CI Targets

The point of a Factory is to create Targets. A git push is all that is required to trigger a Target to be built.

There is another type of Target, Production Targets, that are intended to be used for production devices. However, it is almost always originally created by the CI when:

  • A change is pushed to source.foundries.io
  • A CI job is triggered in ci.foundries.io
  • The CI job signs the resulting TUF targets.json with the Factory’s “online” Targets signing key.

The online Targets signing key ID can be seen in the TUF root metadata:

$ fioctl get https://api.foundries.io/ota/repo/<FACTORY>/api/v1/user_repo/root.json \
| jq '.signed.roles.targets.keyids[0]'

Due to all the changes and branches you may have, the TUF Targets metadata can grow to include a large number of Targets. There are two ways this can be dealt with:

  • Condensed Targets
  • Target Pruning

Condensed Targets

Each device is configured to take updates for Targets that include a specific tag. Because of this, most of the Targets in targets.json are not relevant for any given device and can be ignored by it. In order to provide smaller TUF metadata payloads, the backend employs what is referred to as “condensed Targets”.

Condensed Targets are produced by taking the raw CI version, and then producing condensed versions for each unique tag. For example, a raw targets.json might include:

version=1, tag=master
version=2, tag=devel
version=3, tag=devel
version=4, tag=devel,experimental

The back-end will actually produce three different condensed versions. Each one is signed with the Factory’s online Targets signing key:

# targets-master.json
version=1, tag=master

# targets-devel.json
version=2, tag=devel
version=3, tag=devel

# targets-experimental.json
version=3, tag=experimental
version=4, tag=experimental

The device gateway is then able to serve an optimized targets.json to each CI device.

Target Pruning

Each successful build appends a Target to targets.json. Eventually it can grow too large, and you would see an error in CI:

Publishing local TUF targets to the remote TUF repository
== 2022-03-24 00:44:18 Running: garage-sign targets push --repo /root/tmp.gkfCEF
|  An error occurred
|  com.advancedtelematic.libtuf.http.CliHttpClient$CliHttpClientError: ReposerverHttpClient|PUT|http/413|https://api.foundries.io/ota/repo/andy-corp/api/v1/user_repo/targets%7C<html>
|  <head><title>413 Request Entity Too Large</title></head>

When this happens, it is time to prune targets.