[teleport-update] Move teleport binaries to new path {deb,rpm} (#49110)

* Move teleport binaries to new path * Use link/unlink command to manage links Move teleport.service to new path * Move teleport binaries under standard path for distroless Cleanup * Fix wrong move path * Create missing directory * Rename link/unlink commands * Exclude teleport-update from docker image Systemd reload now managed by teleport-update Make safe unlink not to block package removal * Add teleport-update to AMI image build * Fix RPM build, fpm automatically manage scripts * Fix AMI build, add missing teleport.service * Move binaries to /opt/teleport/system
gravitational · Dec 16, 2024 · 278dfc8 · 278dfc8
1 parent af2db96
commit 278dfc8
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 17 deletions.
diff --git a/assets/aws/files/install-hardened.sh b/assets/aws/files/install-hardened.sh
@@ -23,11 +23,16 @@ usermod -a -G adm teleport
 # Setup teleport run dir for pid files
 install -d -m 0700 -o teleport -g adm /var/lib/teleport
 install -d -m 0755 -o teleport -g adm /run/teleport /etc/teleport.d
+# Setup teleport/system directory
+install -d -m 0755 -o teleport -g adm /opt/teleport/system/bin
+install -d -m 0755 -o teleport -g adm /opt/teleport/system/lib/systemd/system
 
 # Extract tarball to /tmp/teleport to get the binaries out
 mkdir /tmp/teleport
 tar -C /tmp/teleport -x -z -f /tmp/teleport.tar.gz --strip-components=1
-install -m 755 /tmp/teleport/{tctl,tsh,teleport,tbot,fdpass-teleport} /usr/local/bin
+install -m 755 /tmp/teleport/{tctl,tsh,teleport,tbot,fdpass-teleport,teleport-update} /opt/teleport/system/bin
+install -m 755 /tmp/teleport/examples/systemd/teleport.service /opt/teleport/system/lib/systemd/system
+/opt/teleport/system/bin/teleport-update link-package
 rm -rf /tmp/teleport /tmp/teleport.tar.gz
 
 if [[ "${TELEPORT_FIPS}" == 1 ]]; then

diff --git a/build.assets/build-package.sh b/build.assets/build-package.sh
@@ -63,8 +63,8 @@ TARBALL_DIRECTORY="$s"
 GNUPG_DIR=${GNUPG_DIR:-/tmp/gnupg}
 
 # linux package configuration
-LINUX_BINARY_DIR=/usr/local/bin
-LINUX_SYSTEMD_DIR=/lib/systemd/system
+LINUX_BINARY_DIR=/opt/teleport/system/bin
+LINUX_SYSTEMD_DIR=/opt/teleport/system/lib/systemd/system
 LINUX_CONFIG_DIR=/etc
 LINUX_DATA_DIR=/var/lib/teleport
 
@@ -229,8 +229,8 @@ if [[ "${PACKAGE_TYPE}" == "pkg" ]]; then
         PKG_FILENAME="teleport-bin-${TELEPORT_VERSION}${ARCH_TAG}.${PACKAGE_TYPE}"
     fi
 else
-    FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/examples/systemd/teleport.service ${TAR_PATH}/examples/systemd/post-upgrade"
-    LINUX_BINARY_FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/teleport"
+    FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/teleport ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/teleport-update ${TAR_PATH}/examples/systemd/teleport.service ${TAR_PATH}/examples/systemd/post-install ${TAR_PATH}/examples/systemd/before-remove"
+    LINUX_BINARY_FILE_LIST="${TAR_PATH}/tsh ${TAR_PATH}/tctl ${TAR_PATH}/tbot ${TAR_PATH}/fdpass-teleport ${TAR_PATH}/teleport ${TAR_PATH}/teleport-update"
     LINUX_SYSTEMD_FILE_LIST="${TAR_PATH}/examples/systemd/teleport.service"
     EXTRA_DOCKER_OPTIONS=""
     RPM_SIGN_STANZA=""
@@ -294,8 +294,12 @@ if [[ "${PACKAGE_TYPE}" != "pkg" ]]; then
         CONFIG_FILE_STANZA="--config-files /src/buildroot${LINUX_CONFIG_DIR}/${LINUX_CONFIG_FILE} "
     fi
 
-    # include post-upgrade script
-    mv -v ${TAR_PATH}/examples/systemd/post-upgrade ${PACKAGE_TEMPDIR}
+    # include post-install and before-remove script
+    mv -v ${TAR_PATH}/examples/systemd/post-install ${PACKAGE_TEMPDIR}
+    mv -v ${TAR_PATH}/examples/systemd/before-remove ${PACKAGE_TEMPDIR}
+
+    # create versions folder
+    mkdir -p ${PACKAGE_TEMPDIR}/buildroot${LINUX_DATA_DIR}/versions
 
     # /var/lib/teleport
     # shellcheck disable=SC2174
@@ -371,7 +375,8 @@ else
         --provides teleport \
         --prefix / \
         --verbose \
-        --after-upgrade /src/post-upgrade \
+        --after-install /src/post-install \
+        --before-remove /src/before-remove \
         ${CONFIG_FILE_STANZA} \
         ${FILE_PERMISSIONS_STANZA} \
         "${LICENSE_STANZA[@]}" \

diff --git a/build.assets/charts/Dockerfile-distroless b/build.assets/charts/Dockerfile-distroless
@@ -23,7 +23,10 @@ COPY $TELEPORT_DEB_FILE_NAME ./$TELEPORT_DEB_FILE_NAME
 RUN dpkg-deb -R $TELEPORT_DEB_FILE_NAME /opt/staging && \
     mkdir -p /opt/staging/etc/teleport && \
     mkdir -p /opt/staging/var/lib/dpkg/status.d/ && \
+    mkdir -p /opt/staging/usr/local/bin && \
     mv /opt/staging/DEBIAN/control /opt/staging/var/lib/dpkg/status.d/teleport && \
+    mv /opt/staging/opt/teleport/system/bin/* /opt/staging/usr/local/bin/ && \
+    rm -f /opt/staging/usr/local/bin/teleport-update && \
     rm -rf /opt/staging/DEBIAN
 
 FROM $BASE_IMAGE

diff --git a/build.assets/charts/Dockerfile-distroless-fips b/build.assets/charts/Dockerfile-distroless-fips
@@ -23,7 +23,10 @@ COPY $TELEPORT_DEB_FILE_NAME ./$TELEPORT_DEB_FILE_NAME
 RUN dpkg-deb -R $TELEPORT_DEB_FILE_NAME /opt/staging && \
     mkdir -p /opt/staging/etc/teleport && \
     mkdir -p /opt/staging/var/lib/dpkg/status.d/ && \
+    mkdir -p /opt/staging/usr/local/bin && \
     mv /opt/staging/DEBIAN/control /opt/staging/var/lib/dpkg/status.d/teleport && \
+    mv /opt/staging/opt/teleport/system/bin/* /opt/staging/usr/local/bin/ && \
+    rm -f /opt/staging/usr/local/bin/teleport-update && \
     rm -rf /opt/staging/DEBIAN
 
 FROM $BASE_IMAGE

diff --git a/build.assets/charts/Dockerfile-tbot-distroless b/build.assets/charts/Dockerfile-tbot-distroless
@@ -17,5 +17,5 @@ ENV TELEPORT_DEB_FILE_NAME=teleport${TELEPORT_RELEASE_INFIX}_${TELEPORT_VERSION}
 RUN --mount=type=bind,target=/ctx dpkg-deb -R /ctx/$TELEPORT_DEB_FILE_NAME /opt/staging
 
 FROM $BASE_IMAGE
-COPY --from=teleport /opt/staging/usr/local/bin/tbot /usr/local/bin/tbot
+COPY --from=teleport /opt/staging/opt/teleport/system/bin/tbot /usr/local/bin/tbot
 ENTRYPOINT ["/usr/local/bin/tbot"]
diff --git a/build.assets/charts/Dockerfile-tbot-distroless-fips b/build.assets/charts/Dockerfile-tbot-distroless-fips
@@ -17,5 +17,5 @@ ENV TELEPORT_DEB_FILE_NAME=teleport${TELEPORT_RELEASE_INFIX}_${TELEPORT_VERSION}
 RUN --mount=type=bind,target=/ctx dpkg-deb -R /ctx/$TELEPORT_DEB_FILE_NAME /opt/staging
 
 FROM $BASE_IMAGE
-COPY --from=teleport /opt/staging/usr/local/bin/tbot /usr/local/bin/tbot
+COPY --from=teleport /opt/staging/opt/teleport/system/bin/tbot /usr/local/bin/tbot
 ENTRYPOINT ["/usr/local/bin/tbot", "--fips"]
diff --git a/examples/systemd/before-remove b/examples/systemd/before-remove
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# This before remove script is run each time the teleport package is removed.
+
+set -eu
+
+echo "Removing symlinks from Teleport system paths..."
+/opt/teleport/system/bin/teleport-update unlink-package || true
diff --git a/examples/systemd/post-install b/examples/systemd/post-install
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# This post install script is run each time the teleport package is installed/upgraded.
+
+set -eu
+
+echo "Teleport system symlinks creation..."
+/opt/teleport/system/bin/teleport-update link-package
diff --git a/examples/systemd/post-upgrade b/examples/systemd/post-upgrade
@@ -1,11 +1,5 @@
 #!/bin/bash
 
-# this post upgrade script is run each time the teleport package is upgraded
+# This post upgrade script is run each time the teleport package is upgraded.
 
 set -eu
-
-# skip reload and restart when systemd is disabled. This is only relevant when
-# testing in a container.
-if [ -d /run/systemd/system ]; then
-    systemctl --system daemon-reload >/dev/null || true
-fi