Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
  • 09:30
    stefbehl synchronize #1044
  • 07:34
    stefbehl synchronize #1044
  • Nov 30 15:43
    Nkyn synchronize #1043
  • Nov 30 15:26
    AmmarBikic synchronize #1018
  • Nov 30 14:13
    bogdan-bondar closed #1057
  • Nov 30 12:24
    herdt-michael synchronize #1056
  • Nov 30 12:00
    herdt-michael synchronize #1056
  • Nov 30 09:40
    bogdan-bondar edited #1057
  • Nov 30 09:38
    bogdan-bondar opened #1057
  • Nov 30 07:29
    Nkyn synchronize #1043
  • Nov 27 16:52
    schabdo labeled #1054
  • Nov 27 16:47
    schabdo labeled #1055
  • Nov 27 16:22
    schabdo labeled #1051
  • Nov 27 16:21
    schabdo labeled #1049
  • Nov 27 16:20
    schabdo labeled #1041
  • Nov 27 16:15
    schabdo labeled #1053
  • Nov 27 16:14
    schabdo labeled #1053
  • Nov 27 16:14
    schabdo milestoned #1053
  • Nov 27 12:58
    herdt-michael ready_for_review #1056
  • Nov 27 12:38
    herdt-michael opened #1056
Dominic Schabel
@schabdo
… however I filed an issue to support you better in this kind of setup (cf. eclipse/hawkbit#1036)
Dominic Schabel
@schabdo
@mdymov-hayward nothing in UI available. Usually hawkBit is not showing any client errors since this would flood the logs and is a potential attack vector in terms of DOS. However I think you can switch on some loggers to gain more insights but I have to double check
mdymov-hayward
@mdymov-hayward
@schabdo It would be great to be able to do that via loggers; I am assuming changing logging config will require Hawkbit restart?
Dominic Schabel
@schabdo
Indeed it requires a restart. Raising logging level of org.eclipse.hawkbit.security.ControllerPreAuthenticateSecurityTokenFilter to DEBUG should be all you need
You can add the logger here. After that you should see one of this statements for target token authentication of the device. This will allow you to see at least if the header is sent.
mdymov-hayward
@mdymov-hayward
@schabdo Thank you, will try it. Appreciate quick response!
Dominic Schabel
@schabdo
welcome :+1:
RalfMengwasser
@RalfMengwasser
i got a few general questions:
  1. Is there some sort of user management so I can say user X can manage devices Y and user Z devices W? Where do I change passwords?
  2. Which ports do I have to open for the devices? Is the 8080 the same for user login AND device updates?
Sergey Gerasimov
@Sergey-G-dev

Hi all,
suddenly I'm getting the following error when trying to build/run hawkbit:

java: org.eclipse.hawkbit.repository.jpa.model.JpaDistributionSet is not abstract and does not override abstract method _persistence_shallow_clone() in org.eclipse.persistence.internal.descriptors.PersistenceObject
java: org.eclipse.hawkbit.repository.jpa.model.JpaSoftwareModule is not abstract and does not override abstract method _persistence_shallow_clone() in org.eclipse.persistence.internal.descriptors.PersistenceObject

I executed 'maven clean install' a few times and it went without any errors, but that error still appears. Has anyone experienced that?

P.S. The error disappears if I add an empty method body to those two classes, but that doesn't seem right.
Sergey Gerasimov
@Sergey-G-dev
Update: the error disappeared after clicking "Generate Sources and Update Folders" in Maven menu (and executing Maven build again afterwards).
Dominic Schabel
@schabdo
Regarding 2: If you only use DDI, UI and Managment API port 8080 is sufficent. If you’d like to use DMF API there is more to consider
Dominic Schabel
@schabdo
@RalfMengwasser: Regarding 1, I’m affraid such a fine grained access control on device level is not possible as of today. Changing passwords depends on the kind of “provide” e.g. property based, in memory or OAuth2
Jalal
@jmlups_gitlab
Hello,
where can i get more information on target filter syntax please ?
Florian Ruschbaschan
@floruschbaschan
Hey @jmlups_gitlab please find more information here: https://www.eclipse.org/hawkbit/ui/#how-to-filter
Jalal
@jmlups_gitlab
@floruschbaschan Thank you for the quick response :)
Raffael Wiglenda
@rwiglenda_gitlab
Hi together, does anyone know how to mount an Azure File Share to the Hawkbit Pod in AKS? I guess the only way to do it is writing an own helm chart isn't it?
Sergey Gerasimov
@Sergey-G-dev
Hi all,
I have a question regarding DMF API and RabbitMQ. As I understand, DMF API requires a running Rabbit service in order to connect to port 5762 to communicate with Rabbit. In our ecosystem we do not use DMF but still need to have a running Rabbit service because otherwise DMF will generate errors and exceptions as it fails to connect to Rabbit. So my question is: is it possible to disable DMF module (exclude from Maven build) so that we wouldn't need a running Rabbit instance? I tried to remove Maven dependencies of DMF, AMPQ and Rabbit but even after that hawkBit attempts to connect to 5762.
2 replies
Holger-Seemueller
@Holger-Seemueller
Hi, i have a question regarding secure operation of an Hawkbit instance: I would like to expose only those endpoints to internet that are needed for my devices. The Management UI for example should only be available in intranet. Can you tell me if their are best practices to achieve that, e.g. by liminiting access to specific URI paths?
2 replies
Jalal
@jmlups_gitlab
Hey,
In the docs signature hosting is supported : https://www.eclipse.org/hawkbit/features/
However i couldn't find any other information on artifact signature, any information would be appreciated
XING Yun
@BigFatDog
Hello, I have a question of deployment. In management UI, I create a target (with a fake http address) and a DS, then assign DS to the target. From target's action history, I see the DS is immediately in "RUNNING" status. My understanding is the target need to poll from update server to trigger the download (execute the assigned DS), however, the "RUNNING" status shows UpdateServer is pushing DS to the target based on the fake address, which shouldn't happen since manually added target has no polling logic. I'm confused, anything wrong with my understanding? I read code but get no clue.
danielesergio
@danielesergio
Hi all, in the clustering page of hawkbit documentation it talks about a problem that schedulers could have if they run critical code which has to be executed only once (https://www.eclipse.org/hawkbit/guides/clustering/).
Do the schedulers used by hawkbit (RolloutScheduler, AutoAssignScheduler and AutoCleanupScheduler) provide built-in support for this?
SongweiFu-ITEM
@SongweiFu-ITEM
Hello,

I have registered my device using the following management API

curl -X POST -k -u admin:admin -i http://192.168.0.122:1337/rest/v1/targets \
-H 'Content-Type: application/json;charset=UTF-8' \
-d ' [{
    "securityToken" : "123456789",
    "controllerId" : "gcx-iot-gw",
    "name" : "gcx-iot-gw",
    "description": "test"
}]'

I got the "201 created" as reply. I also see the device on the deployment UI with the given token "123456789".

But when I tried to use the DDI api to poll base resources, I got 401 unauthorized error.

 curl -X GET -u admin:admin http://192.168.0.122:1337/DEFAULT/controller/v1/gcx-iot-gw -i -H 'Authorization: GatewayToken 123456789'

I have tried the above curl with and without "-u admin:admin". Any idea why? thanks

Bondar Bogdan
@bogdan-bondar
Hi @SongweiFu-ITEM ! You have specified the Target Security Token, while registering the target, but trying to use the Gateway Token. In UI under System Config see the section “Authentication Configuration” and choose either “Allow targets to authenticate directly with their target security token” and use the TargetToken Authorization or activate the “Allow a gateway to authenticate and manage multiple targets through a gateway security token” option and use GatewayToken Authorizaton
SongweiFu-ITEM
@SongweiFu-ITEM
Thanks @bogdan-bondar. This is exactly my problem. I did not tick them in the checkbox in the "system config" UI
now I got another error when I tried to update the firmware of a linux board. Any idea about the error "[error] Update failed, missing update file kernel.caibx.sha256.sign"?
Nov 17 15:50:00 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:00.489] [cloud_adapter] [info] A new deployment is available
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.007] [cloud_adapter] [info] Handling for the download part of the provisioning process: forced
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.009] [cloud_adapter] [info] Handling for the update part of the provisioning process: forced
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.012] [cloud_adapter] [info] Downloading chunks ...
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.014] [cloud_adapter] [info] Name: test
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.016] [cloud_adapter] [info] Version: 1.0.0
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.025] [cloud_adapter] [info] Downloading artifact: kernel.caibx
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.183] [cloud_adapter] [info] Downloading artifact: rootfs.caibx
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.210] [cloud_adapter] [info] Downloading artifacts succeeded
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.214] [core] [info] Verifying update ...
Nov 17 15:50:02 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:02.218] [core] [error] Update failed, missing update file kernel.caibx.sha256.sign
Nov 17 15:50:03 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:03.228] [cloud_adapter] [info] Sending log messages (1/3) ...
Nov 17 15:50:03 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:03.282] [cloud_adapter] [info] Sending log messages (2/3) ...
Nov 17 15:50:03 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:03.310] [cloud_adapter] [info] Sending log messages (3/3) ...
Nov 17 15:50:03 gcx-iot-gw-dev-VCSFX84DDWLZS gcx-update-client[406]: [2020-11-17 15:50:03.334] [cloud_adapter] [info] Sending update feedback ...
Bondar Bogdan
@bogdan-bondar
It seems you need to provide the kernel.caibx.sha256.sign artifact explicitly, hawkbit does not generate signed artifacts. However, I must say that I’m not familiar with deployment on the linux board and how the client is implemented on it, so it is just an idea
SongweiFu-ITEM
@SongweiFu-ITEM
no problem. I have a look (in google). BTW, I am using the Buildroot to generate the image. In the Update Mangament UI, I have uploaded kernel.caibx and rootfs.caibx
Bondar Bogdan
@bogdan-bondar
@danielesergio Hi, unfortunately there is no built-in protection for schedulers running simultaneously in cluster mode. These are just normal Spring schedulers, meaning they are bound to Application Context. However, due to transactional execution of the mentioned schedulers there shouldn’t be a problem executing scheduled operation multiple times. The only drawback would be increased DB utilization. However, you could deactivate each of them for the corresponding instances or extract them in its own deployable module
@BigFatDog Hi, “running” state of the action does not mean it is pushing anything to the target. If you specify the http schema it is always pull-based communication, meaning only target can ask for the available distribution set via DDI API. On the other hand, if you specify the amqp schema in Targets’ address, all assignment updates will be pushed to RabbitMQ based on the provided address via DMF API.
Jens Reimann
@ctron
Hey "team hawkbit" … I just wanted to check with you, if you are aware of the open PRs on the packages project, regarding the hawkbit helm chart: https://github.com/eclipse/packages/labels/hawkBit … I think those PRs should at least be commented, if you need any help let me know.
Dominic Schabel
@schabdo
@jmlups_gitlab for hawkBit the signature is completly transparent. One approach I saw is that people sign the artefact (locally) before they are uploaded to hawkBit. Afterwards they upload a second file containing the signature itself (next to the artefact). Devices after download are aware of the “Signer” and check the signature of the file
Dominic Schabel
@schabdo

I just wanted to check with you, if you are aware of the open PRs on the packages project

@ctron this is usually done by @laverman since he is the representative committer of hawkBit within the packages project. @laverman are you aware of the PRs?

BTW @ctron any opinion how we proceed with eclipse/hawkbit#998
Jens Reimann
@ctron

BTW @ctron any opinion how we proceed with eclipse/hawkbit#998

Good point … I will try to add this

Dominic Schabel
@schabdo
Never mind, I was just curious :)
Ulf Hesselbarth
@UlfHesselbarth

Good morning. We're currently trying to set up a Hawkbit instance in an internal network and would like to only expose the DDI API to the internet.
The idea was to use a proxy to forward only calls matching /<TENANT>/controller/* to the internal instance.

This works fine in general and we've managed to configure Hawbit in a way that the artifact download URLs are also pointing to the proxy (instead of the internal instance).
However, we haven't found a way to achieve the same thing for the any of the _links in the regular poll response, which means that devices wouldn't be able to even get the list of download links for example.

Is this a use case Hawkbit supports or do we have to expose the whole instance (instead of trying to proxy particular endpoints)?
Thanks!

Sergey Gerasimov
@Sergey-G-dev
Hi all,
there is a commit from October 29 with the commit message "Java 11 support for hawkbit" (eclipse/hawkbit#1038), but Maven entry for Java 11 is commented out, instead, Java 8 entry is still active. Does that mean that we shouldn't write Java 11 compliant code yet and stick with Java 8 compliance? Is there a date for when Java 11 will be officially supported?
danielesergio
@danielesergio

@danielesergio Hi, unfortunately there is no built-in protection for schedulers running simultaneously in cluster mode. These are just normal Spring schedulers, meaning they are bound to Application Context. However, due to transactional execution of the mentioned schedulers there shouldn’t be a problem executing scheduled operation multiple times. The only drawback would be increased DB utilization. However, you could deactivate each of them for the corresponding instances or extract them in its own deployable module

Thanks

Dominic Schabel
@schabdo

Maven entry for Java 11 is commented out, instead, Java 8 entry is still active

@Sergey-G-dev exactly, that’s on purpose. The main hawkBit repo is now enabled to be build and run with Java source level 11. However there are still some missing pieces to finally switch to Java 11. I tried to outline them here eclipse/hawkbit#955. Basically the main blocker as of now is the official release 0.3.0 which will be based still on Java source level 8. This will allow a clear cut for the community. As soon as the release is available we can proceed with the work on Java 11. Hope this helps to understand the steps towords Java 11 better

Dominic Schabel
@schabdo

Does that mean that we shouldn't write Java 11 compliant code yet and stick with Java 8 compliance?

Yes. No need to consider Java 11 within your contributions so far :+1:

Dominic Schabel
@schabdo

Is there a date for when Java 11 will be officially supported?

No, unfortunately not yet. It depends on how fast we’re able to get release 0.3.0 out of the door. From that point in time we can continue working on Java 11. The release progress can be tracked here: eclipse/hawkbit#784

Dominic Schabel
@schabdo

However, we haven't found a way to achieve the same thing for the any of the _links in the regular poll response, which means that devices wouldn't be able to even get the list of download links for example

@UlfHesselbarth not sure what exactly you did but on the hawkBit sandbox we do run behind a proxy as well and the _links are looking good

curl --location --request GET 'https://hawkbit.eclipse.org/DEFAULT/controller/v1/bubu' \
--header 'Authorization: TargetToken 55848d2887e04c64436659b527bcd2b4'
Response:
"_links": {
        "deploymentBase": {
            "href": "https://hawkbit.eclipse.org/DEFAULT/controller/v1/bubu/deploymentBase/1?c=411629670"
        },
        "configData": {
            "href": "https://hawkbit.eclipse.org/DEFAULT/controller/v1/bubu/configData"
        }
    }
Configuration for sanbox can be found here
Sergey Gerasimov
@Sergey-G-dev
@schabdo Thanks for the explanation, much appreciated!
Dominic Schabel
@schabdo
Important question so glad that you have asked :+1:
Martyn Welch
@mwelchuk
I'm hitting the hawkbit.server.error.quota.storageExceeded error, which I believe is due to reaching the default 20GB limit on artifacts. Is there a way to configure this to be higher?
1 reply