From 13970859357637e469521ef9781d4ed708fa61d6 Mon Sep 17 00:00:00 2001 From: Arjan H Date: Thu, 25 May 2023 19:32:51 +0200 Subject: [PATCH] Bump boulder version to release-2023-05-22 --- .github/workflows/release.yml | 2 +- build/build.sh | 6 ++-- build/tmp.patch | 4 +-- install | 2 +- patch.sh | 5 ++- patches/boulder-va_main.patch | 46 ++++++++++++++++------------ patches/cmd_config.patch | 13 ++++++++ patches/config_bad-key-revoker.patch | 2 +- patches/config_crl-storer.patch | 6 ++-- patches/config_duration.patch | 13 ++++++++ patches/docker-compose-redis.patch | 8 ++--- patches/docker-compose.patch | 19 ++++++++---- patches/errors_errors.patch | 4 +-- patches/log_log.patch | 14 --------- patches/log_prod_prefix.patch | 14 +++++++++ patches/log_test_prefix.patch | 24 +++++++++++++++ patches/ocsp-responder_main.patch | 19 +++++++++--- patches/ra_ra.patch | 6 ++-- patches/updater_updater.patch | 8 ++--- 19 files changed, 146 insertions(+), 69 deletions(-) create mode 100644 patches/cmd_config.patch create mode 100644 patches/config_duration.patch delete mode 100644 patches/log_log.patch create mode 100644 patches/log_prod_prefix.patch create mode 100644 patches/log_test_prefix.patch diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f47ca9..c34f92c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,7 @@ jobs: fail-fast: false matrix: GO_VERSION: - - 1.20.3 + - 1.20.4 steps: - name: Checkout diff --git a/build/build.sh b/build/build.sh index dcf7321..36bb109 100755 --- a/build/build.sh +++ b/build/build.sh @@ -8,7 +8,7 @@ TMP_DIR=$(pwd)/tmp rm -rf $TMP_DIR && mkdir -p $TMP_DIR/{admin,bin,logs,src} boulderDir=$TMP_DIR/src -boulderTag="release-2023-04-24" +boulderTag="release-2023-05-22" boulderUrl="https://github.com/letsencrypt/boulder/" cloneDir=$(pwd)/.. 
@@ -18,7 +18,9 @@ BUILD_IMAGE=$(eval echo $(grep boulder-tools ../patches/docker-compose.patch | h git clone --branch $boulderTag --depth 1 $boulderUrl $boulderDir 2>/dev/null cd $boulderDir -git checkout $boulderTag -b $boulderTag 2>/dev/null +if [ $boulderTag != "main" ]; then + git checkout $boulderTag -b $boulderTag 2>/dev/null +fi if [ "$BUILD_IMAGE" == "" ]; then BUILD_IMAGE=$(eval echo $(grep boulder-tools $TMP_DIR/src/docker-compose.yml | grep "image:" | head -1 | sed -e "s/image://" | sed -e "s/&boulder_image//")) diff --git a/build/tmp.patch b/build/tmp.patch index 0c53a17..9c5a849 100644 --- a/build/tmp.patch +++ b/build/tmp.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index cfdcc784a..b50c8b18d 100644 +index 4fe5b4749..e70a007ef 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,8 +1,9 @@ @@ -8,7 +8,7 @@ index cfdcc784a..b50c8b18d 100644 services: boulder: # Should match one of the GO_DEV_VERSIONS in test/boulder-tools/tag_and_upload.sh. -- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.3_2023-04-04} +- image: &boulder_image letsencrypt/boulder-tools:${BOULDER_TOOLS_TAG:-go1.20.4_2023-05-02} + image: ghcr.io/hakwerk/labca-boulder:${LABCA_IMAGE_VERSION:-latest} environment: # To solve HTTP-01 and TLS-ALPN-01 challenges, change the IP in FAKE_DNS diff --git a/install b/install index 4aae0f4..2c7d994 100755 --- a/install +++ b/install @@ -30,7 +30,7 @@ dockerComposeVersion="v2.5.0" labcaUrl="https://github.com/hakwerk/labca/" boulderUrl="https://github.com/letsencrypt/boulder/" -boulderTag="release-2023-04-24" +boulderTag="release-2023-05-22" # Feature flags flag_skip_redis=true diff --git a/patch.sh b/patch.sh index 23f11cd..b0ea9b7 100755 --- a/patch.sh +++ b/patch.sh 
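Review bot: The new `main` case in `build/build.sh` lets the build pull an unpinned, moving ref, and the surrounding `git clone` / `git checkout` lines discard stderr with `2>/dev/null`, so a failed clone or checkout continues silently unless the script runs under `set -e` (its header is outside this hunk). For a CA build that is a supply-chain gap: nothing records which Boulder commit was actually compiled. Quote the variable and record the resolved commit, e.g. `if [ "$boulderTag" != "main" ]; then` and, after the checkout, `git rev-parse HEAD > "$TMP_DIR/boulder-commit.txt"` so the built revision is auditable later.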
@@ -22,7 +22,9 @@ $SUDO patch -p1 < $cloneDir/patches/bad-key-revoker_main.patch $SUDO patch -p1 < $cloneDir/patches/boulder-va_main.patch $SUDO patch -p1 < $cloneDir/patches/ca_crl.patch $SUDO patch -p1 < $cloneDir/patches/cert-checker_main.patch +$SUDO patch -p1 < $cloneDir/patches/cmd_config.patch $SUDO patch -p1 < $cloneDir/patches/cmd_shell.patch +$SUDO patch -p1 < $cloneDir/patches/config_duration.patch $SUDO patch -p1 < $cloneDir/patches/contact-auditor_main.patch $SUDO patch -p1 < $cloneDir/patches/core_interfaces.patch $SUDO patch -p1 < $cloneDir/patches/crl-storer_main.patch @@ -31,7 +33,8 @@ $SUDO patch -p1 < $cloneDir/patches/db_migrations.patch $SUDO patch -p1 < $cloneDir/patches/errors_errors.patch $SUDO patch -p1 < $cloneDir/patches/expiration-mailer_main.patch $SUDO patch -p1 < $cloneDir/patches/linter_linter.patch -$SUDO patch -p1 < $cloneDir/patches/log_log.patch +$SUDO patch -p1 < $cloneDir/patches/log_prod_prefix.patch +$SUDO patch -p1 < $cloneDir/patches/log_test_prefix.patch $SUDO patch -p1 < $cloneDir/patches/log-validator_main.patch $SUDO patch -p1 < $cloneDir/patches/mail_mailer.patch $SUDO patch -p1 < $cloneDir/patches/makefile.patch diff --git a/patches/boulder-va_main.patch b/patches/boulder-va_main.patch index 33db2f3..990f12c 100644 --- a/patches/boulder-va_main.patch +++ b/patches/boulder-va_main.patch @@ -1,35 +1,41 @@ diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go -index ebc83fa14..cfef7773c 100644 +index 3625dace9..55cb7cc18 100644 --- a/cmd/boulder-va/main.go 
+++ b/cmd/boulder-va/main.go -@@ -25,8 +25,10 @@ type Config struct { - // DNSTries is the number of times to try a DNS query (that has a temporary error) +@@ -27,8 +27,9 @@ type Config struct { // before giving up. May be short-circuited by deadlines. A zero value // will be turned into 1. -- DNSTries int -- DNSResolver string `validate:"required"` -+ DNSTries int -+ DNSResolver string `validate:"required"` -+ // Deprecated, replaced by singular DNSResolver above. + DNSTries int +- DNSResolver string `validate:"required_without=DNSProvider,excluded_with=DNSProvider,omitempty,hostname|hostname_port"` +- DNSProvider *cmd.DNSProvider `validate:"required_without=DNSResolver,excluded_with=DNSResolver,omitempty"` ++ DNSResolver string `validate:"omitempty,hostname|hostname_port"` + DNSResolvers []string - DNSTimeout string ++ DNSProvider *cmd.DNSProvider `validate:"omitempty"` + DNSTimeout config.Duration `validate:"required"` DNSAllowLoopbackAddresses bool -@@ -94,11 +96,13 @@ func main() { - clk := cmd.Clock() +@@ -88,7 +89,7 @@ func main() { + cmd.Fail("Cannot specify both 'dnsResolver' and dnsProvider") + } + +- if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil { ++ if c.VA.DNSResolver == "" && c.VA.DNSProvider == nil && len(c.VA.DNSResolvers) == 0 { + cmd.Fail("Must specify either 'dnsResolver' or dnsProvider") + } + +@@ -101,8 +102,13 @@ func main() { + } var servers bdns.ServerProvider -- if c.VA.DNSResolver == "" { -- cmd.Fail("Config key 'dnsresolver' is required") -+ if c.VA.DNSResolver != "" { -+ servers, err = bdns.StartDynamicProvider(c.VA.DNSResolver, 60*time.Second) -+ cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver") -+ } else { +- servers, err = bdns.StartDynamicProvider(c.VA.DNSProvider, 60*time.Second) +- cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver") ++ if len(c.VA.DNSResolvers) > 0 { + servers, err = bdns.NewStaticProvider(c.VA.DNSResolvers) + cmd.FailOnError(err, "Couldn't parse static DNS server(s)") - } -- 
servers, err = bdns.StartDynamicProvider(c.VA.DNSResolver, 60*time.Second) -- cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver") ++ } else { ++ servers, err = bdns.StartDynamicProvider(c.VA.DNSProvider, 60*time.Second) ++ cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver") ++ } defer servers.Stop() var resolver bdns.Client diff --git a/patches/cmd_config.patch b/patches/cmd_config.patch new file mode 100644 index 0000000..6147b92 --- /dev/null +++ b/patches/cmd_config.patch @@ -0,0 +1,13 @@ +diff --git a/cmd/config.go b/cmd/config.go +index 99ff43d02..a91f51d7d 100644 +--- a/cmd/config.go ++++ b/cmd/config.go +@@ -460,7 +460,7 @@ type GRPCServerConfig struct { + // this controls how long it takes before a client learns about changes to its + // backends. + // https://pkg.go.dev/google.golang.org/grpc/keepalive#ServerParameters +- MaxConnectionAge config.Duration `validate:"required"` ++ MaxConnectionAge config.Duration + } + + // GRPCServiceConfig contains the information needed to configure a gRPC service. diff --git a/patches/config_bad-key-revoker.patch b/patches/config_bad-key-revoker.patch index eea2134..847980c 100644 --- a/patches/config_bad-key-revoker.patch +++ b/patches/config_bad-key-revoker.patch @@ -20,7 +20,7 @@ index f4696dc2..b9c19ce3 100644 }, "maximumRevocations": 15, "findCertificatesBatchSize": 10, -- "interval": "1s", +- "interval": "50ms", + "interval": "5m", "backoffIntervalMax": "2s" }, diff --git a/patches/config_crl-storer.patch b/patches/config_crl-storer.patch index a8c0340..c48c2e0 100644 --- a/patches/config_crl-storer.patch +++ b/patches/config_crl-storer.patch @@ -1,9 +1,9 @@ diff --git a/test/config/crl-storer.json b/test/config/crl-storer.json -index 61f14d79..a620896f 100644 +index ef70c2ffc..a53b75d86 100644 --- a/test/config/crl-storer.json +++ b/test/config/crl-storer.json -@@ -15,10 +15,9 @@ - ] +@@ -23,10 +23,9 @@ + } }, "issuerCerts": [ - "/hierarchy/intermediate-cert-rsa-a.pem", 
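Review bot: The mutual-exclusion check visible as context (`Cannot specify both 'dnsResolver' and dnsProvider`) does not cover the labca-specific `DNSResolvers` list, so a config that sets `dnsResolvers` together with `dnsResolver` or `dnsProvider` is accepted and the static list silently wins in the new `if len(c.VA.DNSResolvers) > 0` branch. Because this resolver is what the VA uses to validate domain control, an ambiguous configuration should fail at startup rather than pick one: `if len(c.VA.DNSResolvers) > 0 && (c.VA.DNSResolver != "" || c.VA.DNSProvider != nil) { cmd.Fail("Cannot combine 'dnsResolvers' with 'dnsResolver' or 'dnsProvider'") }`. The `DNSResolvers []string` field also carries no `validate` tag while the singular `DNSResolver` keeps `hostname|hostname_port`; `validate:"omitempty,dive,hostname|hostname_port"` would report bad entries alongside the other config errors instead of relying on `NewStaticProvider`'s parse failure. The body of `main` continues outside this hunk.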
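Review bot: Dropping `validate:"required"` from `GRPCServerConfig.MaxConnectionAge` turns an omitted value from a config-load error into a zero `config.Duration` handed to gRPC keepalive, which (per the keepalive docs linked in the field comment, not visible here) treats zero as no maximum age, so connections are never rotated and, as the comment itself warns, clients never learn about backend changes. If labca deliberately leaves this unset, say so on the field, e.g. `// labca: optional; a zero value means connections are never aged out, so clients will not pick up backend changes.`, or apply an explicit default where the value is consumed.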
diff --git a/patches/config_duration.patch b/patches/config_duration.patch new file mode 100644 index 0000000..8914022 --- /dev/null +++ b/patches/config_duration.patch @@ -0,0 +1,13 @@ +diff --git a/config/duration.go b/config/duration.go +index c97eeb486..6167bf768 100644 +--- a/config/duration.go ++++ b/config/duration.go +@@ -9,7 +9,7 @@ import ( + // Duration is just an alias for time.Duration that allows + // serialization to YAML as well as JSON. + type Duration struct { +- time.Duration `validate:"required"` ++ time.Duration + } + + // ErrDurationMustBeString is returned when a non-string value is diff --git a/patches/docker-compose-redis.patch b/patches/docker-compose-redis.patch index a57eb79..e160918 100644 --- a/patches/docker-compose-redis.patch +++ b/patches/docker-compose-redis.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index e9b68587b..5699aa777 100644 +index 5eb8a5513..05d16611b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -20,8 +20,6 @@ services: @@ -18,9 +18,9 @@ index e9b68587b..5699aa777 100644 - - bredis_1 - - bredis_2 - bconsul + - bjaeger entrypoint: test/entrypoint.sh - working_dir: &boulder_working_dir /boulder -@@ -78,24 +74,6 @@ services: +@@ -79,24 +75,6 @@ services: aliases: - boulder-proxysql @@ -45,7 +45,7 @@ index e9b68587b..5699aa777 100644 bconsul: image: hashicorp/consul:1.13.1 volumes: -@@ -132,13 +110,6 @@ networks: +@@ -142,13 +120,6 @@ networks: config: - subnet: 10.88.88.0/24 diff --git a/patches/docker-compose.patch b/patches/docker-compose.patch index ad76712..e229f55 100644 --- a/patches/docker-compose.patch +++ b/patches/docker-compose.patch @@ -1,5 +1,5 @@ diff --git a/docker-compose.yml b/docker-compose.yml -index 5699aa777..cfdcc784a 100644 +index 05d16611b..4fe5b4749 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -8,10 +8,12 @@ services: 
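Review bot: Removing `validate:"required"` from the embedded `time.Duration` in `config.Duration` relaxes validation for every Duration field in every Boulder component, not only the fields labca leaves unset: any timeout or interval that is missing or `0s` now passes config validation, and for consumers that treat zero as "no timeout" or "run continuously" that can silently disable a protection. The commit already handles the one field it needs (`MaxConnectionAge` in `cmd/config.go`) by dropping the tag on that field, so this type-wide change looks unnecessary and is the riskier of the two. If it must stay, document the new contract on the struct, e.g. `// labca: zero is accepted here; fields that must be set carry validate:"required" themselves.`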
@@ -17,7 +17,7 @@ index 5699aa777..cfdcc784a 100644 - ./.gocache:/root/.cache/go-build:cached - ./.hierarchy:/hierarchy/:cached - ./.softhsm-tokens/:/var/lib/softhsm/tokens/:cached -@@ -31,19 +33,26 @@ services: +@@ -31,20 +33,26 @@ services: # TODO: Remove this when ServerAddress is deprecated in favor of SRV records # and DNSAuthority. dns: 10.55.55.10 @@ -33,6 +33,7 @@ index 5699aa777..cfdcc784a 100644 - bmysql - - bproxysql - bconsul +- - bjaeger - entrypoint: test/entrypoint.sh - working_dir: &boulder_working_dir /boulder + entrypoint: labca/entrypoint.sh @@ -51,7 +52,7 @@ index 5699aa777..cfdcc784a 100644 networks: bluenet: aliases: -@@ -57,22 +66,11 @@ services: +@@ -58,22 +66,11 @@ services: # small. command: mysqld --bind-address=0.0.0.0 --slow-query-log --log-output=TABLE --log-queries-not-using-indexes=ON logging: @@ -79,7 +80,7 @@ index 5699aa777..cfdcc784a 100644 bconsul: image: hashicorp/consul:1.13.1 -@@ -83,18 +81,70 @@ services: +@@ -84,26 +81,70 @@ services: ipv4_address: 10.55.55.10 command: "consul agent -dev -config-format=hcl -config-file=/test/consul/config.hcl" @@ -127,10 +128,16 @@ index 5699aa777..cfdcc784a 100644 + - /home/labca/nginx_data/conf.d:/etc/nginx/conf.d + - /home/labca/nginx_data/ssl:/etc/nginx/ssl + - /home/labca/nginx_data/static:/var/www/html -+ + +- bjaeger: +- image: jaegertracing/all-in-one:1.44 +- environment: +- COLLECTOR_OTLP_ENABLED: "true" + control: + image: *boulder_image -+ networks: + networks: +- bluenet: +- ipv4_address: 10.77.77.17 + - bluenet + volumes: + - /var/run/docker.sock:/var/run/docker.sock diff --git a/patches/errors_errors.patch b/patches/errors_errors.patch index 8518bef..1d5aeaa 100644 --- a/patches/errors_errors.patch +++ b/patches/errors_errors.patch @@ -1,8 +1,8 @@ diff --git a/errors/errors.go b/errors/errors.go -index 83adf7f1..cc136790 100644 +index f531782e8..4e59a7259 100644 --- a/errors/errors.go 
+++ b/errors/errors.go -@@ -163,10 +163,10 @@ func NotFoundError(msg string, args ...interface{}) error { +@@ -166,10 +166,10 @@ func NotFoundError(msg string, args ...interface{}) error { return New(NotFound, msg, args...) } diff --git a/patches/log_log.patch b/patches/log_log.patch deleted file mode 100644 index 52b3cd4..0000000 --- a/patches/log_log.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/log/log.go b/log/log.go -index 75262337d..4245e41a9 100644 ---- a/log/log.go -+++ b/log/log.go -@@ -94,6 +94,9 @@ func newStdoutWriter(level int) *stdoutWriter { - } - - prefix := fmt.Sprintf("%s %s %s[%d]:", shortHostname, datacenter, core.Command(), os.Getpid()) -+ if datacenter == "unknown" { -+ prefix = fmt.Sprintf("%s %s[%d]:", shortHostname, core.Command(), os.Getpid()) -+ } - - return &stdoutWriter{ - prefix: prefix, diff --git a/patches/log_prod_prefix.patch b/patches/log_prod_prefix.patch new file mode 100644 index 0000000..7f3b03d --- /dev/null +++ b/patches/log_prod_prefix.patch @@ -0,0 +1,14 @@ +diff --git a/log/prod_prefix.go b/log/prod_prefix.go +index b4cf55daf..91f1aee8b 100644 +--- a/log/prod_prefix.go ++++ b/log/prod_prefix.go +@@ -25,6 +25,9 @@ func getPrefix() (string, string) { + } + + prefix := fmt.Sprintf("%s %s %s[%d]: ", shortHostname, datacenter, core.Command(), os.Getpid()) ++ if datacenter == "unknown" { ++ prefix = fmt.Sprintf("%s[%d]: ", core.Command(), os.Getpid()) ++ } + clkFormat := "2006-01-02T15:04:05.000000+00:00Z" + + return prefix, clkFormat diff --git a/patches/log_test_prefix.patch b/patches/log_test_prefix.patch new file mode 100644 index 0000000..950d8f8 --- /dev/null +++ b/patches/log_test_prefix.patch 
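Review bot: The `datacenter == "unknown"` fallback in `log/prod_prefix.go` now drops `shortHostname` from the prefix (`"%s[%d]: "` with only the command and pid), whereas the deleted `log_log.patch` kept it (`"%s %s[%d]:"` with hostname, command, pid). That makes lines from different hosts indistinguishable once logs are aggregated, which matters when reconstructing a CA incident. If this is deliberate for single-host labca deployments, a comment should say so: `// labca: no datacenter configured; omit the hostname as well so lines read "<cmd>[pid]: ..."`; otherwise keep the hostname as the previous patch did.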
@@ -0,0 +1,24 @@ +diff --git a/log/test_prefix.go b/log/test_prefix.go +index d1fb89491..8974ac30e 100644 +--- a/log/test_prefix.go ++++ b/log/test_prefix.go +@@ -2,8 +2,18 @@ + + package log + ++import ( ++ "fmt" ++ "os" ++ ++ "github.com/letsencrypt/boulder/core" ++) ++ + // getPrefix returns the prefix and clkFormat that should be used by the + // stdout logger. + func getPrefix() (string, string) { +- return "", "15:04:05.000000" ++ prefix := fmt.Sprintf("%s[%d]: ", core.Command(), os.Getpid()) ++ clkFormat := "2006-01-02T15:04:05.000000+00:00Z" ++ ++ return prefix, clkFormat + } diff --git a/patches/ocsp-responder_main.patch b/patches/ocsp-responder_main.patch index 6f08adb..78cbe39 100644 --- a/patches/ocsp-responder_main.patch +++ b/patches/ocsp-responder_main.patch @@ -1,13 +1,22 @@ diff --git a/cmd/ocsp-responder/main.go b/cmd/ocsp-responder/main.go -index 2254dc26f..9d3a73c39 100644 +index 39a0dac43..c7e0dc02d 100644 --- a/cmd/ocsp-responder/main.go 
+++ b/cmd/ocsp-responder/main.go -@@ -151,49 +151,51 @@ as generated by Boulder's ceremony command. +@@ -88,7 +88,7 @@ type Config struct { + + // Configuration for using Redis as a cache. This configuration should + // allow for both read and write access. +- Redis *rocsp_config.RedisConfig `validate:"required_without=Source"` ++ Redis *rocsp_config.RedisConfig + + // TLS client certificate, private key, and trusted root bundle. + TLS cmd.TLSConfig `validate:"required_without=Source,structonly"` +@@ -154,49 +154,51 @@ as generated by Boulder's ceremony command. source, err = responder.NewMemorySourceFromFile(filename, logger) cmd.FailOnError(err, fmt.Sprintf("Couldn't read file: %s", url.Path)) } else { - // Set up the redis source and the combined multiplex source. -- rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope) +- rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope) - cmd.FailOnError(err, "Could not make redis client") - - err = rocspRWClient.Ping(context.Background()) @@ -28,9 +37,9 @@ index 2254dc26f..9d3a73c39 100644 - maxInflight := c.OCSPResponder.MaxInflightSignings - if maxInflight == 0 { - maxInflight = 1000 -+ if c.OCSPResponder.Redis.ShardAddrs != nil { ++ if c.OCSPResponder.Redis != nil { + // Set up the redis source and the combined multiplex source. -+ rocspRWClient, err := rocsp_config.MakeClient(&c.OCSPResponder.Redis, clk, scope) ++ rocspRWClient, err := rocsp_config.MakeClient(c.OCSPResponder.Redis, clk, scope) + cmd.FailOnError(err, "Could not make redis client") + + err = rocspRWClient.Ping(context.Background()) diff --git a/patches/ra_ra.patch b/patches/ra_ra.patch index 1103e3e..dd39016 100644 --- a/patches/ra_ra.patch +++ b/patches/ra_ra.patch @@ -1,8 +1,8 @@ diff --git a/ra/ra.go b/ra/ra.go -index a3ec42916..a71060a45 100644 +index fb881c4ed..0bb0a317a 100644 --- a/ra/ra.go 
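Review bot: With `validate:"required_without=Source"` removed from `Config.Redis`, a config that sets neither `source` nor `redis` is no longer rejected at load time, while the sibling `TLS` field still carries that tag. The new `if c.OCSPResponder.Redis != nil` branch only builds the Redis-backed source; what the responder serves when `Redis` is nil and no file source is configured lives in the else path outside this hunk, so confirm that case fails fast instead of starting an OCSP responder without a backing source. A comment on the field would make the contract explicit: `// labca: optional; may be nil when Redis is not deployed (see the Redis != nil check in main).`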
+++ b/ra/ra.go -@@ -42,7 +42,6 @@ import ( +@@ -43,7 +43,6 @@ import ( "github.com/letsencrypt/boulder/issuance" blog "github.com/letsencrypt/boulder/log" "github.com/letsencrypt/boulder/metrics" @@ -10,7 +10,7 @@ index a3ec42916..a71060a45 100644 "github.com/letsencrypt/boulder/probs" pubpb "github.com/letsencrypt/boulder/publisher/proto" rapb "github.com/letsencrypt/boulder/ra/proto" -@@ -530,7 +529,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { +@@ -531,7 +530,7 @@ func (ra *RegistrationAuthorityImpl) validateContacts(contacts []string) error { contact, ) } diff --git a/patches/updater_updater.patch b/patches/updater_updater.patch index 771ec54..b19cf0e 100644 --- a/patches/updater_updater.patch +++ b/patches/updater_updater.patch @@ -1,5 +1,5 @@ diff --git a/crl/updater/updater.go b/crl/updater/updater.go -index 7d28c6e23..9f663706b 100644 +index cf58b3e6f..75ee6f338 100644 --- a/crl/updater/updater.go +++ b/crl/updater/updater.go @@ -8,6 +8,7 @@ import ( @@ -10,7 +10,7 @@ index 7d28c6e23..9f663706b 100644 "sort" "strings" "time" -@@ -120,6 +121,29 @@ func NewUpdater( +@@ -128,6 +129,29 @@ func NewUpdater( // next scheduled run time based on the current time and the updateOffset, then // begins running once every updatePeriod. func (cu *crlUpdater) Run(ctx context.Context) error { @@ -40,7 +40,7 @@ index 7d28c6e23..9f663706b 100644 // We don't want the times at which crlUpdater runs to be dependent on when // the process starts. So wait until the appropriate time before kicking off // the first run and the main ticker loop. -@@ -141,7 +165,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error { +@@ -149,7 +173,7 @@ func (cu *crlUpdater) Run(ctx context.Context) error { // counting from the appropriate time. ticker := time.NewTicker(cu.updatePeriod) atTime := cu.clk.Now() 
@@ -49,7 +49,7 @@ index 7d28c6e23..9f663706b 100644 if err != nil { // We only log, rather than return, so that the long-lived process can // continue and try again at the next tick. -@@ -327,7 +351,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam +@@ -359,7 +383,7 @@ func (cu *crlUpdater) tickShard(ctx context.Context, atTime time.Time, issuerNam crlEntries = append(crlEntries, entry) }