Added policy manager content

BUG=b/73012579
TEST=None

Change-Id: Iabd160c7a6f7e8ab4a3a6e8ade18af4b3d38cc47
49 files changed
tree: ab3c1459788eeefd532a1c83bd7435427ac56ca3
  1. .gitignore
  2. CONTRIBUTING.md
  3. LICENSE
  4. OWNERS
  5. PRESUBMIT.cfg
  6. README.md
  7. src/
README.md

Policy Manager for COS (Container-Optimized OS) Image

Overview

Policy Manager is the client for the COS control plane. It is responsible for reporting current instance status and fetching device update config.

It is designed to be a system daemon that's started immediately after boot. It sends status updates to an update manager, which responds with the appropriate update config.

Using the update config, it will generate the appropriate update policy blobs to enforce the update strategy set by the user.

How to run

  • Policy Manager must be run with root privileges in order to access update_engine status and control device policy.
  • Run modes:
    • Daemon Mode: Continuously reports status and fetches update policy from the metadata server.
    • Non-Daemon Mode: Prints the current status to stdout.
    • Init Device Policy Mode: Initializes the device policy file along with the necessary keys.

What's up with update [policy, strategy, config]?

One of Policy Manager's features is to let users control the OS update behavior of their COS instances.

COS has defined 2 update strategies that users can choose from:

  1. All Updates: Instances will receive all OS updates.

  2. Critical Updates Only: Instances will only receive updates within their major release version. For example, if both 12.1.0 and 13.0.0 are available, an instance running 12.0.0 will only get updated to 12.1.0 if it has this strategy.

The update manager generates update config that is fetched by Policy Manager when it reports its status to the update manager. The config depends on the instance's status and the user's update strategy.

The actual enforcement of the strategies is done by the update policy, which is a Chrome OS feature. An update policy is a protobuf blob that contains the parameters that will be used to fetch updates from Omaha. Policy Manager is responsible for generating the update policy blobs from update config.
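
The eligibility rule of the two strategies above, modeled as a version filter. This is an added example, not code from Policy Manager: the README says enforcement happens through the update policy and Omaha, so Target, parse, less and the two constants are hypothetical names that only model which versions each strategy allows, with the 12.0.0 / 12.1.0 / 13.0.0 case from the text as input.

```go
package main

import "fmt"

const (
	AllUpdates = iota // strategy names from the README; constants are hypothetical
	CriticalUpdatesOnly
)

// parse accepts only canonical "MAJOR.MINOR.PATCH" (no sign, no leading zeros).
func parse(s string) (v [3]uint, err error) {
	n, _ := fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2])
	if n != 3 || fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) != s {
		err = fmt.Errorf("bad version %q", s)
	}
	return v, err
}

func less(a, b [3]uint) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i] // numeric, so 12.10.0 > 12.9.0
		}
	}
	return false
}

// Target returns the newest version the strategy allows, or current if none.
func Target(strategy int, current string, available []string) (string, error) {
	cur, err := parse(current)
	if err != nil {
		return "", err
	}
	best, bestStr := cur, current
	for _, a := range available {
		v, err := parse(a)
		if err != nil {
			return "", err // fail closed on malformed input
		}
		// Critical Updates Only: stay within the current major release.
		if (strategy == AllUpdates || v[0] == cur[0]) && less(best, v) {
			best, bestStr = v, a
		}
	}
	return bestStr, nil
}

func main() {
	fmt.Println(Target(CriticalUpdatesOnly, "12.0.0", []string{"12.1.0", "13.0.0"}))
}
```

An instance pinned to Critical Updates Only stays on its current version when only a newer major release is available, which is the case to watch for when a major line stops receiving fixes.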

Building

  • To build and test Policy Manager, please run FEATURES=test emerge-lakitu spiny

Mocks

  • Policy Manager relies on the gomock package and mockgen binary from github.com/golang/mock to generate mocks for interfaces.
  • To mock a new interface, add the file containing the interface to gen_mock.sh.
  • Note that the Policy Manager binary can be built without the mocks.
  • Do NOT submit the generated mocks into the repo.

Protobufs

  • To compile protobuf definitions, run ./gen_proto.sh.
  • Do NOT submit the generated protobufs into the repo.