service

package
v2.0.5+incompatible Latest
Warning

This package is not in the latest version of its module.

Published: May 3, 2017 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Overview

Package service implements the running Teleport service and takes care of its initialization, cleanup and shutdown procedures.

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Constants

const (
	// ProxyReverseTunnelServerEvent is generated by supervisor when proxy
	// has initialized reverse tunnel server
	ProxyReverseTunnelServerEvent = "ProxyReverseTunnelServer"
	// ProxyWebServerEvent is generated by supervisor when proxy
	// has initialized web tunnel server
	ProxyWebServerEvent = "ProxyWebServer"
	// ProxyIdentityEvent is generated by supervisor when proxy's identity has been initialized
	ProxyIdentityEvent = "ProxyIdentity"
	// SSHIdentityEvent is generated when node's identity has been received
	SSHIdentityEvent = "SSHIdentity"
	// TeleportExitEvent is generated when someone is asking Teleport Process to close
	// all listening sockets and exit
	TeleportExitEvent = "TeleportExit"
	// AuthIdentityEvent is generated when auth's identity has been initialized
	AuthIdentityEvent = "AuthIdentity"
)

Variables

This section is empty.

Functions

func ApplyDefaults added in v1.0.0

func ApplyDefaults(cfg *Config)

ApplyDefaults applies default values to the existing config structure

Types

type AuthConfig

type AuthConfig struct {
	// Enabled turns auth role on or off for this process
	Enabled bool

	// SSHAddr is the listening address of SSH tunnel to HTTP service
	SSHAddr utils.NetAddr

	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start
	Authorities []services.CertAuthority

	// Roles is a set of roles to pre-provision for this cluster
	Roles []services.Role

	// DomainName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	DomainName string

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens []services.ProvisionToken

	// DynamicConfig determines the source of configuration truth for Teleport. File
	// configuration or configuration that is in the backend.
	DynamicConfig bool

	// StorageConfig contains configuration settings for the storage backend.
	StorageConfig backend.Config

	Limiter limiter.LimiterConfig

	// NoAudit, when set to true, disables session recording and event audit
	NoAudit bool

	// Preference defines the authentication preference (type and second factor) for
	// the auth server.
	Preference services.AuthPreference

	// U2F defines settings for Universal Second Factor (appID and facets).
	U2F services.UniversalSecondFactor
}

AuthConfig is a configuration of the auth server

type Config

type Config struct {
	// DataDir provides directory where teleport stores its permanent state
	// (in case of auth server backed by BoltDB) or local state, e.g. keys
	DataDir string

	// Hostname is a node host name
	Hostname string

	// Token is used to register this Teleport instance with the auth server
	Token string

	// AuthServers is a list of auth servers nodes, proxies and peer auth servers
	// connect to
	AuthServers []utils.NetAddr

	// Identities is an optional list of pre-generated key pairs
	// for teleport roles, this is helpful when server is preconfigured
	Identities []*auth.Identity

	// AdvertiseIP is used to "publish" an alternative IP address this node
	// can be reached on, if running behind NAT
	AdvertiseIP net.IP

	// SSH configures the SSH endpoint server role
	SSH SSHConfig

	// Auth is the authentication and authorization server config
	Auth AuthConfig

	// Keygen points to a key generator implementation
	Keygen auth.Authority

	// Proxy is SSH proxy that manages incoming and outbound connections
	// via multiple reverse tunnels
	Proxy ProxyConfig

	// HostUUID is a unique UUID of this host (it will be known via this UUID within
	// a teleport cluster). It's automatically generated on 1st start
	HostUUID string

	// Console writer to speak to a user
	Console io.Writer

	// ReverseTunnels is a list of reverse tunnels to create on the
	// first cluster start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	OIDCConnectors []services.OIDCConnector

	// PIDFile is a full path of the PID file for teleport daemon
	PIDFile string

	// DeveloperMode should only be used during development as it does several
	// unsafe things like log sensitive information to console as well as
	// not verify certificates.
	DeveloperMode bool

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is a service that controls access
	Access services.Access
}

Config structure is used to initialize _all_ services Teleport can run. Some settings are global (like DataDir) while others are grouped into sections, like AuthConfig
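A pre-start check for the Config and AuthConfig settings whose field comments above describe a reduction in security (DeveloperMode, NoAudit, StaticTokens). This is an added example, not code from the teleport project: the structs are local stand-ins that mirror only the documented field names, and AuditConfig and the Auth.Enabled gating are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-in types (assumptions): only the fields this check reads, named as
// documented on this page. They are not the teleport structs themselves.
type ProvisionToken struct{ Token string }

type AuthConfig struct {
	Enabled      bool
	NoAudit      bool
	StaticTokens []ProvisionToken
}

type Config struct {
	DeveloperMode bool
	Auth          AuthConfig
}

// AuditConfig (hypothetical helper) returns one finding, sorted by field
// name, per setting that the field documentation marks as weakening security.
func AuditConfig(cfg *Config) []string {
	var findings []string
	if cfg.DeveloperMode {
		findings = append(findings, "DeveloperMode: logs sensitive information to console and does not verify certificates")
	}
	// Assumption: auth settings are only reported when the auth role is on.
	if cfg.Auth.Enabled {
		if cfg.Auth.NoAudit {
			findings = append(findings, "Auth.NoAudit: session recording and event audit are disabled")
		}
		if n := len(cfg.Auth.StaticTokens); n > 0 {
			findings = append(findings, fmt.Sprintf("Auth.StaticTokens: %d pre-defined provisioning token(s) in config", n))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed sample configuration, not taken from a real deployment.
	cfg := &Config{DeveloperMode: true, Auth: AuthConfig{Enabled: true, NoAudit: true,
		StaticTokens: []ProvisionToken{{Token: "constructed-sample"}}}}
	for _, f := range AuditConfig(cfg) {
		fmt.Println("FINDING:", f)
	}
}
```
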

func MakeDefaultConfig added in v1.0.0

func MakeDefaultConfig() (config *Config)

MakeDefaultConfig creates a new Config structure and populates it with defaults

func (*Config) ApplyToken added in v1.0.0

func (cfg *Config) ApplyToken(token string) bool

ApplyToken assigns a given token to all internal services but only if token is not an empty string.

Returns 'true' if token was modified

func (*Config) DebugDumpToYAML added in v1.0.0

func (cfg *Config) DebugDumpToYAML() string

DebugDumpToYAML is useful for debugging: it dumps the Config structure into a string

func (*Config) RoleConfig

func (cfg *Config) RoleConfig() RoleConfig

RoleConfig is a config for particular Teleport role

type Connector added in v1.0.0

type Connector struct {
	Identity *auth.Identity
	Client   *auth.TunClient
}

Connector has all resources a process needs to connect to other parts of the cluster: client and identity

type Event added in v1.0.0

type Event struct {
	Name    string
	Payload interface{}
}

Event is a special service event that can be generated by various goroutines in the supervisor

func (*Event) String added in v1.0.0

func (e *Event) String() string

type LocalSupervisor

type LocalSupervisor struct {
	sync.Mutex
	// contains filtered or unexported fields
}

func (*LocalSupervisor) BroadcastEvent added in v1.0.0

func (s *LocalSupervisor) BroadcastEvent(event Event)

func (*LocalSupervisor) Register

func (s *LocalSupervisor) Register(srv Service)

func (*LocalSupervisor) RegisterFunc

func (s *LocalSupervisor) RegisterFunc(fn ServiceFunc)

func (*LocalSupervisor) Run

func (s *LocalSupervisor) Run() error

func (*LocalSupervisor) ServiceCount added in v1.0.0

func (s *LocalSupervisor) ServiceCount() int

ServiceCount returns the number of registered and actively running services

func (*LocalSupervisor) Start

func (s *LocalSupervisor) Start() error

func (*LocalSupervisor) Wait

func (s *LocalSupervisor) Wait() error

func (*LocalSupervisor) WaitForEvent added in v1.0.0

func (s *LocalSupervisor) WaitForEvent(name string, eventC chan Event, cancelC chan struct{})

type ProxyConfig

type ProxyConfig struct {
	// Enabled turns proxy role on or off for this process
	Enabled bool

	// DisableWebUI turns off serving the Web UI
	DisableWebUI bool

	// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
	ReverseTunnelListenAddr utils.NetAddr

	// WebAddr is address for web portal of the proxy
	WebAddr utils.NetAddr

	// SSHAddr is address of ssh proxy
	SSHAddr utils.NetAddr

	// TLSKey is a base64 encoded private key used by web portal
	TLSKey string

	// TLSCert is a base64 encoded certificate used by web portal
	TLSCert string

	Limiter limiter.LimiterConfig

	// PublicAddr is the public address the Teleport UI can be accessed at.
	PublicAddr utils.NetAddr
}

ProxyConfig configures proxy service

type RoleConfig

type RoleConfig struct {
	DataDir     string
	HostUUID    string
	HostName    string
	AuthServers []utils.NetAddr
	Auth        AuthConfig
	Console     io.Writer
}

RoleConfig is a configuration for a server role (either proxy or node)

type SSHConfig

type SSHConfig struct {
	Enabled   bool
	Addr      utils.NetAddr
	Namespace string
	Shell     string
	Limiter   limiter.LimiterConfig
	Labels    map[string]string
	CmdLabels services.CommandLabels
}

SSHConfig configures SSH server node role

type Service

type Service interface {
	Serve() error
}

type ServiceFunc

type ServiceFunc func() error

func (ServiceFunc) Serve

func (s ServiceFunc) Serve() error

type Supervisor

type Supervisor interface {
	// Register adds the service to the pool, if supervisor is in
	// the started state, the service will be started immediately
	// otherwise, it will be started after Start() has been called
	Register(srv Service)

	// RegisterFunc creates a service from function spec and registers
	// it within the system
	RegisterFunc(fn ServiceFunc)

	// ServiceCount returns the number of registered and actively running
	// services
	ServiceCount() int

	// Start starts all unstarted services
	Start() error

	// Wait waits until all services exit
	Wait() error

	// Run starts and waits for the service to complete
	// it's a combination of Start() and Wait()
	Run() error

	// BroadcastEvent generates event and broadcasts it to all
	// interested parties
	BroadcastEvent(Event)

	// WaitForEvent waits for event to be broadcasted, if the event
	// was already broadcasted, eventC will receive current event immediately
	// Close 'cancelC' channel to force WaitForEvent to return prematurely
	WaitForEvent(name string, eventC chan Event, cancelC chan struct{})
}

Supervisor implements the simple service logic - registering service functions and de-registering the service goroutines

func NewSupervisor

func NewSupervisor() Supervisor

NewSupervisor returns new instance of initialized supervisor

type TeleportProcess added in v1.0.0

type TeleportProcess struct {
	sync.Mutex
	Supervisor
	Config *Config

	// identities of this process (credentials to auth server, basically)
	Identities map[teleport.Role]*auth.Identity
	// contains filtered or unexported fields
}

TeleportProcess structure holds the state of the Teleport daemon, controlling execution and configuration of the teleport services: ssh, auth and proxy.

func NewTeleport

func NewTeleport(cfg *Config) (*TeleportProcess, error)

NewTeleport takes the daemon configuration, instantiates all required services and starts them under a supervisor, returning the supervisor object

func (*TeleportProcess) Close added in v1.0.0

func (process *TeleportProcess) Close() error

func (*TeleportProcess) GetAuthServer added in v1.0.0

func (process *TeleportProcess) GetAuthServer() *auth.AuthServer

func (*TeleportProcess) GetIdentity added in v1.2.6

func (process *TeleportProcess) GetIdentity(role teleport.Role) (i *auth.Identity, err error)

GetIdentity returns the process identity (credentials to the auth server) for a given teleport Role. A teleport process can have any combination of 3 roles: auth, node, proxy, and each role has its own identity

func (*TeleportProcess) RegisterWithAuthServer added in v1.0.0

func (process *TeleportProcess) RegisterWithAuthServer(token string, role teleport.Role, eventName string)

RegisterWithAuthServer uses a one-time provisioning token obtained earlier from the server to get a pair of SSH keys signed by the Auth server's host certificate authority
