Commit graph

282 commits

Author SHA1 Message Date
Hannes Mehnert a4c4331b71 TLS applications: initialize RNG 2020-06-15 16:33:11 +02:00
Hannes Mehnert ceafacbd2a require tls 1.3, avoid renegotiation (client certificate is now already encrypted) 2020-05-19 21:07:39 +02:00
Hannes Mehnert ccf3cae68c albatrossd: style cleanups 2020-05-19 21:00:37 +02:00
Magnus Skjegstad 50958a32f5
Albatrossd: --enable-stats and --retry-connections (#33)
* Make albatrossd wait for other sockets to appear if --retry-connections is specified
* Connect to log/console before creating main socket
* Disable stats by default unless --enable-stats is specified
2020-05-19 20:51:32 +02:00
Hannes Mehnert 604f3ec52e Bos.OS.Cmd.run_out needs to check the exit status (using Bos.OS.Cmd.success) 2020-05-11 13:26:35 +02:00
Hannes Mehnert ab76e1ef89 metrics got released, no longer pin-depend 2020-05-09 22:47:54 +02:00
Hannes Mehnert 0920ae142e on cirrus, watermark (dune subst) and build with release profile before packaging and uploading 2020-05-02 22:08:59 +02:00
Hannes Mehnert 7cad9bd08d on linux, be a bit smarter about which network device name to use 2020-04-25 19:59:19 +02:00
Hannes Mehnert 0c5af23848 vmmd: unikernel_info no longer transfers the unikernel image
regression introduced in dfd22be62b
(which prepared dumping to a file, and restart-on-failure)
this is not desired from a bandwidth point of view, if it is
considered to be a useful feature, there should be a separate
command for it
2020-04-25 17:12:41 +02:00
Hannes Mehnert 1fbec307ab update FreeBSD in cirrus to 12.1 2020-04-25 16:42:39 +02:00
Hannes Mehnert 0932d06c41 client: provide exit code depending on failure
fixes #31, piggy-backs on the 'a in type 'a result = [ `Ok of 'a | ... ]
the code uses Ok Albatross_cli.Remote_command_failed to signal "exit 123"
2020-04-25 16:28:48 +02:00
Hannes Mehnert 9bc4d478d5 albatross_cli: fix docstring of dbdir location on linux 2020-04-21 11:19:12 +02:00
Hannes Mehnert c0f093d39c add ISC license (fixes #13, re-requested by Poulpe on discord) 2020-04-21 11:10:46 +02:00
Hannes Mehnert 4c9faf4262 adapt to x509 0.11.0 API changes 2020-04-21 11:10:39 +02:00
Hannes Mehnert b7747a2547 linux tap device discovery: redirect stderr of run to /dev/null 2020-04-21 11:07:57 +02:00
Hannes Mehnert 03c9948526 avoid brctl on Linux, use ip instead 2020-04-09 17:02:17 +02:00
Hannes Mehnert be83686a22 Vmm_unix: fix ip tuntap command (provide tap name earlier), also set link up 2020-04-03 17:44:21 +02:00
Hannes Mehnert 18728a7601 packaging/linux: cleanups of systemd scripts
- console creates the run directories (albatross albatross/fifo albatross/util)
-> log depends on console
- albatross/fifo needs special permission (albatross_daemon creates fifo there, albatross_console needs to read them)
- use /var/lib/albatross/albatross.log for the log file
- only require root in albatross_daemon, use user albatross in albatross_console and albatross_log
- defer albatross_stat for now
2020-04-03 17:43:45 +02:00
Hannes Mehnert 59212bdca9 [ci skip] minor rewording 2020-03-31 21:18:09 +02:00
Hannes Mehnert 14f861b945 stats: instead of executing the sysctl kinfo_proc twice (for retrieving kinfo_mem and rusage), only execute it once 2020-03-31 11:53:07 +02:00
Hannes Mehnert 65693ea188 revise the "--net=yyy" argument to (optionally) contain a service:bridge
it used to only contain service, and used the same string for the bridge. This
is not flexible enough to run off-the-shelf unikernels (configured for bridge
"service" and "management" on multi-homed servers). The old behaviour is the
new default (i.e. "--net=service" creates and attaches a tap device to bridge
"service", and passes "--net:service=tapYY" to the solo5 tender). But it is more
flexible now: "--net=service:other-bridge" will create a tap device attached to
"other-bridge" and pass "--net:service=tapYY" to the tender. This way, there's
no need to match bridge names on the actual server with network device names of
the unikernels.

NB: this is (mostly) backwards-compatible: the on-disk data structures are
versioned (and the version is bumped with this PR), an old albatross client can
send "create" commands to a new server. But a new client will get a parse error
from an old server - which is fine taking into consideration the deployment
base.
2020-03-25 16:09:23 +01:00
Hannes Mehnert 19a817e26c cirrus: install pkgconf 2020-03-13 18:37:12 +01:00
Hannes Mehnert a134218b64 use mirage-crypto and modern tls 2020-03-13 16:36:05 +01:00
Hannes Mehnert 22ce1fbdbc
Merge pull request #25 from hannesm/linux2
Linux support
2020-02-20 21:01:52 +01:00
Hannes Mehnert da5ed22a14 compute uptime from now - started 2020-02-16 19:47:39 +01:00
Hannes Mehnert ff59f05660 compatibility with x509 0.9.0 2020-02-16 16:33:19 +01:00
Hannes Mehnert eebecd4a96 adjust cirrus for new location of create_package.sh 2019-11-27 11:28:38 +01:00
Hannes Mehnert 05ab18457b systemd services, based on ee49c6240aa2cf2c9dac47eff6c751ce8c17efb5 by @cfcs 2019-11-27 11:27:55 +01:00
Hannes Mehnert 3dc21c037e move FreeBSD packaging to packaging/FreeBSD 2019-11-27 11:27:55 +01:00
Hannes Mehnert eccdaeafda set umask in mkfifo 2019-11-27 11:27:55 +01:00
Hannes Mehnert 34817a2090 notes about brctl, could potentially be replaced by ip 2019-11-27 11:27:55 +01:00
Hannes Mehnert 6206e8681a make dbdir and tmpdir platform-specific and overwritable by all command line utilities 2019-11-27 11:27:55 +01:00
Hannes Mehnert 56aa5545f8 basic cirrus on FreeBSD set 2019-11-27 11:27:25 +01:00
Hannes Mehnert 2d26a56c0d
Merge pull request #24 from hannesm/versioning
Versioning
2019-11-13 19:01:44 +01:00
Hannes Mehnert 13e731b78e albatross tls: re-allow root in leaf certificate (i.e. root) to fix log and info commands via tls
this is an interaction of 057dbbf147 (allow multiple labels in leaf certificates) and a579a8e143 (print root as "." instead of "")
2019-11-11 23:20:03 +01:00
Hannes Mehnert ff067255b0 albatrossd: acquire lock for restore 2019-11-11 23:20:03 +01:00
Hannes Mehnert 784429744c versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 23:20:03 +01:00
Hannes Mehnert 365a569b25 albatross_ca: compare request vs my version, write mine, bump to AV4 2019-11-11 19:18:48 +01:00
Hannes Mehnert af04739575 albatross_ca: default to 1 day for leaf certificates, 1 year for intermediate policy_add certificates 2019-11-10 23:23:42 +01:00
Hannes Mehnert b1272a75ec create from state in series, not parallel to avoid communication mishappenings
the socket lock was removed in 58c34907 in favour of a global lock -- but the
bootup used an iter_p for create (which is usually called with the lock being
held by the caller)
2019-11-09 21:32:49 +01:00
Hannes Mehnert bcb3efcb23 canonical tag is vm (historical reasons), let's unify 2019-11-09 20:52:39 +01:00
Hannes Mehnert 057dbbf147 revise naming freedom: multiple labels are allowed in certificate common names
influx may drop topmost label (if --drop-label provided)
2019-11-09 20:36:32 +01:00
Hannes Mehnert ec9f00b39a vmm_ring revise implementation 2019-10-29 20:42:51 +01:00
Hannes Mehnert 8a113e5ce0 revise log and console subscription protocol, require either since or count 2019-10-29 20:17:50 +01:00
Hannes Mehnert 90d1fd9d7d console: use Lwt_unix.openfile (RDONLY; NONBLOCK) to open the fifo, followed
by Lwt_unix.wait_read (in read_console, called asynchronously in a fresh task)
and only then convert to a Lwt_io.t (of_fd ~mode:Input) -- thanks to @cfcs

This allows albatross to be run on Linux, where the former code led to:
- open FIFO
- read <- EOF (although no writer was connected yet)

this works nicely around ocsigen/lwt#741
2019-10-27 23:23:54 +01:00
Hannes Mehnert 82782363b8 Vmm_unix.check_commands : unit -> (unit, [> `Msg of string ]) result - which
checks (platform-dependent) all required executables
Vmm_unix.prepare/exec execute solo5-{spt/hvt} depending on the image type
 (solo5-elftool figures that out), use jsonm to parse output
Vmm_unix: use ip on linux, no longer ifconfig
2019-10-27 21:31:37 +01:00
Hannes Mehnert 01f6983325 cosmetics 2019-10-27 19:47:37 +01:00
Hannes Mehnert 1d33c17b53 use a variant for uname result, not strings 2019-10-27 19:43:54 +01:00
Hannes Mehnert e1239366e1 travis: use docker, test on 4.08 and 4.09 as well 2019-10-15 20:25:44 +02:00
Hannes Mehnert 537c113a8a albatross_log: a read-only mode to read a log file 2019-10-15 00:50:16 +02:00