Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Compare auth version only if ping is successful #14178

Merged
merged 16 commits into from
Jul 8, 2022
Merged

Compare auth version only if ping is successful #14178

merged 16 commits into from
Jul 8, 2022

Conversation

nklaassen
Copy link
Contributor

@nklaassen nklaassen commented Jul 7, 2022
edited
Loading

In lib/service/(*TeleportProcess).reconnectToAuthService we send a ping request to the auth server to check for connectivity. We also check the reported version of the auth server, and will return an error and exit if it is too old.

There is currently a bug where we will check the server version before checking if the ping request was successful, resulting in the following error:

"error":" is not in dotted-tri format","level":"warning","message":"Teleport process has exited with error."

This error causes us to break out of the reconnect loop and never successfully connect to the auth service if there is a single failed ping. This breaks CA rotation if you get unlucky with the timing of auth and proxy restarts.

With this PR, we only check the auth server version if the ping was actually successful.

Fixing the version check uncovered a segfault waiting to happen a few lines below when the error is still nil, this is fixed in the second commit here.

In my testing, this change improved the original pass rate of TestHSMRotation from 94/100 (with 5/6 failures hitting this bug), to 99/100 with the 1 failure being the segfault fixed in the second commit here, to 100/100 999/1000 in the current iteration.

@nklaassen nklaassen requested a review from capnspacehook July 7, 2022 08:43
@github-actions github-actions bot requested review from smallinsky and Tener July 7, 2022 08:44
smallinsky
smallinsky approved these changes Jul 7, 2022
View reviewed changes
lib/service/connect.go Outdated Show resolved Hide resolved
zmb3
zmb3 reviewed Jul 7, 2022
View reviewed changes
lib/service/connect.go Outdated Show resolved Hide resolved
capnspacehook
capnspacehook approved these changes Jul 7, 2022
View reviewed changes
Copy link
Contributor

@capnspacehook capnspacehook left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, sorry about introducing this in the first place 😬

@nklaassen nklaassen requested a review from zmb3 July 7, 2022 16:10
@nklaassen nklaassen enabled auto-merge (squash) July 7, 2022 16:49
This was referenced Jul 7, 2022
Closed
Closed
Closed
@nklaassen nklaassen merged commit cb9aa5e into master Jul 8, 2022
@github-actions
Copy link

github-actions bot commented Jul 8, 2022

@nklaassen See the table below for backport results.

Branch Result
branch/v10 Create PR

@nklaassen nklaassen mentioned this pull request Jul 8, 2022
Merged
@nklaassen nklaassen deleted the nklaassen/fix-auth-too-old branch July 8, 2022 04:00
@nklaassen nklaassen mentioned this pull request Jul 12, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@capnspacehook capnspacehook capnspacehook approved these changes

@smallinsky smallinsky smallinsky approved these changes

@zmb3 zmb3 zmb3 approved these changes

@Tener Tener Awaiting requested review from Tener

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nklaassen @zmb3 @smallinsky @capnspacehook @r0mant