Breakdown Architecture into Guide pages

CHANGELOG.md

@@ -1,5 +1,40 @@
 # Changelog
 
+## 4.1.1
+
+This release of Teleport contains a bug fix.
+
+* Fixed an issue with multi-cluster EKS when the Teleport proxy runs outside EKS. [#3070](https://github.com/gravitational/teleport/pull/3070)
+
+## 4.1.0
+
+This is a major Teleport release with a focus on stability and bug fixes.
+
+### Improvements
+
+* Support for IPv6. [#2124](https://github.com/gravitational/teleport/issues/2124)
+* Kubernetes support does not require SNI. [#2766](https://github.com/gravitational/teleport/issues/2766)
+* Support use of a path for `auth_token` in `teleport.yaml`. [#2515](https://github.com/gravitational/teleport/issues/2515)
+* Implement ProxyJump compatibility. [#2543](https://github.com/gravitational/teleport/issues/2543)
+* Audit logs should show roles. [#2823](https://github.com/gravitational/teleport/issues/2823)
+* Allow tsh to go background and without executing remote command. [#2297](https://github.com/gravitational/teleport/issues/2297)
+* Provide a high level tool to backup and restore the cluster state. [#2480](https://github.com/gravitational/teleport/issues/2480)
+* Investigate nodes using stale list when connecting to proxies (discovery protocol). [#2832](https://github.com/gravitational/teleport/issues/2832)
+
+### Fixes
+
+* Proxy can hang due to invalid OIDC connector. [#2690](https://github.com/gravitational/teleport/issues/2690)
+* Proper `-D` flag parsing. [#2663](https://github.com/gravitational/teleport/issues/2663)
+* tsh status does not show correct cluster name. [#2671](https://github.com/gravitational/teleport/issues/2671)
+* Teleport truncates MOTD with PAM. [#2477](https://github.com/gravitational/teleport/issues/2477)
+* Miscellaneous fixes around error handling and reporting.
+
+## 4.0.10
+
+This release of Teleport contains a bug fix.
+
+* Fixed a goroutine leak that occured whenever a leaf cluster disconnected from the root cluster. [#3037](https://github.com/gravitational/teleport/pull/3037)
+
 ## 4.0.9
 
 This release of Teleport contains a bug fix.

Makefile

@@ -10,7 +10,9 @@
 # Naming convention:
 #	for stable releases we use "1.0.0" format
 #   for pre-releases, we use   "1.0.0-beta.2" format
-VERSION=4.2.0-alpha.1
+VERSION=4.2.0-alpha.2
+
+DOCKER_IMAGE ?= quay.io/gravitational/teleport
 
 # These are standard autotools variables, don't change them please
 BUILDDIR ?= build
@@ -318,12 +320,12 @@ install: build
 .PHONY: image
 image:
 	cp ./build.assets/charts/Dockerfile $(BUILDDIR)/
-	cd $(BUILDDIR) && docker build --no-cache . -t quay.io/gravitational/teleport:$(VERSION)
+	cd $(BUILDDIR) && docker build --no-cache . -t $(DOCKER_IMAGE):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e image; fi
 
 .PHONY: publish
 publish:
-	docker push quay.io/gravitational/teleport:$(VERSION)
+	docker push $(DOCKER_IMAGE):$(VERSION)
 	if [ -f e/Makefile ]; then $(MAKE) -C e publish; fi
 
 .PHONY: print-version

assets/marketplace/Jenkinsfile-build-ent

@@ -7,7 +7,7 @@ pipeline {
         timestamps()
     }
     parameters {
-        string(name: 'version', defaultValue: '3.1.7', description: 'Teleport version to build')
+        string(name: 'version', defaultValue: '4.1.0', description: 'Teleport version to build')
     }
     stages {
         stage('Create files/build directory') {
@@ -20,14 +20,15 @@ pipeline {
         stage('Run Packer to build specified version') {
             steps {
                 dir('assets/marketplace') {
-                    sh "PUBLIC_AMI_NAME=gravitational-teleport-ami-ent-${params.version} MARKETPLACE_AMI_NAME=gravitational-teleport-marketplace-ami-ent-${params.version} TELEPORT_VERSION=${params.version} make ent-jenkins-build"
+                    sh "PUBLIC_AMI_NAME=gravitational-teleport-ami-ent-${params.version} FIPS_AMI_NAME=gravitational-teleport-ami-ent-${params.version}-fips MARKETPLACE_AMI_NAME=gravitational-teleport-marketplace-ami-ent-${params.version} TELEPORT_VERSION=${params.version} make ent-jenkins-build"
                 }
             }
         }
         stage('Make Enterprise AMIs public') {
             steps {
                 dir('assets/marketplace') {
                     sh 'make change-amis-to-public-ent'
+                    sh 'make change-amis-to-public-ent-fips'
                 }
             }
         }

assets/marketplace/Jenkinsfile-build-oss

@@ -7,7 +7,7 @@ pipeline {
         timestamps()
     }
     parameters {
-        string(name: 'version', defaultValue: '3.1.7', description: 'Teleport version to build')
+        string(name: 'version', defaultValue: '4.1.0', description: 'Teleport version to build')
     }
     stages {
         stage('Create files/build directory') {

assets/marketplace/Makefile

@@ -14,7 +14,7 @@ MARKETPLACE_AMI_NAME ?=
 AWS_REGION ?= us-west-2
 
 # Teleport version
-TELEPORT_VERSION ?= 4.0.4
+TELEPORT_VERSION ?= 4.1.0
 
 # Teleport UID is the UID of a non-privileged 'teleport' user
 TELEPORT_UID ?= 1007
@@ -52,7 +52,7 @@ oss:
 	@echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE)"
 	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
 	mkdir -p files/build
-	packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -except teleport-aws-linux-marketplace single-ami.json
+	packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -only teleport-aws-linux single-ami.json
 	@echo "$(BUILD_TIMESTAMP)" > files/build/oss_build_timestamp.txt
 
 # Build named 'production' AMI and marketplace version
@@ -65,7 +65,7 @@ oss-jenkins-build:
 	@echo "Marketplace AMI name: $(MARKETPLACE_AMI_NAME)"
 	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
 	mkdir -p files/build
-	packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var marketplace_ami_name=$(MARKETPLACE_AMI_NAME) -var build_type=production -var build_timestamp=$(BUILD_TIMESTAMP) single-ami.json
+	packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var marketplace_ami_name=$(MARKETPLACE_AMI_NAME) -var build_timestamp=$(BUILD_TIMESTAMP) -except teleport-aws-linux-fips single-ami.json
 	@echo "$(BUILD_TIMESTAMP)" > files/build/oss_build_timestamp.txt
 
 .PHONY: change-amis-to-public-oss
@@ -80,7 +80,7 @@ ent: check-vars
 	@echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE)"
 	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
 	mkdir -p files/build
-	packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -except teleport-aws-linux-marketplace single-ami.json
+	packer build -force -var build_timestamp=$(BUILD_TIMESTAMP) -only teleport-aws-linux single-ami.json
 	@echo "$(BUILD_TIMESTAMP)" > files/build/ent_build_timestamp.txt
 
 # Build named 'production' AMI and marketplace version
@@ -90,17 +90,23 @@ ent-jenkins-build: check-vars
 ent-jenkins-build:
 	@echo "Building image $(TELEPORT_VERSION) $(TELEPORT_TYPE) via Jenkins"
 	@echo "Public AMI name: $(PUBLIC_AMI_NAME)"
+	@echo "FIPS AMI name: $(FIPS_AMI_NAME)"
 	@echo "Marketplace AMI name: $(MARKETPLACE_AMI_NAME)"
 	@echo "BUILD_TIMESTAMP=$(BUILD_TIMESTAMP)"
 	mkdir -p files/build
-	packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var marketplace_ami_name=$(MARKETPLACE_AMI_NAME) -var build_type=production -var build_timestamp=$(BUILD_TIMESTAMP) single-ami.json
+	packer build -force -var ami_name=$(PUBLIC_AMI_NAME) -var fips_ami_name=$(FIPS_AMI_NAME) -var marketplace_ami_name=$(MARKETPLACE_AMI_NAME) -var build_timestamp=$(BUILD_TIMESTAMP) single-ami.json
 	@echo "$(BUILD_TIMESTAMP)" > files/build/ent_build_timestamp.txt
 
 .PHONY: change-amis-to-public-ent
 change-amis-to-public-ent:
 	@echo "Making Enterprise AMIs public"
 	bash files/make-amis-public.sh ent
 
+.PHONY: change-amis-to-public-ent-fips
+change-amis-to-public-ent-fips:
+	@echo "Making FIPS Enterprise AMIs public"
+	bash files/make-amis-public.sh ent-fips
+
 
 # Other helpers
 .PHONY: check-vars

assets/marketplace/cloudformation/files/install.sh

@@ -26,8 +26,8 @@ useradd -r teleport -u ${TELEPORT_UID}
 usermod -a -G adm teleport
 
 # Setup teleport run dir for pid files
-mkdir -p /var/run/teleport/ /var/lib/teleport /etc/teleport.d
-chown -R teleport:adm /var/run/teleport /var/lib/teleport /etc/teleport.d/
+mkdir -p /run/teleport/ /var/lib/teleport /etc/teleport.d
+chown -R teleport:adm /run/teleport /var/lib/teleport /etc/teleport.d/
 
 # Download and install teleport binaries
 pushd /tmp

assets/marketplace/cloudformation/files/system/teleport-auth.service

@@ -12,7 +12,7 @@ RestartSec=5
 RuntimeDirectory=teleport
 ExecStart=/usr/bin/teleport start --config=/etc/teleport.yaml --diag-addr=127.0.0.1:3434 --pid-file=/run/teleport/teleport.pid
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/var/run/teleport/teleport.pid
+PIDFile=/run/teleport/teleport.pid
 LimitNOFILE=65536
 
 [Install]

assets/marketplace/cloudformation/files/system/teleport-node.service

@@ -13,7 +13,7 @@ RuntimeDirectory=teleport
 ExecStartPre=/usr/bin/teleport-ssm-get-token
 ExecStart=/usr/bin/teleport start --config=/etc/teleport.yaml --diag-addr=127.0.0.1:3434 --pid-file=/run/teleport/teleport.pid
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/var/run/teleport/teleport.pid
+PIDFile=/run/teleport/teleport.pid
 LimitNOFILE=65536
 
 [Install]

assets/marketplace/cloudformation/files/system/teleport-proxy.service

@@ -15,7 +15,7 @@ ExecStartPre=/usr/bin/teleport-ssm-get-token
 ExecStartPre=/bin/aws s3 sync s3://${TELEPORT_S3_BUCKET}/live/${TELEPORT_DOMAIN_NAME} /var/lib/teleport
 ExecStart=/usr/bin/teleport start --config=/etc/teleport.yaml --diag-addr=127.0.0.1:3434 --pid-file=/run/teleport/teleport.pid
 ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/var/run/teleport/teleport.pid
+PIDFile=/run/teleport/teleport.pid
 LimitNOFILE=65536
 
 [Install]

assets/marketplace/files/bin/teleport-generate-config

@@ -9,12 +9,12 @@ if [ -f /etc/teleport.yaml ]; then
     cp /etc/teleport.yaml /etc/teleport.yaml.old
 fi
 
-# Setup teleport config file
+# Setup Teleport config file
 LOCAL_IP=$(curl -sS http://169.254.169.254/latest/meta-data/local-ipv4)
 LOCAL_HOSTNAME=$(curl -sS http://169.254.169.254/latest/meta-data/local-hostname)
 LOCAL_HOSTNAME=${LOCAL_HOSTNAME//./-}
 
-# Source variables set up by cloudformation template
+# Source variables from user-data
 source /etc/teleport.d/conf
 
 # Set host UUID so auth server picks it up, as each auth server's
@@ -33,6 +33,18 @@ if [[ "${USE_ACM}" != "true" ]]; then
     echo "use-letsencrypt" > /etc/teleport.d/use-letsencrypt
 fi
 
+# Determine whether this is a FIPS AMI or not
+# We do this by looking at the ExecStart command for teleport.service to see whether it contains 'fips' or not (which is set during packer build)
+# We use this to modify the auth service's configuration depending on whether FIPS is in use or not
+# With FIPS: auth_service.authentication.local_auth must be 'false' or Teleport will not start
+# Without FIPS: auth.service.authentication.second_factor should be set to 'otp'
+FIPS_AMI=false
+AUTHENTICATION_STANZA="second_factor: otp"
+if grep "ExecStart" /etc/systemd/system/teleport.service | grep -q "fips"; then
+  FIPS_AMI=true
+  AUTHENTICATION_STANZA="local_auth: false"
+fi
+
 if [[ "${TELEPORT_ROLE}" == "auth" ]]; then
     echo "auth" > /etc/teleport.d/role.auth
     # Teleport Auth server is using DynamoDB as a backend
@@ -63,7 +75,7 @@ auth_service:
   enabled: yes
   listen_addr: 0.0.0.0:3025
   authentication:
-    second_factor: otp
+    ${AUTHENTICATION_STANZA}
   cluster_name: ${TELEPORT_CLUSTER_NAME}
 EOF
 
@@ -239,9 +251,8 @@ teleport:
 auth_service:
   enabled: yes
   listen_addr: 0.0.0.0:3025
-
   authentication:
-    second_factor: otp
+    ${AUTHENTICATION_STANZA}
 
 ssh_service:
   enabled: yes
@@ -426,5 +437,7 @@ EOF
     systemctl restart telegraf.service
 fi
 
-# make sure config file can be edited by pre-start commands running later
-chown teleport:adm /etc/teleport.yaml
+# make sure config file can be edited by pre-start commands running later (assuming it exists)
+if [ -f /etc/teleport.yaml ]; then
+  chown teleport:adm /etc/teleport.yaml
+fi

assets/marketplace/files/install.sh

@@ -32,10 +32,11 @@ rm -f /tmp/influxdb.rpm
 # Install certbot to rotate certificates
 # Certbot is a tool to request letsencrypt certificates,
 # remove it if you don't need letsencrypt.
-curl ${CURL_OPTS} -O https://bootstrap.pypa.io/get-pip.py
-python2.7 get-pip.py
-pip install -I awscli requests[security]==2.18.4
-pip install certbot==0.21.0 certbot-dns-route53==0.21.0
+sudo yum -y install python3 python3-pip
+#curl ${CURL_OPTS} -O https://bootstrap.pypa.io/get-pip.py
+#python3 get-pip.py
+pip3 install -I awscli requests[security]==2.18.4
+pip3 install certbot==0.21.0 certbot-dns-route53==0.21.0
 
 # Create teleport user. It is helpful to share the same UID
 # to have the same permissions on shared NFS volumes across auth servers and for consistency.
@@ -44,23 +45,34 @@ useradd -r teleport -u ${TELEPORT_UID} -d /var/lib/teleport
 usermod -a -G adm teleport
 
 # Setup teleport run dir for pid files
-mkdir -p /var/run/teleport/ /var/lib/teleport /etc/teleport.d
-chown -R teleport:adm /var/run/teleport /var/lib/teleport /etc/teleport.d/
+mkdir -p /run/teleport/ /var/lib/teleport /etc/teleport.d
+chown -R teleport:adm /run/teleport /var/lib/teleport /etc/teleport.d/
 
 # Download and install teleport binaries
 pushd /tmp
-if [[ "${TELEPORT_TYPE}" == "oss" ]]; then
-    echo "Installing OSS Teleport version ${TELEPORT_VERSION}"
-    curl ${CURL_OPTS} -o teleport.tar.gz https://s3.amazonaws.com/clientbuilds.gravitational.io/teleport/${TELEPORT_VERSION}/teleport-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz
-    tar -xzf teleport.tar.gz
-    cp teleport/tctl teleport/tsh teleport/teleport /usr/bin
-    rm -rf /tmp/teleport.tar.gz /tmp/teleport
-else
-    echo "Installing Enterprise Teleport version ${TELEPORT_VERSION}"
-    curl ${CURL_OPTS} -o teleport.tar.gz https://get.gravitational.com/teleport/${TELEPORT_VERSION}/teleport-ent-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz
-    tar -xzf teleport.tar.gz
-    cp teleport-ent/tctl teleport-ent/tsh teleport-ent/teleport /usr/bin
-    rm -rf /tmp/teleport.tar.gz /tmp/teleport-ent
+# Install the FIPS version of Teleport if /tmp/teleport-fips is present
+if [ -f /tmp/teleport-fips ]; then
+        echo "Installing Enterprise Teleport version ${TELEPORT_VERSION} with FIPS support"
+        curl ${CURL_OPTS} -o teleport.tar.gz https://get.gravitational.com/teleport/${TELEPORT_VERSION}/teleport-ent-v${TELEPORT_VERSION}-linux-amd64-fips-bin.tar.gz
+        tar -xzf teleport.tar.gz
+        cp teleport-ent/tctl teleport-ent/tsh teleport-ent/teleport /usr/bin
+        rm -rf /tmp/teleport.tar.gz /tmp/teleport-ent
+        # add --fips to 'teleport start' commands in FIPS mode
+        sed -i -E "s_ExecStart=/usr/bin/teleport start(.*)_ExecStart=/usr/bin/teleport start --fips\1_g" /etc/systemd/system/teleport*.service
+else 
+    if [[ "${TELEPORT_TYPE}" == "oss" ]]; then
+        echo "Installing OSS Teleport version ${TELEPORT_VERSION}"
+        curl ${CURL_OPTS} -o teleport.tar.gz https://s3.amazonaws.com/clientbuilds.gravitational.io/teleport/${TELEPORT_VERSION}/teleport-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz
+        tar -xzf teleport.tar.gz
+        cp teleport/tctl teleport/tsh teleport/teleport /usr/bin
+        rm -rf /tmp/teleport.tar.gz /tmp/teleport
+    else
+        echo "Installing Enterprise Teleport version ${TELEPORT_VERSION}"
+        curl ${CURL_OPTS} -o teleport.tar.gz https://get.gravitational.com/teleport/${TELEPORT_VERSION}/teleport-ent-v${TELEPORT_VERSION}-linux-amd64-bin.tar.gz
+        tar -xzf teleport.tar.gz
+        cp teleport-ent/tctl teleport-ent/tsh teleport-ent/teleport /usr/bin
+        rm -rf /tmp/teleport.tar.gz /tmp/teleport-ent
+    fi
 fi
 popd
 

assets/marketplace/files/make-amis-public.sh

@@ -6,7 +6,7 @@ REGION_LIST="eu-west-1 us-east-1 us-east-2 us-west-2"
 
 # Exit if oss/ent parameters not provided
 if [[ "$1" == "" ]]; then
-    echo "Usage: $(basename $0) [oss/ent]"
+    echo "Usage: $(basename $0) [oss/ent/ent-fips]"
     exit 1
 else
     RUN_MODE="$1"
@@ -16,13 +16,23 @@ ABSPATH=$(readlink -f "$0")
 SCRIPT_DIR=$(dirname "${ABSPATH}")
 BUILD_DIR=$(readlink -f "${SCRIPT_DIR}/build")
 
+AMI_TAG="production"
+OUTFILE="amis.txt"
+BUILD_TIMESTAMP_FILENAME="${RUN_MODE}_build_timestamp.txt"
+# Conditionally set variables for FIPS
+if [[ "${RUN_MODE}" == "ent-fips" ]]; then
+    AMI_TAG="production-fips"
+    OUTFILE="amis-fips.txt"
+    BUILD_TIMESTAMP_FILENAME="ent_build_timestamp.txt"
+fi
+
 # Remove existing AMI ID file if present
-if [ -f "${BUILD_DIR}/amis.txt" ]; then
-    rm -f "${BUILD_DIR}/amis.txt"
+if [ -f "${BUILD_DIR}/${OUTFILE}.txt" ]; then
+    rm -f "${BUILD_DIR}/${OUTFILE}.txt"
 fi
 
 # Read build timestamp from file
-TIMESTAMP_FILE="${BUILD_DIR}/${RUN_MODE}_build_timestamp.txt"
+TIMESTAMP_FILE="${BUILD_DIR}/${BUILD_TIMESTAMP_FILENAME}"
 if [ ! -f "${TIMESTAMP_FILE}" ]; then
     echo 'Cannot find "${TIMESTAMP_FILE}"'
     exit 1
@@ -31,24 +41,24 @@ BUILD_TIMESTAMP=$(<"${TIMESTAMP_FILE}")
 
 # Write AMI ID for each region to AMI ID file
 for REGION in ${REGION_LIST}; do
-    aws ec2 describe-images --region ${REGION} --filters "Name=tag:BuildTimestamp,Values=${BUILD_TIMESTAMP}" "Name=tag:BuildType,Values=production" > "${BUILD_DIR}/${REGION}.json"
+    aws ec2 describe-images --region ${REGION} --filters "Name=tag:BuildTimestamp,Values=${BUILD_TIMESTAMP}" "Name=tag:BuildType,Values=${AMI_TAG}" > "${BUILD_DIR}/${REGION}.json"
     AMI_ID=$(jq --raw-output '.Images[0].ImageId' "${BUILD_DIR}/${REGION}.json")
     if [[ "${AMI_ID}" == "" || "${AMI_ID}" == "null" ]]; then
         echo "Error: cannot get AMI ID for ${REGION}"
         exit 2
     fi
     rm -f "${BUILD_DIR}/${REGION}.json"
-    echo "${REGION}=${AMI_ID}" >> "${BUILD_DIR}/amis.txt"
+    echo "${REGION}=${AMI_ID}" >> "${BUILD_DIR}/${OUTFILE}.txt"
 done
 
 # Make each AMI public (set launchPermission to 'all')
 for REGION in ${REGION_LIST}; do
-    AMI_ID=$(grep ${REGION} "${BUILD_DIR}/amis.txt" | awk -F= '{print $2}')
+    AMI_ID=$(grep ${REGION} "${BUILD_DIR}/${OUTFILE}.txt" | awk -F= '{print $2}')
     if [[ "${AMI_ID}" == "" || "${AMI_ID}" == "null" ]]; then
         echo "Error: cannot get AMI ID for ${REGION}"
         exit 3
     else
         aws ec2 modify-image-attribute --region ${REGION} --image-id ${AMI_ID} --launch-permission "Add=[{Group=all}]"
         echo "AMI ID ${AMI_ID} for ${REGION} set to public"
     fi
-done
+done