Wait for server and root-certificate.pem

Add FDO scripts for demo

Signed-off-by: eriknordmark <erik@zededa.com>

pkg/pillar/Dockerfile

@@ -144,6 +144,8 @@ COPY --from=build /final /out
 # the default /config (since that is expected to be an empty mount point)
 ADD conf/root-certificate.pem conf/server conf/server.production /out/opt/zededa/examples/config/
 ADD scripts/device-steps.sh \
+    scripts/run-fdo.sh \
+    scripts/fdo-demo-clean.sh \
     scripts/onboot.sh \
     scripts/handlezedserverconfig.sh \
     scripts/veth.sh \

pkg/pillar/scripts/device-steps.sh

@@ -351,13 +351,14 @@ if [ ! -s "$DEVICE_CERT_NAME" ]; then
 else
     echo "$(date -Ins -u) Using existing device key pair"
 fi
-if [ ! -s $CONFIGDIR/server ] || [ ! -s $CONFIGDIR/root-certificate.pem ]; then
-    echo "$(date -Ins -u) No server or root-certificate to connect to. Done" | tee /dev/console
-    # XXX insert FDO client here
-    # Should we delay for 60 seconds and then copy files from /config/bak?
-    sleep inf
-    exit 0
-fi
+while [ ! -s $CONFIGDIR/server ] || [ ! -s $CONFIGDIR/root-certificate.pem ]; do
+    if ! [ -f /opt/zededa/bin/run-fdo.sh ]; then
+        echo "$(date -Ins -u) No server or root-certificate to connect to. Done" | tee /dev/console
+        exit 0
+    fi
+    echo "$(date -Ins -u) No server or root-certificate to connect to. Run FDO" | tee /dev/console
+    /opt/zededa/bin/run-fdo.sh | tee /dev/console
+done
 
 if [ -c $TPM_DEVICE_PATH ] && ! [ -f $DEVICE_KEY_NAME ]; then
     echo "$(date -Ins -u) device-steps: TPM device, creating additional security certificates"

pkg/pillar/scripts/fdo-demo-clean.sh

@@ -0,0 +1,59 @@
+#!/bin/sh
+# Copyright (c) 2024 Zededa, Inc.
+# SPDX-License-Identifier: Apache-2.0
+# XXX only for demo
+# Remove the files created by fdo client and the device.*.pem from onboarding
+# then reboot
+
+mount_partlabel() {
+  PARTLABEL="$1"
+  if [ -z "$2" ]; then
+    echo "ERROR: no mountpoint provided" && exit 3
+  fi
+  MOUNTPOINT="$2"
+  if ! mkdir -p "$MOUNTPOINT"; then
+     echo "ERROR: failed to ensure $MOUNTPOINT" && exit 1
+  fi
+  MOUNT_DEV=$(/sbin/findfs PARTLABEL="$PARTLABEL")
+  if [ -z "$MOUNT_DEV" ]; then
+    echo "ERROR: no device with PARTLABEL=$PARTLABEL found" && exit 1
+  fi
+  if ! mount -t vfat -o rw,iocharset=iso8859-1 "$MOUNT_DEV" "$MOUNTPOINT"; then
+     echo "ERROR: mount $MOUNT_DEV on $MOUNTPOINT failed" && exit 1
+  fi
+}
+
+unmount_partlabel() {
+  PARTLABEL="$1"
+  MOUNT_DEV=$(/sbin/findfs PARTLABEL="$PARTLABEL")
+  if [ -z "$MOUNT_DEV" ]; then
+    echo "ERROR: no device with PARTLABEL=$PARTLABEL found" && exit 1
+  fi
+  if ! umount "$MOUNT_DEV"; then
+     echo "ERROR: umount $MOUNT_DEV failed" && exit 1
+  fi
+}
+
+
+# Remove for subsequent boots
+MNTPOINT=/tmp/mnt
+mkdir $MNTPOINT
+mount_partlabel "CONFIG" $MNTPOINT
+rm -f $MNTPOINT/server
+rm -f $MNTPOINT/root-certificate.pem
+rm -f $MNTPOINT/device.*.pem
+unmount_partlabel "CONFIG" $MNTPOINT
+
+# Remove from running system
+mount -o remount,rw /config
+rm -f /config/server
+rm -f /config/root-certificate.pem
+rm -f /config/device.*.pem
+mount -o remount,ro /config
+
+sync
+echo "$(date -Ins -u) rebooting in 5 seconds"
+sleep 5
+sync
+reboot
+

pkg/pillar/scripts/run-fdo.sh

@@ -0,0 +1,80 @@
+#!/bin/sh
+# Copyright (c) 2024 Zededa, Inc.
+# SPDX-License-Identifier: Apache-2.0
+# Invoke the fdo client binary and copy files in place
+
+FDO_CLIENT=/opt/zededa/bin/fdo-alpine-3.16/linux-client
+FDO_DIR=/tmp/fdo-files
+# Files are deposited in CWD. Really painful to not be able to specify an outdir
+rm -rf $FDO_DIR
+mkdir $FDO_DIR
+
+mount_partlabel() {
+  PARTLABEL="$1"
+  if [ -z "$2" ]; then
+    echo "ERROR: no mountpoint provided" && exit 3
+  fi
+  MOUNTPOINT="$2"
+  if ! mkdir -p "$MOUNTPOINT"; then
+     echo "ERROR: failed to ensure $MOUNTPOINT" && exit 1
+  fi
+  MOUNT_DEV=$(/sbin/findfs PARTLABEL="$PARTLABEL")
+  if [ -z "$MOUNT_DEV" ]; then
+    echo "ERROR: no device with PARTLABEL=$PARTLABEL found" && exit 1
+  fi
+  if ! mount -t vfat -o rw,iocharset=iso8859-1 "$MOUNT_DEV" "$MOUNTPOINT"; then
+     echo "ERROR: mount $MOUNT_DEV on $MOUNTPOINT failed" && exit 1
+  fi
+}
+
+unmount_partlabel() {
+  PARTLABEL="$1"
+  MOUNT_DEV=$(/sbin/findfs PARTLABEL="$PARTLABEL")
+  if [ -z "$MOUNT_DEV" ]; then
+    echo "ERROR: no device with PARTLABEL=$PARTLABEL found" && exit 1
+  fi
+  if ! umount "$MOUNT_DEV"; then
+     echo "ERROR: umount $MOUNT_DEV failed" && exit 1
+  fi
+}
+
+
+echo "$(date -Ins -u) Starting FDO client"
+# Painful
+cp -rp /opt/zededa/bin/fdo-alpine-3.16/data $FDO_DIR
+(cd $FDO_DIR || exit 2; $FDO_CLIENT)
+echo "$(date -Ins -u) FDO client got files:" $FDO_DIR/*
+
+# In case there are .txt extensions
+if [ -f $FDO_DIR/server.txt ]; then
+    mv $FDO_DIR/server.txt $FDO_DIR/server
+fi
+if [ -f $FDO_DIR/root-certificate.pem.txt ]; then
+    mv $FDO_DIR/root-certificate.pem.txt $FDO_DIR/root-certificate.pem
+fi
+if ! [ -f $FDO_DIR/server ] && ! [ -f $FDO_DIR/root-certificate.pem ]; then
+    echo "$(date -Ins -u) FDO client - no files. Wait a bit"
+    sleep 10
+    exit 1
+fi
+# Make available for subsequent boots
+MNTPOINT=/tmp/mnt
+mkdir $MNTPOINT
+mount_partlabel "CONFIG" $MNTPOINT
+cp -p $FDO_DIR/server $MNTPOINT/server
+cp -p $FDO_DIR/root-certificate.pem $MNTPOINT/root-certificate.pem
+unmount_partlabel "CONFIG" $MNTPOINT
+
+# Make available to running system
+mount -o remount,rw /config
+cp -p $FDO_DIR/server /config/server
+cp -p $FDO_DIR/root-certificate.pem /config/root-certificate.pem
+mount -o remount,ro /config
+
+echo "$(date -Ins -u) FDO client saved files:" /config/*
+if [ -f /config/server ] && [ -f /config/root-certificate.pem ]; then
+    exit 0
+else
+    sleep 60
+    exit 0
+fi