Run new TUF autoupdater side-by-side with notary autoupdater #1081

Merged
merged 44 commits into from
Mar 14, 2023


@RebeccaMahany RebeccaMahany commented Mar 7, 2023

Relates to #954.

This is part 1 of moving to use our new TUF infrastructure; here, we run our new TUF autoupdater side-by-side with our older notary autoupdater implementation. The new autoupdater only maintains a TUF repo but does not attempt to perform updates yet.

Subsequent PRs will tackle the following (order is not set in stone)

  1. Improving TUF autoupdater metrics and exposing them in a launcher table
  2. Point to production TUF instead of development
  3. Download, verify, and untar downloads from new TUF, moving them to a new update directory located in the root directory
  4. findnew looks for updates in new location, falling back to old location
  5. Other improvements/refactors
  6. An "update now" functionality tied to control server
  7. Eventually removing the old notary autoupdater

@RebeccaMahany RebeccaMahany changed the title Draft: run new TUF client side-by-side with notary client Draft: Run new TUF autoupdater side-by-side with notary autoupdater Mar 8, 2023
@RebeccaMahany RebeccaMahany changed the title Draft: Run new TUF autoupdater side-by-side with notary autoupdater Run new TUF autoupdater side-by-side with notary autoupdater Mar 9, 2023
pkg/autoupdate/tuf_autoupdate.go
strippedBinary := strings.TrimSuffix(ta.binary, ".exe")

// The target is in the form `launcher/linux/launcher-0.13.6.tar.gz` -- trim the prefix and the file extension to return the version
prefixToTrim := fmt.Sprintf("%s/%s/%s-", strippedBinary, ta.operatingSystem, strippedBinary)
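Review bot: The version is recovered from the target name by trimming `prefixToTrim` and the file extension, so a target that does not begin with this exact `binary/os/binary-` prefix needs to be rejected explicitly: `strings.TrimPrefix` returns its input unchanged on a mismatch, and the untrimmed path would then be handled as a version. Check `strings.HasPrefix` before trimming and validate what remains as a version string. The comment should also say why `.exe` is stripped from `ta.binary`, since its only example is the Linux target.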
Contributor

Urk. I've lost sight of how we track architecture

Contributor Author

I don't believe it's present in the TUF/dl.kolide.co stuff

Contributor

I might have dropped it. (oops)

We want to start supporting windows and linux arm64. And I think we'll eventually want to stop shipping universal binaries.

I'm not sure if we should roll it into the platform specification, or think harder

Contributor

I also think this is something we'll need. There have been a few times that folks have asked for arm64 on linux / windows. I think the number will continue to grow. @RebeccaMahany, do you think this would be difficult to bolt on later?

Contributor Author

@RebeccaMahany RebeccaMahany Mar 14, 2023

IIRC we'd decided to punt architecture to later when I was working on the endpoint-releaser work.

Here is a fairly simple way I could imagine us implementing this in the future:

  1. endpoint-releaser begins to publish both to binary/os/file.tar.gz and binary/os/arch/file.tar.gz
  2. endpoint-releaser begins to maintain a binary/os/arch/channel/release.json file to point to architecture-specific releases, in addition to the binary/os/channel/release.json it already maintains
  3. launcher's new autoupdater looks for its release in binary/os/arch/channel/release.json, falling back to preexisting binary/os/channel/release.json if it can't find it for whatever reason

So, I think it wouldn't be too bad?
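The lookup-with-fallback proposed in the comment above, together with strict parsing of the target name, as an added example (not code from this PR or from launcher). The function names, the `stable` channel, the version pattern and the map standing in for the signed TUF targets list are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed pattern for versions such as 0.13.6 or 1.0.0-rc1.
var versionRe = regexp.MustCompile(`^\d+\.\d+\.\d+(-[0-9A-Za-z.]+)?$`)

// releasePointer (hypothetical name) picks the release.json to read: the
// arch-specific path if the signed targets list has it, else the legacy path.
func releasePointer(targets map[string]bool, binary, goos, arch, channel string) (string, error) {
	for _, p := range []string{
		fmt.Sprintf("%s/%s/%s/%s/release.json", binary, goos, arch, channel),
		fmt.Sprintf("%s/%s/%s/release.json", binary, goos, channel),
	} {
		if targets[p] {
			return p, nil
		}
	}
	return "", errors.New("no release.json for " + binary + "/" + goos + "/" + channel)
}

// versionFromTarget (hypothetical name) parses binary/os[/arch]/binary-VERSION.tar.gz
// and fails closed when the name does not match either layout.
func versionFromTarget(target, binary, goos, arch string) (string, error) {
	binary = strings.TrimSuffix(binary, ".exe")
	for _, dir := range []string{binary + "/" + goos + "/" + arch, binary + "/" + goos} {
		prefix := dir + "/" + binary + "-"
		if !strings.HasPrefix(target, prefix) || !strings.HasSuffix(target, ".tar.gz") {
			continue
		}
		v := strings.TrimSuffix(strings.TrimPrefix(target, prefix), ".tar.gz")
		if versionRe.MatchString(v) {
			return v, nil
		}
	}
	return "", fmt.Errorf("target %q does not match the expected layout", target)
}

func main() {
	// Constructed targets list: only the legacy pointer exists for linux.
	targets := map[string]bool{"launcher/linux/stable/release.json": true}
	fmt.Println(releasePointer(targets, "launcher", "linux", "arm64", "stable"))
	fmt.Println(versionFromTarget("launcher/linux/launcher-0.13.6.tar.gz", "launcher", "linux", "arm64"))
}
```

Both paths are only consulted if they appear in verified TUF metadata, so the fallback does not widen what the client trusts.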

@RebeccaMahany RebeccaMahany marked this pull request as ready for review March 13, 2023 20:47
James-Pickett previously approved these changes Mar 14, 2023
directionless previously approved these changes Mar 14, 2023
Contributor

@directionless directionless left a comment

I think there's going to be room for simplification, but we can use this for now!

pkg/autoupdate/tuf/autoupdate.go
}
}

func NewTufAutoupdater(metadataUrl, binary, rootDirectory string, metadataHttpClient *http.Client, opts ...TufAutoupdaterOption) (*TufAutoupdater, error) {
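Review bot: `NewTufAutoupdater` takes three adjacent `string` parameters (`metadataUrl, binary, rootDirectory`), which a call site can transpose without a compile error; a small config struct or distinct types would prevent pointing the updater at the wrong metadata URL or root directory. Go initialism style would also name these `metadataURL` and `metadataHTTPClient`, and the exported constructor has no doc comment on the line above it.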
Contributor

I suspect we can remove option. But let's go with it and iterate
