From 2773a68da5cf76bcd67b72a528cceae79c60a42e Mon Sep 17 00:00:00 2001
From: Sasha Klizhentas
Date: Wed, 8 Jun 2016 13:08:41 -0700
Subject: [PATCH 1/3] recover back AuthIdentityEvent
---
 lib/service/service.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/lib/service/service.go b/lib/service/service.go
index 35afbd7489865..80cb8891db598 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -66,6 +66,8 @@ const (
 // TeleportExitEvent is generated when someone is askign Teleport Process to close
 // all listening sockets and exit
 TeleportExitEvent = "TeleportExit"
+ // AuthIdentityEvent is generated when auth's identity has been initialized
+ AuthIdentityEvent = "AuthIdentity"
 )
 // RoleConfig is a configuration for a server role (either proxy or node)
@@ -346,7 +348,25 @@ func (process *TeleportProcess) initAuthService(authority auth.Authority) error
 // Heart beat auth server presence, this is not the best place for this
 // logic, consolidate it into auth package later
- var authClient *auth.TunClient
+ storage := utils.NewFileAddrStorage(
+ filepath.Join(process.Config.DataDir, "authservers.json"))
+
+ authUser := identity.Cert.ValidPrincipals[0]
+ authClient, err := auth.NewTunClient(
+ string(teleport.RoleAuth),
+ process.Config.AuthServers,
+ authUser,
+ []ssh.AuthMethod{ssh.PublicKeys(identity.KeySigner)},
+ auth.TunClientStorage(storage),
+ )
+ // success?
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ process.BroadcastEvent(Event{Name: AuthIdentityEvent, Payload: &Connector{
+ Identity: identity,
+ Client: authClient,
+ }})
 process.RegisterFunc(func() error {
 srv := services.Server{
 ID: process.Config.HostUUID,
From 84c12af43366ce2339e77631c8f7c0df0bc06a5a Mon Sep 17 00:00:00 2001
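Review bot: `identity.Cert.ValidPrincipals[0]` is indexed without a length check, so an identity whose certificate carries no principals panics inside initAuthService instead of surfacing an error; guard it first, `if len(identity.Cert.ValidPrincipals) == 0 { return trace.BadParameter("identity certificate has no principals") }`. The `// success?` comment adds nothing and reads as a question the author left open — drop it or state what the branch below does. The comment pair above the new block still says "Heart beat auth server presence", but the lines under it now build the tunnel client and broadcast AuthIdentityEvent; the heartbeat is the RegisterFunc that starts at the bottom of the hunk. initAuthService begins before and continues after the hunk, and PATCH 2/3 replaces this block with a call to process.connectToAuthService, so the principals check belongs in that helper if it does not already make it.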
From: Sasha Klizhentas
Date: Wed, 8 Jun 2016 16:57:40 -0700
Subject: [PATCH 2/3] address code review comments
---
 lib/auth/tun.go | 2 +-
 lib/service/service.go | 41 +++++++++++++++++------------------------
 2 files changed, 18 insertions(+), 25 deletions(-)
diff --git a/lib/auth/tun.go b/lib/auth/tun.go
index 3de5ae6a21232..46a3abd20e8c0 100644
--- a/lib/auth/tun.go
+++ b/lib/auth/tun.go
@@ -42,7 +42,7 @@ import (
 // dialRetryInterval specifies the time interval tun client waits to retry
 // dialing the same auth server
-const dialRetryInterval = time.Duration(time.Millisecond * 50)
+const dialRetryInterval = time.Duration(time.Second)
 // AuthTunnel listens on TCP/IP socket and accepts SSH connections. It then establishes
 // an SSH tunnell which HTTP requests travel over. In other words, the Auth Service API
diff --git a/lib/service/service.go b/lib/service/service.go
index 80cb8891db598..cf10e9e829ae7 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -332,41 +332,35 @@ func (process *TeleportProcess) initAuthService(authority auth.Authority) error
 auth.SetLimiter(limiter),
 )
 if err != nil {
- utils.Consolef(cfg.Console, "[PROXY] Error: %v", err)
+ utils.Consolef(cfg.Console, "[AUTH] Error: %v", err)
 return trace.Wrap(err)
 }
 if err := authTunnel.Start(); err != nil {
 if askedToExit {
- log.Infof("[PROXY] Auth Tunnel exited")
+ log.Infof("[AUTH] Auth Tunnel exited")
 return nil
 }
- utils.Consolef(cfg.Console, "[PROXY] Error: %v", err)
+ utils.Consolef(cfg.Console, "[AUTH] Error: %v", err)
 return trace.Wrap(err)
 }
 return nil
 })
- // Heart beat auth server presence, this is not the best place for this
- // logic, consolidate it into auth package later
- storage := utils.NewFileAddrStorage(
- filepath.Join(process.Config.DataDir, "authservers.json"))
+ process.RegisterFunc(func() error {
+ // Heart beat auth server presence, this is not the best place for this
+ // logic, consolidate it into auth package later
+ connector, err := process.connectToAuthService(teleport.RoleAdmin)
+ if err != nil {
+ return trace.Wrap(err)
+ }
+ // External integrations rely on this event:
+ process.BroadcastEvent(Event{Name: AuthIdentityEvent, Payload: connector})
+ process.onExit(func(payload interface{}) {
+ connector.Client.Close()
+ })
+ return nil
+ })
- authUser := identity.Cert.ValidPrincipals[0]
- authClient, err := auth.NewTunClient(
- string(teleport.RoleAuth),
- process.Config.AuthServers,
- authUser,
- []ssh.AuthMethod{ssh.PublicKeys(identity.KeySigner)},
- auth.TunClientStorage(storage),
- )
- // success?
- if err != nil {
- return trace.Wrap(err)
- }
- process.BroadcastEvent(Event{Name: AuthIdentityEvent, Payload: &Connector{
- Identity: identity,
- Client: authClient,
- }})
 process.RegisterFunc(func() error {
 srv := services.Server{
 ID: process.Config.HostUUID,
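Review bot: The comment carried into the new RegisterFunc, "Heart beat auth server presence, this is not the best place for this logic", no longer describes the code under it — this function connects to the auth service and broadcasts AuthIdentityEvent, while the heartbeat is the next RegisterFunc starting at `srv := services.Server{`; reword it, e.g. `// Connect to the auth service as an in-process client and publish the identity for external integrations`. The role passed to connectToAuthService is teleport.RoleAdmin where the replaced code dialed as teleport.RoleAuth; since the connector is handed to every AuthIdentityEvent subscriber, a one-line comment stating why the admin role is required here would record that privilege decision for later readers. Whatever `connector.Client.Close()` returns in the onExit callback is discarded; if that mirrors the removed `authClient.Close()` on purpose, a short comment saying so would stop the next reviewer from flagging it. connectToAuthService is not in this patch, so whether it guards against an empty ValidPrincipals, which the removed code did not, cannot be checked from here.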
@@ -409,7 +403,6 @@ func (process *TeleportProcess) initAuthService(authority auth.Authority) error
 process.onExit(func(payload interface{}) {
 askedToExit = true
 authTunnel.Close()
- authClient.Close()
 log.Infof("[AUTH] auth service exited")
 })
 return nil
From 235fc6427c73d046f9b65f0884e1983c73aaff9c Mon Sep 17 00:00:00 2001
From: Sasha Klizhentas
Date: Wed, 8 Jun 2016 17:05:12 -0700
Subject: [PATCH 3/3] update retry strategy
---
 lib/auth/tun.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/auth/tun.go b/lib/auth/tun.go
index 46a3abd20e8c0..c66ed0c8ae649 100644
--- a/lib/auth/tun.go
+++ b/lib/auth/tun.go
@@ -42,7 +42,7 @@ import (
 // dialRetryInterval specifies the time interval tun client waits to retry
 // dialing the same auth server
-const dialRetryInterval = time.Duration(time.Second)
+const dialRetryInterval = 100 * time.Millisecond
 // AuthTunnel listens on TCP/IP socket and accepts SSH connections. It then establishes
 // an SSH tunnell which HTTP requests travel over. In other words, the Auth Service API
@@ -621,7 +621,7 @@ func (c *TunClient) GetDialer() AccessPointDialer {
 if err == nil {
 return conn, nil
 }
- time.Sleep(dialRetryInterval * time.Duration(attempt))
+ time.Sleep(4 * time.Duration(attempt) * dialRetryInterval)
 }
 log.Error(err)
 return nil, trace.Wrap(err)
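Review bot: The new backoff `time.Sleep(4 * time.Duration(attempt) * dialRetryInterval)` hides the effective per-attempt step (4 × 100ms) behind a bare multiplier, and the doc comment on `dialRetryInterval` in the previous hunk still calls it "the time interval tun client waits to retry"; either fold the factor into the constant or name it, `const dialRetryBackoffFactor = 4`, and update that comment to describe the linear backoff. If this Sleep is the last statement of the attempt loop — the loop header is outside the hunk — the client also sleeps one full backoff after the final failed attempt before reaching `log.Error(err)`, delaying the error return for no benefit; sleeping at the top of the next iteration, or skipping the sleep on the last attempt, avoids that. The sleep is not cancellable either; whether GetDialer has a context it could select on cannot be seen from here.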