feature: Support deployment via balena push to local-mode balenaOS devices

- remove some `.gitignore` entries as this is also honoured by `balena push`
- added a step to `scripts/quickstart` to produce a single, flat `docker-compose.yml` after running
- set the compose file versions to `2.0` to ensure only supported terms are used in the `docker-compose.yml` file output
- quoted empty env values as these need to be passed in as blank, and not ommitted
- include the MDNS publisher service IF the domain being used is a .local one
- corrected spelling of macOS in script messages
- move sidecar container source into ./src as per convention

Change-type: patch
Signed-off-by: Rich Bayliss <rich@balena.io>

.gitignore

@@ -1,6 +1,7 @@
 .DS_Store
 .project
 .vagrant/
-config/
-src/
-package-lock.json
+
+/config
+/docker-compose.yml
+/package-lock.json

compose/common.yml

@@ -1,4 +1,4 @@
-version: '2.1'
+version: "2.0"
 
 services:
   component:

compose/mdns.yml

@@ -0,0 +1,31 @@
+version: "2.0"
+
+services:
+  balena-mdns-publisher:
+    image: balena/balena-mdns-publisher:${OPENBALENA_MDNS_PUBLISHER_VERSION_TAG}
+    network_mode: "host"
+    cap_add:
+        - SYS_RESOURCE
+        - SYS_ADMIN
+    security_opt:
+        - apparmor:unconfined
+    tmpfs:
+        - /run
+        - /sys/fs/cgroup
+    # balenaOS - Required for host DBus comms. Not required for standalone Linux
+    labels:
+        io.balena.features.dbus: '1'
+        io.balena.features.supervisor-api: '1'
+    environment:
+        CONFD_BACKEND: ENV
+        # The name of the TLD to use. This *must* match certificates used for the rest of
+        # the resin backend (eg. that for BALENA_ROOT_CA if present).
+        MDNS_TLD: ${OPENBALENA_HOST_NAME}
+        # List of subdomains to advertise. This must include all required hosts.
+        MDNS_SUBDOMAINS: '["api", "db", "registry", "s3", "vpn"]'
+        # The expectation is the DBus socket to use is always at the following location.
+        DBUS_SESSION_BUS_ADDRESS: "unix:path=/host/run/dbus/system_bus_socket"
+        # Selects the interface used for incoming connections from the wider subnet.
+        # For NUCs, this is `eno1`. If running natively, pick the appropriate interface.
+        # Alternatively, keep the default commented out to autoselect.
+        #INTERFACE: "eno1"

compose/services.yml

@@ -1,4 +1,4 @@
-version: "2.1"
+version: "2.0"
 
 volumes:
   certs: {}
@@ -13,7 +13,7 @@ services:
     extends:
       file: ./common.yml
       service: component
-    image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG:-master}
+    image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG}
     depends_on:
       - db
       - s3
@@ -44,7 +44,7 @@ services:
       REDIS_PORT: 6379
       REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
       REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME}
-      SENTRY_DSN:
+      SENTRY_DSN: ""
       TOKEN_AUTH_BUILDER_TOKEN: ${OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN}
       TOKEN_AUTH_CERT_ISSUER: api.${OPENBALENA_HOST_NAME}
       TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY}
@@ -61,7 +61,7 @@ services:
     extends:
       file: ./common.yml
       service: component
-    image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG:-master}
+    image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG}
     depends_on:
       - s3
       - redis
@@ -89,7 +89,7 @@ services:
     extends:
       file: ./common.yml
       service: component
-    image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG:-master}
+    image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG}
     depends_on:
       - api
     cap_add:
@@ -101,7 +101,7 @@ services:
       BALENA_VPN_PORT: 443
       PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
       RESIN_VPN_GATEWAY: 10.2.0.1
-      SENTRY_DSN:
+      SENTRY_DSN: ""
       VPN_HAPROXY_USEPROXYPROTOCOL: "true"
       VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
       VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
@@ -113,7 +113,7 @@ services:
     extends:
       file: ./common.yml
       service: system
-    image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG:-master}
+    image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG}
     volumes:
       - db:/var/lib/postgresql/data
 
@@ -121,7 +121,7 @@ services:
     extends:
       file: ./common.yml
       service: component
-    image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG:-master}
+    image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG}
     volumes:
       - s3:/export
     environment:
@@ -140,7 +140,7 @@ services:
     extends:
       file: ./common.yml
       service: system
-    build: ../haproxy
+    build: ../src/haproxy
     depends_on:
       - api
       - cert-provider
@@ -175,7 +175,7 @@ services:
       - certs:/certs:ro
 
   cert-provider:
-    build: ../cert-provider
+    build: ../src/cert-provider
     volumes:
       - certs:/certs
       - cert-provider:/usr/src/app/certs

compose/template.yml

@@ -7,4 +7,4 @@
 # `compose/services.yml` as the "base" config.
 #
 # You may view the effective config with `scripts/compose config`.
-version: '2.1'
+version: "2.0"

compose/versions

@@ -3,3 +3,4 @@ export OPENBALENA_DB_VERSION_TAG=v2.0.3
 export OPENBALENA_REGISTRY_VERSION_TAG=v2.7.0
 export OPENBALENA_S3_VERSION_TAG=v2.6.2
 export OPENBALENA_VPN_VERSION_TAG=v8.10.0
+export OPENBALENA_MDNS_PUBLISHER_VERSION_TAG=v1.6.2

repo.yml

@@ -11,3 +11,5 @@ upstream:
     url: https://github.com/balena-io/open-balena-db
   - repo: open-balena-s3
     url: https://github.com/balena-io/open-balena-s3
+  - repo: balena-mdns-publisher
+    url: https://github.com/balena-io/balena-mdns-publisher

scripts/_realpath

@@ -22,7 +22,7 @@ done
 if [ -z "${REALPATH}" ]; then
     echo_error 'Unable to find suitable command for realpath.'
     if [ $(uname) == 'Darwin' ]; then
-        echo 'GNU coreutils are required to build openBalena on MacOS. To install with brew, run'
+        echo 'GNU coreutils are required to build openBalena on macOS. To install with brew, run'
         echo ''
         echo '    brew install coreutils'
         echo ''

scripts/compose

@@ -24,9 +24,17 @@ if [ ! -f "$ENV_FILE" ]; then
   exit 1
 fi
 
+source "${ENV_FILE}"
+
+# only include the MDNS publisher IF the domain is valid...
+if [ ${OPENBALENA_HOST_NAME: -6} == ".local" ]; then
+  INCLUDE_MDNS="-f ${BASE_DIR}/compose/mdns.yml"
+fi
+
 # shellcheck source=/dev/null
-source "${VERSIONS_FILE}"; source "${ENV_FILE}"; docker-compose \
+source "${VERSIONS_FILE}"; docker-compose \
   --project-name 'openbalena' \
   -f "${BASE_DIR}/compose/services.yml" \
+  ${INCLUDE_MDNS} \
   -f "${CONFIG_DIR}/docker-compose.yml" \
   "$@"

scripts/quickstart

@@ -16,6 +16,12 @@ RESET=`tput sgr0`
 OPENSSL_VERSION=$(openssl version -v)
 if [[ "${OPENSSL_VERSION}" =~ ^LibreSSL.*$ ]]; then
   echo -e "${RED}ERROR: You may not have a compatible OpenSSL version (${OPENSSL_VERSION}). Please install OpenSSL version 1.0.2q or above.${RESET}"
+  if [ $(uname) == 'Darwin' ]; then
+        echo 'OpenSSL is required to build openBalena on macOS. To install with brew, run'
+        echo ''
+        echo '    brew install openssl'
+        echo ''
+    fi
   exit 1
 fi
 
@@ -125,7 +131,25 @@ fi
 echo_bold "==> Success!"
 echo '  - Start the instance with: ./scripts/compose up -d'
 echo '  - Stop the instance with: ./scripts/compose stop'
+echo '  - To create a single, flat, docker-compose.yml file, run:'
+echo ''
+echo '      ./scripts/compose config > docker-compose.yml'
+echo ''
 
 if [ -z "${ACME_CERT_ENABLED}" ]; then
   echo "  - Use the following certificate with Balena CLI: ${CERTS_DIR}/root/ca.crt"
+
+  case $(uname) in
+    Darwin)
+      echo ''
+      printf '    On macOS:\n\n'
+      printf '      sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "%s/root/ca.crt"\n' "${CERTS_DIR}"
+      echo ''
+      ;;
+    *)
+      ;;
+  esac
+
+  echo -e "    ${YELLOW}IMPORTANT:${RESET} You will need to restart your Docker daemon after trusting this certificate to allow your workstation to push images to the registry."
+  echo ''
 fi

src/haproxy/haproxy.cfg

@@ -64,34 +64,35 @@ backend backend_api
   mode http
   option forwardfor
   balance roundrobin
-  server resin_api_1 api:80 check port 80
+  server balena_api_1 api:80 check port 80
 
 backend backend_registry
   mode http
   option forwardfor
   balance roundrobin
-  server resin_registry_1 registry:80 check port 80
+  server balena_registry_1 registry:80 check port 80
 
 backend backend_vpn
   mode http
   option forwardfor
   balance roundrobin
-  server resin_vpn_1 vpn:80 check port 80
+  server balena_vpn_1 vpn:80 check port 80
 
 backend backend_s3
   mode http
   option forwardfor
   balance roundrobin
+  server balena_s3_1 s3:80 check port 80
 
 backend cert-provider
   mode http
   option forwardfor
   balance roundrobin
-  server resin_cert-provider_1 cert-provider:80 no-check
+  server balena_cert-provider_1 cert-provider:80 no-check
 
 backend vpn-devices
   mode tcp
-  server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
+  server balena_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
 
 frontend db
   mode tcp
@@ -101,7 +102,7 @@ frontend db
 
 backend backend_db
   mode tcp
-  server resin_db_1 db:5432 check port 5432
+  server balena_db_1 db:5432 check port 5432
 
 frontend redis
   mode tcp
@@ -111,7 +112,7 @@ frontend redis
 
 backend backend_redis
   mode tcp
-  server resin_redis_1 redis:6379 check port 6379
+  server balena_redis_1 redis:6379 check port 6379
 
 listen vpn-tunnel
   mode tcp