diff --git a/assets/aws/files/install-hardened.sh b/assets/aws/files/install-hardened.sh index 2fd099a28e8d2..c0db8a739bf3b 100644 --- a/assets/aws/files/install-hardened.sh +++ b/assets/aws/files/install-hardened.sh @@ -23,11 +23,16 @@ usermod -a -G adm teleport # Setup teleport run dir for pid files install -d -m 0700 -o teleport -g adm /var/lib/teleport install -d -m 0755 -o teleport -g adm /run/teleport /etc/teleport.d +# Setup teleport/system directory +install -d -m 0755 -o teleport -g adm /opt/teleport/system/bin +install -d -m 0755 -o teleport -g adm /opt/teleport/system/lib/systemd/system # Extract tarball to /tmp/teleport to get the binaries out mkdir /tmp/teleport tar -C /tmp/teleport -x -z -f /tmp/teleport.tar.gz --strip-components=1 -install -m 755 /tmp/teleport/{tctl,tsh,teleport,tbot,fdpass-teleport} /usr/local/bin +install -m 755 /tmp/teleport/{tctl,tsh,teleport,tbot,fdpass-teleport,teleport-update} /opt/teleport/system/bin +install -m 755 /tmp/teleport/examples/systemd/teleport.service /opt/teleport/system/lib/systemd/system +/opt/teleport/system/bin/teleport-update link-package rm -rf /tmp/teleport /tmp/teleport.tar.gz if [[ "${TELEPORT_FIPS}" == 1 ]]; then diff --git a/build.assets/build-package.sh b/build.assets/build-package.sh index 91bb4daa8409a..7207873aa1f28 100755 --- a/build.assets/build-package.sh +++ b/build.assets/build-package.sh @@ -63,8 +63,8 @@ TARBALL_DIRECTORY="$s" GNUPG_DIR=${GNUPG_DIR:-/tmp/gnupg} # linux package configuration -LINUX_BINARY_DIR=/usr/local/bin -LINUX_SYSTEMD_DIR=/lib/systemd/system +LINUX_BINARY_DIR=/opt/teleport/system/bin +LINUX_SYSTEMD_DIR=/opt/teleport/system/lib/systemd/system LINUX_CONFIG_DIR=/etc LINUX_DATA_DIR=/var/lib/teleport @@ -229,8 +229,8 @@ if [[ "${PACKAGE_TYPE}" == "pkg" ]]; then PKG_FILENAME="teleport-bin-${TELEPORT_VERSION}${ARCH_TAG}.${PACKAGE_TYPE}" fi else - FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/examples/systemd/teleport.service ${TAR_PATH}/examples/systemd/post-upgrade" - LINUX_BINARY_FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/teleport" + FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/teleport-update ${TAR_PATH}/examples/systemd/teleport.service ${TAR_PATH}/examples/systemd/post-install ${TAR_PATH}/examples/systemd/before-remove" + LINUX_BINARY_FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/teleport ${TAR_PATH}/teleport-update" LINUX_SYSTEMD_FILE_LIST="${TAR_PATH}/examples/systemd/teleport.service" EXTRA_DOCKER_OPTIONS="" RPM_SIGN_STANZA="" @@ -294,8 +294,12 @@ if [[ "${PACKAGE_TYPE}" != "pkg" ]]; then CONFIG_FILE_STANZA="--config-files /src/buildroot${LINUX_CONFIG_DIR}/${LINUX_CONFIG_FILE} " fi - # include post-upgrade script - mv -v ${TAR_PATH}/examples/systemd/post-upgrade ${PACKAGE_TEMPDIR} + # include post-install and before-remove script + mv -v ${TAR_PATH}/examples/systemd/post-install ${PACKAGE_TEMPDIR} + mv -v ${TAR_PATH}/examples/systemd/before-remove ${PACKAGE_TEMPDIR} + + # create versions folder + mkdir -p ${PACKAGE_TEMPDIR}/buildroot${LINUX_DATA_DIR}/versions # /var/lib/teleport # shellcheck disable=SC2174 @@ -371,7 +375,8 @@ else --provides teleport \ --prefix / \ --verbose \ - --after-upgrade /src/post-upgrade \ + --after-install /src/post-install \ + --before-remove /src/before-remove \ ${CONFIG_FILE_STANZA} \ ${FILE_PERMISSIONS_STANZA} \ "${LICENSE_STANZA[@]}" \ diff --git a/build.assets/charts/Dockerfile-distroless b/build.assets/charts/Dockerfile-distroless index c57265c488405..afc9ef481d768 100644 --- a/build.assets/charts/Dockerfile-distroless +++ b/build.assets/charts/Dockerfile-distroless @@ -23,7 +23,10 @@ COPY $TELEPORT_DEB_FILE_NAME ./$TELEPORT_DEB_FILE_NAME RUN dpkg-deb -R $TELEPORT_DEB_FILE_NAME /opt/staging && \ mkdir -p /opt/staging/etc/teleport && \ mkdir -p /opt/staging/var/lib/dpkg/status.d/ && \ + mkdir -p /opt/staging/usr/local/bin && \ mv /opt/staging/DEBIAN/control /opt/staging/var/lib/dpkg/status.d/teleport && \ + mv /opt/staging/opt/teleport/system/bin/* /opt/staging/usr/local/bin/ && \ + rm -f /opt/staging/usr/local/bin/teleport-update && \ rm -rf /opt/staging/DEBIAN FROM $BASE_IMAGE diff --git a/build.assets/charts/Dockerfile-distroless-fips b/build.assets/charts/Dockerfile-distroless-fips index 482704bf1e8be..c1443b96c6217 100644 --- a/build.assets/charts/Dockerfile-distroless-fips +++ b/build.assets/charts/Dockerfile-distroless-fips @@ -23,7 +23,10 @@ COPY $TELEPORT_DEB_FILE_NAME ./$TELEPORT_DEB_FILE_NAME RUN dpkg-deb -R $TELEPORT_DEB_FILE_NAME /opt/staging && \ mkdir -p /opt/staging/etc/teleport && \ mkdir -p /opt/staging/var/lib/dpkg/status.d/ && \ + mkdir -p /opt/staging/usr/local/bin && \ mv /opt/staging/DEBIAN/control /opt/staging/var/lib/dpkg/status.d/teleport && \ + mv /opt/staging/opt/teleport/system/bin/* /opt/staging/usr/local/bin/ && \ + rm -f /opt/staging/usr/local/bin/teleport-update && \ rm -rf /opt/staging/DEBIAN FROM $BASE_IMAGE diff --git a/build.assets/charts/Dockerfile-tbot-distroless b/build.assets/charts/Dockerfile-tbot-distroless index 9e1e4d8897c07..842157a175bbc 100644 --- a/build.assets/charts/Dockerfile-tbot-distroless +++ b/build.assets/charts/Dockerfile-tbot-distroless @@ -17,5 +17,5 @@ ENV TELEPORT_DEB_FILE_NAME=teleport${TELEPORT_RELEASE_INFIX}_${TELEPORT_VERSION} RUN --mount=type=bind,target=/ctx dpkg-deb -R /ctx/$TELEPORT_DEB_FILE_NAME /opt/staging FROM $BASE_IMAGE -COPY --from=teleport /opt/staging/usr/local/bin/tbot /usr/local/bin/tbot +COPY --from=teleport /opt/staging/opt/teleport/system/bin/tbot /usr/local/bin/tbot ENTRYPOINT ["/usr/local/bin/tbot"] diff --git a/build.assets/charts/Dockerfile-tbot-distroless-fips b/build.assets/charts/Dockerfile-tbot-distroless-fips index 7592a8993ec69..b6fb33caab877 100644 --- a/build.assets/charts/Dockerfile-tbot-distroless-fips +++ b/build.assets/charts/Dockerfile-tbot-distroless-fips @@ -17,5 +17,5 @@ ENV TELEPORT_DEB_FILE_NAME=teleport${TELEPORT_RELEASE_INFIX}_${TELEPORT_VERSION} RUN --mount=type=bind,target=/ctx dpkg-deb -R /ctx/$TELEPORT_DEB_FILE_NAME /opt/staging FROM $BASE_IMAGE -COPY --from=teleport /opt/staging/usr/local/bin/tbot /usr/local/bin/tbot +COPY --from=teleport /opt/staging/opt/teleport/system/bin/tbot /usr/local/bin/tbot ENTRYPOINT ["/usr/local/bin/tbot", "--fips"] diff --git a/examples/systemd/before-remove b/examples/systemd/before-remove new file mode 100755 index 0000000000000..2c83711d60c76 --- /dev/null +++ b/examples/systemd/before-remove @@ -0,0 +1,8 @@ +#!/bin/bash + +# This before remove script is run each time the teleport package is removed. + +set -eu + +echo "Removing symlinks from Teleport system paths..." +/opt/teleport/system/bin/teleport-update unlink-package || true diff --git a/examples/systemd/post-install b/examples/systemd/post-install new file mode 100755 index 0000000000000..189069bd2784d --- /dev/null +++ b/examples/systemd/post-install @@ -0,0 +1,8 @@ +#!/bin/bash + +# This post install script is run each time the teleport package is installed/upgraded. + +set -eu + +echo "Teleport system symlinks creation..." +/opt/teleport/system/bin/teleport-update link-package diff --git a/examples/systemd/post-upgrade b/examples/systemd/post-upgrade old mode 100644 new mode 100755 index 0fe4388403517..499bee029c7ce --- a/examples/systemd/post-upgrade +++ b/examples/systemd/post-upgrade @@ -1,11 +1,5 @@ #!/bin/bash -# this post upgrade script is run each time the teleport package is upgraded +# This post upgrade script is run each time the teleport package is upgraded. set -eu - -# skip reload and restart when systemd is disabled. This is only relevant when -# testing in a container. -if [ -d /run/systemd/system ]; then - systemctl --system daemon-reload >/dev/null || true -fi