v2.0.3

docs: Add PSA about balenaOS version breakage

.versionbot/CHANGELOG.yml

@@ -1,3 +1,75 @@
+- commits:
+    - subject: 'docs: Add PSA about balenaOS version breakage'
+      hash: d33560755f5e121b1ee6524615b995d14982d35d
+      body: |
+        Due to a change in the balena-supervisor codebase, only balenaOS
+        versions <= 2.49.0 are working with open-balena.
+
+        This documentation change is a band-aid while we resolve the issue.
+      footer:
+        Change-type: patch
+        change-type: patch
+        Signed-off-by: Rich Bayliss <rich@balena.io>
+        signed-off-by: Rich Bayliss <rich@balena.io>
+      author: Rich Bayliss
+  version: 2.0.3
+  date: 2020-06-01T09:37:09.224Z
+- commits:
+    - subject: Added units to haproxy.cfg default timeouts
+      hash: de0293563f32961ff756df63d096af0fb2203d12
+      body: >
+        I added unit 's' (second) to the default timeouts in order to make them
+        more readable.
+      footer:
+        Change-type: patch
+        change-type: patch
+      author: Frederic Tausch
+  version: 2.0.2
+  date: 2020-04-03T13:47:29.358Z
+- commits:
+    - subject: 'cert-provider: Update to support ACMEv2 on staging provider'
+      hash: d67e29223ff314b40fd745ce78301e550c2c9148
+      body: >
+        Acquiring a staging certificiate from LetsEncrypt was failing, so
+        acme.sh was
+
+        updated to version 2.8.5, which includes support for using ACMEv2 on the
+
+        LetsEncrypt servers.
+
+
+        Changes to the state flow to make access retries infinite as it became
+        apparent
+
+        that in some scenarios the certificate acquisition could fail to occur
+        due to
+
+        containers taking longer to become accessible.
+      footer:
+        Change-type: patch
+        change-type: patch
+        Signed-off-by: Rich Bayliss <rich@balena.io>
+        signed-off-by: Rich Bayliss <rich@balena.io>
+      author: Rich Bayliss
+  version: 2.0.1
+  date: 2020-01-17T10:27:22.097Z
+- commits:
+    - subject: 'feature: Use S3 bucket for Registry service backend'
+      hash: 2a7d0687a22f6b4b3bedc88e18bee165ef03c932
+      body: |
+        Update open-balena-s3 to 2.8.3
+
+        This makes new installations of openBalena use the S3 container as a
+        storage backend for the Registry service by default. Existing installs
+        should not be affected.
+      footer:
+        Change-type: major
+        change-type: major
+        Signed-off-by: Rich Bayliss <rich@balena.io>
+        signed-off-by: Rich Bayliss <rich@balena.io>
+      author: Rich Bayliss
+  version: 2.0.0
+  date: 2019-09-02T09:32:56.813Z
 - commits:
     - subject: 'services: Update Registry service version'
       hash: 853ffb33e8e29b085db57df1773f8875dca5bbe3

CHANGELOG.md

@@ -4,6 +4,26 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+# v2.0.3
+## (2020-06-01)
+
+* docs: Add PSA about balenaOS version breakage [Rich Bayliss]
+
+# v2.0.2
+## (2020-04-03)
+
+* Added units to haproxy.cfg default timeouts [Frederic Tausch]
+
+# v2.0.1
+## (2020-01-17)
+
+* cert-provider: Update to support ACMEv2 on staging provider [Rich Bayliss]
+
+# v2.0.0
+## (2019-09-02)
+
+* feature: Use S3 bucket for Registry service backend [Rich Bayliss]
+
 # v1.3.0
 ## (2019-07-30)
 

README.md

@@ -60,6 +60,8 @@ Our [Getting Started][getting-started] guide is the most direct path to getting
 an openBalena installation up and running and successfully deploying your
 application to your device(s).
 
+> **IMPORTANT:** Due to changes in [balenaOS][balena-os], only versions up to and including `2.49.0` are currently supported.
+
 
 ## Documentation
 

VERSION

@@ -1 +1 @@
-1.3.0
+2.0.3

compose/services.yml

@@ -73,15 +73,16 @@ services:
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
       BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
       BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
-      COMMON_REGION:
+      COMMON_REGION: ${OPENBALENA_S3_REGION}
       REGISTRY2_CACHE_ENABLED: "false"
       REGISTRY2_CACHE_ADDR: 127.0.0.1:6379
       REGISTRY2_CACHE_DB: 0
       REGISTRY2_CACHE_MAXMEMORY_MB: 1024 # megabytes
       REGISTRY2_CACHE_MAXMEMORY_POLICY: allkeys-lru
-      REGISTRY2_S3_BUCKET:
-      REGISTRY2_S3_KEY:
-      REGISTRY2_S3_SECRET:
+      REGISTRY2_S3_REGION_ENDPOINT: ${OPENBALENA_S3_ENDPOINT}
+      REGISTRY2_S3_BUCKET: ${OPENBALENA_REGISTRY2_S3_BUCKET}
+      REGISTRY2_S3_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      REGISTRY2_S3_SECRET: ${OPENBALENA_S3_SECRET_KEY}
       REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
       REGISTRY2_STORAGEPATH: /data
 
@@ -125,8 +126,9 @@ services:
     volumes:
       - s3:/export
     environment:
-      S3_MINIO_ACCESS_KEY: abcdef1234
-      S3_MINIO_SECRET_KEY: "1234567890"
+      S3_MINIO_ACCESS_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      S3_MINIO_SECRET_KEY: ${OPENBALENA_S3_SECRET_KEY}
+      BUCKETS: ${OPENBALENA_S3_BUCKETS}
 
   redis:
     extends:

compose/versions

@@ -1,6 +1,6 @@
 export OPENBALENA_API_VERSION_TAG=v0.19.5
 export OPENBALENA_DB_VERSION_TAG=v2.0.3
-export OPENBALENA_REGISTRY_VERSION_TAG=v2.11.1
-export OPENBALENA_S3_VERSION_TAG=v2.6.2
-export OPENBALENA_VPN_VERSION_TAG=v8.10.0
 export OPENBALENA_MDNS_PUBLISHER_VERSION_TAG=v1.6.2
+export OPENBALENA_REGISTRY_VERSION_TAG=v2.11.1
+export OPENBALENA_S3_VERSION_TAG=v2.8.5
+export OPENBALENA_VPN_VERSION_TAG=v8.10.0

scripts/logger.sh

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+BLACK=`tput setaf 0`
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+BLUE=`tput setaf 4`
+MAGENTA=`tput setaf 5`
+CYAN=`tput setaf 6`
+WHITE=`tput setaf 7`
+
+BOLD=`tput bold`
+RESET=`tput sgr0`
+
+log_raw () {
+    local COLOR="${WHITE}"
+    local LEVEL="${1}"
+    local MESSAGE="${2}"
+    case "${LEVEL}" in
+        info)
+            COLOR="${BLUE}"
+            ;;
+        warn)
+            COLOR="${YELLOW}"
+            ;;
+        fatal)
+            COLOR="${RED}"
+            ;;
+        *)
+            LEVEL="debug"
+            ;;
+    esac
+    LEVEL="${LEVEL}     "
+    echo "[$(date +%T)] ${COLOR}$(echo "${LEVEL:0:5}" | tr '[:lower:]' '[:upper:]')${RESET} ${MESSAGE}";
+}
+
+log () {
+    log_raw "debug" "${1}"
+}
+
+info () {
+    log_raw "info" "${1}";
+}
+
+warn () {
+    log_raw "warn" "${1}";
+}
+
+die () {
+    log_raw "fatal" "${1}";
+    exit 1;
+}
+
+die_unless_forced () {
+    if [ ! -z "$1" ]; then
+        log_raw "warn" "$2";
+        return;
+    fi
+    
+    log_raw "fatal" "$2";
+    die "Use -f to forcibly upgrade.";
+}

scripts/make-env

@@ -40,11 +40,15 @@ b64file() {
   b64encode "$(cat "$@")"
 }
 
+# buckets to create in the S3 service...
+REGISTRY2_S3_BUCKET="registry-data"
+
 cat <<STR
 export OPENBALENA_PRODUCTION_MODE=false
 export OPENBALENA_COOKIE_SESSION_SECRET=$(randstr 32)
 export OPENBALENA_HOST_NAME=$DOMAIN
 export OPENBALENA_JWT_SECRET=$(randstr 32)
+export OPENBALENA_REGISTRY2_S3_BUCKET=${REGISTRY2_S3_BUCKET}
 export OPENBALENA_RESINOS_REGISTRY_CODE=$(randstr 32)
 export OPENBALENA_ROOT_CA=$(b64file "${ROOT_CA}")
 export OPENBALENA_ROOT_CRT=$(b64file "${ROOT_CRT}")
@@ -61,6 +65,11 @@ export OPENBALENA_VPN_SERVER_DH=$(b64file "$VPN_DH")
 export OPENBALENA_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_API_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_REGISTRY_SECRET_KEY=$(randstr 32)
+export OPENBALENA_S3_ACCESS_KEY=$(randstr 32)
+export OPENBALENA_S3_BUCKETS="${REGISTRY2_S3_BUCKET}"
+export OPENBALENA_S3_ENDPOINT="https://s3.${DOMAIN}"
+export OPENBALENA_S3_REGION=us-east-1
+export OPENBALENA_S3_SECRET_KEY=$(randstr 32)
 export OPENBALENA_SSH_AUTHORIZED_KEYS=
 export OPENBALENA_SUPERUSER_EMAIL=$SUPERUSER_EMAIL
 export OPENBALENA_SUPERUSER_PASSWORD=$(printf "%q" "${SUPERUSER_PASSWORD}")

scripts/migrate-registry-storage

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+migrate_data_to_s3 () {
+  BUCKET="${1:-registry-data}"
+
+  if [ -z "${BUCKET}" ]; then return 1; fi
+
+  if [ -n "${DOCKER_HOST}" ]; then
+      log "Using docker host: ${DOCKER_HOST}"
+      export DOCKER_HOST="${DOCKER_HOST}"
+  fi
+
+  REGISTRY_CONTAINER="$(docker ps | grep registry_ | awk '{print $1}')"
+  S3_CONTAINER="$(docker ps | grep s3_ | awk '{print $1}')"
+
+  if [ -z "${REGISTRY_CONTAINER}" ] || [ -z "${S3_CONTAINER}" ]; then return 2; fi
+
+  REGISTRY_VOLUME="$(docker inspect "${REGISTRY_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/data")) | .[0].Source')"
+  S3_VOLUME=$(docker inspect "${S3_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/export")) | .[0].Source')
+
+  if [ -z "${REGISTRY_VOLUME}" ] || [ -z "${S3_VOLUME}" ]; then return 3; fi
+
+  # run the S3 container image, and copy the data partition into S3...
+  docker run -it --rm \
+      -v "${REGISTRY_VOLUME}:/data" \
+      -v "${S3_VOLUME}:/s3" \
+      --name "migrate-registry" alpine \
+      sh -c "mkdir -p /s3/${BUCKET}/data && cp -r /data/docker /s3/${BUCKET}/data/"
+}

scripts/upgrade-1.x-to-2.0

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+source "${BASH_SOURCE%/*}/logger.sh"
+source "${BASH_SOURCE%/*}/migrate-registry-storage"
+
+# This script takes a v1.x.x install and updates the compose stack to use S3 as your
+# registry storage.
+
+source "${BASH_SOURCE%/*}/_realpath"
+
+DIR="$(dirname $(realpath "$0"))"
+BASE_DIR="$(dirname "${DIR}")"
+CONFIG_DIR="${BASE_DIR}/config"
+CONFIG_FILE="${CONFIG_DIR}/activate"
+
+# Step 1. Make sure a config exists...
+[ -f "${CONFIG_FILE}" ] || die "Unable to find existing config!";
+
+info "Preparing to upgrade..."
+source "${CONFIG_FILE}"
+
+while getopts "f" opt; do
+  case "${opt}" in
+    f) 
+        warn "Forcing upgrade! I hope you know what you're doing..."
+        FORCE_UPGRADE=1
+        ;;
+    *)
+      echo "Invalid argument: ${OPTARG}"
+      exit 1
+      ;;
+  esac
+done
+shift $((OPTIND-1))
+
+# Step 2. Check if the S3 configuration already exists...
+upgrade_required () {
+    [ -z "${OPENBALENA_REGISTRY2_S3_BUCKET}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ACCESS_KEY}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ENDPOINT}" ] || return 1;
+    [ -z "${OPENBALENA_S3_REGION}" ] || return 1;
+    [ -z "${OPENBALENA_S3_SECRET_KEY}" ] || return 1;
+}
+upgrade_required || die_unless_forced "${FORCE_UPGRADE}" "Configuration may already be using S3 for Registry storage!"
+
+# Step 3. Create missing S3 configuration...
+randstr() {
+  LC_CTYPE=C tr -dc A-Za-z0-9 < /dev/urandom | fold -w "${1:-32}" | head -n 1
+}
+
+upsert_config () {
+    var="${1}"
+    value="${2}"
+
+    if [ -z "${!var}" ]; then
+        echo "export ${1}=${2}" >> "${CONFIG_FILE}"
+    else
+        sed -i '' "s~export ${1}=.*~export ${1}=${2}~" "${CONFIG_FILE}"
+    fi
+}
+
+upsert_config "OPENBALENA_REGISTRY2_S3_BUCKET" "registry-data" || warn "Failed to update config value OPENBALENA_REGISTRY2_S3_BUCKET"
+upsert_config "OPENBALENA_S3_ACCESS_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_ACCESS_KEY"
+upsert_config "OPENBALENA_S3_ENDPOINT" "https://s3.${OPENBALENA_HOST_NAME}" || warn "Failed to update config value OPENBALENA_S3_ENDPOINT"
+upsert_config "OPENBALENA_S3_REGION" "us-east-1" || warn "Failed to update config value OPENBALENA_S3_REGION"
+upsert_config "OPENBALENA_S3_SECRET_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_SECRET_KEY"
+
+# Step 4. Migrate Registry data to S3...
+info "Copying data from the Registry volume to the S3 volume..."
+migrate_data_to_s3 "registry-data"
+case $? in
+    1)  die "Invalid bucket name";;
+    2)  die "Unable to find the running Registry or S3 containers";;
+    3)  die "Unable to determine the data volumes for the Registry or S3 containers";;
+    *)  info "Registry data copied"
+        ;;
+esac
+info "Upgrade complete"

src/cert-provider/Dockerfile

@@ -6,9 +6,11 @@ VOLUME [ "/usr/src/app/certs" ]
 
 RUN apk add --update bash curl git openssl ncurses socat
 
+# from https://github.com/Neilpang/acme.sh/releases/tag/2.8.5
 RUN git clone https://github.com/Neilpang/acme.sh.git && \
     cd acme.sh && \
-    git checkout 08357e3cb0d80c84bdaf3e42ce0e439665387f57 . && \
+    git fetch && git fetch --tags && \
+    git checkout 2.8.5 . && \
     ./acme.sh --install  \
     --cert-home /usr/src/app/certs
 

src/cert-provider/cert-provider.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # the acme.sh client script, installed via Git in the Dockerfile...
 ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
@@ -45,14 +45,20 @@ retryWithDelay() {
     DELAY=${3:-5}
 
     local ATTEMPT=0
-    while [ $RETRIES -gt $ATTEMPT ]; do
-        let "ATTEMPT++"
+    while [ "$RETRIES" -gt "$ATTEMPT" ]; do
+        (( ATTEMPT++ ))
+        logInfo "($ATTEMPT/$RETRIES) Connecting..."
         if $1; then
+            logInfo "($ATTEMPT/$RETRIES) Success!"
             return $?
         fi
 
-        echo "($ATTEMPT/$RETRIES) Retrying in ${DELAY} seconds..."
-        sleep $DELAY
+        if [ "$RETRIES" -gt "$ATTEMPT" ]; then
+            logInfo "($ATTEMPT/$RETRIES) Failed. Retrying in ${DELAY} seconds..."
+            sleep "$DELAY"
+        else
+            logInfo "($ATTEMPT/$RETRIES) Failed!"
+        fi
     done
 
     return 1
@@ -62,7 +68,7 @@ waitForOnline() {
     ADDRESS="${1,,}"
 
     logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
-    retryWithDelay "curl --output /dev/null --silent --head --fail http://${ADDRESS}" 6 5
+    retryWithDelay "curl --output /dev/null --silent --head --fail --max-time 5 http://${ADDRESS}"
 }
 
 isUsingStagingCert() {
@@ -167,7 +173,10 @@ acquireCertificate() {
 
 pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
 
-waitForOnline "${ACME_DOMAINS[0]}" || logErrorAndStop "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation."
+while ! waitForOnline "${ACME_DOMAINS[0]}"; do
+    logInfo "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation. Retrying in 30 seconds..."
+    sleep 30
+done
 
 if ! lastAcquiredCertFor "production"; then
     acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."

src/haproxy/haproxy.cfg

@@ -2,9 +2,9 @@ global
   tune.ssl.default-dh-param 1024
 
 defaults
-  timeout connect 5000
-  timeout client 50000
-  timeout server 50000
+  timeout connect 5s
+  timeout client 50s
+  timeout server 50s
 
 frontend http-in
   mode http