git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity
Files
master
linux_patch_api/README.md
Draco-Lunaris-Echo eac05ad1eb
Some checks failed
CI/CD Pipeline / Code Format (push) Successful in 4s
CI/CD Pipeline / Clippy Lints (push) Successful in 44s
CI/CD Pipeline / All Unit Tests (push) Successful in 1m24s
CI/CD Pipeline / Security Audit (push) Successful in 4s
CI/CD Pipeline / Enrollment Tests (push) Successful in 1m15s
CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m0s
CI/CD Pipeline / Build Debian Package (push) Failing after 4s
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m17s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m25s
CI/CD Pipeline / Build Alpine Package (push) Failing after 3m15s
fix: remove dead min_tls_version config field, TLS 1.3 is only supported version (closes #16) 
Co-authored-by: git-echo <git-echo@moon-dragon.us>
2026-06-06 16:50:55 -05:00

18 KiB
Raw Permalink Blame History

Linux Patch API

Version: 1.0.0
Status: Production Ready
License: Apache 2.0

Secure REST API for remote package and patch management on Linux systems.

Table of Contents

Overview

Linux Patch API provides a secure, production-ready interface for managing software packages and system patches on Linux servers. Designed for internal network deployment with enterprise-grade security controls.

Key Design Principles:

  • Zero-trust security architecture (mTLS + IP whitelist)
  • Pure REST API with async job handling
  • Real-time status via WebSocket streaming
  • Multi-distro support (Debian, RHEL, Alpine, Arch)
  • Comprehensive audit logging

Features

Package Management

  • Install, update, and remove packages remotely
  • Batch operations with dependency resolution
  • Support for apt, dnf, yum, apk, pacman backends
  • Version pinning and force options

Patch Management

  • List available security patches
  • Apply patches with optional auto-reboot
  • Patch scheduling and delay options
  • Rollback capabilities

Job Management

  • Async operation tracking with job IDs
  • Real-time status via WebSocket
  • Job history and audit trail
  • Configurable concurrency limits

System Management

  • System information retrieval
  • Health check endpoints
  • Remote reboot capabilities
  • Service status monitoring

Security Features

  • mTLS certificate authentication (TLS 1.3 only)
  • IP whitelist enforcement (deny by default)
  • Automated self-enrollment with linux_patch_manager (no manual PKI distribution)
  • Comprehensive audit logging (systemd journal)
  • Systemd hardening and process isolation
  • File permission enforcement

Quick Start

Prerequisites

  • Linux server (Debian/Ubuntu, RHEL/CentOS/Fedora, Alpine, or Arch)
  • systemd init system
  • Root or sudo access
  • Internal CA infrastructure for certificates

1. Install Package

Debian/Ubuntu:

dpkg -i linux-patch-api_1.0.0-1_amd64.deb

RHEL/CentOS/Fedora:

rpm -ivh linux-patch-api-1.0.0-1.x86_64.rpm

Manual Installation:

./install.sh

2. Configure Certificates

# Copy CA certificate
cp ca.pem /etc/linux_patch_api/certs/

# Copy server certificate and key
cp server.pem /etc/linux_patch_api/certs/
cp server.key.pem /etc/linux_patch_api/certs/
chmod 600 /etc/linux_patch_api/certs/server.key.pem

3. Configure IP Whitelist

Edit /etc/linux_patch_api/whitelist.yaml:

entries:
  - "192.168.1.0/24"      # Management network
  - "10.0.0.50"           # Admin workstation

4. Start Service

systemctl enable linux-patch-api
systemctl start linux-patch-api
systemctl status linux-patch-api

5. Test Connection

curl --cacert ca.pem \
     --cert client.pem \
     --key client.key.pem \
     https://localhost:12443/api/v1/health

Usage Examples

Standard Startup (Existing Certificates)

When certificates are already provisioned, start with the configuration path:

sudo linux-patch-api --config /etc/linux_patch_api/config.yaml

Or via systemd (recommended for production):

systemctl enable linux-patch-api
systemctl start linux-patch-api

Self-Enrollment with Manager

Bootstrap a new host by automatically requesting certificates from the manager:

sudo linux-patch-api --enroll https://manager.example.com

The enrollment workflow:

  1. Extracts machine identity (/etc/machine-id, FQDN, OS details)
  2. Registers with manager (POST /api/v1/enroll)
  3. Polls for admin approval (default: every 60 seconds, up to 24 hours)
  4. Downloads PKI bundle on approval
  5. Writes certificates and updates whitelist automatically
  6. Starts mTLS server without requiring a restart
# Enrollment with verbose logging
sudo linux-patch-api --enroll https://manager.example.com --verbose

For detailed enrollment procedures, see DEPLOYMENT_GUIDE.md - Self-Enrollment Deployment.

Installation

Package Installation

All platform packages produce identical installation results:

  • Creates /etc/linux_patch_api/, /etc/linux_patch_api/certs/, /var/lib/linux_patch_api/, /var/log/linux_patch_api/
  • Copies example configs to live configs if not already present
  • Enables the service (does not start automatically)
  • Sets correct permissions (750 on config dirs, 755 on data/log dirs)
  • Ownership: root:root (service runs as root)

Debian/Ubuntu (.deb)

# Install the package
dpkg -i linux-patch-api_1.0.0-1_amd64.deb

# Fix any dependency issues
apt-get install -f -y

# Verify installation
systemctl status linux-patch-api
linux-patch-api --version

# Check installed files
dpkg -L linux-patch-api

# Remove package (keeping configs)
dpkg -r linux-patch-api

# Purge package (removing all configs)
dpkg -P linux-patch-api

Prerequisites: systemd, libsystemd0

Post-install: The package automatically copies example configs, enables the service, and prints next steps. Configure /etc/linux_patch_api/config.yaml and place TLS certificates in /etc/linux_patch_api/certs/ before starting.

RHEL/CentOS/Fedora (.rpm)

# Install the package (recommended - resolves dependencies automatically)
dnf install -y ./linux-patch-api-1.0.0-1.el9.x86_64.rpm

# Or with yum
yum install -y ./linux-patch-api-1.0.0-1.el9.x86_64.rpm

# Or with rpm (does NOT resolve dependencies)
rpm -ivh linux-patch-api-1.0.0-1.el9.x86_64.rpm

# Verify installation
systemctl status linux-patch-api
linux-patch-api --version

# Check installed files
rpm -ql linux-patch-api

# Remove package
rpm -e linux-patch-api

Prerequisites (auto-resolved with dnf/yum): systemd, libsystemd, openssl-libs, ca-certificates

Post-install: The package automatically creates directories, copies example configs, enables the service, and prints next steps. Configure /etc/linux_patch_api/config.yaml and place TLS certificates in /etc/linux_patch_api/certs/ before starting.

Note: Use dnf install or yum install instead of rpm -ivh to automatically resolve dependencies. The rpm -ivh command will fail if required packages are not already installed.

Arch Linux (.pkg.tar.zst)

# Install the package
sudo pacman -U ./linux-patch-api-1.0.0-1-x86_64.pkg.tar.zst

# Verify installation
systemctl status linux-patch-api
linux-patch-api --version

# Check installed files
pacman -Ql linux-patch-api

# Remove package
sudo pacman -R linux-patch-api

Prerequisites: systemd (included by default on Arch)

Post-install: The package automatically creates directories, copies example configs, enables the service, and prints next steps. Configure /etc/linux_patch_api/config.yaml and place TLS certificates in /etc/linux_patch_api/certs/ before starting.

Note: Arch uses systemd by default. The install hook runs systemctl enable but does not start the service. You must configure before starting.

Alpine Linux (.apk)

# Install the package
sudo apk add --allow-unstable ./linux-patch-api-1.0.0-r0.apk

# Verify installation
rc-service linux-patch-api status
linux-patch-api --version

# Check installed files
apk info -L linux-patch-api

# Remove package
sudo apk del linux-patch-api

Prerequisites: openrc (included by default on Alpine)

Post-install: The package automatically creates directories, copies example configs, adds the service to the default runlevel, and prints next steps. Configure /etc/linux_patch_api/config.yaml and place TLS certificates in /etc/linux_patch_api/certs/ before starting.

Important differences from systemd-based systems:

  • Alpine uses OpenRC instead of systemd. Use rc-service commands instead of systemctl
  • Start service: rc-service linux-patch-api start
  • Stop service: rc-service linux-patch-api stop
  • Check status: rc-service linux-patch-api status
  • The service is added to the default runlevel automatically on install
  • Service init script: /etc/init.d/linux-patch-api

Manual Installation

For systems without package manager support:

# Run interactive installer (requires root)
sudo ./install.sh

The installer will:

  • Detect operating system
  • Create directory structure (/etc/linux_patch_api/, /var/lib/linux_patch_api/, /var/log/linux_patch_api/)
  • Install binary to /usr/bin/linux-patch-api
  • Install example configs
  • Configure systemd service
  • Set correct permissions

Building from Source

Prerequisites (all platforms)

  • Rust toolchain (stable channel, 1.75+)
  • OpenSSL development headers
  • systemd development headers
  • C compiler (gcc)

Build Debian Package (.deb)

# On Debian/Ubuntu
apt-get install -y build-essential debhelper pkg-config libsystemd-dev libssl-dev cargo rustc
cargo build --release
sudo dpkg-buildpackage -us -uc -b

Build RPM Package (.rpm)

# On Fedora/RHEL/CentOS
dnf install -y rpm-build cargo rust gcc openssl-devel systemd-devel pkgconfig
cargo build --release --target x86_64-unknown-linux-gnu
chmod +x build-rpm.sh
./build-rpm.sh

Note: The RPM spec includes BuildRequires for native RPM build environments. When building in CI containers (where deps are pre-installed via apt-get), these are informational only.

Build Arch Package (.pkg.tar.zst)

# On Arch Linux/Manjaro
pacman -Syu --noconfirm rust cargo systemd git base-devel gcc
cargo build --release
chmod +x build-arch.sh
SKIP_CARGO_BUILD=1 ./build-arch.sh

Note: The build script creates a builduser for makepkg when running as root (typical in CI). The .install hook handles directory creation, config copying, and service enablement.

Build Alpine Package (.apk)

# On Alpine Linux 3.18+
apk add --no-cache alpine-sdk rust cargo openssl openssl-dev elogind-dev musl-dev abuild gcc
cargo build --release --target x86_64-unknown-linux-musl
chmod +x build-alpine.sh
SKIP_CARGO_BUILD=1 ./build-alpine.sh

Important: Alpine requires the x86_64-unknown-linux-musl target for static linking. The build script handles abuild key generation and runs as a builduser when executed as root.

See BUILD_PACKAGES.md for detailed build instructions.

Configuration

Configuration File

Location: /etc/linux_patch_api/config.yaml

# Server Configuration
server:
  port: 12443
  bind: "0.0.0.0"
  timeout_seconds: 30

# TLS/mTLS Configuration
tls:
  enabled: true
  port: 12443
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  server_key: "/etc/linux_patch_api/certs/server.key"
  # TLS 1.3 is the only supported version (hardcoded, not configurable)

# Job Configuration
jobs:
  max_concurrent: 5
  timeout_minutes: 30
  storage_path: "/var/lib/linux_patch_api/jobs"

# Logging Configuration
logging:
  level: "info"
  journal_enabled: true
  syslog_enabled: false
  file_path: "/var/log/linux_patch_api/audit.log"
  retention_days: 30

# IP Whitelist Configuration
whitelist:
  path: "/etc/linux_patch_api/whitelist.yaml"

# Package Manager Backend
package_manager:
  backend: "auto"  # auto, apt, dnf, yum, apk, pacman

IP Whitelist

Location: /etc/linux_patch_api/whitelist.yaml

entries:
  - "192.168.1.0/24"      # Management network
  - "10.0.0.50"           # Specific admin workstation
  - "admin-server.internal"  # Hostname (resolved at startup)

Supported Entry Types:

  • Individual IPs: 192.168.1.100
  • CIDR subnets: 192.168.1.0/24
  • Hostnames: admin-server.internal

Note: Changes to whitelist are applied automatically (no restart required).

Certificate Requirements

File Location Permissions Description
CA Certificate /etc/linux_patch_api/certs/ca.pem 644 Internal CA public cert
Server Cert /etc/linux_patch_api/certs/server.pem 644 Server public certificate
Server Key /etc/linux_patch_api/certs/server.key 600 Server private key
Client Cert /etc/linux_patch_api/certs/client.pem 644 Client public certificate
Client Key /etc/linux_patch_api/certs/client.key 600 Client private key

See DEPLOYMENT_SECURITY_GUIDE.md for certificate setup instructions.

API Usage

Base URL

https://<server-ip>:12443/api/v1/

Authentication

All requests require:

  1. Valid client certificate (signed by internal CA)
  2. Source IP in whitelist
curl --cacert ca.pem \
     --cert client.pem \
     --key client.key.pem \
     https://localhost:12443/api/v1/health

Standard Response Format

{
  "success": true,
  "request_id": "550e8400-e29b-41d4-a716-446655440000",
  "timestamp": "2026-04-09T13:04:02Z",
  "data": {},
  "error": null
}

Example: List Packages

curl --cacert ca.pem \
     --cert client.pem \
     --key client.key.pem \
     "https://localhost:12443/api/v1/packages?limit=10&sort=name"

Example: Install Package (Async)

curl --cacert ca.pem \
     --cert client.pem \
     --key client.key.pem \
     -X POST \
     -H "Content-Type: application/json" \
     -d '{"packages": [{"name": "nginx", "version": "1.24.0-1"}]}' \
     https://localhost:12443/api/v1/packages

Response (202 Accepted):

{
  "success": true,
  "request_id": "uuid",
  "timestamp": "2026-04-09T13:04:02Z",
  "data": {
    "job_id": "uuid",
    "status": "pending",
    "operation": "install",
    "packages": ["nginx"]
  },
  "error": null
}

Example: Check Job Status

curl --cacert ca.pem \
     --cert client.pem \
     --key client.key.pem \
     https://localhost:12443/api/v1/jobs/<job-id>

WebSocket Status Streaming

const ws = new WebSocket('wss://localhost:12443/api/v1/ws/jobs', {
  cert: clientCert,
  key: clientKey,
  ca: caCert
});

ws.onopen = () => {
  ws.send(JSON.stringify({ type: 'subscribe', job_id: 'uuid' }));
};

ws.onmessage = (event) => {
  const data = JSON.parse(event.data);
  console.log('Job status:', data);
};

See API_DOCUMENTATION.md for complete API reference.

Security

Security Architecture

  • Authentication: mTLS certificate-based (TLS 1.3 only)
  • Authorization: IP whitelist enforcement (deny by default)
  • Encryption: TLS 1.3 for all connections
  • Audit Logging: systemd journal + optional file/syslog
  • Process Isolation: systemd hardening directives

Threat Model

Threat Mitigation Status
Spoofing mTLS certificate validation Mitigated
Tampering TLS 1.3 encryption Mitigated
Information Disclosure IP whitelist + silent drop Mitigated
Denial of Service Concurrent job limits, timeouts Mitigated
Privilege Escalation Systemd hardening, minimal permissions Mitigated

See SECURITY.md for complete security specification.

Security Posture

  • Status: GOOD - Approved for internal network deployment
  • Security Tests: 16/16 passing
  • Compliance: 93% (SECURITY_CONTROLS_MATRIX.md)

Performance

Benchmark Results

Metric Result Status
Average Endpoint Latency <5ns (simulated) Excellent
Health Check Latency 866ps Excellent
Concurrent Request Handling Linear scaling to 100+ Good
TLS Handshake Overhead ~15ms ⚠️ Expected
Memory Usage 45MB idle, 78MB under load Good

Performance Recommendations

  1. Enable TLS session resumption (85% handshake reduction)
  2. Implement request timeout middleware
  3. Add connection limits
  4. Reduce JSON allocation overhead
  5. Optimize job manager locking

See PERFORMANCE_BENCHMARK.md for detailed benchmark data.

Contributing

Development Setup

# Clone repository
git clone https://gitea.internal/linux-patch-api.git
cd linux-patch-api

# Install Rust toolchain
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

# Install dependencies
apt-get install -y cargo rustc libsystemd-dev pkg-config

# Run tests
cargo test --all-features

# Run linters
cargo fmt --all -- --check
cargo clippy --all-targets --all-features -- -D warnings

Code Standards

  • Follow Rust idioms and best practices
  • All code must pass Clippy lints
  • Unit test coverage >95%
  • Security audit clean (cargo-audit)
  • Format with rustfmt

Pull Request Process

  1. Create feature branch from develop
  2. Implement changes with tests
  3. Ensure CI pipeline passes
  4. Submit PR for review
  5. Address reviewer feedback
  6. Merge after approval

Reporting Issues

  • Security issues: Contact security team directly (do not create public issues)
  • Bug reports: Include reproduction steps, expected/actual behavior
  • Feature requests: Describe use case and expected functionality

Support

Documentation

Logs and Troubleshooting

# View service logs
journalctl -u linux-patch-api -f

# View audit logs
cat /var/log/linux_patch_api/audit.log

# Check service status
systemctl status linux-patch-api

# Test configuration
linux-patch-api --check-config

Contact

  • Internal Documentation: Internal Wiki
  • Security Team: security@internal
  • Development Team: dev-team@internal

License

This project is licensed under the Apache License 2.0.

Copyright 2025-2026 Draco Lunaris

Version: 1.0.0
Release Date: 2026-07-17