diff --git a/.github/aznfs-build.yaml b/.github/aznfs-build.yaml
index 22ad311bd..bbad720a3 100644
--- a/.github/aznfs-build.yaml
+++ b/.github/aznfs-build.yaml
@@ -61,10 +61,11 @@ stages:
 - script: |
 mkdir -p $(Build.ArtifactStagingDirectory)/artifacts
- for dir in deb rpm suse stunnel; do
+ for dir in deb rpm suse stunnel azurelinux; do
 mkdir -p $(Build.ArtifactStagingDirectory)/artifacts/$dir
 done
 cp -f $(System.DefaultWorkingDirectory)/deb/aznfs-${{ parameters.versionName }}-1_amd64.deb $(Build.ArtifactStagingDirectory)/artifacts/deb
+ cp -f $(System.DefaultWorkingDirectory)/rpm/root/rpmbuild/RPMS/x86_64/aznfs-${{ parameters.versionName }}-1.x86_64.rpm $(Build.ArtifactStagingDirectory)/artifacts/azurelinux
 for dir in rpm suse stunnel; do
 cp -f $(System.DefaultWorkingDirectory)/$dir/root/rpmbuild/RPMS/x86_64/aznfs-${{ parameters.versionName }}-1.x86_64.rpm $(Build.ArtifactStagingDirectory)/artifacts/$dir
 done
@@ -108,10 +109,11 @@ stages:
 - script: |
 mkdir -p $(Build.ArtifactStagingDirectory)/artifacts
- for dir in deb rpm suse stunnel; do
+ for dir in deb rpm suse stunnel azurelinux; do
 mkdir -p $(Build.ArtifactStagingDirectory)/artifacts/$dir
 done
 cp -avf $(System.DefaultWorkingDirectory)/deb/aznfs-${{ parameters.versionName }}-1_arm64.deb $(Build.ArtifactStagingDirectory)/artifacts/deb
+ cp -avf $(System.DefaultWorkingDirectory)/rpm/root/rpmbuild/RPMS/aarch64/aznfs-${{ parameters.versionName }}-1.aarch64.rpm $(Build.ArtifactStagingDirectory)/artifacts/azurelinux
 for dir in rpm suse stunnel; do
 cp -avf $(System.DefaultWorkingDirectory)/$dir/root/rpmbuild/RPMS/aarch64/aznfs-${{ parameters.versionName }}-1.aarch64.rpm $(Build.ArtifactStagingDirectory)/artifacts/$dir
 done
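Review bot: The new `cp -f` line copies the same file the following loop's `rpm` iteration copies (`$(System.DefaultWorkingDirectory)/rpm/root/rpmbuild/RPMS/x86_64/aznfs-...-1.x86_64.rpm`), so `artifacts/azurelinux` holds a byte-identical duplicate of the EL package rather than a separately built one; the aarch64 hunk at -108 does the same. If that is intended, a comment above the copy such as `# Azure Linux ships the EL RPM; staged separately so it is signed and published under its own repository` would stop the next reader from looking for a missing azurelinux build stage. The two stages now also repeat the same artifact-directory list; a single pipeline variable holding `deb rpm suse stunnel azurelinux` would keep them from drifting apart.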
@@ -272,6 +274,35 @@ stages:
 }
 ]
+ - task: EsrpCodeSigning@5
+ displayName: 'ESRP CodeSigning MI AzureLinux'
+ inputs:
+ ConnectedServiceName: 'Azure AZNFS'
+ AppRegistrationClientId: $(AppRegistrationClientId)
+ AppRegistrationTenantId: $(AppRegistrationTenantId)
+
+ UseMSIAuthentication: true
+ AuthAKVName: $(AuthAKVName)
+ AuthSignCertName: $(AuthSignCertName)
+
+ FolderPath: $(Build.ArtifactStagingDirectory)/aznfs-temp/artifacts/azurelinux
+ Pattern: '*.rpm'
+ SessionTimeout: 90
+ ServiceEndpointUrl: 'https://api.esrp.microsoft.com/api/v2'
+ MaxConcurrency: 25
+ signConfigType: inlineSignParams
+ VerboseLogin: true
+ inlineOperation: |
+ [
+ {
+ "KeyCode": "CP-459159-Pgp",
+ "OperationCode": "LinuxSign",
+ "ToolName": "sign",
+ "ToolVersion": "1.0",
+ "Parameters": {}
+ }
+ ]
+
 # Validate signed images have md5sum changed
 - script: |
 chmod 755 $(Build.ArtifactStagingDirectory)/aznfs-temp/artifacts/deb/*.deb
@@ -368,6 +399,12 @@ stages:
 aznfsArcRpmStunnel=`pmc --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload $(Build.ArtifactStagingDirectory)/aznfs-signed/artifacts/stunnel/aznfs*-1.aarch64.rpm`
 echo "AZNFS ARC Stunnel RPM Package ID: $aznfsRpmStunnel"
+ aznfsRpmAzureLinux=`pmc --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload $(Build.ArtifactStagingDirectory)/aznfs-signed/artifacts/azurelinux/aznfs*-1.x86_64.rpm`
+ echo "AZNFS RPM Package ID: $aznfsRpmAzureLinux"
+
+ aznfsArcRpmAzureLinux=`pmc --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload $(Build.ArtifactStagingDirectory)/aznfs-signed/artifacts/azurelinux/aznfs*-1.aarch64.rpm`
+ echo "AZNFS ARC RPM Package ID: $aznfsArcRpmAzureLinux"
+
 ################################### Add uploaded packages to its repository ######################################
 echo "now adding packages to repositories..."
diff --git a/generate_package.sh b/generate_package.sh
index 2225fb428..54d02649f 100644
--- a/generate_package.sh
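Review bot: The added signing task covers only `artifacts/azurelinux`, while the "Validate signed images have md5sum changed" script that follows it is visible here only as far as its first line (`chmod 755 .../artifacts/deb/*.deb`) and appears to enumerate folders explicitly; it should be confirmed that `artifacts/azurelinux/*.rpm` is included in that check, otherwise an RPM that ESRP did not sign would pass silently into the upload stage. The task is otherwise a verbatim copy of the preceding ESRP task with only `FolderPath` and `displayName` changed; if the pipeline already uses templates, a parameterised signing template (or a `${{ each }}` over the folder names) would remove the duplicated `inlineOperation` block and keep the key code in one place.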
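Review bot: The two new log lines are labelled `AZNFS RPM Package ID` and `AZNFS ARC RPM Package ID`, which presumably match the labels already used for the EL uploads earlier in this script (outside the hunk), so the log would show two entries with the same label but different IDs; `echo "AZNFS AzureLinux RPM Package ID: $aznfsRpmAzureLinux"` and `echo "AZNFS ARC AzureLinux RPM Package ID: $aznfsArcRpmAzureLinux"` disambiguate them. As with the existing uploads, a failed `pmc ... package upload` leaves the variable empty and the error surfaces only later when the ID is added to a repository; a guard such as `[ -n "$aznfsRpmAzureLinux" ] || exit 1` after each upload would fail the stage at the point of error.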
+++ b/generate_package.sh
@@ -25,7 +25,7 @@ generate_rpm_package()
 rpm_dir=$1
 custom_stunnel_required=0
- # Overwrite rpm_pkg_dir in case of Mariner, RedHat7, and Centos7.
+ # Overwrite rpm_pkg_dir in case of RedHat7 and Centos7.
 if [ "$rpm_dir" == "stunnel" ]; then
 custom_stunnel_required=1
 fi
@@ -240,7 +240,7 @@ dpkg-deb -Zgzip --root-owner-group --build $STG_DIR/deb/$pkg_dir
 generate_rpm_package rpm
 generate_rpm_package suse
-# Generate rpm package with custom stunnel installation for Mariner, RedHat7, and Centos7.
+# Generate rpm package with custom stunnel installation for RedHat7 and Centos7.
 generate_rpm_package stunnel
diff --git a/lib/common.sh b/lib/common.sh
index 5bcfaddbc..25ae99323 100644
--- a/lib/common.sh
+++ b/lib/common.sh
@@ -623,7 +623,7 @@ log_version_info()
 if [ "$distro_id" == "ubuntu" ]; then
 current_version=$(dpkg-query -W -f='${Version}\n' aznfs 2>/dev/null)
- elif [ "$distro_id" == "centos" -o "$distro_id" == "rocky" -o "$distro_id" == "rhel" -o "$distro" == "mariner" -o "$distro" == "ol" ]; then
+ elif [ "$distro_id" == "centos" -o "$distro_id" == "rocky" -o "$distro_id" == "rhel" -o "$distro_id" == "ol" -o "$distro_id" == "azurelinux" ]; then
 current_pkg_name=$(rpm -q aznfs)
 current_version=$(echo "$current_pkg_name" | sed -E 's/^aznfs-(.+)\.[^.]+$/\1/')
 elif [ "$distro_id" == "sles" ]; then
diff --git a/package.sh b/package.sh
index 55eeb2524..9efb9f4e6 100755
--- a/package.sh
+++ b/package.sh
@@ -30,7 +30,7 @@ generate_rpm_package()
 rpm_pkg_dir="${pkg_name}_sles-${RELEASE_NUMBER}-1.$arch"
 fi
- # Overwrite rpm_pkg_dir in case of Mariner, RedHat7, and Centos7.
+ # Overwrite rpm_pkg_dir in case of RedHat7, and Centos7.
 if [ "$rpm_dir" == "stunnel" ]; then
 rpm_pkg_dir="${pkg_name}_stunnel_custom-${RELEASE_NUMBER}-1.$arch"
 custom_stunnel_required=1
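Review bot: The new `elif` in log_version_info keeps the `[ a -o b -o c ]` chain, which POSIX marks obsolescent and which grows by one clause per distro; `case "$distro_id" in centos|rocky|rhel|ol|azurelinux)` expresses the same test and makes future additions a one-token change. The same pattern is extended in `ensure_pkg` in scripts/aznfs_install.sh (hunk at -144). The replaced line compared `"$distro"` for mariner and ol while the new one uses `"$distro_id"` throughout; if `distro` is a separate variable elsewhere in this function (its start is outside the hunk), the `ol` branch now behaves differently and that should be confirmed as intended.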
@@ -315,7 +315,7 @@ dpkg-deb -Zgzip --root-owner-group --build $STG_DIR/deb/$pkg_dir
 generate_rpm_package rpm
 generate_rpm_package suse
-# Generate rpm package with custom stunnel installation for Mariner, RedHat7, and Centos7.
+# Generate rpm package with custom stunnel installation for RedHat7, and Centos7.
 generate_rpm_package stunnel
 #############################
diff --git a/packages.csv b/packages.csv
index b5439af83..dd777657f 100644
--- a/packages.csv
+++ b/packages.csv
@@ -25,4 +25,6 @@ SUSE-15,aznfsArcRpmSles,microsoft-sles15-prod-yum,
 Rocky-8.0,aznfsRpm,microsoft-el8-prod-yum,
 Rocky-8.0,aznfsArcRpm,microsoft-el8-prod-yum,
 Rocky-9.0,aznfsRpm,microsoft-el9-prod-yum,
-Rocky-9.0,aznfsArcRpm,microsoft-el9-prod-yum,
\ No newline at end of file
+Rocky-9.0,aznfsArcRpm,microsoft-el9-prod-yum,
+AzureLinux-3.0,aznfsRpmAzureLinux,azurelinux-3.0-prod-ms-oss-x86_64-yum,
+AzureLinux-3.0,aznfsArcRpmAzureLinux,azurelinux-3.0-prod-ms-oss-aarch64-yum,
\ No newline at end of file
diff --git a/packaging/aznfs/RPM/aznfs.spec b/packaging/aznfs/RPM/aznfs.spec
index e5b8841b6..b95498fb0 100644
--- a/packaging/aznfs/RPM/aznfs.spec
+++ b/packaging/aznfs/RPM/aznfs.spec
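Review bot: packages.csv still ends without a trailing newline (`\ No newline at end of file`), and the unterminated last line is now the new `AzureLinux-3.0,aznfsArcRpmAzureLinux,azurelinux-3.0-prod-ms-oss-aarch64-yum,` row. If the pipeline reads this file with a `while IFS=, read ...` loop, `read` returns non-zero on that final partial line and the aarch64 Azure Linux repository mapping is silently skipped; the reader is not visible here, so this is inferred, but terminating the file with a newline removes the risk regardless of how it is consumed.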
@@ -60,59 +60,94 @@ cleanup_stunnel_files()
 rm -f /tmp/stunnel-latest.tar.gz
 }
-# Stunnel package is missing in Mariner package repo, and default stunnel package version on RedHat 7 is not compatible with aznfs.
-if grep -qi "mariner" /etc/os-release || [[ "$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"' | cut -d'.' -f1)" -eq 7 ]]; then
- # Install stunnel from source.
- wget https://www.stunnel.org/downloads/stunnel-latest.tar.gz -P /tmp
- if [ $? -ne 0 ]; then
- echo "Failed to download stunnel source code. Please install stunnel and try again."
- exit 1
- fi
+# Function to check if stunnel meets minimum version requirement
+check_stunnel_version() {
+ local required_version="5.40"
+
+ if command -v stunnel >/dev/null 2>&1; then
+ # Get installed stunnel version
+ installed_version=$(stunnel -version 2>&1 | grep -Eo 'stunnel [0-9]+\.[0-9]+' | awk '{print $2}')
+
+ if [ -n "$installed_version" ]; then
+ echo "Found stunnel version: $installed_version"
+
+ # Compare versions using sort -V (version sort)
+ # If required_version appears first when sorted, installed version is >= required
+ if [ "$(printf '%s\n' "$required_version" "$installed_version" | sort -V | head -n1)" = "$required_version" ]; then
+ echo "stunnel version $installed_version meets minimum requirement ($required_version)"
+ return 0 # Success - version is adequate
+ else
+ echo "stunnel version $installed_version is below minimum requirement ($required_version)"
+ return 1 # Failure - version is too old
+ fi
+ else
+ echo "Could not determine stunnel version"
+ return 1 # Failure - version unknown
+ fi
+ else
+ echo "stunnel is not installed"
+ return 1 # Failure - not installed
+ fi
+}
- tar -xvf /tmp/stunnel-latest.tar.gz -C /tmp
- if [ $? -ne 0 ]; then
- echo "Failed to extract stunnel tarball. Please install stunnel and try again."
- rm -f /tmp/stunnel-latest.tar.gz
- exit 1
- fi
+# Default stunnel package version on RedHat 7 and Centos 7 is not compatible with aznfs.
+if [[ "$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"' | cut -d'.' -f1)" -eq 7 ]]; then
+ if check_stunnel_version; then
+ echo "Using existing stunnel installation"
+ else
+ # Install stunnel from source.
+ echo "Installing stunnel from source"
+ wget https://www.stunnel.org/downloads/stunnel-latest.tar.gz -P /tmp
+ if [ $? -ne 0 ]; then
+ echo "Failed to download stunnel source code. Please install stunnel and try again."
+ exit 1
+ fi
- stunnel_dir=$(tar -tf /tmp/stunnel-latest.tar.gz | head -n 1 | cut -f1 -d'/')
+ tar -xvf /tmp/stunnel-latest.tar.gz -C /tmp
+ if [ $? -ne 0 ]; then
+ echo "Failed to extract stunnel tarball. Please install stunnel and try again."
+ rm -f /tmp/stunnel-latest.tar.gz
+ exit 1
+ fi
- cd /tmp/$stunnel_dir
- ./configure
- if [ $? -ne 0 ]; then
- echo "Failed to configure the build. Please install stunnel and try again."
- cleanup_stunnel_files $stunnel_dir
- exit 1
- fi
+ stunnel_dir=$(tar -tf /tmp/stunnel-latest.tar.gz | head -n 1 | cut -f1 -d'/')
- make
- if [ $? -ne 0 ]; then
- echo "Failed to build stunnel. Please install stunnel and try again."
- cleanup_stunnel_files $stunnel_dir
- exit 1
- fi
+ cd /tmp/$stunnel_dir
+ ./configure
+ if [ $? -ne 0 ]; then
+ echo "Failed to configure the build. Please install stunnel and try again."
+ cleanup_stunnel_files $stunnel_dir
+ exit 1
+ fi
- make install
- if [ $? -ne 0 ]; then
- echo "Failed to install stunnel. Please install stunnel and try again."
- cleanup_stunnel_files $stunnel_dir
- exit 1
- fi
+ make
+ if [ $? -ne 0 ]; then
+ echo "Failed to build stunnel. Please install stunnel and try again."
+ cleanup_stunnel_files $stunnel_dir
+ exit 1
+ fi
- cleanup_stunnel_files $stunnel_dir
+ make install
+ if [ $? -ne 0 ]; then
+ echo "Failed to install stunnel. Please install stunnel and try again."
+ cleanup_stunnel_files $stunnel_dir
+ exit 1
+ fi
- # Remove the old link and create a symlink to stunnel binary.
- [ -f /bin/stunnel ] && mv /bin/stunnel /bin/stunnel.old
- ln -sf /usr/local/bin/stunnel /bin/stunnel
+ cleanup_stunnel_files $stunnel_dir
- if command -v stunnel >/dev/null 2>&1; then
- echo "Successfully installed stunnel version ${stunnel_dir}"
- rm -f /bin/stunnel.old
- else
- echo "Failed to install stunnel version ${stunnel_dir}. Please install stunnel and try again."
- mv /bin/stunnel.old /bin/stunnel > /dev/null 2>&1
- exit 1
+ # Remove the old link and create a symlink to stunnel binary.
+ [ -f /bin/stunnel ] && mv /bin/stunnel /bin/stunnel.old
+ ln -sf /usr/local/bin/stunnel /bin/stunnel
+
+ if command -v stunnel >/dev/null 2>&1; then
+ echo "Successfully installed stunnel version ${stunnel_dir}"
+ rm -f /bin/stunnel.old
+ else
+ echo "Failed to install stunnel version ${stunnel_dir}. Please install stunnel and try again."
+ mv /bin/stunnel.old /bin/stunnel > /dev/null 2>&1
+ exit 1
+ fi
 fi
 fi
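Review bot: `installed_version` in check_stunnel_version is assigned without `local`, so it leaks into the scriptlet's global scope unlike `required_version` next to it; `local installed_version` on the line before the assignment fixes that. The `5.40` threshold carries no explanation of which stunnel capability it guards, so a `# stunnel >= 5.40 required for <reason>` comment would stop someone lowering it. The fallback path still fetches and builds `stunnel-latest.tar.gz` as root without comparing it against a published checksum or signature, and `latest` is unpinned, so what gets installed depends on whatever the site serves at scriptlet time; verifying the archive before `./configure` and pinning a specific release would make the install reproducible and tamper-evident. The `cleanup_stunnel_files` function whose closing brace opens this hunk is defined outside it.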
@@ -301,22 +336,24 @@ if [ $1 == 0 ]; then
 if [ $existing_mounts_v3 -ne 0 -o $existing_mounts_v4 -ne 0 ]; then
 echo
 echo -e "${RED}There are existing Azure Blob/Files NFS mounts using aznfs mount helper, they will not be tracked!" > /dev/tty
- echo -n -e "Are you sure you want to continue? [y/N]${NORMAL} " > /dev/tty
- read -n 1 result < /dev/tty
- echo
- if [ "$result" != "y" -a "$result" != "Y" ]; then
- echo "Removal aborted!"
- if [ "DISTRO" != "suse" -a ! -f /etc/centos-release ]; then
- echo
- echo "*******************************************************************"
- echo "Unfortunately some of the anzfs dependencies may have been uninstalled."
- echo "aznfs mounts may be affected and new aznfs shares cannot be mounted."
- echo "To fix this, run the below command to install dependencies:"
- echo "INSTALL_CMD install conntrack-tools iptables bind-utils iproute util-linux nfs-utils NETCAT_PACKAGE_NAME stunnel net-tools"
- echo "*******************************************************************"
- echo
+ if ! grep -qi "azurelinux" /etc/os-release; then
+ echo -n -e "Are you sure you want to continue? [y/N]${NORMAL} " > /dev/tty
+ read -n 1 result < /dev/tty
+ echo
+ if [ "$result" != "y" -a "$result" != "Y" ]; then
+ echo "Removal aborted!"
+ if [ "DISTRO" != "suse" -a ! -f /etc/centos-release ]; then
+ echo
+ echo "*******************************************************************"
+ echo "Unfortunately some of the anzfs dependencies may have been uninstalled."
+ echo "aznfs mounts may be affected and new aznfs shares cannot be mounted."
+ echo "To fix this, run the below command to install dependencies:"
+ echo "INSTALL_CMD install conntrack-tools iptables bind-utils iproute util-linux nfs-utils NETCAT_PACKAGE_NAME stunnel net-tools"
+ echo "*******************************************************************"
+ echo
+ fi
+ exit 1
 fi
- exit 1
 fi
 fi
diff --git a/scripts/aznfs_install.sh b/scripts/aznfs_install.sh
index 246808ed6..bb36a795f 100644
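Review bot: On Azure Linux the new guard skips the confirmation entirely, so the warning about untracked existing mounts is still printed but removal proceeds without the `[y/N]` question; the motivation (presumably that no interactive `/dev/tty` is available under that package manager, which is inferred here) should be recorded above the `if ! grep -qi "azurelinux" /etc/os-release; then` line, e.g. `# Azure Linux: scriptlets have no interactive tty, so do not block removal on a prompt`. Inside the re-indented block, `[ "DISTRO" != "suse" -a ! -f /etc/centos-release ]` compares the literal string `DISTRO`; if `DISTRO` is a placeholder substituted at packaging time like `INSTALL_CMD` and `NETCAT_PACKAGE_NAME` on the nearby `echo`, this is fine, otherwise the first clause is always true and the dependency warning prints on SUSE as well. The enclosing `if [ $1 == 0 ]` begins outside the hunk.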
--- a/scripts/aznfs_install.sh
+++ b/scripts/aznfs_install.sh
@@ -144,7 +144,7 @@ ensure_pkg()
 exit 1
 fi
 apt=1
- elif [ "$distro" == "centos" -o "$distro" == "rocky" -o "$distro" == "rhel" -o "$distro" == "mariner" -o "$distro" == "ol" ]; then
+ elif [ "$distro" == "centos" -o "$distro" == "rocky" -o "$distro" == "rhel" -o "$distro" == "azurelinux" -o "$distro" == "ol" ]; then
 use_dnf_or_yum
 check_update_opt=" --refresh"
 $yum -y check-update $check_update_opt >/dev/null 2>&1
diff --git a/src/nfsv4mountscript.sh b/src/nfsv4mountscript.sh
index 3f748c3f2..5ce65160a 100644
--- a/src/nfsv4mountscript.sh
+++ b/src/nfsv4mountscript.sh
@@ -328,10 +328,8 @@ add_stunnel_configuration()
 distro_id=$(canonicalize_distro_id $distro_id)
 fi
- if [ "$distro_id" == "mariner" ]; then
- # List available TLSv1.3 ciphersuites using OpenSSL
- available_ciphers=$(openssl ciphers -s -tls1_3 | awk '{print $1}')
- echo "ciphersuites = $available_ciphers" >> $stunnel_conf_file
+ if [ "$distro_id" == "azurelinux" ]; then
+ echo "ciphers = DEFAULT" >> $stunnel_conf_file
 if [ $? -ne 0 ]; then
 chattr -f +i $stunnel_conf_file
 eecho "Failed to add 'ciphersuites' info to $stunnel_conf_file!"
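Review bot: The new line writes `ciphers = DEFAULT`, but the `eecho` on the unchanged line that follows still reports `Failed to add 'ciphersuites' info`, so a write failure would be logged against a directive the code no longer emits; change it to `eecho "Failed to add 'ciphers' info to $stunnel_conf_file!"`. The reason Azure Linux needs an explicit `ciphers` directive at all, and why the TLS 1.3 `ciphersuites` tuning from the mariner branch it replaces was dropped rather than carried over, is not recorded; a one-line comment above the `if [ "$distro_id" == "azurelinux" ]` stating the motivation (hedged here, since it is not visible in the hunk) would help the next person touching stunnel configuration. `add_stunnel_configuration` continues outside the hunk.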