fspmarshall
left a comment
nit: docs/pages/management/admin/setup-automatic-agent-update.mdx appears empty. Is this intended?
917f5a7 to
b805264
This commit adds the updater documentation covering:
- its architecture
- how to set up a self-hosted version server for on-prem users
- how to enroll an agent into automatic updates
- the `cluster_maintenance_config` resource reference

The PR currently restricts the automatic update scope to enterprise and cloud. Technically oss users could benefit from it but we don't have an oss package yet. Hopefully this should happen post 13.0 release.
b0612b4 to
fda56ba
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
| The best practice is to always align the agent version with the proxy and auth | ||
| ones. This ensures the agents benefit from all available features and bug | ||
| fixes for the given auth/proxy version. |
In addition to using proper nouns for the services as above, what if the Proxy and Auth Services are not in alignment? Does one take precedence?
The rule is Auth >= Proxy >= agents. Ideally, all versions should be equal. During a version update, all three versions might differ. I added a link to our upgrade guide, which goes into greater detail.
| their version server and choose their target version. They are responsible for | ||
| ensuring the targeted version is compatible with their current auth/proxy | ||
| versions. They must also monitor the agent's health and rollout status to | ||
| ensure every agent is healthy and running the correct version. |
Would you agree that a "Next steps" or "Learn more" section pointing to the other new pages under operations would make sense here?
| Automatic agent update is available starting from Teleport `13.0`. | ||
| </Details> | ||
|
|
||
| Starting with Teleport 13, agents running in systemd or Kubernetes environments |
I added in the architecture page first paragraph that we need both systemd and apt/yum, and I expanded the requirements section to mention:
A Teleport agent, either:
- started via systemd on a distribution using the `apt` or `yum` package managers
Nice. Now should this section be aligned to also mention apt/yum?
| Automatic agent update is available starting from Teleport `13.0`. | ||
| </Details> | ||
|
|
||
| Starting with Teleport 13, agents running in systemd or Kubernetes environments |
Should we mention apt/yum here as well?
| And mark the update as not critical: | ||
|
|
||
| ```code | ||
| $ echo -n "no" > current/critical |
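Review bot: `echo -n` on the `current/critical` line is not portable. POSIX leaves `-n` implementation-defined, and a shell whose `echo` does not treat it as an option writes the literal `-n` and a trailing newline into the file. `printf 'no' > current/critical` writes exactly those two bytes on every shell, which is what a file that must not end in a newline needs.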
Almost missed this! Without another >, won't this overwrite?
❯ echo -n "line 1" > example
❯ echo -n "line 2" > example
❯ cat example
line 2
| $ echo -n "no" > current/critical | |
| $ echo -n "no" >> current/critical |
And I'm not sure the best way to adjust to resolve, but using -n on both commands yields a single line, which I don't think is intended:
❯ echo -n "line 1" > example
❯ echo -n "line 2" >> example
❯ cat example
line 1line 2%
Both commands are writing to different files (at least they're supposed to): the first one writes to current/version and the second one writes to current/critical. The file should have no newline at the end (updaters should be resilient but I'm more comfortable not testing the limits of the system). I think overwriting is the sane behaviour here as it allows the user to mistakenly run the command twice.
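The overwrite-without-trailing-newline behaviour described in this reply, as an added example (not code from the PR or from Teleport): `printf` plus a rename makes the write exact and safe to repeat. The function names, the temporary-file naming, the `yes` value and the version character check are assumptions.

```shell
# Added example: publish the two release-channel files named in the thread,
# current/version and current/critical, with no trailing newline.
# Assumptions (not from the page): function names, temp-file naming,
# "yes" as the other accepted flag value, and the version character check.

# write_exact FILE VALUE: replace FILE with exactly VALUE.
write_exact() {
    tmp="$1.tmp.$$"
    # printf '%s' never appends a newline and never treats -n as an option.
    printf '%s' "$2" > "$tmp" || return 1
    # rename within one filesystem is atomic: readers see old or new, never partial.
    mv -f "$tmp" "$1"
}

# publish_channel DIR VERSION CRITICAL: overwrite both files; safe to run twice.
publish_channel() {
    dir=$1 version=$2 critical=$3
    case $critical in
        yes|no) ;;
        *) echo "critical must be yes or no" >&2; return 2 ;;
    esac
    # Reject empty values and anything with whitespace or newlines in it.
    case $version in
        ''|*[!A-Za-z0-9.+-]*) echo "unexpected characters in version" >&2; return 2 ;;
    esac
    mkdir -p "$dir/current" || return 1
    write_exact "$dir/current/version" "$version" &&
    write_exact "$dir/current/critical" "$critical"
}

# ends_with_newline FILE: succeed only if the last byte of FILE is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" = 1 ]
}
```

`ends_with_newline` can be pointed at files already published on the version server to find ones written with a plain `echo`.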
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
| Install the `teleport-ent-updater` package (note: your teleport agent will be restarted during install): | ||
|
|
||
| ```code | ||
| $ apt install teleport-ent-updater |
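Review bot: the `$ apt install teleport-ent-updater` line is shown at a non-root `$` prompt without `sudo`, so a reader who copies it as an unprivileged user gets a permission error. Prefix it with `sudo` or state that the step runs as root. In the sentence above the command, "teleport agent" should be capitalised as "Teleport agent", and the restart warning would be easier to notice as its own admonition than inside parentheses.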
@marcoandredinis @hugoShaka Do we need to update our Discover install script and auto-discovery install script to use this package name when auto-upgrades env. var is set? IIRC we only change the repository channel right now.
Yup, I thought this was part of this ticket but it's not.
Should we include teleport-updater as a dependency of teleport apt/yum package?
(and teleport-ent-updater a dep of teleport-ent)
If we do so, then we would only need to tell users to configure and then systemctl enable --now the service.
I do understand that this is one more binary we add to the base installation but it seems we are going to allow all users to run the upgrader, so we should be ok with this being on user's machine.
I'll open the PR to install the package on our install scripts but please let me know what you think.
I think we do it the other way: if you install teleport-ent-updater, you also get teleport-ent with the right systemd unit and the correct env vars set so the maintenance schedule is exported. cc @fspmarshall for confirmation
We don't have a teleport-updater OSS package yet 😢. Everything is OSS-friendly but the packaging didn't happen because we were short on time.
| maintenance window has been updated | ||
| ``` | ||
|
|
||
| ## Next steps |
I don't see a section on troubleshooting. What if the automatic upgrade fails? What logs can you look at? How do you recover?
added a few lines on how to trigger an update check manually and check the logs
| "slug": "/architecture/authorization/" | ||
| }, | ||
| { | ||
| "title": "Automatic Agent Update", |
This name seems out of place with the rest of the theme. I would name it Update Management and move it lower in the list.
renamed to Agent Update Management
| The release channel must be hosted on a webserver with trusted TLS certificates | ||
| and reachable by all agents. | ||
|
|
||
| Public cloud buckets like Amazon S3 or Google Cloud Storage are good |
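Review bot: "trusted TLS certificates" in the first sentence does not say who has to trust them. The agents are the clients here, so spell out that the certificate must validate against the CA store on every agent host, and that a privately signed certificate only works once its CA is installed there. Where the last line recommends public cloud buckets, add that the bucket should be readable by agents but writable only by the operator, because the content of the release channel decides which version agents are told to install.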
We should provide examples of using S3 and Google Cloud Storage. That can go in a subsequent release, but since a number of folks are not familiar with that or setting up nginx, it is good to have concrete examples. Also good if Teleport could provide this in some way.
When we come back to automatic updates, we'll likely have those endpoints served by the proxies themselves.
stevenGravy
left a comment
Approved with comments.
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
@hugoShaka See the table below for backport results.
* docs: document the updater

  This commit adds the updater documentation covering:
  - its architecture
  - how to set up a self-hosted version server for on-prem users
  - how to enroll an agent into automatic updates
  - the `cluster_maintenance_config` resource reference

  The PR currently restricts the automatic update scope to enterprise and cloud. Technically oss users could benefit from it but we don't have an oss package yet. Hopefully this should happen post 13.0 release.
* add new page to section index and sort
* Apply suggestions from code review

  Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* docs feedback pt.1
* docs feedback pt.2
* fix tabs and edit innards
* Apply suggestions from code review

  Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* docs feedback pt.3
* docs feedback pt.4
* Apply suggestions from code review

  Co-authored-by: Roman Tkachenko <roman@goteleport.com>
* docs feedback pt.5
* mark as preview

---------

Co-authored-by: alexfornuto <alex.fornuto@goteleport.com>
Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Part of #23091
This commit adds the updater documentation covering:
- its architecture
- how to set up a self-hosted version server for on-prem users
- how to enroll an agent into automatic updates
- the `cluster_maintenance_config` resource reference

The PR currently restricts the automatic update scope to enterprise and cloud. Technically oss users could benefit from it but we don't have an oss package yet. Hopefully this should happen post 13.0 release.