Refact/ota 4814/install on secondary

[mike-sul]

verified the given PR's aktualizr-primary against aktualizr-secondary of the given PR, the current master and 2020.5, both types of an update were verified, ostree and binary/file (qemu).

Also, a basic test to verify the backward compatibility is added to this test suite

aktualizr/src/aktualizr_secondary/secondary_rpc_test.cc

Line 364 in 7c6ad01

std::make_pair(1024 * 3 + 1, false /* old messages/sendFirmware, fallback testing */),

.

[codecov-io]

Codecov Report

Merging #1642 into master will decrease coverage by 0.00%.
The diff coverage is 80.52%.

@@            Coverage Diff             @@
##           master    #1642      +/-   ##
==========================================
- Coverage   82.71%   82.71%   -0.01%     
==========================================
  Files         190      194       +4     
  Lines       12087    12266     +179     
==========================================
+ Hits         9998    10146     +148     
- Misses       2089     2120      +31     

Impacted Files	Coverage Δ
src/aktualizr_secondary/secondary_tcp_server.h	100.00% <ø> (ø)
src/aktualizr_secondary/update_agent_ostree.h	100.00% <ø> (ø)
src/libaktualizr-isotp/isotpsecondary.cc	0.00% <0.00%> (ø)
src/libaktualizr-isotp/isotpsecondary.h	0.00% <ø> (ø)
src/libaktualizr-posix/ipuptanesecondary.h	100.00% <ø> (ø)
src/libaktualizr/primary/sotauptaneclient.h	100.00% <ø> (ø)
src/virtual_secondary/managedsecondary.h	100.00% <ø> (ø)
.../virtual_secondary/partialverificationsecondary.cc	67.34% <0.00%> (ø)
...c/virtual_secondary/partialverificationsecondary.h	63.63% <ø> (ø)
src/virtual_secondary/virtualsecondary.h	100.00% <ø> (ø)
... and 45 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 48dcb6e...d948dec. Read the comment docs.

[lbonn]

Quite a lot to review! Here are mostly small comments on my first pass.

[pattivacek]

I'm not done, but here's what I've got so far until I get another break.

[eu-siemann]

Overall looks good! Do I understand correctly that the main change in secondary iface is to remove sendFirmware step and to provide an image reader callback instead, that will be called internally in install?

[eu-siemann]

Removing some code from sotauptaneclient.cc is nice!

[mike-sul]

the main change in secondary iface is to remove sendFirmware step and to provide an image reader callback instead, that will be called internally in install?

Yes, the main change in the secondary interface is getting rid of sendFirmware() method.
The image reader callback is not exactly part of the interface (SecondaryInterface), this is rather an optional parameter of a specific secondary that might need it (e.g. the ostree secondary does not need it).

The whole point of this removal (sendFirmware) is to let a specific secondary decide what exactly to do in order to install a target and don't put any its specifics into a common interface. So, a concrete secondary needs to implement install(const Target&) method and how exactly it's done and what is an internal protocol/communication between primary and secondary ECUs is solely at its discretion. This is the next step after "freeing" the IP Secondary from dependency on the secondary interface.

Before that the secondary interface reflected a specific use-case (file/binary update with full Uptnae verification) so any other implementation had a headache of adjusting its implementation into that interface and protocol.

The next logical step, IMHO, would be changing 'putMetadata(const RawMetaPack& meta_pack)' to 'putMetadata(const Target& target)'.

And the whole strategy here is to bring the update procedure on Primary and Secondary to a common denominator so the sotauptaneclient would perform the Uptane update on different entities (Primary ECU, different types of Virtual ECUs, different types of real ECUs) in a uniform way.

[pattivacek]

Finally got all the way through. Generally does look quite good, but I have several comments and questions. We still need to decide whether we want to merge this soonish or wait until we have all of our intended refactorings and interface changes complete.

I do remember now why we had inherited from the SecondaryInterface on the Secondary before. It was so that you would immediately know if you changed something that could break the compatibility between them. Obviously that's not perfect but it was meant to help track those types of changes. Now we just need to be vigilant when making changes in these parts of the code.

[mike-sul]

It was so that you would immediately know if you changed something that could break the compatibility between them.

First of all, that what tests are for, secondary the previous design could not help with detecting changes in the RPC messages itself. The bigger changes, e.g. RPC message format is changed will be detected by the given PR's design. too as well as any changes in the secondary interface will require changes in the secondary implementation on Primary.

[eu-siemann]

I must admit I am not so sure about merging sendFirmware and install into one call.

Those are the separate steps in the Uptane spec:
5.4.2.7. Send images to Secondaries
and
5.4.3.x Installing images on Primary or Secondary ECUs

And I see at least one good reason for that: if primary doesn't have enough space to store the secondary image it can utilize secondary storage via the sendFirmware call, while still verifying the hash. If hash verification by the primary fails, it will not proceed to the installation step.

[mike-sul]

I must admit I am not so sure about merging sendFirmware and install into one call.

Those are the separate steps in the Uptane spec:
5.4.2.7. Send images to Secondaries
and
5.4.3.x Installing images on Primary or Secondary ECUs

And I see at least one good reason for that: if primary doesn't have enough space to store the secondary image it can utilize secondary storage via the sendFirmware call, while still verifying the hash. If hash verification by the primary fails, it will not proceed to the installation step.

That's not exactly what happens here, there are still two phases, firmware upload/delivery, and installation, it just moved from sotauptaneclient to the Primary's part of secondary implementation.

And I see at least one good reason for that: if primary doesn't have enough space to store the ?> > > secondary image it can utilize secondary storage via the sendFirmware call, while still verifying the > hash. If hash verification by the primary fails, it will not proceed to the installation step.

I think, the functionality you are describing would be even easier to implement with the given API/interface compared to previous version of SecondaryInterface. Moreover, I actually, think that both the previous version and the one in the given PR are not good enough to solve to given issue properly. IMHO, the right design here would be the introduction of a logical ECU notion, so specific logical ECU would be responsible not just for sending firmware from Primary to Secondary but also for downloading of an image from BE. In this case, specific Secondary implementation (Primary part) will be able to implement a download mechanism in such a way that it will actually stream it directly to Secondary. Otherwise, with having this fake package manager and multi-types Secondaries it would really hard to implement the business logic within sotauptaneclient that accommodates all use cases of each Secondary type.

[pattivacek]

Two more questions:

1. How does this impact downloading large objects on the Secondary and storing them in memory? I know this gets rid of the std::string, though.
2. Have you tested manually upgrading a Secondary from the old version to the new version with qemu or whatever?

[mike-sul]

Two more questions:

1. How does this impact downloading large objects on the Secondary and storing them in memory? I know this gets rid of the std::string, though.

It improves the uploading of large objects from Primary to Secondary as it doesn't store overall image data in RAM in general and doesn't pass them via function call stack (passing a string with >1GB size as a parameter is not exactly what we wanna do). Image data are transferred from Primary to Secondary by pieces.

2. Have you tested manually upgrading a Secondary from the old version to the new version with qemu or whatever?

Yes, details are in my first comment to this PR.

[pattivacek]

I've added a couple commits to clean things up and I have one lingering question to look into.

[pattivacek]

Well, it's only taken two months, but this PR is finally ready for review. I think all of it has already been reviewed at least once at some point, and I feel comfortable merging it after having done substantial testing on it. However, I'd like to provide one more chance for others to take a look and provide their input. @mike-sul I'm also curious if you see any causes for concern.

[lgtm-com]

This pull request introduces 3 alerts when merging c8b6be5 into f868186 - view on LGTM.com

new alerts:

• 3 for Expression has no effect

[mike-sul]

I'm also curious if you see any causes for concern

@patrickvacek At first glance, I don't see any reasons for concern, will look into it closer later today.
In any case, I suppose, that it makes sense to communicate to the customers about the correct procedure of deployment/switching to the new version. (at first, deploy on Primary and then on Secondaries, iirc).

[eu-siemann]

Great job, @mike-sul , and @patrickvacek ! Everything looks good to me, let's finally merge it :)