linux-gnu/debug. # For CI, this would be target/debug cd "$(find target -type f -name aziot-key-openssl-engine-shared-test -exec dirname {} \; -quit)" -PRIVATE_LIBS="$(find fakeroot -name aziot-identity-service -exec readlink -f {} \; -quit)" +if [ -d fakeroot ]; then + PRIVATE_LIBS="$(find fakeroot -name aziot-identity-service -exec readlink -f {} \; -quit)" -# Set constants and LD_LIBRARY_PATH (to be able to load libaziot_keys.so from the same directory) - -export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${PRIVATE_LIBS:-}:$PWD" + # Set constants and LD_LIBRARY_PATH (to be able to load libaziot_keys.so from the same directory) + export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${PRIVATE_LIBS:-}:$PWD" +fi OS="$(. /etc/os-release; echo "$ID:$VERSION_ID")" 
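Review bot: `export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${PRIVATE_LIBS:-}:$PWD"` yields a leading `:` when `LD_LIBRARY_PATH` is unset and a `::` when `find` returns nothing, and the dynamic loader treats an empty entry as the current directory; in this script the current directory is put on the path deliberately, so the effect is hidden today, but the construction becomes a real bug the moment the `cd` above changes or the script is copied elsewhere. The empty-entry-free form is `export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}${PRIVATE_LIBS:+$PRIVATE_LIBS:}$PWD"`, the same `:+` idiom the launch wrapper uses in [PATCH 38/38]. The rewrite of this block in [PATCH 30/38] keeps the leading-colon construction in both of its `export` lines.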
From 0aa863c691ed6c08e796c2b39f4326d3cceb63d6 Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Fri, 29 Dec 2023 14:21:48 -0800 Subject: [PATCH 29/38] Install libtss2-dev for platforms that don't build it --- ci/install-runtime-deps.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ci/install-runtime-deps.sh b/ci/install-runtime-deps.sh index b3ad37857..73b19985a 100755 --- a/ci/install-runtime-deps.sh +++ b/ci/install-runtime-deps.sh @@ -49,7 +49,7 @@ case "$OS" in # openssl 3.0 for Ubuntu 22.04 apt-get update -y - DEBIAN_FRONTEND=noninteractive TZ=UTC apt-get install -y curl jq openssl ca-certificates + DEBIAN_FRONTEND=noninteractive TZ=UTC apt-get install -y curl jq openssl ca-certificates libtss2-dev case "${PKCS11_BACKEND:-}" in 'softhsm') From 96a579e75a7145a3a9522691c7b684bc1c768b0a Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Fri, 29 Dec 2023 14:46:02 -0800 Subject: [PATCH 30/38] Always add target/ to LD_LIBRARY_PATH --- key/test-aziot-key-openssl-engine-shared.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/key/test-aziot-key-openssl-engine-shared.sh b/key/test-aziot-key-openssl-engine-shared.sh index def9e821e..89f195410 100755 --- a/key/test-aziot-key-openssl-engine-shared.sh +++ b/key/test-aziot-key-openssl-engine-shared.sh @@ -42,11 +42,11 @@ set -euxo pipefail # For CI, this would be target/debug cd "$(find target -type f -name aziot-key-openssl-engine-shared-test -exec dirname {} \; -quit)" +# Set constants and LD_LIBRARY_PATH (to be able to load libaziot_keys.so from the same directory) +export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:$PWD" if [ -d fakeroot ]; then PRIVATE_LIBS="$(find fakeroot -name aziot-identity-service -exec readlink -f {} \; -quit)" - - # Set constants and LD_LIBRARY_PATH (to be able to load libaziot_keys.so from the same directory) - export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${PRIVATE_LIBS:-}:$PWD" + export LD_LIBRARY_PATH="${LD_LIBRARY_PATH:-}:${PRIVATE_LIBS:-}" fi 
From 347074f26cb480f8dcb0f3de53d5fb835a242ce0 Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Mon, 1 Jan 2024 11:30:13 -0800 Subject: [PATCH 31/38] Build snaps with LXD --- .github/workflows/packages.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml index 7a99b4a0f..c088a45a5 100644 --- a/.github/workflows/packages.yaml +++ b/.github/workflows/packages.yaml @@ -31,7 +31,8 @@ jobs: - name: 'Run' run: | sudo snap install snapcraft --classic - snapcraft --destructive-mode + lxd init --minimal + snapcraft --use-lxd - name: 'Upload' uses: 'actions/upload-artifact@v3' From 1754d16f55bdf6445a69abe1a1bd72a37f9e9375 Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Tue, 2 Jan 2024 10:29:04 -0800 Subject: [PATCH 32/38] Move snap job to the bottom of the packages workflow --- .github/workflows/packages.yaml | 70 ++++++++++++++++----------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml index c088a45a5..9ffcdde43 100644 --- a/.github/workflows/packages.yaml +++ b/.github/workflows/packages.yaml @@ -5,41 +5,6 @@ on: - 'push' jobs: - snap: - strategy: - fail-fast: false - - matrix: - runner: - - arch: amd64 - pool: iot-identity-1es-hosted-linux-amd64 - image: agent-aziotedge-ubuntu-20.04-msmoby - - arch: aarch64 - pool: iot-identity-1es-hosted-linux-arm64 - image: agent-aziotedge-ubuntu-20.04-arm64-docker - - runs-on: - - self-hosted - - 1ES.Pool=${{ matrix.runner.pool }} - - 1ES.ImageOverride=${{ matrix.runner.image }} - - steps: - - uses: 'actions/checkout@v3' - with: - submodules: 'recursive' - - - name: 'Run' - run: | - sudo snap install snapcraft --classic - lxd init --minimal - snapcraft --use-lxd - - - name: 'Upload' - uses: 'actions/upload-artifact@v3' - with: - name: "packages_snap_${{ matrix.runner.arch }}" - path: '*.snap' - packages: runs-on: 'ubuntu-22.04' 
@@ -127,3 +92,38 @@ jobs: with: name: "${{ steps.generate-artifact-properties.outputs.artifact-name }}" path: 'packages' + + snap: + strategy: + fail-fast: false + + matrix: + runner: + - arch: amd64 + pool: iot-identity-1es-hosted-linux-amd64 + image: agent-aziotedge-ubuntu-20.04-msmoby + - arch: aarch64 + pool: iot-identity-1es-hosted-linux-arm64 + image: agent-aziotedge-ubuntu-20.04-arm64-docker + + runs-on: + - self-hosted + - 1ES.Pool=${{ matrix.runner.pool }} + - 1ES.ImageOverride=${{ matrix.runner.image }} + + steps: + - uses: 'actions/checkout@v3' + with: + submodules: 'recursive' + + - name: 'Run' + run: | + sudo snap install snapcraft --classic + lxd init --minimal + snapcraft --use-lxd + + - name: 'Upload' + uses: 'actions/upload-artifact@v3' + with: + name: "packages_snap_${{ matrix.runner.arch }}" + path: '*.snap' From 78a6560c388ab09567ada6d4a5c51db18c89bc12 Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Tue, 2 Jan 2024 10:59:05 -0800 Subject: [PATCH 33/38] Make snap version consistent with other packages --- snap/snapcraft.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 1d82922dc..7e9befe3b 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -1,6 +1,6 @@ name: azure-iot-identity base: core20 # the base snap is the execution environment for this snap -version: '1.4-007' # just for humans, typically '1.2+git' or '1.3.2' +version: '1.4.0~dev' # should end with '~dev' on the main branch summary: Provides provisioning and cryptographic services for Azure IoT Hub devices. description: | The Identity Service provisions a device's identity and any modules it runs. The device identity can be based From 79839ef359f47bbdbf1d20da0ac767260680c5dc Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Fri, 5 Jan 2024 11:03:52 -0800 Subject: [PATCH 34/38] Use snapcraft build action --- .github/workflows/packages.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml index 9ffcdde43..c6848c8bb 100644 --- a/.github/workflows/packages.yaml +++ b/.github/workflows/packages.yaml @@ -117,13 +117,13 @@ jobs: submodules: 'recursive' - name: 'Run' - run: | - sudo snap install snapcraft --classic - lxd init --minimal - snapcraft --use-lxd + uses: 'snapcore/action-build@v1' + id: 'snapcraft' + with: + build-info: true - name: 'Upload' uses: 'actions/upload-artifact@v3' with: - name: "packages_snap_${{ matrix.runner.arch }}" - path: '*.snap' + name: 'packages_snap_${{ matrix.runner.arch }}' + path: '${{ steps.snapcraft.outputs.snap }}' From e7bfcd69ba2d1f9bfff5fdc7a4a5fff28a04b9b7 Mon Sep 17 00:00:00 2001 From: Alex Lewontin Date: Thu, 18 Jan 2024 12:30:18 -0800 Subject: [PATCH 35/38] feature/snapping: bump snap base to core22 (#583) migrate to base: core22. this also entails a slight shift in snapcraft syntax (mostly documented [here](https://forum.snapcraft.io/t/micro-howto-migrate-from-core20-to-core22/30188), plus filesets no longer supported) --------- Signed-off-by: Alex Lewontin Signed-off-by: Alex Lewontin --- snap/hooks/configure | 14 +------------- snap/snapcraft.yaml | 28 +++++++++++++++------------- 2 files changed, 16 insertions(+), 26 deletions(-) diff --git a/snap/hooks/configure b/snap/hooks/configure index 7c4ba8bb8..35ba8b023 100755 --- a/snap/hooks/configure +++ b/snap/hooks/configure 
@@ -10,22 +10,10 @@ toml_new_section() { printf "[%s]\n" "$1" } -# Work around the fact that there is no consolidated, machine readable -# output of `hostnamectl` in the version included in core20. Core22 will -# be more elegant (i.e. `hostnamectl hostname`) -get_hostname() { - hostname="$(/usr/bin/hostnamectl --static)" - if [ -z "$hostname" ] ; then - hostname="$(/usr/bin/hostnamectl --transient)" - fi - - printf "$hostname" -} - snapctl get raw-config > /etc/aziot/config.toml { - toml_kvp "hostname" "$(get_hostname)" + toml_kvp "hostname" "$(hostnamectl hostname)" } | tee /etc/aziot/keyd/config.d/01-snap.toml /etc/aziot/certd/config.d/01-snap.toml /etc/aziot/identityd/config.d/01-snap.toml /etc/aziot/tpmd/config.d/01-snap.toml $SNAP/bin/aziotctl config apply diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index 7e9befe3b..e5313ac81 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -1,5 +1,5 @@ name: azure-iot-identity -base: core20 # the base snap is the execution environment for this snap +base: core22 # the base snap is the execution environment for this snap version: '1.4.0~dev' # should end with '~dev' on the main branch summary: Provides provisioning and cryptographic services for Azure IoT Hub devices. description: | @@ -29,7 +29,7 @@ parts: iot-identity-services: build-environment: - PATH: "$PATH:$HOME/.cargo/bin" - - ARCH: "$SNAPCRAFT_TARGET_ARCH" + - ARCH: "$CRAFT_ARCH_BUILD_FOR" after: [ rust-toolchain ] plugin: nil source: ./ @@ -55,11 +55,15 @@ parts: - ca-certificates - libcurl4-openssl-dev stage-packages: - - libtss2-esys0 + - libtss2-esys-3.0.2-0 + - libtss2-mu0 + - libtss2-rc0 + - libtss2-sys1 + - libtss2-tctildr0 override-build: | contrib/third-party-notices.sh > THIRD-PARTY-NOTICES make install-deb \ - ARCH=$SNAPCRAFT_TARGET_ARCH \ + ARCH=$CRAFT_ARCH_BUILD_FOR \ RELEASE=1 \ VENDOR_LIBTSS=0 \ PLATFORM_FEATURES=snapd \ 
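Review bot: `toml_kvp "hostname" "$(hostnamectl hostname)"` writes whatever the substitution yields, so if `hostnamectl` fails or prints nothing the hook emits an empty hostname into all four `01-snap.toml` fragments and continues to `aziotctl config apply`; nothing in the hunk checks the value (the hook's shebang and any `set` options are outside it). Capture it first and stop on an empty result: `hostname="$(hostnamectl hostname)"; [ -n "$hostname" ] || { echo "hostnamectl returned no hostname" >&2; exit 1; }`, then pass `"$hostname"` to `toml_kvp`. The removed helper also fell back from the static to the transient name; if that distinction mattered to callers, a one-line comment on the new line stating which name `hostnamectl hostname` is expected to return would help the next reader.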
@@ -68,24 +72,22 @@ parts: USER_AZIOTKS=root \ USER_AZIOTTPM=root \ SOCKET_DIR=/var/sockets/aziot \ - DESTDIR=$SNAPCRAFT_PART_INSTALL + DESTDIR=$CRAFT_PART_INSTALL organize: usr/: . - filesets: - exclude-symlinks: [ -libexec/aziot-identity-service/aziot-* ] stage: - -include # - -lib/systemd - -var - - $exclude-symlinks + - -libexec/aziot-identity-service/aziot-* override-prime: | - snapcraftctl prime + craftctl default # Recreate expected relative symlinks that were not staged from the install because they link external to the snap # and prevent publishing to snapcraft. - ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-certd - ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-identityd - ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-keyd - ln -vrfs $SNAPCRAFT_PRIME/libexec/aziot-identity-service/aziotd $SNAPCRAFT_PRIME/libexec/aziot-tpmd + ln -vrfs $CRAFT_PRIME/libexec/aziot-identity-service/aziotd $CRAFT_PRIME/libexec/aziot-certd + ln -vrfs $CRAFT_PRIME/libexec/aziot-identity-service/aziotd $CRAFT_PRIME/libexec/aziot-identityd + ln -vrfs $CRAFT_PRIME/libexec/aziot-identity-service/aziotd $CRAFT_PRIME/libexec/aziot-keyd + ln -vrfs $CRAFT_PRIME/libexec/aziot-identity-service/aziotd $CRAFT_PRIME/libexec/aziot-tpmd command-chain: plugin: dump source: ./contrib From 06986d4727e38a0947f47db883e7178619fc2225 Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Thu, 18 Jan 2024 13:27:22 -0800 Subject: [PATCH 36/38] Build snaps on Ubuntu 22.04 agents --- .github/workflows/packages.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml index c6848c8bb..5523f0ef4 100644 --- a/.github/workflows/packages.yaml +++ b/.github/workflows/packages.yaml 
@@ -101,10 +101,10 @@ jobs:
 runner:
 - arch: amd64
 pool: iot-identity-1es-hosted-linux-amd64
- image: agent-aziotedge-ubuntu-20.04-msmoby
+ image: agent-aziotedge-ubuntu-22.04-msmoby
 - arch: aarch64
 pool: iot-identity-1es-hosted-linux-arm64
- image: agent-aziotedge-ubuntu-20.04-arm64-docker
+ image: agent-aziotedge-ubuntu-22.04-arm64-docker
 
 runs-on:
 - self-hosted
From 43a110d3c956faaad41cc54841185d865da4a6ca Mon Sep 17 00:00:00 2001
From: Damon Barry
Date: Thu, 18 Jan 2024 14:21:39 -0800
Subject: [PATCH 37/38] Fix agent image name
---
.github/workflows/packages.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml
index 5523f0ef4..6eb351249 100644
--- a/.github/workflows/packages.yaml
+++ b/.github/workflows/packages.yaml
@@ -104,7 +104,7 @@ jobs:
 image: agent-aziotedge-ubuntu-22.04-msmoby
 - arch: aarch64
 pool: iot-identity-1es-hosted-linux-arm64
- image: agent-aziotedge-ubuntu-22.04-arm64-docker
+ image: agent-aziotedge-ubuntu-22.04-arm64-msmoby
 
 runs-on:
 - self-hosted
From fc5f3ca704c70fe5d04eaf309b86207268b2e13b Mon Sep 17 00:00:00 2001
From: Alex Lewontin
Date: Wed, 24 Jan 2024 12:19:56 -0500
Subject: [PATCH 38/38] Additional core22 migration (#585)
A slight fix above and beyond #583
Signed-off-by: Alex Lewontin
---
contrib/snap/command-chain/launch-wrapper.sh | 2 ++
snap/snapcraft.yaml | 3 ---
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/contrib/snap/command-chain/launch-wrapper.sh b/contrib/snap/command-chain/launch-wrapper.sh
index fcab5737e..ad6f75c0d 100755
--- a/contrib/snap/command-chain/launch-wrapper.sh
+++ b/contrib/snap/command-chain/launch-wrapper.sh
@@ -7,4 +7,6 @@ if [ -n "$log_level" ]; then
 export AZIOT_LOG="$log_level"
 fi
 
+export LD_LIBRARY_PATH="$SNAP/lib/aziot-identity-service${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
+
 exec "$@"
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index e5313ac81..e3477ce5c 100644
--- a/snap/snapcraft.yaml
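Review bot: The new `export LD_LIBRARY_PATH=...` line in launch-wrapper.sh carries no comment explaining why the library path now lives in the wrapper rather than in `snapcraft.yaml`, whose `environment:` entry is deleted in the same patch, so a later reader is likely to reintroduce it in one place or the other. Suggest `# Put the snap's private libraries first; this replaces the former 'environment:' LD_LIBRARY_PATH entry in snapcraft.yaml.` directly above the export. The `${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}` expansion correctly avoids an empty (current-directory) entry when the variable is unset.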
+++ b/snap/snapcraft.yaml
@@ -150,9 +150,6 @@ hooks:
 - log-observe
 - mount-observe
 
-environment:
- LD_LIBRARY_PATH: $SNAP/lib/aziot-identity-service
-
 slots:
 aziotctl-executables:
 interface: content