)]}' { "log": [ { "commit": "5e4fc2d107722f748f90cad06601c1b20e0934fc", "tree": "3f29a0772e9182a7e7cc0073b61b00f58013e071", "parents": [ "fa5c2fccc528b40f216687e02f0c1cd004e013d6" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Sep 22 18:35:15 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Sep 22 18:35:15 2020 +0200" }, "message": "Add support for runc container runtime\n\nAdds the runc container runtime, its containerd shim, required Linux features and plumbs it into\nKubernetes using RuntimeClasses and containerd runtime selection. Also adds support for building C-based\ntargets as part of our initramfs.\n\nThe Bazel portion is a bit verbose but since label dicts cannot be reasonably concatenated and closures\nare prohibited in Starlark I see no better way.\n\nFor this to be usable for most images new Linux binfmt options have been added. The hashbang binfmt\nshouldn\u0027t have any negative impact, but binfmt_misc has a registry which is only namespaced if used\nwith user namespaces, which are currently not used and thus might represent an exploit vector. This\nis tracked in T864.\n\nTest Plan: New E2E tests covering this feature have been added.\n\nX-Origin-Diff: phab/D625\nGitOrigin-RevId: 1e7e27166135437b2965eca4dc238f3255c9b1ba\n" }, { "commit": "fa5c2fccc528b40f216687e02f0c1cd004e013d6", "tree": "f39c24f681176b7bbf36fe6af304c6902124f552", "parents": [ "4efaa019244db96128941965aa72c0e1371b0d2d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Sep 28 13:32:12 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Sep 28 13:32:12 2020 +0200" }, "message": "Use CoreDNS for everything and make directives dynamic\n\nThis moves CoreDNS from Kubernetes to the network tree and uses\nit for OS-side resolution too. For this to work together with Kubernetes it now\ncontains a dynamic directive system which allows various parts of the OS\nto register and unregister directives at runtime. This system is used to hook\nKubernetes and DHCP-supplied DNS servers into the configuration.\n\nThis also enables the hosts plugin to resolve the local hostname from within\nCoreDNS to avoid querying external DNS servers for that (T773).\n\nTest Plan:\nCTS covers K8s-related tests, external resolution manually tested from\na container.\n\nBug: T860, T773\n\nX-Origin-Diff: phab/D628\nGitOrigin-RevId: f1729237f3d17d8801506f4d299b90e7dce0893a\n" }, { "commit": "ed0503cbe3c2d85d138f2604b87d73417be6c940", "tree": "66fce41e479e22ba8a735fbcbb62d768c0307bd3", "parents": [ "b9431c95082a3de6c87f96b700e69b72e4d87fdc" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 28 17:21:25 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 28 17:21:25 2020 +0200" }, "message": "Add Kubernetes CTS\n\nThis adds patches and build specifications for the Kubernetes Conformance Test Suite. This involves\ngating various cloud-specific tests behind the providerless flag (otherwise we\u0027d gain a ton of additional dependencies)\nand an additional 60MiB in test binary size.\nSince the CTS for weird reasons requires kubectl to be available in the path we first build a kubectl go_image and then\nstack the CTS on top of it. The output bundle is then preseeded for use.\n\nTest Plan: `bazel run //core/tests/e2e/k8s_cts`\n\nBug: T836\n\nX-Origin-Diff: phab/D615\nGitOrigin-RevId: 7d2cd780a3ffb63b217591c5854b4aec4031d83d\n" }, { "commit": "b9431c95082a3de6c87f96b700e69b72e4d87fdc", "tree": "2caae783a1f940e8d9c3ff4bf23ef150b537c225", "parents": [ "ca24cfaef52b388438f06e69352643a4ee0185ca" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Aug 24 18:16:51 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Aug 24 18:16:51 2020 +0200" }, "message": "supervisor: never give up\n\nThis fixes T756, in which supervised processes would reach a negative\nbackoff value. This seems to be caused by the backoff library\u0027s\nExponentialBackoff having a default MaxElapsedTime of 15 minutes, after\nwhich it returns \u0027Stop\u0027, or, -1 seconds.\n\nTest Plan: There\u0027s no easy way to test this. Unfortunately, the behaviour to return Stop is not after a number of calls, but after time has elapsed. We don\u0027t want to wait 15 minutes for a test, and we don\u0027t have an easy way to mock time, either. But I did test this manually and I cannot observe the \u0027negative backoffs\u0027 after 15 minutes anymore.\n\nBug: T756\n\nX-Origin-Diff: phab/D619\nGitOrigin-RevId: 49d8617bcf2c8b36127cb43acde8afb7cc35c99f\n" }, { "commit": "ca24cfaef52b388438f06e69352643a4ee0185ca", "tree": "7333d3472dcf2f57cd7ed73349c5fc224749c296", "parents": [ "339582bb8d52b930c15cee77548f11794bb3b362" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Aug 18 13:49:37 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Aug 18 13:49:37 2020 +0200" }, "message": "Fixups after Node refactor\n\nTest Plan: Tested in the CTS revision.\n\nX-Origin-Diff: phab/D618\nGitOrigin-RevId: 4c591d463a0709fc944f52e32069cb7ababd55ca\n" }, { "commit": "339582bb8d52b930c15cee77548f11794bb3b362", "tree": "00de879bf5fe2b6e227b9439584b2359b935cadd", "parents": [ "b29e0b07048697a8e8b4b33adb98dd6d8e79eddf" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 29 18:13:35 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 29 18:13:35 2020 +0200" }, "message": "Add Kubernetes DNS with CoreDNS\n\nThis adds Kubernetes DNS with a CoreDNS instance running on the host. This has some distinct advantages over\nrunning it inside a container, like a simplified lifecycle (no state reconciliation) and the possibility of redirecting\nall host DNS requests over this instance for observability or central DNSSEC enforcement.\n\nTest Plan: Manually tested (`host kubernetes` in an Alpine container), will be covered by CTS.\n\nX-Origin-Diff: phab/D616\nGitOrigin-RevId: 281f5f384f4ef7eba2c3c3190be8e6a89772295c\n" }, { "commit": "8b0431a9d22b1f2bb8ab3e6eb66ffda5ca4a2ea9", "tree": "9ce1dd78a249056144e83e0884eb19b6febcda18", "parents": [ "b682ba55d4a51babad2beebb470b0fef0e6067ca" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Jul 13 16:56:36 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Jul 13 16:56:36 2020 +0200" }, "message": "Implement image preseeding\n\nThis pulls in the infrastructure to build OCI bundles with Bazel and adds a loader to\nload them into containerd at runtime.\n\nTest Plan: New E2E test using a simple hello world Go image.\n\nBug: T793\n\nX-Origin-Diff: phab/D585\nGitOrigin-RevId: 3bc5e35a89a80a9683778ced72cc79e2d0b684ed\n" }, { "commit": "b682ba55d4a51babad2beebb470b0fef0e6067ca", "tree": "d94c2bb98f3a47896558d9cd4d2cc0271a4558c7", "parents": [ "f85748717f32f0a74816de01b1e5f2e0104342c5" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 08 14:51:36 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 08 14:51:36 2020 +0200" }, "message": "Add service proxy\n\nThis adds a service proxy based on nfproxy and changes to the service IP allocation to make it work.\nAlso adds support for masquerading outbound traffic for outbound network connectivity.\n\nTest Plan:\nCurrently manually tested by creating an alpine pod and running \u0027apk add curl \u0026\u0026 curl -k https://192.168.188.1:443/\u0027.\nWill be covered later by CTS.\n\nBug: T810\n\nX-Origin-Diff: phab/D580\nGitOrigin-RevId: cace863fd8c2f045560f8abf84c40cc77bc275d4\n" }, { "commit": "57b4375dc2763dbf8444a4786bd41b7ec1a8172b", "tree": "96c6ec6648426bd51bbf82573b2fbe28f2044868", "parents": [ "73fc59541abfc457598cc5e62ae4d2c3b84065a1" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 19:17:48 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 19:17:48 2020 +0200" }, "message": "core/internal/cluster: implement multi-node clusters with \u0027golden ticket\u0027.\n\nAs we have fully ripped out all traces of the node management service or\nintegrity checks, we implement a stopgap system that allows us to\ncontinue developing multi-node clusters. This mechanism is enrolment\nusing \u0027golden tickets\u0027, which are protobuf messages that can be\ngenerated via the debug service on an existing cluster, and set on a new\nnode\u0027s EnrolmentConfig to bring that enrol that node into the cluster.\n\nAs this is a stopgap measure (waiting for better cluster lifecycle\ndesign), this is somewhat poorly implemented, with known issues:\n - odd enrolment flow that creates all certificates off-node and results\n in some code duplication in the cluster manager and node debug\n service\n - (more) assumptions that every node is both a kubernetes and etcd\n member.\n - absolutely no protection against consensus loss due to even quorum\n membership, repeated issuance of certificates\n - dependence on knowing the IP address of the new node ahead of time,\n which is not something that our test harness supports well (or that\n we want to rely on at all)\n\nTest Plan: part of existing multi-node tests\n\nX-Origin-Diff: phab/D591\nGitOrigin-RevId: 8f099e6ef37f8d47fb2272a3a14b25ed480e377a\n" }, { "commit": "1ebd1e133bac1a7fe0d667ec2ac95f87f63c3701", "tree": "c84bca5f68d4bbe959006215bf4711050af04288", "parents": [ "c2c7ad97b50194a550e77b875570ece90259f4ea" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 19:17:16 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 19:17:16 2020 +0200" }, "message": "core/internal/cluster: add new single-node cluster code\n\nThis adds a cluster library, that consists of:\n - a Node object that can be loaded from and saved into etcd,\n representing a node of the cluster that can have different \u0027role\n tags\u0027 assigned to it\n - a cluster Manager, that is responsible for bringing up the local node\n into a cluster (by creaating a new cluster, enrolling into or joining a\n cluster)\n\nThis also gets wired into core/cmd/init, and as such completes a chunk\nof The Refactor. This code should pass tests.\n\nTest Plan: this should work! should be covered by existing e2e tests.\n\nX-Origin-Diff: phab/D590\nGitOrigin-RevId: e88022164e4353249b29fc16849a02805f15dd49\n" }, { "commit": "c2c7ad97b50194a550e77b875570ece90259f4ea", "tree": "cc0d43c49c5d1cb787adf5c548c589fa50e9e72e", "parents": [ "efdb6e9da9ed4d575afe72fde02a27817eca37c4" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 17:20:09 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 17:20:09 2020 +0200" }, "message": "core/internal: move containerd and kubernetes to localstorage\n\nThis moves the last users of the old \u0027storage\u0027 library onto \u0027localstorage\u0027. We move a lot of \u0027runtime\u0027 directories to a single `/ephemeral` root. This could be called `/run`, but that might imply FHS compliance - which we don\u0027t have, nor want to have.\n\nWe also slightly refactor Kubernetes services to be a bit nicer to spawn. But generally, this is a pure refactor, with no functional changes.\n\nTest Plan: this should fail. part of a larger stack. D590 is the first tip of the stack that should work.\n\nX-Origin-Diff: phab/D589\nGitOrigin-RevId: d2a7c0bb52c2a7c753199221c609e03474936c22\n" }, { "commit": "efdb6e9da9ed4d575afe72fde02a27817eca37c4", "tree": "b1e1a9bff4b1b91ada8da8673e042bfecda2f505", "parents": [ "b7689bd2d426a5b5fa8375bb6e72aa853610707f" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 17:19:27 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 17:19:27 2020 +0200" }, "message": "core/api: move to core/proto\n\nThis is keeping in line with conventions that protobuf files generally\nlive in a \u0027proto/\u0027 directory. Even without that, a lot of the protos in\nthere aren\u0027t actually part of an API, so keeping them in `api/` is a bit\nof a misnomer.\n\nWe also remove unused protos that were part of the old\nintegrity/lifecycle flow. Again, these will make a comeback.\n\nTest Plan: this should fail. part of a larger stack. D590 is the first tip of the stack that should work.\n\nX-Origin-Diff: phab/D588\nGitOrigin-RevId: 4a7af494810348f6bcabd49e63902b4c47e6ec35\n" }, { "commit": "b7689bd2d426a5b5fa8375bb6e72aa853610707f", "tree": "d0e5ff620e783246260f3120cc2b7f74f07f6099", "parents": [ "cb883e2810f61d74df76f0db58be7c5ad31bf8e3" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 18:02:34 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 18:02:34 2020 +0200" }, "message": "cluster/internal: remove old cluster enrolment/integrity/management\n\nThis had to be done sooner or later, as it has been woefully\nunderdesigned. A lot of the TPM2 code will make a comeback, but keeping\nthis around (and buildable) right now is too painful. Once we get\nmulti-node clusters again, and properly design node/cluster lifecycle,\nwe\u0027ll add integrity/attestation support back in.\n\nTest Plan: this should fail. part of a larger stack. D590 is the first tip of the stack that should work.\n\nX-Origin-Diff: phab/D587\nGitOrigin-RevId: e8a43906a767aa4cb66b051027d619ce364269e7\n" }, { "commit": "cb883e2810f61d74df76f0db58be7c5ad31bf8e3", "tree": "2eb844cd60992866181bd061624e9cd1281f4cdc", "parents": [ "a5eaeb8670b0b56f884fbda8ddb92ea0bf78fb5d" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 06 17:47:55 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 06 17:47:55 2020 +0200" }, "message": "core/internal/consensus: refactor\n\nThis refactors the consensus to:\n - use localstorage\n - use the supervisor system\n - have a significantly simpler API for callers (no more\n PrecreateCertificate, etc.)\n - use a watcher for CRLs\n - actually have all bootstrap paths tested\n - keep the CA key in memory (keeping it in etcd only seems like odd\n threat modelling and can posisbly cause issues on quorum losses)\n\nThis breaks the build, as is part of a multi-revision refactor of the\ncore node service code.\n\nTest Plan: adds tests \\o/\n\nX-Origin-Diff: phab/D579\nGitOrigin-RevId: fadee7785028ef806d8243a770c70cb0fb82c20e\n" }, { "commit": "a5eaeb8670b0b56f884fbda8ddb92ea0bf78fb5d", "tree": "9cf2ea8bcfb5ee1170f4055979a69a0cd4266ab9", "parents": [ "f042e6f95bb7dc771bf79f309dbdf0b34da933da" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Jul 16 15:06:50 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Jul 16 15:06:50 2020 +0200" }, "message": "Increase zeroing performance for data partition\n\nIt\u0027s possible to increase queue depth for O_DIRECT in simple cases like ours by just\nsubmitting bigger buffers. As long as they are an exact multiple of the block size this is fine\nand the kernel doesn\u0027t complain. This also enables O_SYNC to prevent any buffering on the guest.\nThis should help to push out data quicker and prevent buffer bloat. The host has its own cache\nanyways.\n\nTest Plan:\nNo change in functionality, I observe more predictable performance (previously\nI sometimes had stalls where the initialization would take \u003e 60s).\n\nX-Origin-Diff: phab/D599\nGitOrigin-RevId: 19554fd9e6d709bde738d01a0d2de190c441640e\n" }, { "commit": "f042e6f95bb7dc771bf79f309dbdf0b34da933da", "tree": "f18c60fb92202ce2d5ec7041c85579865a81509d", "parents": [ "b876fc31f12628562a51c70668b318b9fc50478b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:46:09 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:46:09 2020 +0200" }, "message": "Add Wireguard-based K8s pod networking\n\nThis adds a pod networking runnable based on Wireguard which watches all nodes\nand adds their K8s IPAM allocations as routes into the kernel \u0026 WireGuard. It only depends\non K8s and only performs direct routing.\n\nTest Plan: Manually tested by spinning up a two-node cluster and running two Alpine pods pinging eachother. Can be covered by E2E tests once we can do image preseeding for the test infra (T793).\n\nBug: T487\n\nX-Origin-Diff: phab/D573\nGitOrigin-RevId: ba3fc36f421fd75002f6cf8bea25ed6f1eb457b0\n" }, { "commit": "b876fc31f12628562a51c70668b318b9fc50478b", "tree": "b7f4001c6ab56712dd26473b216e74222b1903f0", "parents": [ "78fd97294dbc8bbf5ef1a490b2d7b7ad96fddcae" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 14 13:54:01 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jul 14 13:54:01 2020 +0200" }, "message": "Update containerd to 1.4.0-beta.2 and K8s to 1.19.0-rc.0\n\nThis unbreaks bbolt (as part of containerd) on 1.14+ (see https://github.com/etcd-io/bbolt/pull/201 and\nhttps://github.com/etcd-io/bbolt/pull/220), pulls in my patch to ignore image-defined volumes\n(https://github.com/containerd/cri/pull/1504) and gets us some robustness fixes in containerd CNI/CRI integration\n(https://github.com/containerd/cri/pull/1405). This also updates K8s at the same time since they share a lot of\ndependencies and only updating one is very annoying. On the K8s side we mostly get the standard stream of fixes\nplus some patches that are no longer necessary.\n\nOne annoying on the K8s side (but with no impact to the functionality) are these messages in the logs of various\ncomponents:\n```\nW0714 11:51:26.323590 1 warnings.go:67] policy/v1beta1 PodSecurityPolicy is deprecated in v1.22+, unavailable in v1.25+\n```\nThey are caused by KEP-1635, but there\u0027s not explanation why this gets logged so aggressively considering the operators\ncannot do anything about it. There\u0027s no newer version of PodSecurityPolicy and you are pretty much required to use it if\nyou use RBAC.\n\nTest Plan: Covered by existing tests\n\nBug: T753\n\nX-Origin-Diff: phab/D597\nGitOrigin-RevId: f6c447da1de037c27646f9ec9f45ebd5d6660ab0\n" }, { "commit": "cca74b6b61a165e2d1679847731902eaed04bd94", "tree": "d26996a382862fa446febd25b8bb0c1fc18f621b", "parents": [ "56ae577a9f31df1a903dab7b72cf3f2ac518e5de" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 17:27:53 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jul 13 17:27:53 2020 +0200" }, "message": "core/internal/common/supervisor: remove debug logs\n\nThis is currently _extremely_ verbose. We should add this back when we\nget LogTree support landed.\n\nTest Plan: no behavioral changes\n\nX-Origin-Diff: phab/D586\nGitOrigin-RevId: 51295c1394e5583135ecdbd102c7936126ef2664\n" }, { "commit": "70f65b237aa29f2e9aced8a4a1e1739b6544cb92", "tree": "35f9b86b2e8b33572495935039e3b9c0a65d30c0", "parents": [ "52f7f291c1987fe98bd10d3ad79d4a0c8772ad03" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 08 17:02:47 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jul 08 17:02:47 2020 +0200" }, "message": "Add init debugging support\n\nThis adds Delve into the initramfs and a conditional hook which attaches Delve to our init\nafter the network is up. This allows for breakpoint-debugging the init itself, at least after the\nvery early node bringup.\n\nTest Plan:\n`bazel run -c dbg //:launch`, then use IDEA\u0027s Go Remote target to connect to localhost:2345\nand set a breakpoint.\n\nBug: T786\n\nX-Origin-Diff: phab/D581\nGitOrigin-RevId: f6b32e7b7f4d36c8492df3e11ee97588817dbd8e\n" }, { "commit": "52f7f291c1987fe98bd10d3ad79d4a0c8772ad03", "tree": "eaf212647f9bab001e62bb35647255b5f107bd2e", "parents": [ "3ff5af330857b2aadcdae9d9e6ca37b7e5d2c56e" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:42:02 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:42:02 2020 +0200" }, "message": "Add nanoswitch and cluster testing\n\nAdds nanoswitch and the `switched-multi2` launch target to launch two Smalltown instances on a switched\nnetwork and enroll them into a single cluster. Nanoswitch contains a Linux bridge and a minimal DHCP server\nand connects to the two Smalltown instances over virtual Ethernet cables. Also moves out the DHCP client into\na package since nanoswitch needs it.\n\nTest Plan:\nManually tested using `bazel run //:launch -- switched-multi2` and observing that the second VM\n(whose serial port is mapped to stdout) prints that it is enrolled. Also validated by `bazel run //core/cmd/dbg -- kubectl get node -o wide` returning two ready nodes.\n\nX-Origin-Diff: phab/D572\nGitOrigin-RevId: 9f6e2b3d8268749dd81588205646ae3976ad14b3\n" }, { "commit": "3ff5af330857b2aadcdae9d9e6ca37b7e5d2c56e", "tree": "9792637a9babc59ab73baaafbd370c5ba8a5bd5a", "parents": [ "e50ec399203fa409bfb405169e19f86141d71336" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:34:11 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Jun 24 16:34:11 2020 +0200" }, "message": "Expand launch infrastructure and make dependencies use it\n\nAdds support for launching MicroVMs and networking multiple machines to the launch infrastructure\nand its consumers. Also makes use of our own qboot. Also converts ktests to that infra and and fixes\nthe issue making it succeed if the VM couldn\u0027t be started.\n\nTest Plan: E2E tests \u0026 ktests still pass\n\nX-Origin-Diff: phab/D571\nGitOrigin-RevId: 0f317f6d8a06e4a3da343b4a7ff5c87918401426\n" }, { "commit": "e50ec399203fa409bfb405169e19f86141d71336", "tree": "7491ce33f7891e1c2267fee4318a354111465f6a", "parents": [ "2e30e88fe6afcf06bdd01478bc584619e91d4c1b" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Jun 30 21:41:39 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Jun 30 21:41:39 2020 +0200" }, "message": "core/internal/localstorage: init\n\nThis implements localstorage and localstorage/declarative, a small\nlibrary for better typed filesystem access. Further down the road this\nwill replace //core/internal/storage, but we\u0027re trying to commit this\nearly.\n\nThis is not used anywhere, and instead comes with a basic test to show\nits workings.\n\nTest Plan: covered by unit tests\n\nX-Origin-Diff: phab/D578\nGitOrigin-RevId: 9a225bc105cc331ce139eb6c195e9af216c8633e\n" }, { "commit": "dbfc638fa03704d274f78b31f508dde1e37502ee", "tree": "607f2fbd8683bfd5fc855cd03bce700a107f68fd", "parents": [ "71f7a567f372b41b3ea5cf72dfebd0546e3ff7df" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Jun 19 20:35:43 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Jun 19 20:35:43 2020 +0200" }, "message": "core/internal/kubernetes: refactor PKI fully\n\nWe move ad-hoc certificate/key creation to a little declarative,\nfuture-inspired API.\n\nThe API is split into two distinct layers:\n - an etcd-backed managed certificate storage that understands server\n certificates, client certificates and CAs\n - a Kubernetes PKI object, that understands what certificates are\n needed to bring up a cluster\n\nThis allows for deduplicated path names in etcd, some semantic\ninformation about available certificates, and is in general groundwork\nfor some future improvements, like:\n - a slightly higher level etcd \u0027data store\u0027 api, with\n less-stringly-typed paths\n - simplification of service startup code (there\u0027s a bunch of cleanups\n that can be still done in core/internal/kubernetes wrt. to\n certificate marshaling to the filesystem, etc)\n\nTest Plan: covered by existing tests - but this should also now be nicely testable in isolation!\n\nX-Origin-Diff: phab/D564\nGitOrigin-RevId: a58620c37ac064a15b7db106b7a5cbe9bd0b7cd0\n" }, { "commit": "71f7a567f372b41b3ea5cf72dfebd0546e3ff7df", "tree": "ef5ea6804ca0419e8851d1a21f956508764ba446", "parents": [ "5a09142af47b710bb76df16eca94edefcd3052d7" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jun 22 16:37:28 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jun 22 16:37:28 2020 +0200" }, "message": "Revert \"scripts/create_container: fix cockroachdb startup\"\n\nThis reverts commit 25aee769a555d34ae3c9f12560a8a29986601034.\n\nThis was uh messed up in phabricator and contains changes that shouldn\u0027t\nhave landed.\n\nTest Plan: it\u0027s a revert.\n\nX-Origin-Diff: phab/D567\nGitOrigin-RevId: 0dee3a91f708a9c2aba6cc7dbc929c3c887647c3\n" }, { "commit": "5a09142af47b710bb76df16eca94edefcd3052d7", "tree": "6be9238cf37c51dfc8f99aded4ef06c4ac81bb12", "parents": [ "385c12f84a0f1b6b5d70f228a0fb629f6f8f316c" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jun 22 14:01:45 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Jun 22 14:01:45 2020 +0200" }, "message": "scripts/create_container: fix cockroachdb startup\n\nAfter moving the build container to --net\u003dhost this broke building //...\n(as sqlboiler touches a local crdb in order to generate SQL\nboilerplate...). This moves cockroachdb to also run with --net\u003dhost, and\nfixes the advertisement address in the same way as it\u0027s fixed in\nrun_ci.sh.\n\nTest Plan: tested this locally :/\n\nX-Origin-Diff: phab/D562\nGitOrigin-RevId: 25aee769a555d34ae3c9f12560a8a29986601034\n" }, { "commit": "a013ffaf2d7bc71a06148584020d429903456fff", "tree": "95abf15e717ee2e1b0378ec4f922e84e57c0a1eb", "parents": [ "fc5dbc6646c6e332f5cbb88f6a68b6fbcffebe77" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Jun 03 15:09:32 2020 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Jun 03 15:09:32 2020 +0200" }, "message": "core/tests/e2e: wait for all subprocesses we created\n\nTest Plan: `bazel test core/tests/e2e/... --runs_per_test\u003d10`\n\nX-Origin-Diff: phab/D548\nGitOrigin-RevId: e7ed0d0f782fc38dfa94f83ded890187c6fd9c70\n" }, { "commit": "fc5dbc6646c6e332f5cbb88f6a68b6fbcffebe77", "tree": "4ea7cb93b2f0abfca9f547ee1401d39b73a79f5d", "parents": [ "140bddcbe1aac46b168f6fc2178eb9c3870a434c" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 28 12:18:07 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 28 12:18:07 2020 +0200" }, "message": "Add E2E tests for basic functionality and port launching to Go\n\nThis adds a new E2E test suite replacing the old log-parsing\nbased one. It also moves launching and controlling Smalltown VMs into\na Go package and command and exposes the \u0027//:launch\u0027 alias.\nThe new E2E test suite covers basic conditions (IP assigned, Data\navailable) and Kubernetes Node, Deployment and StatefulSet tests.\n\nTest Plan: This consists of E2E tests\n\nX-Origin-Diff: phab/D544\nGitOrigin-RevId: 7c624c667c849068bafa544a3a6c635d6d406e1c\n" }, { "commit": "e6030f696613983ea00fc93b9e8b826cea7a1e9a", "tree": "89a0459f2d021a77701faaa73742c21a24f07843", "parents": [ "4cc664da40ef91422fb90039b2a1e90a3f997078" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Wed Jun 03 17:52:59 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Wed Jun 03 17:52:59 2020 +0200" }, "message": "core/internal/kubernetes: refactor reconciler, move to subpackage\n\nThis makes the reconciler a bit more generic, and thus allows for\nwriting some basic tests (of the reconciler logic and of the declared\nresources).\n\nWe also start the cleanup of //core/internal/kubernetes by moving the\nreconciler into a separate subpackage. This creates two sketchy\ncross-package references that we\u0027ll need to fix in the future once we\ncontinue the cleanup and modularization of the Kubernetes package.\n\nTest Plan: the reconciler is now tested with unit tests!\n\nX-Origin-Diff: phab/D552\nGitOrigin-RevId: b43643065c8174402922c62e80cd9c87fdce2f13\n" }, { "commit": "4cc664da40ef91422fb90039b2a1e90a3f997078", "tree": "9742180802c0f4364641bbc9607dea521d7a9a86", "parents": [ "980d003d69087eb3ef8976a2a7c2df6c7d3c54e7" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jun 02 16:08:24 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jun 02 16:08:24 2020 +0200" }, "message": "Reconciler fixup\n\nI made some changes further down the revision stack which weren\u0027t properly propagated.\nThis makes sure the code from subsequent revisions also has the necessary changes.\n\nTest Plan: `bazel run //:launch` no longer shows the reconciler looping\n\nX-Origin-Diff: phab/D547\nGitOrigin-RevId: 2d8c6121b071504048f10cd8a34cbfba2a0f94b7\n" }, { "commit": "b15abadcd33cc25c220a2e8987f11bd967af5765", "tree": "e9744eb8694a12238f345fa409ba1553f813d18d", "parents": [ "0db90ba4fde0be782f2dc43f4e6d269d7c1c5f0b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Apr 16 11:17:12 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Apr 16 11:17:12 2020 +0200" }, "message": "Add PV provisioner\n\nThis adds a new PV provisioner which works together with the\nCSI Node driver to provide storage to workloads on Smalltown.\nIt talks to Kubernetes and listens for PVCs which need to be provisioned\nand PVs which have been released and need to be deleted.\n\nIs is implemented as a per-node agent where every node provisions the\nvolumes scheduled onto it by kube-scheduler.\n\nTest Plan: Manually tested by running `bazel run //core/cmd/dbg -- kubectl create -f $PWD/pv-test.yml` and observing a provisioned PV that\u0027s attached to the pod. An example `test-pv.yml` is in P137.\n\nX-Origin-Diff: phab/D482\nGitOrigin-RevId: 75a871b039e71dd248f937719c471e0277887964\n" }, { "commit": "0db90ba4fde0be782f2dc43f4e6d269d7c1c5f0b", "tree": "49237accda7efdae1c8398aa10da4aaa3ee9a4c8", "parents": [ "8e3b8fc9c4ccf5f92179c249de692e38a92d6ee0" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Apr 06 14:04:52 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Apr 06 14:04:52 2020 +0200" }, "message": "Implement CSI node plugin\n\nThis implements a CSI node plugin with registration support\nbacked by bind mounts from our XFS data partition.\nIt supports online volume expansion (and technically shrinking,\nbut K8s does not support shrinking) and CSI statistics backed by fsquota\n\nTest Plan: TBD\n\nX-Origin-Diff: phab/D471\nGitOrigin-RevId: 6bc37dac3726b39bd5d71cfddb2d53aeee0c8b4d\n" }, { "commit": "8e3b8fc9c4ccf5f92179c249de692e38a92d6ee0", "tree": "0cb705a7be0e42ac642cef771edab856f6676098", "parents": [ "8da5377d65930ff0a4085449c61f09fcfe64ec02" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 19 14:29:40 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 19 14:29:40 2020 +0200" }, "message": "Port kubernetes package to supervisor\n\nThis replaces the ad-hoc goroutine and process management\npreviously in the kubernetes package with a nice supervisor-based\nimplementation which should make it easier to understand and more\nreliable. It also prevents creation of more ad-hoc launching code\nfor future features (like CSI \u0026 Provisioning).\n\nSince porting SmalltownNode is rather involved I just instantiated a\nnew supervision tree in the Kubernetes main service and wired it\nup to the old interface. Once we port SmalltownNode we can just\nremove the legacy Start() method and directly call Run().\n\nTest Plan:\nPasses Bazel tests, Kubernetes functionality was manually\ntested by running `bazel run //core/cmd/dbg -- kubectl run -i --image alpine:edge sh`\nto verify that Kubernetes still works properly. Automated tests for this\nare being worked on.\n\nX-Origin-Diff: phab/D534\nGitOrigin-RevId: 001de38eaa5c7ee661bf5db9a7c3d0125c1b6af2\n" }, { "commit": "6acfc323aa74a424220907218cfa7f303b6992cc", "tree": "abb236a6ff03f48907c3feb398a1fac70212cf64", "parents": [ "878f5f9e5f9de93b09d354db7d116fd3d558dbfa" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed May 13 17:01:26 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed May 13 17:01:26 2020 +0200" }, "message": "Add support for gVisor logging\n\nTest Plan: Started Container using `bazel run //core/cmd/dbg -- kubectl run -i busybox --image\u003dbusybox test`, then observed logs using `bazel run //core/cmd/dbg logs containerd.runsc`\n\nX-Origin-Diff: phab/D527\nGitOrigin-RevId: 10dfa1704cbc18becc2005e7b38cc881e6ec50b5\n" }, { "commit": "878f5f9e5f9de93b09d354db7d116fd3d558dbfa", "tree": "994b67ea5264f7e38bb67e9043a369454eaab75d", "parents": [ "9a741a861a4cb5c52b0251a4abf3a2c606b06198" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 12 16:15:39 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue May 12 16:15:39 2020 +0200" }, "message": "Add Kubernetes Worker and infrastructure\n\nAdds Kubernetes Kubelet with patches for syscall-based mounting and\nsyscall-based (and much faster) metrics. fsquota patches have been\ndeferred to a further revision (for robust emptyDir capacity isolation).\n\nChanges encoding of the node ID to hex since Base64-URL is not supported\nas a character set for K8s names. Also adds `/etc/machine-id` and\n`/etc/os-release` since Kubernetes wants them. `os-release` is generated\nby stamping, `machine-id` is the hex-encoded node ID derived from the\npublic key.\n\nAlso includes a primitive reconciler which automatically ensures a set of\nbuilt-in Kubernetes objects are always present. Currently this includes\na PSP and some basic RBAC policies that are elementary to proper cluster\noperations.\n\nAdds an additional gRPC service (NodeDebugService) to cleanly\ncommunicate with external debug and test tooling. It supports reading\nfrom logbuffers for all externally-run components, checking conditions\n(for replacing log matching in testing and debugging) and getting\ndebug credentials for the Kubernetes cluster.\n\nA small utility (dbg) is provided that interfaces with NodeDebugService\nand provides access to its functions from the CLI. It also incorporates\na kubectl wrapper which directly grabs credentials from the Debug API\nand passes them to kubectl\n(e.g. `bazel run //core/cmd/dbg -- kubectl describe node`).\n\nTest Plan:\nManually tested.\nKubernetes:\n`bazel run //core/cmd/dbg -- kubectl create -f test.yml`\n\nChecked that pods run, logs are accessible and exec works.\n\nReading buffers:\n`bazel run //core/cmd/dbg -- logs containerd`\n\nOutputs containerd logs in the right order.\n\nAutomated testing is in the works, but has been deferred to a future\nrevision because this one is already too big again.\n\nX-Origin-Diff: phab/D525\nGitOrigin-RevId: 0fbfa0c433de405526c7f09ef10c466896331328\n" }, { "commit": "d3c59d22955d01ff4afcada9d4845cd935d820b7", "tree": "faa355d618630f556b053707cbe5ee60f84a534e", "parents": [ "c88c82db8b1a7f8a07782c970e1d0dfb453f9f66" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon May 11 16:00:22 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon May 11 16:00:22 2020 +0200" }, "message": "Update to Go 1.14\n\nUpdates the Go toolchain to 1.14 and gets rid of all upstreamed\npatches. Also shrinks binary sizes.\n\nTest Plan: Should be covered by CI.\n\nX-Origin-Diff: phab/D515\nGitOrigin-RevId: 1c400a6ba6a8d78a02aba925d95486b807eda0e9\n" }, { "commit": "c88c82db8b1a7f8a07782c970e1d0dfb453f9f66", "tree": "22072c4f18e4aaa855577ff0b42a86ef77a9c4cb", "parents": [ "60febd9db40970a31a2f49bdb969897a37c11cc6" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Fri May 08 14:35:04 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Fri May 08 14:35:04 2020 +0200" }, "message": "Add containerd \u0026 gVisor support\n\nThis adds containerd, CNI, gVisor and all the necessary shims\nand supporting infrastructure. It also enables all relevant features in\nthe Linux kernel. containerd is designed as a simple supervisor.Runnable.\nIt is not being started yet, this will happen in D497.\n\nSplit out from feature/kubelet.\n\nTest Plan:\nHas been tested in conjunction with the rest of D497, will be\ncovered by a K8s E2E test there.\n\nX-Origin-Diff: phab/D509\nGitOrigin-RevId: 92523516b7e361a30da330eb187787e6045bfd17\n" }, { "commit": "60febd9db40970a31a2f49bdb969897a37c11cc6", "tree": "8ac7756b46db3333e0f81dea04ce1d8bbfe38e62", "parents": [ "fc2c4f5bc24286f24d3fe130bec61cf9fc59982d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 07 14:08:18 2020 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu May 07 14:08:18 2020 +0200" }, "message": "Clean up consensus etcd log output\n\nIntegrates our Zap logger into our etcd embedded instance to\nclean up the logs. Split out from D497 (ex feature/kubelet).\n\nTest Plan:\n`bazel run //core/scripts:launch` no longer shows etcd JSON\noutput.\n\nX-Origin-Diff: phab/D498\nGitOrigin-RevId: 8df3b9c3edd20310079306479adfadf983af7da2\n" }, { "commit": "ac6b6441f65fa160c1a3d2e9b31277e747c96a32", "tree": "340b921508eba906823c28740b2010733d108c13", "parents": [ "19bb4125a7eb155a51143046a8501b40702aa650" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Wed May 06 19:13:43 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Wed May 06 19:13:43 2020 +0200" }, "message": "core/internal/common/supervisor: deflake\n\nWe fix several flaky tests in the supervisor framework, and one bug in the\nsupervisor itself.\n\nTests are deflaked by depending less on tight timing and instead on a\n\u0027settled\u0027 state of the supervisor, which is basically a wait to join the\nsupervisor when it\u0027s done with whatever work it\u0027s currently taking care\nof.\n\nAnother flake, TestBackoff, is fixed by widening the allowed restart\ntime.\n\nFinally, we fix a bug in the supervisor that caused it to spuriously\nrestart children when it would schedule them when their future parents\ncontext was canceled.\n\nFinally, we make some log messages less verbose.\n\nTest Plan: Covered by existing tests that are now less flaky. This was tested with bazel test --runs_per_test\u003d100 to not flake anymore.\n\nX-Origin-Diff: phab/D495\nGitOrigin-RevId: f92f7368708c54c59644d3e7dca03b2b5692c30a\n" }, { "commit": "19bb4125a7eb155a51143046a8501b40702aa650", "tree": "3b3bbc665edc254ba901baaf883ac96712125c18", "parents": [ "f64021170952839c39f25e13e8771d8e377af898" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon May 04 17:57:50 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon May 04 17:57:50 2020 +0200" }, "message": "//core/internal/supervisor: drop panic propagation flag\n\nThis made the race detector unhappy (for a good reason), and was\nactually unused. The only place where we do want panic propagation is in\ntests, and making it configurable by an option passed to New() is much\nmore friendly, anyway.\n\nTest Plan: Behaviour unchanged, covered by existing tests.\n\nX-Origin-Diff: phab/D490\nGitOrigin-RevId: 465a8244445906bbb12e8fec13ccab0c87ab50f6\n" }, { "commit": "bb7db92ee6e788b576e22ece70914e0321a785f7", "tree": "1f4fee21a390625bd9766d0394e3076cf7e34d48", "parents": [ "547b33f2b38dba41f2c171f8730ff5093b267eaf" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Apr 30 12:43:10 2020 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Apr 30 12:43:10 2020 +0200" }, "message": "Add all dependencies for Kubernetes worker\n\nAdds Kubelet, CNI plugins, containerd, runc and gVisor using a\npre-baked list of dependencies generated using scripts/gazelle-deps/sh.\n\nThis moves all dependencies of gVisor, Kubernetes, runc, etc into the\nsame \u0027namespace\u0027 of Bazel external repositories, giving us ease of\naccessing code as libraries, and benefits when it comes to version\nauditing.\n\nThe gazelle-deps.sh script is a temporary solution that will be replaced\nASAP, see T725.\n\nThis unblocks T486.\n\nThis is an alternative to D389.\n\nTest Plan: `bazel build //core:image` runs and picks up the new binaries\n\nX-Origin-Diff: phab/D487\nGitOrigin-RevId: a28a25071fa2ae76b272d237ce9af777485065ff\n" }, { "commit": "b1b742f91489cafa199bf5dd6e83d965cb23f63f", "tree": "11ad76da23350c0d70ee2f21aa50e56cb1421b57", "parents": [ "9c09c4e9a637dedc1643e32419f56f789e79fec8" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Mar 24 13:58:19 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Mar 24 13:58:19 2020 +0100" }, "message": "core/internal/network: move to supervisor\n\nTest Plan: behaviour shouldn\u0027t change, covered by existing tests\n\nBug: T653\n\nX-Origin-Diff: phab/D430\nGitOrigin-RevId: b92f0953daba6da84bad96120cde2021c4a82e5c\n" }, { "commit": "9c09c4e9a637dedc1643e32419f56f789e79fec8", "tree": "3f8d222ee9d25ede79ba11fee50eb095b6d5658f", "parents": [ "7b5d994379ef72ccf9f4de15d01b9604fc650287" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Mar 24 13:58:01 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Mar 24 13:58:01 2020 +0100" }, "message": "supervisor: init\n\nThis introduces the service supervisor (or supervisor, for short) - a\nlibrary used to reliably run parts of Smalltown.\n\nThe design is outlined in [[ https://phab.monogon.dev/u/supervision | go/supervision ]].\n\nThis only implements the supervision itself, and does not actually use\nit in Smalltown. Another revision based on this one will aims to move at\nleast parts of the codebase onto this library.\n\nTest Plan: the supervision code is integration tested\n\nBug: T653\n\nX-Origin-Diff: phab/D429\nGitOrigin-RevId: cffa73de5957e95af629b78379ffc0c7e8681afb\n" }, { "commit": "581b0bd6386a077e29107710e008983b62233ccf", "tree": "85cf721d9711e7adc88c744c55ee12a96ee7114d", "parents": [ "79d7a625709242204993cffbd99ed734dc1c50a5" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Mar 12 13:36:43 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Mar 12 13:36:43 2020 +0100" }, "message": "init: remount to tmpfs\n\nrunsc needs to be able to pivot_root. According to @lorenz this does not\nwork from initramfs. This introduces a temporary fix to re-mount and\nre-exec into a new root based on tmpfs.\n\nA proper fix would be to use a real filesystem instead of initramfs\n(like squashfs), but this will do for now.\n\nWe also use this opportunity to use devtmpfs instead of manually\nmanaging /dev. This collides with the storage manager that tries to\ncreate all storage nodes - we just remove that.\n\nTest Plan: shouldn\u0027t change behaviour\n\nX-Origin-Diff: phab/D433\nGitOrigin-RevId: aa59fec6551bab1b1b9c2fe037dce410e550981b\n" }, { "commit": "8fba0f84d52095ff933b442f2acaec315e2eb1da", "tree": "f8b168b9f2395ada0ea11980800836daee009dd5", "parents": [ "8efe51e0fd63e9df72cd61ab610ffe0a6dd27834" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Jan 22 18:46:25 2020 +0100" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Jan 22 18:46:25 2020 +0100" }, "message": "Review comments for TPM attestation\n\nLots of comments and an updated boot test. Generously increase the timeout to eliminate random CI failures.\n\nTest Plan: Boot test works\n\nBug: T499\n\nX-Origin-Diff: phab/D319\nGitOrigin-RevId: cf17fe7c599f670ff8b6f0ac60486f2a04f13a5a\n" }, { "commit": "8efe51e0fd63e9df72cd61ab610ffe0a6dd27834", "tree": "250202ef0188f8018193626c43f03b2cb3165de0", "parents": [ "30b00d6d9f0bc6928ea81a6780883d252def5a3c" ], "author": { "name": "Hendrik Hofstadt", "email": "hendrik@nexantic.com", "time": "Fri Feb 28 12:53:41 2020 +0100" }, "committer": { "name": "Hendrik Hofstadt", "email": "hendrik@nexantic.com", "time": "Fri Feb 28 12:53:41 2020 +0100" }, "message": "ide: use goimports instead of gofmt\n\nTest Plan: changed import sorting and saved file. Imports were resorted.\n\nX-Origin-Diff: phab/D413\nGitOrigin-RevId: 72ce771a9724f62f839e44211ee5cd64c89c56d7\n" }, { "commit": "1a5a667667849db21b533405245239445947b7fb", "tree": "fe1574ae959b3dcbd462af740f0f384ae8346479", "parents": [ "cdb8c78eb7d29e6595053c455141007cb1c13a83" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Feb 18 10:09:43 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Feb 18 10:09:43 2020 +0100" }, "message": "core/internal/network: use DHCP router/gateway\n\nThis makes us actually set up a default route now. We also stop using github.com/insomniacslk/dhcp types, and instead use our type for the DHCP status. Finally, we also comment the DHCP client a bit better.\n\nThis fixes T651.\n\nTest Plan: lacking a regression test, working on one now.\n\nBug: T651\n\nX-Origin-Diff: phab/D403\nGitOrigin-RevId: caead83016cfe2f1783fad33e8d71723a3a32057\n" }, { "commit": "cdb8c78eb7d29e6595053c455141007cb1c13a83", "tree": "db17ef01058c8185887e26e31131d62c168a23c7", "parents": [ "6c8d5f9319706be576563b990c875afc0d60d02d" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Feb 17 12:34:02 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Feb 17 12:34:02 2020 +0100" }, "message": "Revamp DHCP, add basic context management\n\nThis started off as a small change to make the network service DHCP client a bit nicer, and ended up basically me half-assedly starting to add context within Smalltown.\n\nIn my opionion a simple OnStart/OnStop lifecycle management for services will stop working once we have to start handling failing services. I think taking inspiration from Erlang\u0027s OTP and implementing some sort of supervision tree is the way to go. I think this also ties nicely together with Go\u0027s context system, at least partially. Implementing the full supervision tree system is out of scope for this change, but at least this introduces .Context() on the base service struct that service implementations can use. Currently each service has its own background context, but again, this should tie into some sort of supervision tree in the future. There will be a design document for this.\n\nI also rejigger the init code to have a context available immediately, and use that to acquire (with timeout) information about DHCP addresses from the network service.\n\nI also fix a bug where the network service is started twice (once by init, once by the smalltown node code; now the smalltown node code takes in a dependency injected network service instead).\n\nI also fix a bug where OnStop would call OnStart. Whoops.\n\nTest Plan: no new functionality, covered by current tests\n\nBug: T561\n\nX-Origin-Diff: phab/D396\nGitOrigin-RevId: adddf3dd2f140b6ea64eb034ff19533d32c4ef23\n" }, { "commit": "aa6b7346a87a5512fbdd5b39db766000c0e10415", "tree": "8b7665934b854d4d2ee18e90a289752f8cd85942", "parents": [ "5e0bd2d43ab72cf4091e7689d02f95e07b1c1010" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Dec 12 02:55:02 2019 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Dec 12 02:55:02 2019 +0100" }, "message": "Attestation \u0026 Identity \u0026 Global Unlock \u0026 Enrolment\n\nThis changes the node startup sequence significantly. Now the following three startup procedures replace the old setup/join mechanic:\n* If no enrolment config is present, automatically bootstrap a new cluster and become master for it.\n* If an enrolment config with an enrolment token is present, register with the NodeManagementService.\n* If an enrolment config without an enrolment token is present, attempt a normal cluster unlock.\n\nIt also completely revamps the GRPC management services:\n* NodeManagementService is a master-only service that deals with other nodes and has a cluster-wide identity\n* NodeService is only available in unlocked state and keyed with the node identity\n* ClusterManagement is now a master-only service that\u0027s been spun out of the main NMS since they have very different authentication models and also deals with EnrolmentConfigs\n\nThe TPM support library has also been extended by:\n* Lots of integrity attestation and verification functions\n* Built-in AK management\n* Some advanced policy-based authentication stuff\n\nAlso contains various enhancements to the network service to make everything work in a proper multi-node environment.\n\nLots of old code has been thrown out.\n\nTest Plan: Passed a full manual test of all three startup modes (bootstrap, enrolment and normal unlock) including automated EnrolmentConfig generation and consumption in a dual-node configuration on swtpm / OVMF.\n\nBug: T499\n\nX-Origin-Diff: phab/D291\nGitOrigin-RevId: d53755c828218b1df83a1d7ad252c7b3231abca8\n" }, { "commit": "7ba3152b450889e81e85a02bd2e28f992edba2b0", "tree": "f543b51e889ff997beff6780e86a2eb4aab6aa50", "parents": [ "71049afd7c1828f5deb660c059527e5d99e8d1c7" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Feb 03 16:08:19 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Feb 03 16:08:19 2020 +0100" }, "message": "core/internal/api: use gRPC statuses as much as possible\n\nReturning plain go errors via gRPC will always result in a gRPC \u0027INTERNAL\u0027 error code, which is suboptimal. We go ahead and semanticize some of the possible error paths, and at the same time:\n\n - swallow some internal errors into logs and serve sanitized errors\n - move some of the internal service implementations to also use gRPC statuses\n - change a panic() call into a status.Unimplemented return type\n\nThere\u0027s still plenty work to be done on this front, but this is a good first change.\n\nTest Plan: if this is not covered by tests we\u0027re screwed anyways\n\nX-Origin-Diff: phab/D366\nGitOrigin-RevId: 71880a9e23c65631d6c4df6338855864c34bb11f\n" }, { "commit": "71049afd7c1828f5deb660c059527e5d99e8d1c7", "tree": "cae977fc7e2640c2630d662ef3d97525468a9691", "parents": [ "dcb3a56fe915f2359a5832c685aa2789027ee5fb" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Feb 03 16:05:52 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Feb 03 16:05:52 2020 +0100" }, "message": "core/api: fix RemoveNode return type.\n\nTest Plan: should be covered by API tests\n\nX-Origin-Diff: phab/D365\nGitOrigin-RevId: 71cb5ae7c91fff1a57bae508f027cac6f2f2fa74\n" }, { "commit": "a4516f9887e43b774e49c22db93cdf289dc9cfb1", "tree": "8a0761a3480074b01d5584a1cd5c111a69f76594", "parents": [ "6e8f69c53a2c82f5a760ab2e8152218cc86f3430" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Dec 04 20:27:05 2019 +0000" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Dec 04 20:27:05 2019 +0000" }, "message": "Add minimal functionality test for k8s control plane\n\nBasic functionality test that sends the bootstrap RPC call,\nwaits for the k8s control plane to come up and runs a simple\nkubectl command (that is expected to fail).\n\nAdds reflection to the server to make grpc_cli easier to use.\n\nTest Plan:\nRan `:launch` (because we modified its config) and `:test_boot`,\nsaw a nicely booted k8s cluster:\n\n{P90}\n\nX-Origin-Diff: phab/D275\nGitOrigin-RevId: fe01e3f3ed09877aa76c15946664c9d9bdc4751b\n" }, { "commit": "6e8f69c53a2c82f5a760ab2e8152218cc86f3430", "tree": "1556b56e0a0cdb5108c301dc88710b5b2d74ba1b", "parents": [ "b7a18fd9be7732e9ed9b29f33b7f545916da207b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Nov 18 10:44:24 2019 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Nov 18 10:44:24 2019 +0100" }, "message": "Initial Kubernetes Control Plane\n\nThis adds a minimum viable Kubernetes Control Plane consisting of a\nkube-apiserver, kube-controller-manager and kube-scheduler. It contains\ntwo small CAs for Kubernetes Identity management based on shared\ncertificates and contains changes for exposing etcd via UNIX socket\nso that the apiserver can talk to it.\n\nTest Plan:\nTested by manually calling Setup() and observing subsequent logs and\nconnecting to the API server.\n\nBug: T485\n\nX-Origin-Diff: phab/D271\nGitOrigin-RevId: e56f3e50eb9d33ea291289faa1aac3bebdeb3346\n" }, { "commit": "45333b68dd60942adc61a29f50b2c72420b792e3", "tree": "64d2997e5b7bf68d5bc7084b07a765ddf5c9aa58", "parents": [ "719362043a48b7d1575b53885c3e95dade55f0bf" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Nov 11 15:26:27 2019 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Nov 11 15:26:27 2019 +0100" }, "message": "Enable network loopback interface\n\nAbsence of a properly enabled loopback interface caused weird\nbehavior in the Kubernetes control plane.\n\nTest Plan: Issues with kube-apiserver were no longer observed.\n\nX-Origin-Diff: phab/D257\nGitOrigin-RevId: 9b8a18a28463a29e85945587765f155de86f68b3\n" }, { "commit": "68c58755e0a56e1b1c565d80f99056ec4948fbec", "tree": "f122ab392769d33620077c65ddf0f0a3aed43d1c", "parents": [ "5ed291ea1833ffd07665b6194f7b6db2b7c1c4aa" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Thu Nov 14 21:00:59 2019 +0100" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Thu Nov 14 21:00:59 2019 +0100" }, "message": "Improve documentation, remove dead code plus some minor refactorings\n\nThis improves our code-to-comments ratio by a lot.\n\nOn the refactorings:\n\n- Simplify the cluster join mode to just a single protobuf message -\n a node can either join an existing cluster or bootstrap a new one.\n All of the node-level setup like hostname and trust backend is done\n using the setup call, since those are identical for both cases.\n\n- We don\u0027t need a node name separate from the hostname. Ideally, we would\n get rid of IP addresses for etcd as well.\n\n- Google API design guidelines suggest the `List` term (vs. `Get`).\n\n- Add username to comments for consistency. I think the names provide\n useful context, but git blame is a thing. What do you think?\n\n- Fixed or silenced some ignored error checks in preparation of using\n an errcheck linter. Especially during early boot, many errors are\n obviously not recoverable, but logging them can provide useful debugging info.\n\n- Split up the common package into smaller subpackages.\n\n- Remove the audit package (this will be a separate service that probably\n uses it own database, rather than etcd).\n\n- Move storage constants to storage package.\n\n- Remove the unused KV type.\n\nI also added a bunch of TODO comments with discussion points.\nAdded both of you as blocking reviewers - please comment if I\nmisunderstood any of your code.\n\nTest Plan: Everything compiles and scripts:launch works (for whatever that\u0027s worth).\n\nX-Origin-Diff: phab/D235\nGitOrigin-RevId: 922fec5076e8d683e1138f26d2cb490de64a9777\n" }, { "commit": "a4ea9d03f1fb4248739392615967eaf07842e74b", "tree": "e2b8e2e3d9aa83ca7f650f2a0d972023869c1d3b", "parents": [ "e47ace84cb3e30375dcb4236c17ee9710a77a6ad" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Oct 31 11:40:30 2019 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Thu Oct 31 11:40:30 2019 +0100" }, "message": "Added bootstrap CA\n\nThis adds a self-contained CA for bootstrapping and securing etcd\nusing certificates of infinite duration and a CRL for near-instant\nrevocation.\n\nThe bootstrapping problem is addressed by first\ngenerating the CA and issuing initial certificates and then\ninjecting them once the consensus system is up and running.\nAll files are also kept on the encrypted persistent data store to\nprevent the same bootstrapping problem when the node is already\ninitialized. The CRL is synchronized using a sync loop on every\nnode running the consensus service and distributed inside that.\n\nThe CA uses Ed25519-based cryptography and identifies the\nhosts by their external hostname.\n\nTest Plan:\nInitial bootstrapping manually tested on a single node using a\nmanual gRPC call for Setup() and openssl s_client for connecting\nto etcd.\n\nX-Origin-Diff: phab/D233\nGitOrigin-RevId: bd67818b5b649b13e0c098e480059ef990826542\n" }, { "commit": "0d7c91e331022831a974c2e34d32bb5b89ddc89c", "tree": "5b822873c015053f4b697d60c33fa3b1ef9a3a4b", "parents": [ "043daa57020dd36e074488dcb432114a548a3d2a" ], "author": { "name": "Hendrik Hofstadt", "email": "hendrik@certus.one", "time": "Wed Oct 23 21:44:47 2019 +0200" }, "committer": { "name": "Hendrik Hofstadt", "email": "hendrik@certus.one", "time": "Wed Oct 23 21:44:47 2019 +0200" }, "message": "Implement monorepo layout\n\nImplemented the nexantic monorepo.\n\nSmalltown code was moved to `core`. From now on all code will live in top level directories named after the projects with the exception for general purpose libraries which should go to `\u003clang\u003elibs`.\n\nGeneral build and utility folders are underscore prefixed.\n\nThe repo name will from now on be rNXT (nexantic). I think this change makes sense since components in this repo will not all be part of Smalltown, the Smalltown brand has been claimed by Signon GmbH so we need to change it anyway and the longer we wait the harder it will be to change/move it.\n\nTest Plan: Launched Smalltown using `./scripts/bin/bazel run //core/scripts:launch`\n\nX-Origin-Diff: phab/D210\nGitOrigin-RevId: fa5a7f08143d2ead2cb7206b4c63ab641794162c\n" } ] }