* Use Teleport's standard buildbox
This commit edits the teleport-operator container image build process to
rely on Teleport's standard buildbox. This will make sure we are using a
single Go version at all times.
This also removes unused environment variables from
`operator/Makefile`.
* Extract BUILDBOX variables out of build.assets/Makefile
* Put `teleport-operator` bin out of the Teleport source volume
* Fix docker-compose Getting Started guide issues
This addresses several issues with the Docker Compose Getting
Started Guide.
- Intermittent SSH failures and password prompts from the term
container
In the bootstrap container, the "generate-certs.sh" script is
used to generate certificates for other containers in the
environment. This uses two "tctl auth export" commands. If
the Teleport container is not available, i.e., it hasn't
finished booting, generate-certs.sh is supposed to execute a
"return" statement from either of the two "tctl auth export"
commands with a nonzero code, causing the script to try
again after one second.
However, since the output of each "tctl auth export" command
is piped into a "sed" command, the "generate_certs()"
function continues without retrying if the Teleport
container is not yet available. This means that the
term container does not have access to the certificate it
needs to connect to the OpenSSH server, public key
authentication fails, and SSH issues a password challenge.
This change adds the "set -o pipefail" option to the
"generate-certs.sh" script so that the "tctl auth export"
commands return a nonzero exit code if they fail and
the retry logic works as intended.
- Add session recording to the "Next steps" section
This demo isn't set up for session recording, so we remove
the mention from the main body of the guide to avoid
misleading users that this is supposed to be set up here.
Instead, this mentions it as a next step.
- Update instructions for accessing the Web UI.
This mentions the currently valid Chrome flag to use and
indicates that you can visit the invite page in your browser
via localhost.
Fixes #9687
Fixes #7872
* Respond to PR feedback
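The pipefail failure mode described in the commit above, shown as an added example that is not the repository's generate-certs.sh. It assumes bash (for `set -o pipefail`) and uses a constructed `fake_tctl_export` function in place of `tctl auth export`: the stub fails until a flag file exists, standing in for the Teleport container finishing its boot. `attempts_until_done` is the retry loop the script intends, with the one-second sleep left out so the example runs instantly.

```shell
#!/usr/bin/env bash
# Constructed example, not the repository's generate-certs.sh: shows why a
# failing "tctl auth export | sed" pipeline looks successful without pipefail
# and is reported as a failure with it.

# Stand-in for "tctl auth export". It fails (like tctl does while the auth
# server is still booting) until the flag file given as $1 exists.
fake_tctl_export() {
    if [ -f "$1" ]; then
        printf 'cert-authority ssh-rsa AAAAexample\n'
        return 0
    fi
    echo "tctl: connection refused" >&2
    return 1
}

# The shape used in the script: the export piped through sed. Returns whatever
# the shell reports as the pipeline's status, which depends on pipefail.
export_with_sed() {
    fake_tctl_export "$1" | sed 's/^cert-authority /@cert-authority * /'
}

# Runs the pipeline with pipefail off ($1 = 0) or on ($1 = 1), using flag file
# $2, and prints the status the shell attributed to the pipeline. Written with
# if/else so it behaves the same whether or not "set -e" is active.
pipeline_status() {
    if [ "$1" -eq 1 ]; then set -o pipefail; else set +o pipefail; fi
    if export_with_sed "$2" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    set +o pipefail
    echo "$rc"
}

# The retry pattern the script intends: try until the export succeeds, giving
# up after $3 attempts. $1 = pipefail on/off, $2 = flag file. The flag file is
# created after the second attempt to stand in for "the Teleport container
# finished booting". Prints the attempt on which the loop stopped.
attempts_until_done() {
    rm -f "$2"
    attempt=0
    while [ "$attempt" -lt "$3" ]; do
        attempt=$((attempt + 1))
        rc=$(pipeline_status "$1" "$2")
        if [ "$rc" -eq 0 ]; then
            echo "$attempt"
            return 0
        fi
        if [ "$attempt" -ge 2 ]; then touch "$2"; fi
    done
    echo "$attempt"
    return 1
}

# Demonstration: without pipefail the loop "succeeds" on attempt 1 while the
# auth server is still down (no certificate was produced); with pipefail it
# keeps retrying until the export really works.
demo_flag=$(mktemp); rm -f "$demo_flag"
echo "status without pipefail, auth server down: $(pipeline_status 0 "$demo_flag")"
echo "status with pipefail, auth server down:    $(pipeline_status 1 "$demo_flag")"
echo "attempts until done without pipefail: $(attempts_until_done 0 "$demo_flag" 5)"
echo "attempts until done with pipefail:    $(attempts_until_done 1 "$demo_flag" 5)"
rm -f "$demo_flag"
```

The point to take from it: the status of `a | b` is `b`'s status by default, so a `sed` that happily filters an empty stream hides the producer's failure from any `return`/`exit` check after it. `set -o pipefail` makes the pipeline report the rightmost nonzero status instead, which is what the retry logic needs.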
* Updating teleport-quickstart.yml to latest release
This teleport-quickstart.yml is used in our Docker quickstart guide (docker-compose section). https://goteleport.com/docs/quickstart-docker/#quickstart-using-docker-compose
I updated the quay repo from 5.0 to 6.1.5. (latest version at time of writing)
* Update docker/teleport-quickstart.yml
Co-authored-by: Gus Luxton <gus@gravitational.com>
* Bump Go to 1.15.5
* Downgraded Go version to 1.15.3.
* Sign .drone.yml
Co-authored-by: Russell Jones <rjones@gravitational.com>
Co-authored-by: Gus Luxton <gus@gravitational.com>
Shellcheck is a linter for shell scripts. Since we have quite a few of
those for release packaging and examples, we'll benefit from an extra
set of (robot) eyes.
Note: I disabled https://github.com/koalaman/shellcheck/wiki/Sc2086 to
make this PR smaller. That specific check is for the most frequent
mistake in our scripts - not quoting env var expansions. I'll do a
separate PR cleaning those up.
`build.assets/pkg` is no longer used and was removed.
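What the disabled check (SC2086, unquoted variable expansions) actually catches, as an added example that is not code from the repository or from shellcheck. The functions and the scratch-directory setup are constructed for the demonstration and assume bash.

```shell
#!/usr/bin/env bash
# Constructed example (not from the repository) of what SC2086 flags: an
# unquoted $var is word-split and glob-expanded before the command sees it.

# Reports how many arguments a command actually received.
count_args() { echo "$#"; }

# Unquoted expansion, the pattern SC2086 flags: "a b c" arrives as three
# arguments, and a value of "*" is replaced by whatever files are in the
# current directory.
args_unquoted() { count_args $1; }

# Quoted expansion: one value in, one argument out, no globbing.
args_quoted() { count_args "$1"; }

# Glob case: create a scratch directory holding $2 empty files, run the
# unquoted form there with value $1, and report how many arguments result.
args_unquoted_in_dir_with_files() {
    d=$(mktemp -d)
    i=0
    while [ "$i" -lt "$2" ]; do
        i=$((i + 1))
        : > "$d/file$i"
    done
    ( cd "$d" && args_unquoted "$1" )
    rm -rf "$d"
}

# Demonstration of the three effects: word splitting, globbing, and the
# quoted form that avoids both.
echo "unquoted 'a b c' -> $(args_unquoted 'a b c') arguments"
echo "quoted   'a b c' -> $(args_quoted 'a b c') argument"
echo "unquoted '*' with 3 files present -> $(args_unquoted_in_dir_with_files '*' 3) arguments"
echo "quoted   '*' -> $(args_quoted '*') argument"
```

In a packaging script this is the difference between `tar` or `cp` receiving the one path it was given and receiving a list of whatever matched after splitting and globbing, which is why the check is worth re-enabling once the expansions are quoted.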
* Add missing (make build) step for running a Teleport cluster in a Docker container
* Edit Dockerfile teleport-buildbox tag from :latest to :go1.13.2 to match the image tag from running "make docker" from root.
* Update root README about docker
This commit fixes #3252
Security patches 4.2 introduced a regression - leaf clusters ignore role mapping
and attempt to use role names coming from the identity of the root cluster
whenever the GetNodes method was used.
This commit reverts the logic; however, it ensures that the original
fix is preserved - traits and groups are updated on the user object.
Integration test has been extended to avoid the regression in the future.
Fixes#1698.
* Added sync.Pool to take care of many gzip.Writers
allocating a lot of large objects on the heap.
* Reshuffled signal handling, SIGQUIT is now
graceful shutdown, just like in Nginx.
* Signal USR1 prints helpful diagnostic info to stderr.
* Removed gops endpoint and flags.
* Fixed logs in some places.
* Debug flag now adds extra pprof handlers to diagnostic
endpoint.
* Session events are delivered in continuous
batches in a guaranteed order with every event
and print event ordered from session start.
* Each auth server writes to a separate folder
on disk to make sure that no two processes write
to the same file at a time.
* When retrieving sessions, auth servers fetch
and merge results recorded by each auth server.
* Migrations and compatibility modes are in place
for older clients not aware of the new format,
but compatibility mode is not NFS friendly.
* On disk migrations are launched automatically
during auth server upgrades.
This commit introduced mutual TLS authentication
for the auth server's API server.
The auth server multiplexes HTTP over SSH (the existing
protocol) and HTTP over TLS (the new protocol)
on the same listening socket.
Nodes and users authenticate with Teleport 2.5.0
using mutual TLS, except in backwards-compatibility
cases.