update and migrator: signed migrations

packages/os/migrator.service

@@ -3,7 +3,7 @@ Description=Bottlerocket data store migrator
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/migrator --datastore-path /var/lib/bottlerocket/datastore/current --migration-directories /var/lib/bottlerocket-migrations --migrate-to-version-from-os-release
+ExecStart=/usr/bin/migrator --datastore-path /var/lib/bottlerocket/datastore/current --migration-directory /var/lib/bottlerocket-migrations --root-path /usr/share/updog/root.json --metadata-directory /var/cache/bottlerocket-metadata --migrate-to-version-from-os-release
 RemainAfterExit=true
 StandardError=journal+console
 

sources/api/migration/migrator/Cargo.toml

@@ -18,10 +18,16 @@ semver = "0.9"
 simplelog = "0.7"
 snafu = "0.6"
 update_metadata = { path = "../../../updater/update_metadata" }
+tempfile = "3.1.0"
+tough = { version = "0.5.0" }
+lz4 = "1.23.1"
 
 [build-dependencies]
 cargo-readme = "3.1"
 
+[dev-dependencies]
+tempfile = "3.1"
+
 [[bin]]
 name = "migrator"
 path = "src/main.rs"

sources/api/migration/migrator/src/args.rs

@@ -15,7 +15,10 @@ fn usage() -> ! {
     eprintln!(
         r"Usage: {}
             --datastore-path PATH
-            --migration-directories PATH[:PATH:PATH...]
+            --migration-directory PATH
+            --root-path PATH
+            --metadata-directory PATH
+            --working-directory PATH
             (--migrate-to-version x.y | --migrate-to-version-from-os-release)
             [ --no-color ]
             [ --log-level trace|debug|info|warn|error ]",
@@ -34,8 +37,10 @@ fn usage_msg<S: AsRef<str>>(msg: S) -> ! {
 pub(crate) struct Args {
     pub(crate) datastore_path: PathBuf,
     pub(crate) log_level: LevelFilter,
-    pub(crate) migration_directories: Vec<PathBuf>,
+    pub(crate) migration_directory: PathBuf,
     pub(crate) migrate_to_version: Version,
+    pub(crate) root_path: PathBuf,
+    pub(crate) metadata_directory: PathBuf,
 }
 
 impl Args {
@@ -44,8 +49,10 @@ impl Args {
         // Required parameters.
         let mut datastore_path = None;
         let mut log_level = None;
-        let mut migration_directories = None;
+        let mut migration_directory = None;
         let mut migrate_to_version = None;
+        let mut root_path = None;
+        let mut metadata_path = None;
 
         let mut iter = args.skip(1);
         while let Some(arg) = iter.next() {
@@ -84,16 +91,12 @@ impl Args {
                     }));
                 }
 
-                "--migration-directories" => {
-                    let paths_str = iter.next().unwrap_or_else(|| {
-                        usage_msg("Did not give argument to --migration-directories")
+                "--migration-directory" => {
+                    let path_str = iter.next().unwrap_or_else(|| {
+                        usage_msg("Did not give argument to --migration-directory")
                     });
-                    trace!("Given --migration-directories: {}", paths_str);
-                    let paths: Vec<_> = paths_str.split(':').map(PathBuf::from).collect();
-                    if paths.is_empty() {
-                        usage_msg("Found no paths in argument to --migration-directories");
-                    }
-                    migration_directories = Some(paths);
+                    trace!("Given --migration-directory: {}", path_str);
+                    migration_directory = Some(PathBuf::from(path_str));
                 }
 
                 "--migrate-to-version" => {
@@ -114,15 +117,36 @@ impl Args {
                     migrate_to_version = Some(br.version_id)
                 }
 
-                _ => usage(),
+                "--root-path" => {
+                    let path_str = iter
+                        .next()
+                        .unwrap_or_else(|| usage_msg("Did not give argument to --root-path"));
+                    trace!("Given --root-path: {}", path_str);
+                    root_path = Some(PathBuf::from(path_str));
+                }
+
+                "--metadata-directory" => {
+                    let path_str = iter.next().unwrap_or_else(|| {
+                        usage_msg("Did not give argument to --metadata-directory")
+                    });
+                    trace!("Given --metadata-directory: {}", path_str);
+                    metadata_path = Some(PathBuf::from(path_str));
+                }
+                _ => usage_msg(format!("Unable to parse input '{}'", arg)),
             }
         }
 
         Self {
-            datastore_path: datastore_path.unwrap_or_else(|| usage()),
+            datastore_path: datastore_path
+                .unwrap_or_else(|| usage_msg("--datastore_path is empty")),
             log_level: log_level.unwrap_or_else(|| LevelFilter::Info),
-            migration_directories: migration_directories.unwrap_or_else(|| usage()),
-            migrate_to_version: migrate_to_version.unwrap_or_else(|| usage()),
+            migration_directory: migration_directory
+                .unwrap_or_else(|| usage_msg("--migration_directory is empty")),
+            migrate_to_version: migrate_to_version
+                .unwrap_or_else(|| usage_msg("--migrate_to_version is empty")),
+            root_path: root_path.unwrap_or_else(|| usage_msg("--root_path is empty")),
+            metadata_directory: metadata_path
+                .unwrap_or_else(|| usage_msg("--metadata_directory is empty")),
         }
     }
 }

sources/api/migration/migrator/src/error.rs

@@ -1,7 +1,7 @@
 //! This module owns the error type used by the migrator.
 
 use semver::Version;
-use snafu::Snafu;
+use snafu::{Backtrace, Snafu};
 use std::io;
 use std::path::PathBuf;
 use std::process::{Command, Output};
@@ -13,6 +13,12 @@ pub(crate) enum Error {
     #[snafu(display("Internal error: {}", msg))]
     Internal { msg: String },
 
+    #[snafu(display("Unable to create tempdir for migration binaries: '{}'", source))]
+    CreateRunDir { source: std::io::Error },
+
+    #[snafu(display("Unable to create tempdir for tough datastore: '{}'", source))]
+    CreateToughTempDir { source: std::io::Error },
+
     #[snafu(display("Data store path '{}' contains invalid UTF-8", path.display()))]
     DataStorePathNotUTF8 { path: PathBuf },
 
@@ -22,6 +28,21 @@ pub(crate) enum Error {
     #[snafu(display("Data store link '{}' points to /", path.display()))]
     DataStoreLinkToRoot { path: PathBuf },
 
+    #[snafu(display("Unable to delete directory '{}': {}", path.display(), source))]
+    DeleteDirectory {
+        path: PathBuf,
+        source: std::io::Error,
+    },
+
+    #[snafu(display("Failed to convert '{}' to a URL", path.display()))]
+    DirectoryUrl { path: PathBuf, backtrace: Backtrace },
+
+    #[snafu(display("Error finding migration: {}", source))]
+    FindMigrations {
+        source: update_metadata::error::Error,
+        backtrace: Backtrace,
+    },
+
     #[snafu(display("Data store path '{}' contains invalid version: {}", path.display(), source))]
     InvalidDataStoreVersion {
         path: PathBuf,
@@ -59,9 +80,58 @@ pub(crate) enum Error {
     #[snafu(display("Failed listing migration directory '{}': {}", dir.display(), source))]
     ListMigrations { dir: PathBuf, source: io::Error },
 
+    #[snafu(display("Error loading manifest: {}", source))]
+    LoadManifest {
+        source: update_metadata::error::Error,
+        backtrace: Backtrace,
+    },
+
+    #[snafu(display("Error loading migration '{}': {}", migration, source))]
+    LoadMigration {
+        migration: String,
+        source: tough::error::Error,
+        backtrace: Backtrace,
+    },
+
+    #[snafu(display("Failed to decode LZ4-compressed migration {}: {}", migration, source))]
+    Lz4Decode {
+        migration: String,
+        source: std::io::Error,
+        backtrace: Backtrace,
+    },
+
+    #[snafu(display("Migration '{}' not found", migration))]
+    MigrationNotFound {
+        migration: String,
+        backtrace: Backtrace,
+    },
+
+    #[snafu(display("Error saving migration '{}': {}", path.display(), source))]
+    MigrationSave {
+        path: PathBuf,
+        source: std::io::Error,
+        backtrace: Backtrace,
+    },
+
+    #[snafu(display("Failed to open trusted root metadata file {}: {}", path.display(), source))]
+    OpenRoot {
+        path: PathBuf,
+        source: std::io::Error,
+        backtrace: Backtrace,
+    },
+
+    #[snafu(display("Unable to create URL from path '{}'", path.display()))]
+    PathUrl { path: PathBuf, backtrace: Backtrace },
+
     #[snafu(display("Failed reading migration directory entry: {}", source))]
     ReadMigrationEntry { source: io::Error },
 
+    #[snafu(display("Failed to load TUF repo: {}", source))]
+    RepoLoad {
+        source: tough::error::Error,
+        backtrace: Backtrace,
+    },
+
     #[snafu(display("Failed reading metadata of '{}': {}", path.display(), source))]
     PathMetadata { path: PathBuf, source: io::Error },
 
@@ -70,9 +140,6 @@ pub(crate) enum Error {
 
     #[snafu(display("Migration path '{}' contains invalid UTF-8", path.display()))]
     MigrationNameNotUTF8 { path: PathBuf },
-
-    #[snafu(display("Logger setup error: {}", source))]
-    Logger { source: simplelog::TermLogError },
 }
 
 /// Result alias containing our Error type.