15 Commits

Author SHA1 Message Date
Adolf Belka
70f08332ce amazon-ssm-agent: Update to version 3.2.582.0
- Update from version 3.0.356.0
- Update of rootfile not required
- Changelog
3.2.574.0
	- Fixed go-vet issues by passing mocks by value
	- Updated domainjoin and cloudwatch executables for windows
3.2.532.0
	- Removed explicit setting of EC2 aws credential profile
	- Added public key to registration info
	- Sends non-interactive command errors that occur before command execution to data channel
	- Added instance id verification to registration process
3.2.419.0
	- Added minimum retry sleep for Registrar RegisterManagedInstance calls
	- Explicitly skip AZ info check for on-prem and ECS targets
	- Fix for SSM-Agent that is unable to start on Apple Mac M1's (mac2.metal instances)
	- Ensuring powershell path is set to system directory on Windows
	- Load DLLs with using system/absolute paths on Windows
	- Added workaround for Samba limit when loading Active Directory ids
	- Dynamically get network interface name for SeamlessDomainJoin
	- Added install-yum-rpm to makefile to install agent on host from source code
	- Added logging for specifying credential source
	- Refactored tests to remove mocks from production binaries
	- Updated Windows DomainJoin plugin SharpZipLib and Newtonsoft.json dependencies
3.2.345.0
	- Updated yaml.v3 dependency
3.2.286.0
	- Separated EC2 identity vault manifest from OnPrem identity vault manifest
	- Fix for credential retrieval blocking os termination signals
	- Fix for agent updater using shared credentials on EC2
	- Added guards against panic for agent identity health checks
	- Added logging around agent module start/stop
3.2.183.0
	- Added logging when assuming identity
	- Increased retries to ECS metadata endpoint
	- Added linux debug build to makefile
	- Implemented aws sdk logging interface
	- Updated agent minor version to 3.2
	- Added functionality to retrieve agent credentials from Systems Manager on EC2
3.1.1927.0
	- Update shell for Session Manager on MacOS
3.1.1856.0
	- Lower message length threshold for cloudwatch log streaming
	- Ran gofmt and goimports with golang version 1.19
	- Report AvailabilityZone and AvailabilityZoneId in health pings
	- Update AWS Go SDK to v1.44.78
3.1.1767.0
	- Fix samba configuration for sub-domains
3.1.1732.0
	- Add code in document/session worker to fallback to default identity selector when runtime config not present
	- Fix to handle command-line-arguments in document/session worker when launched by old agent workers
3.1.1634.0
	- Fallback to file based IPC if named pipe creation times out
	- Increase tls handshake timeout in http download client
	- Log mds client timeout errors as WARN
3.1.1575.0
	- Added separate metric for snapd running apps failure during update
	- Fixed idle session timeout with smux keep alive configuration based on CLI version
	- Updated AgentTaskComplete message retry
	- Updated go version to 1.18.3
3.1.1511.0
	- Collect kernel version in InstanceDetailedInformation
	- Support separate output stream for non-interactive session
	- Cleanup default log group name for runcommands
	- Updated rpm spec file to include build id
3.1.1476.0
	- Fix port session premature close when local server is not connected before timeout
3.1.1446.0
	- Add created date to AgentJobAck message
	- Disable smux keep alive to use idle session timeout feature
	- Fix unit-tests running on windows
3.1.1374.0
	- Added timeout for s3 HEAD requests
	- Added vpc address deny to port forwarding
	- Fixed for reboot scenario in configure package plugin
	- Fixed goroutine leak in seelog library
	- Fixed nullpointer segmentation fault in configure package plugin
	- Improved error handling in manifest download in updater
	- Improved worker initialization to improve startup failure logging
3.1.1260.0
	- Added missing check for invalid S3 path parameter
	- Added support for domain join using a non-local username
	- Fixed broken links in README.md
	- Fixed ECS Exec issue where agent was using environment variables for credentials
	- Updated Ec2Detector test to query smbios directly for system information
3.1.1208.0
	- Updated ec2detector module to use Get-CmiInstance instead of wmic.exe
	- Fixed file creation mode of ssm-agent-users sudoer file
3.1.1188.0
	- Added new ec2detector module to determine if agent is on EC2
	- Added support for port forwarding to remote host
	- Added quotes around inventory parameter ValueName on Windows
	- Fix for domain join DNS IP assignments in shared directories
	- Replaced namedpipe updater test with ec2detector test
3.1.1141.0
	- Add application inventory by file for Bottlerocket
	- Fix infinite retry logic to send failed replies in MGSInteractor
	- Remove usage of io/fs package
3.1.1080.0
	- (windows only) Remove symlink scan during update
3.1.1045.0
	- Fixed sourceHash validation for aws:application document plugin
	- Added document parameter validation for values passed to target document of aws:runDocument plugin
	- (windows only) Fix process leak when legacy cloudwatch plugin is enabled
	- (windows only) Fail installation if C:\ProgramData\Amazon\SSM\ has symlinks
3.1.1004.0
	- Added platform detection for Bottlerocket OS
	- Consolidated regional endpoint generation to common endpoint module
3.1.941.0
	- Added support for Rocky linux
	- Fixed sharefile/shareprofile not being propagated to updateutil
	- Fixed incorrect darwin platform detection post BigSur
	- Fixed log flush issue in updater
	- Updated .NET dependencies for domainjoin and cloudwatch (windows only)
	- Updated go version to 1.17.6
3.1.821.0
	- Implement new core module named MessageService to start processing commands from both MGS and MDS
	  - Merge functionalities from RunCommandService core module and Session core module.
	  - Receive run command documents through MGS if connected and fallback to MDS otherwise. This functionality requires appropriate permissions for both endpoints and will be rolled out gradually to end users.
	  - Provide filesystem based idempotency check to avoid duplicate run command document execution.
	  - Increase default run command pool buffer size from 1 to 5 to load additional documents before-hand for processing.
	- Fix nil pointer dereference panic produced in named pipe test case during agent update
	- Remove StopType concept in ssm-agent-worker and add different waits for reboot and shutdown stop
3.1.804.0
	- Add support for upstart when running get-diagnostic command using ssm-cli
	- Fix systemctl service name to support older versions of systemctl
	- Include changes to facilitate testing
	- Update DNS server selection logic for seamless domain join on linux and darwin
	- Update go version to go1.17.5
	- Update golang sys package dependency
3.1.715.0
	- Derive default directories from appconfig on Darwin
	- Set x-bit on newly-created directories
3.1.634.0
	- Fix for ssm-setup-cli to be able to select service manager without the agent being installed
3.1.630.0
	- Added greengrass component recipe for the new SystemsManagerAgent component
	- Added support for registering agent on a greengrass device
	- Added support for downloading more than 1000 objects in downloadContent
	- Fixed retry logic for onprem and s3 upload
	- Fixed unit tests when running on Mac
	- Update AWS SDK to v1.41.4
	- Update logic to retrieve platform details for Rocky Linux
3.1.501.0
	- Add diagnostics command to ssm-cli
	- Fix caching for onprem credentials
	- Additional configuration options for Seamless Domain Join
	- Gracefully exit session if group of runas user is modified
	- Skip retries for cert validation errors in S3 HEAD requests
	- Fix DNS failures on CentOS 8.2
	- Update several dependencies
3.1.459.0
	- Fixed a bug with powershell command for Inventory
3.1.426.0
	- Fixed cpu spike issue manifesting on snap
	- Fixed issue with version comparison in EC2Config update plugin
	- Fixed panic when command output was being truncated
	- Updated build to use go1.16.8
	- Removed Profile from inventory powershell commands on Windows
3.1.338.0
	- Fix to eliminate WaitGroup reuse panic triggered during agent reboot
	- Fix to include applications without UninstallString in Inventory for Windows
	- Fixed a bug where multi-plugin documents with large outputs would timeout RunCommand
	- Fixed a bug where RunCommand could delay executions for up to 15 minutes
3.1.282.0
	- Add serial port logging of AwsNitroEnclaves package version on windows during startup
	- Allow usage of existing loggroup/logstream when the user does not have create permission
	- Change service interrogate request log to debug
	- Cleanup old surveyor channel files on startup
	- Fix filehandle leak in windows leading to agent going offline
	- Fix to schedule correct next run time during orchestration directories cleanup
	- Fix to sequentially update correct runcount value in the document bookkeeping file
	- Fix a bug with version parsing EC2Config updater
	- Updated rpm packaging for fips compliance
3.1.192.0
	- Added darwin arm64 to makefile
	- Added logic to limit orchestration directory cleanup
	- Added packaging for public SSM Agent container image
	- Fixed cloudwatch endpoint for telemetry metrics requests
	- Fixed handling of Windows filepaths and mutex locks
	- Fixed agent worker handling of OS signals and termination channel requests
	- Updated datachannel retry strategy to not retry for a specific error scenario
	- Updated default gomaxproc value for Windows
	- Update build to use go1.16.6
3.1.127.0
	- Added a workaround for windows random halts
	- Fixed race condition during reboot document execution
3.1.90.0
	- Updated to version 3.1
	- Updated build to build statically linked binaries for linux 64bit
	  - Minimum supported linux kernel version for linux 64bit is 3.2+
	- Fixed permissions for docker config file
	- Fixed issue with ubuntu prerm and postinst scripts
	- Fixed issue where processor stop was being called twice
3.0.1390.0
	- Added config option to delete orchestration folder
	- Added snapcraft packaging config
	- Added workaround for aws:runDocument status bug
	- Added improved handling of file closure
	- Added support for go mod and updated build to use go 1.16.4
	- Fixed bug parsing vpce s3 urls
	- Refactored use of agent identity in agent cli
	- Updated check if agent is running as windows service
	- Updated handling of session cancellation to still send output to client side
	- Updated interactive session exit code logic to match non-interactive mode
	- Updated vendor dependencies
3.0.1295.0
	- Added configurable custom identity and identity consumption order
	- Added cross-account domain join
	- Added cleanup for older versions of updater artifacts
	- Added a workaround for MacOS kernel bug that sometimes kept RunCommand from launching
	- Added a workaround for log file contention on Windows
	- Added synchronization to RunCommand service stop
	- Changed hibernation log level
	- MacOS executables are now signed
	- Removed delay in non-interactive session type
3.0.1209.0
	- Fixed issue where registration file is not removed when registration is cleared
	- Removed unnecessary CloudWatch Log api calls
	- Added support for IMDSv2 in Windows AD domain join plugin
3.0.1181.0
	- Added support for digest authorization in downloadContent plugin
	- Added missing defer close for windows service in updater
	- Added support to disable onprem hardware similarity check
	- Fixed windows random halts issue
	- Refactored windows startup
	- Refactored task pool to dynamically dispatch goroutines
3.0.1124.0
	- Added a check for broken symlink after update
	- Added support for NonInteractiveCommands session type on Linux and Windows platforms
	- Added lint-all flag to makefile
	- Changed Inventory plugin billinginfo to use IMDSv2
	- Fixed indefinite retries for ResourceError during CWLogging
	- Fixed go vet call in checkstyle.sh
	- Fixed inter process communication log line
	- Fixed a bug where CloudWatch logs were not being uploaded
	- Fixed timer and goroutine leaks
	- Fixed an issue where document workers on Windows were not exiting
3.0.1031.0
	- Added test-all flag to the makefile
	- Added support for onprem private key auto rotation
	- Added config to remove plugin output files after upload to s3
	- Added update precondition for upcoming 3.1 release
	- Fixed cloudwatch windows where TLS 1.0 is disabled
	- Fixed document cloudwatch upload when CreateLogStream permissions were missing left instances stuck in terminating
	- Fixed domain join windows EC2 instances where TLS 1.0 is disabled
	- Fixed domain join script for .local domain names
	- Fixed domain join script to exit when domain is already joined
	- Fixed panic issue in windows startup script when executing powershell command
	- Fixed session manager issue on MacOS for root and home path
	- Removed IMDS call in domain join script
	- Refactored update plugin and updater interaction
3.0.882.0
	- Added jitter to first control channel call
	- Added dedicated folder for plugins
	- Added option to overwrite corrupt shared credentials
3.0.854.0
	- Added $HOME env variable for root user when runAsElevated is true in session
	- Added CREAD flag in serial port control flags on linux
	- Added PlatformName and PlatformVersion as env variables for aws:runShellScript
	- Added support for macOS updater
	- Added v2.2 document support in updater
	- Added defer recover statements
	- Fixed inventory error log when dpkg is not available
	- Fixed ssm-cli logging to stdout
	- Removed consideration of unimportant error codes in service side
	- Updated ec2 credential caching time to ~1 hour
	- Updated service query logic for Windows
	- Updated golang sys package dependency
3.0.755.0
	- Fix fallback logic for MGS endpoint generation
	- Fix regional endpoint generation
3.0.732.0
	- Fix bug in document parameter expansion
	- Fix datachannel to wait for empty message buffer before closing
	- Fix for hung Session Manager sessions
	- Fix for folder permission issue in domain join
	- Refactor identity handling
	- Update session plugin to pause reading when datachannel not actively sending data
	- Update ssm-user creation details in README.md
3.0.655.0
	- Add feature to retain hostname during domain join
	- Add delay to pty start failure for session-worker
	- Add nil pointer check on shell command for session-worker
	- Add shlex to vendor which is used to parse session interactive command input for session-worker
	- Change log level for IPC not readable message
	- Change v2 agent to use v3 agent executor
	- Fix network connectivity issues on RHEL8
	- Fix race condition where first message is dropped when session plugin's message handler is not ready
	- Fix file channel protocol test cases
	- Fix blocking http call when certificates are not available
	- Move aws cli installation out of /tmp for domain join plugin
	- Update boolean attributes in Session Document to accept both string and bool values
	- Upgrade vendor dependencies and build to use go1.15.7
3.0.603.0
	- Added instruction to README.md for getting the latest version of SSM Agent in a specific region
	- Fix for PowerShell stream data being executed in reverse order
	- Fix to create update lock folder before creating update locks
	- Fix to reset ipcTempFile properties at the end of session
3.0.529.0
	- Fix for encrypted s3 bucket upload
3.0.502.0
	- Add agent version flag to retrieve agent version
	- Add onFailure/onSuccess/finallyStep support for plugins
	- Add SSE header for S3 Upload
	- Add SSM Agent support in MacOS
	- Extend use of default http transport
	- Fix for Agent not acquiring new instance role credentials after EC2 hibernation
	- Fix for shell profile powershell commands not being executed in the expected order
	- Fix to delete undeleted channel while using reboot document
	- Fix to consider status of all plugin steps in document after system restart
	- Fix bug capturing rpm install exit code
	- Handle sourceInfo json sent from CLI in downloadContent plugin
	- Optimize agent startup time by removing additional wait times
	- Refactor makefile
	- Replace master branch with mainline branch
	- Upgrade aws-sdk-go to latest version (v1.35.23)
3.0.431.0
	- Use DefaultTransport as underlying RoundTripper for S3 access
3.0.413.0
	- Add additional checks and logs to install scripts
	- Add retry logic to handle ssm document during reboot
	- Add dockerfile to build agent
	- Add script to package binaries to tar
	- Change default download directory on Linux to /var/lib/amazon/ssm
	- Extend SSM Agent ability to execute from relative path and use custom certificates
	- Fix IP address parsing in domain join plugin
	- Fix self update logging
	- Log fingerprint similarity check failures as ERROR and each changed machine property as WARN
	- Prefix ecs target id with 'ecs:'
	- Prefer non-link-local addresses to show in Console
	- Use IMDSv1 after IMDSv2

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-04-18 21:17:10 +00:00
Michael Tremer
c183124f58 Bump PAK_VER for all packages that use SERVICES
Since we have extended services.cgi so that it reads the Services field
from the Pakfire metadata, we will need to make sure that that metadata
is going to be on those systems.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2022-09-15 10:43:54 +00:00
Michael Tremer
f605a2d303 amazon-ssm-agent: Enable build for aarch64
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2022-08-11 18:29:13 +00:00
Peter Müller
9a7e4d8506 Switch checksums from MD5 to BLAKE2
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.

While the sources are nowadays downloaded via HTTPS, it makes sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.

Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.

In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
2022-04-02 14:19:25 +00:00
Robin Roevens
f15707c78c buildprocess: Add extra metadata to pak lfs files
* Add a Summary and Services field to all pak lfs files
* Replace occurrences of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
  macro in all pak lfs files.

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2022-02-11 15:13:15 +00:00
Michael Tremer
6cab8977e0 amazon-ssm-agent: Package /usr/bin/ssm-agent-worker
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-11-19 18:35:36 +00:00
Michael Tremer
ff69976021 amazon-ssm-agent: Update to 3.0.356.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-11-13 11:11:47 +00:00
Michael Tremer
0c4cd7f393 amazon-ssm-agent: Bump version to ship package built with golang
gccgo compiles this, but unfortunately the binaries malfunction
sometimes. golang generates a bug-free binary.

https://github.com/aws/amazon-ssm-agent/issues/271

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-04-20 15:25:25 +00:00
Michael Tremer
8bded835a2 amazon-ssm-agent: Remove temporary shared files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-04-20 15:25:15 +00:00
Michael Tremer
0c466599d0 amazon-ssm-agent: Allow to overcommit memory
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-03-30 17:28:40 +00:00
Michael Tremer
229a6dffd7 amazon-ssm-agent: Update to 2.3.930.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-03-30 17:28:38 +00:00
Michael Tremer
2dc2a27803 lfs: Drop quotes in DEPS variable
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-03-24 08:57:27 +00:00
Michael Tremer
aab6ec606a amazon-ssm-agent: Move source to GOPATH
Go won't build when this is only symlinked any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-01-13 21:35:20 +00:00
Michael Tremer
cde41c2e6f Go: Cleanup Go Path after build
Go leaves temporary build files in the directory
which we do not need and we should clean up after
every build.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-01-12 08:19:17 +00:00
Michael Tremer
44cc9a3d57 amazon-ssm-agent: New package
AWS Systems Manager Agent (SSM Agent) is Amazon software that can be
installed and configured on an Amazon EC2 instance, an on-premises
server, or a virtual machine (VM). SSM Agent makes it possible for
Systems Manager to update, manage, and configure these resources. The
agent processes requests from the Systems Manager service in the AWS
Cloud, and then runs them as specified in the request. SSM Agent then
sends status and execution information back to the Systems Manager
service by using the Amazon Message Delivery Service.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2020-01-11 20:33:36 +00:00