opiproject / sztp Goto Github PK

If the device is running a different image, the device downloads the image, uses the new image to upgrade, and then reboots with the new image.

$ jq -r .\"ietf-sztp-bootstrap-server:output\".\"conveyed-information\" /tmp/post_rpc_input.json | base64 --decode | tail -n +2 | sed  '1i {' | jq . | tee /tmp/post_rpc_fixed.json
{
  "ietf-sztp-conveyed-info:onboarding-information": {
    "boot-image": {
      "download-uri": [
        "http://web:8082/var/lib/misc/my-boot-image.img"
      ],
      "image-verification": [
        {
          "hash-algorithm": "ietf-sztp-conveyed-info:sha-256",
          "hash-value": "7b:ca:e6:ac:23:06:d8:79:06:8c:ac:03:80:e2:16:44:7e:40:6a:65:fa:d4:69:61:6e:05:ce:f5:87:dc:2b:97"
        }
      ]
    },
    "pre-configuration-script": "Iy9iaW4vYmFzaAplY2hvICJpbnNpZGUgdGhlIHByZS1jb25maWd1cmF0aW9uLXNjcmlwdC4uLiIK",
    "configuration-handling": "merge",
    "configuration": "PHRvcCB4bWxucz0iaHR0cHM6L2V4YW1wbGUuY29tL2NvbmZpZyI+CiAgPGFueS14bWwtY29udGVudC1va2F5Lz4KPC90b3A+Cg==",
    "post-configuration-script": "Iy9iaW4vYmFzaAplY2hvICJpbnNpZGUgdGhlIHBvc3QtY29uZmlndXJhdGlvbi1zY3JpcHQuLi4iCg=="
  }
}

$ jq -r .\"ietf-sztp-bootstrap-server:output\".\"conveyed-information\" /tmp/post_rpc_input.json | base64 --decode | head -n 2
0▒B
   *▒H▒▒+▒▒1▒-{
  "ietf-sztp-conveyed-info:onboarding-information": {

  option sztp-redirect-urls "https://bootstrap:8080/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data";

cat << EOM > bootstrap-complete.json
{
  "ietf-sztp-bootstrap-server:input" : {
    "progress-type" : "bootstrap-complete",
    "message" : "Dynamically generated SSH host key included.",
    "ssh-host-keys" : {
      "ssh-host-key" : [
        {
          "algorithm" : "ssh-rsa",
          "key-data" : "BASE64VALUE="
        }
      ]
    }
  }
}
EOM

# POST it to the "report-progress" RPC resource
curl -i -X POST --data @bootstrap-complete.json -H "Content-Type:application/yang-data+json" --cacert sbi_t\
rust_chain.pem --key pki/client/end-entity/private_key.pem --cert pki/client/end-entity/my_cert.pem --user \
my-serial-number:my-secret https://127.0.0.1:9090/restconf/operations/ietf-sztp-bootstrap-server:report-pro\
gress 1> output/post_progress_report.out 2>/dev/null

The following example illustrates a device using the API to post a
 progress report to a bootstrap server. Illustrated below is the
 "bootstrap-complete" message, but the device may send other progress
 reports to the server while bootstrapping. In this example, the
 device is sending both its SSH host keys and a TLS server
 certificate, which the bootstrap server may, for example, pass to an
 NMS, as discussed in Appendix C.3.
 REQUEST
 [Note: ’\’ line wrapping for formatting only]
 POST /restconf/operations/ietf-sztp-bootstrap-server:report-progress\
 HTTP/1.1
 HOST: example.com
 Content-Type: application/yang.data+xml
 <input xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-bootstrap-server">
     <progress-type>bootstrap-complete</progress-type>
      <message>example message</message>
      <ssh-host-keys>
           <ssh-host-key>
                <algorithm>ssh-rsa</algorithm>
                <key-data>base64encodedvalue==</key-data>
           </ssh-host-key>
           <ssh-host-key>
               <algorithm>rsa-sha2-256</algorithm>
               <key-data>base64encodedvalue==</key-data>
           </ssh-host-key>
      </ssh-host-keys>
      <trust-anchor-certs>
           <trust-anchor-cert>base64encodedvalue==</trust-anchor-cert>
      </trust-anchor-certs>
 </input>
 RESPONSE
 HTTP/1.1 204 No Content
 Date: Sat, 31 Oct 2015 17:02:40 GMT
 Server: example-server

sztp-agent-1           | 2024/06/07 00:16:24 [INFO] Configuration file copied successfully
sztp-agent-1           | 2024/06/07 00:16:24 [INFO] Starting the pre-configuration.
sztp-agent-1           | 2024/06/07 00:16:24 [INFO] Starting the Report Progress request.
sztp-agent-1           | 2024/06/07 00:16:24 [INFO] Sending to: https://bootstrap:9090/restconf/operations/ietf-sztp-bootstrap-server:report-progress
sztp-agent-1           | 2024/06/07 00:16:24 [INFO] Sending input: {"ietf-sztp-bootstrap-server:input":{"progress-type":"pre-script-initiated","message":"message sent via JSON"}}
sztp-agent-1           | 2024/06/07 00:16:24 [ERROR]  [ERROR] Status code received: 204 ...but status code expected: 200
sztp-agent-1           | 2024/06/07 00:16:24 [INFO] pre-configuration script created successfully

 "ietf-sztp-conveyed-info:onboarding-information": {
   "boot-image": {
     "download-uri": [
       "http://web:8082/var/lib/misc/my-boot-image.img",
       "ftp://web:3082/var/lib/misc/my-boot-image.img"
     ],
     "image-verification": [
       {
         "hash-algorithm": "ietf-sztp-conveyed-info:sha-256",
         "hash-value": "7b:ca:e6:ac:23:06:d8:79:06:8c:ac:03:80:e2:16:44:7e:40:6a:65:fa:d4:69:61:6e:05:ce:f5:87:dc:2b:97"
       }
     ]
   },
   "pre-configuration-script": "IyEvYmluL2Jhc2gKZWNobyAiaW5zaWRlIHRoZSBwcmUtY29uZmlndXJhdGlvbi1zY3JpcHQuLi4iCg==",
   "configuration-handling": "merge",
   "configuration": "PHRvcCB4bWxucz0iaHR0cHM6L2V4YW1wbGUuY29tL2NvbmZpZyI+CiAgPGFueS14bWwtY29udGVudC1va2F5Lz4KPC90b3A+Cg==",
   "post-configuration-script": "IyEvYmluL2Jhc2gKZWNobyAiaW5zaWRlIHRoZSBwb3N0LWNvbmZpZ3VyYXRpb24tc2NyaXB0Li4uIgo="
 }

type BootstrapServerOnboardingIinformation struct {
	BootImage struct {
		DownloadURI       []string `json:"download-uri"`
		ImageVerification []struct {
			HashAlgorithm string `json:"hash-algorithm"`
			HashValue     string `json:"hash-value"`
		} `json:"image-verification"`
	} `json:"boot-image"`
	PreConfigurationScript  string `json:"pre-configuration-script"`
	ConfigurationHandling   string `json:"configuration-handling"`
	Configuration           string `json:"configuration"`
	PostConfigurationScript string `json:"post-configuration-script"`
}

	var oi BootstrapServerOnboardingIinformation
	derr := json.Unmarshal(ci.Content.Bytes, &oi)
	if derr != nil {
		return derr
	}
	log.Println(oi)

type AutoGenerated struct {
	IetfSztpConveyedInfoRedirectInformation struct {
		BootstrapServer []struct {
			Address     string `json:"address"`
			Port        int    `json:"port"`
			TrustAnchor string `json:"trust-anchor"`
		} `json:"bootstrap-server"`
	} `json:"ietf-sztp-conveyed-info:redirect-information"`
}

{
  "ietf-sztp-conveyed-info:redirect-information": {
    "bootstrap-server": [
      {
        "address": "sztp1.example.com",
        "port": 8443,
        "trust-anchor": "base64encodedvalue=="
      },
      {
        "address": "sztp2.example.com",
        "port": 8443,
        "trust-anchor": "base64encodedvalue=="
      },
      {
        "address": "sztp3.example.com",
        "port": 8443,
        "trust-anchor": "base64encodedvalue=="
      }
    ]
  }
}

6.1. Data Model Overview
 The following tree diagram provides an overview of the data model for
 the conveyed information artifact.
 module: ietf-sztp-conveyed-info
 yang-data conveyed-information:
 +-- (information-type)
 +--:(redirect-information)
 | +-- redirect-information
 | +-- bootstrap-server* [address]
 | +-- address inet:host
 | +-- port? inet:port-number
 | +-- trust-anchor? cms
 +--:(onboarding-information)
 +-- onboarding-information
 +-- boot-image
 | +-- os-name? string
 | +-- os-version? string
 | +-- download-uri* inet:uri
 | +-- image-verification* [hash-algorithm]
 | +-- hash-algorithm identityref
 | +-- hash-value yang:hex-string
 +-- configuration-handling? enumeration
 +-- pre-configuration-script? script
 +-- configuration? binary
 +-- post-configuration-script? script

7.1. API Overview
 The following tree diagram provides an overview for the bootstrap server RESTCONF API.

 module: ietf-sztp-bootstrap-server

 rpcs:
 +---x get-bootstrapping-data
 | +---w input
 | | +---w signed-data-preferred? empty
 | | +---w hw-model? string
 | | +---w os-name? string
 | | +---w os-version? string
 | | +---w nonce? binary
 | +--ro output
 | +--ro reporting-level? enumeration {onboarding-server}?
 | +--ro conveyed-information cms
 | +--ro owner-certificate? cms
 | +--ro ownership-voucher? cms
 +---x report-progress {onboarding-server}?
 +---w input
 +---w progress-type enumeration
 +---w message? string
 +---w ssh-host-keys
 | +---w ssh-host-key* []
 | +---w algorithm string
 | +---w key-data binary
 +---w trust-anchor-certs
 +---w trust-anchor-cert* cms

	// TODO: download and verify OS image
	log.Println(oi.IetfSztpConveyedInfoOnboardingInformation.BootImage.DownloadURI)

2022/10/17 13:20:24 [http://web:8082/var/lib/misc/my-boot-image.img ftp://web:3082/var/lib/misc/my-boot-image.img]

import ("net/http"; "io"; "os")
...
out, err := os.Create("output.txt")
defer out.Close()
...
resp, err := http.Get("http://example.com/")
defer resp.Body.Close()
...
n, err := io.Copy(out, resp.Body)

$ go get github.com/cavaliergopher/grab/v3
...
resp, err := grab.Get(".", "http://www.golang-book.com/public/pdf/gobook.pdf")
if err != nil {
	log.Fatal(err)
}

fmt.Println("Download saved to", resp.Filename)

++ jq -r '."ietf-sztp-conveyed-info:onboarding-information"."boot-image"."download-uri"[]' /tmp/post_rpc_fixed.json
+ URL=http://web:8082/var/lib/misc/my-boot-image.img
++ basename http://web:8082/var/lib/misc/my-boot-image.img
+ docker-compose run --rm -v /tmp:/tmp agent curl --output /tmp/my-boot-image.img --fail http://web:8082/var/lib/misc/my-boot-image.img
Creating sztp_agent_run ... done
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 65536  100 65536    0     0  31.2M      0 --:--:-- --:--:-- --:--:-- 31.2M
++ awk '{print $2}'
+++ basename http://web:8082/var/lib/misc/my-boot-image.img
++ openssl dgst -sha256 -c /tmp/my-boot-image.img
+ SIGNATURE=7b:ca:e6:ac:23:06:d8:79:06:8c:ac:03:80:e2:16:44:7e:40:6a:65:fa:d4:69:61:6e:05:ce:f5:87:dc:2b:97

$ docker-compose run --rm -v /tmp:/tmp agent curl --output /tmp/my-boot-image.img --fail https://web:8082/var/lib/misc/my-boot-image.img
Creating sztp_agent_run ... done
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
ERROR: 35

diff --git a/examples/sztp/config/input.json b/examples/sztp/config/input.json
index 1bdc36c..0236172 100644
--- a/examples/sztp/config/input.json
+++ b/examples/sztp/config/input.json
@@ -3,6 +3,7 @@
       "hw-model" : "model-x",
       "os-name" : "vendor-os",
       "os-version" : "17.3R2.1",
+      "signed-data-preferred": [null],
       "nonce" : "BASE64VALUE="
     }
   }

   <output
     xmlns="urn:ietf:params:xml:ns:yang:ietf-sztp-bootstrap-server">
     <conveyed-information>base64encodedvalue==</conveyed-information>
     <owner-certificate>base64encodedvalue==</owner-certificate>
     <ownership-voucher>base64encodedvalue==</ownership-voucher>
   </output>

5.1. Initial State
 +-------------------------------------------------------------+
 | <device> |
 | |
 | +---------------------------------------------------------+ |
 | | <read/write storage> | |
 | | | |
 | | 1. flag to enable SZTP bootstrapping set to "true" | |
 | +---------------------------------------------------------+ |
 | |
 | +---------------------------------------------------------+ |
 | | <read-only storage> | |
 | | | |
 | | 2. TLS client cert & related intermediate certificates | |
 | | 3. list of trusted well-known bootstrap servers | |
 | | 4. list of trust anchor certs for bootstrap servers | |
 | | 5. list of trust anchor certs for ownership vouchers | |
 | +---------------------------------------------------------+ |
 | |
 | +-----------------------------------------------------+ |
 | | <secure storage> | |
 | | | |
 | | 6. private key for TLS client certificate | |
 | | 7. private key for decrypting SZTP artifacts | |
 | +-----------------------------------------------------+ |
 | |
 +-------------------------------------------------------------+

    command: ['sztpd', 'postgresql://sztpd-admin:secret@localhost:5432/sztpd-db']

The "database-url" argument has the form "<dialect>:<dialect-specific-path>".
Three dialects are supported: "sqlite", "postgresql", and "mysql+pymysql".
The <dialect-specific-path> for each of these is described below.

For the "sqlite" dialect, <dialect-specific-path> follows the format
"///<sqlite-path>", where <sqlite-path> can be one of:

  :memory:    - an in-memory database (only useful for testing)
  <filepath>  - an OS-specific filepath to a persisted database file

  Examples:

    $ sztpd sqlite:///:memory:                      (memory)
    $ sztpd sqlite:///relative/path/to/sztpd.db     (unix)
    $ sztpd sqlite:////absolute/path/to/sztpd.db    (unix)
    $ sztpd sqlite:///C:\path\to\sztpd.db           (windows)

For both the "postgresql" and "mysql+pymysql" dialects, <dialect-specific-path>
follows the format "//<user>[:<passwd>]@<host>:<port>/<database-name>".

  Examples:

    The following two examples assume the database is called "sztpd" and
    that the database server listens on the loopback address with no TLS.

      $ sztpd mysql+pymysql://user:pass@localhost:3306/sztpd
      $ sztpd postgresql://user:pass@localhost:5432/sztpd

Please see the documentation for more information.

 $ docker run --rm -it flungo/avahi
Unable to find image 'flungo/avahi:latest' locally
latest: Pulling from flungo/avahi
596ba82af5aa: Pull complete
b206d7a30008: Pull complete
32376195e81b: Pull complete
Digest: sha256:1ca78a72b58f55565bdb585d00d1ab6168f35281616bde0e65c4bdead37f5ded
Status: Downloaded newer image for flungo/avahi:latest
Saved 1 file(s)
Found user 'avahi' (UID 86) and group 'avahi' (GID 86).
Successfully dropped root privileges.
avahi-daemon 0.8 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Successfully called chroot().
Successfully dropped remaining capabilities.
Loading service file /services/sftp-ssh.service.
Loading service file /services/ssh.service.
Joining mDNS multicast group on interface eth0.IPv6 with address 2001:db8:1::242:ac11:2.
New relevant interface eth0.IPv6 for mDNS.
Joining mDNS multicast group on interface eth0.IPv4 with address 172.17.0.2.
New relevant interface eth0.IPv4 for mDNS.
Joining mDNS multicast group on interface lo.IPv6 with address ::1.
New relevant interface lo.IPv6 for mDNS.
Joining mDNS multicast group on interface lo.IPv4 with address 127.0.0.1.
New relevant interface lo.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 2001:db8:1::242:ac11:2 on eth0.*.
Registering new address record for 172.17.0.2 on eth0.IPv4.
Registering new address record for ::1 on lo.*.
Registering new address record for 127.0.0.1 on lo.IPv4.
Server startup complete. Host name is b21a3cd25ae2.local. Local service cookie is 2413553038.
Service "b21a3cd25ae2" (/services/ssh.service) successfully established.
Service "b21a3cd25ae2" (/services/sftp-ssh.service) successfully established.

avahi-browse -v -a -t

$ docker-compose run nmap --script=dns-service-discovery
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-27 15:58 UTC
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.24 seconds

diff --git a/docker-compose.yml b/docker-compose.yml
index aaf88d6..ee45042 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -110,7 +110,8 @@ services:
         echo "DNS.3 = web" >> sztpd1/sbi/end-entity/openssl.cnf
         echo "DNS.4 = redirecter" >> sztpd1/sbi/end-entity/openssl.cnf
         sed -i 's/my-serial-number/third-serial-number/g' client/end-entity/openssl.cnf
-        make pki SHELL=/bin/ash
+        make -C sztpd1/sbi pki SHELL=/bin/ash
+        make -C client     pki SHELL=/bin/ash
         echo SERVER SBI certificates
         cat sztpd1/sbi/end-entity/my_cert.pem sztpd1/sbi/intermediate2/my_cert.pem > /tmp/cert_chain.pem
         openssl crl2pkcs7 -nocrl -certfile /tmp/cert_chain.pem -outform DER -out /tmp/cert_chain.cms
(END)

-        tar -zxvf sztpd-simulator-0.0.11.tgz -C /tmp
+        tar -zxvf sztpd-simulator-0.0.11.tgz -C /tmp sztpd-simulator/pki/sztpd1/sbi sztpd-simulator/pki/client

docker run --rm -it --network=host   --mount type=bind,source=/mnt,target=/mnt   --mount type=bind,source=/etc/os-release,target=/etc/os-release   --mount type=bind,source=${DHCLIENT_LEASE_FILE},target=/var/lib/dhclient/dhclient.leases   ghcr.io/opiproject/opi-sztp-client:v0.2.0   /opi-sztp-agent daemon --bootstrap-trust-anchor-cert /mnt/nonexist.pem --device-end-entity-cert /mnt/nonexist.pem --device-private-key /mnt/nonexist.pem --serial-number opi-serial-number
Run the daemon command

Usage:
  opi-sztp-agent daemon [flags]

Flags:
      --bootstrap-trust-anchor-cert string   Bootstrap server trust anchor Cert (default "/certs/opi.pem")
      --device-end-entity-cert string        Device's End Entity cert (default "/certs/my_cert.pem")
      --device-password string               Device's password (default "my-secret")
      --device-private-key string            Device's private key (default "/certs/private_key.pem")
      --dhcp-lease-file string               Device's dhclient leases file (default "/var/lib/dhclient/dhclient.leases")
  -h, --help                                 help for daemon
      --serial-number string                 Device's serial number (default "my-serial-number")
2024/06/17 13:04:09 [INFO] Get the Bootstrap URL from DHCP client
2024/06/17 13:04:09 [INFO] Bootstrap URL retrieved successfully: https://bootstrap:8080/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data
2024/06/17 13:04:09 [INFO] Starting the Request to get On-boarding Information.
2024/06/17 13:04:09 [DEBUG] Sending to: https://bootstrap:8080/restconf/operations/ietf-sztp-bootstrap-server:get-bootstrapping-data
2024/06/17 13:04:09 [DEBUG] Sending input: {"ietf-sztp-bootstrap-server:input":{"hw-model":"BlueField SoC","os-name":"Ubuntu 22.04.4 LTS","os-version":"22.04","nonce":""}}
2024/06/17 13:04:09 [ERROR]  [ERROR] Expected conveyed-information, received error type=protocol, tag=access-denied, message=
Error: [ERROR] Expected conveyed-information, received error type=protocol, tag=access-denied, message=

option sztp-redirect-urls code 143  = text;

request subnet-mask, broadcast-address, ... , sztp-redirect-urls;

HTTP/1.1 404 Not Found
Content-Type: application/yang-data+json; charset=utf-8
Content-Length: 198
Date: Fri, 15 Jan 2021 02:38:07 GMT
Server: <redacted>

{
  "ietf-restconf:errors": {
    "error": [
      {
        "error-type": "application",
        "error-tag": "data-missing",
        "error-message": "No responses configured."
      }
    ]
  }
}

package main

import (
	"fmt"

	"github.com/jaypipes/ghw"
)

func main() {
	baseboard, err := ghw.Baseboard()
	if err != nil {
		fmt.Printf("Error getting baseboard info: %v", err)
	}

	fmt.Printf("%v\n", baseboard)
}

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/client.crt

curl -X POST --data {"ietf-sztp-bootstrap-server:input":{"progress-type":"bootstrap-initiated","message":"message sent via JSON"}} -H "Content-Type:application/yang-data+json" ...
curl -X POST --data {"ietf-sztp-bootstrap-server:input":{"hw-model":"model-x","os-name":"vendor-os","os-version":"17.3R2.1","signed-data-preferred":[null],"nonce":"BASE64VALUE="}} -H "Content-Type:application/yang-data+json" ...