[teleport-update] Add linking into /usr/local #47879

Merged
merged 18 commits into from
Oct 28, 2024

@sclevine sclevine commented Oct 24, 2024

This PR adds support for linking the Teleport binaries and systemd service into /usr/local when the enable subcommand to the teleport-update binary is executed. Additionally, the PR cleans up old versions of Teleport aside from the last installed ("backup") version.

This PR also adds:

  • Logic preventing the active version from being removed
  • Logic preventing path escapes via invalid versions
  • Warnings when cleanup is interrupted

This is the third in a series of PRs implementing teleport-update:
Enable Command: #47565
Initial scaffolding PR: #46418

The teleport-update binary will be used to enable, disable, and trigger automatic Teleport agent updates. The new auto-updates system manages a local installation of the cluster-specified version of Teleport stored in /var/lib/teleport/versions.

RFD: #47126
Goal (internal): https://github.com/gravitational/cloud/issues/10289


Example:

root@7e41707a19a4:/teleport# ./tool/teleport-update/teleport-update enable --data-dir=./temp/ --proxy=levine.teleport.sh --force-version=16.4.3 --link-dir=./link/
2024-10-24T01:56:32Z INFO [UPDATER]   Downloading Teleport tarball. url:https://cdn.teleport.dev/teleport-v16.4.3-linux-arm64-bin.tar.gz size:157371486 agent/installer.go:299
2024-10-24T01:56:39Z INFO [UPDATER]   Extracting Teleport tarball. path:/teleport/temp/versions/16.4.3 size:625131520 agent/installer.go:337
2024-10-24T01:56:43Z INFO [UPDATER]   Target version successfully installed. version:16.4.3 agent/updater.go:291
2024-10-24T01:56:43Z INFO [UPDATER]   Backup version set. version:16.4.0 agent/updater.go:296
2024-10-24T01:56:43Z INFO [UPDATER]   Configuration updated. agent/updater.go:308
root@7e41707a19a4:/teleport# ls -l ./link/bin/tsh
lrwxr-xr-x 1 root root 38 Oct 24 01:56 ./link/bin/tsh -> /teleport/temp/versions/16.4.3/bin/tsh
root@7e41707a19a4:/teleport# ls -R ./link/
./link/: bin  lib
./link/bin: fdpass-teleport  tbot  tctl  teleport  tsh
./link/lib: systemd
./link/lib/systemd: system
./link/lib/systemd/system: teleport.service
root@7e41707a19a4:/teleport# ls -R ./temp/versions/16.4.3/
./temp/versions/16.4.3/: bin  etc  sha256  share
./temp/versions/16.4.3/bin: fdpass-teleport  tbot  tctl  teleport  tsh
./temp/versions/16.4.3/etc: systemd
./temp/versions/16.4.3/etc/systemd: teleport.service
./temp/versions/16.4.3/share: CHANGELOG.md  README.md  VERSION
root@7e41707a19a4:/teleport# cat temp/versions/update.yaml
version: v1
kind: update_config
spec:
    proxy: levine.teleport.sh
    group: ""
    url_template: ""
    enabled: true
status:
    active_version: 16.4.3
    backup_version: 16.4.0
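
The two guards listed in the description above (rejecting version strings that escape the versions directory, and never selecting the active or backup version for cleanup) can be sketched as follows. This is an added Go example, not code from this PR; `versionDir` and `staleVersions` are hypothetical names and the sample versions are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// versionDir maps a version string to its directory under versionsDir and
// rejects anything that is not a single path element (hypothetical helper).
func versionDir(versionsDir, version string) (string, error) {
	if version == "" || version == "." || version == ".." ||
		strings.ContainsAny(version, "/\\\x00") {
		return "", fmt.Errorf("invalid version %q", version)
	}
	base := filepath.Clean(versionsDir)
	dir := filepath.Join(base, version)
	// Second check: the result must be a direct child of the versions directory.
	if filepath.Dir(dir) != base {
		return "", fmt.Errorf("version %q escapes %s", version, base)
	}
	return dir, nil
}

// staleVersions returns the directories that cleanup may delete: every
// installed version except the active one and the backup (rollback) one.
func staleVersions(versionsDir string, installed []string, active, backup string) ([]string, error) {
	var out []string
	for _, v := range installed {
		if v == active || v == backup {
			continue // never remove the running version or the rollback target
		}
		dir, err := versionDir(versionsDir, v)
		if err != nil {
			return nil, err // refuse to delete anything if a name is suspicious
		}
		out = append(out, dir)
	}
	return out, nil
}

func main() {
	// Constructed sample values modelled on the session above.
	installed := []string{"16.3.1", "16.4.0", "16.4.3"}
	fmt.Println(staleVersions("/var/lib/teleport/versions", installed, "16.4.3", "16.4.0"))
	fmt.Println(versionDir("/var/lib/teleport/versions", "../../etc"))
}
```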

@sclevine sclevine added the no-changelog Indicates that a PR does not require a changelog entry label Oct 24, 2024
@sclevine sclevine requested review from vapopov and hugoShaka October 24, 2024 02:12

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-47879.d212ksyjt6y4yg.amplifyapp.com


This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-47879.d3pp5qlev8mo18.amplifyapp.com

@sclevine
Member Author

Reviews appreciated, since this is blocking #47929 🙂

}

// servicePath contains the path to the Teleport SystemD service within the version directory.
servicePath = filepath.Join("etc", "systemd", "teleport.service")
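Review bot: the doc comment on servicePath says the path is "within the version directory", but the value starts with etc/systemd and is easy to misread as the host's /etc/systemd tree. Consider stating in the comment that it is a relative path joined onto a version directory (the versions/<version>/etc/systemd/teleport.service layout), and spell the name "systemd" rather than "SystemD".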
Contributor

Should it be the /etc/systemd/system/ path? Since we have such a help message: c431630#diff-39c53543c507ce0bdbd34343ad186bc7d95006d8a62171be800239fb556a8522R66-R78

Member Author

@sclevine sclevine Oct 26, 2024

This is the path within the versions directory (e.g., /var/lib/teleport/versions/1.2.3/etc/systemd/teleport.service), which uses the same subpath as the examples directory in the Teleport tgz (examples/systemd/teleport.service). It's not related to the system /etc/systemd/system/ directory, which is for custom service files.

Not strongly opinionated on if we introduce /system/, since only the symlink location matters to systemd. Happy to change it if anyone feels strongly. It might make more sense as /var/lib/teleport/versions/1.2.3/lib/systemd/system/teleport.service, to better match the symlink location.

Member Author

Merging as-is for now, since theoretically we could add options for linking to other places (e.g., /usr/local/systemd/user/, /etc/systemd/system) in the future. Also worried that we may have to change the linking destination if systemd isn't compiled with /usr/local paths in a supported distro (CoreOS does not support it).

Happy to change in a follow-up PR if there are any concerns.

@sclevine sclevine enabled auto-merge October 28, 2024 16:05
@sclevine sclevine added this pull request to the merge queue Oct 28, 2024
Merged via the queue into master with commit c394da0 Oct 28, 2024
43 checks passed
@sclevine sclevine deleted the sclevine/teleport-update-link1 branch October 28, 2024 16:23