This commit introduces signal handling.
Parent teleport process is now capable of forking
the child process and passing listeners file descriptors
to the child.
Parent process then can gracefully shutdown
by tracking the amount of current connections and
closing listeners once the amount goes to 0.
Here are the signals handled:
* USR2 signal will cause the parent to fork
a child process and pass listener file descriptors to it.
Child process will close unused file descriptors
and will bind to the used ones.
At this moment two processes - the parent
and the forked child process will be serving requests.
After looking at the traffic and the log files,
administrator can either shut down the parent process
or the child process if the child process is not functioning
as expected.
* TERM, INT signals will trigger graceful process shutdown.
Auth, node and proxy processes will wait until the amount
of active connections goes down to 0 and will exit after that.
* KILL, QUIT signals will cause immediate non-graceful
shutdown.
* HUP signal combines USR2 and TERM signals in a convenient
way: parent process will fork a child process and
self-initate graceful shutdown. This is a more convenient
than USR2/TERM sequence, but less agile and robust
as if the connection to the parent process drops, but
the new process exits with error, administrators
can lock themselves out of the environment.
Additionally, boltdb backend has to be phased out,
as it does not support read/writes by two concurrent
processes. This had required refactoring of the dir
backend to use file locking to allow inter-process
collaboration on read/write operations.
Fixes#1663, #1665
This commit fixes a couple of issues with tsh and tctl:
* tsh now check the version of the server and prints error
if tsh is newer version than the server.
* tctl did not work properly when yaml file contained
multiple resources in a list
Demo monitoring stack sets up example monitoring
infrastructure:
* All nodes, auth servers and proxies
run telegraf alongside them, polling prometheus
diagnostic endpoints.
* Telegraf sends the data to InfluxDB database
* Grafana sets up cluster health dashboard
watching key teleport metrics - numbers of goroutines,
number of active sessions, file descriptors and so on.
fixes#1546, fixes#1535
This commit fixes error message in case if token
is generated for trusted cluster and allows
admins to provide custom tokens:
tctl nodes add --roles=node --token=custom --ttl=100h
This commit makes sure that trusted cluster resource
name is the same name as the cluster name it conects to.
If user supplies name of the trusted cluster resource
that is different from the cluster name, the warning
will be issued and trusted cluster will be renamed.
Upgrade procedure renames existing trusted clusters
in place.
If user supplies trusted cluster without role
mappings, or with role mappings referring to
non-existent roles that do not exist, the
error will be returned.
The highest port number can be 65535 but int16 only goes to 32767. That is why we need int32 to reach higher port numbers than 32767. In certain cases this can be handy when you want to run the node client on a random port.
This commit adds remote cluster resource that specifies
connection and trust of the remote trusted cluster to the local
cluster. Deleting remote cluster resource deletes trust
established between clusters on the local cluster side
and terminates all reverse tunnel connections.
Migrations make sure that remote cluster resources exist
after upgrade of the auth server.
This commit introduced mutual TLS authentication
for auth server API server.
Auth server multiplexes HTTP over SSH - existing
protocol and HTTP over TLS - new protocol
on the same listening socket.
Nodes and users authenticate with 2.5.0 Teleport
using TLS mutual TLS except backwards-compatibility
cases.
* Allow external audit log plugins
* Add support for auth API server plugins
* Add license file path configuration parameter (not used in open-source)
* Extend audit log with user login events
This was fixed running the `misspell` linter in fix mode using
`gometalinter`. The exact command I ran was :
```
gometalinter --vendor --disable-all -E misspell --linter='misspell:misspell -w {path}:^(?P<path>.*?\.go):(?P<line>\d+):(?P<col>\d+):\s*(?P<message>.*)$' ./...
```
Some typo were fixed by hand on top of it.
Instead of quietly changing behavior because `DEBUG` envar was set to
true, Teleport now explicitly requires scary --insecure flag to enable
this behavior.
goterm had no license, I quickly replaced it with our own little table
formatter.
also rewrote some tsh commands, that were using home-made formatting, to
the new table, so the output is now much nicer.
`tctl create` used to create or update (AKA "upsert") resources.
Now there's a difference:
`--force, -f` flag, if not set, means "create only". Otherwise it means
"update".
This means you can fail updating non-existing resources.
This commit refs #1137
- tctl get user/joe now works (as reported in #1247)
- tctl create/rm roles changes
- added synonyms for various resources
- made YAML the default output for tctl get
- added better help + examples for tctl get
- edited error messages
- minor refactoring
- added the system of "command plugins" which allows enterprise version
of tctl to introduce different behavior to OSS commands
- Renamed "dir" format to "openssh"
- Replaced self-made key fingerprinting function with a standard one
- Changed fingerprinting from legacy md5 to sha256