
Merge branch 'main' into smb-acm-local
bwendlandt-intel authored Nov 9, 2023
2 parents e6d7e29 + cac1635 commit 6f1a435
Showing 15 changed files with 91 additions and 104 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/mkdocs_build.yml
Expand Up @@ -33,7 +33,7 @@ jobs:
# Runs a single command using the runners shell
- name: Run a one-line script
run: |
pip install mkdocs-material==9.2.7
pip install mkdocs-material==9.4.7
pip install mkdocs-render-swagger-plugin
pip install mkdocs-macros-plugin
pip install mkdocs-mermaid2-plugin
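Review bot: only `mkdocs-material` is pinned in this `run:` step; the three plugin installs on the following lines (`mkdocs-render-swagger-plugin`, `mkdocs-macros-plugin`, `mkdocs-mermaid2-plugin`) are unpinned, so each docs build silently takes whatever PyPI serves on the day it runs. Since this change already edits the pin, consider pinning those as well (`pip install mkdocs-macros-plugin==<version>`), ideally from a requirements file installed with `--require-hashes`, so the published site is reproducible and a tampered plugin release cannot slip into the build.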
2 changes: 1 addition & 1 deletion docs/APIs/indexRPS.md
Expand Up @@ -7,4 +7,4 @@
}
</style>

!!swagger-http https://api.swaggerhub.com/apis/rbheopenamt/rps/2.16.0!!
!!swagger-http https://api.swaggerhub.com/apis/rbheopenamt/rps/2.19.0!!
1 change: 1 addition & 0 deletions docs/Deployment/Database/schema.md
Expand Up @@ -28,6 +28,7 @@ The diagrams below illustrates the database schema and relationships for MPS and
string provisioning_cert_storage_format
string provisioning_cert_key
datetime creation_date
datetime expiration_date
string created_by
string tenant_id
}
13 changes: 9 additions & 4 deletions docs/Deployment/upgradeVersion.md
Expand Up @@ -3,17 +3,22 @@

### Upgrade to 2.16 (Oct 23) from 2.15 (Sep 23)

The 2.16 release of Open AMT requires an upgrade to the `mpsdb` database. More information about why we've made this change can be found in the [October 2023 Release Notes](https://open-amt-cloud-toolkit.github.io/docs/2.16/release-notes/#whats-new).
The 2.16 release of Open AMT requires an upgrade to both the `mpsdb` and `rpsdb` databases. More information about why we've made this change can be found in the [October 2023 Release Notes](https://open-amt-cloud-toolkit.github.io/docs/2.16/release-notes/#whats-new).

1. Run the following SQL script to alter constraints before upgrading the services.

``` sql
``` sql title="mpsdb"
ALTER TABLE devices
ADD COLUMN IF NOT EXISTS deviceInfo json
ADD COLUMN IF NOT EXISTS deviceInfo json;
```

``` sql title="rpsdb"
ALTER TABLE domains
ADD COLUMN IF NOT EXISTS expiration_date timestamp;
```

???+ example "Example - Adding Columns to PostgresDB using psql"
This example walks through one potential option to update a Postgres Database using psql.
This example walks through one potential option to update a Postgres Database using psql. Change the database passed using the `-d` flag to either `mpsdb` or `rpsdb` as needed.

1. Open a Command Prompt or Terminal.
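Review bot: the new `rpsdb` statement adds `expiration_date` with no default and no backfill, so every existing `domains` row will hold NULL until its provisioning certificate is uploaded again, and callers of the Domains API that read this field should expect NULL for those rows rather than a date. Step 1 should say so, and since the example admonition now tells the reader to switch `-d` between `mpsdb` and `rpsdb`, it could end with a check that the column exists on both databases (for instance `\d domains` and `\d devices` in psql) before the services are upgraded.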

6 changes: 3 additions & 3 deletions docs/GetStarted/buildRPC.md
Expand Up @@ -7,7 +7,7 @@ Developed in Go* programming language, the Remote Provisioning Client (RPC) appl
</div>

!!! important "Important - Production Environment"
In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices.
In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices.


<figure class="figure-image">
Expand All @@ -21,7 +21,7 @@ Developed in Go* programming language, the Remote Provisioning Client (RPC) appl
## Build the RPC

!!! tip "Flexible Deployment - RPC as a Library"
The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. [Read more about building RPC as a library here](../Reference/RPC/libraryRPC.md).
The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. [Read more about building RPC as a library here](../Reference/RPC/libraryRPC.md).

**To build the executable:**

Expand Down Expand Up @@ -110,7 +110,7 @@ The toolkit provides a reference implementation called the Sample Web UI to mana
```
!!! note "Note - RPC Arguments"
See more about the [flag and other arguments](../Reference/RPC/commandsRPC.md).
See more about the [flags used here and other arguments](../Reference/RPC/commandsRPC.md).
!!! note "Note - Transition Activated Device"
To learn how to use the RPC application to transition an already activated (provisioned) Intel vPro® Platform device, see [Transition Activated Device](../Reference/RPC/buildRPC_Manual.md#transition-activated-device).
8 changes: 3 additions & 5 deletions docs/GetStarted/createProfileACM.md
Expand Up @@ -38,13 +38,13 @@ The DNS suffix encompasses the domain suffix (e.g., .com) and follows the hostna

In this example, the hostname is **cb-vending1** and the DNS suffix is **burgerbusiness.com.**

**To set the DNS suffix: **
**To set the DNS suffix:**

1. Manually set it using MEBX on the managed device. Find instructions [here](../Reference/MEBX/dnsSuffix.md).

2. Alternately, change the DHCP Option 15 to DNS suffix within the Router settings.

**To find the the DNS suffix, use the following command: **
**To find the DNS suffix, use the following command:**

=== "Linux"
``` bash
Expand All @@ -63,11 +63,9 @@ In this example, the hostname is **cb-vending1** and the DNS suffix is **burgerb
A Profile provides configuration information to the AMT Firmware during the activation process with the Remote Provisioning Client (RPC).

!!! important "Important - Production Environment"
In a production environment, devices are typically activated in ACM mode. ACM mode enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not have immediate access to it or employees nearby. ACM mode proves immensely helpful in these scenarios.
In a production environment, devices are typically activated in ACM mode. ACM mode enables KVM access to devices without user consent. In most IoT use cases, edge devices such as digital signage or kiosks may not have immediate access to it or employees nearby. ACM mode proves immensely helpful in these scenarios.

??? note "Note - More Information about Passwords"
**Passwords**

Open AMT Cloud Toolkit increases security with multiple passwords. Find an explanation of toolkit passwords in [Reference -> Architecture Overview](../Reference/architectureOverview.md#passwords).

**To create an ACM profile:**
4 changes: 2 additions & 2 deletions docs/Reference/RPC/buildRPC_Manual.md
Expand Up @@ -3,7 +3,7 @@
Developed in Go* programming language, the Remote Provisioning Client (RPC) application runs on the managed device and communicates with the Remote Provisioning Server (RPS) microservice on the development system. The RPC and RPS configure and activate Intel® AMT on the managed device. Once properly configured, the remote managed device can call home to the Management Presence Server (MPS) by establishing a Client Initiated Remote Access (CIRA) connection with the MPS. See Figure 1.

!!! tip "Production Environment"
In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices.
In a production environment, RPC can be deployed with an in-band manageability agent to distribute it to the fleet of AMT devices. The in-band manageability agent can invoke RPC to run and activate the AMT devices.

<figure class="figure-image">
<img src="..\..\..\assets\images\RPC_Overview.png" alt="Figure 1: RPC Configuration">
Expand Down Expand Up @@ -35,7 +35,7 @@ Developed in Go* programming language, the Remote Provisioning Client (RPC) appl
## Build RPC

!!! tip "Flexible Deployment - RPC as a Library"
The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. [Read more about building RPC as a library here](./libraryRPC.md).
The RPC can be built as an executable file or as a library, which offers the flexibility of deploying in your management agent or client. [Read more about building RPC as a library here](./libraryRPC.md).

**To build the executable:**

8 changes: 4 additions & 4 deletions docs/Tutorials/Scaling/Kubernetes/deployingk8s-aks.md
Expand Up @@ -262,11 +262,11 @@ Where:
**Make sure to download your Vault credentials** and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost.
!!! tip "Tip - Finding the Vault UI External IP Address"
The external IP of your Vault UI service can be found by running:
The external IP of your Vault UI service can be found by running:
```
kubectl get services openamtstack-vault-ui
```
```
kubectl get services openamtstack-vault-ui
```
1. Please refer to HashiCorp documentation on how to [Initialize and unseal Vault](https://learn.hashicorp.com/tutorials/vault/kubernetes-azure-aks?in=vault/kubernetes#initialize-and-unseal-vault). **Stop and return here after signing in to Vault with the `root_token`.**
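Review bot: the re-indented code fence around `kubectl get services openamtstack-vault-ui` is untagged, while the other fences in these docs carry a language (`bash` in `createProfileACM.md`, `yaml` in the EKS page); tagging it ```` ``` bash ```` keeps highlighting consistent and is a one-character fix while the block is being moved anyway.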
12 changes: 6 additions & 6 deletions docs/Tutorials/Scaling/Kubernetes/deployingk8s-eks.md
Expand Up @@ -337,11 +337,11 @@ Where:
**Make sure to download your Vault credentials** and save them in a secure location when unsealing Vault. If the keys are lost, a new Vault will need to be started and any stored data will be lost.
!!! tip "Tip - Finding the Vault UI External IP Address"
The external IP of your Vault UI service can be found by running:
The external IP of your Vault UI service can be found by running:
```
kubectl get services openamtstack-vault-ui
```
```
kubectl get services openamtstack-vault-ui
```
1. Please refer to HashiCorp documentation on how to [Initialize and unseal Vault](https://learn.hashicorp.com/tutorials/vault/kubernetes-azure-aks?in=vault/kubernetes#initialize-and-unseal-vault). **Stop and return here after signing in to Vault with the `root_token`.**
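Review bot: the unchanged line after the tip still sends the EKS reader to the HashiCorp tutorial for Azure AKS (`vault/kubernetes-azure-aks`); since this hunk is already re-indenting that tip, it is a good moment to swap in the EKS equivalent or drop the platform-specific link. The re-indented fence is also untagged, unlike the `yaml` fence later in this same file; tagging it as `bash` keeps the page consistent.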
Expand Down Expand Up @@ -371,13 +371,13 @@ Where:
### Update commonName in values.yml
1. Get the External-IP for accessing the UI. Note and save the value under 'EXTERNAL-IP'.
1. Get the `External-IP` for accessing the UI. Note and save the value under `EXTERNAL-IP`.
```
kubectl get service openamtstack-kong-proxy
```
2. Update the value for `commonName` in the **mps** section in the `values.yml` file with the External-IP from above. Recall that `values.yml` is located in `./kubernetes/charts/`.
2. Update the value for `commonName` in the **mps** section in the `values.yml` file with the `External-IP` from above. Recall that `values.yml` is located in `./kubernetes/charts/`.
``` yaml hl_lines="2"
mps:
111 changes: 45 additions & 66 deletions docs/release-notes.md
Expand Up @@ -2,15 +2,15 @@
## Release Highlights

<div style="text-align:center;">
<iframe width="800" height="450" src="https://www.youtube.com/embed/U8D-WCgVD_4?si=23o5nqBL5X2nb1ly" title="Open AMT September Release Video" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
<iframe width="800" height="450" src="https://www.youtube.com/embed/mSkvJuKCQPE?si=BU4n8IcL6-woFgzM" title="Open AMT October Release Video" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
</div>
<br>

!!! note "Note From the Team"

Greetings everyone,
Happy Halloween!

Fall is here and just like the changing of the seasons, this release contains the most recent changes to Open AMT Cloud Toolkit! Make sure to checkout Bryan's video where he talks about the new changes in this release or you can get the details in the "What's New" section. The team has some exciting new features we're working on in the month of October that we can't wait for you to see. You can follow our day to day progress over at our new Sprint Planning project board (link at the bottom)!
No tricks in this release, just new treats coming to Open AMT Cloud Toolkit! Make sure to checkout Bryan's video where he talks about the new changes in this release or you can get the details in the "What's New" section. You can follow our day to day progress over at our new Sprint Planning project board (link at the bottom)!

We are genuinely excited about this release and are eager to hear your valuable feedback. Your input plays a crucial role in enhancing the Open AMT Cloud Toolkit further.
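Review bot: `checkout` in the new "No tricks" paragraph should be `check out` (it is a verb here); the typo was carried over from the replaced text. Also, the `?si=...` query parameter on the new YouTube embed URL is the identifier YouTube appends to shared links for attribution and is not needed by the iframe; dropping it avoids publishing that token in the docs.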

Expand All @@ -22,118 +22,97 @@

:material-update: **DB Update Required**

Run the following SQL script to alter constraints before upgrading the services.
Run the following SQL scripts to add the new required columns for both the `mpsdb` and `rpsdb`.

``` SQL
ALTER TABLE domains
DROP CONSTRAINT IF EXISTS domains_pkey;
DROP INDEX CONCURRENTLY IF EXISTS lower_name_suffix_idx;
ALTER TABLE domains
ADD CONSTRAINT domainname UNIQUE (name, tenant_id);
ALTER TABLE domains
ADD PRIMARY KEY (name, domain_suffix, tenant_id);
``` sql title="mpsdb"
ALTER TABLE devices
ADD COLUMN IF NOT EXISTS deviceInfo json;
```

[More information or detailed steps can be found in Upgrade Toolkit Version.](./Deployment/upgradeVersion.md)

The goal of this change is to loosen constraints on some unique Domain fields. This will now enable identical Domain profile names and DNS suffixes to be shared across different tenants. The following is an example of what was previously restricted, but now allowed.
The goal of this change is to allow us to cache some of the AMTINFO data that we gather while activating a device in the database and make that available to API callers when a device is not connected to the MPS.

``` sql title="rpsdb"
ALTER TABLE domains
ADD COLUMN IF NOT EXISTS expiration_date timestamp;
```
Name DNS Suffix TenantId
domainName1 example.com 1
domainName1 exmaple.com 2
```

:material-new-box: **New Feature: NoSQL Supported in MPS**

We've added NoSQL (not only SQL) DB support to MPS to aid with future unstructured device data that we'll be storing in the MPS DB. To aid with this, we have implemented a new database interface using the MongoAPI in the src/data/mongo folder. This has been tested against multiple MongoAPI compatible databases and works well without changes to our implementation. We look forward to any feedback you have on this new capability.

:material-new-box: **New Feature: Enhanced `amtinfo` command**

We have updated RPC-Go's `amtinfo` command to allow users to better understand what certificates are currently in AMT.
[More information or detailed steps can be found in Upgrade Toolkit Version.](./Deployment/upgradeVersion.md)

- The `amtinfo -userCert` flag allows you to retrieve certificates associated with specific AMT configuration options. For example, the CIRA certificate, TLS certificates, or 802.1x certificates.
:material-new-box: **New Feature: Offline AMT Data**

- The `amtinfo -cert -password amtPassword` flag now provides information about both system and user certificates.
Along with the DB update this release, we are now storing some basic AMT data in the database. When activating an AMT device, this data will automatically collected and stored. We've also added a new maintenance command `syncdeviceinfo` to RPC-Go that will collect and update this information. Read more about this feature in our [docs](https://open-amt-cloud-toolkit.github.io/docs/2.16/Reference/RPC/commandsRPC/#syncdeviceinfo)

:material-new-box: **New Feature: Sample UI Improvements**
:material-new-box: **New Feature: Certificate Expiration Checking**

We have made two improvements to the Sample UI in this release.
When provisioning certificates are added to Open AMT Cloud Toolkit, the software will now get the expiration date of the certificate and store that in the database. This data is then returned when a GET call to Domains is made. This information makes it easy to determine if a certificate is about to expire or already expired. The Sample Web UI has an implementation showing this capability in this release.

- **Edit Tags** You can now efficiently manage tags for individual systems and perform bulk tag changes across multiple systems via the Sample Web UI.
:material-new-box: **New Feature: Fetch Provisioning Certificates During -local Activation**

- **User Consent** The Sample Web UI now respects user consent settings in AMT, ensuring that it prompts for a user consent code even when the device is configured under Admin Control Mode (ACM).
A new option has been provided for ACM `-local` activation flows. Users can now store their provisioning certificate and credentials securely on a network share and point RPC-Go to fetch this information during activation.

## Get the Details

### Additions, Modifications, and Removals

#### RPS

v2.16.4

- fix: allow same domain suffix across tenants ([#1214](https://github.com/open-amt-cloud-toolkit/rps/issues/1214)) (#ef9cd45)
v2.19.0

v2.16.3
- feat: adds expiration date to prov cert ([#1234](https://github.com/open-amt-cloud-toolkit/rps/issues/1234))

- fix state-machine: unconfigure continues on error for TLS deletions ([#1215](https://github.com/open-amt-cloud-toolkit/rps/issues/1215)) (#b68f168)
v2.18.0

v2.16.2
- feat: add device info maintenance ([#1277](https://github.com/open-amt-cloud-toolkit/rps/issues/1277))

- fix: - adds shouldRetry guards ([#1207](https://github.com/open-amt-cloud-toolkit/rps/issues/1207)) (#f17d28a)
v2.17.1

- fix: store dnssuffix into db ([#1256](https://github.com/open-amt-cloud-toolkit/rps/issues/1256))

#### MPS
v2.17.0

v2.12.0
- feat: save additional values to mps mongo db ([#1236](https://github.com/open-amt-cloud-toolkit/rps/issues/1236))

- feat: enable tenant check on AMT operations (#a4010b1)
- feat: add support for mongo compatible nosql databases ([#1066](https://github.com/open-amt-cloud-toolkit/mps/issues/1066)) (#18096bc)

#### MPS

#### RPC
v2.12.4

v2.16.0
- fix(redir): improve data checking for redirection ([7aa1510](https://github.com/open-amt-cloud-toolkit/mps/commit/7aa151099baf43a565dae003ac45d444ea7a2b4e))

- feat: adds uuid flag to activate command ([bae75fe](https://github.com/open-amt-cloud-toolkit/rpc-go/commit/bae75fea35b4faa0258447ac1b10c7e078ce1f9b)), closes [#163](https://github.com/open-amt-cloud-toolkit/rpc-go/issues/163)
v2.12.3

v2.15.2
- fix: fixed mongo device deletion ([#1100](https://github.com/open-amt-cloud-toolkit/mps/issues/1100))

- fix: trigger ci build for release with docker ([0bbbf78](https://github.com/open-amt-cloud-toolkit/rpc-go/commit/0bbbf78bc40abf72d7c0a2a8a98f1fd2b4b42306))
v2.12.2

v2.15.1
- fix: Remove data from Mongo on deactivation ([#1118](https://github.com/open-amt-cloud-toolkit/mps/issues/1118))

- fix: add prompt for password acm local deactivation
- fix: addwifisettings validate unique priorities
v2.12.1

v2.15.0
- fix: redirection token expiration and device UUID check ([#1098](https://github.com/open-amt-cloud-toolkit/mps/issues/1098))

- feat: amtinfo display user certificates

#### Sample Web UI
#### RPC

v2.14.0
v2.19.0

- feat: edit device tags
- feat: local operations read secrets from environment ([90a5a4c](https://github.com/open-amt-cloud-toolkit/rpc-go/commit/90a5a4c1e445ede1d3e250ea090fcd6ac77c7675))

v2.13.2
v2.18.0

- fix: version call now occurs after login (#a80ffb0)
- feat: add device info maintenance ([e302f8a](https://github.com/open-amt-cloud-toolkit/rpc-go/commit/e302f8aec00222651867b5977dafc419627ae778))

v2.17.0

#### go-wsman-messages
- feat: add features field to message payload ([61s9829](https://github.com/open-amt-cloud-toolkit/rpc-go/commit/61a9829a8a4303600816b6ce629b07d142d7a144))

v1.8.4
#### Sample Web UI

- fix: handle qop="auth-int, auth" header ([2b5a4e6](https://github.com/open-amt-cloud-toolkit/go-wsman-messages/commit/2b5a4e6e4d1e7412bc9f0140925701d47a56245c))
v2.15.0

v1.8.3
- feat: adds exp date to domain certs

- fix wsman: authorize uri is always /wsman ([f2414f3](https://github.com/open-amt-cloud-toolkit/go-wsman-messages/commit/f2414f32eab5db593ceaaad8410a1a2a9e4815bb))

## Project Boards

Check out our new [Sprint Planning](https://github.com/orgs/open-amt-cloud-toolkit/projects/10/views/2) project board to see what stories the dev team is actively working on, what is in our backlog, and what is planned for the next sprint.

Check out our [Feature Backlog](https://github.com/orgs/open-amt-cloud-toolkit/projects/5) project board to see issues and prioritized items we're working on across all of our repositories. You'll also see what is coming in our next release!
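Review bot: the new "Fetch Provisioning Certificates During -local Activation" paragraph says the provisioning certificate and credentials can be stored "securely on a network share" but, unlike the two feature paragraphs above it, gives no link and does not say what secures them. That certificate is what lets RPC activate a device in ACM, which `createProfileACM.md` in this same commit notes grants KVM access without user consent, so the note should at least link to the RPC command reference (as the `syncdeviceinfo` paragraph does) and state that the share must be access-controlled to the provisioning hosts. Smaller points in the same hunk: "this data will automatically collected" is missing "be"; the sentence ending "in our [docs](...)" has no terminating period; and the RPC v2.17.0 link text reads `61s9829` while the commit URL is `61a9829`.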