Remove support for CentOS 7 and Debian 10 (#624)

.github/workflows/e2e-tests-manual.yaml

@@ -49,8 +49,6 @@ jobs:
 
       matrix:
         os:
-        - 'centos:7'
-        - 'debian:10'
         - 'debian:11'
         # EL8 VMs spontaneously lose ssh after installing updates. Disable it for now.
         # - 'platform:el8'

.github/workflows/e2e-tests-scheduled.yaml

@@ -65,8 +65,6 @@ jobs:
         - 'main'
         - 'release/1.4'
         os:
-        - 'centos:7'
-        - 'debian:10'
         - 'debian:11'
         # EL8 VMs spontaneously lose ssh after installing updates. Disable it for now.
         # - 'platform:el8'

.github/workflows/packages.yaml

@@ -13,8 +13,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'debian:11-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
@@ -27,12 +25,6 @@ jobs:
         os:
         - ''
         exclude:
-        # CentOS 7 does not have functioning cross compilers. The Azure/iotedge repo builds CentOS 7 arm32v7 and aarch64 packages
-        # by running the arm32v7 / aarch64 containers under qemu. For now we don't care to replicate that here.
-        - container_os: 'centos:7'
-          arch: 'arm32v7'
-        - container_os: 'centos:7'
-          arch: 'aarch64'
         # More investigation needed for RHEL 8 and 9. Excluding for now.
         - container_os: 'redhat/ubi8:latest'
           arch: 'arm32v7'

.github/workflows/test.yaml

@@ -17,8 +17,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'debian:11-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
@@ -75,8 +73,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'debian:11-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
@@ -139,8 +135,6 @@ jobs:
 
       matrix:
         container_os:
-        - 'centos:7'
-        - 'debian:10-slim'
         - 'redhat/ubi8:latest'
         - 'redhat/ubi9:latest'
         arch:

Makefile

@@ -280,7 +280,7 @@ codecov: default
 # Packaging
 #
 # - `make PACKAGE_VERSION='...' PACKAGE_RELEASE='...' deb` builds deb packages for Debian and Ubuntu.
-# - `make PACKAGE_VERSION='...' PACKAGE_RELEASE='...' rpm` builds RPM packages for CentOS.
+# - `make PACKAGE_VERSION='...' PACKAGE_RELEASE='...' rpm` builds RPM packages for RHEL.
 
 # Creates a source tarball at /tmp/aziot-identity-service-$(PACKAGE_VERSION).tar.gz
 dist:
@@ -352,19 +352,11 @@ rpm:
 	# Copy spec file to rpmbuild specs directory
 	mkdir -p $(RPMBUILDDIR)/SPECS
 
-	# Engine needs to be installed to what openssl considers the enginesdir,
-	# which we can get from openssl 1.1 with `openssl version -e` but not from openssl 1.0.
-	# Also, the filename for 1.0 should have a `lib` prefix.
-	#
-	# CentOS 7 has 1.0 and RedHat 8 has 1.1, so we need to support both here. RedHat 9 has 3.0.
-	#
-	# Since there is no RPM macro for those two things, we have to infer them from
-	# the output of `openssl version` and `openssl version -e` ourselves. This wouldn't be right
-	# if we were cross-compiling, but we don't support cross-compiling for either of those two OSes,
-	# so it's fine.
+	# Since there is no RPM macro to tell us where openssl expects us to install the engine, we
+	# have to infer it from the output of `openssl version -e`. This wouldn't be right if we were
+	# cross-compiling, but we don't support cross-compiling for RHEL so it's fine.
 	command -v openssl # Assert that openssl exists
 	case "$$(openssl version)" in \
-		'OpenSSL 1.0.'*) OPENSSL_ENGINE_FILENAME='%\{_libdir\}/openssl/engines/libaziot_keys.so' ;; \
 		'OpenSSL 1.1.'* | 'OpenSSL 3.0.'*) OPENSSL_ENGINE_FILENAME="$$(openssl version -e | sed 's/^ENGINESDIR: "\(.*\)"$$/\1/')/aziot_keys.so" ;; \
 		*) echo "Unknown openssl version [$$(openssl version)]"; exit 1 ;; \
 	esac; \

aziotctl/aziotctl-common/src/host_info.rs

@@ -47,8 +47,7 @@ impl Default for DmiInfo {
 /// ```ignore
 ///  OS                  | id                  | version_id
 /// ---------------------+---------------------+------------
-///  CentOS 7            | centos              | 7
-///  Debian 9            | debian              | 9
+///  Debian 12           | debian              | 12
 ///  openSUSE Tumbleweed | opensuse-tumbleweed | 20190325
 ///  Ubuntu 22.04        | ubuntu              | 22.04
 /// ```

ci/e2e-tests/test-run.sh

@@ -85,14 +85,6 @@ get_package() {
     echo "Artifacts URL: $artifacts_url" >&2
 
     case "$OS" in
-        'centos:7')
-            artifact_name='centos-7'
-            ;;
-
-        'debian:10')
-            artifact_name='debian-10-slim'
-            ;;
-
         'debian:11')
             artifact_name='debian-11-slim'
             ;;
@@ -175,16 +167,6 @@ get_package() {
 
     echo 'Extracting package...' >&2
     case "$OS" in
-        'centos:7')
-            unzip -j package.zip 'centos7/amd64/aziot-identity-service-*.x86_64.rpm' -x '*-debuginfo-*.rpm' '*-devel-*.rpm' >&2
-            printf '%s/%s\n' "$PWD" aziot-identity-service-*.x86_64.rpm
-            ;;
-
-        'debian:10')
-            unzip -j package.zip 'debian10/amd64/aziot-identity-service_*_amd64.deb' >&2
-            printf '%s/%s\n' "$PWD" aziot-identity-service_*_amd64.deb
-            ;;
-
         'debian:11')
             unzip -j package.zip 'debian11/amd64/aziot-identity-service_*_amd64.deb' >&2
             printf '%s/%s\n' "$PWD" aziot-identity-service_*_amd64.deb
@@ -549,22 +531,6 @@ echo 'Creating VM...' >&2
 # Choice of publisher is determined by
 # https://docs.microsoft.com/en-us/troubleshoot/azure/cloud-services/support-linux-open-source-technology
 case "$OS" in
-    'centos:7')
-        # az vm image list --all \
-        #     --publisher 'OpenLogic' --offer 'CentOS' --sku '7' \
-        #     --query "[?publisher == 'OpenLogic' && offer == 'CentOS'].{ sku: sku, version: version, urn: urn }" --output table
-        vm_image='OpenLogic:CentOS:7_9-gen2:latest'
-        ;;
-
-    'debian:10')
-        # Not listed on the docs.microsoft.com page, but credativ doesn't publish Debian 10+ images.
-        #
-        # az vm image list --all \
-        #     --publisher 'Debian' --offer 'debian-10' --sku '10' \
-        #     --query "[?publisher == 'Debian' && offer == 'debian-10'].{ sku: sku, version: version, urn: urn }" --output table
-        vm_image='Debian:debian-10:10-gen2:latest'
-        ;;
-
     'debian:11')
         # Not listed on the docs.microsoft.com page, but credativ doesn't publish Debian 10+ images.
         #
@@ -673,19 +639,6 @@ fi
 
 echo 'Updating VM...' >&2
 case "$OS" in
-    centos:*)
-        ssh -i "$PWD/vm-ssh-key" "aziot@$vm_public_ip" '
-            set -euxo pipefail
-
-            sudo yum -y clean all
-            sudo yum -y makecache
-            sudo yum -y update
-
-            # The test needs jq
-            sudo yum -y install epel-release
-        '
-        ;;
-
     debian:*|ubuntu:*)
         ssh -i "$PWD/vm-ssh-key" "aziot@$vm_public_ip" '
             for retry in {0..3}; do
@@ -758,7 +711,7 @@ fi
 
 echo 'Installing package...' >&2
 case "$OS" in
-    centos:*|platform:el*)
+    platform:el*)
         scp -i "$PWD/vm-ssh-key" "$package" "aziot@$vm_public_ip:/home/aziot/aziot-identity-service.rpm"
 
         ssh -i "$PWD/vm-ssh-key" "aziot@$vm_public_ip" '

ci/install-build-deps.sh

@@ -11,38 +11,6 @@ fi
 # OS packages
 
 case "$OS:$ARCH" in
-    'centos:7:amd64')
-        export VENDOR_LIBTSS=1
-
-        yum install -y centos-release-scl epel-release
-        yum install -y \
-            autoconf autoconf-archive automake curl devtoolset-9-gcc devtoolset-9-gcc-c++ \
-            git jq libcurl-devel libtool llvm-toolset-7-clang llvm-toolset-7-llvm-devel \
-            make openssl openssl-devel pkgconfig
-
-        set +eu # scl_source fails with -eu
-        . scl_source enable devtoolset-9 llvm-toolset-7
-        set -eu
-        ;;
-
-    'centos:7:arm32v7'|'centos:7:aarch64')
-        echo "Cross-compilation on $OS $ARCH is not supported" >&2
-        exit 1
-        ;;
-
-    'debian:10:amd64')
-        export DEBIAN_FRONTEND=noninteractive
-        export TZ=UTC
-        export VENDOR_LIBTSS=1
-
-        apt-get update
-        apt-get upgrade -y
-        apt-get install -y \
-            acl autoconf autoconf-archive automake build-essential clang cmake \
-            curl git jq libclang1 libltdl-dev libssl-dev libtool llvm-dev \
-            pkg-config
-        ;;
-
     'debian:11:amd64'|'ubuntu:20.04:amd64'|'ubuntu:22.04:amd64')
         export DEBIAN_FRONTEND=noninteractive
         export TZ=UTC
@@ -55,22 +23,6 @@ case "$OS:$ARCH" in
             llvm-dev pkg-config
         ;;
 
-    'debian:10:arm32v7')
-        export DEBIAN_FRONTEND=noninteractive
-        export TZ=UTC
-        export VENDOR_LIBTSS=1
-
-        dpkg --add-architecture armhf
-        apt-get update
-        apt-get upgrade -y
-        apt-get install -y --no-install-recommends \
-            acl autoconf autoconf-archive automake build-essential ca-certificates \
-            clang cmake crossbuild-essential-armhf curl git jq \
-            libc-dev:armhf libclang1 libcurl4-openssl-dev:armhf \
-            libltdl-dev:armhf libssl-dev:armhf libtool llvm-dev \
-            pkg-config
-        ;;
-
     'debian:11:arm32v7')
         export DEBIAN_FRONTEND=noninteractive
         export TZ=UTC
@@ -86,22 +38,6 @@ case "$OS:$ARCH" in
             llvm-dev pkg-config
         ;;
 
-    'debian:10:aarch64')
-        export DEBIAN_FRONTEND=noninteractive
-        export TZ=UTC
-        export VENDOR_LIBTSS=1
-
-        dpkg --add-architecture arm64
-        apt-get update
-        apt-get upgrade -y
-        apt-get install -y --no-install-recommends \
-            acl autoconf autoconf-archive automake build-essential ca-certificates \
-            clang cmake crossbuild-essential-arm64 curl git jq \
-            libc-dev:arm64 libclang1 libcurl4-openssl-dev:arm64 \
-            libltdl-dev:arm64 libssl-dev:arm64 libtool llvm-dev \
-            pkg-config
-        ;;
-
     'debian:11:aarch64')
         export DEBIAN_FRONTEND=noninteractive
         export TZ=UTC

ci/install-runtime-deps.sh

@@ -6,9 +6,7 @@
 OS="$(. /etc/os-release; echo "${PLATFORM_ID:-$ID:$VERSION_ID}")"
 
 case "$OS" in
-    'centos:7'|'platform:el8'|'platform:el9')
-        # openssl 1.0
-
+    'platform:el8'|'platform:el9')
         # If using RHEL 8/9 UBI images without a subscription then they only have access to a
         # subset of packages. Workaround to enable EPEL.
         if [ "$OS" = 'platform:el8' ] && [ "$(. /etc/os-release; echo "$ID")" = 'rhel' ]; then
@@ -20,9 +18,6 @@ case "$OS" in
 
             # curl is already installed on el9
             yum install -y jq openssl ca-certificates
-        else
-            yum install -y epel-release
-            yum install -y curl jq openssl ca-certificates
         fi
 
         case "${PKCS11_BACKEND:-}" in
@@ -44,8 +39,8 @@ case "$OS" in
         esac
         ;;
 
-    'debian:10'|'debian:11'|'ubuntu:20.04'|'ubuntu:22.04')
-        # openssl 1.1.1 for Debian 10/11 and Ubuntu 20.04
+    'debian:11'|'ubuntu:20.04'|'ubuntu:22.04')
+        # openssl 1.1.1 for Debian 11 and Ubuntu 20.04
         # openssl 3.0 for Ubuntu 22.04
 
         apt-get update -y

ci/install-test-deps.sh

@@ -10,13 +10,6 @@
 # OS packages
 
 case "$OS" in
-    'centos:7')
-        export SKIP_TSS_MINIMAL=0
-        export USE_SWTPM_PKG=0
-
-        yum install -y expect json-glib-devel libtasn1-devel net-tools python3 socat
-        ;;
-
     # NOTE: ubuntu:20.04 uses libtss2-dev provided through the package
     # repositories, but the available version does not provide a TCTI
     # module for swtpm.  So, we skip testing tss-minimal on

ci/iothub-get-twin.sh

@@ -22,8 +22,7 @@ uri_encode() {
 
 # This is a tiny Azure IoT MQTT implementation that just authenticates as a device or module and fetches its twin.
 #
-# It would be nice to use mosquitto_rr instead of this, but https://github.com/eclipse/mosquitto/issues/1881
-# Also, Debian 9's moquitto-clients package is old enough that it doesn't have mosquitto_rr anyway.
+# It would be nice to use mosquitto_rr instead of this, but https://github.com/eclipse/mosquitto/issues/1881.
 # For SAS identities we could work around that by generating the SAS token on the VM and then sending it back to
 # the workflow runner, but that doesn't work for X.509 identities where the client must be able to talk to the KS
 # via the aziot-keys openssl engine.

ci/mock-iot-tests/mock-iot-setup.sh

@@ -5,12 +5,7 @@ set -eu
 # Install mock-iot-server's root CA certificate.
 # Don't modify trusted certificates if not running on a CI container OS.
 case "$CONTAINER_OS" in
-    'debian:10-slim')
-        mkdir -p /usr/local/share/ca-certificates
-        cp "$ROOT_CERT" /usr/local/share/ca-certificates/dps_root_cert.crt
-        update-ca-certificates
-        ;;
-    'centos:7' | 'redhat/ubi8:latest' | 'redhat/ubi9:latest')
+    'redhat/ubi8:latest' | 'redhat/ubi9:latest')
         mkdir -p /etc/pki/ca-trust/source/anchors
         cp "$ROOT_CERT" /etc/pki/ca-trust/source/anchors/dps_root_cert.crt
         update-ca-trust

ci/package.sh

@@ -11,7 +11,7 @@ mkdir -p packages
 
 
 case "$OS" in
-    'centos:7'|'platform:el8'|'platform:el9')
+    'platform:el8'|'platform:el9')
         case "$ARCH" in
             'arm32v7'|'aarch64')
                 echo "Cross-compilation on $OS is not supported" >&2
@@ -20,11 +20,6 @@ case "$OS" in
         esac
 
         case "$OS" in
-            'centos:7')
-                TARGET_DIR="centos7/$ARCH"
-                PACKAGE_DIST="el7"
-                ;;
-
             'platform:el8')
                 TARGET_DIR="el8/$ARCH"
                 PACKAGE_DIST="el8"
@@ -53,17 +48,12 @@ case "$OS" in
             "packages/$TARGET_DIR/"
         ;;
 
-    'debian:10'|'debian:11'|'ubuntu:20.04'|'ubuntu:22.04')
+    'debian:11'|'ubuntu:20.04'|'ubuntu:22.04')
         DEBIAN_FRONTEND=noninteractive TZ=UTC apt-get install -y dh-make debhelper
 
         make ARCH="$ARCH" PACKAGE_VERSION="$PACKAGE_VERSION" PACKAGE_RELEASE="$PACKAGE_RELEASE" VENDOR_LIBTSS="${VENDOR_LIBTSS:-0}" V=1 deb
 
         case "$OS" in
-            'debian:10')
-                TARGET_DIR="debian10/$ARCH"
-                DBGSYM_EXT='deb'
-                ;;
-
             'debian:11')
                 TARGET_DIR="debian11/$ARCH"
                 DBGSYM_EXT='deb'