- Updated the CHANGELOG
- Makefile improvements:
- Added "make full" for quickly building release binaries
- Added `examples` directory to the release directory
- The default `make` runs twice as fast.
- `make goinstall` is similarly 2x speed (also more idiomatic)
- Also cleaned up Make dependencies a bit to make them more reliable.
1. Got rid of `tool/tsh/common` package. See below.
2. Fixed logger in config test (it was getting reset by the test itself)
The reason we don't need `tool/tsh/common` is because `tsh` is the same
for OSS or Enterprise versions. This is good for two reasons:
1. Enterprise customers don't need to bother telling users to use a
proprietary binary, they can just get OSS (which will eventually get
packaged for OSX/Ubuntu/RHEL) and will be one `apt-get` or `brew install` away
2. Easier for us to package/maintain.
- Switched to new way of building Enterprise
- Removed `tctl tunnels` command (preparation for new resources)
- Removed `tctl auth ls` command (preparation for new resources)
`make clean` now removes not only output binaries, but also object files
(.o) for Teleport in the packages dir under $GOHOME.
So, running `make` after `make clean` will guarantee that every file
will be rebuilt.
First part of addressing #1033 is ability to load credentials from the
credentials file(s).
This commit adds -i flag processing, i.e. a certificate can be fed via a
cert.file and used to login.
In this commit:
1. Minor addition to Makefile to pull new .go files from
tool/teleport/common
2. os.Glob() returns an empty list (instead of an error) if the
file/pattern is not found, so added check for that.
3. sendFile was prematurely sending 'C' command before trying to open a
file. This used to lead to creation of empty files for invalid
sources.
Also, removed some confusing comments.
This commit adds several improvements to how CLI SSH login works
- Validated keys are added to the SSH agent [1]
- tsh does not verify host keys twice anymore
- error messages for "access denied" look clean now
[1] This is huge. This means that tsh login can "feed" the keys to the
built-in SSH agents of the OS and OpenSSH can fetch them from there.
QUESTION: why do we even need `tsh agent` option then? ssh-agent is
installed on every Linux/OSX machine.
- Added ability to read AWS config from `~/.aws` directory for testing
- Fixed TTL bug in DynamoDB back-end
- Made FS back-end return similar error types as Boltdb does
- Cleaned up buggy tests for DynamoDB
- Removed unnecessary locks everywhere in code
Prior to this fix Teleport would not relay proxy errors from remote
clusters.
In other words, the following command:
```
$ tsh --cluster=remote ssh non-existing-host
```
Would print an error like:
"Cannot find a remote tunnel connection. ssh subsystem request failed"
Instead, it should say something like:
"dial non-existing-host error: no such host"
This commit fixes it. It works by:
- Sending net.Dial() error from the remote proxy back via stderr over
reverse tunnel.
- Carefully handling this error to distinguish it from tunnel-related
network errors.
`tsh` would sometimes ignore --insecure flag. To reproduce:
- copy `/var/lib/teleport` from machine A to machine B
- start Teleport on B
Try to connect with `tsh --proxy=localhost --insecure`. It will fail
because it would try to use local key pool (on machine B) which is not
the same as on A. Instead, --insecure should ignore local keys and
simply ignore certificate validation errors.
Functionality:
`teleport` binary now serves web assets from its own binary file,
unless the `DEBUG` environment variable is set to "1" or "true"; in
that case it will look for ../web/dist (as located in the github repo),
which can be used for development.
Design:
To avoid accumulating 3rd party dependencies with a ton of extra
features and licenses, this implementation uses minimalistic
implementation of http.FileSystem interface on top of the embedded ZIP
archive.
1. The assets are zipped into assets.zip during build process
2. assets.zip gets appended to the end of `teleport` binary
3. The resulting file is converted into a self-extracting ZIP
4. Teleport opens itself using the built-in zip unarchiver, and loads
the assets on demand.
Notes:
1. LOC is tiny (dozens)
2. RAM consumption is CONSTANT regardless of the ZIP size, about 500Kb
increase vs load-from-file, and most of it is linking zip archive
code from the standard library. Tested with a 20MB ZIP archive.
This backend can be enabled by optionally adding a new build flag.
See lib/backend/dynamo/README.md for details.
It should not affect default Teleport builds.
What works:
1. You have to start all 3: node, proxy and auth.
2. Login using 'tsh' (so it will create a cert)
3. Then you can shut 'auth' down.
4. Proxy and node will stay up and tsh will be able to login.
What doesn't work:
1. Auth updates are not visible to proxy/node (like new servers)
2. Not sure if "trusted clusters" will work.
At this stage I have an in-memory snapshot of a "cluster state" which
can be kept by nodes in-memory not requiring the auth connection to be
up 100% of the time.
Node and proxy are now both using this snapshot instead of a live
connection to the auth server.
Next steps:
- Make node and proxy continue to work after the auth is killed.
- Make the snapshot persistent.
- Make node & proxy use persistence and be able to restart with the auth
server down.
IMPORTANT:
Also found an interesting case where process identity is generated (on
first start). Until now there wasn't any kind of locking, and concurrent
identity initialization was possible. While it's not clear if this can
cause any real world issue, I have refactored it into a separate
lock-protected function.
- Updated docs for "advertise_ip"
- Updated docs for "tokens" in teleport.yaml
- Updated "adding nodes" section in the admin guide and in the
quickstart guide
- Created `run-docs` make target for convenient live documentation
editing.
- Fixed all tests
- Removed "magic constants" in random places
- Improved 'retry connecting to auth server' logic (it used to always
fail on 1st attempt)
Found a place in Teleport where `check.v1` was imported into production
(not test) code.
This has a few problems:
1. `check.v1` has `init()` package function which alters the program
execution: it registers globals, like 'flags' package (this affects
how scp.go works, which uses flags)
2. This also brings accidental symbols into production code (and you may
have developers using functions intended to be used by tests by
mistake).
The proper fix (IMO) would be to eliminate any test code stored in files
without _test suffix.
In this case, to save time, I've added 'test' build flag, turned on
conditional compilation and instructed "go test" to always use this
flag.
1. Removed `assets` directory
2. Removed Gravity package building from the Makefile
3. Updated "Admin Guide" with the information regarding web assets.
Here's how it works:
* It takes the closest tag that is present in the build
* Automatically applies this tag
* Adds git commit as well
* Is 100% go gettable
* No external deps, all vendored
When teleport starts, it looks for web assets in the following
directories:
- Dir where executable is
- /usr/local/share/teleport
- /usr/share/teleport
- /opt/teleport