pkg/daemon: detect ssh accesses before daemon started #381

runcom · 2019-02-05T11:15:29Z

Reads the journal checking for logind message ID and annotates the node
with the ssh accessed label if it finds out there were previous
accesses.

Close #379

Signed-off-by: Antonio Murdaca [email protected]

runcom · 2019-02-05T11:32:07Z

/test unit

runcom · 2019-02-05T11:47:31Z

so tests all fail because we're missing the systemd-devel dependency, does anybody know how to add that in the CI environment? /cc @cgwalters @jlebon et all

jlebon · 2019-02-05T14:36:39Z

I think right now it's failing because it's trying to link it for all the container builds but the dep was only added for the daemon Dockerfiles. @abhinavdahiya mentioned in #335 (comment) that we should only turn on CGO_ENABLED for the MCD. Doing that should fix it, I think?

(Also, can you do the vendoring part as a separate commit; can probably just cherry-pick 1068940 :)).

cgwalters · 2019-02-05T14:39:12Z

I believe the build container is derived from https://github.com/openshift/release/blob/a30cd48207d5f7244ed492450e111c6fbde5b757/projects/origin-release/golang-1.10/Dockerfile

I'm not sure about precedent for either adding to it or making a new one (or a derived container).

runcom · 2019-02-05T14:43:05Z

@abhinavdahiya mentioned in #335 (comment) that we should only turn on CGO_ENABLED for the MCD. Doing that should fix it, I think?

@jlebon I did that but still fails cause we're probably using another Dockerfile and image in tests (???)

(Also, can you do the vendoring part as a separate commit; can probably just cherry-pick 1068940 :)).

@jlebon is dep able to pull in vendors w/o a specific import in the code? in case it's not, I'd just wait for either PR to land and rebase the other one I guess. Otherwise, I'll create a separate commit.

I'm not sure about precedent for either adding to it or making a new one (or a derived container).

thanks, I'll check that out

cgwalters · 2019-02-05T14:47:41Z

While it may seem like a hack honestly I'd say we just fork off that journalctl command as a subprocess.

runcom · 2019-02-05T14:49:52Z

While it may seem like a hack honestly I'd say we just fork off that journalctl command as a subprocess.

that's fine with me, let's see how it goes when adding a build dep on the release image openshift/release#2783

jlebon · 2019-02-05T14:41:04Z

pkg/daemon/daemon.go

We don't even need to check the MESSAGE here. The msg id already represents the event we're looking for.

Also, there's no need for a for loop here, right? We can just .Next() and then .GetEntry() sequentially.

for the second point, just 1 entry is already enough to mark the node ssh/accessed so yeah, no need for a loop or sequentially calling GetEntry

pkg/daemon/daemon.go

jlebon · 2019-02-05T15:00:17Z

@jlebon is dep able to pull in vendors w/o a specific import in the code?

I've just been doing git add vendor/ and committing that separately first. GitHub does a good job of not expanding the vendoring churn in the "Files changed" tab, but in the terminal it's a pain to wade through.

yuqi-zhang · 2019-02-05T15:33:46Z

Running this locally shows:

# WHAT=machine-config-daemon ./hack/build-go.sh
Using version from git...
Building github.com/openshift/machine-config-operator/cmd/machine-config-daemon (v3.11.0-573-g10b54e42)
# github.com/openshift/machine-config-operator/vendor/github.com/coreos/go-systemd/sdjournal
vendor/github.com/coreos/go-systemd/sdjournal/journal.go:27:11: fatal error: systemd/sd-journal.h: No such file or directory
 // #include <systemd/sd-journal.h>
           ^~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

runcom · 2019-02-05T15:38:03Z

yes, we're waiting for openshift/release#2783 or go raw journalctl

openshift-merge-robot · 2019-02-06T06:27:56Z

/retest

openshift-merge-robot · 2019-02-06T12:17:30Z

/retest

ashcrow · 2019-02-07T15:36:54Z

openshift/release#2783 merged

ashcrow · 2019-02-07T15:37:05Z

/retest

ashcrow · 2019-02-07T18:19:08Z

/retest

cgwalters · 2019-02-07T22:46:48Z

So rhel-images will fail until the upstream change makes it there. Not sure how long that will take.

jlebon · 2019-02-08T17:17:47Z

hack/build-go.sh

I made this conditional on the MCD only in c02eb5d#diff-9283775b0feecc10455ec28bd08983b0.

Hmm, actually that might not work. It looks like other components will then fail to build. From #335:

--> RUN WHAT=machine-config-controller ./hack/build-go.sh Using version from git... Building github.com/openshift/machine-config-operator/cmd/machine-config-controller (v3.11.0-589-gf62a5cf6-dirty) vendor/github.com/coreos/go-systemd/sdjournal/functions.go...machine-config-operator/vendor/github.com/coreos/pkg/dlopen error: build error: running 'WHAT=machine-config-controller ./hack/build-go.sh' failed with exit code 1

I'm not familiar enough with the golang build system, but it seems like it's trying to bundle all the vendored packages for all the targets instead of only the ones that actually need them?

it's because the daemon package imports other packages (controller|server) and the build system bundle them together and that's why it's required for other components as well.

You can use build tags to include / build files only when those tags are set...
https://golang.org/pkg/go/build/#hdr-Build_Constraints

yeah, but that's gonna require some refactor as well

my point is yeah, we're going to refactor for build tags but I guess for this PR we can ship with CGO_ENABLED=1 anyway, I'm creating a new issue to track this.

ashcrow · 2019-02-08T20:37:43Z

could not wait for build: the build machine-config-controller failed after 2m16s with reason DockerBuildFailed: Docker build strategy has failed.

runcom · 2019-02-12T21:12:17Z

rebased and removed the vendoring since #335 pulled it already

This should be ready

runcom · 2019-02-12T23:19:41Z

/retest

runcom · 2019-02-13T00:40:07Z

/retest

jlebon

Just one minor nit, otherwise LGTM!

jlebon · 2019-02-13T14:24:53Z

pkg/daemon/daemon.go

Minor: could avoid the indentation here by checking for 0 and returning early.

thanks, fixed

Reads the journal checking for logind message ID and annotates the node with the ssh accessed label if it finds out there were previous accesses. Signed-off-by: Antonio Murdaca <[email protected]>

jlebon · 2019-02-13T14:39:57Z

/lgtm

openshift-ci-robot · 2019-02-13T14:40:12Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jlebon, runcom

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [jlebon,runcom]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

runcom · 2019-02-13T15:34:49Z

/retest

runcom · 2019-02-13T15:47:34Z

/retest

openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 5, 2019

openshift-ci-robot requested review from smarterclayton and wking February 5, 2019 11:15

openshift-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Feb 5, 2019

runcom force-pushed the early-ssh-accesses branch 3 times, most recently from 049ffe4 to ce09d42 Compare February 5, 2019 11:27

runcom force-pushed the early-ssh-accesses branch from ce09d42 to afb2de2 Compare February 5, 2019 11:41

runcom force-pushed the early-ssh-accesses branch 3 times, most recently from 93dcf8f to 8613c23 Compare February 5, 2019 12:23

runcom mentioned this pull request Feb 5, 2019

golang-1.10/Dockerfile: add systemd-devel for MCO journal bindings openshift/release#2783

Merged

runcom force-pushed the early-ssh-accesses branch from 8613c23 to 10b54e4 Compare February 5, 2019 14:56

jlebon reviewed Feb 5, 2019

View reviewed changes

runcom force-pushed the early-ssh-accesses branch 3 times, most recently from 43060b1 to 26f97f6 Compare February 5, 2019 17:07

runcom mentioned this pull request Feb 8, 2019

Use pivot.service to perform pivot #335

Merged

jlebon reviewed Feb 8, 2019

View reviewed changes

runcom mentioned this pull request Feb 8, 2019

decouple daemon code wrt platform #396

Closed

runcom force-pushed the early-ssh-accesses branch from 26f97f6 to a75271c Compare February 8, 2019 18:27

openshift-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 9, 2019

runcom force-pushed the early-ssh-accesses branch from a75271c to ad90c63 Compare February 12, 2019 21:11

openshift-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Feb 12, 2019

runcom force-pushed the early-ssh-accesses branch from ad90c63 to 0a7bdad Compare February 12, 2019 21:17

jlebon reviewed Feb 13, 2019

View reviewed changes

pkg/daemon: detect ssh accesses before daemon started

77cd586

Reads the journal checking for logind message ID and annotates the node with the ssh accessed label if it finds out there were previous accesses. Signed-off-by: Antonio Murdaca <[email protected]>

runcom force-pushed the early-ssh-accesses branch from 0a7bdad to 77cd586 Compare February 13, 2019 14:38

openshift-ci-robot assigned jlebon Feb 13, 2019

openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Feb 13, 2019

openshift-merge-robot merged commit 7d2cb71 into openshift:master Feb 13, 2019

runcom deleted the early-ssh-accesses branch February 13, 2019 17:12

pkg/daemon: detect ssh accesses before daemon started #381

pkg/daemon: detect ssh accesses before daemon started #381

Uh oh!

Conversation

runcom commented Feb 5, 2019

Uh oh!

runcom commented Feb 5, 2019

Uh oh!

runcom commented Feb 5, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jlebon commented Feb 5, 2019

Uh oh!

cgwalters commented Feb 5, 2019

Uh oh!

runcom commented Feb 5, 2019

Uh oh!

cgwalters commented Feb 5, 2019

Uh oh!

runcom commented Feb 5, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

runcom Feb 5, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

jlebon commented Feb 5, 2019

Uh oh!

yuqi-zhang commented Feb 5, 2019

Uh oh!

runcom commented Feb 5, 2019

Uh oh!

openshift-merge-robot commented Feb 6, 2019

Uh oh!

openshift-merge-robot commented Feb 6, 2019

Uh oh!

ashcrow commented Feb 7, 2019

Uh oh!

ashcrow commented Feb 7, 2019

Uh oh!

ashcrow commented Feb 7, 2019

Uh oh!

cgwalters commented Feb 7, 2019

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ashcrow commented Feb 8, 2019

Uh oh!

runcom commented Feb 12, 2019

Uh oh!

runcom commented Feb 12, 2019

Uh oh!

runcom commented Feb 13, 2019

Uh oh!

jlebon left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jlebon commented Feb 13, 2019

Uh oh!

runcom commented Feb 5, 2019 •

edited

Loading

runcom commented Feb 5, 2019 •

edited

Loading

runcom Feb 5, 2019 •

edited

Loading