feat: reject non-manifest artifacts on system devices #1982

Open
danielskinstad wants to merge 1 commit into mendersoftware:master from danielskinstad:MEN-9655

@danielskinstad

Contributor

Changelog: On a System Device, mender-update now refuses a deployment whose artifact is not a mender-orchestrator-manifest.
Ticket: MEN-9655

@danielskinstad

Contributor Author

@mender-test-bot start client pipeline

@mender-test-bot

@danielskinstad, start a full client pipeline with:

  • mentioning me and start client pipeline

my commands and options

You can prevent me from automatically starting CI pipelines:

  • if your pull request title starts with "[NoCI] ..."

You can trigger a client pipeline on multiple prs with:

  • mentioning me and start client pipeline --pr mender/127 --pr mender-connect/255

You can trigger a client pipeline for a specific Mender Client release with:

  • mentioning me and start client pipeline --release 6.0.x (can be given multiple times)
  • by default, a pipeline is triggered for each supported release the component is a part of

You can trigger GitHub->GitLab branch sync with:

  • mentioning me and sync

You can print PR statistics for a repository with:

  • mentioning me and print fast pr stats (Team stats only)
  • mentioning me and print full pr stats (Detailed report)
  • options: --repo <repo>, --team <name>, --all-repos, --exclude-drafts, --exclude-user <user>
  • mentioning me and print full pr stats --repo mender --all-repos --exclude-drafts

You can deploy a review app with:

  • mentioning me and start review app (OS environment)
  • mentioning me and start review app enterprise (Enterprise environment)

You can run e2e tests against a deployed review app with:

  • mentioning me and start review tests (defaults to os environment)
  • mentioning me and start review tests enterprise (for enterprise environment)

You can cherry pick to a given branch or branches with:

  • mentioning me and:
 cherry-pick to:
 * 1.0.x
 * 2.0.x

@mender-test-bot

Hello 😺 I created a pipeline for you here: Pipeline-2631767080

Build Configuration Matrix

Key Value
BUILD_BEAGLEBONEBLACK true
BUILD_CLIENT true
BUILD_QEMUX86_64_BIOS_GRUB true
BUILD_QEMUX86_64_BIOS_GRUB_GPT true
BUILD_QEMUX86_64_UEFI_GRUB true
BUILD_VEXPRESS_QEMU true
BUILD_VEXPRESS_QEMU_FLASH true
BUILD_VEXPRESS_QEMU_UBOOT_UEFI_GRUB true
INTEGRATION_REV master
MENDER_BINARY_DELTA_REV master
MENDER_CLIENT_SUBCOMPONENTS_REV main
MENDER_CONFIGURE_MODULE_REV master
MENDER_CONNECT_REV master
MENDER_CONTAINER_MODULES_REV main
MENDER_FLASH_REV master
MENDER_REV pull/1982/head
MONITOR_CLIENT_REV master
RUN_INTEGRATION_TESTS true
TEST_QEMUX86_64_BIOS_GRUB true
TEST_QEMUX86_64_BIOS_GRUB_GPT true
TEST_QEMUX86_64_UEFI_GRUB true
TEST_VEXPRESS_QEMU true
TEST_VEXPRESS_QEMU_FLASH true
TEST_VEXPRESS_QEMU_UBOOT_UEFI_GRUB true

Changelog: On a System Device, mender-update now refuses a deployment whose
artifact is not a mender-orchestrator-manifest.
Ticket: MEN-9655

Signed-off-by: Daniel Skinstad Drabitzius <daniel.drabitzius@northern.tech>
@mender-test-bot

mender-test-bot commented Jun 26, 2026

Merging these commits will result in the following changelog entries:

Changelogs

mender (MEN-9655)

New changes in mender since master:

Features
  • On a System Device, mender-update now refuses a deployment whose
    artifact is not a mender-orchestrator-manifest.
    (MEN-9655)

@rewanrashid-boop rewanrashid-boop left a comment

From the code it looks good to me, testing:

  1. When tier is system and attempt to install regular artifact
  2. When tier is standard and attempt to install regular artifact
  3. When tier is system and attempt to install manifest artifact

Maybe for coverage's sake you could also have a test for when tier is micro and installing a regular/manifest artifact, but I suppose it is the same 🤷. So long as the pipeline is fully green it should be good to merge. Ping when green for approval 🚀.

@codecov

codecov Bot commented Jun 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@vpodzime vpodzime left a comment

Contributor

So there's a different tier if mender-update runs as a component interface?

@michalkopczan

michalkopczan commented Jun 29, 2026

Contributor

> So there's a different tier if mender-update runs as a component interface?

No, there's a separate state machine when running in daemon mode and when running in standalone mode. Daniel made changes only to the daemon state machine. So for standalone, even though the tier is system, normal artifacts can be installed.

Nice, I was wondering if rejecting non-manifest updates in daemon, but allowing them in standalone will be a problem to implement, and it turns out that this was free :D

Daniel, correct me if I'm wrong here.

5 participants