Commit graph

16899 commits

Author SHA1 Message Date
Michael Lange 2dac1d6705 Refactor ability tests to use a setup hook for ability lookup 2020-01-30 21:29:21 -08:00
Michael Lange 1fae4083eb Add an ability for client permissions 2020-01-30 21:29:19 -08:00
Michael Schurter 1d8f1ee473
Merge pull request #7026 from hashicorp/post-0103
Post 0103
2020-01-30 15:25:26 -08:00
Michael Schurter 77bd6c0b9c docs: add v0.10.3 release to changelog 2020-01-30 15:24:33 -08:00
Michael Schurter 60e1ae5012 docs: bump 0.10.2 -> 0.10.3 2020-01-30 15:22:59 -08:00
Michael Schurter 54324bb91c
Merge pull request #7023 from hashicorp/b-tls-validation
Validate role and region for mTLS
2020-01-30 11:05:37 -08:00
Michael Schurter dd7712795d
Merge branch 'master' into b-tls-validation 2020-01-30 11:05:15 -08:00
Michael Schurter c7d63305b0
Merge pull request #7022 from hashicorp/f-handshake-deadlines-oss
core: add limits to unauthorized connections
2020-01-30 11:01:10 -08:00
Mahmood Ali a9f551542d Merge pull request #160 from hashicorp/b-mtls-hostname
server: validate role and region for RPC w/ mTLS
2020-01-30 12:59:17 -06:00
Michael Schurter 8d18b5d6be docs: document limits
Taken more or less verbatim from Consul.
2020-01-30 10:38:42 -08:00
Michael Schurter c82b14b0c4 core: add limits to unauthorized connections
Introduce limits to prevent unauthorized users from exhausting all
ephemeral ports on agents:

 * `{https,rpc}_handshake_timeout`
 * `{http,rpc}_max_conns_per_client`

The handshake timeout closes connections that have not completed the TLS
handshake by the deadline (5s by default). For RPC connections this
timeout also separately applies to the first byte being read, so RPC
connections with TLS enabled have `rpc_handshake_time * 2` as their
deadline.

The connection limit per client prevents a single remote TCP peer from
exhausting all ephemeral ports. The default is 100, but can be lowered
to a minimum of 26. Since streaming RPC connections create a new TCP
connection (until MultiplexV2 is used), 20 connections are reserved for
Raft and non-streaming RPCs to prevent connection exhaustion due to
streaming RPCs.

All limits are configurable and may be disabled by setting them to `0`.

This also includes a fix that closes connections that attempt to create
TLS RPC connections recursively. While only users with valid mTLS
certificates could perform such an operation, it was added as a
safeguard to prevent programming errors before they could cause resource
exhaustion.
2020-01-30 10:38:25 -08:00
Seth Hoenig 9a4e0c354d
Merge pull request #7018 from hashicorp/f-e2e-specify-suite
e2e: add a -suite flag to e2e.Framework
2020-01-30 08:41:02 -06:00
Mahmood Ali 3c8136671f
Merge pull request #7009 from hashicorp/golang-1.12.16
use golang 1.12.16
2020-01-29 20:32:24 -05:00
Seth Hoenig 93d347442f e2e: add a -suite flag to e2e.Framework
This change allows for providing the -suite=<Name> flag when
running the e2e framework. If set, only the matching e2e/Framework.TestSuite.Component
will be run, and all other suites will be skipped.
2020-01-29 14:57:43 -06:00
Drew Bailey 3e9e8262f8
Merge pull request #7015 from hashicorp/b-allow-monitor-by-server-id
Allow nomad monitor command to lookup server UUID
2020-01-29 14:46:53 -05:00
Drew Bailey da4af9bef3
fix tests, update changelog 2020-01-29 13:55:39 -05:00
Drew Bailey a61bf32314
Allow nomad monitor command to lookup server UUID
Allows addressing servers with nomad monitor using the server's name or
ID.

Also unifies logic for addressing servers for client_agent_endpoint
commands and makes addressing logic region aware.

rpc getServer test
2020-01-29 13:55:29 -05:00
Mahmood Ali fb68c7dcdc use golang 1.12.16 2020-01-29 09:52:03 -05:00
Nick Ethier 25a0a697f9
Merge pull request #7005 from shantanugadgil/patch-2
canary_meta will be part of 0.10.3 (not 0.10.2)
2020-01-29 00:18:31 -05:00
Shantanu Gadgil 3cc952754a
canary_meta will be part of 0.10.3 (not 0.10.2)
I assume this is just an oversight. I tried adding the `canary_meta` stanza to an existing v0.10.2 setup (Nomad v0.10.2 (0d2d6e3dc5a171c21f8f31fa117c8a765eb4fc02)) and it did show the error message:
```
* group: 'ggg', task: 'tttt', invalid key: canary_meta
```
2020-01-29 10:42:26 +05:30
Mahmood Ali 9611324654
Merge pull request #6922 from hashicorp/b-alloc-canoncalize
Handle Upgrades and Alloc.TaskResources modification
2020-01-28 15:12:41 -05:00
Mahmood Ali 90cae566e5
Merge pull request #6935 from hashicorp/b-default-preemption-flag
scheduler: allow configuring default preemption for system scheduler
2020-01-28 15:11:06 -05:00
Mahmood Ali bc183a3654 tests: run_for is already a string 2020-01-28 14:58:57 -05:00
Mahmood Ali af17b4afc7 Support customizing full scheduler config 2020-01-28 14:51:42 -05:00
Mahmood Ali f7a51a14c6
Merge pull request #6977 from hashicorp/b-leadership-flapping-2
Handle Nomad leadership flapping (attempt 2)
2020-01-28 11:40:41 -05:00
Mahmood Ali a0340016b9 client: canonicalize alloc.Job on restore
There is a case for always canonicalizing alloc.Job field when
canonicalizing the alloc.  I'm less certain of implications though, and
the job canonicalize hasn't changed for a long time.

Here, we special case client restore from database as it's probably the
most relevant part.  When receiving an alloc from RPC, the data should
be fresh enough.
2020-01-28 09:59:05 -05:00
Mahmood Ali 687d2b7054 tests: defer closing shutdownCh 2020-01-28 09:53:48 -05:00
Mahmood Ali ded4233c27 tweak leadership flapping log messages 2020-01-28 09:49:36 -05:00
Mahmood Ali 79823ae07d handle channel close signal
Always deliver last value then send close signal.
2020-01-28 09:44:34 -05:00
Mahmood Ali d202924a93 include test and address review comments 2020-01-28 09:06:52 -05:00
Mahmood Ali 6602427236 docs: tweaks 2020-01-28 08:39:58 -05:00
Mahmood Ali 112625e769
Merge pull request #6997 from hashicorp/docs-bootstrap-reset
docs: resetting bootstrap doesn't invalidate token
2020-01-28 08:37:45 -05:00
Nick Ethier 7e7f558fdc
Merge pull request #6690 from hashicorp/f-canary-meta
consul: add support for canary meta
2020-01-27 21:48:48 -05:00
Tim Gross 7681f09ae4
e2e: packer builds should not be public (#6998) 2020-01-27 16:28:25 -05:00
Mahmood Ali 9926614df2
Update website/source/guides/security/acl.html.markdown
Co-Authored-By: Tim Gross <tim@0x74696d.com>
2020-01-27 14:17:44 -05:00
Nick Ethier 5636203d4e consul: fix var name from rebase 2020-01-27 14:00:19 -05:00
Mahmood Ali d2531ccb83 docs: resetting bootstrap doesn't invalidate token 2020-01-27 13:45:52 -05:00
Michael Schurter ed926a9d03
Merge pull request #6938 from hashicorp/e2e-vault
test: download Vault binaries for e2e test
2020-01-27 10:26:48 -08:00
Nick Ethier 0ae99b3c9c consul: fix var name from rebase 2020-01-27 12:55:52 -05:00
Michael Schurter b2398e68c9
Merge pull request #6994 from hashicorp/docs-go
docs: add Go versioning policy
2020-01-27 08:19:33 -08:00
Michael Schurter b5869240c6 docs: add Go versioning policy 2020-01-27 08:18:58 -08:00
Mahmood Ali 3fc345a500
Merge pull request #6918 from hashicorp/vendor-godiscover-7698de1
Update go-discover library
2020-01-27 10:10:17 -05:00
Nick Ethier 6d0556bc30 website: add canary meta to api docs 2020-01-27 09:53:30 -05:00
Nick Ethier 5cbb94e16e consul: add support for canary meta 2020-01-27 09:53:30 -05:00
Mahmood Ali 5d27317a2c
Merge pull request #6950 from hashicorp/c-golang-1.12.15
Upgrade to using golang 1.12.15
2020-01-27 09:10:55 -05:00
Mahmood Ali 7921a82a4e fix comment 2020-01-27 09:10:38 -05:00
Michael Lange 0c18d92395
Merge pull request #6819 from hashicorp/f-ui-node-drain
UI: Invoke Node Drains
2020-01-23 16:48:57 -08:00
Michael Lange d7a3c15530 Replace custom parse-duration implementation with an existing lib 2020-01-23 16:34:38 -08:00
Michael Lange c0d57149ca Update client detail test given change to the compositeStatus property 2020-01-23 16:34:38 -08:00
Michael Lange 75987840bb Tweak vertical spacing of headings 2020-01-23 16:34:37 -08:00