[teleport-update] Isolated installation suffix

[sclevine]

This PR adds support for isolated installations of agents that can operate and be updated independently on the same Linux machine.

Any time teleport-update is run with the --install-suffix flag, it modifies the paths to use isolated directories and suffixes.

Note that the non-isolated paths have changed significantly as well. See this comment.

System package install:

Binaries: /opt/teleport/system/bin/* -> /usr/local/bin/*
Service: /opt/teleport/system/lib/systemd/system/teleport.service -> /lib/systemd/system/teleport.service
(others same as below)

Non-isolated, auto-updates:

Binaries: /opt/teleport/default/versions/1.2.3/bin/* -> /usr/local/bin/*
Service: /opt/teleport/default/versions/1.2.3/lib/systemd/system/teleport.service ->
/lib/systemd/system/teleport.service
Lock: /opt/teleport/default/update.lock
Data dir: /var/lib/teleport
PID: /run/teleport.pid
Config: /etc/teleport.yaml
Defaults: /etc/defaults/teleport
Updater service: /etc/systemd/system/teleport-update.service

Isolated, auto-updates:

Binaries: /opt/teleport/mycluster/versions/1.2.3/bin/* -> /opt/teleport/mycluster/bin/*
Service: /opt/teleport/mycluster/versions/1.2.3/lib/systemd/system/teleport.service ->
/etc/systemd/system/teleport_mycluster.service
Lock: /opt/teleport/mycluster/update.lock
Data dir: /var/lib/teleport_mycluster
PID: /run/teleport_mycluster.pid
Config: /etc/teleport_mycluster.yaml
Defaults: /etc/defaults/teleport (shared)
Updater service: /etc/systemd/system/teleport-update_mycluster.service

Note that the non-isolated installation uses system package paths for the systemd service, config, PID file, and data dir to maintain compatibility with existing installation methods, such as the package.

Also note that the underlying struct is called Namespace. I plan to change this to InstallSuffix in the future, but I have several PRs chained on top of this one, so I want to leave it as-is for now.

---

The teleport-update binary will be used to enable, disable, and trigger automatic Teleport agent updates.

RFD: #47126
Goal (internal): https://github.com/gravitational/cloud/issues/10289

Example:

ubuntu@legendary-mite:~$ sudo ./teleport-update enable --install-suffix mycluster --proxy=proxy.example.com
2024-11-22T21:52:21Z WARN [UPDATER]   Custom namespace is specified. Teleport's data_dir must be configured accordingly. data_dir:/var/lib/teleport_mycluster path:/opt/teleport/mycluster/bin config:/etc/teleport_mycluster.yaml service:teleport_mycluster.service pid:/run/teleport_mycluster.pid teleport-update/main.go:284
2024-11-22T21:52:22Z INFO [UPDATER]   Initiating installation. target_version:16.4.7 active_version: agent/updater.go:331
2024-11-22T21:52:22Z INFO [UPDATER]   Version already present. version:16.4.7 agent/installer.go:150
2024-11-22T21:52:22Z INFO [UPDATER]   Executing new teleport-update binary to update configuration. agent/updater.go:150
2024-11-22T21:52:23Z INFO [UPDATER]   Systemd configuration synced. unit:teleport-update_mycluster.timer agent/process.go:259
2024-11-22T21:52:23Z INFO [UPDATER]   [stderr] Created symlink /etc/systemd/system/teleport_mycluster.service.wants/teleport-update_mycluster.timer → /etc/systemd/system/teleport-update_mycluster.timer. agent/process.go:392
2024-11-22T21:52:23Z INFO [UPDATER]   Service enabled. unit:teleport-update_mycluster.timer agent/process.go:276
2024-11-22T21:52:23Z INFO [UPDATER]   Finished executing new teleport-update binary. agent/updater.go:156
2024-11-22T21:52:23Z INFO [UPDATER]   Target version successfully installed. target_version:16.4.7 agent/updater.go:702
2024-11-22T21:52:23Z WARN [UPDATER]   Systemd service not running. unit:teleport_mycluster.service agent/process.go:84
2024-11-22T21:52:23Z INFO [UPDATER]   Configuration updated. agent/updater.go:347
ubuntu@legendary-mite:~$ ls -la /opt/teleport/mycluster/bin/
lrwxrwxrwx 1 root root   66 Nov 22 21:08 fdpass-teleport -> /opt/teleport/mycluster/versions/16.4.7/bin/fdpass-teleport
lrwxrwxrwx 1 root root   55 Nov 22 21:08 tbot -> /opt/teleport/mycluster/versions/16.4.7/bin/tbot
lrwxrwxrwx 1 root root   55 Nov 22 21:08 tctl -> /opt/teleport/mycluster/versions/16.4.7/bin/tctl
lrwxrwxrwx 1 root root   59 Nov 22 21:08 teleport -> /opt/teleport/mycluster/versions/16.4.7/bin/teleport
lrwxrwxrwx 1 root root   65 Nov 22 21:10 teleport-update -> /home/ubuntu/mounts/teleport/tool/teleport-update/teleport-update
lrwxrwxrwx 1 root root   54 Nov 22 21:08 tsh -> /opt/teleport/mycluster/versions/16.4.7/bin/tsh
ubuntu@legendary-mite:~$ ls -la /etc/systemd/system/teleport*
-rw-r--r-- 1 root root  138 Nov 22 00:23 teleport-update.service
-rw-r--r-- 1 root root  171 Nov 22 00:23 teleport-update.timer
-rw-r--r-- 1 root root  203 Nov 22 21:52 teleport-update_mycluster.service
-rw-r--r-- 1 root root  205 Nov 22 21:52 teleport-update_mycluster.timer
-rw-r--r-- 1 root root  504 Nov 22 21:52 teleport_mycluster.service
ubuntu@legendary-mite:~$ ls -la /etc/systemd/system/teleport.service 
-rw-r--r-- 1 root root 435 Nov 22 00:03 /etc/systemd/system/teleport.service
ubuntu@legendary-mite:~$ ls -la /opt/teleport/mycluster/
drwxr-xr-x 5 root root 4096 Nov 22 21:08 16.4.7
-rw-r--r-- 1 root root  177 Nov 22 21:55 update.yaml

[sclevine]

@hugoShaka FYI, decided to ship this sooner since initial users of the time-based schedule had asked for it. Let me know if the UX seems reasonable. Everything gets a --namespace flag, namespaces must be alphanumeric + -, and _ is used to separate the name and namespace.

[sclevine]

After testing this out over the weekend, and researching prior art for similar packages, I'd like to recommend an alternative set of paths, for both namespaced and non-namespaced installations.

I found that while it's common to keep package-sized data in /var/lib, keeping executables there can cause problems for CIS Benchmarks that require certain subdirectories of /var to be mounted noexec, such as CCE-82008-4. While it's possible to work around these requirements, there are other issues that make /var/lib/teleport less ideal:

1. Existing automated backups for /var/lib/teleport will unexpectedly increase in size
2. Attempting to reset the agent installation by deleting /var/lib/teleport will leave broken symlinks
3. /var may be more likely to need selinux rule changes than other locations.

Examples of issues caused by noexec on /var:

• Cannot install K3s with noexec flag in /var k3s-io/k3s#7296
• problems when var partition is mounted as "noexec" Azure/WALinuxAgent#1388
• https://knowledge.broadcom.com/external/article/195547/impact-of-removing-noexec-for-var-in-etc.html

Additionally, while it's somewhat common for packages to create /usr/local/<package>, such as /usr/local/ssl for some installations of OpenSSL, it is technically not FHS-compliant. FHS is clear that /usr/local should not have non-FHS defined subdirectories.

On top that, I noticed that /var/lib/teleport is intended to have 700 permissions by default, which is incompatible with path traversal for running Teleport binaries. I would prefer not to change the default permissions on the data directory.

For namespaces specifically, I think it would be more convenient to create namespaced data directories outside of the primary data dir /var/lib/teleport, so that they can easily be stored on separate volumes and backed-up separately. Adding other data directories (and Teleport packages) to /var/lib/teleport also makes the `--data-dir argument confusing.

Finally, all systemd service files that are not installed by packages should be installed in /etc/systemd/system. I cannot find any examples of non-packaged software installing into /lib. For example, K3s installs its services into /etc/systemd/system, and also supports auto-updates.

My new proposal is this:

System package install:

Binaries: /opt/teleport/system/bin/* -> /usr/local/bin/*
Service: /opt/teleport/system/lib/systemd/system/teleport.service -> /lib/systemd/system/teleport.service
(others same as below)

Non-namespaced, auto-updates:

Binaries: /opt/teleport/default/versions/1.2.3/bin/* -> /usr/local/bin/*
Service: /opt/teleport/default/versions/1.2.3/lib/systemd/system/teleport.service ->
/lib/systemd/system/teleport.service
Lock: /opt/teleport/default/update.lock
Data dir: /var/lib/teleport
PID: /run/teleport.pid
Config: /etc/teleport.yaml
Defaults: /etc/defaults/teleport
Updater service: /etc/systemd/system/teleport-update.service

Namespaced, auto-updates:

Binaries: /opt/teleport/mycluster/versions/1.2.3/bin/* -> /opt/teleport/mycluster/bin/*
Service: /opt/teleport/mycluster/versions/1.2.3/lib/systemd/system/teleport.service ->
/etc/systemd/system/teleport_mycluster.service
Lock: /opt/teleport/mycluster/update.lock
Data dir: /var/lib/teleport_mycluster
PID: /run/teleport_mycluster.pid
Config: /etc/teleport_mycluster.yaml
Defaults: /etc/defaults/teleport (shared)
Updater service: /etc/systemd/system/teleport-update_mycluster.service

Let me know if this seems better. I have updated the PR description accordingly, and I'm working on updating the PR.

[sclevine]

CC: @vapopov re: moving the system package paths to /opt/teleport/system

[sclevine]

This is blocking a few other PRs, looking for reviews when anyone has a chance 🙂

[vapopov]

is it possible that we define a name of the existing namespace? should we validate this case in constructor?

[sclevine]

NewNamespace is intended to be used with existing namespaces. It's just used to generate the appropriate set of paths the Updater to read/write.

[sclevine]

@timothyb89 @flyinghermit @hugoShaka looking for one more review 🙂

[zmb3]

You may want to replace the trace.Errorf calls, but LGTM otherwise.

[sclevine]

@zmb3 thanks, #49388 is based on this PR, so these will get fixed after rebasing 🙂