particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
435 commits 1 branch 0 tags 688 MiB
Find a file
Ondřej Budai 820d23fd9d Add tcp and tls support for worker and job API 
There's a usecase for running workers at a different machine than
the composer. For example when there's need for making images for
architecture different then the composer is running at. Although osbuild has
some kind of support for cross-architecture builds, we still consider it
as experimental, not-yet-production-ready feature.

This commit adds a support to composer and worker to communicate using TCP.
To ensure safe communication through the wild worlds of Internet, TLS is not
only supported but even required when using TCP. Both server and client
TLS authentication are required. This means both sides must have their own
private key/certificate pair and both certificates must be signed using one
certificate authority. Examples how to generate all this fancy crypto stuff
can be found in Makefile.

Changes on the composer side:
When osbuild-remote-worker.socket is started before osbuild-composer.service,
osbuild-composer also serves jobqueue API on this socket. The unix domain
socket is not affected by this changes - it is enabled at all times
independently on the remote one. The osbuild-remote-worker.socket listens
by default on TCP port 8700.

When running the composer with remote worker socket enabled, the following
files are required:
- /etc/osbuild-composer/ca-crt.pem     (CA certificate)
- /etc/osbuild-composer/composer-key.pem (composer private key)
- /etc/osbuild-composer/composer-crt.pem (composer certificate)

Changes on the worker side:
osbuild-worker has now --remote argument taking the address to a composer
instance. When present, the worker will try to establish TLS secured TCP
connection with the composer. When not present, the worker will use
the unix domain socket method. The unit template file osbuild-remote-worker
was added to simplify the spawning of workers. For example

systemctl start osbuild-remote-worker@example.com

starts a worker which will attempt to connect to the composer instance
running on the address example.com.

When running the worker with --remote argument, the following files are
required:
- /etc/osbuild-composer/ca-crt.pem     (CA certificate)
- /etc/osbuild-composer/worker-key.pem (worker private key)
- /etc/osbuild-composer/worker-crt.pem (worker certificate)

By default osbuild-composer.service will always spawn one local worker.
If you don't want it you need to mask the default worker unit by:
systemctl mask osbuild-worker@1.service

Closing remarks:
Remember that both composer and worker certificate must be signed by
the same CA!
2020-02-20 13:47:59 +01:00
cmd Add tcp and tls support for worker and job API 2020-02-20 13:47:59 +01:00
distribution Add tcp and tls support for worker and job API 2020-02-20 13:47:59 +01:00
docs README: Define terminology as a base for internal refactoring 2020-01-30 14:42:25 +01:00
internal rcm: introduce rpmmd member of the api structure 2020-02-20 13:04:28 +01:00
osbuild@e0bb65dd71 submodule: bump to current osbuild master 2019-12-15 20:57:40 +01:00
repositories distro: add fedora 32 support 2020-02-19 14:18:58 +01:00
test Add quick README about testing 2020-02-19 23:41:58 +01:00
tools tools: add prepare-source.sh 2020-02-17 16:09:17 +01:00
vendor go: include vendored modules 2020-02-17 16:09:17 +01:00
.gitignore Makefile: include tests in make build 2020-02-20 13:04:28 +01:00
.gitmodules image-info: add test 2019-10-05 14:47:35 +02:00
.packit.yaml add packit 2019-11-29 12:16:27 +01:00
.travis.yml tools: add prepare-source.sh 2020-02-17 16:09:17 +01:00
dnf-json dnf-json: make independent from the host 2020-02-14 14:43:27 +01:00
go.mod go: include vendored modules 2020-02-17 16:09:17 +01:00
go.sum go: include vendored modules 2020-02-17 16:09:17 +01:00
golang-github-osbuild-composer.spec osbuild-tests: create repository test 2020-02-20 13:04:28 +01:00
LICENSE Revert "Fill in the license template" 2019-11-15 15:26:51 +01:00
Makefile Add tcp and tls support for worker and job API 2020-02-20 13:47:59 +01:00
README.md Add quick README about testing 2020-02-19 23:41:58 +01:00

README.md

osbuild-composer

An HTTP service for building bootable OS images. It provides the same API as lorax-composer but in the background it uses osbuild to create the images.

You can control it in Cockpit or using the composer-cli. To get started on Fedora, run:

# dnf install cockpit-composer golang-github-osbuild-composer composer-cli
# systemctl enable --now cockpit.socket
# systemctl enable --now osbuild-composer.socket

Now you can access the service using composer-cli, for example:

composer-cli status show

or using a browser: http://localhost:9090

API documentation

Please refer to the lorax-composer's documenation as osbuild-composer is a drop-in replacement.

High-level overview

overview

Frontends

osbuild-composer is meant to be used with 2 different front-ends. The primary one, which is meant for general use, is cockpit-composer. It is part of the Cockpit project and unless you have a strong reason not to use it, you should use it. composer-cli is a command line tool that can be used with osbuild-composer.

Compose

  • Compose is what the user submits over one of the frontends
  • It contains of one or more image builds
  • It contains zero or more upload actions

Image build

Job

  • What composer submits to a worker
  • Is a unit of work performed by osbuild (internally it is a single execution of osbuild)
  • Consists of one image build and zero or more Upload actions

Image type

  • In the cockpit-composer, for examples these are image types:
    • Openstack
    • Azure
    • AWS
  • As of now, we name them internally by their file format: vhd, ami, etc.
  • You can see a list of types by executing: composer-cli compose types

Upload action

  • Each image can be, but does not have to be, uploaded to a remote location
  • One image can be uploaded to multiple locations

Testing

See test/README.md