From c9d12408b24f26e6402c9722ca6ee59923c46fa3 Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Thu, 4 Jul 2024 17:50:15 +0700
Subject: [PATCH 01/11] Add tt integrity check options
---
.../tooling/tt_cli/global_options.rst | 5 ++
doc/reference/tooling/tt_cli/pack.rst | 41 ++++++++++++
doc/reference/tooling/tt_cli/start.rst | 67 ++++++++++++++++---
3 files changed, 102 insertions(+), 11 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/global_options.rst b/doc/reference/tooling/tt_cli/global_options.rst
index 69c673d62d..ef78fd86a9 100644
--- a/doc/reference/tooling/tt_cli/global_options.rst
+++ b/doc/reference/tooling/tt_cli/global_options.rst
@@ -24,6 +24,11 @@ Global options
Display help.
+.. option:: --integrity-check PUBLIC_KEY
+
+ Perform an integrity check using the specified public key before executing the operation.
+ Learn more in :ref:`tt-start-integrity-check`.
+
.. option:: -I, --internal
Force the use of an internal module even if there is an
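Review bot: the new ``--integrity-check`` entry says the check runs "before executing the operation" but does not state the outcome of a failed check. Add one sentence here saying what ``tt`` does with the requested command when the check fails, so the option description is usable without following the link.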
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index 748ed48996..1876544428 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -76,6 +76,43 @@ An example of the ``systemd-unit-params.yml`` file:
INSTANCE: "inst:%i"
TARANTOOL_WORKDIR: "/tmp"
+.. _tt-pack-integrity-check:
+
+Generating files for integrity checks
+-------------------------------------
+
+``tt pack`` can generate hashes and signatures to use for integrity checks
+when running the application. These files are:
+
+- ``hashes.json`` and ``hashes.json.sig`` in each application directory.
+ ``hashes.json`` containsSHA256 checksums of executable files that the application uses
+ and its configuration file. ``hashes.json.sig`` contains a digital signature
+ for ``hashes.json``.
+
+- ``env-hashes.json`` and ``env-hashes.json.sig`` in the environment root are
+ a similar files for the ``tt`` environment. They contain checksums for
+ Tarantool and ``tt`` executables, and for the ``tt.yaml`` configuration file.
+
+To generate hashes and signatures for integrity check, use the ``--with-integrity-check``
+option. Its argument must be an RSA private key.
+
+.. note::
+
+ You can generate a key pair using `OpenSSL `__ as follows:
+
+ .. code-block:: console
+
+ $ openssl genrsa -traditional -out private.pem 2048
+ $ openssl rsa -in private.pem -pubout > public.pem
+
+To create a ``tar.gz`` archive with integrity check artifacts:
+
+.. code-block:: console
+
+ $ tt pack tgz --with-integrity-check private.pem
+
+Learn how to perform integrity checks upon application startup and in runtime in the :ref:``tt start `` reference.
+
.. _tt-pack-options:
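Review bot: the key-generation note writes ``private.pem`` without a passphrase and the next example passes it straight to ``tt pack tgz --with-integrity-check``, yet nothing says that the private key is needed only for packing and must not be placed in the archive or copied to the hosts that run the application. Suggest a sentence to that effect, naming ``public.pem`` as the only key to deploy. Also in this hunk: "containsSHA256" is missing a space, "a similar files" has a stray article, and the doubled backticks in the last line break the ``:ref:`` role.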
@@ -210,6 +247,10 @@ Options
Include Tarantool and ``tt`` binaries in a bundle.
+.. option:: --with-integrity-check PRIVATE_KEY
+
+ Generate hashes and signatures for integrity checks at the application startup.
+
.. option:: --with-tarantool-deps
Add Tarantool and ``tt`` as package dependencies.
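Review bot: the ``--with-integrity-check`` description limits the generated files to "integrity checks at the application startup", although start.rst in this same patch says the checks are repeated periodically while the application runs. Drop "at the application startup" or add "and in runtime", and add a "See also" pointing to :ref:`tt-pack-integrity-check`.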
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index 43d0c5c843..db76fcb8ad 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -12,10 +12,29 @@ inside the ``instances_enabled`` directory specified in the :ref:`tt configurati
For detailed instructions on preparing and running Tarantool applications, see
:ref:`admin-instance-environment-overview` and :ref:`admin-start_stop_instance`.
-When called without arguments, starts all enabled applications in the current environment.
-
See also: :ref:`tt-stop`, :ref:`tt-restart`, :ref:`tt-status`.
+To start all instances of the application stored in the ``app`` directory inside
+``instances_enabled`` in accordance with its ``instances.yml``:
+
+.. code-block:: console
+
+ $ tt start app
+
+To start the ``router`` instance of the ``app`` application:
+
+.. code-block:: console
+
+ $ tt start app:router
+
+When called without arguments, starts all enabled applications in the current environment:
+
+.. code-block:: console
+
+ $ tt start
+
+.. _tt-start-app-layout:
+
Application layout
------------------
@@ -38,6 +57,8 @@ For more information about Tarantool application layout, see :ref:`admin-instanc
which is considered a legacy approach since Tarantool 3.0. For information
about using ``tt`` with such applications, refer to the Tarantool 2.11 documentation.
+.. _tt-start-background:
+
Running in the background
-------------------------
@@ -52,19 +73,43 @@ process for status checks (:ref:`tt status `) and application stoppin
If you start such an application with ``tt start``, ``tt`` won't be able to check
the application status or stop it using the corresponding commands.
-Examples
---------
+.. _tt-start-integrity-check:
+
+Integrity check
+---------------
+
+``tt start`` can perform initial and periodical integrity checks of applications
+that it starts. To make the integrity checks possible, you need to pack the application
+using ``tt pack`` with the ``--with-integrity-check`` option. This option generates
+and signs checksums of executables and configuration files in the current ``tt``
+environment. Learn more in :ref:`tt-pack-integrity-check`.
+
+To check the environment and application integrity when running the application,
+start it with the :ref:`global option ` ``--integrity-check``.
+Its argument must be a public key matching the private key that was used for
+generating checksums.
-* Start instances of the application stored in the ``app`` directory inside
- ``instances_enabled`` in accordance with its ``instances.yml``:
+.. code-block:: console
+
+ $ tt --integrity-check public.pem start myapp
+
+After such a call, ``tt`` checks the environment and application integrity using
+the checksums and starts the application in case of the success. Then, integrity
+checks are performed periodically when the application is running. By default,
+they are performed once every 24 hours. You can adjust the integrity check period
+by adding the ``--integrity-check-period`` option:
+
+.. code-block:: console
- .. code-block:: console
+ $ tt --integrity-check public.pem start myapp --integrity-check-period 60
- $ tt start app
-* Start the ``router`` instance of the ``app`` application:
+.. _tt-start-options:
- .. code-block:: console
+Options
+-------
- $ tt start app:router
+.. option:: --integrity-check-interval NUMBER
+ Integrity check interval in seconds. Default: 86400 (24 hours).
+ Set this option to ``0`` to disable periodic checks.
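Review bot: the prose and the second example in the new "Integrity check" section use ``--integrity-check-period``, while the Options entry added at the end of this hunk documents ``--integrity-check-interval``. Only one of these can be the actual flag name; use it in all three places. The example value ``60`` also has no unit in the prose, so say "in seconds" next to it, as the option description does.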
From 40d7b6597b031fab050ff52c9cb1b39b8d9d845f Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Thu, 4 Jul 2024 17:52:37 +0700
Subject: [PATCH 02/11] Add tt integrity check options
---
doc/reference/tooling/tt_cli/global_options.rst | 5 +++++
doc/reference/tooling/tt_cli/pack.rst | 5 +++++
doc/reference/tooling/tt_cli/start.rst | 5 +++++
3 files changed, 15 insertions(+)
diff --git a/doc/reference/tooling/tt_cli/global_options.rst b/doc/reference/tooling/tt_cli/global_options.rst
index ef78fd86a9..9c21ac9608 100644
--- a/doc/reference/tooling/tt_cli/global_options.rst
+++ b/doc/reference/tooling/tt_cli/global_options.rst
@@ -26,6 +26,11 @@ Global options
.. option:: --integrity-check PUBLIC_KEY
+ .. admonition:: Enterprise Edition
+ :class: fact
+
+ This option is supported by the `Enterprise Edition `_ only.
+
Perform an integrity check using the specified public key before executing the operation.
Learn more in :ref:`tt-start-integrity-check`.
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index 1876544428..bf93eceae2 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -81,6 +81,11 @@ An example of the ``systemd-unit-params.yml`` file:
Generating files for integrity checks
-------------------------------------
+.. admonition:: Enterprise Edition
+ :class: fact
+
+ The integrity check functionality is supported by the `Enterprise Edition `_ only.
+
``tt pack`` can generate hashes and signatures to use for integrity checks
when running the application. These files are:
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index db76fcb8ad..6d012751a0 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -78,6 +78,11 @@ process for status checks (:ref:`tt status `) and application stoppin
Integrity check
---------------
+.. admonition:: Enterprise Edition
+ :class: fact
+
+ The integrity check functionality is supported by the `Enterprise Edition `_ only.
+
``tt start`` can perform initial and periodical integrity checks of applications
that it starts. To make the integrity checks possible, you need to pack the application
using ``tt pack`` with the ``--with-integrity-check`` option. This option generates
From 63b98e1e5a176edc65dc299ae43fcce3ce857123 Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Thu, 4 Jul 2024 18:08:40 +0700
Subject: [PATCH 03/11] Fix
---
doc/reference/tooling/tt_cli/pack.rst | 6 +++---
doc/reference/tooling/tt_cli/start.rst | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index bf93eceae2..98ab6667da 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -90,12 +90,12 @@ Generating files for integrity checks
when running the application. These files are:
- ``hashes.json`` and ``hashes.json.sig`` in each application directory.
- ``hashes.json`` containsSHA256 checksums of executable files that the application uses
+ ``hashes.json`` contains SHA256 checksums of executable files that the application uses
and its configuration file. ``hashes.json.sig`` contains a digital signature
for ``hashes.json``.
- ``env-hashes.json`` and ``env-hashes.json.sig`` in the environment root are
- a similar files for the ``tt`` environment. They contain checksums for
+ similar files for the ``tt`` environment. They contain checksums for
Tarantool and ``tt`` executables, and for the ``tt.yaml`` configuration file.
To generate hashes and signatures for integrity check, use the ``--with-integrity-check``
@@ -116,7 +116,7 @@ To create a ``tar.gz`` archive with integrity check artifacts:
$ tt pack tgz --with-integrity-check private.pem
-Learn how to perform integrity checks upon application startup and in runtime in the :ref:``tt start `` reference.
+Learn how to perform integrity checks upon application startup and in runtime in the :ref:`tt start ` reference.
.. _tt-pack-options:
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index 6d012751a0..a19c2eac98 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -108,6 +108,7 @@ by adding the ``--integrity-check-period`` option:
$ tt --integrity-check public.pem start myapp --integrity-check-period 60
+If an integrity check fails, ``tt`` stops the application.
.. _tt-start-options:
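Review bot: the added sentence "If an integrity check fails, ``tt`` stops the application" only fits a failure during a periodic check. When the initial check fails, the application has not been started yet, so describe that case separately, and mention where the failure is reported so operators know what to look for.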
@@ -118,3 +119,5 @@ Options
Integrity check interval in seconds. Default: 86400 (24 hours).
Set this option to ``0`` to disable periodic checks.
+
+ See also: :ref:`tt-start-integrity-check`
\ No newline at end of file
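Review bot: start.rst now ends with the added "See also" line and no trailing newline ("\ No newline at end of file"). Add the newline so that later patches touching the end of this file do not show a spurious change on this line.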
From 81665ebb1dd48bb91363b969e4350d8f1796839b Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Thu, 4 Jul 2024 19:39:00 +0700
Subject: [PATCH 04/11] Fix filename
---
doc/reference/tooling/tt_cli/pack.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index 98ab6667da..e9e149444a 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -94,7 +94,7 @@ when running the application. These files are:
and its configuration file. ``hashes.json.sig`` contains a digital signature
for ``hashes.json``.
-- ``env-hashes.json`` and ``env-hashes.json.sig`` in the environment root are
+- ``env_hashes.json`` and ``env_hashes.json.sig`` in the environment root are
similar files for the ``tt`` environment. They contain checksums for
Tarantool and ``tt`` executables, and for the ``tt.yaml`` configuration file.
From 49219ceb6d70848021fd05d990c2062079a0e085 Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Fri, 5 Jul 2024 16:59:58 +0700
Subject: [PATCH 05/11] Add tt cluster publish integrity check
---
doc/reference/tooling/tt_cli/cluster.rst | 41 ++++++++++++++++++++++++
doc/reference/tooling/tt_cli/pack.rst | 2 +-
doc/reference/tooling/tt_cli/start.rst | 25 +++++++++------
3 files changed, 58 insertions(+), 10 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/cluster.rst b/doc/reference/tooling/tt_cli/cluster.rst
index 19bee01cda..6c05eb2c50 100644
--- a/doc/reference/tooling/tt_cli/cluster.rst
+++ b/doc/reference/tooling/tt_cli/cluster.rst
@@ -112,6 +112,47 @@ and aborts in case of an error. To skip the validation, add the ``--force`` opti
$ tt cluster publish myapp source.yaml --force
+.. _tt-cluster-publish-integrity:
+
+Publishing configuration with integrity check
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. admonition:: Enterprise Edition
+ :class: fact
+
+ The integrity check functionality is supported by the `Enterprise Edition `_ only.
+
+When called with the ``-with-integrity-check`` option, ``tt cluster publish``
+generates a checksum of the configuration it publishes. It signs the checksum using
+the private key passed as the option argument, and writes it into the configuration store.
+
+.. code-block:: console
+
+ $ tt cluster publish "http://localhost:2379/myapp" source.yaml --with-integrity-check private.pem
+
+If an application configuration is published this way, it can be checked for integrity
+using the ``--integrity-check`` :ref:`global option `.
+
+.. code-block:: console
+
+ $ tt --integrity-check public.pem start myapp
+
+Learn more about integrity checks upon application startup and in runtime in the :ref:`tt start ` reference.
+
+To update the configuration with integrity check, call ``tt cluster publish``
+with two options:
+
+- ``--integrity-check PUBLIC_KEY`` global option checks that the configuration wasn't changed
+ since it was published
+- ``--with-integrity-check PRIVATE_KEY`` generates new checksums and signatures
+ for future integrity checks of the updated configuration.
+
+.. code-block:: console
+
+ $ tt --integrity-check public.pem cluster publish \
+ --with-integrity-check private.pem \
+ "http://localhost:2379/myapp" source.yaml
+
.. _tt-cluster-show:
show
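Review bot: the first paragraph of the new section spells the option ``-with-integrity-check`` with a single dash, while the examples and the bullet list use ``--with-integrity-check``. Fix the dash. In the bullet list, the first item also lacks the closing period that the second item has.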
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index e9e149444a..8db346e684 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -58,7 +58,7 @@ option to the ``tt pack`` call:
.. important::
- The ``systemd-unit-params.yml`` file has a higher priority than the ``--unit-params-file`` option.
+ The ``systemd-unit-params.yml`` file has a higher priority than the ``--unit-params-file`` option.
If this file exists, it overrides parameters from the file passed in the option.
``tt pack`` supports the following systemd unit parameters:
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index a19c2eac98..6042050947 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -83,14 +83,21 @@ Integrity check
The integrity check functionality is supported by the `Enterprise Edition `_ only.
-``tt start`` can perform initial and periodical integrity checks of applications
-that it starts. To make the integrity checks possible, you need to pack the application
-using ``tt pack`` with the ``--with-integrity-check`` option. This option generates
-and signs checksums of executables and configuration files in the current ``tt``
+``tt start`` can perform initial and periodical integrity checks of the environment,
+application, and centralized configuration.
+
+To enable the integrity checks of environment and application files, you need to pack
+the application using ``tt pack`` with the ``--with-integrity-check`` option.
+This option generates and signs checksums of executables and configuration files in the current ``tt``
environment. Learn more in :ref:`tt-pack-integrity-check`.
-To check the environment and application integrity when running the application,
-start it with the :ref:`global option ` ``--integrity-check``.
+To enable the configuration integrity check, publish the configuration to a centralized
+storage using ``tt cluster publish`` with the ``--with-integrity-check`` option.
+This option generates and signs configuration checksums and saves them to the storage.
+Learn more in :ref:`tt-cluster-publish-integrity`.
+
+To perform the integrity checks when running the application, start it with the
+``--integrity-check`` :ref:`global option `.
Its argument must be a public key matching the private key that was used for
generating checksums.
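Review bot: with this change two different commands sign data (``tt pack`` and ``tt cluster publish``, each taking its own ``--with-integrity-check PRIVATE_KEY``), but ``tt --integrity-check`` is still described as taking a single public key "matching the private key that was used for generating checksums". State explicitly whether the package and the published configuration have to be signed with the same key pair, and what the user should do if they were not.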
@@ -98,9 +105,9 @@ generating checksums.
$ tt --integrity-check public.pem start myapp
-After such a call, ``tt`` checks the environment and application integrity using
-the checksums and starts the application in case of the success. Then, integrity
-checks are performed periodically when the application is running. By default,
+After such a call, ``tt`` checks the environment, application, and configuration integrity
+using the checksums and starts the application in case of the success. Then, integrity
+checks are performed periodically while the application is running. By default,
they are performed once every 24 hours. You can adjust the integrity check period
by adding the ``--integrity-check-period`` option:
From c732f5a07968f587ce68fc464707c3ccd7ffec09 Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Fri, 5 Jul 2024 18:07:49 +0700
Subject: [PATCH 06/11] fix
---
doc/reference/tooling/tt_cli/cluster.rst | 12 +++++++-----
doc/reference/tooling/tt_cli/pack.rst | 2 ++
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/cluster.rst b/doc/reference/tooling/tt_cli/cluster.rst
index 6c05eb2c50..6fbb2edb6b 100644
--- a/doc/reference/tooling/tt_cli/cluster.rst
+++ b/doc/reference/tooling/tt_cli/cluster.rst
@@ -114,8 +114,8 @@ and aborts in case of an error. To skip the validation, add the ``--force`` opti
.. _tt-cluster-publish-integrity:
-Publishing configuration with integrity check
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Publishing configurations with integrity check
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. admonition:: Enterprise Edition
:class: fact
@@ -123,7 +123,7 @@ Publishing configuration with integrity check
The integrity check functionality is supported by the `Enterprise Edition `_ only.
When called with the ``-with-integrity-check`` option, ``tt cluster publish``
-generates a checksum of the configuration it publishes. It signs the checksum using
+generates a hash of configurations it publishes. It signs the hash using
the private key passed as the option argument, and writes it into the configuration store.
.. code-block:: console
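Review bot: this hunk switches the paragraph to "hash", while start.rst in patch 05 describes the same data as "configuration checksums" and pack.rst uses both "hashes" and "checksums". Pick one term for the whole series so that readers do not assume these are different artifacts.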
@@ -139,12 +139,12 @@ using the ``--integrity-check`` :ref:`global option `.
Learn more about integrity checks upon application startup and in runtime in the :ref:`tt start ` reference.
-To update the configuration with integrity check, call ``tt cluster publish``
+To ensure the configuration integrity when updating it, call ``tt cluster publish``
with two options:
- ``--integrity-check PUBLIC_KEY`` global option checks that the configuration wasn't changed
since it was published
-- ``--with-integrity-check PRIVATE_KEY`` generates new checksums and signatures
+- ``--with-integrity-check PRIVATE_KEY`` generates new hash and signature
for future integrity checks of the updated configuration.
.. code-block:: console
@@ -519,3 +519,5 @@ Options
**Applicable to:** ``publish``
Generate hashes and signatures for integrity checks.
+
+ See also: :ref:`tt-cluster-publish-integrity`
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index 8db346e684..ae5c8a62f9 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -256,6 +256,8 @@ Options
Generate hashes and signatures for integrity checks at the application startup.
+ See also: :ref:`tt-pack-integrity-check`
+
.. option:: --with-tarantool-deps
Add Tarantool and ``tt`` as package dependencies.
From 1a22460173e1615f823189f5ba6a534806b2c0da Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Mon, 8 Jul 2024 17:23:13 +0700
Subject: [PATCH 07/11] Apply suggestions from code review
Co-authored-by: Oleg Jukovec
---
doc/reference/tooling/tt_cli/cluster.rst | 2 +-
doc/reference/tooling/tt_cli/pack.rst | 2 +-
doc/reference/tooling/tt_cli/start.rst | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/cluster.rst b/doc/reference/tooling/tt_cli/cluster.rst
index 6fbb2edb6b..0dfba5d1a8 100644
--- a/doc/reference/tooling/tt_cli/cluster.rst
+++ b/doc/reference/tooling/tt_cli/cluster.rst
@@ -122,7 +122,7 @@ Publishing configurations with integrity check
The integrity check functionality is supported by the `Enterprise Edition `_ only.
-When called with the ``-with-integrity-check`` option, ``tt cluster publish``
+When called with the ``--with-integrity-check`` option, ``tt cluster publish``
generates a hash of configurations it publishes. It signs the hash using
the private key passed as the option argument, and writes it into the configuration store.
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index ae5c8a62f9..9b0f4ea165 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -103,7 +103,7 @@ option. Its argument must be an RSA private key.
.. note::
- You can generate a key pair using `OpenSSL `__ as follows:
+ You can generate a key pair using `OpenSSL 3 `__ as follows:
.. code-block:: console
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index 6042050947..a88df47c2b 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -31,7 +31,7 @@ When called without arguments, starts all enabled applications in the current en
.. code-block:: console
- $ tt start
+ $ tt start
.. _tt-start-app-layout:
@@ -91,7 +91,7 @@ the application using ``tt pack`` with the ``--with-integrity-check`` option.
This option generates and signs checksums of executables and configuration files in the current ``tt``
environment. Learn more in :ref:`tt-pack-integrity-check`.
-To enable the configuration integrity check, publish the configuration to a centralized
+To add the configuration at the centralized storage integrity check, publish the configuration to a centralized
storage using ``tt cluster publish`` with the ``--with-integrity-check`` option.
This option generates and signs configuration checksums and saves them to the storage.
Learn more in :ref:`tt-cluster-publish-integrity`.
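Review bot: the replacement sentence "To add the configuration at the centralized storage integrity check, publish the configuration to a centralized storage" does not parse and names the storage twice. Suggest "To enable the integrity check of the configuration kept in a centralized storage, publish it using ``tt cluster publish`` with the ``--with-integrity-check`` option."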
From f954090b98606a38b3793b7f4c3a8963ae616c09 Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Mon, 8 Jul 2024 17:30:24 +0700
Subject: [PATCH 08/11] fix
---
doc/reference/tooling/tt_cli/cluster.rst | 1 +
doc/reference/tooling/tt_cli/start.rst | 7 +++++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/cluster.rst b/doc/reference/tooling/tt_cli/cluster.rst
index 0dfba5d1a8..ca2afe9390 100644
--- a/doc/reference/tooling/tt_cli/cluster.rst
+++ b/doc/reference/tooling/tt_cli/cluster.rst
@@ -135,6 +135,7 @@ using the ``--integrity-check`` :ref:`global option `.
.. code-block:: console
+ $ tt --integrity-check public.pem cluster show myapp
$ tt --integrity-check public.pem start myapp
Learn more about integrity checks upon application startup and in runtime in the :ref:`tt start ` reference.
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index a88df47c2b..826485bc77 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -91,8 +91,8 @@ the application using ``tt pack`` with the ``--with-integrity-check`` option.
This option generates and signs checksums of executables and configuration files in the current ``tt``
environment. Learn more in :ref:`tt-pack-integrity-check`.
-To add the configuration at the centralized storage integrity check, publish the configuration to a centralized
-storage using ``tt cluster publish`` with the ``--with-integrity-check`` option.
+To enable the integrity check of the configuration at the centralized storage,
+publish the configuration to a this storage using ``tt cluster publish`` with the ``--with-integrity-check`` option.
This option generates and signs configuration checksums and saves them to the storage.
Learn more in :ref:`tt-cluster-publish-integrity`.
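Review bot: "publish the configuration to a this storage" has a leftover article; it should read "to this storage". The line is also much longer than its neighbours and could be wrapped.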
@@ -115,6 +115,9 @@ by adding the ``--integrity-check-period`` option:
$ tt --integrity-check public.pem start myapp --integrity-check-period 60
+Additionally, Tarantool checks the integrity of the modules that the application uses
+at the load time, that is, when ``require(\`module\`)`` is called.
+
If an integrity check fails, ``tt`` stops the application.
.. _tt-start-options:
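Review bot: in ``require(\`module\`)`` the backslash-escaped backticks sit inside an inline literal, so the backslashes will show up in the rendered text; write ``require('module')`` instead. The new paragraph also says that Tarantool, not ``tt``, performs the module check, while the following sentence says ``tt`` stops the application on failure; clarify what happens when a module fails the check at load time.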
From c0de1e573d299beb160e423c242015ccf17f9b1b Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Mon, 8 Jul 2024 17:37:33 +0700
Subject: [PATCH 09/11] fix
---
doc/reference/tooling/tt_cli/pack.rst | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/pack.rst b/doc/reference/tooling/tt_cli/pack.rst
index 9b0f4ea165..828627ec94 100644
--- a/doc/reference/tooling/tt_cli/pack.rst
+++ b/doc/reference/tooling/tt_cli/pack.rst
@@ -86,7 +86,7 @@ Generating files for integrity checks
The integrity check functionality is supported by the `Enterprise Edition `_ only.
-``tt pack`` can generate hashes and signatures to use for integrity checks
+``tt pack`` can generate checksums and signatures to use for integrity checks
when running the application. These files are:
- ``hashes.json`` and ``hashes.json.sig`` in each application directory.
@@ -98,7 +98,7 @@ when running the application. These files are:
similar files for the ``tt`` environment. They contain checksums for
Tarantool and ``tt`` executables, and for the ``tt.yaml`` configuration file.
-To generate hashes and signatures for integrity check, use the ``--with-integrity-check``
+To generate checksums and signatures for integrity check, use the ``--with-integrity-check``
option. Its argument must be an RSA private key.
.. note::
@@ -116,7 +116,8 @@ To create a ``tar.gz`` archive with integrity check artifacts:
$ tt pack tgz --with-integrity-check private.pem
-Learn how to perform integrity checks upon application startup and in runtime in the :ref:`tt start ` reference.
+Learn how to perform integrity checks at the application startup and in runtime
+in the :ref:`tt start ` reference.
.. _tt-pack-options:
@@ -254,7 +255,7 @@ Options
.. option:: --with-integrity-check PRIVATE_KEY
- Generate hashes and signatures for integrity checks at the application startup.
+ Generate checksums and signatures for integrity checks at the application startup.
See also: :ref:`tt-pack-integrity-check`
From 306a4f4bcd1551975f762a6683e0a7560281b648 Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Wed, 10 Jul 2024 11:15:01 +0700
Subject: [PATCH 10/11] Apply suggestions from code review
Co-authored-by: Kseniia Antonova <73473519+xuniq@users.noreply.github.com>
---
doc/reference/tooling/tt_cli/cluster.rst | 2 +-
doc/reference/tooling/tt_cli/start.rst | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/cluster.rst b/doc/reference/tooling/tt_cli/cluster.rst
index ca2afe9390..cc332fd7fe 100644
--- a/doc/reference/tooling/tt_cli/cluster.rst
+++ b/doc/reference/tooling/tt_cli/cluster.rst
@@ -123,7 +123,7 @@ Publishing configurations with integrity check
The integrity check functionality is supported by the `Enterprise Edition `_ only.
When called with the ``--with-integrity-check`` option, ``tt cluster publish``
-generates a hash of configurations it publishes. It signs the hash using
+generates a hash of the configurations it publishes. It signs the hash using
the private key passed as the option argument, and writes it into the configuration store.
.. code-block:: console
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index 826485bc77..11f0fd9956 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -92,7 +92,7 @@ This option generates and signs checksums of executables and configuration files
environment. Learn more in :ref:`tt-pack-integrity-check`.
To enable the integrity check of the configuration at the centralized storage,
-publish the configuration to a this storage using ``tt cluster publish`` with the ``--with-integrity-check`` option.
+publish the configuration to this storage using ``tt cluster publish`` with the ``--with-integrity-check`` option.
This option generates and signs configuration checksums and saves them to the storage.
Learn more in :ref:`tt-cluster-publish-integrity`.
From f25651442abb00d1e588cd3cff29a358f1c36e7e Mon Sep 17 00:00:00 2001
From: Pavel Semyonov
Date: Wed, 10 Jul 2024 11:27:09 +0700
Subject: [PATCH 11/11] Fix
---
doc/reference/tooling/tt_cli/cluster.rst | 2 +-
doc/reference/tooling/tt_cli/start.rst | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/reference/tooling/tt_cli/cluster.rst b/doc/reference/tooling/tt_cli/cluster.rst
index cc332fd7fe..9177bb9c3c 100644
--- a/doc/reference/tooling/tt_cli/cluster.rst
+++ b/doc/reference/tooling/tt_cli/cluster.rst
@@ -123,7 +123,7 @@ Publishing configurations with integrity check
The integrity check functionality is supported by the `Enterprise Edition `_ only.
When called with the ``--with-integrity-check`` option, ``tt cluster publish``
-generates a hash of the configurations it publishes. It signs the hash using
+generates a checksum of the configurations it publishes. It signs the checksum using
the private key passed as the option argument, and writes it into the configuration store.
.. code-block:: console
diff --git a/doc/reference/tooling/tt_cli/start.rst b/doc/reference/tooling/tt_cli/start.rst
index 11f0fd9956..63e78358d7 100644
--- a/doc/reference/tooling/tt_cli/start.rst
+++ b/doc/reference/tooling/tt_cli/start.rst
@@ -86,12 +86,12 @@ Integrity check
``tt start`` can perform initial and periodical integrity checks of the environment,
application, and centralized configuration.
-To enable the integrity checks of environment and application files, you need to pack
+To enable integrity checks of environment and application files, you need to pack
the application using ``tt pack`` with the ``--with-integrity-check`` option.
This option generates and signs checksums of executables and configuration files in the current ``tt``
environment. Learn more in :ref:`tt-pack-integrity-check`.
-To enable the integrity check of the configuration at the centralized storage,
+To enable integrity check of the configuration at the centralized storage,
publish the configuration to this storage using ``tt cluster publish`` with the ``--with-integrity-check`` option.
This option generates and signs configuration checksums and saves them to the storage.
Learn more in :ref:`tt-cluster-publish-integrity`.
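Review bot: after the article is dropped, "To enable integrity check of the configuration" is left with a bare singular noun. Make it "integrity checks", matching the paragraph above, or keep "the".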
@@ -116,7 +116,7 @@ by adding the ``--integrity-check-period`` option:
$ tt --integrity-check public.pem start myapp --integrity-check-period 60
Additionally, Tarantool checks the integrity of the modules that the application uses
-at the load time, that is, when ``require(\`module\`)`` is called.
+at the load time, that is, when ``require('module')`` is called.
If an integrity check fails, ``tt`` stops the application.