Update stunnel installation

.github/aznfs-build.yaml

@@ -61,10 +61,11 @@ stages:
 
           - script: |
               mkdir -p $(Build.ArtifactStagingDirectory)/artifacts
-              for dir in deb rpm suse stunnel; do
+              for dir in deb rpm suse stunnel azurelinux; do
                 mkdir -p $(Build.ArtifactStagingDirectory)/artifacts/$dir
               done
               cp -f $(System.DefaultWorkingDirectory)/deb/aznfs-${{ parameters.versionName }}-1_amd64.deb $(Build.ArtifactStagingDirectory)/artifacts/deb
+              cp -f $(System.DefaultWorkingDirectory)/rpm/root/rpmbuild/RPMS/x86_64/aznfs-${{ parameters.versionName }}-1.x86_64.rpm $(Build.ArtifactStagingDirectory)/artifacts/azurelinux
               for dir in rpm suse stunnel; do
                 cp -f $(System.DefaultWorkingDirectory)/$dir/root/rpmbuild/RPMS/x86_64/aznfs-${{ parameters.versionName }}-1.x86_64.rpm $(Build.ArtifactStagingDirectory)/artifacts/$dir
               done
@@ -108,10 +109,11 @@ stages:
 
           - script: |
               mkdir -p $(Build.ArtifactStagingDirectory)/artifacts
-              for dir in deb rpm suse stunnel; do
+              for dir in deb rpm suse stunnel azurelinux; do
                 mkdir -p $(Build.ArtifactStagingDirectory)/artifacts/$dir
               done
               cp -avf $(System.DefaultWorkingDirectory)/deb/aznfs-${{ parameters.versionName }}-1_arm64.deb $(Build.ArtifactStagingDirectory)/artifacts/deb
+              cp -avf $(System.DefaultWorkingDirectory)/rpm/root/rpmbuild/RPMS/aarch64/aznfs-${{ parameters.versionName }}-1.aarch64.rpm $(Build.ArtifactStagingDirectory)/artifacts/azurelinux
               for dir in rpm suse stunnel; do
                 cp -avf $(System.DefaultWorkingDirectory)/$dir/root/rpmbuild/RPMS/aarch64/aznfs-${{ parameters.versionName }}-1.aarch64.rpm $(Build.ArtifactStagingDirectory)/artifacts/$dir
               done
@@ -272,6 +274,35 @@ stages:
                 }
                 ]
 
+          - task: EsrpCodeSigning@5
+            displayName: 'ESRP CodeSigning MI AzureLinux'
+            inputs:
+              ConnectedServiceName: 'Azure AZNFS'
+              AppRegistrationClientId: $(AppRegistrationClientId)
+              AppRegistrationTenantId: $(AppRegistrationTenantId)
+
+              UseMSIAuthentication: true
+              AuthAKVName: $(AuthAKVName)
+              AuthSignCertName: $(AuthSignCertName)
+
+              FolderPath: $(Build.ArtifactStagingDirectory)/aznfs-temp/artifacts/azurelinux
+              Pattern: '*.rpm'
+              SessionTimeout: 90
+              ServiceEndpointUrl: 'https://api.esrp.microsoft.com/api/v2'
+              MaxConcurrency: 25
+              signConfigType: inlineSignParams
+              VerboseLogin: true
+              inlineOperation: |
+                [
+                {
+                  "KeyCode": "CP-459159-Pgp",
+                  "OperationCode": "LinuxSign",
+                  "ToolName": "sign",
+                  "ToolVersion": "1.0",
+                  "Parameters": {}
+                }
+                ]
+
            # Validate signed images have md5sum changed
           - script: |
               chmod 755 $(Build.ArtifactStagingDirectory)/aznfs-temp/artifacts/deb/*.deb
@@ -368,6 +399,12 @@ stages:
                   aznfsArcRpmStunnel=`pmc --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload $(Build.ArtifactStagingDirectory)/aznfs-signed/artifacts/stunnel/aznfs*-1.aarch64.rpm`
                   echo "AZNFS ARC Stunnel RPM Package ID: $aznfsRpmStunnel"
 
+                  aznfsRpmAzureLinux=`pmc --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload $(Build.ArtifactStagingDirectory)/aznfs-signed/artifacts/azurelinux/aznfs*-1.x86_64.rpm`
+                  echo "AZNFS RPM Package ID: $aznfsRpmAzureLinux"
+
+                  aznfsArcRpmAzureLinux=`pmc --base-url "https://pmc-ingest.trafficmanager.net/api/v4" --id-only package upload $(Build.ArtifactStagingDirectory)/aznfs-signed/artifacts/azurelinux/aznfs*-1.aarch64.rpm`
+                  echo "AZNFS ARC RPM Package ID: $aznfsArcRpmAzureLinux"
+
                   ################################### Add uploaded packages to its repository ######################################
                   echo "now adding packages to repositories..."
 

generate_package.sh

@@ -25,7 +25,7 @@ generate_rpm_package()
 	rpm_dir=$1
 	custom_stunnel_required=0
 
-	# Overwrite rpm_pkg_dir in case of Mariner, RedHat7, and Centos7.
+	# Overwrite rpm_pkg_dir in case of RedHat7 and Centos7.
 	if [ "$rpm_dir" == "stunnel" ]; then
 		custom_stunnel_required=1
 	fi
@@ -240,7 +240,7 @@ dpkg-deb -Zgzip --root-owner-group --build $STG_DIR/deb/$pkg_dir
 
 generate_rpm_package rpm
 generate_rpm_package suse
-# Generate rpm package with custom stunnel installation for Mariner, RedHat7, and Centos7.
+# Generate rpm package with custom stunnel installation for RedHat7 and Centos7.
 generate_rpm_package stunnel
 
 

lib/common.sh

@@ -623,7 +623,7 @@ log_version_info()
 
     if [ "$distro_id" == "ubuntu" ]; then
         current_version=$(dpkg-query -W -f='${Version}\n' aznfs 2>/dev/null)
-    elif [ "$distro_id" == "centos" -o "$distro_id" == "rocky" -o "$distro_id" == "rhel" -o "$distro" == "mariner" -o "$distro" == "ol" ]; then
+    elif [ "$distro_id" == "centos" -o "$distro_id" == "rocky" -o "$distro_id" == "rhel" -o "$distro_id" == "ol" -o "$distro_id" == "azurelinux" ]; then
         current_pkg_name=$(rpm -q aznfs)
         current_version=$(echo "$current_pkg_name" | sed -E 's/^aznfs-(.+)\.[^.]+$/\1/')
     elif [ "$distro_id" == "sles" ]; then

package.sh

@@ -30,7 +30,7 @@ generate_rpm_package()
 		rpm_pkg_dir="${pkg_name}_sles-${RELEASE_NUMBER}-1.$arch"
 	fi
 
-	# Overwrite rpm_pkg_dir in case of Mariner, RedHat7, and Centos7.
+	# Overwrite rpm_pkg_dir in case of RedHat7, and Centos7.
 	if [ "$rpm_dir" == "stunnel" ]; then
 		rpm_pkg_dir="${pkg_name}_stunnel_custom-${RELEASE_NUMBER}-1.$arch"
 		custom_stunnel_required=1
@@ -315,7 +315,7 @@ dpkg-deb -Zgzip --root-owner-group --build $STG_DIR/deb/$pkg_dir
 
 generate_rpm_package rpm
 generate_rpm_package suse
-# Generate rpm package with custom stunnel installation for Mariner, RedHat7, and Centos7.
+# Generate rpm package with custom stunnel installation for RedHat7, and Centos7.
 generate_rpm_package stunnel
 
 #############################

packages.csv

@@ -25,4 +25,6 @@ SUSE-15,aznfsArcRpmSles,microsoft-sles15-prod-yum,
 Rocky-8.0,aznfsRpm,microsoft-el8-prod-yum,
 Rocky-8.0,aznfsArcRpm,microsoft-el8-prod-yum,
 Rocky-9.0,aznfsRpm,microsoft-el9-prod-yum,
-Rocky-9.0,aznfsArcRpm,microsoft-el9-prod-yum,
+Rocky-9.0,aznfsArcRpm,microsoft-el9-prod-yum,
+AzureLinux-3.0,aznfsRpmAzureLinux,azurelinux-3.0-prod-ms-oss-x86_64-yum,
+AzureLinux-3.0,aznfsArcRpmAzureLinux,azurelinux-3.0-prod-ms-oss-aarch64-yum,

packaging/aznfs/RPM/aznfs.spec

@@ -60,59 +60,94 @@ cleanup_stunnel_files()
 	rm -f /tmp/stunnel-latest.tar.gz
 }
 
-# Stunnel package is missing in Mariner package repo, and default stunnel package version on RedHat 7 is not compatible with aznfs.
-if grep -qi "mariner" /etc/os-release || [[ "$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"' | cut -d'.' -f1)" -eq 7 ]]; then
-	# Install stunnel from source.
-	wget https://www.stunnel.org/downloads/stunnel-latest.tar.gz -P /tmp
-	if [ $? -ne 0 ]; then
-		echo "Failed to download stunnel source code. Please install stunnel and try again."
-		exit 1
-	fi
+# Function to check if stunnel meets minimum version requirement
+check_stunnel_version() {
+    local required_version="5.40"
+
+    if command -v stunnel >/dev/null 2>&1; then
+        # Get installed stunnel version
+        installed_version=$(stunnel -version 2>&1 | grep -Eo 'stunnel [0-9]+\.[0-9]+' | awk '{print $2}')
+
+        if [ -n "$installed_version" ]; then
+            echo "Found stunnel version: $installed_version"
+
+            # Compare versions using sort -V (version sort)
+            # If required_version appears first when sorted, installed version is >= required
+            if [ "$(printf '%s\n' "$required_version" "$installed_version" | sort -V | head -n1)" = "$required_version" ]; then
+                echo "stunnel version $installed_version meets minimum requirement ($required_version)"
+                return 0  # Success - version is adequate
+            else
+                echo "stunnel version $installed_version is below minimum requirement ($required_version)"
+                return 1  # Failure - version is too old
+            fi
+        else
+            echo "Could not determine stunnel version"
+            return 1  # Failure - version unknown
+        fi
+    else
+        echo "stunnel is not installed"
+        return 1  # Failure - not installed
+    fi
+}
 
-	tar -xvf /tmp/stunnel-latest.tar.gz -C /tmp
-	if [ $? -ne 0 ]; then
-		echo "Failed to extract stunnel tarball. Please install stunnel and try again."
-		rm -f /tmp/stunnel-latest.tar.gz
-		exit 1
-	fi
+# Default stunnel package version on RedHat 7 and Centos 7 is not compatible with aznfs.
+if [[ "$(grep '^VERSION_ID=' /etc/os-release | cut -d'=' -f2 | tr -d '"' | cut -d'.' -f1)" -eq 7 ]]; then
+	if check_stunnel_version; then
+        echo "Using existing stunnel installation"
+	else
+		# Install stunnel from source.
+		echo "Installing stunnel from source"
+		wget https://www.stunnel.org/downloads/stunnel-latest.tar.gz -P /tmp
+		if [ $? -ne 0 ]; then
+			echo "Failed to download stunnel source code. Please install stunnel and try again."
+			exit 1
+		fi
 
-	stunnel_dir=$(tar -tf /tmp/stunnel-latest.tar.gz | head -n 1 | cut -f1 -d'/')
+		tar -xvf /tmp/stunnel-latest.tar.gz -C /tmp
+		if [ $? -ne 0 ]; then
+			echo "Failed to extract stunnel tarball. Please install stunnel and try again."
+			rm -f /tmp/stunnel-latest.tar.gz
+			exit 1
+		fi
 
-	cd /tmp/$stunnel_dir
-	./configure
-	if [ $? -ne 0 ]; then
-		echo "Failed to configure the build. Please install stunnel and try again."
-		cleanup_stunnel_files $stunnel_dir
-		exit 1
-	fi
+		stunnel_dir=$(tar -tf /tmp/stunnel-latest.tar.gz | head -n 1 | cut -f1 -d'/')
 
-	make
-	if [ $? -ne 0 ]; then
-		echo "Failed to build stunnel. Please install stunnel and try again."
-		cleanup_stunnel_files $stunnel_dir
-		exit 1
-	fi
+		cd /tmp/$stunnel_dir
+		./configure
+		if [ $? -ne 0 ]; then
+			echo "Failed to configure the build. Please install stunnel and try again."
+			cleanup_stunnel_files $stunnel_dir
+			exit 1
+		fi
 
-	make install
-	if [ $? -ne 0 ]; then
-		echo "Failed to install stunnel. Please install stunnel and try again."
-		cleanup_stunnel_files $stunnel_dir
-		exit 1
-	fi
+		make
+		if [ $? -ne 0 ]; then
+			echo "Failed to build stunnel. Please install stunnel and try again."
+			cleanup_stunnel_files $stunnel_dir
+			exit 1
+		fi
 
-	cleanup_stunnel_files $stunnel_dir
+		make install
+		if [ $? -ne 0 ]; then
+			echo "Failed to install stunnel. Please install stunnel and try again."
+			cleanup_stunnel_files $stunnel_dir
+			exit 1
+		fi
 
-	# Remove the old link and create a symlink to stunnel binary.
-	[ -f /bin/stunnel ] && mv /bin/stunnel /bin/stunnel.old
-	ln -sf /usr/local/bin/stunnel /bin/stunnel
+		cleanup_stunnel_files $stunnel_dir
 
-	if command -v stunnel >/dev/null 2>&1; then
-		echo "Successfully installed stunnel version ${stunnel_dir}"
-		rm -f /bin/stunnel.old
-	else
-		echo "Failed to install stunnel version ${stunnel_dir}. Please install stunnel and try again."
-		mv /bin/stunnel.old /bin/stunnel > /dev/null 2>&1
-		exit 1
+		# Remove the old link and create a symlink to stunnel binary.
+		[ -f /bin/stunnel ] && mv /bin/stunnel /bin/stunnel.old
+		ln -sf /usr/local/bin/stunnel /bin/stunnel
+
+		if command -v stunnel >/dev/null 2>&1; then
+			echo "Successfully installed stunnel version ${stunnel_dir}"
+			rm -f /bin/stunnel.old
+		else
+			echo "Failed to install stunnel version ${stunnel_dir}. Please install stunnel and try again."
+			mv /bin/stunnel.old /bin/stunnel > /dev/null 2>&1
+			exit 1
+		fi
 	fi
 fi
 
@@ -301,22 +336,24 @@ if [ $1 == 0 ]; then
 	if [ $existing_mounts_v3 -ne 0 -o $existing_mounts_v4 -ne 0 ]; then
 		echo
 		echo -e "${RED}There are existing Azure Blob/Files NFS mounts using aznfs mount helper, they will not be tracked!" > /dev/tty
-		echo -n -e "Are you sure you want to continue? [y/N]${NORMAL} " > /dev/tty
-		read -n 1 result < /dev/tty
-		echo
-		if [ "$result" != "y" -a "$result" != "Y" ]; then
-			echo "Removal aborted!"
-			if [ "DISTRO" != "suse" -a ! -f /etc/centos-release ]; then
-				echo
-				echo "*******************************************************************"
-				echo "Unfortunately some of the anzfs dependencies may have been uninstalled."
-				echo "aznfs mounts may be affected and new aznfs shares cannot be mounted."
-				echo "To fix this, run the below command to install dependencies:"
-				echo "INSTALL_CMD install conntrack-tools iptables bind-utils iproute util-linux nfs-utils NETCAT_PACKAGE_NAME stunnel net-tools"
-				echo "*******************************************************************"
-				echo
+		if ! grep -qi "azurelinux" /etc/os-release; then
+			echo -n -e "Are you sure you want to continue? [y/N]${NORMAL} " > /dev/tty
+			read -n 1 result < /dev/tty
+			echo
+			if [ "$result" != "y" -a "$result" != "Y" ]; then
+				echo "Removal aborted!"
+				if [ "DISTRO" != "suse" -a ! -f /etc/centos-release ]; then
+					echo
+					echo "*******************************************************************"
+					echo "Unfortunately some of the anzfs dependencies may have been uninstalled."
+					echo "aznfs mounts may be affected and new aznfs shares cannot be mounted."
+					echo "To fix this, run the below command to install dependencies:"
+					echo "INSTALL_CMD install conntrack-tools iptables bind-utils iproute util-linux nfs-utils NETCAT_PACKAGE_NAME stunnel net-tools"
+					echo "*******************************************************************"
+					echo
+				fi
+				exit 1
 			fi
-			exit 1
 		fi
 	fi
 

scripts/aznfs_install.sh

@@ -144,7 +144,7 @@ ensure_pkg()
             exit 1
         fi
         apt=1
-    elif [ "$distro" == "centos" -o "$distro" == "rocky" -o "$distro" == "rhel" -o "$distro" == "mariner" -o "$distro" == "ol" ]; then
+    elif [ "$distro" == "centos" -o "$distro" == "rocky" -o "$distro" == "rhel" -o "$distro" == "azurelinux" -o "$distro" == "ol" ]; then
         use_dnf_or_yum
         check_update_opt=" --refresh"
         $yum -y check-update $check_update_opt >/dev/null 2>&1

src/nfsv4mountscript.sh

@@ -328,10 +328,8 @@ add_stunnel_configuration()
         distro_id=$(canonicalize_distro_id $distro_id)
     fi
 
-    if [ "$distro_id" == "mariner" ]; then
-        # List available TLSv1.3 ciphersuites using OpenSSL
-        available_ciphers=$(openssl ciphers -s -tls1_3 | awk '{print $1}')
-        echo "ciphersuites = $available_ciphers" >> $stunnel_conf_file
+    if [ "$distro_id" == "azurelinux" ]; then
+        echo "ciphers = DEFAULT" >> $stunnel_conf_file
         if [ $? -ne 0 ]; then
             chattr -f +i $stunnel_conf_file
             eecho "Failed to add 'ciphersuites' info to $stunnel_conf_file!"