* Fix minor errors
- fix go version in readme.md
- fix broken link in teleport_architecture_overview.md
- fix spacing issues in teleport_users.md and quickstart.md
- revert --insecure back to originally --insecure-no-tls in quickstart.md
- update 24 hrs TTL default to 12 hrs in teleport_proxy.md
- Add links to each CLI mentioned in cli-docs.md
- Remove incorrect flag and add how to exit session in quickstart.md
- Update version mentions in enhanced_session_recording.md, installation.md, admin-guide.md
Co-authored-by: Ben Arent <ben@gravitational.com>
This commit fixes #3252
Security patches 4.2 introduced a regression - leaf clusters ignore role mapping
and attempt to use role names coming from identity of the root cluster
whenever GetNodes method was used.
This commit reverts back the logic, however it ensures that the original
fix is preserved - traits and groups are updated on the user object.
Integration test has been extended to avoid the regression in the future.
Replaced the cgroup resolution function to work on Debian distributions
instead of just RHEL based ones. This implementation comes from the
Linux kernel tests.
This commit adds support for etcd password authentication,
it makes client cert auth optional.
Here is an example:
```yaml
storage:
  type: etcd
  peers: ['https://example.com:30983']
  username: 'username'
  password_file: '/mnt/secrets/etcd-pass'
  tls_ca_file: '/mnt/secrets/etcd-ca.pem'
```
If the option for port forwarding is not specified, it's enabled by
default. Port forwarding is not specified in the default-implicit-role.
Since it's included in all role sets, port forwarding is always
enabled for all roles.
To fix this, port forwarding in the default-implicit-role is set to
false.
If a shell has been successfully started, don't print an error message
saying the shell failed to start if it exits with an exit code other than
0. If an error occurred during shell execution, the shell will print
the message itself and exit with an error.
When tctl tries to find the address of the Auth Server to connect to,
first look in file configuration. If a list of Auth Servers is provided
on the CLI, override what exists in file configuration.
If nothing is provided in either file configuration or the CLI, then use
the default address.
If the user enabled enhanced session recording in file configuration but
the binary was built without BPF support (like macOS) then exit right
away with a message explaining that their operating system does not
support enhanced session recording.
* Make Teleport log its version upon service start #3145
This change implements a resolution to issue #3145. Version and Gitref strings are output when component start information is logged.
https://github.com/gravitational/teleport/issues/3145
* fix merge artifact
Added package cgroup to orchestrate cgroups. Only support for cgroup2
was added, because cgroup2 cgroups have unique IDs that can be
used to correlate with BPF events.
Added bpf package that contains three BPF programs: execsnoop,
opensnoop, and tcpconnect. The bpf package starts and stops these
programs as well as correlating their output with Teleport sessions
and emitting them to the audit log.
Added support for Teleport to re-exec itself before launching a shell.
This allows Teleport to start a child process, capture its PID, place
the PID in a cgroup, and then continue the process. Once the process is
continued it can be tracked by its cgroup ID.
Reduced the total number of connections to a host so Teleport does not
quickly exhaust all file descriptors. Exhausting all file descriptors
happens very quickly when disk events are emitted to the audit log which
are emitted at a very high rate.
Added tarballs for exec sessions. Updated session.start and session.end
events with additional metadata. Updated the format of session tarballs
to include enhanced events.
Added file configuration for enhanced session recording. Added code to
startup enhanced session recording and pass package to SSH nodes.