2025-04-18 07:50:15 +00:00
14 changed files with 178 additions and 6221 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@ -1,27 +0,0 @@
-{
-  "extends": ["github>balena-io/renovate-config"],
-  "ignorePaths": [
-    "**/node_modules/**",
-    "**/bower_components/**",
-    "**/vendor/**",
-    "**/examples/**",
-    "**/__tests__/**",
-    "**/test/**",
-    "**/tests/suites/**",
-    "**/__fixtures__/**",
-    "**/Dockerfile.template"
-  ],
-  "customManagers": [
-    {
-      "customType": "regex",
-      "fileMatch": [
-        ".*"
-      ],
-      "matchStrings": [
-        ".*amiFilter=(?<packageName>.*?)\n(.*currentImageName=(?<currentDigest>.*?)\n)?(.*\n)?.*?(?<depName>[a-zA-Z0-9-_:]*)[ ]*?[:|=][ ]*?[\"|']?(?<currentValue>ami-[a-z0-9]{17})[\"|']?.*"
-      ],
-      "datasourceTemplate": "aws-machine-image",
-      "versioningTemplate": "aws-machine-image"
-    }
-  ]
-}
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@ -8,11 +8,6 @@ on:
    types: [opened, synchronize, closed]
    branches: [main, master]

-permissions:
-  contents: read
-  id-token: "write"  # AWS GitHub OIDC required: write
-  packages: read
-
 jobs:
  flowzone:
    name: Flowzone
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -51,8 +51,8 @@ jobs:
            launch_template_version: ${{ vars.AWS_EC2_LT_VERSION || '6' }}
            # https://docs.renovatebot.com/modules/datasource/aws-machine-image/
            # amiFilter=[{"Name":"owner-id","Values":["099720109477"]},{"Name":"name","Values":["ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*"]},{"region":"us-east-1"}]
-            # currentImageName=ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-20241206
-            ami: ami-00f3c44a2de45a590
+            # currentImageName=unknown
+            ami: ami-04b70fa74e45c3917
            subdomain:  ${{ vars.DNS_SUBDOMAIN || 'auto' }}
            dns_tld: ${{ vars.DNS_TLD || 'balena-devices.com' }}

@ -73,16 +73,13 @@ jobs:
      name: ${{ matrix.target }}

    steps:
-    - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
-      with:
-        persist-credentials: false
-        ref: ${{ github.event.pull_request.head.sha }}
+    - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08

    # https://github.com/unfor19/install-aws-cli-action
    - name: Setup awscli
      uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 # v1

-    - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722
+    - uses: aws-actions/configure-aws-credentials@39228ca2bffc0bfc8f7761ce893f5b80e7eaaf8f
      with:
        aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
        role-session-name: github-${{ github.job }}-${{ github.run_id }}-${{ github.run_attempt }}
@ -181,7 +178,7 @@ jobs:
        AWS_DEFAULT_REGION: ${{ vars.AWS_REGION || 'us-east-1' }}

    # https://github.com/webfactory/ssh-agent
-    - uses: webfactory/ssh-agent@a6f90b1f127823b31d4d4a8d96047790581349bd # v0.9.1
+    - uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
      with:
        ssh-private-key: ${{ steps.generate-key-pair.outputs.ssh_private_key }}

@ -243,8 +240,9 @@ jobs:
        with_backoff balena login --token '${{ secrets.BALENA_API_KEY }}'

        pr_id='${{ github.event.pull_request.id }}'
+        head_sha='${{ github.event.pull_request.head.sha || github.event.head_commit.id }}'
        release_id="$(with_backoff balena releases '${{ matrix.fleet }}' --json \
-          | jq -r --arg pr_id "${pr_id}" --arg head_sha "${COMMIT}" '.[]
+          | jq -r --arg pr_id "${pr_id}" --arg head_sha "${head_sha}" '.[]
          | select(.release_tag[].tag_key=="balena-ci-commit-sha")
          | select(.release_tag[].value==$head_sha)
          | select(.release_tag[].tag_key=="balena-ci-id")
@ -256,9 +254,6 @@ jobs:

        with_backoff balena device ${{ steps.register-test-device.outputs.balena_device_uuid }}

-      env:
-        COMMIT: ${{ github.event.pull_request.head.sha  }}
-
    - name: configure balenaOS test device environment
      if: matrix.target == 'balena-public-pki'
      run: |
@ -390,10 +385,6 @@ jobs:
          --service cert-manager \
          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'

-        with_backoff balena env add AWS_SESSION_TOKEN '${{ env.AWS_SESSION_TOKEN }}' \
-          --service cert-manager \
-          --device '${{ steps.register-test-device.outputs.balena_device_uuid }}'
-
    - name: provision balenaOS ephemeral SUT
      id: balena-sut
      if: matrix.target == 'balena-public-pki'
@ -807,14 +798,6 @@ jobs:
                && rm -f "\${tmphosts}" \
                && getent hosts api.${{ matrix.subdomain }}.${{ matrix.dns_tld }} | grep 127.0.1.1

-              sshd -T
-              service ssh restart
-
-          # https://forums.docker.com/t/docker-compose-through-ssh-failing-and-referring-to-docker-example-com/115165/18
-          - path: /etc/ssh/sshd_config.d/00-cloud-init
-            content: |
-              MaxStartups 100:0:100
-
        # cloud-init runs as root
        # (e.g.) https://cloudinit.readthedocs.io/en/latest/reference/merging.html#example-cloud-config
        runcmd:
@ -856,13 +839,10 @@ jobs:
        aws ec2 wait instance-running --instance-ids "${instance_id}"
        with_backoff aws ec2 wait instance-status-ok --instance-ids "${instance_id}"

-        private_ip="$(aws ec2 describe-instances --instance-id "${instance_id}" \
-          | jq -r .Reservations[].Instances[].PrivateIpAddress)"
-        echo "private_ip=${private_ip}" >>"${GITHUB_OUTPUT}"
-
      env:
        ATTEMPTS: 2
        AWS_DEFAULT_REGION: ${{ vars.AWS_REGION || 'us-east-1' }}
+        COMMIT: ${{ github.event.pull_request.head.sha || github.event.head_commit.id || github.event.pull_request.head.ref }}

    - name: SUT&DUT (Ubuntu/compose)
      if: matrix.target == 'compose-private-pki'
@ -896,27 +876,17 @@ jobs:
        trap 'log_output' EXIT

        # https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html
-        mkdir -p "${HOME}/.ssh/controlmasters"
        cat << EOF > "${HOME}/.ssh/config"
-        host *
-            StrictHostKeyChecking no
-            UserKnownHostsFile /dev/null
-
        host i-*
            StrictHostKeyChecking no
            UserKnownHostsFile /dev/null
-            TCPKeepAlive yes
-            ServerAliveInterval 5
-            ControlPath "${HOME}/.ssh/controlmasters/%r@%h:%p"
-            ControlMaster auto
-            ControlPersist 5m
            ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
        EOF

        # docs/getting-started.md
        cmds="set -ax \
          && cloud-init status --wait --long && cat </var/log/cloud-init-output.log \
-          && sudo -u balena git clone https://token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.event.pull_request.head.repo.full_name }}.git /home/balena/open-balena \
+          && sudo -u balena git clone https://token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git /home/balena/open-balena \
          && sudo -u balena git config --global --add safe.directory /home/balena/open-balena \
          && cd /home/balena/open-balena \
          && sudo -u balena git checkout ${COMMIT} \
@ -1028,16 +998,6 @@ jobs:
        with_backoff balena keys | grep ${{ steps.provision-ssh-key.outputs.key_id }} \
          | awk '{print $1}' | xargs --no-run-if-empty balena key rm --yes

-    - name: remove AWS/EC2 key-pair
-      if: always() && matrix.target == 'compose-private-pki'
-      continue-on-error: true
-      run: |
-        set -ue
-
-        [[ '${{ vars.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x
-
-        aws ec2 delete-key-pair --key-name ${{ steps.generate-key-pair.outputs.key_name }}
-
    - name: delete balenaOS test device
      if: always() && matrix.target == 'balena-public-pki'
      continue-on-error: true
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,17 +0,0 @@
-# See https://pre-commit.com for more information
-# See https://pre-commit.com/hooks.html for more hooks
-exclude: ^(.versionbot/|CHANGELOG.md|VERSION|README.md)
-repos:
-   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
-    hooks:
-    -   id: trailing-whitespace
-    -   id: end-of-file-fixer
-    -   id: check-yaml
-        args: [--allow-multiple-documents]
-    -   id: check-added-large-files
-
-   repo: https://github.com/shellcheck-py/shellcheck-py
-    rev: v0.10.0.1
-    hooks:
-    -   id: shellcheck
--- a/.versionbot/CHANGELOG.yml
+++ b/.versionbot/CHANGELOG.yml
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/README.md
+++ b/README.md
@ -16,23 +16,6 @@ images to your devices.

 To learn more about openBalena, visit [balena.io/open][open-balena-website].

- [Features](#features)
- [Getting Started](#getting-started)
- [Compatibility](#compatibility)
- [Documentation](#documentation)
- [Getting Help](#getting-help)
- [Contributing](#contributing)
- [Roadmap](#roadmap)
- [Differences between openBalena and balenaCloud](#differences-between-openbalena-and-balenacloud)
- [License](#license)
- [FAQ](#faq)
-  - [How do you ensure continuity of openBalena? Are there security patches on openBalena?](#how-do-you-ensure-continuity-of-openbalena-are-there-security-patches-on-openbalena)
-  - [How do you ensure the "Join" command actually works between openBalena and](#how-do-you-ensure-the-join-command-actually-works-between-openbalena-and)
-  - [Is it "production ready"?](#is-it-production-ready)
-  - [Can a new device type be added to openBalena?](#can-a-new-device-type-be-added-to-openbalena)
-  - [Are there open-source UI dashboards from the community for openBalena?](#are-there-open-source-ui-dashboards-from-the-community-for-openbalena)
-
-

 ## Features

@ -176,7 +159,7 @@ While we actually have some rather large fleets using openBalena, we consider it
 perpetually in "beta". This means potentially introducing breaking changes between
 releases.

-### Can a new device type be added to openBalena?
+### Can new device type be added to openBalena?
 openBalena imports the following public [device-types] "out of the box". You can specify
 your own contracts repository by overriding `CONTRACTS_PUBLIC_REPO_NAME`,
 `CONTRACTS_PUBLIC_REPO_OWNER` and `IMAGE_STORAGE_BUCKET` environment variables on the API
--- a/2
+++ b/2
@ -1 +1 @@
-4.1.390
+4.1.57
--- a/balena.yml
+++ b/balena.yml
@ -23,4 +23,4 @@ data:
    - generic-amd64
    - genericx86-64-ext
    - intel-nuc
-version: 4.1.390
+version: 4.1.57
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -26,7 +26,7 @@ x-default-environment: &default-environment
  DB_PASSWORD: docker
  DB_USER: docker
  LOG_LEVEL: DEBUG
-  PRODUCTION_MODE: 'true'
+  PRODUCTION_MODE: 'false'

 x-default-healthcheck-trait: &with-default-healthcheck
  healthcheck:
@ -79,7 +79,7 @@ services:
      *with-default-privileges,
      *with-default-volumes,
    ]
-    image: balena/open-balena-api:35.0.0
+    image: balena/open-balena-api:v26.1.6
    depends_on:
      - db
      - redis
@ -119,7 +119,7 @@ services:
      *with-default-healthcheck,
      *with-default-privileges,
    ]
-    image: balena/open-balena-registry:2.41.25
+    image: balena/open-balena-registry:v2.39.65
    volumes:
      - certs-data:/certs
      - resin-data:/balena
@ -146,7 +146,7 @@ services:
      *with-network-privileges,
      *with-default-privileges,
    ]
-    image: balena/open-balena-vpn:11.32.6
+    image: balena/open-balena-vpn:v11.30.31
    depends_on:
      - api
    environment:
@ -156,13 +156,11 @@ services:
      VPN_PORT: 443
      # ensure correct service instance IP is registered with the API
      VPN_SERVICE_REGISTER_INTERFACE: eth0
-    devices:
-      - /dev/net/tun

  # https://github.com/balena-io/open-balena-db
  db:
    <<: *base-service
-    image: balena/open-balena-db:6.0.0
+    image: balena/open-balena-db:v5.2.2
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
@ -177,7 +175,7 @@ services:
      *with-default-healthcheck,
      *with-default-privileges,
    ]
-    image: balena/open-balena-s3:2.28.68
+    image: balena/open-balena-s3:v2.28.50
    volumes:
      - s3-data:/export
      - certs-data:/certs
@ -191,7 +189,7 @@ services:
  redis:
    <<: *base-service
    # https://redis.io/blog/what-redis-license-change-means-for-our-managed-service-providers/
-    image: redis:7.4-alpine
+    image: redis:7.2-alpine
    volumes:
      - redis-data:/data
    healthcheck:
@ -235,7 +233,7 @@ services:
      ALIASES: api,ca,cloudlink,db,delta,logs,redis,registry2,s3,stats,tunnel
    labels:
      io.balena.features.balena-socket: 1
-      io.balena.features.supervisor-api: 1
+      io.balena.features.supervisor-api	: 1

  # https://github.com/balena-io/cert-manager
  # https://certbot.eff.org/docs/using.html
@ -261,7 +259,7 @@ services:
  # https://github.com/cloudflare/cfssl/blob/master/doc/api/intro.txt
  balena-ca:
    <<: *base-service
-    image: balena/ca-private:0.0.15
+    image: balena/ca-private:v0.0.14
    volumes:
      - pki-data:/pki
      - certs-data:/certs
--- a/src/balena-tests/Dockerfile
+++ b/src/balena-tests/Dockerfile
@ -1,7 +1,7 @@
 FROM ubuntu:24.04

 # renovate: datasource=github-releases depName=balena-io/balena-cli
-ARG BALENA_CLI_VERSION=v21.1.0
+ARG BALENA_CLI_VERSION=v18.2.33

 RUN apt-get update && apt-get install -y --no-install-recommends \
 	bash \
--- a/src/balena-tests/balena.sh
+++ b/src/balena-tests/balena.sh
@ -1,17 +1,16 @@
 #!/usr/bin/env bash

-# shellcheck disable=SC2034,SC1090
+# shellcheck disable=SC2154,SC2034,SC1090
 set -aeu

-read -ra curl_opts <<<'--retry 3 --fail'
+curl_opts="--retry 3 --fail"
 if [[ $VERBOSE =~ on|On|Yes|yes|true|True ]]; then
    set -x
-    curl_opts+=('--verbose')
+    curl_opts="${curl_opts} --verbose"
 else
-    curl_opts+=('--silent')
+    curl_opts="${curl_opts} --silent"
 fi

-# shellcheck disable=SC1091
 source /usr/sbin/functions

 function remove_test_assets() {
@ -50,10 +49,10 @@ function shutdown_dut() {

 function set_update_lock {
    if [[ -n "${BALENA_SUPERVISOR_ADDRESS:-}" ]] && [[ -n "${BALENA_SUPERVISOR_API_KEY:-}" ]]; then
-        while [[ $(curl "${curl_opts[@]}" "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
+        while [[ $(curl ${curl_opts} "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
          -H "Content-Type: application/json" | jq -r '.update_pending') == 'true' ]]; do

-            curl "${curl_opts[@]}" "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
+            curl ${curl_opts} "${BALENA_SUPERVISOR_ADDRESS}/v1/device?apikey=${BALENA_SUPERVISOR_API_KEY}" \
              -H "Content-Type: application/json" | jq -r

            sleep "$(( (RANDOM % 3) + 3 ))s"
@ -90,7 +89,7 @@ function update_ca_certificates() {
 }

 function wait_for_api() {
-    while ! curl "${curl_opts[@]}" "https://api.${DNS_TLD}/ping"; do
+    while ! curl ${curl_opts} "https://api.${DNS_TLD}/ping"; do
        echo 'waiting for API...'
        sleep "$(( (RANDOM % 5) + 5 ))s"
    done
@ -164,7 +163,7 @@ function check_device_status() {
        balena_device_uuid="$(cat </balena/config.json | jq -r .uuid)"

        if [[ -n $balena_device_uuid ]]; then
-            is_online="$(balena device list --json --fleet "${TEST_FLEET}" \
+            is_online="$(balena devices --json --fleet "${TEST_FLEET}" \
              | jq -r --arg uuid "${balena_device_uuid}" '.[] | select(.uuid==$uuid).is_online == true')"

            if [[ $is_online =~ true ]]; then
@ -184,7 +183,6 @@ function registry_auth() {
    if [[ -n "${REGISTRY_USER:-}" ]] && [[ -n "${REGISTRY_PASS:-}" ]]; then
        with_backoff docker login -u "${REGISTRY_USER}" -p "${REGISTRY_PASS}"

-        # shellcheck disable=SC2016
        printf '{"https://index.docker.io/v1/": {"username":"%s", "password":"$s"}}' \
          "${REGISTRY_USER}" "${REGISTRY_PASS}" | jq -r > ~/.balena/secrets.json
    fi
@ -208,21 +206,23 @@ function deploy_release() {
 }

 function get_releases() {
-      with_backoff balena release list --json "${TEST_FLEET}"
+      with_backoff balena releases --json "${TEST_FLEET}"
 }

 function get_release_commit() {
-      get_releases | jq -re \
-        '[.[] | select((.status=="success")
-        and (.is_invalidated==false)
-        and (.is_final==true))][0].commit'
+      echo "$(get_releases)" | jq -re \
+        'select((.[].status=="success")
+        and (.[].is_invalidated==false)
+        and (.[].is_final==true)
+        and (.[].release_type=="final"))[0].commit'
 }

 function get_release_id() {
-      get_releases | jq -re \
-        '[.[] | select((.status=="success")
-        and (.is_invalidated==false)
-        and (.is_final==true))][0].id'
+      echo "$(get_releases)" | jq -re \
+        'select((.[].status=="success")
+        and (.[].is_invalidated==false)
+        and (.[].is_final==true)
+        and (.[].release_type=="final"))[0].id'
 }

 function supervisor_update_target_state() {
@ -230,7 +230,7 @@ function supervisor_update_target_state() {
    balena_device_uuid="$(cat </balena/config.json | jq -r .uuid)"

    if [[ -n "${balena_device_uuid:-}" ]]; then
-        while ! curl "${curl_opts[@]}" "https://api.${DNS_TLD}/supervisor/v1/update" \
+        while ! curl ${curl_opts} "https://api.${DNS_TLD}/supervisor/v1/update" \
          --header "Content-Type: application/json" \
          --header "Authorization: Bearer $(cat <~/.balena/token)" \
          --data "{\"uuid\": \"${balena_device_uuid}\", \"data\": {\"force\": true}}"; do
@ -263,7 +263,7 @@ function check_running_release() {

 function get_os_version() {
    local BALENARC_BALENA_URL
-    BALENARC_BALENA_URL="${BALENA_API_URL//https:\/\/api\./}"
+    BALENARC_BALENA_URL="$(echo "${BALENA_API_URL}" | sed 's#https://api\.##g')"

    local os_version
    os_version=${OS_VERSION:-$(with_backoff balena os versions "${DEVICE_TYPE}" | head -n 1)}
@ -276,13 +276,13 @@ function upload_release_asset() {
        release_id=${1:-1}
        release_asset="$(find / -type f -name '*.png' | head -n 1)"

-        curl "${curl_opts[@]}" "https://api.${DNS_TLD}/resin/release_asset" \
+        curl ${curl_opts} "https://api.${DNS_TLD}/resin/release_asset" \
          --header "Authorization: Bearer $(cat <~/.balena/token)" \
          --form "asset=@${release_asset}" \
          --form "release=${release_id}" \
-          --form "asset_key=$((RANDOM))-$(basename "${release_asset}")" \
+          --form "asset_key=$((RANDOM))-$(basename ${release_asset})" \
          | jq -re .asset.href \
-          | xargs curl "${curl_opts[@]}" -o "/tmp/$((RANDOM))-$(basename "${release_asset}")"
+          | xargs curl ${curl_opts} -o "/tmp/$((RANDOM))-$(basename ${release_asset})"
    fi
 }

--- a/src/cert-manager/Dockerfile
+++ b/src/cert-manager/Dockerfile
@ -1,4 +1,4 @@
 # https://github.com/balena-io/cert-manager
-FROM balena/cert-manager:0.3.2
+FROM balena/cert-manager:v0.2.2

 COPY *.json /opt/
--- a/src/test-device/Dockerfile
+++ b/src/test-device/Dockerfile
@ -1,6 +1,6 @@
 # https://hub.docker.com/r/qemux/qemu-docker
 # https://github.com/qemus/qemu-docker
-FROM qemux/qemu-docker:6.20
+FROM qemux/qemu-docker:5.16

 RUN apt-get update && apt-get install -y --no-install-recommends \
 	minicom \
 @ -1 +1 @@
 .1.390
 .1.57