Skip to content

[v18] [teleport-update] Stabilize tsh paths when run from agent installation #60873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sclevine merged 2 commits into from
Nov 10, 2025
Merged

[v18] [teleport-update] Stabilize tsh paths when run from agent installation #60873

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0a40db2
stablize tsh paths when run from agent installation
sclevine Oct 27, 2025
23d57b6
cleanup
sclevine Oct 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 20 additions & 14 deletions tool/tsh/common/tsh.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,8 @@ import (
"github.com/gravitational/teleport/lib/asciitable"
"github.com/gravitational/teleport/lib/auth/authclient"
wancli "github.com/gravitational/teleport/lib/auth/webauthncli"
"github.com/gravitational/teleport/lib/autoupdate/tools"
autoupdateagent "github.com/gravitational/teleport/lib/autoupdate/agent"
autoupdatetools "github.com/gravitational/teleport/lib/autoupdate/tools"
"github.com/gravitational/teleport/lib/benchmark"
benchmarkdb "github.com/gravitational/teleport/lib/benchmark/db"
"github.com/gravitational/teleport/lib/client"
Expand Down Expand Up @@ -844,7 +845,7 @@ func Run(ctx context.Context, args []string, opts ...CliOption) error {
}
// Check local update for specific proxy from configuration.
name := utils.TryHost(strings.TrimPrefix(strings.ToLower(proxyArg), "https://"))
if err := tools.CheckAndUpdateLocal(ctx, name, args); err != nil {
if err := autoupdatetools.CheckAndUpdateLocal(ctx, name, args); err != nil {
return trace.Wrap(err)
}

Expand Down Expand Up @@ -1465,13 +1466,18 @@ func Run(ctx context.Context, args []string, opts ...CliOption) error {
bench.Hidden()
}

var err error
cf.executablePath, err = os.Executable()
if err != nil {
return trace.Wrap(err)
}
if reExecPath := tools.GetReExecPath(); reExecPath != "" {
if reExecPath := autoupdatetools.GetReExecPath(); reExecPath != "" {
// Always prefer Client Tools Managed Updates re-exec path (~/.tsh/bin/) if set
cf.executablePath = reExecPath
} else {
// Otherwise, use the Agent Managed Updates stable path, if available
var err error
cf.executablePath, err = autoupdateagent.StableExecutable()
if errors.Is(err, autoupdateagent.ErrUnstableExecutable) {
logger.WarnContext(ctx, "Templates may be rendered with an unstable path to the tsh executable; reinstall tsh with Managed Updates to prevent instability")
} else if err != nil {
return trace.Wrap(err, "determining executable path")
}
}

// configs
Expand Down Expand Up @@ -2071,7 +2077,7 @@ func onVersion(cf *CLIConf) error {
proxyPublicAddr = ppa
}

reExecFromVersion := tools.GetReExecFromVersion(cf.Context)
reExecFromVersion := autoupdatetools.GetReExecFromVersion(cf.Context)
format := strings.ToLower(cf.Format)
switch format {
case teleport.Text, "":
Expand Down Expand Up @@ -2242,7 +2248,7 @@ func onLogin(cf *CLIConf, reExecArgs ...string) (err error) {
// The user is not logged in and has typed in `tsh --proxy=... login`, if
// the running binary needs to be updated, update and re-exec.
if profile == nil {
if err := tools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
if err := autoupdatetools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
return trace.Wrap(err)
}
}
Expand All @@ -2260,7 +2266,7 @@ func onLogin(cf *CLIConf, reExecArgs ...string) (err error) {

// The user has typed `tsh login`, if the running binary needs to
// be updated, update and re-exec.
if err := tools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
if err := autoupdatetools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
return trace.Wrap(err)
}

Expand All @@ -2280,7 +2286,7 @@ func onLogin(cf *CLIConf, reExecArgs ...string) (err error) {

// The user has typed `tsh login`, if the running binary needs to
// be updated, update and re-exec.
if err := tools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
if err := autoupdatetools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
return trace.Wrap(err)
}

Expand Down Expand Up @@ -2356,7 +2362,7 @@ func onLogin(cf *CLIConf, reExecArgs ...string) (err error) {
default:
// The user is logged in and has typed in `tsh --proxy=... login`, if
// the running binary needs to be updated, update and re-exec.
if err := tools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
if err := autoupdatetools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
return trace.Wrap(err)
}
}
Expand Down Expand Up @@ -4515,7 +4521,7 @@ func wrapInitClientWithUpdateCheck(clientInitFunc ClientInitFunc, reExecArgs []s
return nil, trace.Wrap(err)
}
if cf.checkManagedUpdates {
if err := tools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
if err := autoupdatetools.CheckAndUpdateRemote(cf.Context, tc.WebProxyAddr, tc.InsecureSkipVerify, reExecArgs); err != nil {
return nil, trace.Wrap(err)
}
}
Expand Down
Loading