[teleport-update] Extended binary validations #49748

Merged
merged 1 commit into from
Dec 6, 2024


sclevine
Member

@sclevine sclevine commented Dec 4, 2024

This PR adds additional validations on binaries downloaded by teleport-update before they are linked into system locations.

The following conditions will result in a warning and skip the file:

  • Irregular file
  • Non-executable regular file
  • Shell script

The following conditions will error:

  • Unreadable file
  • Executable binary that cannot execute on the host (run with version as argv[1])

This makes teleport-update resilient to unknown non-binary files that may be present in the teleport tgz in past or future releases (e.g., other install scripts).

Example:

ubuntu@legendary-mite:~$ sudo ./teleport-update enable --force-version=16.4.7
2024-12-04T06:37:53Z INFO [UPDATER]   Initiating installation. target_version:16.4.7 active_version: agent/updater.go:304
2024-12-04T06:37:54Z INFO [UPDATER]   Downloading Teleport tarball. url:https://cdn.teleport.dev/teleport-ent-v16.4.7-linux-arm64-bin.tar.gz size:162964120 agent/installer.go:324
2024-12-04T06:38:00Z INFO [UPDATER]   Extracting Teleport tarball. path:/opt/teleport/default/versions/16.4.7 size:648448000 agent/installer.go:362
2024-12-04T06:38:03Z INFO [UPDATER]   Validating binary name:fdpass-teleport agent/validate.go:68
2024-12-04T06:38:03Z INFO [UPDATER]   Binary does not support version command name:fdpass-teleport agent/validate.go:79
2024-12-04T06:38:03Z INFO [UPDATER]   Validating binary name:tbot agent/validate.go:68
2024-12-04T06:38:03Z INFO [UPDATER]   [stdout] Teleport v16.4.7 git:v16.4.7-0-g15dfef1 go1.22.9 agent/process.go:385
2024-12-04T06:38:03Z INFO [UPDATER]   Validating binary name:tctl agent/validate.go:68
2024-12-04T06:38:03Z INFO [UPDATER]   [stdout] Teleport v16.4.7 git:v16.4.7-0-g15dfef1 go1.22.9 agent/process.go:385
2024-12-04T06:38:03Z INFO [UPDATER]   Validating binary name:teleport agent/validate.go:68
2024-12-04T06:38:03Z INFO [UPDATER]   [stdout] Teleport Enterprise v16.4.7 git:v16.4.7-0-g15dfef1 go1.22.9 agent/process.go:385
2024-12-04T06:38:03Z INFO [UPDATER]   Validating binary name:tsh agent/validate.go:68
2024-12-04T06:38:03Z INFO [UPDATER]   [stdout] Teleport v16.4.7 git:v16.4.7-0-g15dfef1 go1.22.9 agent/process.go:385
2024-12-04T06:38:03Z INFO [UPDATER]   Executing new teleport-update binary to update configuration. agent/updater.go:133
2024-12-04T06:38:04Z INFO [UPDATER]   Systemd configuration synced. unit:teleport-update.timer agent/process.go:259
2024-12-04T06:38:04Z INFO [UPDATER]   Service enabled. unit:teleport-update.timer agent/process.go:276
2024-12-04T06:38:04Z INFO [UPDATER]   Finished executing new teleport-update binary. agent/updater.go:139
2024-12-04T06:38:04Z INFO [UPDATER]   Target version successfully installed. target_version:16.4.7 agent/updater.go:676
2024-12-04T06:38:05Z INFO [UPDATER]   Gracefully reloaded. unit:teleport.service agent/process.go:110
2024-12-04T06:38:05Z INFO [UPDATER]   Monitoring PID file to detect crashes. unit:teleport.service agent/process.go:113
2024-12-04T06:38:19Z INFO [UPDATER]   Configuration updated. agent/updater.go:320

The teleport-update binary will be used to enable, disable, and trigger automatic Teleport agent updates. The new auto-updates system manages a local installation of the cluster-specified version of Teleport stored in /opt/teleport.

RFD: #47126
Goal (internal): https://github.com/gravitational/cloud/issues/10289
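
A sketch of the checks listed in the PR description above, added here as an illustration and not taken from the teleport-update source. `ValidateBinary`, its return convention and the `#!` test for shell scripts are assumptions; tolerating a non-zero exit from `version` follows the `fdpass-teleport` line in the example log.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
)

// ValidateBinary returns (true, nil) when path may be linked, (false, nil) when
// it should be skipped with a warning, and an error when the install must fail.
func ValidateBinary(ctx context.Context, path string) (bool, error) {
	fi, err := os.Lstat(path) // Lstat, so a symlink is reported as irregular
	if err != nil {
		return false, err
	}
	if !fi.Mode().IsRegular() || fi.Mode().Perm()&0o111 == 0 {
		return false, nil // irregular or non-executable: skip
	}
	f, err := os.Open(path)
	if err != nil {
		return false, fmt.Errorf("unreadable file: %w", err)
	}
	magic := make([]byte, 2)
	n, err := io.ReadFull(f, magic)
	f.Close()
	if err != nil && !errors.Is(err, io.EOF) && !errors.Is(err, io.ErrUnexpectedEOF) {
		return false, fmt.Errorf("unreadable file: %w", err)
	}
	if n == 2 && string(magic) == "#!" {
		return false, nil // assumption: a shebang marks a shell script: skip
	}
	// Run "<binary> version". An ExitError means the process started, so the
	// binary can execute here; any other error means it could not be started.
	var exit *exec.ExitError
	if err := exec.CommandContext(ctx, path, "version").Run(); err != nil && !errors.As(err, &exit) {
		return false, fmt.Errorf("binary cannot execute on this host: %w", err)
	}
	return true, nil
}

func main() {
	for _, p := range os.Args[1:] {
		ok, err := ValidateBinary(context.Background(), p)
		fmt.Printf("%s: link=%v err=%v\n", p, ok, err)
	}
}
```

Pass absolute paths of the extracted files; a file whose first bytes are not a recognised executable image fails at `execve` and surfaces here as a hard error rather than a skip.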

@sclevine sclevine added the no-changelog Indicates that a PR does not require a changelog entry label Dec 4, 2024
@sclevine sclevine requested review from vapopov and hugoShaka December 4, 2024 06:47
Contributor

@vapopov vapopov left a comment

LGTM

@sclevine sclevine requested a review from zmb3 December 5, 2024 20:41
@sclevine sclevine added this pull request to the merge queue Dec 6, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 6, 2024
@sclevine sclevine added this pull request to the merge queue Dec 6, 2024
Merged via the queue into master with commit 51b278a Dec 6, 2024
42 of 43 checks passed
@sclevine sclevine deleted the sclevine/teleport-update-validate branch December 6, 2024 17:56
Labels
no-changelog Indicates that a PR does not require a changelog entry size/md