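#!/usr/bin/env bash
#
# Agentless (OpenSSH) installer template.
# Source: github.com/gravitational/teleport/api@v0.0.0-20240507183017-3110591cbafc/types/installers/agentless-installer.sh.tmpl
#
# Installs Teleport from the vendor package repository when
# /usr/local/bin/teleport is absent, collects the instance's IP addresses and
# identity from the EC2 instance metadata service (IMDS), and then runs
# `teleport join openssh` with the IAM join method.
#
# Usage (after rendering): <script> TOKEN
# Environment: SSHD_CONFIG is read by run_teleport and is not assigned anywhere
#   in this script; under `nounset` the join step aborts if it is not provided.
#
# NOTE(review): every `{{ ... }}` placeholder is substituted into the script
# text before it runs, mostly inside double quotes. Double quotes do not stop
# the shell from expanding `$(...)`, backticks or a closing quote, and the
# script goes on to call sudo, so the rendering side has to validate or
# constrain PublicProxyAddr, TeleportPackage, RepoChannel and
# AutomaticUpgrades - confirm that it does.

set -o errexit
set -o pipefail
set -o nounset

upgrade_endpoint="{{ .PublicProxyAddr }}/v1/webapi/automaticupgrades/channel/default"

#######################################
# Loads the specified value from the upgrade endpoint. The only currently
# supported values are 'version' and 'critical'.
# Globals:   upgrade_endpoint (read)
# Arguments: $1 - name of the value to fetch
# Outputs:   the response on stdout, empty lines and extra whitespace removed
# Returns:   0 when the request succeeded, 1 otherwise
#######################################
upgrade_endpoint_fetch() {
  local host_path sf_output
  host_path="${upgrade_endpoint}/${1}"

  # --proto '=https' and --tlsv1.2 restrict the transfer to HTTPS with
  # TLS 1.2 or newer; -f makes an HTTP error status a non-zero exit.
  if ! sf_output="$(curl --proto '=https' --tlsv1.2 -sSf "https://${host_path}")"; then
    return 1
  fi

  # printf rather than echo: the payload comes from the network and must not
  # be parsed as echo options.
  printf '%s\n' "$sf_output" | grep -v -e '^[[:space:]]*$' | awk '{$1=$1};1'
  return 0
}

#######################################
# Loads the current value of the /version endpoint.
# Outputs:   the version string on stdout, leading 'v' removed if present
# Returns:   0 on success, 1 when the endpoint could not be fetched
#######################################
get_target_version() {
  local tv_output
  if tv_output="$(upgrade_endpoint_fetch version)"; then
    printf '%s\n' "${tv_output#v}"
    return 0
  fi
  return 1
}

#######################################
# Joins this host to the cluster as an OpenSSH node and restarts sshd.
# Globals:   SSHD_CONFIG (read; must come from the environment)
# Arguments: $1 - join token
#            $2 - comma-separated additional principals
#            $3 - comma-separated labels
#            $4 - address to advertise (port 22 is appended)
# Returns:   exit status of the teleport command
#######################################
run_teleport() {
  local token="$1" principals="$2" labels="$3" address="$4"

  # NOTE(review): the token is passed on the command line, where other local
  # users can read it from the process list while the join runs. Whether that
  # matters depends on how the token is scoped - confirm.
  sudo /usr/local/bin/teleport join openssh \
    --openssh-config="${SSHD_CONFIG}" \
    --join-method=iam \
    --token="$token" \
    --proxy-server="{{ .PublicProxyAddr }}" \
    --additional-principals="$principals" \
    --labels="$labels" \
    --address="${address}:22" \
    --restart-sshd
}

#######################################
# Reads one item from the instance metadata service.
# Arguments: $1 - IMDSv2 session token
#            $2 - path below /latest/meta-data/
# Outputs:   the item's value on stdout
# Returns:   non-zero on transport failure or HTTP error status
#######################################
get_metadata_item() {
  local imds_token="$1" endpoint="$2"

  # -f: without it curl exits 0 on an HTTP error (for example a missing
  # public-ipv4 item) and the error document would be used as the value,
  # so the callers' empty-value fallbacks would never trigger.
  curl -m5 -sSf -H "X-aws-ec2-metadata-token: ${imds_token}" \
    "http://169.254.169.254/latest/meta-data/${endpoint}"
}

#######################################
# Builds the list of additional principals from the instance's IPs.
# Arguments: $1 - IMDSv2 session token
# Outputs:   "<public>,<local>," on stdout; an address that could not be
#            read is left out (the trailing comma is kept as before)
#######################################
get_principals() {
  local imds_token="$1"
  local local_ip public_ip principals=""

  # A failed lookup becomes an empty value; the checks below skip it.
  local_ip="$(get_metadata_item "$imds_token" local-ipv4)" || local_ip=""
  public_ip="$(get_metadata_item "$imds_token" public-ipv4)" || public_ip=""

  if [[ -n "$local_ip" ]]; then
    principals="${local_ip},${principals}"
  fi
  if [[ -n "$public_ip" ]]; then
    principals="${public_ip},${principals}"
  fi

  printf '%s\n' "$principals"
}

#######################################
# Picks the address to advertise: the public IP when there is one,
# otherwise the local IP.
# Arguments: $1 - IMDSv2 session token
# Outputs:   the address on stdout; the failure message on stderr
# Returns:   0 when an address was found, 1 otherwise
#######################################
get_address() {
  local imds_token="$1"
  local local_ip public_ip

  public_ip="$(get_metadata_item "$imds_token" public-ipv4)" || public_ip=""
  if [[ -n "$public_ip" ]]; then
    printf '%s\n' "$public_ip"
    return 0
  fi

  local_ip="$(get_metadata_item "$imds_token" local-ipv4)" || local_ip=""
  if [[ -n "$local_ip" ]]; then
    printf '%s\n' "$local_ip"
    return 0
  fi

  # stderr: the caller captures stdout with $(...), so a message written
  # there would be stored as the address and never shown.
  echo "Failed to retreive an IP address to connect to, which is a required parameter" >&2
  return 1
}

#######################################
# Builds the node labels from the instance identity document.
# Arguments: $1 - IMDSv2 session token
# Outputs:   instance-id, account-id and aws-region labels on stdout,
#            comma-separated
#######################################
get_labels() {
  local imds_token="$1"
  local instance_info account_id instance_id region

  # -f keeps an HTTP error document from being handed to jq as if it were
  # the identity document. A failed fetch leaves the label values empty.
  instance_info="$(curl -m5 -sSf -H "X-aws-ec2-metadata-token: ${imds_token}" \
    http://169.254.169.254/latest/dynamic/instance-identity/document)" || instance_info=""

  account_id="$(jq -r .accountId <<<"$instance_info")" || account_id=""
  instance_id="$(jq -r .instanceId <<<"$instance_info")" || instance_id=""
  region="$(jq -r .region <<<"$instance_info")" || region=""

  printf '%s\n' "teleport.dev/instance-id=${instance_id},teleport.dev/account-id=${account_id},teleport.dev/aws-region=${region}"
}

#######################################
# Configures the Teleport package repository for the running distribution
# and installs the teleport package and jq, plus the updater package when
# automatic upgrades are enabled in the template.
# Globals:   ID, VERSION_ID, VERSION_CODENAME (set by sourcing /etc/os-release)
# Returns:   exits 1 on an unsupported distribution; any failing step aborts
#            the script through errexit
#######################################
install_teleport() {
  # shellcheck disable=SC1091
  . /etc/os-release

  local teleport_package="{{ .TeleportPackage }}"
  local teleport_updater_package="{{ .TeleportPackage }}-updater"
  local target_version pubkey_file

  if [ "$ID" = "debian" ] || [ "$ID" = "ubuntu" ]; then
    # old versions of ubuntu require that keys get added by `apt-key add`, without
    # adding the key apt shows a key signing error when installing teleport.
    if [ "$VERSION_CODENAME" = "xenial" ] || [ "$VERSION_CODENAME" = "trusty" ]; then
      # mktemp instead of a fixed name under /tmp: with a predictable path
      # another local user could pre-create or swap the file before it is
      # handed to `sudo apt-key add`, which trusts the key for every
      # configured repository.
      pubkey_file="$(mktemp)"
      if ! {
        curl --proto '=https' --tlsv1.2 -f -o "$pubkey_file" https://apt.releases.teleport.dev/gpg &&
          sudo apt-key add "$pubkey_file"
      }; then
        rm -f -- "$pubkey_file"
        return 1
      fi
      rm -f -- "$pubkey_file"
      echo "deb https://apt.releases.teleport.dev/ubuntu ${VERSION_CODENAME?} {{ .RepoChannel }}" | sudo tee /etc/apt/sources.list.d/teleport.list
    else
      # -f: an HTTP error page must not be written out as the archive keyring.
      curl --proto '=https' --tlsv1.2 -f https://apt.releases.teleport.dev/gpg | sudo tee /usr/share/keyrings/teleport-archive-keyring.asc
      echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} {{ .RepoChannel }}" | sudo tee /etc/apt/sources.list.d/teleport.list >/dev/null
    fi
    sudo apt-get update

    # shellcheck disable=SC2050
    if [ "{{ .AutomaticUpgrades }}" = "true" ]; then
      # automatic upgrades
      if target_version="$(get_target_version)" && [[ -n "$target_version" && "$target_version" != "none" ]]; then
        # successfully retrieved target version
        sudo apt-get install -y "${teleport_package}=${target_version}" jq "${teleport_updater_package}=${target_version}"
      else
        # lookup failed, or no target version advertised: unpinned install
        sudo apt-get install -y "$teleport_package" jq "$teleport_updater_package"
      fi
    else
      # no automatic upgrades
      sudo apt-get install -y "$teleport_package" jq
    fi

  elif [ "$ID" = "amzn" ] || [ "$ID" = "rhel" ]; then
    if [ "$ID" = "rhel" ]; then
      VERSION_ID="${VERSION_ID%%.*}" # convert version numbers like '7.2' to only include the major version
    fi
    sudo yum install -y yum-utils
    sudo yum-config-manager --add-repo \
      "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/{{ .RepoChannel }}/teleport.repo")"

    # shellcheck disable=SC2050
    if [ "{{ .AutomaticUpgrades }}" = "true" ]; then
      # automatic upgrades
      if target_version="$(get_target_version)" && [[ -n "$target_version" && "$target_version" != "none" ]]; then
        # successfully retrieved target version
        sudo yum install -y "${teleport_package}-${target_version}" jq "${teleport_updater_package}-${target_version}"
      else
        # lookup failed, or no target version advertised: unpinned install
        sudo yum install -y "$teleport_package" jq "$teleport_updater_package"
      fi
    else
      # no automatic upgrades
      sudo yum install -y "$teleport_package" jq
    fi

  elif [ "$ID" = "sles" ] || [ "$ID" = "opensuse-tumbleweed" ] || [ "$ID" = "opensuse-leap" ]; then
    if [ "$ID" = "opensuse-tumbleweed" ]; then
      VERSION_ID="15" # tumbleweed uses dated VERSION_IDs like 20230702
    else
      VERSION_ID="${VERSION_ID%%.*}" # convert version numbers like '7.2' to only include the major version
    fi
    sudo rpm --import "https://zypper.releases.teleport.dev/gpg"
    sudo zypper --non-interactive addrepo "$(rpm --eval "https://yum.releases.teleport.dev/sles/$VERSION_ID/Teleport/%{_arch}/{{ .RepoChannel }}/teleport.repo")"
    # NOTE(review): --gpg-auto-import-keys accepts whatever signing key a
    # repository presents during refresh, which weakens the explicit
    # `rpm --import` above - confirm it is still required.
    sudo zypper --gpg-auto-import-keys refresh
    # shellcheck disable=SC2050
    if [ "{{ .AutomaticUpgrades }}" = "true" ]; then
      # automatic upgrades
      if target_version="$(get_target_version)" && [[ -n "$target_version" && "$target_version" != "none" ]]; then
        # successfully retrieved target version
        sudo zypper --non-interactive install -y "${teleport_package}-${target_version}" jq "${teleport_updater_package}-${target_version}"
      else
        # lookup failed, or no target version advertised: unpinned install
        sudo zypper --non-interactive install -y "$teleport_package" jq "$teleport_updater_package"
      fi
    else
      # no automatic upgrades
      sudo zypper --non-interactive install -y "$teleport_package" jq
    fi
  else
    echo "Unsupported distro: $ID" >&2
    exit 1
  fi
}

(
  # Non-blocking lock on fd 9: a second concurrent run exits instead of
  # racing the first one through the install and join steps.
  flock -n 9 || exit 1

  token="$1"

  if ! test -f /usr/local/bin/teleport; then
    install_teleport
  fi

  # -f: stop here if no IMDSv2 session token is issued, rather than sending
  # an error document on as the token header in the lookups below.
  imds_token="$(curl -m5 -sSf -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")"
  principals="$(get_principals "$imds_token")"
  labels="$(get_labels "$imds_token")"
  address="$(get_address "$imds_token")"
  run_teleport "$token" "$principals" "$labels" "$address"

) 9>/var/lock/teleport_install.lock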