refactor(NODE-1516): create generate-ic-config.service (#2343)

ic-replica.service and ic-crypto-csp both call
generate-replica-config.sh. By creating a separate generate-ic-config
service, we can consolidate these calls.

Additionally, renamed generate-replica-config.sh to
generate-ic-config.sh to reflect its use by services other than
ic-replica.service

ic-os/components/BUILD.bazel

@@ -7,7 +7,7 @@ load("setupos.bzl", setupos_component_files = "component_files")
 package(default_visibility = ["//ic-os:__subpackages__"])
 
 PUBLIC_GUESTOS_EXPORTS = [
-    "ic/ic.json5.template",
+    "ic/generate-ic-config/ic.json5.template",
     "networking/dev-certs/canister_http_test_ca.cert",
     "networking/dev-certs/canister_http_test_ca.key",
     "hostos-scripts/build-bootstrap-config-image.sh",
@@ -94,7 +94,7 @@ EOF
 sh_test(
     name = "validate-ic-json5",
     srcs = ["validate-ic-json5-script"],
-    args = ["$(execpath ic/ic.json5.template)"],
-    data = ["ic/ic.json5.template"],
+    args = ["$(execpath ic/generate-ic-config/ic.json5.template)"],
+    data = ["ic/generate-ic-config/ic.json5.template"],
     tags = ["manual"],
 )

ic-os/components/guestos.bzl

@@ -34,8 +34,9 @@ component_files = {
     Label("ic/ic-https-outcalls-adapter/ic-https-outcalls-adapter.socket"): "/etc/systemd/system/ic-https-outcalls-adapter.socket",
     Label("ic/ic-https-outcalls-adapter/generate-https-outcalls-adapter-config.sh"): "/opt/ic/bin/generate-https-outcalls-adapter-config.sh",
     Label("ic/ic-replica.service"): "/etc/systemd/system/ic-replica.service",
-    Label("ic/generate-replica-config.sh"): "/opt/ic/bin/generate-replica-config.sh",
-    Label("ic/ic.json5.template"): "/opt/ic/share/ic.json5.template",
+    Label("ic/generate-ic-config/generate-ic-config.sh"): "/opt/ic/bin/generate-ic-config.sh",
+    Label("ic/generate-ic-config/generate-ic-config.service"): "/etc/systemd/system/generate-ic-config.service",
+    Label("ic/generate-ic-config/ic.json5.template"): "/opt/ic/share/ic.json5.template",
 
     # init
     Label("init/bootstrap-ic-node/bootstrap-ic-node.sh"): "/opt/ic/bin/bootstrap-ic-node.sh",

ic-os/components/ic/generate-ic-config/generate-ic-config.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Generate IC Configuration
+# We must wait for IC bootstrap to complete: It writes various
+# state files and may also be needed to obtain network config.
+After=bootstrap-ic-node.service
+Wants=bootstrap-ic-node.service
+# We must also wait for storage permission fixup to have finished.
+After=setup-permissions.service
+Wants=setup-permissions.service
+# We must also wait for the network to become online: We must
+# put the correct address(es) into the ic.json5, but in case
+# of dynamic assignment they only become available once all
+# network interfaces are up.
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/opt/ic/bin/generate-ic-config.sh -n /boot/config/network.conf -c /boot/config/nns.conf -b /boot/config/backup.conf -m /boot/config/malicious_behavior.conf -q /boot/config/query_stats.conf -t /boot/config/jaeger_addr.conf -i /opt/ic/share/ic.json5.template -o /run/ic-node/config/ic.json5
+
+[Install]
+WantedBy=multi-user.target

ic-os/components/ic/generate-replica-config.sh → ic-os/components/ic/generate-ic-config/generate-ic-config.sh

@@ -6,7 +6,7 @@
 function usage() {
     cat <<EOF
 Usage:
-  generate-replica-config [-n network.conf] [-c nns.conf] [-b backup.conf] [-m malicious_behavior.conf] [-q query_stats.conf] -i ic.json5.template -o ic.json5
+  generate-ic-config [-n network.conf] [-c nns.conf] [-b backup.conf] [-m malicious_behavior.conf] [-q query_stats.conf] -i ic.json5.template -o ic.json5
 
   Generate replica config from template file.
 

ic-os/components/ic/ic-crypto-csp/ic-crypto-csp.service

@@ -1,12 +1,7 @@
 [Unit]
 Description=IC Crypto Service Provider
-# We must wait for IC bootstrap to complete: It writes various
-# state files and may also be needed to obtain network config.
-After=bootstrap-ic-node.service
-Wants=bootstrap-ic-node.service
-# We must also wait for storage permission fixup to have finished.
-After=setup-permissions.service
-Wants=setup-permissions.service
+After=generate-ic-config.service
+Wants=generate-ic-config.service
 Requires=ic-crypto-csp.socket
 StartLimitBurst=5
 StartLimitIntervalSec=5
@@ -15,13 +10,7 @@ StartLimitIntervalSec=5
 UMask=066
 User=ic-csp-vault
 Environment=RUST_BACKTRACE=1
-# When starting ic-crypto-csp, ideally --replica-config-file would directly point to
-# /run/ic-node/config/ic.json5, but this file may be not available yet as it is generated
-# only on ExecStartPre by ic-replica.service. As a temporary workaround, we are generating
-# an ic-csp-service-specific version of ic.json5 of which only the parts related to crypto
-# and logging are relevant.
-ExecStartPre=+/opt/ic/bin/generate-replica-config.sh -i /opt/ic/share/ic.json5.template -o /run/ic-node/config/ic-crypto-csp.json5
-ExecStart=/opt/ic/bin/ic-crypto-csp --replica-config-file /run/ic-node/config/ic-crypto-csp.json5
+ExecStart=/opt/ic/bin/ic-crypto-csp --replica-config-file /run/ic-node/config/ic.json5
 NotifyAccess=main
 Restart=always
 

ic-os/components/ic/ic-replica.service

@@ -1,21 +1,11 @@
 [Unit]
 Description=IC replica
-# We must wait for IC bootstrap to complete: It writes various
-# state files and may also be needed to obtain network config.
-After=bootstrap-ic-node.service
-Wants=bootstrap-ic-node.service
-# We must also wait for storage permission fixup to have finished.
-After=setup-permissions.service
-Wants=setup-permissions.service
+
+After=generate-ic-config.service
+Wants=generate-ic-config.service
 # Replica & orchestrator need ic-crypto-csp service running.
 After=ic-crypto-csp.service
 Wants=ic-crypto-csp.service
-# We must also wait for the network to become online: We must
-# put the correct address(es) into the ic.json5, but in case
-# of dynamic assignment they only become available once all
-# network interfaces are up.
-After=network-online.target
-Wants=network-online.target
 StartLimitBurst=5
 StartLimitIntervalSec=60
 
@@ -25,10 +15,7 @@ Type=simple
 User=ic-replica
 
 Environment=RUST_BACKTRACE=1
-# Remember to update 'rs/default.nix' for nix-shell users
-# Remember to update 'src/dfx/src/actors/replica.rs' in the sdk repo for dfx users
 Environment=RUST_MIN_STACK=8192000
-ExecStartPre=+/opt/ic/bin/generate-replica-config.sh -n /boot/config/network.conf -c /boot/config/nns.conf -b /boot/config/backup.conf -m /boot/config/malicious_behavior.conf -q /boot/config/query_stats.conf -t /boot/config/jaeger_addr.conf -i /opt/ic/share/ic.json5.template -o /run/ic-node/config/ic.json5
 ExecStart=/opt/ic/bin/orchestrator --replica-binary-dir /var/lib/ic/data/images --cup-dir /var/lib/ic/data/cups --replica-config-file /run/ic-node/config/ic.json5 --enable-provisional-registration --ic-binary-directory /opt/ic/bin --orchestrator-data-directory /var/lib/ic/data/orchestrator --version-file /opt/ic/share/version.txt
 LimitNOFILE=16777216
 Restart=always

ic-os/docs/Configuration.adoc

@@ -36,7 +36,7 @@ GuestOS then reads from `ic-bootstrap.tar` (link:../components/init/bootstrap-ic
 * *System state:* Node initialization material (initial registry & keys) is copied directly into target directories for replica use.
 * *Config partition:* All other contents of the injected config are copied into the `/boot/config` directory. These configurations need to be available on subsequent boots (not just the first boot of the system), and need to be preserved across upgrades.
 ** The contents of `/boot/config` are then used in various ways to parameterize system services as they start. For example, ssh keys are installed to target accounts, network settings are applied by network set-up scripts, etc.
-** `generate-replica-config.sh` uses `ic.json5.template` to produce the replica configuration (also cf. service file definition). Template placeholders are populated with information from `/boot/config`.
+** `generate-ic-config.sh` uses `ic.json5.template` to produce the ic configuration (also cf. service file definition). Template placeholders are populated with information from `/boot/config`.
 
 [NOTE]
 GuestOS only reads a predefined set of files from the bootstrap config image (i.e., it "sanitizes" the bootstrap config image).
@@ -58,7 +58,7 @@ To add a new configuration file/directory:
 
 2. Add handling to `bootstrap-ic-node.sh` for the new file/directory.
 
-3. Add interpretation of configuration file/directory to suitable place, e.g. generate-replica-config.sh
+3. Add interpretation of configuration file/directory to suitable place, e.g. generate-ic-config.sh
 
 4. Adapt testnet and/or prod deployment config as needed
 ** E.g. for testnets, you may need to update link:../../testnet/tools/icos_deploy.sh[icos_deploy.sh]. If you are adding a production deployment config file, you may need to add a file to the SetupOS config partition to be piped through to HostOS.
@@ -70,7 +70,7 @@ Consider that values may be controlled by an attacker on boot. Bootstrapping a n
 
 *Configuration files*: New configuration bits might be added to either existing configuration files that have a suitable structure (e.g. key=value pairs), or new files. If in doubt, opt for adding additional configuration files.
 
-*Interpretation of configuration bits*: Any script or service in the system may pull configuration bits out of /boot/config to customize its behavior. E.g. if adding parameter-driven customization of ic.json5, then augment the generate-replica-config.sh script to pull the configuration values and substitute them into the generated configuration.
+*Interpretation of configuration bits*: Any script or service in the system may pull configuration bits out of /boot/config to customize its behavior. E.g. if adding parameter-driven customization of ic.json5, then augment the generate-ic-config.sh script to pull the configuration values and substitute them into the generated configuration.
 
 === Testing
 
@@ -81,6 +81,6 @@ Consider that values may be controlled by an attacker on boot. Bootstrapping a n
 
 * *bootstrap-ic-node.sh* can be temporarily tweaked (internally adapt paths; basically just running the process_bootstrap function of it) to run stand-alone and verify that the config image is unpacked and its files sorted into the correct locations.
 
-* *generate-replica-config.sh* can be run stand-alone to verify that it produces the intended ic.json5 configuration from the template.
+* *generate-ic-config.sh* can be run stand-alone to verify that it produces the intended ic.json5 configuration from the template.
 
 After all is done, it is advised to prepare a configuration for a single node and boot it in a VM before conducting testnet deployments.

ic-os/guestos/docs/Boot.adoc

@@ -246,14 +246,10 @@ Service: +node_exporter.service+. Depends on +setup-node_exporter-keys.service+.
 
 Starts the +node_exporter+ service to make machine metrics accessible externally.
 
-== Start IC replica
+== Generate IC config
+
+Service: generate-ic-config.service creates a config file from ic.json.template, which is used by the replica and other ic services
 
-Service: +ic-replica.service+, pre-exec scripts +/opt/ic/bin/generate-replica-config.sh+ and
-+/opt/ic/bin/setup-permissions.sh+. Depends on all file system mounts as well
-as having an IPv6 address obtained on primary network interface.
+== Start IC replica
 
 Starts the nodemaneger which in turn monitors and starts the IC replica service.
-The first pre-exec script creates the configuration of the replica (which among
-other things contains the IPv6 address). The second pre-exec script fixes up
-permissions for all files and directories used by replica (this should "probably"
-move to a different location, such as "upgrade data store").

rs/orchestrator/BUILD.bazel

@@ -89,7 +89,7 @@ rust_test(
     data = [
         "testdata/nftables_assigned_replica.conf.golden",
         "testdata/nftables_boundary_node.conf.golden",
-        "//ic-os/components:ic/ic.json5.template",
+        "//ic-os/components:ic/generate-ic-config/ic.json5.template",
     ],
     deps = [
         # Keep sorted.

rs/orchestrator/src/firewall.rs

@@ -638,7 +638,7 @@ mod tests {
     use super::*;
 
     const CFG_TEMPLATE_BYTES: &[u8] =
-        include_bytes!("../../../ic-os/components/ic/ic.json5.template");
+        include_bytes!("../../../ic-os/components/ic/generate-ic-config/ic.json5.template");
     const NFTABLES_GOLDEN_BYTES: &[u8] =
         include_bytes!("../testdata/nftables_assigned_replica.conf.golden");
     const NFTABLES_BOUNDARY_NODE_GOLDEN_BYTES: &[u8] =

rs/tests/BUILD.bazel

@@ -25,7 +25,7 @@ rust_library(
     testonly = True,
     srcs = glob(["src/**/*.rs"]),
     compile_data = [
-        "//ic-os/components:ic/ic.json5.template",
+        "//ic-os/components:ic/generate-ic-config/ic.json5.template",
         "src/ledger_tests/transaction_ledger_correctness.wasm",
     ],
     crate_name = "ic_tests",

rs/tests/driver/BUILD.bazel

@@ -20,7 +20,7 @@ rust_library(
         "//rs/utils": "utils",
     },
     compile_data = [
-        "//ic-os/components:ic/ic.json5.template",
+        "//ic-os/components:ic/generate-ic-config/ic.json5.template",
         "src/message.wasm",
     ],
     crate_name = "ic_system_test_driver",

rs/tests/driver/src/util.rs

@@ -85,7 +85,7 @@ pub const _EMPTY_WASM: &[u8] = &[0, 97, 115, 109, 1, 0, 0, 0];
 pub const MESSAGE_CANISTER_WASM: &[u8] = include_bytes!("message.wasm");
 
 pub const CFG_TEMPLATE_BYTES: &[u8] =
-    include_bytes!("../../../../ic-os/components/ic/ic.json5.template");
+    include_bytes!("../../../../ic-os/components/ic/generate-ic-config/ic.json5.template");
 
 // Requests are multiplexed over H2 requests.
 pub const MAX_CONCURRENT_REQUESTS: usize = 10_000;