Make updates for v1.5 (#606)

Note we typically cut a release branch and make version changes there. This time we'll start by working directly from main. We can move to a release branch at any time if needed.

Changes:
- Removed support for CentOS 7 and Debian 10. These will continue to be supported in v1.4 until they go out of support this summer (June 2024), but they won't be supported in 1.5.
- Bumped the version in various files.

.github/workflows/e2e-tests-manual.yaml

@@ -52,8 +52,6 @@ jobs:
 
       matrix:
         os:
-        - 'centos:7'
-        - 'debian:10'
         - 'debian:11'
         # EL8 VMs spontaneously lose ssh after installing updates. Disable it for now.
         # - 'platform:el8'

.github/workflows/e2e-tests-scheduled.yaml

@@ -68,8 +68,6 @@ jobs:
         - 'main'
         - 'release/1.4'
         os:
-        - 'centos:7'
-        - 'debian:10'
         - 'debian:11'
         # EL8 VMs spontaneously lose ssh after installing updates. Disable it for now.
         # - 'platform:el8'

.github/workflows/packages.yaml

@@ -13,8 +13,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'debian:11-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
@@ -27,12 +25,6 @@ jobs:
         os:
         - ''
         exclude:
-        # CentOS 7 does not have functioning cross compilers. The Azure/iotedge repo builds CentOS 7 arm32v7 and aarch64 packages
-        # by running the arm32v7 / aarch64 containers under qemu. For now we don't care to replicate that here.
-        - container_os: 'centos:7'
-          arch: 'arm32v7'
-        - container_os: 'centos:7'
-          arch: 'aarch64'
         # More investigation needed for RHEL 8 and 9. Excluding for now.
         - container_os: 'redhat/ubi8:latest'
           arch: 'arm32v7'
@@ -69,8 +61,7 @@ jobs:
       env:
         ARCH: "${{ matrix.arch }}"
         OS: "${{ matrix.os }}"
-        # PACKAGE_VERSION should end with '~dev' on the main branch.
-        PACKAGE_VERSION: '1.4.0~dev'
+        PACKAGE_VERSION: '1.5.0'
         # PACKAGE_RELEASE should always be '1'.
         PACKAGE_RELEASE: '1'
     - name: 'Generate artifact properties'

.github/workflows/test.yaml

@@ -17,8 +17,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'debian:11-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
@@ -75,8 +73,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'debian:11-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
@@ -139,8 +135,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
         arch:

Makefile

@@ -280,7 +280,7 @@ codecov: default
 # Packaging
 #
 # - `make PACKAGE_VERSION='...' PACKAGE_RELEASE='...' deb` builds deb packages for Debian and Ubuntu.
-# - `make PACKAGE_VERSION='...' PACKAGE_RELEASE='...' rpm` builds RPM packages for CentOS.
+# - `make PACKAGE_VERSION='...' PACKAGE_RELEASE='...' rpm` builds RPM packages for RHEL.
 
 # Creates a source tarball at /tmp/aziot-identity-service-$(PACKAGE_VERSION).tar.gz
 dist:
@@ -352,19 +352,10 @@ rpm:
 	# Copy spec file to rpmbuild specs directory
 	mkdir -p $(RPMBUILDDIR)/SPECS
 
-	# Engine needs to be installed to what openssl considers the enginesdir,
-	# which we can get from openssl 1.1 with `openssl version -e` but not from openssl 1.0.
-	# Also, the filename for 1.0 should have a `lib` prefix.
-	#
-	# CentOS 7 has 1.0 and RedHat 8 has 1.1, so we need to support both here. RedHat 9 has 3.0.
-	#
-	# Since there is no RPM macro for those two things, we have to infer them from
-	# the output of `openssl version` and `openssl version -e` ourselves. This wouldn't be right
-	# if we were cross-compiling, but we don't support cross-compiling for either of those two OSes,
-	# so it's fine.
+	# Engine needs to be installed to what openssl considers the enginesdir, which we can get from
+	# openssl 1.1 and 3.0 with `openssl version -e`.
 	command -v openssl # Assert that openssl exists
 	case "$$(openssl version)" in \
-		'OpenSSL 1.0.'*) OPENSSL_ENGINE_FILENAME='%\{_libdir\}/openssl/engines/libaziot_keys.so' ;; \
 		'OpenSSL 1.1.'* | 'OpenSSL 3.0.'*) OPENSSL_ENGINE_FILENAME="$$(openssl version -e | sed 's/^ENGINESDIR: "\(.*\)"$$/\1/')/aziot_keys.so" ;; \
 		*) echo "Unknown openssl version [$$(openssl version)]"; exit 1 ;; \
 	esac; \

aziotctl/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "aziotctl"
-version = "1.4.0"
+version = "1.5.0"
 authors = ["Azure IoT Edge Devs"]
 edition = "2021"
 homepage = "https://azure.github.io/iot-identity-service/"

aziotd/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "aziotd"
-version = "1.4.0"
+version = "1.5.0"
 authors = ["Azure IoT Edge Devs"]
 edition = "2021"
 homepage = "https://azure.github.io/iot-identity-service/"

ci/e2e-tests/test-run.sh

@@ -85,14 +85,6 @@ get_package() {
     echo "Artifacts URL: $artifacts_url" >&2
 
     case "$OS" in
-        'centos:7')
-            artifact_name='centos-7'
-            ;;
-
-        'debian:10')
-            artifact_name='debian-10-slim'
-            ;;
-
         'debian:11')
             artifact_name='debian-11-slim'
             ;;
@@ -175,16 +167,6 @@ get_package() {
 
     echo 'Extracting package...' >&2
     case "$OS" in
-        'centos:7')
-            unzip -j package.zip 'centos7/amd64/aziot-identity-service-*.x86_64.rpm' -x '*-debuginfo-*.rpm' '*-devel-*.rpm' >&2
-            printf '%s/%s\n' "$PWD" aziot-identity-service-*.x86_64.rpm
-            ;;
-
-        'debian:10')
-            unzip -j package.zip 'debian10/amd64/aziot-identity-service_*_amd64.deb' >&2
-            printf '%s/%s\n' "$PWD" aziot-identity-service_*_amd64.deb
-            ;;
-
         'debian:11')
             unzip -j package.zip 'debian11/amd64/aziot-identity-service_*_amd64.deb' >&2
             printf '%s/%s\n' "$PWD" aziot-identity-service_*_amd64.deb
@@ -549,22 +531,6 @@ echo 'Creating VM...' >&2
 # Choice of publisher is determined by
 # https://docs.microsoft.com/en-us/troubleshoot/azure/cloud-services/support-linux-open-source-technology
 case "$OS" in
-    'centos:7')
-        # az vm image list --all \
-        #     --publisher 'OpenLogic' --offer 'CentOS' --sku '7' \
-        #     --query "[?publisher == 'OpenLogic' && offer == 'CentOS'].{ sku: sku, version: version, urn: urn }" --output table
-        vm_image='OpenLogic:CentOS:7_9-gen2:latest'
-        ;;
-
-    'debian:10')
-        # Not listed on the docs.microsoft.com page, but credativ doesn't publish Debian 10+ images.
-        #
-        # az vm image list --all \
-        #     --publisher 'Debian' --offer 'debian-10' --sku '10' \
-        #     --query "[?publisher == 'Debian' && offer == 'debian-10'].{ sku: sku, version: version, urn: urn }" --output table
-        vm_image='Debian:debian-10:10-gen2:latest'
-        ;;
-
     'debian:11')
         # Not listed on the docs.microsoft.com page, but credativ doesn't publish Debian 10+ images.
         #
@@ -673,19 +639,6 @@ fi
 
 echo 'Updating VM...' >&2
 case "$OS" in
-    centos:*)
-        ssh -i "$PWD/vm-ssh-key" "aziot@$vm_public_ip" '
-            set -euxo pipefail
-
-            sudo yum -y clean all
-            sudo yum -y makecache
-            sudo yum -y update
-
-            # The test needs jq
-            sudo yum -y install epel-release
-        '
-        ;;
-
     debian:*|ubuntu:*)
         ssh -i "$PWD/vm-ssh-key" "aziot@$vm_public_ip" '
             for retry in {0..3}; do
@@ -758,7 +711,7 @@ fi
 
 echo 'Installing package...' >&2
 case "$OS" in
-    centos:*|platform:el*)
+    platform:el*)
         scp -i "$PWD/vm-ssh-key" "$package" "aziot@$vm_public_ip:/home/aziot/aziot-identity-service.rpm"
 
         ssh -i "$PWD/vm-ssh-key" "aziot@$vm_public_ip" '

ci/install-build-deps.sh

@@ -11,38 +11,6 @@ fi
 # OS packages
 
 case "$OS:$ARCH" in
-    'centos:7:amd64')
-        export VENDOR_LIBTSS=1
-
-        yum install -y centos-release-scl epel-release
-        yum install -y \
-            autoconf autoconf-archive automake curl devtoolset-9-gcc devtoolset-9-gcc-c++ \
-            git jq libcurl-devel libtool llvm-toolset-7-clang llvm-toolset-7-llvm-devel \
-            make openssl openssl-devel pkgconfig
-
-        set +eu # scl_source fails with -eu
-        . scl_source enable devtoolset-9 llvm-toolset-7
-        set -eu
-        ;;
-
-    'centos:7:arm32v7'|'centos:7:aarch64')
-        echo "Cross-compilation on $OS $ARCH is not supported" >&2
-        exit 1
-        ;;
-
-    'debian:10:amd64')
-        export DEBIAN_FRONTEND=noninteractive
-        export TZ=UTC
-        export VENDOR_LIBTSS=1
-
-        apt-get update
-        apt-get upgrade -y
-        apt-get install -y \
-            acl autoconf autoconf-archive automake build-essential clang cmake \
-            curl git jq libclang1 libltdl-dev libssl-dev libtool llvm-dev \
-            pkg-config
-        ;;
-
     'debian:11:amd64'|'ubuntu:20.04:amd64'|'ubuntu:22.04:amd64')
         export DEBIAN_FRONTEND=noninteractive
         export TZ=UTC
@@ -55,22 +23,6 @@ case "$OS:$ARCH" in
             llvm-dev pkg-config
         ;;
 
-    'debian:10:arm32v7')
-        export DEBIAN_FRONTEND=noninteractive
-        export TZ=UTC
-        export VENDOR_LIBTSS=1
-
-        dpkg --add-architecture armhf
-        apt-get update
-        apt-get upgrade -y
-        apt-get install -y --no-install-recommends \
-            acl autoconf autoconf-archive automake build-essential ca-certificates \
-            clang cmake crossbuild-essential-armhf curl git jq \
-            libc-dev:armhf libclang1 libcurl4-openssl-dev:armhf \
-            libltdl-dev:armhf libssl-dev:armhf libtool llvm-dev \
-            pkg-config
-        ;;
-
     'debian:11:arm32v7')
         export DEBIAN_FRONTEND=noninteractive
         export TZ=UTC
@@ -86,22 +38,6 @@ case "$OS:$ARCH" in
             llvm-dev pkg-config
         ;;
 
-    'debian:10:aarch64')
-        export DEBIAN_FRONTEND=noninteractive
-        export TZ=UTC
-        export VENDOR_LIBTSS=1
-
-        dpkg --add-architecture arm64
-        apt-get update
-        apt-get upgrade -y
-        apt-get install -y --no-install-recommends \
-            acl autoconf autoconf-archive automake build-essential ca-certificates \
-            clang cmake crossbuild-essential-arm64 curl git jq \
-            libc-dev:arm64 libclang1 libcurl4-openssl-dev:arm64 \
-            libltdl-dev:arm64 libssl-dev:arm64 libtool llvm-dev \
-            pkg-config
-        ;;
-
     'debian:11:aarch64')
         export DEBIAN_FRONTEND=noninteractive
         export TZ=UTC

ci/install-runtime-deps.sh

@@ -6,9 +6,7 @@
 OS="$(. /etc/os-release; echo "${PLATFORM_ID:-$ID:$VERSION_ID}")"
 
 case "$OS" in
-    'centos:7'|'platform:el8'|'platform:el9')
-        # openssl 1.0
-
+    'platform:el8'|'platform:el9')
         # If using RHEL 8/9 UBI images without a subscription then they only have access to a
         # subset of packages. Workaround to enable EPEL.
         if [ "$OS" = 'platform:el8' ] && [ "$(. /etc/os-release; echo "$ID")" = 'rhel' ]; then
@@ -44,9 +42,9 @@ case "$OS" in
         esac
         ;;
 
-    'debian:10'|'debian:11'|'ubuntu:20.04'|'ubuntu:22.04')
-        # openssl 1.1.1 for Debian 10/11 and Ubuntu 20.04
-        # openssl 3.0 for Ubuntu 22.04
+    'debian:11'|'ubuntu:20.04'|'ubuntu:22.04')
+        # openssl 1.1.1 for Debian 11, Ubuntu 20.04, RHEL 8
+        # openssl 3.0 for Ubuntu 22.04, RHEL 9
 
         apt-get update -y
         DEBIAN_FRONTEND=noninteractive TZ=UTC apt-get install -y curl jq openssl ca-certificates libtss2-dev

ci/install-test-deps.sh

@@ -10,13 +10,6 @@
 # OS packages
 
 case "$OS" in
-    'centos:7')
-        export SKIP_TSS_MINIMAL=0
-        export USE_SWTPM_PKG=0
-
-        yum install -y expect json-glib-devel libtasn1-devel net-tools python3 socat
-        ;;
-
     # NOTE: ubuntu:20.04 uses libtss2-dev provided through the package
     # repositories, but the available version does not provide a TCTI
     # module for swtpm.  So, we skip testing tss-minimal on

ci/mock-iot-tests/mock-iot-setup.sh

@@ -5,12 +5,7 @@ set -eu
 # Install mock-iot-server's root CA certificate.
 # Don't modify trusted certificates if not running on a CI container OS.
 case "$CONTAINER_OS" in
-    'debian:10-slim')
-        mkdir -p /usr/local/share/ca-certificates
-        cp "$ROOT_CERT" /usr/local/share/ca-certificates/dps_root_cert.crt
-        update-ca-certificates
-        ;;
-    'centos:7' | 'redhat/ubi8:latest' | 'redhat/ubi9:latest')
+    'redhat/ubi8:latest' | 'redhat/ubi9:latest')
         mkdir -p /etc/pki/ca-trust/source/anchors
         cp "$ROOT_CERT" /etc/pki/ca-trust/source/anchors/dps_root_cert.crt
         update-ca-trust