public inbox for gentoo-commits@lists.gentoo.org
From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-cluster/teleport/files/, sys-cluster/teleport/
Date: Thu, 20 Jun 2019 06:32:08 +0000 (UTC)
Message-ID: <1561012245.a98d5007f46b36d5069c9f8541267c1ead647840.mgorny@gentoo>

commit:     a98d5007f46b36d5069c9f8541267c1ead647840
Author:     Graeme Lawes <graemelawes <AT> gmail <DOT> com>
AuthorDate: Wed Jun 19 23:07:17 2019 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Thu Jun 20 06:30:45 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a98d5007

sys-cluster/teleport: add v4.0.0

Update files/teleport.yaml for v3.2.*/v4.0.0 features, as v3.1.* and
below have been removed

Signed-off-by: Graeme Lawes <graemelawes <AT> gmail.com>
Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 sys-cluster/teleport/Manifest              |   1 +
 sys-cluster/teleport/files/teleport.yaml   | 123 ++++++++++++++++-------------
 sys-cluster/teleport/teleport-4.0.0.ebuild |  49 ++++++++++++
 3 files changed, 117 insertions(+), 56 deletions(-)

diff --git a/sys-cluster/teleport/Manifest b/sys-cluster/teleport/Manifest
index f444c13ff08..c2553415a1e 100644
--- a/sys-cluster/teleport/Manifest
+++ b/sys-cluster/teleport/Manifest
@@ -2,3 +2,4 @@ DIST teleport-2.7.9.tar.gz 18221805 BLAKE2B c634f97008310c4cabf4020bc8a600de7eb9
 DIST teleport-3.1.8.tar.gz 22605752 BLAKE2B 2ddebb0b0c8c42d36d113e409ce04f194e5ed77a7d88dd3e0a5982e303b8db8e013b156693c5fcd038d9d81f2907d17fdb65f82b34bdc84379bb0c46498e53a5 SHA512 de834309f96c327b54470deec043a498da969c5f3a872777a44143fceb070bd1c9ee837f218f46dc5b82ee1b40fb869a422b8cf9c22d26618f07a069de165f6e
 DIST teleport-3.2.0.tar.gz 22613098 BLAKE2B 0ff9675a071f5fb660ad4a7b0e085b9bec01c3d0967bdd206ce29a51addae545c4b2621854cbffdc0f76d0cbc6e5ec8f39e082b80b26ba13d352b1add199c965 SHA512 a3fdb520a62361f78632ac1680f86f183a533e47696791586b3c5ff7d505eb167a881c438c6a3dd72395140c521c065c8d8e4b93b5b8c9cbf134688dd8c1f8da
 DIST teleport-3.2.6.tar.gz 22620079 BLAKE2B 07b4bcb5b53a511c25f0556fad33b461307b524554e993097f634b1751d7fd3c664de0478427efa18dc20e597fb73f3c5bd09ba961754456245e1306372ed0ee SHA512 20be34820f9b9f29c492f8dabe8914012b66ebfb9db51f3dff0e19b8a1f7b85b948cc1036861d03ca6de9e6f30ba0b43caf4760bc95c74e45a38f0cad080820c
+DIST teleport-4.0.0.tar.gz 34913323 BLAKE2B 2890d18fed82d9a2da18be6ce9c981ddc1a4ac374862d853f09001c88ed3f9092b9a006c98f6d489dcaae8a702827f98ee12e870708d6746f429f9457debbb33 SHA512 b59ee7e99808475d50e84feff160e2a3c71f04d67dc7d8caa9476251c3e1f51d057de7384f4750b60c121db630c49a8315f9903d8f7ae3e04469f4532ca7078c

diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml
index 0ab548c1a46..c6b012590f2 100644
--- a/sys-cluster/teleport/files/teleport.yaml
+++ b/sys-cluster/teleport/files/teleport.yaml
@@ -7,7 +7,7 @@ teleport:
     # by default it's equal to hostname
     # nodename: graviton
 
-    # Data directory where Teleport daemon keeps its data. 
+    # Data directory where Teleport daemon keeps its data.
     # See "Filesystem Layout" section above for more details.
     data_dir: /var/lib/teleport
 
@@ -17,7 +17,7 @@ teleport:
 
     # When running in multi-homed or NATed environments Teleport nodes need
     # to know which IP it will be reachable at by other nodes
-    # 
+    #
     # This value can be specified as FQDN e.g. host.example.com
     # advertise_ip: 10.1.0.5
 
@@ -38,8 +38,10 @@ teleport:
         output: stderr
         severity: ERROR
 
-    # Type of storage used for keys. You need to configure this to use etcd or 
-    # a DynamoDB backend if you want to run Teleport in HA configuration.
+    # Configuration for the storage back-end used for the cluster state and the
+    # audit log. Several back-end types are supported. See "High Availability"
+    # section of this Admin Manual below to learn how to configure DynamoDB, 
+    # S3, etcd and other highly available back-ends.
     storage:
         # By default teleport uses the `data_dir` directory on a local filesystem
         type: dir
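Review bot: the replacement comment line `# section of this Admin Manual below to learn how to configure DynamoDB, ` ends in a trailing space, which is exactly the kind of whitespace the neighbouring hunks of this patch are removing; drop it so the file stays consistently whitespace-clean after this change.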
@@ -54,50 +56,38 @@ teleport:
 
     # Cipher algorithms that the server supports. This section only needs to be
     # set if you want to override the defaults.
-    ciphers:
-      - aes128-ctr
-      - aes192-ctr
-      - aes256-ctr
-      - aes128-gcm@openssh.com
+    # ciphers:
+    #   - aes128-ctr
+    #   - aes192-ctr
+    #   - aes256-ctr
+    #   - aes128-gcm@openssh.com
+    #   - chacha20-poly1305@openssh.com
 
     # Key exchange algorithms that the server supports. This section only needs
     # to be set if you want to override the defaults.
-    kex_algos:
-      - curve25519-sha256@libssh.org
-      - ecdh-sha2-nistp256
-      - ecdh-sha2-nistp384
-      - ecdh-sha2-nistp521
-      - diffie-hellman-group14-sha1
-      - diffie-hellman-group1-sha1
+    # kex_algos:
+    #   - curve25519-sha256@libssh.org
+    #   - ecdh-sha2-nistp256
+    #   - ecdh-sha2-nistp384
+    #   - ecdh-sha2-nistp521
 
     # Message authentication code (MAC) algorithms that the server supports.
     # This section only needs to be set if you want to override the defaults.
-    mac_algos:
-      - hmac-sha2-256-etm@openssh.com
-      - hmac-sha2-256
-      - hmac-sha1
-      - hmac-sha1-96
+    # mac_algos:
+    #   - hmac-sha2-256-etm@openssh.com
+    #   - hmac-sha2-256
 
-    # List of the supported ciphersuites. If this section is not specified, 
+    # List of the supported ciphersuites. If this section is not specified,
     # only the default ciphersuites are enabled.
-    ciphersuites:
-       - tls-rsa-with-aes-128-cbc-sha # default
-       - tls-rsa-with-aes-256-cbc-sha # default
-       - tls-rsa-with-aes-128-cbc-sha256
-       - tls-rsa-with-aes-128-gcm-sha256
-       - tls-rsa-with-aes-256-gcm-sha384
-       - tls-ecdhe-ecdsa-with-aes-128-cbc-sha
-       - tls-ecdhe-ecdsa-with-aes-256-cbc-sha
-       - tls-ecdhe-rsa-with-aes-128-cbc-sha
-       - tls-ecdhe-rsa-with-aes-256-cbc-sha
-       - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256
-       - tls-ecdhe-rsa-with-aes-128-cbc-sha256
-       - tls-ecdhe-rsa-with-aes-128-gcm-sha256
-       - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
-       - tls-ecdhe-rsa-with-aes-256-gcm-sha384
-       - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
-       - tls-ecdhe-rsa-with-chacha20-poly1305
-       - tls-ecdhe-ecdsa-with-chacha20-poly1305
+    # ciphersuites:
+    #    - tls-rsa-with-aes-128-gcm-sha256
+    #    - tls-rsa-with-aes-256-gcm-sha384
+    #    - tls-ecdhe-rsa-with-aes-128-gcm-sha256
+    #    - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
+    #    - tls-ecdhe-rsa-with-aes-256-gcm-sha384
+    #    - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
+    #    - tls-ecdhe-rsa-with-chacha20-poly1305
+    #    - tls-ecdhe-ecdsa-with-chacha20-poly1305
 
 
 # This section configures the 'auth service':
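Review bot: commenting out `ciphers`, `kex_algos`, `mac_algos` and `ciphersuites` matches the surrounding comments, which say these sections only need to be set to override the defaults, and it means a deployment started from this file now runs on the daemon's built-in defaults rather than the pinned 3.x lists. Since the old lists carried `diffie-hellman-group1-sha1`, `diffie-hellman-group14-sha1`, `hmac-sha1`, `hmac-sha1-96` and the CBC TLS suites, and the commented examples now show only the AEAD and SHA-2 entries plus `chacha20-poly1305@openssh.com`, this is a security-relevant change for anyone who copies the file; a sentence in the commit message saying the algorithm lists were dropped in favour of upstream defaults would help operators who previously uncommented or edited them.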
@@ -106,10 +96,10 @@ auth_service:
     enabled: yes
 
     # A cluster name is used as part of a signature in certificates
-    # generated by this CA. 
+    # generated by this CA.
     #
-    # We strongly recommend to explicitly set it to something meaningful as it 
-    # becomes important when configuring trust between multiple clusters. 
+    # We strongly recommend to explicitly set it to something meaningful as it
+    # becomes important when configuring trust between multiple clusters.
     #
     # By default an automatically generated name is used (not recommended)
     #
@@ -138,7 +128,7 @@ auth_service:
     # certificates
     listen_addr: 0.0.0.0:3025
 
-    # The optional DNS name the auth server if locataed behind a load balancer.
+    # The optional DNS name the auth server if located behind a load balancer.
     # (see public_addr section below)
     # public_addr: auth.example.com:3025
 
@@ -163,7 +153,7 @@ auth_service:
     # Only applicable if session_recording=proxy, see "recording proxy mode" for details.
     proxy_checks_host_keys: yes
 
-    # Determines if SSH sessions to cluster nodes are forcefully terminated 
+    # Determines if SSH sessions to cluster nodes are forcefully terminated
     # after no activity from a client (idle client).
     # Examples: "30m", "1h" or "1h30m"
     client_idle_timeout: never
@@ -172,10 +162,6 @@ auth_service:
     # certificates expire in the middle of an active SSH session. (default is 'no')
     disconnect_expired_cert: no
 
-    # If the auth service is deployed outside Kubernetes, but Kubernetes integration
-    # is required, you have to specify a valid kubeconfig credentials:
-    # kubeconfig_file: /path/to/kubeconfig
-
 # This section configures the 'node service':
 ssh_service:
     # Turns 'ssh' role on. Default is 'yes'
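Review bot: `kubeconfig_file` is removed from `auth_service` here while the commit message only says the file was updated for v3.2/v4.0 features; an existing `/etc/teleport/teleport.yaml` may still carry this key under `auth_service`, and the same key is reintroduced under `proxy_service.kubernetes` in the last hunk of this file, so the relocation deserves a line in the commit message (or a post-install note in the ebuild) for people upgrading from the 3.1 config.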
@@ -194,10 +180,11 @@ ssh_service:
         role: master
 
     # List of the commands to periodically execute. Their output will be used as node labels.
-    # See "Labeling Nodes" section below for more information.
+    # See "Labeling Nodes" section below for more information and more examples.
     commands:
-    - name: arch             # this command will add a label like 'arch=x86_64' to a node
-      command: [uname, -p]
+    # this command will add a label 'arch=x86_64' to a node
+    - name: arch
+      command: ['/bin/uname', '-p']
       period: 1h0m0s
 
     # enables reading ~/.tsh/environment before creating a session. by default
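Review bot: switching the label command from `[uname, -p]` to `['/bin/uname', '-p']` is a sensible hardening, since these commands are executed periodically by the node service and an unqualified name would be resolved through whatever `PATH` the daemon inherited; the absolute path assumes coreutils lives in `/bin`, which holds on the Gentoo systems this file ships to.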
@@ -209,7 +196,7 @@ ssh_service:
         enabled: no
         service_name: teleport
 
-# This section configures the 'proxy servie'
+# This section configures the 'proxy service'
 proxy_service:
     # Turns 'proxy' role on. Default is 'yes'
     enabled: yes
@@ -228,13 +215,37 @@ proxy_service:
     # command line (CLI) users via password+HOTP
     web_listen_addr: 0.0.0.0:3080
 
-    # The DNS name the proxy server is accessible by cluster users. Defaults to 
-    # the proxy's hostname if not specified. If running multiple proxies behind 
-    # a load balancer, this name must point to the load balancer
+    # The DNS name the proxy HTTPS endpoint as accessible by cluster users.
+    # Defaults to the proxy's hostname if not specified. If running multiple
+    # proxies behind a load balancer, this name must point to the load balancer
     # (see public_addr section below)
     # public_addr: proxy.example.com:3080
+    
+    # The DNS name of the proxy SSH endpoint as accessible by cluster clients.
+    # Defaults to the proxy's hostname if not specified. If running multiple proxies 
+    # behind a load balancer, this name must point to the load balancer. 
+    # Use a TCP load balancer because this port uses SSH protocol.
+    # ssh_public_addr: proxy.example.com:3023
 
     # TLS certificate for the HTTPS connection. Configuring these properly is
     # critical for Teleport security.
     https_key_file: /var/lib/teleport/webproxy_key.pem
     https_cert_file: /var/lib/teleport/webproxy_cert.pem
+
+    # This section configures the Kubernetes proxy service
+    kubernetes:
+        # Turns 'kubernetes' proxy on. Default is 'no'
+        enabled: no
+
+        # Kubernetes proxy listen address.
+        listen_addr: 0.0.0.0:3026
+
+        # The DNS name of the Kubernetes proxy server that is accessible by cluster clients.
+        # If running multiple proxies behind  a load balancer, this name must point to the 
+        # load balancer.
+        # public_addr: ['kube.example.com:3026']
+
+        # This setting is not required if the Teleport proxy service is 
+        # deployed inside a Kubernetes cluster. Otherwise, Teleport proxy 
+        # will use the credentials from this file:
+        # kubeconfig_file: /path/to/kube/config

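Review bot: several of the added lines carry trailing whitespace (the blank line after `# public_addr: proxy.example.com:3080`, and the comment lines ending `multiple proxies `, `load balancer. `, `point to the `, `service is ` and `Teleport proxy `), and `behind  a load balancer` has a double space; the rest of this patch removes precisely this kind of whitespace, so these should be cleaned before merging. The comment `# The DNS name the proxy HTTPS endpoint as accessible by cluster users.` is also missing "of" after "name". On the content side, the new `kubernetes` block is off by default (`enabled: no`) and its `listen_addr: 0.0.0.0:3026` binds all interfaces, which is consistent with the other listeners in this file.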
diff --git a/sys-cluster/teleport/teleport-4.0.0.ebuild b/sys-cluster/teleport/teleport-4.0.0.ebuild
new file mode 100644
index 00000000000..546c0f2921f
--- /dev/null
+++ b/sys-cluster/teleport/teleport-4.0.0.ebuild
@@ -0,0 +1,49 @@
+# Copyright 2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+inherit golang-build systemd
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [[ ${PV} == "9999" ]] ; then
+	inherit git-r3 golang-vcs
+	EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+	inherit golang-vcs-snapshot
+	SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm"
+fi
+
+IUSE="pam"
+LICENSE="Apache-2.0"
+RESTRICT="test strip"
+SLOT="0"
+
+DEPEND="app-arch/zip"
+RDEPEND="pam? ( sys-libs/pam )"
+
+src_compile() {
+	BUILDFLAGS="" GOPATH="${S}" emake -j1 -C src/${EGO_PN%/*} full
+}
+
+src_install() {
+	keepdir /var/lib/${PN} /etc/${PN}
+	dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+	insinto /etc/${PN}
+	newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml
+
+	newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+	newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+	systemd_newunit "${FILESDIR}"/${PN}.service ${PN}.service
+	systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
+
+src_test() {
+	BUILDFLAGS="" GOPATH="${S}" emake -C src/${EGO_PN%/*} test
+}
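Review bot: `RESTRICT="test strip"` disables the test phase, so the `src_test()` defined at the bottom is dead code; either drop `test` from `RESTRICT` (and then check the test suite builds offline under the sandbox) or drop `src_test()`. Two smaller points: under EAPI 7 `app-arch/zip` is a build-time tool and belongs in `BDEPEND` rather than `DEPEND`, and `IUSE="pam"` only adds `sys-libs/pam` to `RDEPEND` without affecting anything in `src_compile`, so the flag does not currently control whether PAM support is compiled in.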

