Documentation ¶
Overview ¶
Package service implements the Teleport running service; it takes care of initialization, cleanup and shutdown procedures.
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Constants
- func ApplyDefaults(cfg *Config)
- type AuthConfig
- type Config
- type Connector
- type CoreProperty
- type Event
- type LocalSupervisor
- func (s *LocalSupervisor) BroadcastEvent(event Event)
- func (s *LocalSupervisor) Register(srv Service)
- func (s *LocalSupervisor) RegisterFunc(fn ServiceFunc)
- func (s *LocalSupervisor) Run() error
- func (s *LocalSupervisor) ServiceCount() int
- func (s *LocalSupervisor) Start() error
- func (s *LocalSupervisor) Wait() error
- func (s *LocalSupervisor) WaitForEvent(name string, eventC chan Event, cancelC chan struct{})
- type NodeProperty
- type PocketConfig
- type ProxyConfig
- type RoleConfig
- type SSHConfig
- type Service
- type ServiceFunc
- type Supervisor
- type TeleportProcess
Constants ¶
const (
	// ProxyReverseTunnelServerEvent is generated by supervisor when proxy
	// has initialized reverse tunnel server
	ProxyReverseTunnelServerEvent = "ProxyReverseTunnelServer"
	// ProxyWebServerEvent is generated by supervisor when proxy
	// has initialized web tunnel server
	ProxyWebServerEvent = "ProxyWebServer"
	// ProxyIdentityEvent is generated by supervisor when proxy's identity has been initialized
	ProxyIdentityEvent = "ProxyIdentity"
	// SSHIdentityEvent is generated when node's identity has been received
	SSHIdentityEvent = "SSHIdentity"
	// TeleportExitEvent is generated when someone is asking Teleport Process to close
	// all listening sockets and exit
	TeleportExitEvent = "TeleportExit"
	// AuthIdentityEvent is generated when auth's identity has been initialized
	AuthIdentityEvent = "AuthIdentity"
)
Variables ¶
This section is empty.
Functions ¶
func ApplyDefaults ¶
func ApplyDefaults(cfg *Config)
ApplyDefaults applies default values to the existing config structure
Types ¶
type AuthConfig ¶
type AuthConfig struct {
	// Enabled turns auth role on or off for this process
	Enabled bool
	// SSHAddr is the listening address of SSH tunnel to HTTP service
	SSHAddr utils.NetAddr
	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start
	Authorities []services.CertAuthority
	// DomainName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	DomainName string
	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	StaticTokens []services.ProvisionToken
	// KeysBackend configures backend that stores auth keys, certificates, tokens ...
	KeysBackend struct {
		// Type is a backend type - etcd or boltdb
		Type string
		// Params is map with backend specific parameters
		Params string
	}
	// EventsBackend configures backend that stores cluster events (login attempts, etc)
	EventsBackend struct {
		// Type is a backend type, etcd or bolt
		Type string
		// Params is map with backend specific parameters
		Params string
	}
	// RecordsBackend configures backend that stores live SSH sessions recordings
	RecordsBackend struct {
		// Type is a backend type, currently only bolt
		Type string
		// Params is map with backend specific parameters
		Params string
	}
	Limiter limiter.LimiterConfig
	// NoAudit, when set to true, disables session recording and event audit
	NoAudit bool
}
AuthConfig is a configuration of the auth server
type Config ¶
type Config struct {
	// DataDir provides directory where teleport stores its permanent state
	// (in case of auth server backed by BoltDB) or local state, e.g. keys
	DataDir string
	// Hostname is a node host name
	Hostname string
	// Token is used to register this Teleport instance with the auth server
	Token string
	// AuthServers is a list of auth servers nodes, proxies and peer auth servers
	// connect to
	AuthServers []utils.NetAddr
	// Identities is an optional list of pre-generated key pairs
	// for teleport roles, this is helpful when server is preconfigured
	Identities []*auth.Identity
	// AdvertiseIP is used to "publish" an alternative IP address this node
	// can be reached on, if running behind NAT
	AdvertiseIP net.IP
	// SSH configures the SSH role, an SSH endpoint server
	SSH SSHConfig
	// Auth configures the auth server (authentication and authorization server)
	Auth AuthConfig
	// Keygen points to a key generator implementation
	Keygen auth.Authority
	// Proxy is SSH proxy that manages incoming and outbound connections
	// via multiple reverse tunnels
	Proxy ProxyConfig
	// HostUUID is a unique UUID of this host (it will be known via this UUID within
	// a teleport cluster). It's automatically generated on 1st start
	HostUUID string
	// Console writer to speak to a user
	Console io.Writer
	// ReverseTunnels is a list of reverse tunnels to create on the
	// first cluster start
	ReverseTunnels []services.ReverseTunnel
	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	OIDCConnectors []services.OIDCConnector
	// PIDFile is a full path of the PID file for teleport daemon
	PIDFile string
	// Trust is a service that manages users and credentials
	Trust services.Trust
	// Lock is a distributed or local lock service
	Lock services.Lock
	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence
	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner
	// Identity is a service that manages users and credentials
	Identity services.Identity
	// SeedConfig tells teleport to treat its start-up configuration as initial
	// "seed" configuration on 1st start.
	SeedConfig bool
}
Config structure is used to initialize _all_ services Teleport can run. Some settings are global (like DataDir) while others are grouped into sections, like AuthConfig.
func MakeDefaultConfig ¶
func MakeDefaultConfig() (config *Config)
MakeDefaultConfig creates a new Config structure and populates it with defaults
func (*Config) ApplyToken ¶
ApplyToken assigns a given token to all internal services, but only if the token is not an empty string.
Returns 'true' if the token was modified.
func (*Config) ConfigureBolt ¶
func (cfg *Config) ConfigureBolt()
ConfigureBolt configures Bolt back-ends with a data dir.
func (*Config) ConfigureETCD ¶
ConfigureETCD configures ETCD backend (still uses BoltDB for some cases)
func (*Config) ConfigureSQLite ¶
func (cfg *Config) ConfigureSQLite()
ConfigureSQLite configures SQLite back-ends with a data dir.
func (*Config) DebugDumpToYAML ¶
DebugDumpToYAML is useful for debugging: it dumps the Config structure into a string
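DebugDumpToYAML serialises the entire Config, and Config carries credentials: Token, Proxy.TLSKey (a base64 private key) and Auth.StaticTokens. A raw dump pasted into a log or bug report therefore leaks them. The following is an added example, not the package's own code, of masking those fields before dumping. It mirrors a reduced Config, AuthConfig and ProxyConfig with only the fields relevant here, implements ApplyToken as documented above for the single Token field it keeps, and uses encoding/json in place of YAML so that it runs with the standard library alone. The field set, the `[redacted]` marker and all sample values are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Reduced mirror of the page's Config/AuthConfig/ProxyConfig (assumed shape,
// not the package's types): only the credential-bearing fields are kept.
type AuthConfig struct {
	Enabled      bool
	StaticTokens []string // pre-defined host provisioning tokens
}

type ProxyConfig struct {
	Enabled bool
	TLSKey  string // base64 encoded private key of the web portal
	TLSCert string // the certificate is public and need not be masked
}

type Config struct {
	DataDir string
	Token   string // provisioning token used to register with the auth server
	Auth    AuthConfig
	Proxy   ProxyConfig
}

// ApplyToken follows the documented behaviour: assign the token only when it is
// non-empty and report whether anything was modified (here only Config.Token).
func (cfg *Config) ApplyToken(token string) bool {
	if token == "" {
		return false
	}
	cfg.Token = token
	return true
}

// redacted returns a copy with every credential field masked; the original is
// left untouched (the StaticTokens slice is re-made rather than aliased).
func (cfg Config) redacted() Config {
	mask := func(s string) string {
		if s == "" {
			return ""
		}
		return "[redacted]"
	}
	out := cfg
	out.Token = mask(cfg.Token)
	out.Proxy.TLSKey = mask(cfg.Proxy.TLSKey)
	out.Auth.StaticTokens = make([]string, len(cfg.Auth.StaticTokens))
	for i, t := range cfg.Auth.StaticTokens {
		out.Auth.StaticTokens[i] = mask(t)
	}
	return out
}

// DebugDump serialises the redacted config (JSON stands in for YAML here).
func (cfg Config) DebugDump() string {
	b, err := json.MarshalIndent(cfg.redacted(), "", "  ")
	if err != nil {
		return "marshal error: " + err.Error()
	}
	return string(b)
}

// leaksSecret reports whether any raw credential value appears in the dump.
func leaksSecret(cfg Config, dump string) bool {
	secrets := append([]string{cfg.Token, cfg.Proxy.TLSKey}, cfg.Auth.StaticTokens...)
	for _, s := range secrets {
		if s != "" && strings.Contains(dump, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; none of them are real credentials.
	cfg := Config{
		DataDir: "/var/lib/teleport-example",
		Auth:    AuthConfig{Enabled: true, StaticTokens: []string{"example-static-token"}},
		Proxy:   ProxyConfig{Enabled: true, TLSKey: "ZXhhbXBsZS1wcml2YXRlLWtleQ==", TLSCert: "ZXhhbXBsZS1jZXJ0"},
	}
	cfg.ApplyToken("example-join-token")
	dump := cfg.DebugDump()
	fmt.Println(dump)
	fmt.Println("leaks a secret:", leaksSecret(cfg, dump))
}
```

The masking is done on a copy so the live Config keeps working; leaksSecret is the check to run in a test whenever a new credential field is added to the struct, since a field that is forgotten in redacted() shows up there immediately.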
func (*Config) RoleConfig ¶
func (cfg *Config) RoleConfig() RoleConfig
RoleConfig returns the configuration for a particular Teleport role.
type Connector ¶
Connector has all the resources a process needs to connect to other parts of the cluster: a client and an identity.
type CoreProperty ¶
type Event ¶
type Event struct {
	Name    string
	Payload interface{}
}
Event is a special service event that can be generated by various goroutines in the supervisor
type LocalSupervisor ¶
func (*LocalSupervisor) BroadcastEvent ¶
func (s *LocalSupervisor) BroadcastEvent(event Event)
func (*LocalSupervisor) Register ¶
func (s *LocalSupervisor) Register(srv Service)
func (*LocalSupervisor) RegisterFunc ¶
func (s *LocalSupervisor) RegisterFunc(fn ServiceFunc)
func (*LocalSupervisor) Run ¶
func (s *LocalSupervisor) Run() error
func (*LocalSupervisor) ServiceCount ¶
func (s *LocalSupervisor) ServiceCount() int
ServiceCount returns the number of registered and actively running services
func (*LocalSupervisor) Start ¶
func (s *LocalSupervisor) Start() error
func (*LocalSupervisor) Wait ¶
func (s *LocalSupervisor) Wait() error
func (*LocalSupervisor) WaitForEvent ¶
func (s *LocalSupervisor) WaitForEvent(name string, eventC chan Event, cancelC chan struct{})
type NodeProperty ¶
type PocketConfig ¶
type PocketConfig struct {
	// original key and cert
	Config
	// Slave node config
	NodeProperty
	// Teleport core config
	CoreProperty
}
PocketConfig structure is used to initialize _all_ services PocketCluster & Teleport can run. Some settings are global (like DataDir) while others are grouped into sections, like AuthConfig.
type ProxyConfig ¶
type ProxyConfig struct {
	// Enabled turns proxy role on or off for this process
	Enabled bool
	// DisableWebUI allows to turn off serving the Web UI
	DisableWebUI bool
	// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
	ReverseTunnelListenAddr utils.NetAddr
	// WebAddr is address for web portal of the proxy
	WebAddr utils.NetAddr
	// SSHAddr is address of ssh proxy
	SSHAddr utils.NetAddr
	// AssetsDir is a directory with proxy website assets
	AssetsDir string
	// TLSKey is a base64 encoded private key used by web portal
	TLSKey string
	// TLSCert is a base64 encoded certificate used by web portal
	TLSCert string
	Limiter limiter.LimiterConfig
}
ProxyConfig configures the proxy service.
type RoleConfig ¶
type RoleConfig struct {
	DataDir     string
	HostUUID    string
	HostName    string
	AuthServers []utils.NetAddr
	Auth        AuthConfig
	Console     io.Writer
}
RoleConfig is a configuration for a server role (either proxy or node)
type SSHConfig ¶
type SSHConfig struct {
	Enabled   bool
	Addr      utils.NetAddr
	Shell     string
	Limiter   limiter.LimiterConfig
	Labels    map[string]string
	CmdLabels services.CommandLabels
}
SSHConfig configures SSH server node role
type ServiceFunc ¶
type ServiceFunc func() error
func (ServiceFunc) Serve ¶
func (s ServiceFunc) Serve() error
type Supervisor ¶
type Supervisor interface {
	// Register adds the service to the pool, if supervisor is in
	// the started state, the service will be started immediately
	// otherwise, it will be started after Start() has been called
	Register(srv Service)
	// RegisterFunc creates a service from function spec and registers
	// it within the system
	RegisterFunc(fn ServiceFunc)
	// ServiceCount returns the number of registered and actively running
	// services
	ServiceCount() int
	// Start starts all unstarted services
	Start() error
	// Wait waits until all services exit
	Wait() error
	// Run starts and waits for the service to complete
	// it's a combination of Start() and Wait()
	Run() error
	// BroadcastEvent generates event and broadcasts it to all
	// interested parties
	BroadcastEvent(Event)
	// WaitForEvent waits for event to be broadcasted, if the event
	// was already broadcasted, eventC will receive current event immediately
	// Close 'cancelC' channel to force WaitForEvent to return prematurely
	WaitForEvent(name string, eventC chan Event, cancelC chan struct{})
}
Supervisor implements the simple service logic - registering service functions and de-registering the service goroutines
func NewSupervisor ¶
func NewSupervisor() Supervisor
NewSupervisor returns a new instance of an initialized supervisor.
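The two parts of the Supervisor contract that matter for start-up ordering are the ones around events: BroadcastEvent records the event so that a later WaitForEvent on the same name is satisfied immediately, and closing cancelC is the only way out for a waiter whose event never arrives (which is how a shutdown, signalled by TeleportExitEvent, unblocks services still waiting for an identity). The following is an added example, not the package's own code, of a hypothetical miniSupervisor that models exactly those semantics; it is not LocalSupervisor, it keeps only RegisterFunc, Run, BroadcastEvent and WaitForEvent (taking a plain `func() error` where the page's ServiceFunc would be), and it reuses the SSHIdentityEvent and ProxyIdentityEvent names from the constants above. The "auth" and "ssh" services and their log lines are constructed for the example.

```go
package main

import (
	"fmt"
	"sync"
)

const SSHIdentityEvent, ProxyIdentityEvent = "SSHIdentity", "ProxyIdentity" // the package's event names

type Event struct {
	Name    string
	Payload interface{}
}

// miniSupervisor is a hypothetical, reduced model of the Supervisor contract; it is not the package's LocalSupervisor.
type miniSupervisor struct {
	mu       sync.Mutex
	services []func() error
	events   map[string]Event         // last event broadcast under each name
	waiters  map[string][]func(Event) // deliveries parked until their event appears
}

func (s *miniSupervisor) RegisterFunc(fn func() error) { s.services = append(s.services, fn) }

// Run is Start() followed by Wait(): one goroutine per service, first error returned once all exit.
func (s *miniSupervisor) Run() error {
	errC := make(chan error, len(s.services))
	for _, fn := range s.services {
		go func(fn func() error) { errC <- fn() }(fn)
	}
	var first error
	for range s.services {
		if err := <-errC; err != nil && first == nil {
			first = err
		}
	}
	return first
}

// BroadcastEvent remembers the event for late waiters and wakes the parked ones.
func (s *miniSupervisor) BroadcastEvent(e Event) {
	s.mu.Lock()
	s.events[e.Name] = e
	parked := s.waiters[e.Name]
	delete(s.waiters, e.Name)
	s.mu.Unlock()
	for _, deliver := range parked {
		go deliver(e)
	}
}

// WaitForEvent never blocks: a past event is replayed on eventC at once, otherwise delivery waits for BroadcastEvent or close(cancelC).
func (s *miniSupervisor) WaitForEvent(name string, eventC chan Event, cancelC chan struct{}) {
	deliver := func(e Event) { // a closed cancelC means the waiter has given up
		select {
		case eventC <- e:
		case <-cancelC:
		}
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if e, ok := s.events[name]; ok {
		go deliver(e)
		return
	}
	s.waiters[name] = append(s.waiters[name], deliver)
}

// demoStartupOrder: "auth" publishes the node identity and "ssh" serves only once it
// exists; a waiter for the never-broadcast ProxyIdentityEvent is released by close(cancelC).
func demoStartupOrder() (lines []string, cancelled bool, err error) {
	sup := &miniSupervisor{events: map[string]Event{}, waiters: map[string][]func(Event){}}
	sup.RegisterFunc(func() error {
		lines = append(lines, "auth: identity ready") // the event hand-off orders the two appends
		sup.BroadcastEvent(Event{Name: SSHIdentityEvent, Payload: "node-1"})
		return nil
	})
	sup.RegisterFunc(func() error {
		eventC, cancelC := make(chan Event), make(chan struct{})
		sup.WaitForEvent(SSHIdentityEvent, eventC, cancelC)
		e := <-eventC // arrives whether auth broadcast before or after this call
		lines = append(lines, "ssh: serving as "+e.Payload.(string))
		return nil
	})
	eventC, cancelC := make(chan Event), make(chan struct{})
	sup.WaitForEvent(ProxyIdentityEvent, eventC, cancelC)
	close(cancelC) // shutdown requested: the role TeleportExitEvent plays in the daemon
	select {
	case <-eventC:
	case <-cancelC:
		cancelled = true
	}
	err = sup.Run()
	return lines, cancelled, err
}

func main() {
	fmt.Println(demoStartupOrder())
}
```

Whichever goroutine wins the race, the "ssh" line always follows the "auth" line: if auth broadcasts first the event is replayed from the events map, otherwise the parked delivery fires on broadcast. The delivery goroutine selects on cancelC as well as eventC, which is what keeps a cancelled waiter from leaking a blocked goroutine.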
type TeleportProcess ¶
type TeleportProcess struct {
	sync.Mutex
	Supervisor
	Config *Config
	// contains filtered or unexported fields
}
TeleportProcess structure holds the state of the Teleport daemon, controlling execution and configuration of the teleport services: ssh, auth and proxy.
func NewTeleport ¶
func NewTeleport(cfg *Config) (*TeleportProcess, error)
NewTeleport takes the daemon configuration, instantiates all required services and starts them under a supervisor, returning the supervisor object
func (*TeleportProcess) Close ¶
func (process *TeleportProcess) Close() error
func (*TeleportProcess) GetAuthServer ¶
func (process *TeleportProcess) GetAuthServer() *auth.AuthServer
func (*TeleportProcess) RegisterWithAuthServer ¶
func (process *TeleportProcess) RegisterWithAuthServer(token string, role teleport.Role, eventName string)
RegisterWithAuthServer uses a one-time provisioning token obtained earlier from the server to get a pair of SSH keys signed by the Auth server's host certificate authority.