[teleport-update] Isolated installation suffix #49364
Conversation
@hugoShaka FYI, decided to ship this sooner since initial users of the time-based schedule had asked for it. Let me know if the UX seems reasonable. Everything gets a
After testing this out over the weekend, and researching prior art for similar packages, I'd like to recommend an alternative set of paths, for both namespaced and non-namespaced installations. I found that while it's common to keep package-sized data in
Examples of issues caused by
Additionally, while it's somewhat common for packages to create
On top of that, I noticed that
For namespaces specifically, I think it would be more convenient to create namespaced data directories outside of the primary data dir
Finally, all systemd service files that are not installed by packages should be installed in
My new proposal is this:
System package install: Binaries:
Non-namespaced, auto-updates: Binaries:
Namespaced, auto-updates: Binaries:
Let me know if this seems better. I have updated the PR description accordingly, and I'm working on updating the PR.
CC: @vapopov re: moving the system package paths to
This is blocking a few other PRs, looking for reviews when anyone has a chance 🙂
dataDir: dataDir,
linkDir: linkDir,
versionsDir: filepath.Join(namespaceDir(name), versionsDirName),
serviceFile: filepath.Join(systemdAdminDir, prefix+".service"),
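Review bot: name and prefix flow straight into filepath.Join(namespaceDir(name), versionsDirName) and filepath.Join(systemdAdminDir, prefix+".service") with no visible validation; since the suffix originates from the --install-suffix flag, the constructor should reject values containing path separators or ".." (or restrict the suffix to [A-Za-z0-9_-]) so that a suffix cannot yield a versions dir or service file outside /opt/teleport and /etc/systemd/system.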
Is it possible that we define a name of the existing namespace? Should we validate this case in the constructor?
NewNamespace is intended to be used with existing namespaces. It's just used to generate the appropriate set of paths for the Updater to read/write.
@timothyb89 @flyinghermit @hugoShaka looking for one more review 🙂
You may want to replace the trace.Errorf calls, but LGTM otherwise.
This PR adds support for isolated installations of agents that can operate and be updated independently on the same Linux machine.

Any time teleport-update is run with the --install-suffix flag, it modifies the paths to use isolated directories and suffixes. Note that the non-isolated paths have changed significantly as well. See this comment.
System package install:
  Binaries: /opt/teleport/system/bin/* -> /usr/local/bin/*
  Service: /opt/teleport/system/lib/systemd/system/teleport.service -> /lib/systemd/system/teleport.service
  (others same as below)

Non-isolated, auto-updates:
  Binaries: /opt/teleport/default/versions/1.2.3/bin/* -> /usr/local/bin/*
  Service: /opt/teleport/default/versions/1.2.3/lib/systemd/system/teleport.service -> /lib/systemd/system/teleport.service
  Lock: /opt/teleport/default/update.lock
  Data dir: /var/lib/teleport
  PID: /run/teleport.pid
  Config: /etc/teleport.yaml
  Defaults: /etc/defaults/teleport
  Updater service: /etc/systemd/system/teleport-update.service

Isolated, auto-updates:
  Binaries: /opt/teleport/mycluster/versions/1.2.3/bin/* -> /opt/teleport/mycluster/bin/*
  Service: /opt/teleport/mycluster/versions/1.2.3/lib/systemd/system/teleport.service -> /etc/systemd/system/teleport_mycluster.service
  Lock: /opt/teleport/mycluster/update.lock
  Data dir: /var/lib/teleport_mycluster
  PID: /run/teleport_mycluster.pid
  Config: /etc/teleport_mycluster.yaml
  Defaults: /etc/defaults/teleport (shared)
  Updater service: /etc/systemd/system/teleport-update_mycluster.service
Note that the non-isolated installation uses system package paths for the systemd service, config, PID file, and data dir to maintain compatibility with existing installation methods, such as the package.
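The path derivation above, as an added illustration (not the PR's own Namespace code): it maps an install suffix to the isolated path set and falls back to the non-isolated layout for an empty suffix. The suffix validation rule, the reserved names "default" and "system", and the struct field names are assumptions made here.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Roots assumed from the paths listed in the PR description.
const installRoot, systemdAdminDir, systemdLibDir = "/opt/teleport", "/etc/systemd/system", "/lib/systemd/system"

// Namespace is the path set the updater reads and writes for one install suffix (assumed field names).
type Namespace struct {
	LinkDir, VersionsDir, LockFile, DataDir, PIDFile, ConfigFile, ServiceFile, UpdaterService string
}

// validSuffix accepts only [A-Za-z0-9_-] (assumed policy), so a suffix can never carry a path separator, ".." or whitespace into the derived paths.
func validSuffix(s string) bool {
	if s == "" || s == "default" || s == "system" { // reserved by the non-isolated and package layouts
		return false
	}
	for _, r := range s {
		if !(r == '_' || r == '-' || (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')) {
			return false
		}
	}
	return true
}

// NewNamespace derives the path set. An empty suffix yields the non-isolated layout, which reuses
// the system package paths; any other suffix must pass validSuffix and gets paths keyed by "teleport_<suffix>".
func NewNamespace(suffix string) (*Namespace, error) {
	if suffix == "" {
		d := filepath.Join(installRoot, "default")
		return &Namespace{
			LinkDir: "/usr/local/bin", VersionsDir: filepath.Join(d, "versions"),
			LockFile: filepath.Join(d, "update.lock"), DataDir: "/var/lib/teleport",
			PIDFile: "/run/teleport.pid", ConfigFile: "/etc/teleport.yaml",
			ServiceFile:    filepath.Join(systemdLibDir, "teleport.service"),
			UpdaterService: filepath.Join(systemdAdminDir, "teleport-update.service"),
		}, nil
	}
	if !validSuffix(suffix) {
		return nil, fmt.Errorf("invalid install suffix %q", suffix)
	}
	d, prefix := filepath.Join(installRoot, suffix), "teleport_"+suffix
	return &Namespace{
		LinkDir: filepath.Join(d, "bin"), VersionsDir: filepath.Join(d, "versions"),
		LockFile: filepath.Join(d, "update.lock"), DataDir: "/var/lib/" + prefix,
		PIDFile: "/run/" + prefix + ".pid", ConfigFile: "/etc/" + prefix + ".yaml",
		ServiceFile:    filepath.Join(systemdAdminDir, prefix+".service"),
		UpdaterService: filepath.Join(systemdAdminDir, "teleport-update_"+suffix+".service"),
	}, nil
}
```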
Also note that the underlying struct is called Namespace. I plan to change this to InstallSuffix in the future, but I have several PRs chained on top of this one, so I want to leave it as-is for now.

The teleport-update binary will be used to enable, disable, and trigger automatic Teleport agent updates.

RFD: #47126
Goal (internal): https://github.com/gravitational/cloud/issues/10289
Example: