v2.5.0

Author: brod-intel

.bdsignore.all

@@ -0,0 +1,3 @@
+artifacts
+avvdat.ini
+vsreports

.gitignore

@@ -44,3 +44,10 @@ dockerfiles/uos/lib/docker
 
 # Configuration that should never be committed to git
 # conf/config.yml
+conf/secrets.yml
+
+#used for core
+dockerfiles/core/files/
+
+#used for certbot
+dockerfiles/certbot/scripts/

CHANGELOG.md

@@ -0,0 +1,165 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+ 
+The format is based on [Keep a Changelog](http://keepachangelog.com/)
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased][1.0.0] - 2019-04-24
+### Initial internal publication
+- An easy way to provision target systems that are bare metal or virtual machines using a just-in-time provisioning process over PXE
+
+## [1.2.0] - 2020-04-01
+### Added
+- Created a proper README.md file
+- Samba service is now availble to allow Windows Profiles to mount ESP directory
+- Introduced Edge Software Provisioner Utility Operating System called ESP UOS
+- Now automatically detects network settings if omitted in conf/config.yml
+
+### Changed
+- Updated error handling
+
+## [1.3.0] - 2020-11-04
+### Added
+- Bash yaml parsing
+- ISO PXE Booting
+
+### Changed
+- Fixed Samba mmounting 
+- Set the Linuxkit version to v0.8
+
+## [1.5.0] - 2021-01-26
+### Added
+- Rebranded product name
+- In-line caching of RPMs, DEBs, TAR and other package management applications
+- You can now pre-build certain tasks, for example compile a kernel or mirror a repo on ESP
+- Mirroring GitHub repos on ESP
+- Virtual PXE - can test profiles or create VMs directly in ESP.  Can be used in a Jenkins pipeline for testing ESP Profiles
+- Added multiple kernel support
+- Input validation types for profile configuration
+
+### Changed
+- Improved Nginx and web services
+- Improved UOS
+- Kernel version
+- Error handling to console
+- README.md
+- Improved UOS process
+- Fixed ISO mounting and unmounting
+- Improved support for different system BIOS and uEFI
+
+## [1.5.1] - 2021-02-09
+### Added
+- Let's Encrypt to generate public certificates
+- Introduced TLS for all ESP services
+
+### Changed
+- Fixed miscellaneous bugs
+
+## [1.6.0] - 2021-02-09
+### Added
+- Ability to change kernel from different Linux distros, defaults to Clear Linux
+- Proxy support to docker-compose.yml
+- Github mirror to docker-compose.yml
+- Podman support for Red Hat
+
+### Changed
+- Gitea is built during the build.sh process instead of run.sh
+- Default config.yml to latest LTS Ubuntu
+- Fixed miscellaneous bugs
+
+## [1.6.1] - 2021-05-27
+### Changed
+- UOS now ignores self-signed certificate on ESP
+- Gitea startup processes
+
+## [1.6.2] - 2021-06-30
+### Changed
+- UOS Display  name
+- login support to UOS when there is an error
+
+## [2.0.0] - 2021-08-27
+### Added
+- Create Bootable USB to provision devices with no PXE support or ethernet. See “Bootable USB” in the README.md.
+- Flash USB Utility to protect from overwriting the wrong drive.
+- Utility OS has been rebranded to Micro OS – uOS.
+- uOS now supports WiFI and Mobile Cell phone network deployments.
+- TLS encryption enabled using self-signed certificate including optional Let’s Encrypt for Web Services.
+- All other services except PXE Boot are TLS enabled.
+- New ESP one line start command; instead of having to build ESP container images every install, you can start ESP from a single command line. See step 8 of “Quick Installation Guide” in the README.md.
+- ESP Core service now monitors for config.yml file changes and automatically runs build.sh command when a change occurs
+- ESP supports the ability to provision target devices while being disconnected from the internet.
+- Ubuntu Profile now supports config.yml variables network=[default|bridged|network-manager], wifissid= and wifipsk=
+- Ubuntu Profile will now search for a Debian mirror on ESP to pull packages directly.
+- Virtual PXE now supports building VMs inside a container for distribution and execution on Docker. See ./vpxe.sh -h
+
+### Changed
+- uOS Kernel Selection – you can now choose different kernels for the uOS kernel. See ./build.sh -h
+- Updated Podman to support network proxies
+- Fixed miscellaneous bugs
+
+## [2.0.1] - 2021-10-08
+### Added
+- "--skip-memory" to makeusb.sh to skip memory check for systems with small off memory.
+
+### Changed
+- Fixed typo in the help
+- Fixed build ESP containers behind proxy
+- Upgraded container base version of nginx, gitea, core and certbot to address CVEs
+- Fixed Docker-in-Docker /dev/null deletion on build failing behind proxy
+- Fixed detection of failure of docker-builder program to restart
+- Fixed makeusb.sh creating legacy BIOS USB images not booting correctly in QEMU
+- Fixed squid caching of Linux distro packages
+- Fixed miscellaneous bugs
+
+## [2.0.2] - 2021-10-12
+### Changed
+- Fixed Certbot cert renewal detection
+- Fixed Gitea database initialization
+- Fixed Podman run for Gitea
+- Fixed Podman run for Certbot
+
+## [2.0.3] - 2021-11-19
+### Added
+- Environment variable for NO_PROXY during build.sh
+- Ability to specify Git TAG Names for branches in config.yml
+
+### Changed
+- Fixed /dev/null being deleted
+- Fixed CVE is in Dockerfiles
+- Fixed missing DOCKER_RUN_ARGS
+- Fixed Miscellaneous typos
+
+## [2.5.0] - 2022-06-17
+### Added
+- Dynamic Profiles - The Dynamic Profile feature allows ESP to install software on a target machine without any user interaction.  See https://github.com/intel/Edge-Software-Provisioner#dynamic-profile
+- Build Red Hat kernels into ESP uOS using Podman.  See ./build.sh -k
+- Now can designate the interface ESP to listen on for all DHCP requests.  See https://github.com/intel/Edge-Software-Provisioner/blob/master/conf/config.yml
+- Signed Kernels and Secure Boot ESP uOS will be released in the next version
+- Can dynamically inject secretes using environment variables.  See https://github.com/intel/Edge-Software-Provisioner/blob/master/conf/secrets.sample.yml
+- Additional support for air-gapped environments
+- The ability to resume an ESP Profile deployment after failure instead of starting all over.  To enable, add kernel parameter "resume=true" in the profile config.yml
+- Can specify an ethernet interface for ESP to listen on when running on system with more than one ethernet interface. See https://github.com/intel/Edge-Software-Provisioner/blob/master/conf/config.yml
+
+### Changed
+- Updated all kernels to 5.17 and introduced an Intel kernel for latest hardware
+- Fixed missing /dev/null when Docker cleans up mounts
+- Proxy problems fixed - missing "no_proxy" values were not being passed to all containers
+- Ensure previously mounted ISO images are properly unmounted
+- Fixed Nginx bugs that stopping bootstrapping in different situations
+- Enhanced Code Quality
+
+### Known Issue
+- Virtual PXE (vpxe.sh) may cause a kernel panic under a nested VM.  Work around is to build a different kernel.  For example, `./build.sh -k ubuntu -P`
+
+
+
+
+[1.5.1]: https://github.com/intel/Edge-Software-Provisioner/compare/v1.5...v1.5.1
+[1.6.0]: https://github.com/intel/Edge-Software-Provisioner/compare/v1.5.1...v1.6
+[1.6.1]: https://github.com/intel/Edge-Software-Provisioner/compare/v1.6...v1.6.1
+[1.6.2]: https://github.com/intel/Edge-Software-Provisioner/compare/v1.6.1...v1.6.2
+[2.0.0]: https://github.com/intel/Edge-Software-Provisioner/compare/v1.6.2...v2.0
+[2.0.1]: https://github.com/intel/Edge-Software-Provisioner/compare/v2.0...v2.0.1
+[2.0.2]: https://github.com/intel/Edge-Software-Provisioner/compare/v2.0.1...v2.0.2
+[2.0.3]: https://github.com/intel/Edge-Software-Provisioner/compare/v2.0.2...v2.0.3
+[2.5.0]: https://github.com/intel/Edge-Software-Provisioner/compare/v2.0.3...v2.5

Jenkinsfile

@@ -0,0 +1,93 @@
+pipeline {
+    agent { label 'rbhe' }
+    stages {
+        stage('Build') {
+            environment {
+                DOCKER_BUILD_ARGS = '--build-arg http_proxy --build-arg https_proxy' // add --no-cache for a clean build
+            }
+            steps {
+                // This really should be pulled out into a script in the source code repo
+                // like ./ci-build.sh or something similar
+                sh '''
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-aws-cli dockerfiles/aws-cli
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-wget dockerfiles/wget
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-git dockerfiles/git
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-dnsmasq dockerfiles/dnsmasq
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-squid dockerfiles/squid
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-web dockerfiles/nginx
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-gitea dockerfiles/gitea
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-qemu dockerfiles/qemu
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-smb dockerfiles/smb
+
+                # just need to trick the core builder. This image will not run, just needs to be built to be scanned by Snyk
+                for dir in conf data dockerfiles/core scripts template; do mkdir -p dockerfiles/core/files/${dir}; done
+                cp ./*.sh dockerfiles/core/files/
+                cp ./dockerfiles/core/init.sh dockerfiles/core/files/dockerfiles/core/init.sh
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-core dockerfiles/core
+                rm -rf dockerfiles/core/files
+
+                # just need to trick the certbot builder. This image will not run, just needs to be built to be scanned by Snyk
+                mkdir -p dockerfiles/certbot/scripts
+                docker build ${DOCKER_BUILD_ARGS} -t edgebuilder-certbot dockerfiles/certbot
+                rm -rf dockerfiles/certbot/scripts
+
+                docker images | grep "edgebuilder"
+                '''
+            }
+        }
+
+        stage('Static Code Scan') {
+            when {
+                expression { env.GIT_BRANCH == 'master' }
+            }
+            stages {
+                stage('Prep Snyk Env') {
+                    steps {
+                        script {
+                            def _files = [
+                                'edgebuilder-aws-cli': 'dockerfiles/aws-cli/Dockerfile',
+                                'edgebuilder-wget': 'dockerfiles/wget/Dockerfile',
+                                'edgebuilder-git': 'dockerfiles/git/Dockerfile',
+                                'edgebuilder-dnsmasq': 'dockerfiles/dnsmasq/Dockerfile',
+                                'edgebuilder-squid': 'dockerfiles/squid/Dockerfile',
+                                'edgebuilder-web': 'dockerfiles/nginx/Dockerfile',
+                                'edgebuilder-gitea': 'dockerfiles/gitea/Dockerfile',
+                                'edgebuilder-qemu': 'dockerfiles/qemu/Dockerfile',
+                                'edgebuilder-smb': 'dockerfiles/smb/Dockerfile',
+                                'edgebuilder-core': 'dockerfiles/core/Dockerfile',
+                                'edgebuilder-certbot': 'dockerfiles/certbot/Dockerfile',
+                            ]
+
+                            env.SNYK_MANIFEST_FILE = _files.collect { k,v -> v }.join(',')
+                            env.SNYK_PROJECT_NAME  = _files.collect { k,v -> "${k}-docker" }.join(',')
+                            env.SNYK_DOCKER_IMAGE  = _files.collect { k,v -> k }.join(',')
+
+                            env.SNYK_ALLOW_LONG_PROJECT_NAME = 'true'
+                            env.SNYK_SEVERITY_THRESHOLD_CVE  = 'high'
+                        }
+                    }
+                }
+
+                stage('Scan') {
+                    environment {
+                        SCANNERS = 'protex,snyk'
+                        PROJECT_NAME = 'NEX – Container First Architecture'
+                    }
+                    steps {
+                        rbheStaticCodeScan()
+                    }
+                }
+
+                stage('Virus Scan') {
+                    steps {
+                        script {
+                            virusScan {
+                                dir = '.'
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

LICENSE

@@ -1,6 +1,11 @@
-The following files describe the licenses that apply to this software:
+Copyright © 2022, Intel Corporation
 
-licenses/bsd.license
-licenses/intel.license
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 
-Any other files with the suffix ".license" also apply to this software.
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -34,6 +34,8 @@ To quickly get started follow the [Quick Installation Guide](#quick-installation
 
 1. [Bootable USB](#bootable-usb)
 
+1. [Dynamic Profile](#dynamic-profile)
+
 ## What is it?
 
 The Edge Software Provisioner (ESP) enables ODMs, System Integrators and Developers to automate the installation of a complete operating system and software stack (defined by a Profile) on bare-metal or virtual machines using a "Just-in-Time" provisiong process. The software stack can include software components, middleware, firmware, and applications.  Automating this process increases velocity by focusing resources on rapid development, validation of use cases and scalable deployment.  ESP simplifies customer adoption through confidence gained validating Profiles.  Profiles are cloned and distributed through GitHub containing the human readable prescriptive literature to deploy the complete operating system and software stack.  In summary, this a scalable, simple bare metal provisioning process including virtual machine provisioning.
@@ -268,6 +270,7 @@ The following kernel parameters can be added to `conf/config.yml`
 * `bootstrap` - RESERVED, do not change
 * `ubuntuversion` - Use the Ubuntu release name. Defaults to 'cosmic' release
 * `debug` - [TRUE | FALSE] Enables a more verbose output
+* `resume` - [TRUE | FALSE] Enables the profile to resume opperation after the last fail.  Useful for developing profiles
 * `httppath` - RESERVED, do not change
 * `kernparam` - Used to pass additional kernel parameters to the targeted system.  Example format: kernparam=splash:quiet#enable_gvt:1
 * `parttype` - RESERVED, do not change
@@ -467,6 +470,68 @@ under [Installation](#installation)
 
   Type `./makeusb.sh -h` to see othe syntax options.
 
+## Dynamic Profile
+
+### Scope
+
+The Dynamic Profile feature allows ESP to install software on a target system without using ESP Menu selection on systems without a monitor or scale production.
+
+### Profile selection
+
+A json file in the following format is used to associate a profile with either the hardware mac address of at least one of the ethernets or cpu type on the target system.  An example json file can be found at `conf/dynamic_profiles.json`, edit this file or place the file on github or http server.
+Example JSON File:
+
+```json
+{
+  "hardwares": [
+   {
+     "id": "1",
+     "mac": "AA:BB:CC:11:22:33",
+     "profile": "Ubuntu_21.04"
+   },
+   {
+     "id": "2",
+     "cpu": "Intel(R) Xeon(R) CPU D-1557",
+     "profile": "Ubuntu_20.04_Desktop"
+   }
+  ]
+}
+```
+
+**IMPORTANT: The json structure has to follow the structure above. The current implementation relies on these keys. The implemented hardware related information is "macaddress". If others are desired, the implementation needs to be adapted**
+
+### Enabling the Dynamic Profile
+
+Several things need to be done to enable the Dynamic Profile
+
+#### Adapting config.yml
+ In the config.yml, the following section must be present:
+
+ ```yaml
+ dynamic_profile:
+    enabled: true
+    url: "https://###SOME_URL###/dynamic_profiles.json" or leave blank to read from conf/dynamic_profiles.json
+    user: "###USE_IF_HOSTED_ON_GITHUB###" or leave blank
+    token: "###USE_IF_HOSTED_ON_GITHUB###" or leave blank
+
+ ```
+ #### Building and running ESP with Dynamic Profile
+ If building for the first time please use the following command
+ ```
+ ./build.sh
+ ```
+ Or if you have already built images you use the following command to update configuration
+ ```
+ ./build.sh -S -P
+ ```
+ 
+ you must run is ESP in dynamic mode in order to support the feature with the following command
+ ```
+ ./run.sh
+ ```
+ 
+ 
+
 ## Known Limitations
 
 * The `conf/config.yml` file must specify ALL values comprehensively, as shown in the `conf/config.sample.yml`. Please use `""` for empty values.