Latest 8.0.0 Release https://github.com/lf-edge/eve/releases/tag/8.0.0 🎉
NEW:
- Implement configurators for VLANs and Bonds ✅
This is the last missing piece needed to enable support for VLANs and LAGs for EVE management and local network instances. This functionality is described and designed in this document: https://wiki.lfedge.org/display/EVE/EVE+VLAN+support+-+create+VLAN+and+bond+interfaces . A part of this commit is also a fix for Switch network VLANs, where we forgot to configure the network uplink port as the trunk, therefore all tagged packets coming in and out of it would be dropped by bridge VLAN filtering. As a result, VLANs were working correctly only for air-gapped switch networks. - Handle EVE-OS reinstall with TPM + ZFS 🔒
If we have previously installed EVE-OS on this device and there was no TPM clear done in the BIOS, then we need to clear the keys associated with persist/vault as part of creating persist/vault. - Do not skip DNS State check in client 🚦
We do not update networkState in the client if only DNS State changes. It may block the onboarding process.| - add zinfo type for edgeview and zedagent publish to controller ℹ️
Missed the zinfo type in proto define for edgeview in PR Edge-View API and JWT #2427 and added zedagent publish the edgeviewStatus to the controller. - Reduce memory usage for DownloadedParts Hash 📉
We can use a JSON encoder to stream checksum calculations instead of using all data in place to reduce memory usage. Around 25KB per GB of image.
DOCS:
- Update more tunables to the document 📃
Added Minimum recommended system requirements and tunables. - Document how onboarding certificates can be generated 📃
In some cases one might want different certificates than the default in conf/onboard.cert.pem
FIX:
- Fix ntpd.pid watchdog after server change 🛠
We sometimes see a watchdog due to ntpd.pid not running in the case when EVE-OS picks up a NTP server from DHCP thus we see a log line of the form: NTP server changed from poll.ntp.org to $ns. The attempt to track this down has been to record the exit value from starting ntpd after it was killed, but that returns zero even when ntpd was not actually started. So adding a wait for the killed process to go away. - Fix filtering of unecessary info messages 🛠
Functions *HasRealChange() in zedagent that try to filter uninteresting changes from being logged have unintended side effects and cause zedagent to lose all timestamps and other information. This is because internally they clear these frequently-changing fields before comparing new and previous values, but do so without properly deep-copying values and thus changing the originals. - Fix multiple DNS servers configured for network instance 🛠
Multiple DNS servers (to advertise) should be configured for dnsmasq as a one-line "dns-server" DHCP option, with comma-separated DNS server IP addresses. Putting DNS servers each on a separate line is not correct, dnsmasq will only advertize the last entry. - Fix verification of persisted DPCs 🛠
With persisted DPCs from the previous run but with last-resort DPC disabled, there is only dpcTestTimer that will trigger DPC verification. And since this timer is set (by default) to 5 minutes, there is quite a delay until device applies working DPC after a reboot. This commit makes sure that persisted DPCs are tested as soon as possible after a reboot. DPC manager only waits for the global configuration before it starts verification. - Fix locally triggered purge 🛠
PR introduces a local generation counter for volume, which is added to the remote generation counter (from the controller) to form a volume key changing remotely as well as a locally issued purge. Similarly, the PR adds separate purge and restart counters for locally triggered operations to the application config. Note that most of the logic for local operations is currently handled by zedagent. Later, this could be refactored and moved to zedmanager to keep only config parsing and info/metrics publishing inside zedagent.
LATEST 7.11.0 Release Released https://github.com/lf-edge/eve/releases/tag/7.11.0 🎉
NEW:
- NIM refactoring ✍️
This PR substantially refactors NIM microservice. Contains several commits to improve the code of NIM, split code into several files, and avoid files with 2000+ lines. - Support zfs raid levels during install 🎛
Provides grub parameters to explicitly install zfs and pick the raid level. Support for single disk installation of ZFS is added. - Show string status for zpool in case of not online ℹ️
Show string status for zpool in case of not online (i.e. One or more devices have been taken offline by the administrator. Sufficient replicas exist for the pool to continue functioning in a degraded state.). The library we use has no support for showing this, so I parse the output of zpool status here. - Support for multiple top-level vdevs in pool 🛠
We will fill children info for multiple top-level vdevs and fill CurrentRaid as the lowest redundancy of all included vdevs. - Support to install EVE and ZFS on same disk 🎛
Installed with grub parameters eve_install_zfs_with_raid_level=none eve_install_disk=nvme0n1 - Pass grub config file for iso installer 💿
Seems we still need to have the possibility to pass options from grub.cfg comes with config.img file in case of iso installer.
The solution to sort disks (#2309) discussed #2303 (comment) is not enough and we still need to define explicitly the disk to install EVE onto with eve_install_disk option
...
STATS:
Github:⭐️340(+1) stars 121(+3) forks DockerHub: 280472(+1351)pulls🚀
Changelog: https://github.com/lf-edge/eve/compare/7.11.0...8.0.0
7.10.0 ...7.11.0Released https://github.com/lf-edge/eve/releases/tag/7.10.0
NEW:
- Extract raw filename from mime
This is necessary to handle new version of the mime package and allow creating the CDROM directory layout for cloud-init. Note that the handling guards against the directory/filename escaping from the target directory. - Use 32byte TPM keys only for vault protection 🔒
Starting this commit a new install of EVE-OS will create a vault config file on systems with TPM support. That file will be used to determine whether to use only the TPM key or merge the TPM and controller key. This applies to both ext4 and zfs filesystems. - Add functionality to send information about disks ℹ️
Add functionality to send information about disks via a separate HardwareInfo message with a rare sending rate. Add serial number assembly for disks in ZFS. Add information about the disk from which information could not be retrieved. Also rewrote the GetSerialNumberForDisk function because an error occurred if the input disk name was a partition (eg /dev/sda1). - Run tests against zfs-kvm 🛠
We can use zfs-KVM HV to run the single-disk zfs mode of EVE and use it in our tests. We changed the version of EVE in eveupdate tests to recent ones. - Add S.M.A.R.T data collector for disks 🎛
This PR adds features for collecting disk information, including SMART attributes. Also, a package has been added here that allows you to read the file system, to obtain information about available disks and information about them. - API update to send more disks information for storage system to EVE ℹ️
Update API to send more disk information (including s.m.a.r.t ones) for the storage system in EVE. - Add possibility to define nested structures in DisksConfig 🎛
To use stripe of two pairs of mirrored disks we should define DisksConfig without disks with array_type DISKS_ARRAY_TYPE_RAID0 with two children with properly defined disks inside and with array_type DISKS_ARRAY_TYPE_RAID1 and empty children - Set max_sectors explicitly to run Windows VM with vhost-scsi-pci 🪟
We can see [ 259.573575] vhost_scsi_calc_sgls: requested sgl_count: 2649 exceeds pre-allocated max_sgls: 2048 in kernel messages and Windows VM do not boot with zfs/vhost-scsi-pci. As discussed in https://edk2.groups.io/g/discuss/topic/windows_2019_vm_fails_to_boot/74465994: I/O size exceeds the max SCSI I/O limitation(8M) of vhost-scsi in KVM and we should adjust options to run Windows VM with vhost-scsi-pci. - Split bucket and path from ds config for AWS ☁️
We can have files located in directories inside the bucket, but now path from datastore assuming as bucket name. We should split the path into bucket names and file paths if we can see '/' inside the bucket. - Have installer default to fixed disk/partition UUIDs 📝
This is needed to make PCR5 in the TPM measured boot be the same for otherwise identical hardware and firmware/software. The new eve_install_random_disk_uuids can be set to get the old behavior. storage-init recreates as fixed if IMGA has the fixed UUID.
STATS:
Github:⭐️339 stars 119(+1) forks DockerHub: 279121(+ 1606) pulls🚀
Changelog: https://github.com/lf-edge/eve/compare/7.9.0...7.10.0
7.9.0 Released https://github.com/lf-edge/eve/releases/tag/7.9.0
NEW:
- Config api to work with disks in zfs
We expect information about disks to be filled in config API and will try to adjust disks states accordingly. If we want to change state to online/offline we should define its state and progress will be available in information messages. - Update API for sending status for storage system
We created informational messages for the disk statuses. - Log install steps
Capture the installation status at various stages and save it to the installer.log file on USB.
Check hash of verified images after reboot
SHA checks the files in the verified directory. We are checking that the files are not changed after reboot. In case, of unexpectable reboot during volume creation.
...
STATS:
Github:⭐️339(+2) stars 118 forks DockerHub: 277515(+1190) pulls🚀
Changelog: https://github.com/lf-edge/eve/compare/7.8.0...7.9.0
7.8.0 Released https://github.com/lf-edge/eve/releases/tag/7.9.0
NEW:
- Run potentialUUIDUpdate on 400 and on attest problems ☑️
As described in the APIv2 documentation, we should assume that the device does not exist in the controller if the controller returns 400.
Also seems we do not run potentialUUIDUpdate before successful attestation, but we should. Also, we must remove the old attest message on change and push new. - CONFIG_IGC for Intel Ethernet Controller 🎛
CONFIG_IGC for Intel Ethernet Controller I225-LM/I225-V/I225-IT - Use TLS with S3 🔑
Some old code had this disabled, thus we relied on the image SHA256 for verification. However, this means that firewalls need to open up outbound port 80 when port 443 should be sufficient. Verified that the S3 downloads work correctly even when a TLS MiTM proxy is in use thus the proxy certificate is passed into the S3 download code. - Implement appinfo extension for purge/restart command requests ℹ️
This commit implements the extension to the /api/v1/appinfo local profile endpoint, which allows the server to submit purge/restart commands for locally running application instances. This functionality is already documented in api/PROFILE.md under "AppInfo". Plus test lf-edge/eden#744 - Rework ECO to show information to log and VNC 📺
Now we cannot see information from the app in logs if VNC is enabled, with this change we will output information to both places. - Allow /30 subnets for local network instance 📡
The current MinSubnetSize of > 8 is too restrictive. We these changes we can handle /30 subnet, which means that there is one IP address available for an app instance (and one for "zedrouter").
...