From 3b3e914b97784eda6e25555bb98522e9f97ac2a1 Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Wed, 26 Aug 2020 09:13:47 +0200 Subject: [PATCH 1/7] Prepare 2020.9 release. Signed-off-by: Patrick Vacek --- CHANGELOG.md | 33 +++++++++++++++---- docs/README.adoc | 1 + docs/ota-client-guide/antora.yml | 2 +- .../pages/_partials/aktualizr-version.adoc | 2 +- 4 files changed, 29 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 287f5aaf82..3cc44e2ef5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,25 @@ Our versioning scheme is `YEAR.N` where `N` is incremented whenever a new releas ## [upcoming release] +## [2020.9] - 2020-08-26 + +### Added + +- Exceptions thrown through the API are now [documented](include/libaktualizr/aktualizr.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1737) +- The client TLS certifcate and key can be re-imported from the filesystem as long as the device ID is unchanged: [PR](https://github.com/advancedtelematic/aktualizr/pull/1743) + +### Changed + +- More required headers for libaktualizr usage have been refactored for easier use: [PR](https://github.com/advancedtelematic/aktualizr/pull/1719) +- All code is now checked with clang-tidy-10: [PR](https://github.com/advancedtelematic/aktualizr/pull/1724) + +### Removed + +- The Debain package manager has been removed as it was never fully functional: [PR](https://github.com/advancedtelematic/aktualizr/pull/1739) +- Android support has been removed as it was an unfinished prototype: [PR](https://github.com/advancedtelematic/aktualizr/pull/1732) +- The ISO-TP Secondary has been removed as it was an unmaintained prototype: [PR](https://github.com/advancedtelematic/aktualizr/pull/1732) + + ## [2020.8] - 2020-07-09 ### Special considerations 
@@ -38,7 +57,7 @@ As a result of changes to the IP/POSIX Secondary protocol (see below), users of ### Fixed -- Various docker-app fixes: [PR](https://github.com/advancedtelematic/aktualizr/pull/1664) [PR](https://github.com/advancedtelematic/aktualizr/pull/1665) +- Various docker-app fixes: [PR #1664](https://github.com/advancedtelematic/aktualizr/pull/1664) and [PR #1665](https://github.com/advancedtelematic/aktualizr/pull/1665) - Use ED25519 to sign manifests when set as key type: [PR](https://github.com/advancedtelematic/aktualizr/pull/1608) ## [2020.6] - 2020-04-30 
@@ -252,9 +271,9 @@ As a result of changes to the IP/POSIX Secondary protocol (see below), users of - Target object equality requires that hardware IDs match: [PR](https://github.com/advancedtelematic/aktualizr/pull/1258) - aktualizr-repo image command now requires a hardware ID: [PR](https://github.com/advancedtelematic/aktualizr/pull/1258) - `GetStoredTargets` and `DeleteStoredTarget` aktualizr API methods: [PR](https://github.com/advancedtelematic/aktualizr/pull/1290) -- [aktualizr-get](https://github.com/advancedtelematic/aktualizr/blob/master/src/aktualizr_get/main.cc) debugging tool: [PR](https://github.com/advancedtelematic/aktualizr/pull/1276) +- [aktualizr-get](src/aktualizr_get/main.cc) debugging tool: [PR](https://github.com/advancedtelematic/aktualizr/pull/1276) - Automatic reboot command is now customizable: [PR](https://github.com/advancedtelematic/aktualizr/pull/1274) -- Basic [C API](https://github.com/advancedtelematic/aktualizr/blob/master/include/libaktualizr-c.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1263) +- Basic [C API](include/libaktualizr-c.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1263) - Ability to pass custom headers in HTTP requests: [PR](https://github.com/advancedtelematic/aktualizr/pull/1251) - Mutual TLS support in garage tools: [PR #1243](https://github.com/advancedtelematic/aktualizr/pull/1243) and [PR #1288](https://github.com/advancedtelematic/aktualizr/pull/1288) 
@@ -323,10 +342,10 @@ As a result of changes to the IP/POSIX Secondary protocol (see below), users of ### Added - New tool aktualizr-lite for anonymous TUF-only updates: [PR](https://github.com/advancedtelematic/aktualizr/pull/1107) -- [Abort() API call](src/libaktualizr/primary/aktualizr.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1122) +- [Abort() API call](include/libaktualizr/aktualizr.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1122) - [Option to print delegation metadata with aktualizr-info](src/aktualizr_info/main.cc): [PR](https://github.com/advancedtelematic/aktualizr/pull/1138) - Support for custom URIs for downloading targets: [PR](https://github.com/advancedtelematic/aktualizr/pull/1147) -- [SendManifest() API call](src/libaktualizr/primary/aktualizr.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1176) +- [SendManifest() API call](include/libaktualizr/aktualizr.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1176) - [Support for Android package management](src/libaktualizr/package_manager/androidmanager.h): [PR](https://github.com/advancedtelematic/aktualizr/pull/1034) ### Changed @@ -367,7 +386,7 @@ As a result of changes to the IP/POSIX Secondary protocol (see below), users of ### Changed -- [Most API calls refactored to return immediately with a future](src/libaktualizr/primary/aktualizr.h) +- [Most API calls refactored to return immediately with a future](include/libaktualizr/aktualizr.h) - With an OSTree Primary, an installation is now considered successful when the device reboots with the new file system version. Before that, the installation is still considered in progress. - [Running modes in libaktualizr have been replaced by simpler logic in the aktualizr wrapper](src/aktualizr_primary/main.cc): [PR](https://github.com/advancedtelematic/aktualizr/pull/1039) - Tests now use ed25519 as the default key type: [PR](https://github.com/advancedtelematic/aktualizr/pull/1038) 
@@ -393,7 +412,7 @@ As a result of changes to the IP/POSIX Secondary protocol (see below), users of ### Added -- [Ability to pause and resume binary update downloads](src/libaktualizr/primary/aktualizr.h) +- [Ability to pause and resume binary update downloads](include/libaktualizr/aktualizr.h) - Expose download binary targets in API ### Changed diff --git a/docs/README.adoc b/docs/README.adoc index ae882f09aa..04ea20bed6 100644 --- a/docs/README.adoc +++ b/docs/README.adoc @@ -40,6 +40,7 @@ The link above is for the doxygen docs on master. Doxygen docs for the following * https://advancedtelematic.github.io/aktualizr/2020.6/index.html[2020.6] * https://advancedtelematic.github.io/aktualizr/2020.7/index.html[2020.7] * https://advancedtelematic.github.io/aktualizr/2020.8/index.html[2020.8] +* https://advancedtelematic.github.io/aktualizr/2020.9/index.html[2020.9] ==== == Release process diff --git a/docs/ota-client-guide/antora.yml b/docs/ota-client-guide/antora.yml index fe5335f2d5..852da5f20d 100644 --- a/docs/ota-client-guide/antora.yml +++ b/docs/ota-client-guide/antora.yml @@ -1,6 +1,6 @@ name: ota-client title: OTA Connect Developer Guide version: latest -display_version: 2020.8 (latest) +display_version: 2020.9 (latest) nav: - modules/ROOT/nav.adoc diff --git a/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc b/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc index f81eb41d9f..c112676faf 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc @@ -3,7 +3,7 @@ // the version being viewed, but when we are referencing aktualizr from // the other, non-versioned docs, we want to make sure we're using the // latest version. -:aktualizr-version: 2020.8 +:aktualizr-version: 2020.9 :yocto-version: 3.0 From 1ead13e9eb7012561d630d5d3c88dbca283f64bc Mon Sep 17 00:00:00 2001 
From: Halyna Dumych Date: Mon, 13 Jul 2020 18:21:51 +0300 Subject: [PATCH 2/7] Change the guide version & modify 1 instruction * Change the Developer Guide version to 2020.8. * Modify the instruction on how to create a custom device ID. Relates-to: OTA-5118 Signed-off-by: Halyna Dumych --- .../ROOT/pages/use-your-own-deviceid.adoc | 38 ++++++++----------- 1 file changed, 15 insertions(+), 23 deletions(-) diff --git a/docs/ota-client-guide/modules/ROOT/pages/use-your-own-deviceid.adoc b/docs/ota-client-guide/modules/ROOT/pages/use-your-own-deviceid.adoc index ed6e6b4371..b159a5f002 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/use-your-own-deviceid.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/use-your-own-deviceid.adoc 
@@ -8,32 +8,24 @@ We recommend that you link:https://docs.ota.here.com/ota-client/latest/{docname} endif::[] -In OTA Connect, a device has two types of identifier: an internal device UUID, and a standard device ID. +In OTA Connect, a device has two types of identifiers: an internal device UUID and a standard device ID. By default, OTA Connect generates a random device ID for you, but you can also create your own device ID. You can later use this unique device ID to xref:ota-web::create-custom-device-fields.adoc[create custom device fields] and xref:ota-web::create-smart-group.adoc[group devices]. -// MC: use xref:otaconnect-identifiers.adoc[identifier]: when topic is finished -By default, OTA Connect generates a random device ID for you, but you can override this behavior. +You can create a custom device ID in one of the following ways: -The standard way to specify device identity is in the device certificate -- specifically, in the Subject Distinguished Name (DN) field. +* Specify your unique device ID in the aktualizr configuration. For more information, see the xref:aktualizr-config-options.adoc#_provision[reference documentation]. -This method requires that you use device-credential provisioning which tells OTA Connect to use your device certificates for authentication. This method is a little more complicated than the "shared-credential" provisioning method that you might have used in the "Get Started" guide. - -However you can try our test procedures to specify your own Device IDs. Earlier in this guide, we showed you how to xref:generate-devicecert.adoc[generate and sign a device certificate] using a self-signed root certificate. 
- -* You can define your own device ID in the device certificate, by changing step 1 of that procedure - -** Replace the existing sample command: -+ -`export device_id=${DEVICE_ID:-$\{DEVICE_UUID}}` -+ -Update the command with your device ID instead: +* If you use the device-credential provisioning method, when you xref:generate-devicecert.adoc[generate a device certificate], update the following command with your custom device ID: + -`export device_id=` +``` +export device_id=${DEVICE_ID:-$\{DEVICE_UUID}} +``` + -For example: -`export device_id=1HTHCATR81H391382` - -** You can then continue the test procedure to provision your device. - -* If you already have your own procedure for generating device certificates, then you're probably already using your own device IDs to bind each certificate to the device. +.Custom device ID +==== +You want to use the following link:https://en.wikipedia.org/wiki/Vehicle_identification_number[vehicle identification number (VIN)] as your device ID: `SAJWA1C78D8V38055`. +``` +export device_id=SAJWA1C78D8V38055 +``` +==== -In any case, OTA Connect uses the device ID that you've defined in your device certificates instead of automatically generating one. +OTA Connect will not generate a new device ID but use the device ID that you have defined in your device certificates. From cceb86af8aa5d4da0edaea76dd314127eed30ddc Mon Sep 17 00:00:00 2001 From: Halyna Dumych Date: Thu, 16 Jul 2020 19:49:55 +0300 Subject: [PATCH 3/7] Garage-sign documentation Document how to: * Remove a sw version. * Store keys on external storage. * Use signature thresholds. Relates-to: OTA-5062 
Signed-off-by: Halyna Dumych --- docs/ota-client-guide/modules/ROOT/nav.adoc | 3 + .../pages/change-signature-thresholds.adoc | 58 +++++++++++++++++++ .../ROOT/pages/garage-sign-reference.adoc | 5 +- .../keep-local-repo-on-external-storage.adoc | 31 ++++++++++ .../modules/ROOT/pages/remove-sw-version.adoc | 38 ++++++++++++ .../ROOT/pages/upload-large-binary.adoc | 11 +++- 6 files changed, 144 insertions(+), 2 deletions(-) create mode 100644 docs/ota-client-guide/modules/ROOT/pages/change-signature-thresholds.adoc create mode 100644 docs/ota-client-guide/modules/ROOT/pages/keep-local-repo-on-external-storage.adoc create mode 100644 docs/ota-client-guide/modules/ROOT/pages/remove-sw-version.adoc diff --git a/docs/ota-client-guide/modules/ROOT/nav.adoc b/docs/ota-client-guide/modules/ROOT/nav.adoc index 32afcba86d..9c638ce156 100644 --- a/docs/ota-client-guide/modules/ROOT/nav.adoc +++ b/docs/ota-client-guide/modules/ROOT/nav.adoc @@ -71,7 +71,9 @@ ifndef::env-github[:pageroot:] * xref:{pageroot}secure-software-updates.adoc[Secure your software repository] ** xref:{pageroot}install-garage-sign-deploy.adoc[Install the garage-deploy tool] +** xref:{pageroot}keep-local-repo-on-external-storage.adoc[Keep your repository on external storage] ** xref:{pageroot}rotating-signing-keys.adoc[Rotate keys for Root and Targets metadata] +** xref:{pageroot}change-signature-thresholds.adoc[Change signature thresholds] ** xref:{pageroot}metadata-expiry.adoc[Manage metadata expiry dates] .Deploy your OTA-enabled solution 
@@ -86,6 +88,7 @@ ifndef::env-github[:pageroot:] * xref:{pageroot}rollback.adoc[Set up rollback behavior] * xref:{pageroot}deb-package-install.adoc[Install the client from a deb package] * xref:{pageroot}upload-large-binary.adoc[Upload a binary file] +* xref:{pageroot}remove-sw-version.adoc[Remove a software version] * xref:{pageroot}push-images-with-bitbake.adoc[Upload Yocto images using offline credentials] * xref:{pageroot}virtual-secondaries.adoc[Use Virtual Secondaries] diff --git a/docs/ota-client-guide/modules/ROOT/pages/change-signature-thresholds.adoc b/docs/ota-client-guide/modules/ROOT/pages/change-signature-thresholds.adoc new file mode 100644 index 0000000000..749b1d4903 --- /dev/null +++ b/docs/ota-client-guide/modules/ROOT/pages/change-signature-thresholds.adoc 
@@ -0,0 +1,58 @@ += Change signature thresholds +ifdef::env-github[] + +[NOTE] +==== +We recommend that you link:https://docs.ota.here.com/ota-client/latest/{docname}.html[view this article in our documentation portal]. Not all of our articles render correctly in GitHub. +==== +endif::[] + +One way you can keep your software repository more secure is by adding extra signing keys, and then setting up *key thresholds* to require metadata to be signed by multiple different keys. By default, each role on the repository has one signing key and a threshold of one. For more security in the Root role, for example, you might want to create 5 different keys, keep them locked up at different locations around the world, and require that at least three of the keys sign off on any change to Root metadata. You can also use key thresholds for delegations. + +*To change the thresholds for signing Root metadata:* + +. Generate a new Root key. ++ +[source,bash] +---- +garage-sign key generate --repo --name root-key-1 --type rsa +---- + +. Add the new Root key to the `root.json` file. ++ +[source,bash] +---- +garage-sign root key add --repo --key-name +---- + +. If you need more Root keys, repeat steps 1 and 2. +. In the *Roles* folder of your local software repository, open the *Unsigned* folder, and then open the `root.json` file. +. Depending on the threshold that you want to change, in the `signed` block, in the `root` subsection, for the `keyids` object, specify the list of valid keys that you want to use for signing. ++ +You can find the list of all your Root keys in the `keys` subsection. ++ +NOTE: The new version of Root metadata should be valid according to the rules of the previous and current versions. So you must sign Root metadata with the threshold of keys specified in the previous Root metadata file and the threshold of keys specified in the new Root metadata file. 
For more information, see the https://uptane.github.io/papers/uptane-standard.1.0.1.html#rfc.section.5.4.4.3[related section] of the Uptane standard. + +. For the `version` object, specify the version number of the new Root metadata. +. Sign the `root.json` file with the same number of valid signatures that you specified in the Root key threshold. ++ +[source,bash] +---- +garage-sign root sign \ + --repo \ + -k \ + -k \ + --expires +---- + +. Push the modified `root.json` file to OTA Connect. ++ +[source,bash] +---- +garage-sign root push \ + --repo +---- + +To change the threshold of delegations, modify the .json file with the delegation metadata in the same way as the `root.json` file. + +To learn more about the `garage-sign` commands and options, see its xref:garage-sign-reference.adoc[reference] documentation. diff --git a/docs/ota-client-guide/modules/ROOT/pages/garage-sign-reference.adoc b/docs/ota-client-guide/modules/ROOT/pages/garage-sign-reference.adoc index 1f4df4a27d..9f5b211c09 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/garage-sign-reference.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/garage-sign-reference.adoc @@ -391,7 +391,10 @@ Note that this *will not* make the binary available on its own. After the upload To learn how to use the garage-sign tool, see the following documentation: +* xref:keep-local-repo-on-external-storage.adoc[Keep your repository on external storage] * xref:rotating-signing-keys.adoc[Rotate keys for Root and Targets metadata] +* xref:change-signature-thresholds.adoc[Change signature thresholds] * xref:metadata-expiry.adoc[Manage metadata expiry dates] -* xref:upload-large-binary.adoc[Upload a binary file] * xref:customise-targets-metadata.adoc[Add custom metadata fields to Targets metadata] +* xref:upload-large-binary.adoc[Upload a binary file] +* xref:remove-sw-version.adoc[Remove a software version] 
diff --git a/docs/ota-client-guide/modules/ROOT/pages/keep-local-repo-on-external-storage.adoc b/docs/ota-client-guide/modules/ROOT/pages/keep-local-repo-on-external-storage.adoc new file mode 100644 index 0000000000..56a10a3bad --- /dev/null +++ b/docs/ota-client-guide/modules/ROOT/pages/keep-local-repo-on-external-storage.adoc @@ -0,0 +1,31 @@ += Keep your repository on external storage +ifdef::env-github[] + +[NOTE] +==== +We recommend that you link:https://docs.ota.here.com/ota-client/latest/{docname}.html[view this article in our documentation portal]. Not all of our articles render correctly in GitHub. +==== +endif::[] + +Your software repository contains information on your software images and packages, as well as your Root and Targets keys. +For safety reasons, we recommend keeping your keys offline on an external storage device, and for convenience, we recommend to simply keep the entire repository structure (with the keys included) on external storage. This external device should be kept offline, in a securely locked location, and only plugged into a computer when you need to make changes to the repository. + +*To get a copy of a software repository on external storage:* + +. Connect the external storage to your computer. +. Make sure you have the link:https://tuf-cli-releases.ota.here.com/index.html[latest version,window="_blank"] of the `garage-sign` tool. +. Get the .zip file with your provisioning credentials and save it to your external storage. ++ +For instructions, see the xref:ota-client::generating-provisioning-credentials.adoc[related] section in this guide. +. In the folder of your external storage, initialize a local repository. ++ +[source, bash] +---- +garage-sign init \ + --repo \ + --credentials +---- + +Work with your local repository only on the external storage. + +To learn more about the `garage-sign` commands and options, see its xref:garage-sign-reference.adoc[reference] documentation. \ No newline at end of file 
diff --git a/docs/ota-client-guide/modules/ROOT/pages/remove-sw-version.adoc b/docs/ota-client-guide/modules/ROOT/pages/remove-sw-version.adoc new file mode 100644 index 0000000000..a84af0eaf1 --- /dev/null +++ b/docs/ota-client-guide/modules/ROOT/pages/remove-sw-version.adoc @@ -0,0 +1,38 @@ += Remove a software version +ifdef::env-github[] + +[NOTE] +==== +We recommend that you link:https://docs.ota.here.com/ota-client/latest/{docname}.html[view this article in our documentation portal]. Not all of our articles render correctly in GitHub. +==== +endif::[] + +To remove a software version, you need to delete a target in the Targets metadata file. +include::garage-sign-reference.adoc[tags=target-term] + +Once you delete a target, you can no longer install it on devices. + +*To delete a target:* + +include::upload-large-binary.adoc[tags=gs-initialize] + +include::upload-large-binary.adoc[tags=gs-pull-targets] + +. To delete the target, depending on the type of image, specify the target name and version in one of the following forms: + +** For OSTree images, `_` +** For binary images, `-` ++ +[source,bash] +---- +garage-sign targets delete \ + --filename - +---- + +include::upload-large-binary.adoc[tags=gs-sign-targets] + +include::upload-large-binary.adoc[tags=gs-push-targets] + +You can no longer see the deleted software version in your portal software repository. + +To learn more about the `garage-sign` commands and options, see its xref:garage-sign-reference.adoc[reference] documentation. diff --git a/docs/ota-client-guide/modules/ROOT/pages/upload-large-binary.adoc b/docs/ota-client-guide/modules/ROOT/pages/upload-large-binary.adoc index b189c2c20c..cb7388c3c9 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/upload-large-binary.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/upload-large-binary.adoc 
@@ -13,6 +13,7 @@ NOTE: You can upload software packages of up to 1 GB on the OTA Connect Portal. *To upload a binary file using `garage-sign`:* +// tag::gs-initialize[] . Make sure you have the link:https://tuf-cli-releases.ota.here.com/index.html[latest version,window="_blank"] of the `garage-sign` tool. . Get the .zip file with your provisioning credentials. + @@ -20,14 +21,17 @@ For instructions, see the xref:ota-client::generating-provisioning-credentials.a . Initialize a local repository. + +NOTE: For safety reasons, we recommend xref:keep-local-repo-on-external-storage.adoc[keeping your local repository on an external storage device]. ++ [source, bash] ---- garage-sign init \ --repo \ --credentials ---- -+ +// end::gs-initialize[] +// tag::gs-pull-targets[] . Pull the latest version of the `targets.json` file. + [source,bash] @@ -35,6 +39,7 @@ garage-sign init \ garage-sign targets pull \ --repo ---- +// end::gs-pull-targets[] . To upload your binary to OTA Connect, specify its name and version. + @@ -63,6 +68,7 @@ garage-sign targets add-uploaded \ --hardwareids , ---- +// tag::gs-sign-targets[] . Sign the new `targets.json` file with your Targets key. + [source,bash] @@ -71,7 +77,9 @@ garage-sign targets sign \ --repo \ --key-name mytargets ---- +// end::gs-sign-targets[] +// tag::gs-push-targets[] . Push the new `targets.json` file to OTA Connect. + [source,bash] @@ -79,5 +87,6 @@ garage-sign targets sign \ garage-sign targets push \ --repo ---- +// end::gs-push-targets[] To learn more about the `garage-sign` commands and options, see its xref:garage-sign-reference.adoc[reference] documentation. From b665be6042c1c6ef92d32c2704a9e613703bd924 Mon Sep 17 00:00:00 2001 From: Halyna Dumych Date: Thu, 30 Jul 2020 18:10:50 +0300 Subject: [PATCH 4/7] Add info on the aktualizr config options page Mention that users should not use `/` as a path in config. Relates-to: OTA-5095 
Signed-off-by: Halyna Dumych --- .../modules/ROOT/pages/aktualizr-config-options.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/ota-client-guide/modules/ROOT/pages/aktualizr-config-options.adoc b/docs/ota-client-guide/modules/ROOT/pages/aktualizr-config-options.adoc index 9d4c72bb1f..67f10f0fd6 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/aktualizr-config-options.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/aktualizr-config-options.adoc @@ -153,7 +153,10 @@ Options for how aktualizr stores data locally. |========================================================================================== | Name | Default | Description | `type` | `"sqlite"` | What type of storage driver to use. Options: `"sqlite"`. The former `"filesystem"` option is now disabled, existing devices will be migrated (see note below) -| `path` | `"/var/sota"` | Directory for storage +| `path` | `"/var/sota"` | Directory for storage. + +This should be a directory dedicated to aktualizr data. Aktualizr will attempt to set permissions on this directory, so this option should not be set to anything that is used for another purpose. In particular, do not set it to `/` or to your home directory, as this may render your system unusable. + | `sqldb_path` | `"sql.db"` | Relative path to the database file. | `uptane_metadata_path` | `"metadata"` | Path to the uptane metadata store, for migration from `filesystem`. | `uptane_private_key_path` | `"ecukey.der"` | Relative path to the Uptane specific private key, for migration from `filesystem`. From 0dd18aa51fbf70576dd69c16b6b1c1c1c34a5348 Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Fri, 7 Aug 2020 11:12:52 +0200 Subject: [PATCH 5/7] Bump the default Yocto branch to dunfell. Signed-off-by: Patrick Vacek --- .../modules/ROOT/pages/_partials/aktualizr-version.adoc | 4 ++-- .../modules/ROOT/pages/yocto-release-branches.adoc | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc b/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc index c112676faf..064297f8b5 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/_partials/aktualizr-version.adoc @@ -5,6 +5,6 @@ // latest version. :aktualizr-version: 2020.9 -:yocto-version: 3.0 +:yocto-version: 3.1 -:yocto-branch: zeus +:yocto-branch: dunfell diff --git a/docs/ota-client-guide/modules/ROOT/pages/yocto-release-branches.adoc b/docs/ota-client-guide/modules/ROOT/pages/yocto-release-branches.adoc index 2d8e4ea2ee..8811a2d10d 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/yocto-release-branches.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/yocto-release-branches.adoc @@ -10,7 +10,7 @@ endif::[] == Supported branches -Yocto has a number of release branches. Their details are documented in the https://wiki.yoctoproject.org/wiki/Releases[Yocto wiki]. HERE OTA Connect currently actively supports the following branches: +Yocto has a number of release branches. Their details are documented in the https://wiki.yoctoproject.org/wiki/Releases[Yocto wiki]. HERE OTA Connect currently supports the following branches: * dunfell * zeus From 012ed05c46d3e6e2901675e78b239846da0c9e9c Mon Sep 17 00:00:00 2001 From: Ignacio Lucero Date: Thu, 13 Aug 2020 12:26:53 +0200 Subject: [PATCH 6/7] Add missing configuration values to simulate a device. Signed-off-by: Ignacio Lucero --- docs/ota-client-guide/modules/ROOT/examples/sota-local.toml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/ota-client-guide/modules/ROOT/examples/sota-local.toml b/docs/ota-client-guide/modules/ROOT/examples/sota-local.toml index 4708d5b0cb..6134ddb63d 100644 --- a/docs/ota-client-guide/modules/ROOT/examples/sota-local.toml +++ b/docs/ota-client-guide/modules/ROOT/examples/sota-local.toml 
@@ -1,6 +1,8 @@ [provision] provision_path = "credentials.zip" primary_ecu_hardware_id = "local-fake" +# This setting is for testing purposes only. Do not use in a real device. +mode = "SharedCredReuse" [logger] loglevel = 1 @@ -10,6 +12,7 @@ path = "storage" [pacman] type = "none" +images_path = "storage/images" [uptane] secondary_config_file = "virtualsec.json" From d82bfa00ec194125bcb29df6fd3b27fd4418736b Mon Sep 17 00:00:00 2001 From: Patrick Vacek Date: Tue, 18 Aug 2020 16:36:40 +0200 Subject: [PATCH 7/7] release-process.adoc: Skip master and go straight to dunfell. It is not worth the effort to deal with maintaining master anymore, so we now treat dunfell basically as we used to treat master. Signed-off-by: Patrick Vacek --- docs/ota-client-guide/modules/ROOT/pages/release-process.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/ota-client-guide/modules/ROOT/pages/release-process.adoc b/docs/ota-client-guide/modules/ROOT/pages/release-process.adoc index 1ac16b38d9..3012692a0f 100644 --- a/docs/ota-client-guide/modules/ROOT/pages/release-process.adoc +++ b/docs/ota-client-guide/modules/ROOT/pages/release-process.adoc 
@@ -169,6 +169,6 @@ Newly created releases automatically trigger an OTF pipeline in gitlab. Currentl == Update meta-updater -The version of aktualizr used by link:https://github.com/advancedtelematic/meta-updater/[meta-updater] should be updated to match the new release. First, open a PR against master that updates aktualizr to the same commit used in the newly released tag. This is also a good time to update the aktualizr recipe to pull the latest version of link:https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/index.html[garage-sign]. +The version of aktualizr used by link:https://github.com/advancedtelematic/meta-updater/[meta-updater] should be updated to match the new release. First, open a PR against dunfell that updates aktualizr to the same commit used in the newly released tag. (Historically, we started with master, but we now skip straight to dunfell.) This is also a good time to update the aktualizr recipe to pull the latest version of link:https://ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com/index.html[garage-sign]. -Once that PR has passed oe-selftest, successfully passed review, and gotten merged, you should then backport that change, along with anything else relevant since the last backport was done, to the xref:yocto-release-branches.adoc[currently supported release branches]. Note that while master is allowed to use arbitrary recent version of aktualizr, the release branches should only use released versions of aktualizr. +Once that PR has passed oe-selftest, successfully passed review, and gotten merged, you should then backport that change, along with anything else relevant since the last backport was done, to the other xref:yocto-release-branches.adoc[currently supported release branches]. Note that while master is allowed to use arbitrary recent version of aktualizr, the release branches should only use released versions of aktualizr.
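Review bot: In the new `## [2020.9]` block of CHANGELOG.md (PATCH 1/7), two added entries have typos: "certifcate" should be "certificate" in the TLS re-import entry, and "Debain" should be "Debian" in the first Removed entry. The Android and ISO-TP Secondary entries both link to pull/1732; confirm that is intended. The new entries use bare `[PR]` labels while the next hunk of this same patch moves the docker-app entry to the `[PR #1664]` style, so pick one style for the release notes.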
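Review bot: In use-your-own-deviceid.adoc (PATCH 2/7), the rewritten second bullet places `export device_id=${DEVICE_ID:-$\{DEVICE_UUID}}` inside a fenced block, where the `\{` escape carried over from the old inline form may render with a literal backslash; check the rendered page and drop the escape if it does. The closing sentence says OTA Connect uses the ID "that you have defined in your device certificates", which no longer covers the first bullet, where the ID is set in the aktualizr configuration. The commit message also lists a guide version change to 2020.8, but the diffstat shows only this one file.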
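Review bot: In change-signature-thresholds.adoc (PATCH 3/7), the procedure edits the `keyids` list in step 5 but no step tells the reader to change the threshold value itself, which is the subject of the page; add that edit next to the `keyids` step. The signing step asks for "the same number of valid signatures that you specified in the Root key threshold", while the NOTE above it requires satisfying both the previous and the new threshold; reword the step so that it agrees with the NOTE. Step 3 says to repeat steps 1 and 2, but step 1 hard-codes `--name root-key-1`, so say that each key needs its own name.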
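Review bot: keep-local-repo-on-external-storage.adoc (PATCH 3/7) ends with `\ No newline at end of file`; add the trailing newline. In the intro, "we recommend to simply keep" reads better as "we recommend keeping". The page tells readers to put the credentials .zip and the keys on a single device kept offline but does not say what to do if that device is lost or fails; a sentence on keeping a second copy under the same conditions would close that gap.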
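Review bot: In remove-sw-version.adoc (PATCH 3/7), the `garage-sign targets delete` example passes only `--filename`, while every other garage-sign command in this series passes `--repo`; add it or note why it is not needed here. The sentence "Once you delete a target, you can no longer install it on devices" should also say what happens on devices that already run that version, and make clear whether the deletion applies only after the sign and push steps that follow.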
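Review bot: In upload-large-binary.adoc (PATCH 3/7), the hunk at `@@ -20,14 +21,17 @@` replaces the `+` continuation after the `garage-sign init` block with the `// end::gs-initialize[]` and `// tag::gs-pull-targets[]` comment lines between two numbered items; build the page and confirm the numbered list still continues rather than restarting, both here and in remove-sw-version.adoc where the tagged regions are joined by `include::`. The `gs-sign-targets` region also carries the hard-coded `--key-name mytargets` into the new page, so either make it a placeholder or say that it is an example name.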
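Review bot: In the `path` row of aktualizr-config-options.adoc (PATCH 4/7), "Aktualizr will attempt to set permissions on this directory" does not say which permissions are set or whether the change is recursive, which is what a reader needs to judge the risk; state both. Since a wrong value "may render your system unusable", consider a WARNING admonition instead of plain text inside a table cell, and check that the blank lines added inside the cell do not break the table when rendered.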
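Review bot: In yocto-release-branches.adoc (PATCH 5/7), dropping "actively" from "currently actively supports" changes the support statement, while the commit message only mentions bumping the default branch to dunfell. If zeus moves to a lower support level with this change, say so in the list; otherwise move the wording change to its own commit or mention it in the message.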
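Review bot: In sota-local.toml (PATCH 6/7), the comment above `mode = "SharedCredReuse"` says the setting is for testing only but not what the mode does or why it must not reach a real device; one more comment line would make the example harder to copy into a production configuration by mistake. `images_path = "storage/images"` is added without a comment and, like `path = "storage"`, is relative, so say which directory it resolves against.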
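Review bot: In release-process.adoc (PATCH 7/7), the second rewritten paragraph still ends with "Note that while master is allowed to use arbitrary recent version of aktualizr, the release branches should only use released versions of aktualizr", which no longer matches a process that skips master and now counts dunfell among the release branches ("the other ... currently supported release branches"); update or drop that sentence. The garage-sign link in the first paragraph points at the `ats-tuf-cli-releases.s3-eu-central-1.amazonaws.com` index while the pages added in PATCH 3/7 use `tuf-cli-releases.ota.here.com`; use one location throughout.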