From 7faefa223e736d5fd76c929a9fcbeb3ad15916f7 Mon Sep 17 00:00:00 2001 From: Stephen Levine Date: Wed, 20 Nov 2024 15:13:24 -0500 Subject: [PATCH] [teleport-update] Add systemd setup (#49174) * service and timer * comments * feedback * feedback --- lib/autoupdate/agent/config.go | 116 +++++++++++++ lib/autoupdate/agent/config_test.go | 65 +++++++ lib/autoupdate/agent/installer.go | 22 +-- lib/autoupdate/agent/process.go | 18 ++ .../{sync_fails.golden => setup_fails.golden} | 0 .../teleport-update.service.golden | 7 + .../teleport-update.timer.golden | 11 ++ lib/autoupdate/agent/updater.go | 135 +++++++++++---- lib/autoupdate/agent/updater_test.go | 162 ++++++++++-------- tool/teleport-update/main.go | 132 +++++++------- 10 files changed, 484 insertions(+), 184 deletions(-) create mode 100644 lib/autoupdate/agent/config.go create mode 100644 lib/autoupdate/agent/config_test.go rename lib/autoupdate/agent/testdata/TestUpdater_Update/{sync_fails.golden => setup_fails.golden} (100%) create mode 100644 lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.service.golden create mode 100644 lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.timer.golden diff --git a/lib/autoupdate/agent/config.go b/lib/autoupdate/agent/config.go new file mode 100644 index 0000000000000..334d1089ab7f4 --- /dev/null +++ b/lib/autoupdate/agent/config.go @@ -0,0 +1,116 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package agent + +import ( + "context" + "log/slog" + "os" + "path/filepath" + "text/template" + + "github.com/google/renameio/v2" + "github.com/gravitational/trace" +) + +const ( + updateServiceTemplate = `# teleport-update +[Unit] +Description=Teleport auto-update service + +[Service] +Type=oneshot +ExecStart={{.LinkDir}}/bin/teleport-update update +` + updateTimerTemplate = `# teleport-update +[Unit] +Description=Teleport auto-update timer unit + +[Timer] +OnActiveSec=1m +OnUnitActiveSec=5m +RandomizedDelaySec=1m + +[Install] +WantedBy=teleport.service +` +) + +// Setup installs service and timer files for the teleport-update binary. +// Afterwords, Setup reloads systemd and enables the timer with --now. +func Setup(ctx context.Context, log *slog.Logger, linkDir, dataDir string) error { + err := writeConfigFiles(linkDir, dataDir) + if err != nil { + return trace.Errorf("failed to write teleport-update systemd config files: %w", err) + } + svc := &SystemdService{ + ServiceName: "teleport-update.timer", + Log: log, + } + if err := svc.Sync(ctx); err != nil { + return trace.Errorf("failed to sync systemd config: %w", err) + } + if err := svc.Enable(ctx, true); err != nil { + return trace.Errorf("failed to enable teleport-update systemd timer: %w", err) + } + return nil +} + +func writeConfigFiles(linkDir, dataDir string) error { + servicePath := filepath.Join(linkDir, serviceDir, updateServiceName) + err := writeTemplate(servicePath, updateServiceTemplate, linkDir, dataDir) + if err != nil { + return trace.Wrap(err) + } + timerPath := filepath.Join(linkDir, serviceDir, updateTimerName) + err = writeTemplate(timerPath, updateTimerTemplate, linkDir, dataDir) + if err != nil { + return trace.Wrap(err) + } + return nil +} + +func writeTemplate(path, t, linkDir, dataDir string) error { + dir, file := filepath.Split(path) + if err := os.MkdirAll(dir, systemDirMode); err != nil { + return trace.Wrap(err) + } + opts := []renameio.Option{ + renameio.WithPermissions(configFileMode), + renameio.WithExistingPermissions(), + } + f, err := renameio.NewPendingFile(path, opts...) + if err != nil { + return trace.Wrap(err) + } + defer f.Cleanup() + + tmpl, err := template.New(file).Parse(t) + if err != nil { + return trace.Wrap(err) + } + err = tmpl.Execute(f, struct { + LinkDir string + DataDir string + }{linkDir, dataDir}) + if err != nil { + return trace.Wrap(err) + } + return trace.Wrap(f.CloseAtomicallyReplace()) +} diff --git a/lib/autoupdate/agent/config_test.go b/lib/autoupdate/agent/config_test.go new file mode 100644 index 0000000000000..16cbdb5374fb6 --- /dev/null +++ b/lib/autoupdate/agent/config_test.go @@ -0,0 +1,65 @@ +/* + * Teleport + * Copyright (C) 2024 Gravitational, Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ + +package agent + +import ( + "bytes" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/require" + + libdefaults "github.com/gravitational/teleport/lib/defaults" + "github.com/gravitational/teleport/lib/utils/golden" +) + +func TestWriteConfigFiles(t *testing.T) { + t.Parallel() + linkDir := t.TempDir() + dataDir := t.TempDir() + err := writeConfigFiles(linkDir, dataDir) + require.NoError(t, err) + + for _, p := range []string{ + filepath.Join(linkDir, serviceDir, updateServiceName), + filepath.Join(linkDir, serviceDir, updateTimerName), + } { + t.Run(filepath.Base(p), func(t *testing.T) { + data, err := os.ReadFile(p) + require.NoError(t, err) + data = replaceValues(data, map[string]string{ + DefaultLinkDir: linkDir, + libdefaults.DataDir: dataDir, + }) + if golden.ShouldSet() { + golden.Set(t, data) + } + require.Equal(t, string(golden.Get(t)), string(data)) + }) + } +} + +func replaceValues(data []byte, m map[string]string) []byte { + for k, v := range m { + data = bytes.ReplaceAll(data, []byte(v), + []byte(k)) + } + return data +} diff --git a/lib/autoupdate/agent/installer.go b/lib/autoupdate/agent/installer.go index 957e90779c2ab..f03401063a3b8 100644 --- a/lib/autoupdate/agent/installer.go +++ b/lib/autoupdate/agent/installer.go @@ -55,11 +55,15 @@ const ( systemDirMode = 0755 ) -var ( +const ( // serviceDir contains the relative path to the Teleport SystemD service dir. - serviceDir = filepath.Join("lib", "systemd", "system") + serviceDir = "lib/systemd/system" // serviceName contains the name of the Teleport SystemD service file. serviceName = "teleport.service" + // updateServiceName contains the name of the Teleport Update Systemd service + updateServiceName = "teleport-update.service" + // updateTimerName contains the name of the Teleport Update Systemd timer + updateTimerName = "teleport-update.timer" ) // LocalInstaller manages the creation and removal of installations @@ -431,7 +435,7 @@ func (li *LocalInstaller) Link(ctx context.Context, version string) (revert func return revert, nil } -// LinkSystem links the system (package) version into the system LinkBinDir and LinkServiceDir. +// LinkSystem links the system (package) version into LinkBinDir and LinkServiceDir. // The revert function restores the previous linking. // See Installer interface for additional specs. func (li *LocalInstaller) LinkSystem(ctx context.Context) (revert func(context.Context) bool, err error) { @@ -539,7 +543,7 @@ func (li *LocalInstaller) forceLinks(ctx context.Context, binDir, svcDir string) dst := filepath.Join(li.LinkServiceDir, serviceName) orig, err := forceCopy(dst, src, maxServiceFileSize) if err != nil && !errors.Is(err, os.ErrExist) { - return revert, trace.Errorf("failed to create file for %s: %w", serviceName, err) + return revert, trace.Errorf("failed to write file %s: %w", serviceName, err) } if orig != nil { revertFiles = append(revertFiles, *orig) @@ -782,13 +786,5 @@ func (li *LocalInstaller) isLinked(versionDir string) (bool, error) { return true, nil } } - linkData, err := readFileN(filepath.Join(li.LinkServiceDir, serviceName), maxServiceFileSize) - if err != nil { - return false, nil - } - versionData, err := readFileN(filepath.Join(versionDir, serviceDir, serviceName), maxServiceFileSize) - if err != nil { - return false, nil - } - return bytes.Equal(linkData, versionData), nil + return false, nil } diff --git a/lib/autoupdate/agent/process.go b/lib/autoupdate/agent/process.go index 2de3d8d0d746c..ed210cae99ed0 100644 --- a/lib/autoupdate/agent/process.go +++ b/lib/autoupdate/agent/process.go @@ -252,6 +252,24 @@ func (s SystemdService) Sync(ctx context.Context) error { if code != 0 { return trace.Errorf("unable to reload systemd configuration") } + s.Log.InfoContext(ctx, "Systemd configuration synced.", unitKey, s.ServiceName) + return nil +} + +// Enable the systemd service. +func (s SystemdService) Enable(ctx context.Context, now bool) error { + if err := s.checkSystem(ctx); err != nil { + return trace.Wrap(err) + } + args := []string{"enable", s.ServiceName} + if now { + args = append(args, "--now") + } + code := s.systemctl(ctx, slog.LevelError, args...) + if code != 0 { + return trace.Errorf("unable to enable systemd service") + } + s.Log.InfoContext(ctx, "Service enabled.", unitKey, s.ServiceName) return nil } diff --git a/lib/autoupdate/agent/testdata/TestUpdater_Update/sync_fails.golden b/lib/autoupdate/agent/testdata/TestUpdater_Update/setup_fails.golden similarity index 100% rename from lib/autoupdate/agent/testdata/TestUpdater_Update/sync_fails.golden rename to lib/autoupdate/agent/testdata/TestUpdater_Update/setup_fails.golden diff --git a/lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.service.golden b/lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.service.golden new file mode 100644 index 0000000000000..185b4f07a1aa9 --- /dev/null +++ b/lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.service.golden @@ -0,0 +1,7 @@ +# teleport-update +[Unit] +Description=Teleport auto-update service + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/teleport-update update diff --git a/lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.timer.golden b/lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.timer.golden new file mode 100644 index 0000000000000..acca095d9825f --- /dev/null +++ b/lib/autoupdate/agent/testdata/TestWriteConfigFiles/teleport-update.timer.golden @@ -0,0 +1,11 @@ +# teleport-update +[Unit] +Description=Teleport auto-update timer unit + +[Timer] +OnActiveSec=1m +OnUnitActiveSec=5m +RandomizedDelaySec=1m + +[Install] +WantedBy=teleport.service diff --git a/lib/autoupdate/agent/updater.go b/lib/autoupdate/agent/updater.go index 5d82017998263..8fa5d34c246c2 100644 --- a/lib/autoupdate/agent/updater.go +++ b/lib/autoupdate/agent/updater.go @@ -27,7 +27,9 @@ import ( "log/slog" "net/http" "os" + "os/exec" "path/filepath" + "runtime" "strings" "time" @@ -36,6 +38,7 @@ import ( "gopkg.in/yaml.v3" "github.com/gravitational/teleport/api/client/webclient" + "github.com/gravitational/teleport/api/constants" libdefaults "github.com/gravitational/teleport/lib/defaults" "github.com/gravitational/teleport/lib/modules" libutils "github.com/gravitational/teleport/lib/utils" @@ -46,6 +49,10 @@ const ( DefaultLinkDir = "/usr/local" // DefaultSystemDir is the location where packaged Teleport binaries and services are installed. DefaultSystemDir = "/usr/local/teleport-system" + // VersionsDirName specifies the name of the subdirectory inside the Teleport data dir for storing Teleport versions. + VersionsDirName = "versions" + // BinaryName specifies the name of the updater binary. + BinaryName = "teleport-update" ) const ( @@ -136,16 +143,20 @@ func NewLocalUpdater(cfg LocalUpdaterConfig) (*Updater, error) { if cfg.SystemDir == "" { cfg.SystemDir = DefaultSystemDir } - if cfg.VersionsDir == "" { - cfg.VersionsDir = filepath.Join(libdefaults.DataDir, "versions") + if cfg.DataDir == "" { + cfg.DataDir = libdefaults.DataDir + } + installDir := filepath.Join(cfg.DataDir, VersionsDirName) + if err := os.MkdirAll(installDir, systemDirMode); err != nil { + return nil, trace.Errorf("failed to create install directory: %w", err) } return &Updater{ Log: cfg.Log, Pool: certPool, InsecureSkipVerify: cfg.InsecureSkipVerify, - ConfigPath: filepath.Join(cfg.VersionsDir, updateConfigName), + ConfigPath: filepath.Join(installDir, updateConfigName), Installer: &LocalInstaller{ - InstallDir: cfg.VersionsDir, + InstallDir: installDir, LinkBinDir: filepath.Join(cfg.LinkDir, "bin"), // For backwards-compatibility with symlinks created by package-based installs, we always // link into /lib/systemd/system, even though, e.g., /usr/local/lib/systemd/system would work. @@ -162,6 +173,28 @@ func NewLocalUpdater(cfg LocalUpdaterConfig) (*Updater, error) { PIDPath: "/run/teleport.pid", Log: cfg.Log, }, + Setup: func(ctx context.Context) error { + name := filepath.Join(cfg.LinkDir, "bin", BinaryName) + if cfg.SelfSetup && runtime.GOOS == constants.LinuxOS { + name = "/proc/self/exe" + } + cmd := exec.CommandContext(ctx, name, + "--data-dir", cfg.DataDir, + "--link-dir", cfg.LinkDir, + "setup") + cmd.Stderr = os.Stderr + cmd.Stdout = os.Stdout + cfg.Log.InfoContext(ctx, "Executing new teleport-update binary to update configuration.") + defer cfg.Log.InfoContext(ctx, "Finished executing new teleport-update binary.") + err := cmd.Run() + if cmd.ProcessState.ExitCode() == CodeNotSupported { + return ErrNotSupported + } + return trace.Wrap(err) + }, + Revert: func(ctx context.Context) error { + return trace.Wrap(Setup(ctx, cfg.Log, cfg.LinkDir, cfg.DataDir)) + }, }, nil } @@ -175,12 +208,14 @@ type LocalUpdaterConfig struct { // DownloadTimeout is a timeout for file download requests. // Defaults to no timeout. DownloadTimeout time.Duration - // VersionsDir for installing Teleport (usually /var/lib/teleport/versions). - VersionsDir string + // DataDir for Teleport (usually /var/lib/teleport). + DataDir string // LinkDir for installing Teleport (usually /usr/local). LinkDir string // SystemDir for package-installed Teleport installations (usually /usr/local/teleport-system). SystemDir string + // SelfSetup mode for using the current version of the teleport-update to setup the update service. + SelfSetup bool } // Updater implements the agent-local logic for Teleport agent auto-updates. @@ -197,6 +232,10 @@ type Updater struct { Installer Installer // Process manages a running instance of Teleport. Process Process + // Setup installs the Teleport updater service using the linked installation. + Setup func(ctx context.Context) error + // Revert installs the Teleport updater service using the running installation. + Revert func(ctx context.Context) error } // Installer provides an API for installing Teleport agents. @@ -237,6 +276,11 @@ var ( ErrNotSupported = errors.New("not supported on this platform") ) +const ( + // CodeNotSupported is returned when the operation is not supported on the platform. + CodeNotSupported = 3 +) + // Process provides an API for interacting with a running Teleport process. type Process interface { // Reload must reload the Teleport process as gracefully as possible. @@ -337,6 +381,8 @@ func (u *Updater) Enable(ctx context.Context, override OverrideConfig) error { return trace.Errorf("agent version not available from Teleport cluster") } + u.Log.InfoContext(ctx, "Initiating initial update.", targetVersionKey, targetVersion, activeVersionKey, cfg.Status.ActiveVersion) + if err := u.update(ctx, cfg, targetVersion, flags); err != nil { return trace.Wrap(err) } @@ -477,7 +523,7 @@ func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, targetVersion s } } - // Install the desired version (or validate existing installation) + // Install and link the desired version (or validate existing installation) template := cfg.Spec.URLTemplate if template == "" { @@ -487,6 +533,12 @@ func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, targetVersion s if err != nil { return trace.Errorf("failed to install: %w", err) } + + // TODO(sclevine): if the target version has fewer binaries, this will + // leave old binaries linked. This may prevent the installation from + // being removed. To fix this, we should look for orphaned binaries + // and remove them, or alternatively, attempt to remove extra versions. + revert, err := u.Installer.Link(ctx, targetVersion) if err != nil { return trace.Errorf("failed to link: %w", err) @@ -495,22 +547,31 @@ func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, targetVersion s // If we fail to revert after this point, the next update/enable will // fix the link to restore the active version. - // Sync process configuration after linking. - - if err := u.Process.Sync(ctx); err != nil { - if errors.Is(err, context.Canceled) { - return trace.Errorf("sync canceled") + revertConfig := func(ctx context.Context) bool { + if ok := revert(ctx); !ok { + u.Log.ErrorContext(ctx, "Failed to revert Teleport symlinks. Installation likely broken.") + return false } + if err := u.Revert(ctx); err != nil { + u.Log.ErrorContext(ctx, "Failed to revert configuration after failed restart.", errorKey, err) + return false + } + return true + } + + // Setup teleport-updater configuration and sync systemd. + + err = u.Setup(ctx) + if errors.Is(err, ErrNotSupported) { + u.Log.WarnContext(ctx, "Not syncing systemd configuration because systemd is not running.") + } else if errors.Is(err, context.Canceled) { + return trace.Errorf("sync canceled") + } else if err != nil { // If sync fails, we may have left the host in a bad state, so we revert linking and re-Sync. u.Log.ErrorContext(ctx, "Reverting symlinks due to invalid configuration.") - if ok := revert(ctx); !ok { - u.Log.ErrorContext(ctx, "Failed to revert Teleport symlinks. Installation likely broken.") - } else if err := u.Process.Sync(ctx); err != nil { - u.Log.ErrorContext(ctx, "Failed to sync configuration after failed restart.", errorKey, err) - } else { + if ok := revertConfig(ctx); ok { u.Log.WarnContext(ctx, "Teleport updater encountered a configuration error and successfully reverted the installation.") } - return trace.Errorf("failed to validate configuration for new version %q of Teleport: %w", targetVersion, err) } @@ -518,22 +579,23 @@ func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, targetVersion s if cfg.Status.ActiveVersion != targetVersion { u.Log.InfoContext(ctx, "Target version successfully installed.", targetVersionKey, targetVersion) - if err := u.Process.Reload(ctx); err != nil && !errors.Is(err, ErrNotNeeded) { - if errors.Is(err, context.Canceled) { - return trace.Errorf("reload canceled") - } - // If reloading Teleport at the new version fails, revert, resync, and reload. + err = u.Process.Reload(ctx) + if errors.Is(err, context.Canceled) { + return trace.Errorf("reload canceled") + } + if err != nil && + !errors.Is(err, ErrNotNeeded) && // no output if restart not needed + !errors.Is(err, ErrNotSupported) { // already logged above for Sync + + // If reloading Teleport at the new version fails, revert and reload. u.Log.ErrorContext(ctx, "Reverting symlinks due to failed restart.") - if ok := revert(ctx); !ok { - u.Log.ErrorContext(ctx, "Failed to revert Teleport symlinks to older version. Installation likely broken.") - } else if err := u.Process.Sync(ctx); err != nil { - u.Log.ErrorContext(ctx, "Invalid configuration found after reverting Teleport to older version. Installation likely broken.", errorKey, err) - } else if err := u.Process.Reload(ctx); err != nil && !errors.Is(err, ErrNotNeeded) { - u.Log.ErrorContext(ctx, "Failed to revert Teleport to older version. Installation likely broken.", errorKey, err) - } else { - u.Log.WarnContext(ctx, "Teleport updater encountered an error during the update and successfully reverted the installation.") + if ok := revertConfig(ctx); ok { + if err := u.Process.Reload(ctx); err != nil && !errors.Is(err, ErrNotNeeded) { + u.Log.ErrorContext(ctx, "Failed to reload Teleport after reverting. Installation likely broken.", errorKey, err) + } else { + u.Log.WarnContext(ctx, "Teleport updater encountered a configuration error and successfully reverted the installation.") + } } - return trace.Errorf("failed to start new version %q of Teleport: %w", targetVersion, err) } cfg.Status.BackupVersion = cfg.Status.ActiveVersion @@ -554,7 +616,6 @@ func (u *Updater) update(ctx context.Context, cfg *UpdateConfig, targetVersion s if n := len(versions); n > 2 { u.Log.WarnContext(ctx, "More than 2 versions of Teleport installed. Version directory may need cleanup to save space.", "count", n) } - return nil } @@ -609,7 +670,11 @@ func validateConfigSpec(spec *UpdateSpec, override OverrideConfig) error { if override.Group != "" { spec.Group = override.Group } - if override.URLTemplate != "" { + switch override.URLTemplate { + case "": + case "default": + spec.URLTemplate = "" + default: spec.URLTemplate = override.URLTemplate } if spec.URLTemplate != "" && @@ -620,7 +685,7 @@ func validateConfigSpec(spec *UpdateSpec, override OverrideConfig) error { } // LinkPackage creates links from the system (package) installation of Teleport, if they are needed. -// LinkPackage returns nils and warns if an auto-updates version is already linked, but auto-updates is disabled. +// LinkPackage returns nil and warns if an auto-updates version is already linked, but auto-updates is disabled. // LinkPackage returns an error only if an unknown version of Teleport is present (e.g., manually copied files). // This function is idempotent. func (u *Updater) LinkPackage(ctx context.Context) error { diff --git a/lib/autoupdate/agent/updater_test.go b/lib/autoupdate/agent/updater_test.go index 1197ac3d5a795..01e6e4980f5de 100644 --- a/lib/autoupdate/agent/updater_test.go +++ b/lib/autoupdate/agent/updater_test.go @@ -83,7 +83,13 @@ func TestUpdater_Disable(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { dir := t.TempDir() - cfgPath := filepath.Join(dir, "update.yaml") + cfgPath := filepath.Join(dir, VersionsDirName, "update.yaml") + + updater, err := NewLocalUpdater(LocalUpdaterConfig{ + InsecureSkipVerify: true, + DataDir: dir, + }) + require.NoError(t, err) // Create config file only if provided in test case if tt.cfg != nil { @@ -92,11 +98,7 @@ func TestUpdater_Disable(t *testing.T) { err = os.WriteFile(cfgPath, b, 0600) require.NoError(t, err) } - updater, err := NewLocalUpdater(LocalUpdaterConfig{ - InsecureSkipVerify: true, - VersionsDir: dir, - }) - require.NoError(t, err) + err = updater.Disable(context.Background()) if tt.errMatch != "" { require.Error(t, err) @@ -131,7 +133,7 @@ func TestUpdater_Update(t *testing.T) { flags InstallFlags inWindow bool installErr error - syncErr error + setupErr error reloadErr error removedVersion string @@ -139,9 +141,9 @@ func TestUpdater_Update(t *testing.T) { installedTemplate string linkedVersion string requestGroup string - syncCalls int reloadCalls int revertCalls int + setupCalls int errMatch string }{ { @@ -164,8 +166,8 @@ func TestUpdater_Update(t *testing.T) { installedTemplate: "https://example.com", linkedVersion: "16.3.0", requestGroup: "group", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "updates disabled during window", @@ -293,8 +295,8 @@ func TestUpdater_Update(t *testing.T) { installedTemplate: "https://example.com", linkedVersion: "16.3.0", removedVersion: "backup-version", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "backup version kept when no change", @@ -336,8 +338,8 @@ func TestUpdater_Update(t *testing.T) { installedTemplate: "https://example.com", linkedVersion: "16.3.0", removedVersion: "backup-version", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "invalid metadata", @@ -345,7 +347,7 @@ func TestUpdater_Update(t *testing.T) { errMatch: "invalid", }, { - name: "sync fails", + name: "setup fails", cfg: &UpdateConfig{ Version: updateConfigVersion, Kind: updateConfigKind, @@ -359,16 +361,16 @@ func TestUpdater_Update(t *testing.T) { }, }, inWindow: true, - syncErr: errors.New("sync error"), + setupErr: errors.New("setup error"), installedVersion: "16.3.0", installedTemplate: "https://example.com", linkedVersion: "16.3.0", removedVersion: "backup-version", - syncCalls: 2, reloadCalls: 0, revertCalls: 1, - errMatch: "sync error", + setupCalls: 1, + errMatch: "setup error", }, { name: "reload fails", @@ -391,9 +393,9 @@ func TestUpdater_Update(t *testing.T) { installedTemplate: "https://example.com", linkedVersion: "16.3.0", removedVersion: "backup-version", - syncCalls: 2, reloadCalls: 2, revertCalls: 1, + setupCalls: 1, errMatch: "reload error", }, } @@ -419,7 +421,13 @@ func TestUpdater_Update(t *testing.T) { t.Cleanup(server.Close) dir := t.TempDir() - cfgPath := filepath.Join(dir, "update.yaml") + cfgPath := filepath.Join(dir, VersionsDirName, "update.yaml") + + updater, err := NewLocalUpdater(LocalUpdaterConfig{ + InsecureSkipVerify: true, + DataDir: dir, + }) + require.NoError(t, err) // Create config file only if provided in test case if tt.cfg != nil { @@ -430,19 +438,16 @@ func TestUpdater_Update(t *testing.T) { require.NoError(t, err) } - updater, err := NewLocalUpdater(LocalUpdaterConfig{ - InsecureSkipVerify: true, - VersionsDir: dir, - }) - require.NoError(t, err) - var ( installedVersion string installedTemplate string linkedVersion string removedVersion string installedFlags InstallFlags - revertCalls int + revertFuncCalls int + setupCalls int + revertSetupCalls int + reloadCalls int ) updater.Installer = &testInstaller{ FuncInstall: func(_ context.Context, version, template string, flags InstallFlags) error { @@ -454,7 +459,7 @@ func TestUpdater_Update(t *testing.T) { FuncLink: func(_ context.Context, version string) (revert func(context.Context) bool, err error) { linkedVersion = version return func(_ context.Context) bool { - revertCalls++ + revertFuncCalls++ return true }, nil }, @@ -466,20 +471,20 @@ func TestUpdater_Update(t *testing.T) { return nil }, } - var ( - syncCalls int - reloadCalls int - ) updater.Process = &testProcess{ - FuncSync: func(_ context.Context) error { - syncCalls++ - return tt.syncErr - }, FuncReload: func(_ context.Context) error { reloadCalls++ return tt.reloadErr }, } + updater.Setup = func(_ context.Context) error { + setupCalls++ + return tt.setupErr + } + updater.Revert = func(_ context.Context) error { + revertSetupCalls++ + return nil + } ctx := context.Background() err = updater.Update(ctx) @@ -495,9 +500,10 @@ func TestUpdater_Update(t *testing.T) { require.Equal(t, tt.removedVersion, removedVersion) require.Equal(t, tt.flags, installedFlags) require.Equal(t, tt.requestGroup, requestedGroup) - require.Equal(t, tt.syncCalls, syncCalls) require.Equal(t, tt.reloadCalls, reloadCalls) - require.Equal(t, tt.revertCalls, revertCalls) + require.Equal(t, tt.revertCalls, revertSetupCalls) + require.Equal(t, tt.revertCalls, revertFuncCalls) + require.Equal(t, tt.setupCalls, setupCalls) if tt.cfg == nil { _, err := os.Stat(cfgPath) @@ -594,7 +600,13 @@ func TestUpdater_LinkPackage(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { dir := t.TempDir() - cfgPath := filepath.Join(dir, "update.yaml") + cfgPath := filepath.Join(dir, VersionsDirName, "update.yaml") + + updater, err := NewLocalUpdater(LocalUpdaterConfig{ + InsecureSkipVerify: true, + DataDir: dir, + }) + require.NoError(t, err) // Create config file only if provided in test case if tt.cfg != nil { @@ -604,12 +616,6 @@ func TestUpdater_LinkPackage(t *testing.T) { require.NoError(t, err) } - updater, err := NewLocalUpdater(LocalUpdaterConfig{ - InsecureSkipVerify: true, - VersionsDir: dir, - }) - require.NoError(t, err) - var tryLinkSystemCalls int updater.Installer = &testInstaller{ FuncTryLinkSystem: func(_ context.Context) error { @@ -648,7 +654,7 @@ func TestUpdater_Enable(t *testing.T) { userCfg OverrideConfig flags InstallFlags installErr error - syncErr error + setupErr error reloadErr error removedVersion string @@ -656,9 +662,9 @@ func TestUpdater_Enable(t *testing.T) { installedTemplate string linkedVersion string requestGroup string - syncCalls int reloadCalls int revertCalls int + setupCalls int errMatch string }{ { @@ -679,8 +685,8 @@ func TestUpdater_Enable(t *testing.T) { installedTemplate: "https://example.com", linkedVersion: "16.3.0", requestGroup: "group", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "config from user", @@ -704,8 +710,8 @@ func TestUpdater_Enable(t *testing.T) { installedVersion: "new-version", installedTemplate: "https://example.com/new", linkedVersion: "new-version", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "already enabled", @@ -723,8 +729,8 @@ func TestUpdater_Enable(t *testing.T) { installedVersion: "16.3.0", installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "insecure URL", @@ -764,8 +770,8 @@ func TestUpdater_Enable(t *testing.T) { installedVersion: "16.3.0", installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", - syncCalls: 1, reloadCalls: 0, + setupCalls: 1, }, { name: "backup version removed on install", @@ -782,8 +788,8 @@ func TestUpdater_Enable(t *testing.T) { installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", removedVersion: "backup-version", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "backup version kept for validation", @@ -800,8 +806,8 @@ func TestUpdater_Enable(t *testing.T) { installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", removedVersion: "", - syncCalls: 1, reloadCalls: 0, + setupCalls: 1, }, { name: "config does not exist", @@ -809,8 +815,8 @@ func TestUpdater_Enable(t *testing.T) { installedVersion: "16.3.0", installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "FIPS and Enterprise flags", @@ -818,8 +824,8 @@ func TestUpdater_Enable(t *testing.T) { installedVersion: "16.3.0", installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", - syncCalls: 1, reloadCalls: 1, + setupCalls: 1, }, { name: "invalid metadata", @@ -827,16 +833,16 @@ func TestUpdater_Enable(t *testing.T) { errMatch: "invalid", }, { - name: "sync fails", - syncErr: errors.New("sync error"), + name: "setup fails", + setupErr: errors.New("setup error"), installedVersion: "16.3.0", installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", - syncCalls: 2, reloadCalls: 0, revertCalls: 1, - errMatch: "sync error", + setupCalls: 1, + errMatch: "setup error", }, { name: "reload fails", @@ -845,9 +851,9 @@ func TestUpdater_Enable(t *testing.T) { installedVersion: "16.3.0", installedTemplate: cdnURITemplate, linkedVersion: "16.3.0", - syncCalls: 2, reloadCalls: 2, revertCalls: 1, + setupCalls: 1, errMatch: "reload error", }, } @@ -855,7 +861,13 @@ func TestUpdater_Enable(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { dir := t.TempDir() - cfgPath := filepath.Join(dir, "update.yaml") + cfgPath := filepath.Join(dir, VersionsDirName, "update.yaml") + + updater, err := NewLocalUpdater(LocalUpdaterConfig{ + InsecureSkipVerify: true, + DataDir: dir, + }) + require.NoError(t, err) // Create config file only if provided in test case if tt.cfg != nil { @@ -886,19 +898,16 @@ func TestUpdater_Enable(t *testing.T) { tt.userCfg.Proxy = strings.TrimPrefix(server.URL, "https://") } - updater, err := NewLocalUpdater(LocalUpdaterConfig{ - InsecureSkipVerify: true, - VersionsDir: dir, - }) - require.NoError(t, err) - var ( installedVersion string installedTemplate string linkedVersion string removedVersion string installedFlags InstallFlags - revertCalls int + revertFuncCalls int + reloadCalls int + setupCalls int + revertSetupCalls int ) updater.Installer = &testInstaller{ FuncInstall: func(_ context.Context, version, template string, flags InstallFlags) error { @@ -910,7 +919,7 @@ func TestUpdater_Enable(t *testing.T) { FuncLink: func(_ context.Context, version string) (revert func(context.Context) bool, err error) { linkedVersion = version return func(_ context.Context) bool { - revertCalls++ + revertFuncCalls++ return true }, nil }, @@ -922,20 +931,20 @@ func TestUpdater_Enable(t *testing.T) { return nil }, } - var ( - syncCalls int - reloadCalls int - ) updater.Process = &testProcess{ - FuncSync: func(_ context.Context) error { - syncCalls++ - return tt.syncErr - }, FuncReload: func(_ context.Context) error { reloadCalls++ return tt.reloadErr }, } + updater.Setup = func(_ context.Context) error { + setupCalls++ + return tt.setupErr + } + updater.Revert = func(_ context.Context) error { + revertSetupCalls++ + return nil + } ctx := context.Background() err = updater.Enable(ctx, tt.userCfg) @@ -951,9 +960,10 @@ func TestUpdater_Enable(t *testing.T) { require.Equal(t, tt.removedVersion, removedVersion) require.Equal(t, tt.flags, installedFlags) require.Equal(t, tt.requestGroup, requestedGroup) - require.Equal(t, tt.syncCalls, syncCalls) require.Equal(t, tt.reloadCalls, reloadCalls) - require.Equal(t, tt.revertCalls, revertCalls) + require.Equal(t, tt.revertCalls, revertSetupCalls) + require.Equal(t, tt.revertCalls, revertFuncCalls) + require.Equal(t, tt.setupCalls, setupCalls) if tt.cfg == nil && err != nil { _, err := os.Stat(cfgPath) diff --git a/tool/teleport-update/main.go b/tool/teleport-update/main.go index d559ad3e75cdd..1db37feae4954 100644 --- a/tool/teleport-update/main.go +++ b/tool/teleport-update/main.go @@ -21,6 +21,7 @@ package main import ( "context" "errors" + "fmt" "log/slog" "os" "os/signal" @@ -58,10 +59,8 @@ const ( ) const ( - // versionsDirName specifies the name of the subdirectory inside of the Teleport data dir for storing Teleport versions. - versionsDirName = "versions" - // lockFileName specifies the name of the file inside versionsDirName containing the flock lock preventing concurrent updater execution. - lockFileName = ".lock" + // lockFileName specifies the name of the file containing the flock lock preventing concurrent updater execution. + lockFileName = ".update-lock" ) var plog = logutils.NewPackageLogger(teleport.ComponentKey, teleport.ComponentUpdater) @@ -84,6 +83,8 @@ type cliConfig struct { DataDir string // LinkDir for linking binaries and systemd services LinkDir string + // SelfSetup mode for using the current version of the teleport-update to setup the update service. + SelfSetup bool } func Run(args []string) error { @@ -91,7 +92,7 @@ func Run(args []string) error { ctx := context.Background() ctx, _ = signal.NotifyContext(ctx, os.Interrupt, syscall.SIGTERM) - app := libutils.InitCLIParser("teleport-update", appHelp).Interspersed(false) + app := libutils.InitCLIParser(autoupdate.BinaryName, appHelp).Interspersed(false) app.Flag("debug", "Verbose logging to stdout."). Short('d').BoolVar(&ccfg.Debug) app.Flag("data-dir", "Teleport data directory. Access to this directory should be limited."). @@ -103,7 +104,7 @@ func Run(args []string) error { app.HelpFlag.Short('h') - versionCmd := app.Command("version", "Print the version of your teleport-updater binary.") + versionCmd := app.Command("version", fmt.Sprintf("Print the version of your %s binary.", autoupdate.BinaryName)) enableCmd := app.Command("enable", "Enable agent auto-updates and perform initial update.") enableCmd.Flag("proxy", "Address of the Teleport Proxy."). @@ -114,13 +115,20 @@ func Run(args []string) error { Short('t').Envar(templateEnvVar).StringVar(&ccfg.URLTemplate) enableCmd.Flag("force-version", "Force the provided version instead of querying it from the Teleport cluster."). Short('f').Envar(updateVersionEnvVar).Hidden().StringVar(&ccfg.ForceVersion) + enableCmd.Flag("self-setup", "Use the current teleport-update binary to create systemd service config for auto-updates."). + Short('s').Hidden().BoolVar(&ccfg.SelfSetup) // TODO(sclevine): add force-fips and force-enterprise as hidden flags disableCmd := app.Command("disable", "Disable agent auto-updates.") updateCmd := app.Command("update", "Update agent to the latest version, if a new version is available.") + updateCmd.Flag("self-setup", "Use the current teleport-update binary to create systemd service config for auto-updates."). + Short('s').Hidden().BoolVar(&ccfg.SelfSetup) - linkCmd := app.Command("link", "Link the system installation of Teleport from the Teleport package, if auto-updates is disabled.") + linkCmd := app.Command("link-package", "Link the system installation of Teleport from the Teleport package, if auto-updates is disabled.") + + setupCmd := app.Command("setup", "Write configuration files that run the update subcommand on a timer."). + Hidden() libutils.UpdateAppUsageTemplate(app, args) command, err := app.Parse(args) @@ -143,6 +151,8 @@ func Run(args []string) error { err = cmdUpdate(ctx, &ccfg) case linkCmd.FullCommand(): err = cmdLink(ctx, &ccfg) + case setupCmd.FullCommand(): + err = cmdSetup(ctx, &ccfg) case versionCmd.FullCommand(): modules.GetModules().PrintVersion() default: @@ -172,12 +182,17 @@ func setupLogger(debug bool, format string) error { // cmdDisable disables updates. func cmdDisable(ctx context.Context, ccfg *cliConfig) error { - versionsDir := filepath.Join(ccfg.DataDir, versionsDirName) - if err := os.MkdirAll(versionsDir, 0755); err != nil { - return trace.Errorf("failed to create versions directory: %w", err) + updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ + DataDir: ccfg.DataDir, + LinkDir: ccfg.LinkDir, + SystemDir: autoupdate.DefaultSystemDir, + SelfSetup: ccfg.SelfSetup, + Log: plog, + }) + if err != nil { + return trace.Errorf("failed to setup updater: %w", err) } - - unlock, err := libutils.FSWriteLock(filepath.Join(versionsDir, lockFileName)) + unlock, err := libutils.FSWriteLock(filepath.Join(ccfg.DataDir, lockFileName)) if err != nil { return trace.Errorf("failed to grab concurrent execution lock: %w", err) } @@ -186,15 +201,6 @@ func cmdDisable(ctx context.Context, ccfg *cliConfig) error { plog.DebugContext(ctx, "Failed to close lock file", "error", err) } }() - updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ - VersionsDir: versionsDir, - LinkDir: ccfg.LinkDir, - SystemDir: autoupdate.DefaultSystemDir, - Log: plog, - }) - if err != nil { - return trace.Errorf("failed to setup updater: %w", err) - } if err := updater.Disable(ctx); err != nil { return trace.Wrap(err) } @@ -203,13 +209,19 @@ func cmdDisable(ctx context.Context, ccfg *cliConfig) error { // cmdEnable enables updates and triggers an initial update. func cmdEnable(ctx context.Context, ccfg *cliConfig) error { - versionsDir := filepath.Join(ccfg.DataDir, versionsDirName) - if err := os.MkdirAll(versionsDir, 0755); err != nil { - return trace.Errorf("failed to create versions directory: %w", err) + updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ + DataDir: ccfg.DataDir, + LinkDir: ccfg.LinkDir, + SystemDir: autoupdate.DefaultSystemDir, + SelfSetup: ccfg.SelfSetup, + Log: plog, + }) + if err != nil { + return trace.Errorf("failed to setup updater: %w", err) } // Ensure enable can't run concurrently. - unlock, err := libutils.FSWriteLock(filepath.Join(versionsDir, lockFileName)) + unlock, err := libutils.FSWriteLock(filepath.Join(ccfg.DataDir, lockFileName)) if err != nil { return trace.Errorf("failed to grab concurrent execution lock: %w", err) } @@ -218,16 +230,6 @@ func cmdEnable(ctx context.Context, ccfg *cliConfig) error { plog.DebugContext(ctx, "Failed to close lock file", "error", err) } }() - - updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ - VersionsDir: versionsDir, - LinkDir: ccfg.LinkDir, - SystemDir: autoupdate.DefaultSystemDir, - Log: plog, - }) - if err != nil { - return trace.Errorf("failed to setup updater: %w", err) - } if err := updater.Enable(ctx, ccfg.OverrideConfig); err != nil { return trace.Wrap(err) } @@ -236,13 +238,18 @@ func cmdEnable(ctx context.Context, ccfg *cliConfig) error { // cmdUpdate updates Teleport to the version specified by cluster reachable at the proxy address. func cmdUpdate(ctx context.Context, ccfg *cliConfig) error { - versionsDir := filepath.Join(ccfg.DataDir, versionsDirName) - if err := os.MkdirAll(versionsDir, 0755); err != nil { - return trace.Errorf("failed to create versions directory: %w", err) + updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ + DataDir: ccfg.DataDir, + LinkDir: ccfg.LinkDir, + SystemDir: autoupdate.DefaultSystemDir, + SelfSetup: ccfg.SelfSetup, + Log: plog, + }) + if err != nil { + return trace.Errorf("failed to setup updater: %w", err) } - // Ensure update can't run concurrently. - unlock, err := libutils.FSWriteLock(filepath.Join(versionsDir, lockFileName)) + unlock, err := libutils.FSWriteLock(filepath.Join(ccfg.DataDir, lockFileName)) if err != nil { return trace.Errorf("failed to grab concurrent execution lock: %w", err) } @@ -252,15 +259,6 @@ func cmdUpdate(ctx context.Context, ccfg *cliConfig) error { } }() - updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ - VersionsDir: versionsDir, - LinkDir: ccfg.LinkDir, - SystemDir: autoupdate.DefaultSystemDir, - Log: plog, - }) - if err != nil { - return trace.Errorf("failed to setup updater: %w", err) - } if err := updater.Update(ctx); err != nil { return trace.Wrap(err) } @@ -269,10 +267,19 @@ func cmdUpdate(ctx context.Context, ccfg *cliConfig) error { // cmdLink creates system package links if no version is linked and auto-updates is disabled. func cmdLink(ctx context.Context, ccfg *cliConfig) error { - versionsDir := filepath.Join(ccfg.DataDir, versionsDirName) + updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ + DataDir: ccfg.DataDir, + LinkDir: ccfg.LinkDir, + SystemDir: autoupdate.DefaultSystemDir, + SelfSetup: ccfg.SelfSetup, + Log: plog, + }) + if err != nil { + return trace.Errorf("failed to setup updater: %w", err) + } // Skip operation and warn if the updater is currently running. - unlock, err := libutils.FSTryReadLock(filepath.Join(versionsDir, lockFileName)) + unlock, err := libutils.FSTryReadLock(filepath.Join(ccfg.DataDir, lockFileName)) if errors.Is(err, libutils.ErrUnsuccessfulLockTry) { plog.WarnContext(ctx, "Updater is currently running. Skipping package linking.") return nil @@ -285,17 +292,22 @@ func cmdLink(ctx context.Context, ccfg *cliConfig) error { plog.DebugContext(ctx, "Failed to close lock file", "error", err) } }() - updater, err := autoupdate.NewLocalUpdater(autoupdate.LocalUpdaterConfig{ - VersionsDir: versionsDir, - LinkDir: ccfg.LinkDir, - SystemDir: autoupdate.DefaultSystemDir, - Log: plog, - }) - if err != nil { - return trace.Errorf("failed to setup updater: %w", err) - } + if err := updater.LinkPackage(ctx); err != nil { return trace.Wrap(err) } return nil } + +// cmdSetup writes configuration files that are needed to run teleport-update update. +func cmdSetup(ctx context.Context, ccfg *cliConfig) error { + err := autoupdate.Setup(ctx, plog, ccfg.LinkDir, ccfg.DataDir) + if errors.Is(err, autoupdate.ErrNotSupported) { + plog.WarnContext(ctx, "Not enabling systemd service because systemd is not running.") + os.Exit(autoupdate.CodeNotSupported) + } + if err != nil { + return trace.Errorf("failed to setup teleport-update service: %w", err) + } + return nil +}