Merge pull request #3514 from reubenmiller/feat-tedge-p11-server-packaging

feat: tedge-p11-server packaging

Author: reubenmiller

ci/build_scripts/package.sh

@@ -280,6 +280,11 @@ cmd_build() {
 
     if [[ "$PACKAGE_TYPES" =~ tarball ]]; then
         build_tarball "tedge" "$TARGET" "tedge"
+
+        # Optionally build tedge-p11-server to allow users to package it
+        if [[ " ${PACKAGES[*]} " =~ [[:space:]]tedge-p11-server[[:space:]] ]]; then
+            build_tarball "tedge-p11-server" "$TARGET" "tedge-p11-server"
+        fi
     fi
 }
 

ci/package_list.sh

@@ -9,11 +9,13 @@ RELEASE_PACKAGES=(
     tedge-apt-plugin
     c8y-remote-access-plugin
     c8y-firmware-plugin
+    tedge-p11-server
 )
 export RELEASE_PACKAGES
 
 # List of binaries which should be built
 BINARIES=(
     tedge
+    tedge-p11-server
 )
 export BINARIES

configuration/contrib/tedge-p11-server/tedge-p11-server.conf

@@ -0,0 +1,14 @@
+TEDGE_DEVICE_CRYPTOKI_MODULE_PATH=
+TEDGE_DEVICE_CRYPTOKI_PIN=
+
+#
+# Examples
+#
+# Yubikiey / Nitrokey
+# You will need to change the exact path to the opensc-pkcs11 file depending on your devices CPU architecture
+#TEDGE_DEVICE_CRYPTOKI_MODULE_PATH=/usr/lib/aarch64-linux-gnu/opensc-pkcs11.so
+#TEDGE_DEVICE_CRYPTOKI_PIN=123456
+
+# TPM 2.0
+#TEDGE_DEVICE_CRYPTOKI_MODULE_PATH=/usr/lib/aarch64-linux-gnu/pkcs11/libtpm2_pkcs11.so
+#TPM2_PKCS11_STORE="/etc/tedge/tpm2"

configuration/init/systemd/75-tedge.preset

@@ -18,3 +18,6 @@ disable tedge-mapper-collectd.service
 
 # Misc
 disable tedge-watchdog.service
+
+# pkcs11 server for HSM support
+disable tedge-p11-server.socket

configuration/init/systemd/tedge-p11-server.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=tedge-p11-server
+Requires=tedge-p11-server.socket
+
+[Service]
+Type=simple
+StandardError=journal
+EnvironmentFile=-/etc/tedge/plugins/tedge-p11-server.conf
+ExecStart=/usr/bin/tedge-p11-server --module-path "${TEDGE_DEVICE_CRYPTOKI_MODULE_PATH}" --pin "${TEDGE_DEVICE_CRYPTOKI_PIN}"
+Restart=on-failure
+
+[Install]
+Also=tedge-p11-server.socket
+WantedBy=default.target

configuration/init/systemd/tedge-p11-server.socket

@@ -0,0 +1,13 @@
+[Unit]
+Description=tedge-p11-server socket
+
+[Socket]
+Priority=6
+Backlog=5
+ListenStream=%t/tedge-p11-server/tedge-p11-server.sock
+SocketUser=tedge
+SocketGroup=tedge
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target

configuration/package_manifests/nfpm.tedge-p11-server.yaml

@@ -0,0 +1,80 @@
+# yaml-language-server: $schema=https://nfpm.goreleaser.com/static/schema.json
+---
+name: tedge-p11-server
+description: |
+  thin-edge.io service to interface with PKCS11 cryptoki modules
+arch: "${PKG_ARCH}"
+platform: "linux"
+version: "${GIT_SEMVER}"
+release: "${RELEASE}"
+section: misc
+priority: "optional"
+maintainer: "thin-edge.io team <info@thin-edge.io>"
+vendor: "thin-edge.io"
+homepage: "https://thin-edge.io"
+license: "Apache-2.0"
+
+deb:
+  fields:
+    Vcs-Browser: ${CI_PROJECT_URL}
+    Vcs-Git: ${CI_PROJECT_URL}
+  compression: xz
+
+contents:
+  # binary
+  - src: .build/tedge-p11-server
+    dst: /usr/bin/
+
+  # service definitions
+  - src: ./configuration/init/systemd/tedge-p11-server.socket
+    dst: /lib/systemd/system/tedge-p11-server.socket
+    file_info:
+      mode: 0644
+    packager: deb
+
+  - src: ./configuration/init/systemd/tedge-p11-server.socket
+    dst: /lib/systemd/system/tedge-p11-server.socket
+    file_info:
+      mode: 0644
+    packager: rpm
+  
+  - src: ./configuration/init/systemd/tedge-p11-server.service
+    dst: /lib/systemd/system/tedge-p11-server.service
+    file_info:
+      mode: 0644
+    packager: deb
+
+  - src: ./configuration/init/systemd/tedge-p11-server.service
+    dst: /lib/systemd/system/tedge-p11-server.service
+    file_info:
+      mode: 0644
+    packager: rpm
+  
+  # Config
+  - src: ./configuration/contrib/tedge-p11-server/tedge-p11-server.conf
+    dst: /etc/tedge/plugins/tedge-p11-server.conf
+    type: config
+    file_info:
+      mode: 0644
+
+overrides:
+  apk:
+    scripts:
+      preinstall: configuration/package_scripts/_generated/tedge-p11-server/apk/preinst
+      postinstall: configuration/package_scripts/_generated/tedge-p11-server/apk/postinst
+      preremove: configuration/package_scripts/_generated/tedge-p11-server/apk/prerm
+      postremove: configuration/package_scripts/_generated/tedge-p11-server/apk/postrm
+
+  rpm:
+    scripts:
+      preinstall: configuration/package_scripts/_generated/tedge-p11-server/rpm/preinst
+      postinstall: configuration/package_scripts/_generated/tedge-p11-server/rpm/postinst
+      preremove: configuration/package_scripts/_generated/tedge-p11-server/rpm/prerm
+      postremove: configuration/package_scripts/_generated/tedge-p11-server/rpm/postrm
+
+  deb:
+    scripts:
+      preinstall: configuration/package_scripts/_generated/tedge-p11-server/deb/preinst
+      postinstall: configuration/package_scripts/_generated/tedge-p11-server/deb/postinst
+      preremove: configuration/package_scripts/_generated/tedge-p11-server/deb/prerm
+      postremove: configuration/package_scripts/_generated/tedge-p11-server/deb/postrm

configuration/package_scripts/_generated/tedge-p11-server/apk/postinst

@@ -0,0 +1,2 @@
+#!/bin/sh
+set -e

configuration/package_scripts/_generated/tedge-p11-server/apk/postrm

@@ -0,0 +1,2 @@
+#!/bin/sh
+set -e

configuration/package_scripts/_generated/tedge-p11-server/apk/preinst

@@ -0,0 +1,55 @@
+#!/bin/sh
+set -e
+
+command_exists() {
+    command -V "$1" >/dev/null 2>&1
+}
+
+group_exists() {
+    name="$1"
+    if command_exists id; then
+        id -g "$name" >/dev/null 2>&1
+    elif command_exists getent; then
+        getent group "$name" >/dev/null 2>&1
+    else
+        # Fallback to plain grep, as busybox does not have getent
+        grep -q "^${name}:" /etc/group
+    fi
+}
+
+user_exists() {
+    name="$1"
+    if command_exists id; then
+        id -u "$name" >/dev/null 2>&1
+    elif command_exists getent; then
+        getent passwd "$name" >/dev/null 2>&1
+    else
+        # Fallback to plain grep, as busybox does not have getent
+        grep -q "^${name}:" /etc/passwd
+    fi
+}
+
+### Create groups
+if ! group_exists tedge; then
+    if command_exists groupadd; then
+        groupadd --system tedge
+    elif command_exists addgroup; then
+        addgroup -S tedge
+    else
+        echo "WARNING: Could not create group: tedge" >&2
+    fi
+fi
+
+### Create users
+# Create user tedge with no home(--no-create-home), no login(--shell) and in group tedge(--gid)
+if ! user_exists tedge; then
+    if command_exists useradd; then
+        useradd --system --no-create-home --shell /sbin/nologin --gid tedge tedge
+    elif command_exists adduser; then
+        adduser -g "" -H -D tedge -G tedge
+    else
+        echo "WARNING: Could not create user: tedge" >&2
+    fi
+fi
+
+