Add initial support for the OpenBSD operating system #712
Conversation
|
@reyk, It will cover your contributions to all Microsoft-managed open source projects. |
| return | ||
| if retry < max_retry - 1: | ||
| mountlist = shellutil.run_get_output("/sbin/mount")[1] | ||
| logger.info("mountlist: '{0}'", mountlist) |
There was a problem hiding this comment.
line 254 is a debug message that should be removed.
|
@reyk, thanks for signing the contribution license agreement. We will now validate the agreement and then the pull request. |
|
Hi, thank you for your work, really appreciated. Do you think your changes are able to make WALinuxAgent working fine with LibreSSL on a FreeBSD? Thanks |
|
@lordgordon: As LibreSSL comes from OpenBSD, I looked into using it directly. But we have to use the OpenSSL port instead because LibreSSL is not compatible with WALinuxAgent (pkg_add openssl; binary is installed as "eopenssl" on OpenBSD) . Details: the Azure wire protocol uses CMS to encrypt the certificates payload that includes the SSH public keys. I don't know why public keys have to be encrypted this way, but the agent needs "openssl cms" to decrypt them. But CMS has been removed from LibreSSL because it was poor and complex code and not even enabled in OpenSSL for a long time (http://marc.info/?l=openbsd-cvs&m=147301176512716&w=2). @mbelop and me managed to port CMS as a stand-alone binary that links with LibreSSL, but it is a big and ugly port that needs to provide its own versions for many internal functions within libcrypto. I can try to release it separately, but the best solution for OpenBSD and maybe FreeBSD is to use upstream OpenSSL for WALinuxAgent. I know that kind of hurts when you try to move away from using it. I also wonder why Azure doesn't just include the SSH public keys as Values in the ovf-env.xml file; this way we wouldn't need CMS. |
|
@reyk thank you very much for your detailed explanation. I agree, the real issue here is Azure's forcing to use CMS. As I mainly need LibreSSL for nginx I think the easiest workaround is to install LibreSSL with nginx in a jail. |
|
@hglkrijger Could you please review the patch from Reyk? They develop the patch to enable waagent for OpenBSD. |
config/openbsd/waagent.conf
Outdated
| # OS.EnableRDMA=y | ||
|
|
||
| # Enable or disable goal state processing auto-update, default is enabled | ||
| AutoUpdate.Enabled=n |
There was a problem hiding this comment.
I recommend leaving this enabled
There was a problem hiding this comment.
Sure, I can enable it again. I turned it off because it wouldn't work before the merge.
| @@ -95,6 +104,9 @@ def del_dhcp_lease(self, warnings, actions): | |||
| actions.append(DeprovisionAction(fileutil.rm_files, ["/var/db/dhclient.leases.hn0", | |||
| "/var/lib/NetworkManager/dhclient-*.lease"])) | |||
|
|
|||
| # For OpenBSD | |||
| actions.append(DeprovisionAction(fileutil.rm_files, ["/var/db/dhclient.leases.hvn0"])) | |||
There was a problem hiding this comment.
Should this have a wildcard?
There was a problem hiding this comment.
I modeled it after the FreeBSD one above that only deletes hn0 (I don't know what NetworkManager is). But, yes, that should be OK to remove /var/db/dhclient.leases.hvn* in case that there was any additional configured NIC.
| if os.path.isdir("/proc"): | ||
| pids = [pid for pid in os.listdir('/proc') if pid.isdigit()] | ||
| else: | ||
| pids = [] |
There was a problem hiding this comment.
What is the behavior of waagent --version here?
There was a problem hiding this comment.
WALinuxAgent-2.2.11 running on openbsd 6.1
Python: 2.7.13
Goal state agent: 2.2.11
Could you introduce a new osutil callback that allows OS without /proc to implement their own method to get a running process? On OpenBSD, we could implement a callback with the pgrep system utility. There are two places that could use it instead of accessing /proc directly: set_goal_state_agent() in common/version.py and validate_cloud_init() in pa/provision/default.py.
There was a problem hiding this comment.
@hglkrijger I rebased and force-pushed an update based your recommendations, see the individual commits for the changes. Can we get it merged now?
There was a problem hiding this comment.
@reyk, sure, that sounds reasonable. Would you please open an issue to track?
There are some differences between FreeBSD, OpenBSD, and Linux. Notes: - OpenBSD ships LibreSSL, but WALinuxAgent needs OpenSSL for CMS, so use the openssl port and the "eopenssl" binary instead. - Don't run the custom DHCP client but parse /var/db/dhclient.leases.hvn0. OpenBSD's lease file uses a modified syntax. - OpenBSD does not have /proc. WALinuxAgent should never assume that the /proc filesystem is available. - OpenBSD does not have sudo, but its replacement doas. The OpenBSD class implements support for modifying the doas.conf file. - Unlike FreeBSD, OpenBSD supports and mounts UDF DVDs just fine. - Create a swap partition instead of a swap file on the resource disk. - Many other minor changes for OpenBSD TODO: - The /proc checks needs to be replaced with pgrep/ps etc. checks for OpenBSD. For now it just checks if /proc is available or returns without error. Make sure to install waagent with --register-service as setuptools will not set the permissions of /etc/rc.d/waagent correctly (the file has to be executable to be used by OpenBSD's rc system).
The OpenBSD disk handler is an addition, not a replacement. Found by jonathangray
Issue reported by Lili Deng.
There are some differences between FreeBSD, OpenBSD, and Linux.
Notes:
OpenBSD ships LibreSSL, but WALinuxAgent needs OpenSSL for CMS, so
use the openssl port and the "eopenssl" binary instead.
Don't run the custom DHCP client but parse /var/db/dhclient.leases.hvn0.
OpenBSD's lease file uses a modified syntax.
OpenBSD does not have /proc. WALinuxAgent should never assume that
the /proc filesystem is available.
OpenBSD does not have sudo, but its replacement doas. The OpenBSD
class implements support for modifying the doas.conf file.
Unlike FreeBSD, OpenBSD supports and mounts UDF DVDs just fine.
Create a swap partition instead of a swap file on the resource disk.
Many other minor changes for OpenBSD
TODO:
OpenBSD. For now it just checks if /proc is available or returns
without error.
Make sure to install waagent with --register-service as setuptools
will not set the permissions of /etc/rc.d/waagent correctly (the file
has to be executable to be used by OpenBSD's rc system).