CloudFormation signal program (issue #1581)

[mello7tre]

Issue number:
#1581

Description of changes:
Created a new rust program, cfsignal to send signal to CloudFormation
Stack.
Program is a sort of cfn-signal
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-signal.html
but as cfn-signal need python cannot be used by bottlerocket.

cfsignal read configuration from a cfsignal.toml file configured reading
user-data, so it depends on settings-applier.service.
It cannot send a signal for a failure happening before
settings-applier.service and network-online.target are started.

It is able to send a failure signal for any other service starting from
(included):
activate-multi-user.service

It use systemctl action is-system-running with --wait option.
This way we can know if any service, after systemd boot process
finished, is in a failure status.

Detail
I have created a new setting named cloudformation.
It support the keys:

signal: boolean
stack_name: string
logical_resource_id: string

If signal is false (default) program do nothing.
Other way it excute systemctl --wait is-system-running to find out the system state.
Then it send the relative signal to the the stack_name stack.

Testing done:
Created and updated and AutoScalingGroup configured to wait signaling by created instances.
Tested that instance send SUCCESS signal if all service started successfully.

bash-5.0# systemctl status cfsignal
● cfsignal.service - Send signal to CloudFormation Stack
     Loaded: loaded (/x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/system/cfsignal.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Thu 2022-02-24 03:20:40 UTC; 10min ago
    Process: 1578 ExecStart=/usr/bin/cfsignal (code=exited, status=0/SUCCESS)
   Main PID: 1578 (code=exited, status=0/SUCCESS)

Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] System status is: running [0]
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Connecting to IMDS
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Received meta-data/instance-id
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Received dynamic/instance-identity/document
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Region: "us-west-2" - InstanceID: "i-051f097c469cd6a7f" - Signal: "SUCCESS"
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal systemd[1]: cfsignal.service: Succeeded.

Tested that instance send FAILURE signal if a service after activate-multi-user.service fail.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

[webern]

Thank you for the PR @mello7tre! We are looking at it 👀 .

[samuelkarp]

@mello7tre thank you so much for putting this together! I took a look and had a few suggestions for changes. Please let me know if you have any questions about the suggestions. (And if you don't have the time to look at those suggestions, we can keep this open until you do or we can take a look at making those changes for you.)

[mello7tre]

thanks @samuelkarp for the comments.
Give me some time and i will try to make the changes.
Mine only concern is about changing systemd.service Type, i have explained it better above.

[mello7tre]

just pushed the requested changes.
I need more time to work on:
#1728 (comment)
#1728 (comment)

will came later...

[jfrconley]

Is there any movement on this issue? Waiting to adopt Bottlerocket until I can be sure that my asg will wait for instances to register with ECS

[jpculp]

All, we're sorry this has been left open for quite some time. From what I can tell it seems to be on the right track. @mello7tre, would you be able to re-base, squash the commits, and request re-review?

[mello7tre]

Rebased as requested.

[etungsten]

Hi @mello7tre, sorry about the delay. I'm gonna do my best and help you get this over the finish line. I took a look over the existing comments and resolved the ones that have been addressed.

The only comment that still needs addressing is #1728 (comment).

Another thing is we want to make sure cfsignal only runs on first boot as opposed to on every boot. We can achieve this by making cfsignal create an sentinel file at some path and the service unit can conditionally run based on the file's presence. The early-boot-config service is an example that does this:

bottlerocket/packages/os/early-boot-config.service

Lines 9 to 11 in 9749af9

	# We only want to run once, at first boot. This file is created by early-boot-config
	# after a successful run.
	ConditionPathExists=!/var/lib/bottlerocket/early-boot-config.ran

And the sentinel file is created like so:

bottlerocket/sources/api/early-boot-config/src/main.rs

Lines 144 to 149 in 9749af9

	fs::write(MARKER_FILE, "").unwrap_or_else(|e| {
	warn!(
	"Failed to create marker file {}, may unexpectedly run again: {}",
	MARKER_FILE, e
	)
	});

Let me know what you think and how I can help.

And finally, since we're introducing new settings, we need to create a simple migration binary to migrate our settings datastore between OS versions. You can read more about migrations here and how to write them here. The closest example would be the add-network migration here:

bottlerocket/sources/api/migration/migrations/archived/v1.0.5/add-network-settings/src/main.rs

Lines 7 to 15 in 9749af9

	/// We added a set of settings for configuring service network behavior and their associated
	/// configuration file. Remove the whole `settings.network`, `configuration-files.proxy-env` prefix
	/// if we downgrade.
	fn run() -> Result<()> {
	migrate(AddPrefixesMigration(vec![
	"settings.network",
	"configuration-files.proxy-env",
	]))
	}

Of course, we can take care of this for you if you'd prefer not to dabble with it. Just let us know. Thanks again for your contribution!

[mello7tre]

Hi @etungsten, just pushed the requested changes.
Have a look if all is right.

[etungsten]

Looking good. We need to do a rebase to fix some minor conflicts and fix the migration crate path.

[etungsten]

Since we only do anything with the system check status if should_signal is set, we can have the check inside the if block.

Suggested change

	let system_check = Box::new(SystemCheck {});
	let system_status = system_check.system_running()?;
	info!(
	"System status is: {} [{}]",
	system_status.status, system_status.exit_code
	);
	// run only if the opt-in flag is set
	if config.should_signal {
	// run only if the opt-in flag is set
	if config.should_signal {
	let system_check = Box::new(SystemCheck {});
	let system_status = system_check.system_running()?;
	info!(
	"System status is: {} [{}]",
	system_status.status, system_status.exit_code
	);

[mello7tre]

Could be useful to know which would be the system status even without signaling it to CloudFormation, maybe to try it out in a dry mode or to debug.

[mello7tre]

applied requested changes
rebased on aeec3aa
squashed commits

[mello7tre]

i made a little mess rebasing, so i fixed it and force pushed the right "version"

[etungsten]

Nice! I'm gonna start asking others to take a look.

https://github.com/bottlerocket-os/bottlerocket/pull/1728/files#r803845979 still needs a quick fix.

[mello7tre]

Hi @etungsten, i think that to speed up the development is better if, from now on, you directly make all relevant changes.
So feel free to change it as you prefer, i just would like that this feature will be included in a future release.

Regards, Alberto.

[etungsten]

Push above addresses comments. Needed to label cfsignal with api_exec so it can write the sentinel file to a persistent storage location like /var/lib/bottlerocket.
Made sure cfsignal only runs on first boot. On subsequent boots, the cfsignal service unit never starts:

Feb 11 21:13:21 systemd[1]: Condition check resulted in Send signal to CloudFormation Stack being skipped.

[webern]

🎸

i'm making the changes

[etungsten]

Push above and below addresses @arnaldo2792 's comments.

Tested changes and it works as expected:

bash-5.0# systemctl status cfsignal
● cfsignal.service - Send signal to CloudFormation Stack
     Loaded: loaded (/x86_64-bottlerocket-linux-gnu/sys-root/usr/lib/systemd/system/cfsignal.service; enabled; vendor preset: enabled)
     Active: inactive (dead) since Thu 2022-02-24 03:20:40 UTC; 10min ago
    Process: 1578 ExecStart=/usr/bin/cfsignal (code=exited, status=0/SUCCESS)
   Main PID: 1578 (code=exited, status=0/SUCCESS)

Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] System status is: running [0]
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Connecting to IMDS
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Received meta-data/instance-id
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Received dynamic/instance-identity/document
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal cfsignal[1578]: 03:20:40 [INFO] Region: "us-west-2" - InstanceID: "i-051f097c469cd6a7f" - Signal: "SUCCESS"
Feb 24 03:20:40 ip-192-168-16-4.us-west-2.compute.internal systemd[1]: cfsignal.service: Succeeded.

[arnaldo2792]

🦆

[zmrow]

🍨

Thanks!

[bcressey]

Nice! This looks ready to merge.

@mello7tre, I know this has been a long time coming! I really appreciate the contribution as well as your extraordinary patience. We're planning to ship it in the next release.

[mello7tre]

Nice! This looks ready to merge.

@mello7tre, I know this has been a long time coming! I really appreciate the contribution as well as your extraordinary patience. We're planning to ship it in the next release.

Thanks, i am glad to have given a little contribution to the project.

[etungsten]

Push above rebases onto develop

[etungsten]

Push above addresses @bcressey 's comments.

[etungsten]

Push above moves the migration to the v1.6.1 to v1.6.2 migration chain since we're planning this for v1.6.2 release.

[etungsten]

Tested migration again and it still works as expected