)]}' { "log": [ { "commit": "52f7f291c1987fe98bd10d3ad79d4a0c8772ad03", "tree": "eaf212647f9bab001e62bb35647255b5f107bd2e", "parents": [ "3ff5af330857b2aadcdae9d9e6ca37b7e5d2c56e" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:42:02 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:42:02 2020 +0200" }, "message": "Add nanoswitch and cluster testing\n\nAdds nanoswitch and the `switched-multi2` launch target to launch two Smalltown instances on a switched\nnetwork and enroll them into a single cluster. Nanoswitch contains a Linux bridge and a minimal DHCP server\nand connects to the two Smalltown instances over virtual Ethernet cables. Also moves out the DHCP client into\na package since nanoswitch needs it.\n\nTest Plan:\nManually tested using `bazel run //:launch -- switched-multi2` and observing that the second VM\n(whose serial port is mapped to stdout) prints that it is enrolled. Also validated by `bazel run //core/cmd/dbg -- kubectl get node -o wide` returning two ready nodes.\n\nX-Origin-Diff: phab/D572\nGitOrigin-RevId: 9f6e2b3d8268749dd81588205646ae3976ad14b3\n" }, { "commit": "fc5dbc6646c6e332f5cbb88f6a68b6fbcffebe77", "tree": "4ea7cb93b2f0abfca9f547ee1401d39b73a79f5d", "parents": [ "140bddcbe1aac46b168f6fc2178eb9c3870a434c" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 28 12:18:07 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 28 12:18:07 2020 +0200" }, "message": "Add E2E tests for basic functionality and port launching to Go\n\nThis adds a new E2E test suite replacing the old log-parsing\nbased one. It also moves launching and controlling Smalltown VMs into\na Go package and command and exposes the \u0027//:launch\u0027 alias.\nThe new E2E test suite covers basic conditions (IP assigned, Data\navailable) and Kubernetes Node, Deployment and StatefulSet tests.\n\nTest Plan: This consists of E2E tests\n\nX-Origin-Diff: phab/D544\nGitOrigin-RevId: 7c624c667c849068bafa544a3a6c635d6d406e1c\n" }, { "commit": "878f5f9e5f9de93b09d354db7d116fd3d558dbfa", "tree": "994b67ea5264f7e38bb67e9043a369454eaab75d", "parents": [ "9a741a861a4cb5c52b0251a4abf3a2c606b06198" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 12 16:15:39 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 12 16:15:39 2020 +0200" }, "message": "Add Kubernetes Worker and infrastructure\n\nAdds Kubernetes Kubelet with patches for syscall-based mounting and\nsyscall-based (and much faster) metrics. fsquota patches have been\ndeferred to a further revision (for robust emptyDir capacity isolation).\n\nChanges encoding of the node ID to hex since Base64-URL is not supported\nas a character set for K8s names. Also adds `/etc/machine-id` and\n`/etc/os-release` since Kubernetes wants them. `os-release` is generated\nby stamping, `machine-id` is the hex-encoded node ID derived from the\npublic key.\n\nAlso includes a primitive reconciler which automatically ensures a set of\nbuilt-in Kubernetes objects are always present. Currently this includes\na PSP and some basic RBAC policies that are elementary to proper cluster\noperations.\n\nAdds an additional gRPC service (NodeDebugService) to cleanly\ncommunicate with external debug and test tooling. It supports reading\nfrom logbuffers for all externally-run components, checking conditions\n(for replacing log matching in testing and debugging) and getting\ndebug credentials for the Kubernetes cluster.\n\nA small utility (dbg) is provided that interfaces with NodeDebugService\nand provides access to its functions from the CLI. It also incorporates\na kubectl wrapper which directly grabs credentials from the Debug API\nand passes them to kubectl\n(e.g. `bazel run //core/cmd/dbg -- kubectl describe node`).\n\nTest Plan:\nManually tested.\nKubernetes:\n`bazel run //core/cmd/dbg -- kubectl create -f test.yml`\n\nChecked that pods run, logs are accessible and exec works.\n\nReading buffers:\n`bazel run //core/cmd/dbg -- logs containerd`\n\nOutputs containerd logs in the right order.\n\nAutomated testing is in the works, but has been deferred to a future\nrevision because this one is already too big again.\n\nX-Origin-Diff: phab/D525\nGitOrigin-RevId: 0fbfa0c433de405526c7f09ef10c466896331328\n" }, { "commit": "d3c59d22955d01ff4afcada9d4845cd935d820b7", "tree": "faa355d618630f556b053707cbe5ee60f84a534e", "parents": [ "c88c82db8b1a7f8a07782c970e1d0dfb453f9f66" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon May 11 16:00:22 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon May 11 16:00:22 2020 +0200" }, "message": "Update to Go 1.14\n\nUpdates the Go toolchain to 1.14 and gets rid of all upstreamed\npatches. Also shrinks binary sizes.\n\nTest Plan: Should be covered by CI.\n\nX-Origin-Diff: phab/D515\nGitOrigin-RevId: 1c400a6ba6a8d78a02aba925d95486b807eda0e9\n" }, { "commit": "60febd9db40970a31a2f49bdb969897a37c11cc6", "tree": "8ac7756b46db3333e0f81dea04ce1d8bbfe38e62", "parents": [ "fc2c4f5bc24286f24d3fe130bec61cf9fc59982d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 07 14:08:18 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 07 14:08:18 2020 +0200" }, "message": "Clean up consensus etcd log output\n\nIntegrates our Zap logger into our etcd embedded instance to\nclean up the logs. Split out from D497 (ex feature/kubelet).\n\nTest Plan:\n`bazel run //core/scripts:launch` no longer shows etcd JSON\noutput.\n\nX-Origin-Diff: phab/D498\nGitOrigin-RevId: 8df3b9c3edd20310079306479adfadf983af7da2\n" }, { "commit": "8efe51e0fd63e9df72cd61ab610ffe0a6dd27834", "tree": "250202ef0188f8018193626c43f03b2cb3165de0", "parents": [ "30b00d6d9f0bc6928ea81a6780883d252def5a3c" ], "author": { "name": "Hendrik Hofstadt", "email": "hendrik@nexantic.com", "time": "Fri Feb 28 12:53:41 2020 +0100" }, "committer": { "name": "Hendrik Hofstadt", "email": "hendrik@nexantic.com", "time": "Fri Feb 28 12:53:41 2020 +0100" }, "message": "ide: use goimports instead of gofmt\n\nTest Plan: changed import sorting and saved file. Imports were resorted.\n\nX-Origin-Diff: phab/D413\nGitOrigin-RevId: 72ce771a9724f62f839e44211ee5cd64c89c56d7\n" }, { "commit": "aa6b7346a87a5512fbdd5b39db766000c0e10415", "tree": "8b7665934b854d4d2ee18e90a289752f8cd85942", "parents": [ "5e0bd2d43ab72cf4091e7689d02f95e07b1c1010" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Dec 12 02:55:02 2019 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Dec 12 02:55:02 2019 +0100" }, "message": "Attestation \u0026 Identity \u0026 Global Unlock \u0026 Enrolment\n\nThis changes the node startup sequence significantly. Now the following three startup procedures replace the old setup/join mechanic:\n* If no enrolment config is present, automatically bootstrap a new cluster and become master for it.\n* If an enrolment config with an enrolment token is present, register with the NodeManagementService.\n* If an enrolment config without an enrolment token is present, attempt a normal cluster unlock.\n\nIt also completely revamps the GRPC management services:\n* NodeManagementService is a master-only service that deals with other nodes and has a cluster-wide identity\n* NodeService is only available in unlocked state and keyed with the node identity\n* ClusterManagement is now a master-only service that\u0027s been spun out of the main NMS since they have very different authentication models and also deals with EnrolmentConfigs\n\nThe TPM support library has also been extended by:\n* Lots of integrity attestation and verification functions\n* Built-in AK management\n* Some advanced policy-based authentication stuff\n\nAlso contains various enhancements to the network service to make everything work in a proper multi-node environment.\n\nLots of old code has been thrown out.\n\nTest Plan: Passed a full manual test of all three startup modes (bootstrap, enrolment and normal unlock) including automated EnrolmentConfig generation and consumption in a dual-node configuration on swtpm / OVMF.\n\nBug: T499\n\nX-Origin-Diff: phab/D291\nGitOrigin-RevId: d53755c828218b1df83a1d7ad252c7b3231abca8\n" }, { "commit": "6e8f69c53a2c82f5a760ab2e8152218cc86f3430", "tree": "1556b56e0a0cdb5108c301dc88710b5b2d74ba1b", "parents": [ "b7a18fd9be7732e9ed9b29f33b7f545916da207b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Nov 18 10:44:24 2019 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Nov 18 10:44:24 2019 +0100" }, "message": "Initial Kubernetes Control Plane\n\nThis adds a minimum viable Kubernetes Control Plane consisting of a\nkube-apiserver, kube-controller-manager and kube-scheduler. It contains\ntwo small CAs for Kubernetes Identity management based on shared\ncertificates and contains changes for exposing etcd via UNIX socket\nso that the apiserver can talk to it.\n\nTest Plan:\nTested by manually calling Setup() and observing subsequent logs and\nconnecting to the API server.\n\nBug: T485\n\nX-Origin-Diff: phab/D271\nGitOrigin-RevId: e56f3e50eb9d33ea291289faa1aac3bebdeb3346\n" }, { "commit": "68c58755e0a56e1b1c565d80f99056ec4948fbec", "tree": "f122ab392769d33620077c65ddf0f0a3aed43d1c", "parents": [ "5ed291ea1833ffd07665b6194f7b6db2b7c1c4aa" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Thu Nov 14 21:00:59 2019 +0100" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Thu Nov 14 21:00:59 2019 +0100" }, "message": "Improve documentation, remove dead code plus some minor refactorings\n\nThis improves our code-to-comments ratio by a lot.\n\nOn the refactorings:\n\n- Simplify the cluster join mode to just a single protobuf message -\n a node can either join an existing cluster or bootstrap a new one.\n All of the node-level setup like hostname and trust backend is done\n using the setup call, since those are identical for both cases.\n\n- We don\u0027t need a node name separate from the hostname. Ideally, we would\n get rid of IP addresses for etcd as well.\n\n- Google API design guidelines suggest the `List` term (vs. `Get`).\n\n- Add username to comments for consistency. I think the names provide\n useful context, but git blame is a thing. What do you think?\n\n- Fixed or silenced some ignored error checks in preparation of using\n an errcheck linter. Especially during early boot, many errors are\n obviously not recoverable, but logging them can provide useful debugging info.\n\n- Split up the common package into smaller subpackages.\n\n- Remove the audit package (this will be a separate service that probably\n uses it own database, rather than etcd).\n\n- Move storage constants to storage package.\n\n- Remove the unused KV type.\n\nI also added a bunch of TODO comments with discussion points.\nAdded both of you as blocking reviewers - please comment if I\nmisunderstood any of your code.\n\nTest Plan: Everything compiles and scripts:launch works (for whatever that\u0027s worth).\n\nX-Origin-Diff: phab/D235\nGitOrigin-RevId: 922fec5076e8d683e1138f26d2cb490de64a9777\n" }, { "commit": "a4ea9d03f1fb4248739392615967eaf07842e74b", "tree": "e2b8e2e3d9aa83ca7f650f2a0d972023869c1d3b", "parents": [ "e47ace84cb3e30375dcb4236c17ee9710a77a6ad" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Oct 31 11:40:30 2019 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Oct 31 11:40:30 2019 +0100" }, "message": "Added bootstrap CA\n\nThis adds a self-contained CA for bootstrapping and securing etcd\nusing certificates of infinite duration and a CRL for near-instant\nrevocation.\n\nThe bootstrapping problem is addressed by first\ngenerating the CA and issuing initial certificates and then\ninjecting them once the consensus system is up and running.\nAll files are also kept on the encrypted persistent data store to\nprevent the same bootstrapping problem when the node is already\ninitialized. The CRL is synchronized using a sync loop on every\nnode running the consensus service and distributed inside that.\n\nThe CA uses Ed25519-based cryptography and identifies the\nhosts by their external hostname.\n\nTest Plan:\nInitial bootstrapping manually tested on a single node using a\nmanual gRPC call for Setup() and openssl s_client for connecting\nto etcd.\n\nX-Origin-Diff: phab/D233\nGitOrigin-RevId: bd67818b5b649b13e0c098e480059ef990826542\n" }, { "commit": "0d7c91e331022831a974c2e34d32bb5b89ddc89c", "tree": "5b822873c015053f4b697d60c33fa3b1ef9a3a4b", "parents": [ "043daa57020dd36e074488dcb432114a548a3d2a" ], "author": { "name": "Hendrik Hofstadt", "email": "hendrik@certus.one", "time": "Wed Oct 23 21:44:47 2019 +0200" }, "committer": { "name": "Hendrik Hofstadt", "email": "hendrik@certus.one", "time": "Wed Oct 23 21:44:47 2019 +0200" }, "message": "Implement monorepo layout\n\nImplemented the nexantic monorepo.\n\nSmalltown code was moved to `core`. From now on all code will live in top level directories named after the projects with the exception for general purpose libraries which should go to `\u003clang\u003elibs`.\n\nGeneral build and utility folders are underscore prefixed.\n\nThe repo name will from now on be rNXT (nexantic). I think this change makes sense since components in this repo will not all be part of Smalltown, the Smalltown brand has been claimed by Signon GmbH so we need to change it anyway and the longer we wait the harder it will be to change/move it.\n\nTest Plan: Launched Smalltown using `./scripts/bin/bazel run //core/scripts:launch`\n\nX-Origin-Diff: phab/D210\nGitOrigin-RevId: fa5a7f08143d2ead2cb7206b4c63ab641794162c\n" } ] }