Commit graph

290 commits

Author SHA1 Message Date
Hannes Mehnert da8b71cd2e bash is needed now (for parsexp 0.14) 2020-07-05 21:28:59 +02:00
Hannes Mehnert c7b468fe09 new command: get which downloads a unikernel and dumps it into a file 2020-07-05 21:27:44 +02:00
Hannes Mehnert 5adc2f0a8a vmm_asn: instead of potentially losing information, be honest and fail if requested to encode older versions of unikernel configuration 2020-07-05 20:53:57 +02:00
Hannes Mehnert 125711ac6d further rng cleanups (remove deps from dune); albatross-client-inspect-dump which reads a state file (for cautious upgrades) 2020-07-05 20:39:29 +02:00
Hannes Mehnert d93a683d94 tls: no need to initialize rng (tls.lwt does this for us) 2020-06-23 20:03:59 +02:00
Hannes Mehnert c98ac0494d retry-connections now defaults to 0
this makes it much easier to reason about the initialization.

for production, init scripts should enforce the dependency order
for testing, provide your own if desired

//cc MagnusS

also move enable_stats and retry_connections up (before exit codes)
2020-06-16 11:45:47 +02:00
Hannes Mehnert 21406965e7 require OCaml 4.08.0 since mirage-crypto depends on 4.08 2020-06-15 18:17:12 +02:00
Hannes Mehnert b07f09ba12 remove superfluous and outdated .ocamlinit 2020-06-15 16:48:59 +02:00
Hannes Mehnert a4c4331b71 TLS applications: initialize RNG 2020-06-15 16:33:11 +02:00
Hannes Mehnert ceafacbd2a require tls 1.3, avoid renegotiation (client certificate is now already encrypted) 2020-05-19 21:07:39 +02:00
Hannes Mehnert ccf3cae68c albatrossd: style cleanups 2020-05-19 21:00:37 +02:00
Magnus Skjegstad 50958a32f5
Albatrossd: --enable-stats and --retry-connections (#33)
* Make albatrossd wait for other sockets to appear if --retry-connections is specified
* Connect to log/console before creating main socket
* Disable stats by default unless --enable-stats is specified
2020-05-19 20:51:32 +02:00
Hannes Mehnert 604f3ec52e Bos.OS.Cmd.run_out needs to check the exit status (using Bos.OS.Cmd.success) 2020-05-11 13:26:35 +02:00
Hannes Mehnert ab76e1ef89 metrics got released, no longer pin-depend 2020-05-09 22:47:54 +02:00
Hannes Mehnert 0920ae142e on cirrus, watermark (dune subst) and build with release profile before packaging and uploading 2020-05-02 22:08:59 +02:00
Hannes Mehnert 7cad9bd08d on linux, be a bit smarter which network device name to use 2020-04-25 19:59:19 +02:00
Hannes Mehnert 0c5af23848 vmmd: unikernel_info no longer transfers the unikernel image
regression introduced in dfd22be62b
(which prepared dumping to a file, and restart-on-failure)
this is not desired from a bandwidth point of view, if it is
considered to be a useful feature, there should be a separate
command for it
2020-04-25 17:12:41 +02:00
Hannes Mehnert 1fbec307ab update FreeBSD in cirrus to 12.1 2020-04-25 16:42:39 +02:00
Hannes Mehnert 0932d06c41 client: provide exit code depending on failure
fixes #31, piggy-backs on the 'a in type 'a result = [ `Ok of 'a | ... ]
the code uses Ok Albatross_cli.Remote_command_failed to signal "exit 123"
2020-04-25 16:28:48 +02:00
Hannes Mehnert 9bc4d478d5 albatross_cli: fix docstring of dbdir location on linux 2020-04-21 11:19:12 +02:00
Hannes Mehnert c0f093d39c add ISC license (fixes #13, re-requested by Poulpe on discord) 2020-04-21 11:10:46 +02:00
Hannes Mehnert 4c9faf4262 adapt to x509 0.11.0 API changes 2020-04-21 11:10:39 +02:00
Hannes Mehnert b7747a2547 linux tap device discovery: redirect stderr of run to /dev/null 2020-04-21 11:07:57 +02:00
Hannes Mehnert 03c9948526 avoid brctl on Linux, use ip instead 2020-04-09 17:02:17 +02:00
Hannes Mehnert be83686a22 Vmm_unix: fix ip tuntap command (provide tap name earlier), also set link up 2020-04-03 17:44:21 +02:00
Hannes Mehnert 18728a7601 packaging/linux: cleanups of systemd scripts
- console creates the run directories (albatross albatross/fifo albatross/util)
-> log depends on console
- albatross/fifo needs special permission (albatross_daemon creates fifo there, albatross_console needs to read them)
- use /var/lib/albatross/albatross.log for the log file
- only require root in albatross_daemon, use user albatross in albatross_console and albatross_log
- defer albatross_stat for now
2020-04-03 17:43:45 +02:00
Hannes Mehnert 59212bdca9 [ci skip] minor rewording 2020-03-31 21:18:09 +02:00
Hannes Mehnert 14f861b945 stats: instead of executing the sysctl kinfo_proc twice (for retrieving kinfo_mem and rusage), only execute it once 2020-03-31 11:53:07 +02:00
Hannes Mehnert 65693ea188 revise the "--net=yyy" argument to (optionally) contain a service:bridge
it used to only contain service, and used the same string for the bridge. This
is not flexible enough to run off-the-shelf unikernels (configured for bridge
"service" and "management" on multi-homed servers). The old behaviour is the
new default (i.e. "--net=service" creates and attaches a tap device to bridge
"service", and passes "--net:service=tapYY" to the solo5 tender). But it is more
flexible now: "--net=service:other-bridge" will create a tap device attached to
"other-bridge" and pass "--net:service=tapYY" to the tender. This way, there's
no need to match bridge names on the actual server with network device names of
the unikernels.

NB: this is (mostly) backwards-compatible: the on-disk data structures are
versioned (and the version is bumped with this PR), an old albatross client can
send "create" commands to a new server. But a new client will get a parse error
from an old server - which is fine taking into consideration the deployment
base.
2020-03-25 16:09:23 +01:00
Hannes Mehnert 19a817e26c cirrus: install pkgconf 2020-03-13 18:37:12 +01:00
Hannes Mehnert a134218b64 use mirage-crypto and modern tls 2020-03-13 16:36:05 +01:00
Hannes Mehnert 22ce1fbdbc
Merge pull request #25 from hannesm/linux2
Linux support
2020-02-20 21:01:52 +01:00
Hannes Mehnert da5ed22a14 compute uptime from now - started 2020-02-16 19:47:39 +01:00
Hannes Mehnert ff59f05660 compatibility with x509 0.9.0 2020-02-16 16:33:19 +01:00
Hannes Mehnert eebecd4a96 adjust cirrus for new location of create_package.sh 2019-11-27 11:28:38 +01:00
Hannes Mehnert 05ab18457b systemd services, based on ee49c6240aa2cf2c9dac47eff6c751ce8c17efb5 by @cfcs 2019-11-27 11:27:55 +01:00
Hannes Mehnert 3dc21c037e move FreeBSD packaging to packaging/FreeBSD 2019-11-27 11:27:55 +01:00
Hannes Mehnert eccdaeafda set umask in mkfifo 2019-11-27 11:27:55 +01:00
Hannes Mehnert 34817a2090 notes about brctl, could potentially be replaced by ip 2019-11-27 11:27:55 +01:00
Hannes Mehnert 6206e8681a make dbdir and tmpdir platform-specific and overwritable by all command line utilities 2019-11-27 11:27:55 +01:00
Hannes Mehnert 56aa5545f8 basic cirrus on FreeBSD set 2019-11-27 11:27:25 +01:00
Hannes Mehnert 2d26a56c0d
Merge pull request #24 from hannesm/versioning
Versioning
2019-11-13 19:01:44 +01:00
Hannes Mehnert 13e731b78e albatross tls: re-allow root in leaf certificate (i.e. root) to fix log and info commands via tls
this is an interaction of 057dbbf147 (allow multiple labels in leaf certificates) and a579a8e143 (print root as "." instead of "")
2019-11-11 23:20:03 +01:00
Hannes Mehnert ff067255b0 albatrossd: acquire lock for restore 2019-11-11 23:20:03 +01:00
Hannes Mehnert 784429744c versioning: revise it all, use a 'current' in Vmm_commands, all daemons reply with the received version on that particular stream 2019-11-11 23:20:03 +01:00
Hannes Mehnert 365a569b25 albatross_ca: compare request vs my version, write mine, bump to AV4 2019-11-11 19:18:48 +01:00
Hannes Mehnert af04739575 albatross_ca: default to 1 day for leaf certificates, 1 year for intermediate policy_add certificates 2019-11-10 23:23:42 +01:00
Hannes Mehnert b1272a75ec create from state in series, not parallel to avoid communication mishappenings
the socket lock was removed in 58c34907 in favour of a global lock -- but the
bootup used an iter_p for create (which is usually called with the lock being
held by the caller)
2019-11-09 21:32:49 +01:00
Hannes Mehnert bcb3efcb23 canonical tag is vm (historical reasons), let's unify 2019-11-09 20:52:39 +01:00
Hannes Mehnert 057dbbf147 revise naming freedom: multiple labels are allowed in certificate common names
influx may drop topmost label (if --drop-label provided)
2019-11-09 20:36:32 +01:00