)]}' { "log": [ { "commit": "1dc567e8f342e0e410a4fe7beb149bf66eb34a56", "tree": "3ace3e556e159355f6d5aa0da7b90da7267604b7", "parents": [ "20d1dd1fdae016c19fcdf9607ab1503f1a45722a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Jul 01 01:24:47 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Wed Jul 06 11:08:28 2022 +0000" }, "message": "m/n/c/r/resolver: enable keepalive on updaters\n\nThis prevents the resolver from getting stuck waiting for TCP timeout\nwhen the node it\u0027s connected to partitions. This was observed a few times in manual testing when restarting nodes.\n\nChange-Id: I7126888b77e9e1dfbcfcfc009f04639e65119fa6\nReviewed-on: https://review.monogon.dev/c/monogon/+/815\nTested-by: Jenkins CI\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "d57ef1c61a520fa251ede0b4ef2491b8c3ebd3b8", "tree": "75e52624d70b3351fb5a8c26394acbfd19c785f2", "parents": [ "5f8414dd1409f96b3f70e621a5189b11c68cddcc" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri Jul 01 12:22:33 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri Jul 01 11:26:42 2022 +0000" }, "message": "m: remove references to LUK, GUK\n\nThis unifies the unlock key nomenclature throughout the repository:\n- Local Unlock Key becomes a Node Unlock Key\n- Global Unlock Key becomes a Cluster Unlock Key\n\nChange-Id: I674ad68a50b3845705f3e2c57952fc7fba5be665\nReviewed-on: https://review.monogon.dev/c/monogon/+/816\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "5f8414dd1409f96b3f70e621a5189b11c68cddcc", "tree": "c12fabd2ff9f7ebc8cd070a7d2f4fe93806950e3", "parents": [ "867107d6f8ab9e237f476c290c21381829e18e22" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Jun 24 13:02:11 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Jul 01 10:40:50 2022 +0000" }, "message": "m/n/core: fix panic logging\n\nWe fix a few issues:\n\n 1. Logging to the runtime file descriptors didn\u0027t work for some\n reason. Opening the FD(s) manually works.\n 2. We didn\u0027t log into consoles.\n 3. We didn\u0027t return errors/results correctly. RawSyscall performs its\n own \u0027\u003e0\u0027 check on a syscall result and routes the result to either\n the first or last return value. We need to undo this check to return\n the same unified argument as runtime.write expects and\n runtime.write1 provides.\n\nChange-Id: Ie718a47139dd0f700d53466a1250593025c9dcbd\nReviewed-on: https://review.monogon.dev/c/monogon/+/809\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "58ddc0981614e7582a3ad5a505d64e4c48cd2800", "tree": "3060609a9e68a4a032c133330c5f2f18218e52be", "parents": [ "5bb8a33c73eb418729227e071af6777703913a65" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 30 18:23:33 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 30 17:55:07 2022 +0000" }, "message": "m/n/c/r/resolver: allow disabling curator updater\n\nThis allows some resolvers to not attempt to contact the cluster for\ncurator node updates. We use this in the Join and Register resolvers as\nthey don\u0027t have permission to access this data anywa.\n\nWe also generalize Resolver options into a proper WithX setup. We also\nuse this opportunity to move the resolver creation in node code outside\nof the roleserver, as it should have been in the first place.\n\nChange-Id: I1cc227711d784e07959371873029e09fc8cd1b99\nReviewed-on: https://review.monogon.dev/c/monogon/+/808\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "b43d0f0765916e029db8f784e44659fc8468e945", "tree": "f19bd58546b20c3a4c19eab62492e454a7f230a8", "parents": [ "fcfebbc0a05f8e5186b259b334463afdb358e299" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 23 17:32:10 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 30 15:55:44 2022 +0000" }, "message": "m/node: use resolver for intra-cluster connections\n\nThis replaces all instances of \u0027just connect to the first node for now\u0027\nwith usage of a proper leader-aware cluster resolver.\n\nThis isn\u0027t tested yet, as all of this will be exercised in an E2E test.\n\nChange-Id: I9f6bfb49ff9ae0dd70ac1a3131c5ee021d9bb5a5\nReviewed-on: https://review.monogon.dev/c/monogon/+/796\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "fcfebbc0a05f8e5186b259b334463afdb358e299", "tree": "4856e7ea62d94f063405a6ac4edb1b2bd1799146", "parents": [ "b401d635b65ce03c798f679f81d8ab602d7e61e8" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 23 16:50:27 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 30 15:36:45 2022 +0000" }, "message": "m/n/c/rpc: make resolver leader-aware\n\nThis is a fairly large change which makes the resolver only contact the\ncurrent leader of the control plane, not all nodes in a round-robin\nfashion.\n\nThis resolver isn\u0027t yet used by the cluster, the tests, or metroctl -\nbut that will come in upcoming CLs.\n\nWe also move the resolver to a subpackage of rpc, in preparation for\nmoving it into a package path designed to be depended upon by users.\n\nChange-Id: I230853bbf552fbde947de05f95de37cea93a168c\nReviewed-on: https://review.monogon.dev/c/monogon/+/795\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "2a64fff55720780c1702d1013be2a80575d80aa7", "tree": "95853f97d350f35a77a2d6b1aa0895a964d51902", "parents": [ "655a780e0a1957da1720b747431a49406fc9f55a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 23 17:43:02 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Jun 27 12:10:27 2022 +0000" }, "message": "m/n/c/curator: lower leader failover TTL to 10s\n\nThis allows us to make some (future) tests faster, and generally sounds\nlike a good idea to make the cluster more responsive to partitioning\nproblems.\n\nChange-Id: I086b766584c8b5aeec0de9de53130697ca59d2b0\nReviewed-on: https://review.monogon.dev/c/monogon/+/798\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "655a780e0a1957da1720b747431a49406fc9f55a", "tree": "ade5bf169069a33e20640de9aa7fec400c46929a", "parents": [ "966d40cb382754d0f4cea6cbcaa3195373b38f48" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Jun 21 13:55:15 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Jun 27 12:10:20 2022 +0000" }, "message": "m/n/c/network: be more verbose about receiving new IP addresses and using interfaces\n\nWe never really logged these anywhere. This helps debugging.\n\nChange-Id: Ifcddeb454ca317becc512b96b2daa6c069bce36f\nReviewed-on: https://review.monogon.dev/c/monogon/+/781\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "966d40cb382754d0f4cea6cbcaa3195373b38f48", "tree": "a4c8b4d6d7b88de7ac187f379d348aba8dabf4bb", "parents": [ "97d6808057059338d3112c07ef57863d5f180ba9" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 23 13:27:16 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Jun 24 13:35:22 2022 +0000" }, "message": "m/proto: Add RunningCurator to status, report in status pusher\n\nThis data allows more dynamic reporting of a node\u0027s Curator status, and\nnotably allows reporting which port it\u0027s running on.\n\nWe weren\u0027t planning on supporting running on non-standard ports, and we\nprobably still don\u0027t, but it\u0027s actually super useful to have this\nability in (future) tests.\n\nWe use the opportunity to refactor the roleserver\u0027s statuspush worker,\nand to add a test for it.\n\nChange-Id: I53322e6c8d268186ede085d4a05b646acb422a6b\nReviewed-on: https://review.monogon.dev/c/monogon/+/793\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "97d6808057059338d3112c07ef57863d5f180ba9", "tree": "6766d4c92110b1b64b67822cccda25ea90769e3b", "parents": [ "05c1db9d0f608b793cee96e8f947534d682c3694" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 13:15:21 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Jun 24 13:20:55 2022 +0000" }, "message": "m/n/c/consensus: add debug logging about PKI data presence\n\nChange-Id: I51fb0ffecb26f529f85ea7966b217f8c1a0a08ef\nReviewed-on: https://review.monogon.dev/c/monogon/+/791\nTested-by: Jenkins CI\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "05c1db9d0f608b793cee96e8f947534d682c3694", "tree": "b0681c760d1bf825d54d4393207e412ca93800d7", "parents": [ "1fbc5975a74174c3719ae2a15b60d202b6b4e609" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 23 14:24:29 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Jun 24 13:11:47 2022 +0000" }, "message": "m/n/c/rpc: remove leftover ClusterServices\n\nThese were mostly used back when the Curator leader/follower had per-method dispatching. We don\u0027t do that anymore.\n\nChange-Id: I202254e4deabfb3dc150d69a28156d8824009032\nReviewed-on: https://review.monogon.dev/c/monogon/+/794\nTested-by: Jenkins CI\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "944cb53d38e1b506eb5dcb0ca17fa0811195b09f", "tree": "adb106cb1a620fb7d804c6f3cee1d665a872fb5c", "parents": [ "ddf19b4b194936cc310eae9fc5c01bedcedbb900" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Jun 20 16:54:17 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Thu Jun 23 16:27:33 2022 +0000" }, "message": "m/p/api: use protobuf.Duration in Management.Node\n\nThis switches Management.Node message\u0027s time_since_heartbeat backing\ntype from int64 to google.protobuf.Duration in order to enable duration\nbased predicates in Management.GetNodes filter expressions.\n\nChange-Id: Ia2663475d1b9ee535dc5578f16d53b70c6686b7c\nReviewed-on: https://review.monogon.dev/c/monogon/+/776\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "5055d727cdcf6692d0049a8963ec56ac3401721b", "tree": "ae398512c886c4594a48ec681aa14d3a130c9d71", "parents": [ "98206b93355539404dccd04bd0882aa59ec8cd8b" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Jun 20 14:48:10 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Thu Jun 23 16:22:54 2022 +0000" }, "message": "m/n/c/curator: test role filtering in GetNodes\n\nThis makes sure that node roles can be inspected with filter predicates\nsupplied to Management.GetNodes.\n\nIn addition, the common putNode test helper was refactor to accommodate\nnew use cases.\n\nChange-Id: I1948e877ef657d4649bba0f25f81268b6adfcd95\nReviewed-on: https://review.monogon.dev/c/monogon/+/775\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "aaa4d45a0a88e69137f4b946f26f3ce5f8ad0642", "tree": "12ab62f9b999ef2de7710fd1dfb22ab6b1266ac1", "parents": [ "268dd8c3801c9b6b1f81e584bc4eff218d1892c5" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 13:13:51 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 23 14:53:04 2022 +0000" }, "message": "m/n/c/cluster: add proper exponential backoff to Join\n\nChange-Id: I929ef0552912d1f765cbea7d2e0fb19561d2198c\nReviewed-on: https://review.monogon.dev/c/monogon/+/790\nTested-by: Jenkins CI\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "268dd8c3801c9b6b1f81e584bc4eff218d1892c5", "tree": "88dd3913948b0af276a983f1d5f24b96640c3407", "parents": [ "003a3b0aa43141f3db9b91e7f1c3612ce188b30c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 12:50:44 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Jun 23 14:52:15 2022 +0000" }, "message": "m/n/c/curator: add CuratorLocal.GetCurrentLeader\n\nThis adds a service (CuratorLocal) which runs on both leader and\nfollower curators. It has one RPC, GetCurrentLeader, which returns\ninformation about the leader election status from the point of view of\nthe callee.\n\nWe add a test to make sure the current leader returns correct data, but\nwe don\u0027t yet have a test for a follower (that would require a\nsignificant test harness). In an upcoming CL we\u0027ll be exercising this in\nan end-to-end test, however.\n\nChange-Id: I4dea780953bdc196bbc5a744f49ee688327c3269\nReviewed-on: https://review.monogon.dev/c/monogon/+/784\nTested-by: Jenkins CI\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "003a3b0aa43141f3db9b91e7f1c3612ce188b30c", "tree": "9f782dadbe310de04ea339c7b6cd7f72415a6d29", "parents": [ "50f5ec7d1687bef93be3edcef2132b48335b7b9a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 12:58:24 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 14:35:24 2022 +0000" }, "message": "m/n/c/rpc: allow authenticated connections to unauthenticated endpoints\n\nThis allows authenticated clients to use whatever channel they already\nhave (ie., an already authenticated one) to perform connections to\nendpoints marked as \u0027unauthenticated\u0027.\n\nChange-Id: I6d10f145aa0cc9e2f37068ac7ec5f9ef37fe8303\nReviewed-on: https://review.monogon.dev/c/monogon/+/783\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "50f5ec7d1687bef93be3edcef2132b48335b7b9a", "tree": "74622e6db3ff32e950dc5f3dc809541fa3444d2d", "parents": [ "949e4253da78a9c1cdb945b6c4be48f703ab4192" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Jun 21 14:16:56 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 12:42:13 2022 +0000" }, "message": "m/n/c/consensus: close CRL watcher\n\nChange-Id: I3f5702822f69a05a30bdcd8e5502dfa03ed22cbb\nReviewed-on: https://review.monogon.dev/c/monogon/+/782\nTested-by: Jenkins CI\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "949e4253da78a9c1cdb945b6c4be48f703ab4192", "tree": "ff909756ac9c19231859bcf2a4ff8b8fa8225c6b", "parents": [ "3e5e580d97747b2e7273397515c277887f0a2dd0" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Jun 21 13:52:05 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 11:46:16 2022 +0000" }, "message": "m/node: fix etcd join data assigned to first node\n\nWe accidentall populated the node\u0027s etcd role with curator/node\ncertificates instead of etcd certificates. We fix this, also moving out\nthe EnableConsensusMember call to the roleserver, putting it next to\nEnableKubernetesWorker.\n\nChange-Id: I2a9bce889a2fda032798e370be06cdc2c5078ac9\nReviewed-on: https://review.monogon.dev/c/monogon/+/780\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "5e9cb57fea22628d21ce9d2cceee0cc4113564b1", "tree": "dee8deda66583a1ca9232ed32221bcebe00debc7", "parents": [ "78cefcafa315af20d9f603fefd1423fe7bab7483" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon May 16 15:54:50 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 22 09:01:00 2022 +0000" }, "message": "m/n/c/rpc: replace SetupExternalGRPC with an option generator\n\nThis is one step closer to making interactions with gRPC not magic.\nWe\u0027ve done a similar cleanup on the client side, now we do it on server\nside too.\n\nChange-Id: I6b7d7767044db47ab6b0660fd985723a91607f71\nReviewed-on: https://review.monogon.dev/c/monogon/+/687\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "78cefcafa315af20d9f603fefd1423fe7bab7483", "tree": "b5d8ab0ce4652e30ace81c0cedf64b847260612d", "parents": [ "4025c9bf83aa038c8858c82bc80bd65acecd7210" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Jun 20 12:59:55 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 21 11:44:25 2022 +0000" }, "message": "m/n/kubernetes: factor out cluster domain\n\nThis removes the hardcoded Kubernetes cluster domain and pushes it out\nto a single place at the root of the Kubernetes supervisor tree.\nThis will later be aligned with the cluster domain specified in the\nidentity design document, currently this does not change any behavior.\n\nIt also removes a bogous SAN from the Kubernetes API server certificate\n(kubernetes.default.svc.cluster) for which there is no corresponding\nsearch path.\n\nChange-Id: I30b8907a7b846415f5002c09a24d2d37930a9cd1\nReviewed-on: https://review.monogon.dev/c/monogon/+/773\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "4025c9bf83aa038c8858c82bc80bd65acecd7210", "tree": "85fa8d59380e18566a2b13ab27add626c259fb73", "parents": [ "2175ec96b7cb0c70820ea99f304d4f437aeb620c" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 16 16:12:53 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 21 11:44:10 2022 +0000" }, "message": "m/node: refactor panic handling\n\nThis change significantly changes how we handle panics and runtime\nerrors in our core process. The explicit panic handler is gone and has\nbeen replaced by a file storing the panic persistently and\nthe informational message has been moved out to minit.\nThe runtime log file is stored on the ESP to allow for debugging if the\nnode crashes before unlocking and gets reset every boot. It also dumps\nits previous state into the logtree to allow administrators to look into\nthese errors without launching another OS to dump the file.\n\nChange-Id: I3503eeced2da0bbcb6301a6c39e502bbb9afa827\nReviewed-on: https://review.monogon.dev/c/monogon/+/772\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "2175ec96b7cb0c70820ea99f304d4f437aeb620c", "tree": "0999642c67de8cde0cb1ab7e528f224cc9371581", "parents": [ "bb2edbe8a69a04b0d72c5a565bdead5040959125" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Jun 13 09:29:09 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue Jun 21 11:19:47 2022 +0000" }, "message": "m/p/api: rename Node.HeartbeatTimestamp\n\nNode.HeartbeatTimestamp was renamed to Node.TimeSinceHeartbeat to\nbetter reflect the nature of its contents.\n\nChange-Id: Icef000cf7493a06f7b3aabfc2aba57b380433887\nReviewed-on: https://review.monogon.dev/c/monogon/+/765\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "bb2edbe8a69a04b0d72c5a565bdead5040959125", "tree": "3d9286bd95757222431a279db7e9fcb1b6238dfb", "parents": [ "83e8b6c897aaabb4230ae73a28bba0ed0aca039c" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Wed Jun 08 11:57:09 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue Jun 21 11:19:32 2022 +0000" }, "message": "m/n/c/curator: add Management.UpdateNodeRoles\n\nThis provides an API for node role adjustments.\n\nWhile changes to KubernetesWorker role are registered, not all side\neffects are accounted for as of now. Specifically, disabling this role\nwithin a node won\u0027t lead to its removal from the Kubernetes cluster.\n\nChange-Id: Ie8e65990108b8cf82afecf3374f40f2e857fa776\nReviewed-on: https://review.monogon.dev/c/monogon/+/767\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "83e8b6c897aaabb4230ae73a28bba0ed0aca039c", "tree": "03d2ff42dee689b5c735ce97a5cd13821c389c29", "parents": [ "100e22fac40295424b76fcae5a05eddf0f25d345" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Jun 20 17:26:10 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 21 11:18:07 2022 +0000" }, "message": "m/n/core: retry node joining call indefinitely\n\nThis causes nodes to get stuck if anything on the network side is not\nworking perfectly. Additionally this races the network runnable itself,\nmaking this even more likely.\n\nBug: 128\nChange-Id: I8c6847d6fb22a4527ca58def02cd5e994bd3dfff\nReviewed-on: https://review.monogon.dev/c/monogon/+/777\nTested-by: Jenkins CI\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "100e22fac40295424b76fcae5a05eddf0f25d345", "tree": "d9bc91fef41712260e7715395aa2b1463800d1b4", "parents": [ "05e420db50f6d01a9214957dc9e8ac32316525ab" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Jun 20 14:23:57 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 21 11:17:34 2022 +0000" }, "message": "m/n/core: fix pstore runnable\n\nMake it first signal healthy, then done. Otherwise it seems to panic\nsometimes. Also move all signalling code to the end of the runnable.\n\nChange-Id: I4911f94aafbd324a49f7ff5af9904a778ddb8dce\nReviewed-on: https://review.monogon.dev/c/monogon/+/774\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "05e420db50f6d01a9214957dc9e8ac32316525ab", "tree": "fc718a60ac46c9be63f5f199af578109c3113fd9", "parents": [ "955e46e2e6cca29481b61c7303b1dd9746309bf7" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Jun 13 14:26:08 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Thu Jun 16 11:41:33 2022 +0000" }, "message": "m/n/curator: return complete roleset from GetNodes\n\nThis fixes the issue of Management.GetNodes not returning information on\nConsensusMember role.\n\nChange-Id: I5dbe91d55d07fb29b075842a7937f97d3e8011b2\nReviewed-on: https://review.monogon.dev/c/monogon/+/766\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "955e46e2e6cca29481b61c7303b1dd9746309bf7", "tree": "7cea2df4b72c9b04eaeffd6d9e10570be096027a", "parents": [ "1b2df233817ae3dd09ff33ad18d319a50be10584" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri May 27 18:00:50 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Thu Jun 16 11:41:27 2022 +0000" }, "message": "m/n/c/curator: add result filtering to GetNodes\n\nThis introduces result filtering to management.GetNodes Curator API\ncall. GetNodesRequest payload was modified to contain an optional CEL\nexpression. GetNodes will return only node protobuf messages for which\nthe expression evaluates to boolean truth. GetNodes behavior remains\nunchanged for empty expression strings, returning all nodes.\n\nSee: https://github.com/google/cel-go\nhttps: //github.com/google/cel-spec\nChange-Id: Ibdd847c73d305de22b7df496c401e9bc37f9f0bc\nReviewed-on: https://review.monogon.dev/c/monogon/+/768\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "1b2df233817ae3dd09ff33ad18d319a50be10584", "tree": "380e12519010691e7f701d71b171225a9c853e15", "parents": [ "f8da2e7dfbcbb144ee894875e46c44a525e57c5c" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 14 12:42:03 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 16 09:59:11 2022 +0000" }, "message": "m/n/core: add pstore handling\n\nAdds a one-shot runnable which dumps all kmsg dumps to the system log\nand then clears the pstore. This makes sure that there is always space\nfor new pstore entries and gives administrators the option of reading\ncrash logs without booting another operating system. It also helps some\nbroken EFI firmware to not fail to boot.\n\nChange-Id: Icbf30c0a0898e0e660910a80637d544f022a97cd\nReviewed-on: https://review.monogon.dev/c/monogon/+/770\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "32b192929c34e408bec6286de471313a4cfce5e2", "tree": "5a05f888581a3749ede7f09340119171422150e2", "parents": [ "08cb464d60f859ad029a52abe161cae02a0bf405" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue May 17 13:26:55 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri May 27 10:24:27 2022 +0000" }, "message": "m/n/core: implement node heartbeats\n\nThis change introduces cluster member node health monitoring by\nimplementing a bidirectional RPC stream the nodes will periodically\nsend their heartbeat updates through. Management.GetNodes call was\nmodified to include the new node health information.\n\nRelevant data available through the management API is non-persistent,\nand stored within current Curator leader\u0027s local state. As such, it\nwill become briefly unavailable in an event of leader re-election. The\ninformation returned, however, is guaranteed to be correct.\n\nChange-Id: I916ac48f496941a7decc09d672ecf72a914b0d88\nReviewed-on: https://review.monogon.dev/c/monogon/+/694\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "619029b4ec9b2908baf8f873b34ba4800738f12d", "tree": "f78827c3603694eb93e6b6499b26cf0811ee370b", "parents": [ "ad10ecea0bf387c0093c7cb8ed7b873ccd039896" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Thu May 05 17:18:26 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Wed May 25 14:52:03 2022 +0000" }, "message": "m/n/c/consensus: fix a typo\n\nThis thing might bite someday.\n\nChange-Id: I093d30c2f6511f36595f71d6862113fadf211280\nReviewed-on: https://review.monogon.dev/c/monogon/+/677\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "2d91aa323b5cb576b3c7749eedb91058be1f8f57", "tree": "1d4a2a79f2f63cca28614df7f37fd044fd0844da", "parents": [ "b354453656f82d0a38b3f2ed0d1ebf843c14d922" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 25 13:29:31 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue May 24 15:31:27 2022 +0000" }, "message": "curator: remove dispatch system\n\nThis vastly simplifies the curator by removing the dispatch and per-RPC\nswitch logic, instead replacing it with the gRPC server stopping\nwhenever the leadership status of a curator switches.\n\nThe downside is technically the possibility of some \u0027stale\u0027 RPC\nhandling, where a leader/follower accepts some new RPC even though it\u0027s\nin the process of switching its leadership.\n\nThe rationale for this change is:\n\n 1. Leadership-exclusive actions are guarded by the etcd leadership\n lock being held, so there\u0027s no chance a long pending RPC to a\n leader that just stepped down will cause split brain scenarios.\n\n 2. We\u0027re moving away from follower proxying, and followers will\n instead just serve a \u0027who\u0027s the leader\u0027 RPC. These are okay to\n serve stale data (ie. when the contacted follower should\u0027ve\n switched to be a leader, or a follower of another leader), as\n during leadership failover we expect clients to perform retry\n loops until a new leadership connection is established.\n\nAnother downside (or perhaps upside) is that we don\u0027t start the listener\nuntil we\u0027re ready to serve data, either the full API as a leader or a\nreduced API as a follower. The downside is that clients will have to\nretry connections until the leader is running, and that it might be\ndifficult to tell apart a node which isn\u0027t yet running the curator from\na broken node, or one that will not run the curator at all. On the other\nhand, succesfully establishing a connections means that we are sure to\nget a gRPC response instead of a hang because the curator isn\u0027t yet ready\nto serve.\n\nChange-Id: I2ec35f00bce72f0f337e8e25e8c71f5265a7d8bb\nReviewed-on: https://review.monogon.dev/c/monogon/+/685\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "b354453656f82d0a38b3f2ed0d1ebf843c14d922", "tree": "7e6eb4938857ff9351af6ca8cd9356b1244ec5ff", "parents": [ "defff5220d4ed1123a85cf41300eeeeb558b7cc6" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon May 16 16:44:43 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue May 24 15:31:24 2022 +0000" }, "message": "m/n/c/localstorage: fix import grouping\n\nChange-Id: I963b4eeddbdd1a11f62d06e230462b08057fbeb2\nReviewed-on: https://review.monogon.dev/c/monogon/+/686\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "defff5220d4ed1123a85cf41300eeeeb558b7cc6", "tree": "9082dd3faaa58a3e219be579b0c7c6138b434b53", "parents": [ "a81096f56a337b5709e7cc692e89cb0e55e45708" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon May 16 17:28:16 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue May 24 15:31:20 2022 +0000" }, "message": "metropolis: fix tests using etcd\n\nEver since we bumped etcd, we have started calling\nintegration.BeforeTest. The correct call is BeforeTestExternal,\notherwise some internal-etcd-integration-test logic is invoked, which\nseems to break test error calls (!) in some cases (probably goroutine\nleak detection, which is enabled by default when using BeforeTest -\nwhich we don\u0027t care about, as we don\u0027t [yet] expect our tests to be fully\nclean).\n\nWe also have to modify the harnesses used by curator tests to\nsynchronously terminate the cluster on each test end. Otherwise, etcd\nwill fail due to conflicts on domain sockets on which test members\nlisten. Unfortunately, there doesn\u0027t seem to be an easy way to run each\ncluster/test in a totally separate, non-conflicting socket setup.\n\nChange-Id: I2fb1332edb35349b66af131684feb378ae3a13ee\nReviewed-on: https://review.monogon.dev/c/monogon/+/688\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "e11ffb67bab34f1faa439b13aeb2630d86714441", "tree": "9cc70a9f0f754a43bfbd2249ac298b82439a544b", "parents": [ "c7b40912c5f5acfc1a72f3838395acf32d311d6e" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed May 04 17:36:01 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed May 04 17:49:54 2022 +0000" }, "message": "m/n/c/s/crypt: enable fast inline data path\n\nNot using workqueues for de/encryption skips a lot of expensive context\nswitching that needs to be done for each IO operation.\n\nAlso see https://blog.cloudflare.com/speeding-up-linux-disk-encryption/\nfor more details on what these do.\n\nChange-Id: I3adc9b26e297b69bde6f01e1691c06f3b2c235b4\nReviewed-on: https://review.monogon.dev/c/monogon/+/672\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "c7b40912c5f5acfc1a72f3838395acf32d311d6e", "tree": "60436dae38be108a01f0160d29981d8e76c70774", "parents": [ "b30a41d6fea59cc6658192ad3866f6838d4e3fb7" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue May 03 14:32:53 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed May 04 12:56:17 2022 +0000" }, "message": "m/n/c/localstorage: fix synchronous mounting flag\n\nAs it turns out, MS_SYNC is not actually a mount(2) flag anymore,\nonly MS_SYNCHRONOUS is.\n\nChange-Id: I4d2adbdf1a335b35a6c1e5d3725ee5451f6b5339\nReviewed-on: https://review.monogon.dev/c/monogon/+/671\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "b30a41d6fea59cc6658192ad3866f6838d4e3fb7", "tree": "aefa32aba26eab3fadc77227a765300fe4c0d577", "parents": [ "de82150a3be691178d8113e50c65e052b6739e19" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri Apr 29 17:14:50 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue May 03 12:11:19 2022 +0000" }, "message": "m/n/core: automatically update ClusterDirectory\n\nThis extends the hostsfile service to also update ClusterDirectory\nwhenever cluster member address information is received.\n\nChange-Id: I30dcd15ba4a59f13e48501ff1032c189e2e961af\nReviewed-on: https://review.monogon.dev/c/monogon/+/662\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "de82150a3be691178d8113e50c65e052b6739e19", "tree": "945df1463e04b093a472979a4f23c2d9aaa87ec3", "parents": [ "0246f5eb3a48f8a521ab20d776b923fcf0af6e1c" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri Apr 29 16:37:17 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue May 03 12:11:19 2022 +0000" }, "message": "m/n/c/cluster: sanitize ClusterDirectory\n\nThis change enforces the suggested ClusterDirectory usage described in\nmetropolis/proto/common/common.proto.\n\nSee also: https://review.monogon.dev/c/monogon/+/662\n\nChange-Id: If00edcc078b6dccc80990fc95e9a1c87d945d74e\nReviewed-on: https://review.monogon.dev/c/monogon/+/669\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "2930e9966deca2ebcb9b497d4d133ffb6258ed87", "tree": "f992bedb41005e2430ae768e83ef8d62c51298ae", "parents": [ "312a2274d58020ef8afdc6f83d9c4e76ce8c59c2" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Apr 25 12:52:35 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue May 03 12:11:19 2022 +0000" }, "message": "m/n/c/{cluster,roleserve}: implement Join Flow\n\nThis implements Join Flow for:\n- Registered nodes attempting to re-join the cluster.\n- Nodes bootstrapping the cluster.\n\nSee: Cluster Lifecycle and Integrity design document\n\nChange-Id: I74ab98fdec650c4f6aa59e34a16c0f95745dc0e9\nReviewed-on: https://review.monogon.dev/c/monogon/+/556\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "312a2274d58020ef8afdc6f83d9c4e76ce8c59c2", "tree": "441801586699b496e7b682f463fc983f3c25355a", "parents": [ "336a96c770c72d4671901d631d5bd93c87780c12" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Apr 25 12:03:58 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue May 03 12:11:19 2022 +0000" }, "message": "m/n/c/curator: implement Join Flow\n\nThis implements Join Flow in Curator, as described in Cluster Lifecycle\nand Integrity design document.\n\nChange-Id: Idabb471575e1d22a7eb7cce2ad29d18f1f94760a\nReviewed-on: https://review.monogon.dev/c/monogon/+/667\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "336a96c770c72d4671901d631d5bd93c87780c12", "tree": "1cf05d9300f7ea3451ac2910b029cd87cea04e3a", "parents": [ "898125b5d04bf820b50541c0290d1a1801de2ea4" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri Apr 15 13:29:15 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue Apr 26 11:07:26 2022 +0000" }, "message": "m/n/c/localstorage: add ClusterDirectory to ESP\n\nThis defines ESPClusterDirectory within localstorage, the presence of\nwhich is required by the upcoming Join Flow implementation.\n\nChange-Id: I6b5b4bf9f3a74f11c9d455581a1ad83d1bd86a96\nReviewed-on: https://review.monogon.dev/c/monogon/+/661\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "83a28c93a0e48f500db619492f24f96938cb9b00", "tree": "8ff1b1d60577d5dc52ff455b0862b854a467734b", "parents": [ "832bc77f0f0530059dd66b59cfd8a000b59b6251" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Apr 19 13:59:38 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Apr 22 12:36:22 2022 +0000" }, "message": "m/node: minit: fix logging\n\nThis makes minit log into the same console devices as the Go core\nitself.\n\nChange-Id: I4fedd92d6f86ac224759a67ffd9704ece552b73c\nReviewed-on: https://review.monogon.dev/c/monogon/+/660\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "fdc3a2473e4ebfd77db342252e1088882e01b2d6", "tree": "addfe894acce55d3088764cc49a6c1c3cee55573", "parents": [ "33ce3bcd5c4791cb66a3020b7792829c534c97c6" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 06 15:56:38 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Apr 19 08:01:17 2022 +0000" }, "message": "third_party/go: fix `go mod tidy`\n\nThis makes our root repository somewhat more gomod-compliant, to the\npoint where we can run `go mod tidy` to manage dependencies.\n\nThe generated placeholder files turn their parent paths into enough of a\nGo package that the go tooling is appeased, but they are ignored by\nGazelle.\n\nIdeally, we will generate these placeholders automatically before\nrunning `go mod tidy` and gitignore them, but this will do as a first\npass.\n\nWe also remove some unused dependencies which got caught by `go mod\ntidy`.\n\nChange-Id: I81e7e92a45f22c8ef9c92207f67a5bd6cc773da5\nReviewed-on: https://review.monogon.dev/c/monogon/+/652\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "33ce3bcd5c4791cb66a3020b7792829c534c97c6", "tree": "a968a2aeae9e96c84c6260fcbd22e12063dc1ef2", "parents": [ "ee4bfdb9c59848d618975f24746c78b418e9aebc" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Mar 11 11:57:48 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 06 17:28:21 2022 +0000" }, "message": "m/n/core/rpc: add ClusterResolver\n\nThis is a first-pass implementation of a baseline, functioning, but not\nfully featured gRPC resolver builder that connects to a given Metropolis\ncluster based on just a single functioning node.\n\nThis is planned to be extended to be aware of node health, and possibly\ncurator leadership. It will then replace the main roleserver client and\nallow metroctl to connect to a cluster given just a single node.\n\nChange-Id: I8321a6ce19bdaead35b5f266dd9774ce1b78f075\nReviewed-on: https://review.monogon.dev/c/monogon/+/637\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d13c1c64387ca9a83bb832a3faa5c4b07268d265", "tree": "0c0f534db4726e4400486aad25235e8c573d455e", "parents": [ "79a1a8f9dd49afe8e0a2364c4586b8f39525b204" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Mar 30 19:58:58 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Apr 05 10:35:29 2022 +0000" }, "message": "treewide: switch to gomod and bump everything\n\nThis switches version resolution from fietsje to gomod and updates\nall Go dependencies. It also bumps rules_go (required by gVisor) and\nswitches the Gazelle naming convention from go_default_xxx to the\nstandard Bazel convention of the default target having the package\nname.\n\nSince Kubernetes dropped upstream Bazel support and doesn\u0027t check in\nall generated files I manually pregenerated the OpenAPI spec. This\nshould be fixed, but because of the already-huge scope of this CL\nand the rebase complexity this is not in here.\n\nChange-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833\nReviewed-on: https://review.monogon.dev/c/monogon/+/639\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "399ce5537c9d74b2335add19dcb6a4043d9468b5", "tree": "a7e086c69c69f8745ca123764c6929e090e0d80b", "parents": [ "0ea448a92ad342bcb0ecb05a2aa9652ebe48b62a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 29 12:52:42 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 30 15:50:59 2022 +0000" }, "message": "m/n/core/rpc: provide lower-level gRPC dialing constructs\n\nThis replaces the 2x2 cartesian product of ready-made dialing functions\n(New{Authenticated,Ephemeral}Client{Test,}) with plain gRPC Dial\nOptions.\n\nThis is partially to reduce the magical aspect of the RPC library (after\nall, we are just using gRPC here, no need for these wrappers), but\nmostly in preparation for having another dimension added: dynamic\ncluster resolving, which will also be just provided as a Dial Option.\n\nChange-Id: Id051ca5204e4b44afcc10164f376ccf08af46120\nReviewed-on: https://review.monogon.dev/c/monogon/+/640\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "f3c4b42225fb7340e12cc74f9afc2ecc241e4304", "tree": "b4d570c6a64df0444216c62903445880f0ce915b", "parents": [ "58cf3bca19e0d04a5dda6ad32a72459bb03df3cf" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 10 00:37:57 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 15 12:50:10 2022 +0000" }, "message": "m/n/core/rpc: remove leftover local/external listener abstractions\n\nThis continues cleanup work after review.monogon.dev/624.\n\nChange-Id: Ic38f4547627d382a4405cf4b3336aa7cac80849b\nReviewed-on: https://review.monogon.dev/c/monogon/+/629\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "58cf3bca19e0d04a5dda6ad32a72459bb03df3cf", "tree": "5c11fb1f25eae37790ef870b1b937bfe6302674b", "parents": [ "ec19b60842e905a4400e5f8b46b783a54d0a025a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 09 20:33:36 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Mar 11 11:40:50 2022 +0000" }, "message": "m/n/core: remove local listener from curator\n\nWhile working on a client library to access a cluster reliably, a\nthought popped into my head:\n\nDo we even need to run the local (UNIX domain socket) listener in the\nCurator?\n\nAnd, after checking all code paths, to my surprise... no, not really.\nWhy did we ever do it? Perhaps because we started differently structured\ncluster bootstrap codebase that caused it to be a hard requirement. Or\nmaybe it was just a momentary lapse of reason. Regardless, with the\ncurrent codebase, it makes no sense: we always have Node credentials\navailable, and we run the Curator on all network interfaces. So why not\njust connect over loopback and use TLS?\n\nHere are some of the benefits of removing the local listener:\n\nIt removes a whole bunch of code, and pulling at a few more threads in\nthe Curator and RPC codebases will probably let us remove quite a bit\nmore now unused abstractions.\n\nIt leads to a more secure product, as we have one less privilege domain\nsocket to worry about (although we still have the etcd one... but that\u0027s\na whole different can of worms).\n\nAnd most importantly, it paves the way for a vastly simplified cluster\nclient - one in which the transport is the same regardless of whether we\nconnect to a local or remote curator. This should let us use bog\nstandard gRPC load balancing / resolving extensions to reach the Curator\nin an idiomatic and robust way.\n\nChange-Id: I1fe9b04ba3b5f4e001050c25aec61a761077492f\nReviewed-on: https://review.monogon.dev/c/monogon/+/624\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "0e22b1a41b028693e0e69db22cc8b708b09070f0", "tree": "e191f9275622f25b9d671abffe74f7f35d1724f8", "parents": [ "d348fd1c66194c0fff46e39a16131a7bd0e45707" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Feb 14 15:00:55 2022 +0100" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Mon Mar 07 13:41:55 2022 +0000" }, "message": "m/n/core: save NUK and Node Credentials\n\nThis makes the node save its Node Unlock Key and Node Credentials after\nregistering.\n\nChange-Id: Ie16e8fd149745e22a2c02e56ccf3c2d87d052079\nReviewed-on: https://review.monogon.dev/c/monogon/+/537\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "b6aa3f7a4bb57fa3d29c846fcfcc6c0d267ae8b7", "tree": "6a5ddca18251baf74ba5a0734bd86fd54ab89def", "parents": [ "f099c09760ea9b860b87776b8386f8c29a164fea" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Mar 01 20:28:54 2022 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Mar 03 11:39:00 2022 +0000" }, "message": "m/n/core: print scary warning message when running debug build\n\nThis is to make users aware that debug builds of Metropolis provide\nabsolutely no security and should never be used if not debugging.\n\nChange-Id: I64cbe6d77ba40b9539abb5e946fa3231658eec21\nReviewed-on: https://review.monogon.dev/c/monogon/+/553\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "ac82c0d984cd23b4b35163b223c9ed0001df8f55", "tree": "8f89e032104961783859b32a5c3525cda48b638a", "parents": [ "6dff6d6a57b999eb91f1b9cf956e2ebc18c2defd" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Mar 01 13:32:45 2022 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Mar 01 19:23:13 2022 +0000" }, "message": "m/n/core: only run debug service in debug build\n\nThis excludes the debug service from non-debug builds as it exposes a\nbunch of unauthenticated interfaces for debugging to the world.\nThe Kubernetes tests were the last user of this service but getting\nKubernetes credentials is now handled by an authenticated production\nservice (the authproxy).\nSome parts of the debug service functionality, namely GetLogs will also\nbe needed outside of debug builds, but nothing depends on its\navailability so we can do this right away.\n\nChange-Id: I5ba3d2853c69ae295d6224b359b36c160b58c430\nReviewed-on: https://review.monogon.dev/c/monogon/+/552\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "6dff6d6a57b999eb91f1b9cf956e2ebc18c2defd", "tree": "4db4fa350e81b0fc52db7cf81f4c620114b28d18", "parents": [ "636032e843efcdef0716ed9956f40642d07b8d4c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Jan 28 18:15:14 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Feb 23 16:15:54 2022 +0000" }, "message": "m/n/roleserve: reactive service management\n\nBottom line up first: this starts etcd, the curator and Kubernetes on\nnodes that register into the cluster. Effectively, this is multi-node\nsupport.\n\nThis significantly refactors the node roleserver to start both the\ncontrol plane and Kubernetes on demand, based on roles assigned by the\ncluster (or due to bootstrapping a new cluster). Most importantly, we\npretty much remove all cluster-bootstrapping code from the node startup\nprocess, thereby making the first node and any subsequent nodes not go\nthrough different codepaths.\n\nIn addition, access to the cluster Curators is now also mediated via\nthe roleserver, which is the component aware whether the node code\nshould connect to the local curator (if the control plane is running) or\nto remote curators (if the control plane is not [yet] running).\n\nThis implementation is a bit verbose as we make heavy use of untyped\nEvent Values, and we add quite a few lines repeated of code to combine\ndata from different values into something that a goroutine can wait on.\nOnce Go 1.18 lands we should be able to make this code much nicer.\n\nThere\u0027s still a few things that need to be implemented for all flows to\nbe working fully (notably, we can end up with stale curator clients,\ncurator clients are not load balanced across multiple curators, and\ncluster directories for connecting to the curator do not get updated\nafter startup). However, these are all features that we should be able\nto easily implement once this lands.\n\nCurrently this is only covered by the e2e test. The individual workers\nwithin roleserver should be able to be independently tested, and this is\nsomething I plan on doing very soon as another change on top, while this\none is being reviewed.\n\nWith time, the two large startup components (the cluster \"enrolment\"\nmanager and the roleserver) have slightly lost their original purpose\nand their names aren\u0027t exactly fitting anymore. I might rename them in\nan upcoming change, if anyone has any good naming ideas I\u0027m all ears :).\n\nChange-Id: Iaf0fc9f6fdd2122e6aae19607be1648382063e66\nReviewed-on: https://review.monogon.dev/c/monogon/+/532\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "636032e843efcdef0716ed9956f40642d07b8d4c", "tree": "9499a197eec2483636b1fc940d8b7e78d3a29161", "parents": [ "5839e97231f31fac6730a1d553fe7114d37a1521" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jan 26 14:21:33 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Feb 23 16:15:54 2022 +0000" }, "message": "m/test/launch: fail ROC on non-UNAVAILABLE errors\n\nThis makes RetrieveOwnerKeys fail fast in tests if some non-transient\n(ie. non-UNAVAILABLE) error is encountered. I hit this while developing\nsomething around the codebase and it took me way too long to figure out\nwhy the e2e test was stalling.\n\nThis really begs doing a pass on all retry loops to make sure we don\u0027t\nget stuck like this. Perhaps we should formalize this, too.\n\nChange-Id: I048f5ac79802330f789e67ba316bc38f04d83331\nReviewed-on: https://review.monogon.dev/c/monogon/+/531\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "5839e97231f31fac6730a1d553fe7114d37a1521", "tree": "9a3da7bf6f6546c527750bd8e5c101ecb3824740", "parents": [ "54c4f181c3195f4cc4e53aa5f8311ee161c75bbd" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Nov 16 15:46:19 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Feb 23 16:15:54 2022 +0000" }, "message": "m/n/core/{curator,cluster}: refactor against new Consensus API\n\nThis updates the Curator and the Cluster Manager to use the new\nConsensus API, notably to use JoinParameters and ServiceHandle.Watch.\n\nUsing JoinParameters end-to-end requires piping them through a node\u0027s\nroles. For this we create a new ConsensusMember role and replicate all\nthe data from JoinParameters there.\n\nWe also move a whole bunch of logic that used to live in the Cluster\nManager\u0027s Status object away from it. Instead, now the Consensus\nServiceHandle is exposed directly to downstream users, providing the\nsame functionality.\n\nChange-Id: I8cfa247011554553836019f60ea172dd6069f49c\nReviewed-on: https://review.monogon.dev/c/monogon/+/522\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "54c4f181c3195f4cc4e53aa5f8311ee161c75bbd", "tree": "63885ce4e8b7d2020731fe0a658250f0a9b9ce23", "parents": [ "5a637b05610cfa0ecc7bfb5a6875f6c5fa98da11" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Feb 18 13:20:13 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Feb 21 11:58:32 2022 +0000" }, "message": "m/n/c/rpc: trace authentication details\n\nThis slightly reworks the server interceptors to clearly log\nauthentication information and resulting PeerInfo, if any.\n\nChange-Id: I2114b0a6958dd79cf9e4c91f07e909650e1f6de6\nReviewed-on: https://review.monogon.dev/c/monogon/+/543\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "5a637b05610cfa0ecc7bfb5a6875f6c5fa98da11", "tree": "02db33e64d1574b71582b36c846d0d7bb79312a9", "parents": [ "fb0fb6db2a30038fecea4500ffd4281ad510c1d3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Feb 18 12:18:04 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Feb 21 11:58:32 2022 +0000" }, "message": "m/n/c/curator: inject Spans into RPCs, log events\n\nThis uses the new Span/Trace API in the RPC library to inject some spans\ninto all Curator RPC handlers, and converts a bunch of TODO: add logging\ncomments into Trace(ctx).Printf.\n\nChange-Id: Ie480fa7020246b60befa024e000f9e452daabe0c\nReviewed-on: https://review.monogon.dev/c/monogon/+/542\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "fb0fb6db2a30038fecea4500ffd4281ad510c1d3", "tree": "2d2e9a9457da5c50af1a30aa258e9c5d58ba8d15", "parents": [ "d9775a656cb709133407507b1e3a94793dd0ea49" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Feb 18 12:11:28 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Feb 21 11:58:32 2022 +0000" }, "message": "m/n/c/rpc: implement Span/Trace\n\nThis is a first pass at implementing basic support for\nDapper/OpenTracing/OpenTelemetry-style tracing within Metropolis RPCs.\n\nMore precisely, this implements an API to expose an RPC-local Span to\nRPC handlers (unary and streaming). These Spans are currently backed by\na logtree logger, and aren\u0027t processed further (ie. there\u0027s no support\nfor child spans and carrying span information over the wire when\nperforming remote calls from an active Span). However, this allows us to\nat least start emitting Span Events and use them for debugging purposes.\n\nSince we don\u0027t yet have OpenTelemetry in our GOPATH, we reimplement a\nminimum subset of the Span type that should still be compatible with\nreal OpenTelemetry types. Once OpenTelemetry lands in our GOPATH (by way\nof it landing in k8s, for example), we\u0027ll move over to using the real\ntype instead. Then, we can also begin integrating with OpenTelemetry\nproper, ie. start sending traces over to collectors, start\ninjecting/extracing span information over gRPC, etc.\n\nAnother change on top of this one actually uses the Trace(ctx)\nfunctionality within the curator - this is just the library\nimplementation.\n\nChange-Id: I85506303538aacc137a28828ab39ccfd9ff72924\nReviewed-on: https://review.monogon.dev/c/monogon/+/541\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "e803fc1e34e349ebdd61e174b0e63c1eeea98d5a", "tree": "5e76224defdb77441c1750029ab36665a99c2caa", "parents": [ "4c326027feb8b02f5ea0497cd6d2e9ac3956c70a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Jan 25 14:58:24 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Jan 26 10:10:45 2022 +0000" }, "message": "m/n/core: verbose logging to tty0 and ttyS0\n\nhttps://review.monogon.dev/517 broke console logging in Nodes, this\nre-enables it by explicitly logging to all available consoles instead of\njust using whatever we get as stderr.\n\nChange-Id: I3ffde421f1ac07492a1bc3293c31f934f602aefb\nReviewed-on: https://review.monogon.dev/c/monogon/+/523\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "87bf0bf46c83f3a59536f577171985b4fa1db1eb", "tree": "2d1e3dc9ba4346a3ee79fb7e70727b973ad2aab0", "parents": [ "73c3fc11b053505a50c29feee878eee0ee2608a2" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jan 13 14:27:36 2022 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jan 13 16:46:06 2022 +0000" }, "message": "m/n/core/network/dhcp4c: fix logic bug in DNSServers\n\nThis previously accepted all non-undefined (0.0.0.0) IPs as servers on\naccount of the `|| ip4Num !\u003d 0` in the condition. That\u0027s unnecessary\nanyways, so let\u0027s drop it.\nWhile we\u0027re in there I also changed the deduplicating map from a\nmap[uint32]struct{} to a map[uint32]bool, making the code a bit shorter.\n\nChange-Id: Ic15cb96217a300913ebc58580d4314a6449da923\nReviewed-on: https://review.monogon.dev/c/monogon/+/516\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "73c3fc11b053505a50c29feee878eee0ee2608a2", "tree": "848b4bcf51a81fdb6d5780e43ccb7329ce7ecd5c", "parents": [ "8b786897cc419483fa586fd620c3d725d7bd6a95" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jan 13 14:24:11 2022 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jan 13 16:46:06 2022 +0000" }, "message": "m/n/core/network: fix mistake in requested DHCP options\n\nThis previously requested NameServer (option 5), not DomainNameServer\n(option 6), which meant that on DHCP servers only returning explicitly-\nrequested options we got no DNS servers. While we\u0027re in there also add\nClasslessStaticRoutes to the requested options as a hint that we can now\nprocess that option.\n\nChange-Id: I738c33abbf572c2b7da4e36d4a6cae5b971c830c\nReviewed-on: https://review.monogon.dev/c/monogon/+/515\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "8b786897cc419483fa586fd620c3d725d7bd6a95", "tree": "1e4f582b8c2272b73970e4727171175320aeab7c", "parents": [ "57d06a7cfa461f367d4362ccecf4a2d66068a1f9" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jan 13 14:21:16 2022 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jan 13 16:46:06 2022 +0000" }, "message": "m/n/core: only warn if no TPM 2.0 has been found\n\nCurrently the TPM is basically unused. The only user is the generator of\nnode and cluster unlock keys, which get fed with both TPM and local entropy\nwhich marginally increases security.\nThis converts a missing TPM 2.0 into a warning and falls back to generating\nboth of those keys purely with Linux entropy, allowing Metropolis to boot\non hardware without a TPM 2.0.\n\nChange-Id: I910f9768ede554e5ec2c3a35079a6799d1ee9c8c\nReviewed-on: https://review.monogon.dev/c/monogon/+/514\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "1de8b1845e75dc1e020df21b997b2d6fc66fb65e", "tree": "4a41005b1931aa13c3ed4a1b0732de31482a6eb8", "parents": [ "367f759f54e59b24b55024c8070513f9f7e6f4c1" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Dec 21 17:15:18 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Dec 22 15:57:16 2021 +0000" }, "message": "m/node: pass node identity into k8s\n\nThis plumbs through the node identity to K8s as an identity.Node\nobject and gets rid of the os.Hostname invocation that passed around\nthis data out-of-band. It also changes everything in its path to use\nthe newer identity.Node object instead of a plain string so that the\nMetropolis Identity CA is more accessible.\n\nChange-Id: I6db8e1db7e333c0ea364aefd61c27bf50acc25f3\nReviewed-on: https://review.monogon.dev/c/monogon/+/505\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "f05e80af8721a0b0ccf5425c4775695d84d09fdf", "tree": "1f4f15962293b345b02ae66e588a9aad35ce2be3", "parents": [ "a9b455f2be1fb9dbda3217adb69bc0076113a814" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 12 11:53:34 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Dec 16 16:32:51 2021 +0000" }, "message": "m/n/core/consensus: refactor for reliability and multinode support\n\nThis implements a big refactor of our consensus service/runnable.\n\nFirst, we move away from the old bespoke API for retrieving the\nconsensus status (and consensus clients) into using Event Values, as the\nrest of the codebase does.\n\nSecond, we move away from the bespoke PKI library used to generate\ncertificates in-memory and then commit them to etcd into using the\nstandard metropolis pki library. We then change the bootstrap process to\nstart a PKI-less etcd instance first, generate the PKI data directly on\nthe running instance, and then restart into a fully PKI-supporting etcd\ninstance.\n\nWe also move away from using etcd-specific private keys into reusing the\nnode\u0027s private key. This makes management slightly easier, but reviewers\nshould consider the security implications of this change.\n\nFinally, we implement and test multi-member cluster support, which is\ndone by exposing an AddNode method to the newly exposed status, and a\nJoinCluster option in the node configuration.\n\nChange-Id: Iea2bf6114cb699d3792efd45d06de2fa5a48feb1\nReviewed-on: https://review.monogon.dev/c/monogon/+/466\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "fdb7322f8a9061c6c57c89ee1fb4b754589802e7", "tree": "4590b3e79ba54e670c46642be4bd6e689231b150", "parents": [ "6c35e97e7da34dd8497f4d40172ecf745448ad21" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 13 05:19:25 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Dec 16 11:57:45 2021 +0000" }, "message": "m/n/c/n/dhcp4c: support route configuration (including RFC 3442)\n\nThis implements support for configuring routes other than the default\nroute via our DHCP client. It extends the DHCP lease interface with a\nmethod to return canonicalized routes from a lease containing Router,\nStaticRoute or ClasslessStaticRouting options.\nIt also extends and renames the former ManageDefaultRoutes callback into\nManageRoutes and makes it use the new canonicalized routing data instead\nof just the default router.\n\nChange-Id: Ie6ec20d67c0e9cdfa6be088324b42e0d811e81e9\nReviewed-on: https://review.monogon.dev/c/monogon/+/482\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "6c35e97e7da34dd8497f4d40172ecf745448ad21", "tree": "17e023a1849f629a641c43eff27e4dfdc7a9c04a", "parents": [ "999e1db0130f148ac6e79e1acbb5ee68db1dcb64" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Dec 14 03:08:23 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Dec 14 11:27:13 2021 +0000" }, "message": "metropolis: align EFI partition layout\n\nThis moves non-EFI-related data inside the ESP from under the EFI\nsubdirectory to the root. The data moved is never accessed from EFI and\nthus shouldn\u0027t be under the EFI folder. This also aligns localstorage\nwith the new layout as previously it and osimage didn\u0027t agree on a\nspecific layout, indirectly breaking the installer.\n\nChange-Id: I36bdc9782e181dafab40aaa85cc0b4eaf2448f6e\nReviewed-on: https://review.monogon.dev/c/monogon/+/483\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "e78a08987e48aa5d9f77954886b7cc544f218638", "tree": "77d91020801cf19d2979db69495e40f3aeb889d5", "parents": [ "957c5b142abf8976c212ae013e6c36c4ff80f6c8" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Oct 07 17:03:49 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Dec 09 17:51:43 2021 +0000" }, "message": "m/n/c/cluster: implement register flow\n\nChange-Id: I197cbfa96d34c9912c7fc19710db25276e7440fc\nReviewed-on: https://review.monogon.dev/c/monogon/+/454\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "a554528f7b9658e283efae618eb474d9161e0be1", "tree": "443119f6281b390418a589b25864d8a0b99b72df", "parents": [ "612a0335e94100137d8d95cbaf43da328bfb2e80" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Sat Dec 04 23:29:44 2021 +0100" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Dec 08 19:29:07 2021 +0000" }, "message": "m/n/c/cluster: retrieve node parameters from GCP metadata\n\nThis allows configuration via GCP instance metadata.\n\nChange-Id: I56609019cef998aa779c5a602232767b920a9721\nReviewed-on: https://review.monogon.dev/c/monogon/+/462\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "764a2de7911a42d57720911332a12895f0aad707", "tree": "dd0e31cee8fb5c753a762462e9eb16f776c3ec73", "parents": [ "e65731049afb6fd49da80f064fa40a28c9d5741d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 22 16:26:36 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 22 20:39:51 2021 +0000" }, "message": "tree-wide: rewrite ioutil functions to their replacements\n\nThe ioutil package has been deprecated in Go 1.16 [1]. This CL removes\nall our own users of that package and rewrites them to use their\nreplacements in the os package. I initially wanted to do this with a\ngofix but because all replacements were signature-compatible I just\ndid it with a few string replaces and then ran goimports to fix up the\nimports.\n\nI intentionally didn\u0027t rewrite the patches as that would require a\ndifferent process and is IMO of less value.\n\n[1] https://github.com/golang/go/issues/42026\n\nChange-Id: Iac6663a1f1ee49f9b1c6e4b3d97e73f2c3b54a13\nReviewed-on: https://review.monogon.dev/c/monogon/+/449\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "a7d65e1e672f996746084afd679869518a4a2b42", "tree": "13d6955bd78a589b68297916d9215062d3c10323", "parents": [ "030a551eb6a6faa99aa184a243acffcf7c74323e" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Nov 18 17:29:49 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Nov 22 11:19:04 2021 +0000" }, "message": "m/n/c/curator: deflake leader election test\n\nThe check for proper leadership re-election was vulnerable to a race\nwhere it assumed optimistically that if a leader got re-elected, other\nnodes would have already established them as followers. This isn\u0027t\nalways the case, so we re-work the check to instead be a wait-until\nconstruct.\n\nChange-Id: I6326dad9a88f7b1ba61c218e37a73e868d722506\nReviewed-on: https://review.monogon.dev/c/monogon/+/448\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "030a551eb6a6faa99aa184a243acffcf7c74323e", "tree": "9e83f1af010b51383a69795a6143f1071d148d09", "parents": [ "cb1e4da5b3c1d2d5efa6a4495af40f8fc50c72ad" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Nov 18 16:39:39 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Nov 22 11:18:43 2021 +0000" }, "message": "m/n/c/curator: factor out node{Load,Save}\n\nThis removes some duplicated logic between RPC implementations.\n\nChange-Id: I3683ba11635a53f792def4d8dabddc09776ab427\nReviewed-on: https://review.monogon.dev/c/monogon/+/447\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "cb1e4da5b3c1d2d5efa6a4495af40f8fc50c72ad", "tree": "39b896bb35e4a4e55a03e8cff431018b8390737d", "parents": [ "1612d4b51f74e439d1efb4b8957d440d148035b7" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Nov 11 16:42:52 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Nov 22 11:18:43 2021 +0000" }, "message": "m/n/c/curator: implement Curator.CommitNode\n\nThis takes a node from STANDBY to UP. This is the last step required in\na node\u0027s registration flow.\n\nChange-Id: I6806e84abb862088335a76c42738db43aec75c62\nReviewed-on: https://review.monogon.dev/c/monogon/+/443\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "1612d4b51f74e439d1efb4b8957d440d148035b7", "tree": "c69d3d08b638ed54ef938a97166893e7b9779cf5", "parents": [ "5b60e581bdc1cd420a281e3a110367e310337850" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Nov 12 13:54:15 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Nov 22 11:18:43 2021 +0000" }, "message": "m/n/c/curator: implement Management.ApproveNode\n\nThis takes a node from NEW to STANDBY. This is the second-to-last\nstep requires in a node\u0027s regsitration flow.\n\nChange-Id: I88f9c7d2cd824c7d3182195b784a725ec9528d28\nReviewed-on: https://review.monogon.dev/c/monogon/+/442\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "5611447f05c85eb5d0b7f7c5865911b1d560ef66", "tree": "19274d1fae7747027ad2758d3027f0e09b9c599e", "parents": [ "6cefe518de0b964db90c1b10d57b8be47aa4448e" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 11 14:47:54 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Nov 18 15:40:45 2021 +0000" }, "message": "m/n/c/curator: implement Management.GetNodes\n\nThis is a management call that provides detailed per-node details.\nCurrently it returns all information about all nodes, but can be then\nextended to allow filtering and selective/masked field retrieval.\n\nThis call is then used to implement a test which exercises\nCurator.NodeRegister and GetNodes.\n\nChange-Id: Ia093d9f03a4213b01acbb0fdac9714d8e7b02dd3\nReviewed-on: https://review.monogon.dev/c/monogon/+/434\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "fbd38e280916f0883263cf0b566984d3fea4ff39", "tree": "44abb583a39606b61940523e873af4d92a787be4", "parents": [ "579015afff6be9d6c87c867b0645f254b9aeb2d8" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Oct 08 14:41:16 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Nov 18 13:01:16 2021 +0000" }, "message": "m/proto: switch from CA pubkey to CA certificate in ClusterDirectory/Register\n\nA CA certificate is a strict superset of the public key, and using it\ninstead of a public key allows us to connect to the cluster securely by\nreusing standard/existing x509 CA auth, instead of having to implement a\ncheck based on just a public key.\n\nBackwards-incompatible proto change, but we\u0027re pre-MVP, and this flow is\njust being implemented.\n\nChange-Id: I014780a6ec3e5e8c6e81532531b18ad1438c8258\nReviewed-on: https://review.monogon.dev/c/monogon/+/424\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "516d300df9a34da5b39944017cebf1b11897e7a0", "tree": "b045662801001e5c53412baa6d744346892830f0", "parents": [ "c6c092be9c8774192867620d1df41c6014e20de1" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Oct 01 00:05:41 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Nov 16 14:39:15 2021 +0000" }, "message": "m/n/c/curator: implement Curator.RegisterNode\n\nThis is the \u0027Register\u0027 call from the cluster lifecycle design document.\nWe don\u0027t yet call it from node startup code, but we do exercise it in a\nCurator test.\n\nChange-Id: Ife617b148a25fc8aecb0ed15f78a758ca4538016\nReviewed-on: https://review.monogon.dev/c/monogon/+/423\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "f73d8a993251c8fda30ce665c7f4eabdb7a203e3", "tree": "80d1f94ce1be04bef15b4632083ad7e2745bbcb3", "parents": [ "80861fd796e8f32e2866fa3757ff92ee186a9e8f" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Nov 02 21:19:45 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Nov 09 17:01:29 2021 +0000" }, "message": "m/n/c/network/hostsfile: implement\n\nThis implementes a dedicated runnable for maintaining hostsfile-like\nlocal state based on the node\u0027s local state and any possible cluster\ndata.\n\nThis needs to be able to be maintained by a single runnable regardless\nof the cluster enrolment process (bootstrap, register or join), and\nregardless of the state of enrolment (don\u0027t have networking data, only\nhave local networking data, have cluster state from any kind of\navailable cluster dialer).\n\nFor now this is just piped into the bootstrap logic and has no access to\ncluster data, but a planned revamp of the enrolment logic into the\nroleserver will fully integrate this with cluster information.\n\nChange-Id: Icc472a0da302109882c5a6d8b4e124a7b9af4813\nReviewed-on: https://review.monogon.dev/c/monogon/+/422\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "80861fd796e8f32e2866fa3757ff92ee186a9e8f", "tree": "3e02b5ce623b8d429f082a0e8f8a06fba546c163", "parents": [ "f758ce419a4a63261e4cacf8b8795a17d024df87" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Nov 02 22:14:06 2021 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Nov 09 16:41:17 2021 +0000" }, "message": "m/n/c/curator: implement Watching NodesInCluster\n\nThis pipes etcd ranged watchers for nodes into a Curator RPC. This is to\nbe used by systems that need to compile information based on all/some\nnodes in the cluster, eg. when building a cluster directory or hosts\nfile with DNS mappings.\n\nThe existence of both NodeInCluster and NodesInCluster could be argued\nas unnecessary, and it might make sense to merge NodeInCluster\nfunctionality into NodesInCluster with a filter-by-node-id field. We\nshould consider doing this once the dust settles.\n\nWe also use this opportunity to write tests for Node{,s}InCluster.\n\nChange-Id: I544657b1bfe266a37230760236510024c6007c24\nReviewed-on: https://review.monogon.dev/c/monogon/+/420\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "8d45a0598ae83b8da89442ce8960e64f065182c7", "tree": "76fc262f260152be7be130ed2a078738e03073c2", "parents": [ "52304a8aa84604846e316e28c955b67e68c52f34" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 18 17:24:24 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Nov 03 15:01:37 2021 +0000" }, "message": "m/pkg/event/etcd: implement ranged watchers\n\nThis adds a new mode of operation to etcd Values/Watchers in which a\nrange of etcd keys is watched for updates instead of a single key.\n\nThis allows the implementation of watching a collection of objects\nstored in etcd for updates, eg. the node state in the Curator.\n\nThis has been implemented within the existing API of Event Values, which\nis likely the biggest contention point of this change. An alternative\nwould be to design a separate API for multi-value use, but this should\nallow us to more easily integrate with the existing code. We make use of\nGo\u0027s options-as-varargs paradigm to not break any existing use of this\ncodebase.\n\nSome behaviour of the Get() operation in ranged context is left\nunderdefined, but none of the expected users of this codebase are\nexpected to depend on this. Once the dust settles a bit, we can attempt\nto formalize this more strongly.\n\nChange-Id: I8f84d74332765e52b9bbec04b626d00f05c23071\nReviewed-on: https://review.monogon.dev/c/monogon/+/419\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "52304a8aa84604846e316e28c955b67e68c52f34", "tree": "df8518bb50b9665af7f4897665d8aa16f4a43e7f", "parents": [ "ba7bf7dc83c15cbd94a1f71b7992df7d7fc7d752" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Oct 29 16:56:18 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Nov 03 11:36:20 2021 +0000" }, "message": "m/node: implement Port type for node ports\n\nThis allows us to use %v/%s to get a pretty port name where needed.\n\nWe also drive-by remove MasterServicePort which is a leftover from\na pre-curator cluster service implementation.\n\nChange-Id: Id8feddf87269b13dd1dad2460a015c1a7ecbc6d7\nReviewed-on: https://review.monogon.dev/c/monogon/+/418\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "6ef7f9bb94890748cc7c635f187fce7c5f497fe3", "tree": "8252a2bfde15ebc883195717762ba313978ca946", "parents": [ "da3be1bde2f7cffc518433c8f65569079a30655e" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Oct 21 13:02:40 2021 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Oct 25 18:46:55 2021 +0000" }, "message": "m/n/core: mount efivars\n\nWe will need them for lots of upcoming things, let\u0027s mount them\nso things which need them can use them.\n\nChange-Id: I4417c370615da154bc7cb8b8804cb268d0fd617e\nReviewed-on: https://review.monogon.dev/c/monogon/+/405\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "2f58ac0ba336ad64e5708a4bb72163e368410959", "tree": "f0047b265e47d3e934220f93147bbe663d7ac097", "parents": [ "eac8f7312382f20c17082f2871b50aea92e0a45e" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 11:47:20 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Oct 06 16:07:56 2021 +0000" }, "message": "m/n/c/curator: return CA public key in GetClusterInfo\n\nThis is needed for node registration (and is generally useful data\nwhenever a caller might not be aware of the CA\u0027s public key but already\nhas access to a Management client). In theory, all callers should be\naware of the public key, but in the future some other cluster\nverification might be performed with the CA public key ignored on\nconnectivity, but used by some other logic.\n\nChange-Id: If1928435bd5606c733460eb1a4a29a6578c8c723\nReviewed-on: https://review.monogon.dev/c/monogon/+/342\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "eac8f7312382f20c17082f2871b50aea92e0a45e", "tree": "cb1e0051ef3d97a64e367c77eaaf1c1217df2fbd", "parents": [ "bf5994514f50390c64c2ae6be2371687d312850c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 23:30:37 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Oct 06 16:03:27 2021 +0000" }, "message": "m/n/core: run dedicated PID 1 reaper\n\nThis introduces minit, a tiny init implementation, written in C, built\nagainst musl. It does one thing: reap children. No support for TTY, no\nconfigurability, just the bare minimum for a working system.\n\nWe also drive-by remove some dead code from main.go.\n\nThis solves https://github.com/monogon-dev/monogon/issues/15\n\nChange-Id: I666ff2042f19639465ff918590a39b8e219ee7d6\nReviewed-on: https://review.monogon.dev/c/monogon/+/346\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "bf68fa9d8cbf6d283da8d538c1f28d8f53df0fcd", "tree": "d62cda0e060b4376dec815629f72e1661d77a73f", "parents": [ "bc671d09b9cdeb420260797c22020aa12059eb36" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:53:58 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Oct 06 14:50:09 2021 +0000" }, "message": "m/n/c/roleserve: implement ClusterAgent\n\nThe ClusterAgent is a runnable that is scheduled to run on all cluster\nnodes. It\u0027s currently used to report the current node status to the\nCluster, and in the future can be used to implement hearbeat detection\nfor nodes.\n\nChange-Id: Iff394e2cc37064d1e42fd27e40884dda83d88418\nReviewed-on: https://review.monogon.dev/c/monogon/+/341\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "bc671d09b9cdeb420260797c22020aa12059eb36", "tree": "868fe4b9601c2c5c1f63106f3f0160037cb76462", "parents": [ "3be483247a07a6ebe73dd044f6ad299e19a04c7b" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:53:32 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Oct 06 14:49:55 2021 +0000" }, "message": "m/n/core: implement GetClusterInfo\n\nThis implements Management.GetClusterInfo which is used to retrieve a\nClusterDirectory. This in turn will be used by nodes that wish to\nregister into a cluster.\n\nThis could\u0027ve been skipped and instead Curator.Watch could\u0027ve been used.\nHowever, the Curator service is only really (currently) intended to be\nused by node-to-node communications. To keep with the current design, we\nimplement a separate RPC, but we should maybe reconsider if this\nseparation makes sense.\n\nChange-Id: Ie9d475731f4faafdc51a2aa51a1582ee1a259fd2\nReviewed-on: https://review.monogon.dev/c/monogon/+/340\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "3be483247a07a6ebe73dd044f6ad299e19a04c7b", "tree": "91e414202d66fd57a7064d9cd6ff975530b56143", "parents": [ "826a9e94db7345bbb1932fa51049bc6e090391e3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:24:26 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Oct 06 14:49:50 2021 +0000" }, "message": "m/n/c/curator: share locks across leader service instances\n\nThis is needed to lock access to nodes between the Curator and Managment\ninstances.\n\nChange-Id: I4609d87a961339235a13af57236f80c9976819ed\nReviewed-on: https://review.monogon.dev/c/monogon/+/339\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "27b6c4fd36a3e664cb9ed209e498404090d550a2", "tree": "bf7a7ed35c26d8c560be92e33dd0ab09a82c4a5a", "parents": [ "2893e980368c0bbb843aa422386462a964623b40" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 18:55:46 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:37:21 2021 +0000" }, "message": "m/n/c/curator: use UnimplementedXXX stubs for follower unimplemented code\n\nChange-Id: Iecf9adf91c8ae4c6af5854e35dbf3362b1b31865\nReviewed-on: https://review.monogon.dev/c/monogon/+/344\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "2893e980368c0bbb843aa422386462a964623b40", "tree": "0e95252b16a85991de6f0901bc7dcaf2ac566145", "parents": [ "96043bc1cb55b1271b21309b2011d64d2361a0fd" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Sep 09 13:06:16 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:29:42 2021 +0000" }, "message": "m/n/c/curator: add UpdateStatus\n\nThis implements Curator.UpdateStatus, which lets nodes self-report some\nstatus items. Currently this is their external IP address, which is\nneeded to generate a Cluster Directory which is in turn needed to\nregister into a cluster.\n\nChange-Id: Ib5464ca78ee3466d9b9f89b7af8b40f613ae8dcc\nReviewed-on: https://review.monogon.dev/c/monogon/+/332\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "96043bc1cb55b1271b21309b2011d64d2361a0fd", "tree": "b4db59595d8635154de74b0a244a6bb28bc52d2d", "parents": [ "3379a5d0ffcd652031c135f2ffe7600272fa0093" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 12:10:13 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:29:16 2021 +0000" }, "message": "*: import reformats\n\nAs caused by my IntelliJ/gofmt locally. We really need to do gofmt\nchecks in CI, especially now that we nearly have the tooling ready for\nit.\n\nChange-Id: Id105ba9ad8a34b8b8e883d52d621d47b0ea888d7\nReviewed-on: https://review.monogon.dev/c/monogon/+/338\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "3379a5d0ffcd652031c135f2ffe7600272fa0093", "tree": "6c771e39336d5df9f7d956fadb9578b94b25b174", "parents": [ "6adf8840e846b15b7b34151c3432c886b540f420" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Sep 09 12:56:40 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:13:53 2021 +0000" }, "message": "m/n/core: factor out gRPC/TLS into rpc and identity libraries\n\nThis is an annoying large change, which started its life as me pulling\nthe \u0027let\u0027s add tests for authentication\u0027 thread, and ended up in\nunifying a whole bunch of dispersed logic under two new libraries.\n\nNotable changes:\n\n - m/n/core/identity now contains the NodeCertificate (now called Node)\n and NodeCredentials types. These used to exist in the cluster code,\n but were factored out to prevent loops between the curator, the\n cluster enrolment logic, and other code. They can now be shared by\n nearly all of the node code, removing the need for some conversions\n between subsystems/packages.\n - Alongside Node{,Credentials} types, the identity package contains\n code that creates x509 certificate templates and verifies x509\n certificates, and has functions specific to nodes and users - not\n clients and servers. This allows moving most of the rest of\n certificate checking code into a single set of functions, and allows\n us to test this logic thoroughly.\n - pki.{Client,Server,CA} are not used by the node core code anymore,\n and can now be moved to kubernetes-specific code (as that was their\n original purpose and that\u0027s their only current use).\n - m/n/core/rpc has been refactored to deduplicate code between the\n local/external gRPC servers and unary/stream interceptors for these\n servers, also allowing for more thorough testing and unified\n behaviour between all.\n - A PeerInfo structure is now injected into all gRPC handlers, and is\n unified to contain information both about nodes, users, and possibly\n unauthenticated callers.\n - The AAA.Escrow implementation now makes use of PeerInfo in order to\n retrieve the client\u0027s certificate, instead of rolling its own logic.\n - The EphemeralClusterCredentials test helper has been moved to the rpc\n library, and now returns identity objects, allowing for simplified\n test code (less juggling of bare public keys and\n {x509,tls}.Certificate objects).\n\nChange-Id: I9284966b4f18c0d7628167ca3168b4b4037808c1\nReviewed-on: https://review.monogon.dev/c/monogon/+/325\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "bc7614ee942aee814865a5967c642802040476ed", "tree": "12573dc1932f0477dffec7a21cf635f8b3ea140a", "parents": [ "356b896eb4c3db9608d637c775845a09fc20fd07" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Sep 09 13:07:09 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Sep 29 13:04:33 2021 +0000" }, "message": "m/n/c/curator: fix watch fail on context timeout\n\nFixes https://github.com/monogon-dev/monogon/issues/75.\n\nChange-Id: Iefb772fa55499271e85fec500f50e6c77e49d05a\nReviewed-on: https://review.monogon.dev/c/monogon/+/326\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "080f7ff710e359f2dab0d8ace98f0aa8e443d98d", "tree": "f515ece2d0503d897d2c09e18d9fcb5e2f57cee3", "parents": [ "44d6b832490adc28d787f392db1c9e40c9ff3438" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Sep 09 13:01:00 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Sep 21 08:41:43 2021 +0000" }, "message": "m/n/core/curator: add thin etcd storage abstraction\n\nThis implements etcdPrefix, a more formalized way to represent objects\nstored within etcd under some unique ID key.\n\nThis ensures any time objects are retrieved by key they are not\naccidentally traversing /-delimited \u0027path\u0027 elements, and implements the\nmildly complex range start/end computation operation for when all\nobjects from within a prefix must retrieved.\n\nChange-Id: Ib095f466faaf453b5f61a35642df6b0c1076ae05\nReviewed-on: https://review.monogon.dev/c/monogon/+/322\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "44d6b832490adc28d787f392db1c9e40c9ff3438", "tree": "f04b490de46c451931df9e078969eb550632e937", "parents": [ "e306d780504ae3ddfad3eb852c7adc5ec9757d89" ], "author": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Mon Sep 06 22:02:04 2021 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Sep 08 12:21:08 2021 +0000" }, "message": "Use a temporary ntp.monogon.dev CNAME instead of pool.ntp.org\n\nWe\u0027re currently trying to get a vendor zone assigned\n(monogon-dev/monogon#72). Meanwhile, use a CNAME pointing\nto pool.ntp.org to avoid a freak accident where someone uses\na WIP version of Metropolis to deploy a million plastic routers.\n\nChange-Id: Ib39006c65a23d2df3a1230c28b0b7245b9e3e3c4\nReviewed-on: https://review.monogon.dev/c/monogon/+/320\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "e306d780504ae3ddfad3eb852c7adc5ec9757d89", "tree": "3e8e2c7a21430777db525c9ed4717a2cab1c114a", "parents": [ "d7d6e0284de38cbeeb185ca17c0853b4b2c10ee9" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Sep 01 13:01:06 2021 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Sep 06 09:05:40 2021 +0000" }, "message": "m/n/time: add time service\n\nThis adds a bare-minimum time service based on chrony/NTP for keeping\nthe system clock and RTC on Metropolis nodes accurate.\n\nIt also introduces a UID/GID registry in the Metropolis node code\nas this is the first unprivileged service to run on the node itself.\n\nIt does not yet use a secure time source, this is tracked as #73.\n\nChange-Id: I873971e6d3825709bc8c696e227bece4cfbda93a\nReviewed-on: https://review.monogon.dev/c/monogon/+/319\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "d7d6e0284de38cbeeb185ca17c0853b4b2c10ee9", "tree": "37e0b443caf904f0b78d423ba6580c1416f5bc11", "parents": [ "9ffa1f9577003ab70a6b483475874f3552d1ccc3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Sep 01 15:03:06 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Sep 03 11:15:40 2021 +0000" }, "message": "m/n/core/rpc: create library for common gRPC functions\n\nThis is the beginning of consolidating all gRPC-related code into a\nsingle package.\n\nWe also run the Curator service publicly and place it behind a new\nauthorization permission bit. This is in preparation for Curator\nfollowers needing access to this Service.\n\nSome of the service split and authorization options are likely to be\nchanged in the future (I\u0027m considering renaming Curator to something\nelse, or at least clearly stating that it\u0027s a node-to-node service).\n\nChange-Id: I0a4a57da15b35688aefe7bf669ba6342d46aa3f5\nReviewed-on: https://review.monogon.dev/c/monogon/+/316\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "9ffa1f9577003ab70a6b483475874f3552d1ccc3", "tree": "a688d02424e8601ed830d12021b5867688d31438", "parents": [ "6bd415920b84bd695038caeb386f1e97184f0c51" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Sep 01 15:42:23 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Sep 02 10:38:15 2021 +0000" }, "message": "m/n/core/curator: authenticated RPC\n\nThis adds authentication middleware (server interceptors) for gRPC\nservices running on the public curator listener.\n\nMost of this code is testing harnesses to start up just the curator\nlistener with enough of a PKI infrastructure copy from a real Metropolis\ncluster to be able to start running tests against GetRegisterTicket.\n\nChange-Id: I429ff29e3c1233d74e8da619ddb543d56bc051b9\nReviewed-on: https://review.monogon.dev/c/monogon/+/311\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "6bd415920b84bd695038caeb386f1e97184f0c51", "tree": "60a125e0a299663c392218ed8b80cf33ea31aabd", "parents": [ "68dcee136984e2e16b7682e0c0758c1df831a84c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Aug 23 13:18:37 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Sep 01 12:56:15 2021 +0000" }, "message": "m/node: add Management service, implement GetRegisterTicket RPC\n\nThis follows the Cluster Lifecycle design document.\n\nDO NOT MERGE: this needs a stacked CL on top which implements\nauthentication for the Management service.\n\nChange-Id: I19422a63b9dbf2fc0c7f4cbe204851af35b4dbdf\nReviewed-on: https://review.monogon.dev/c/monogon/+/307\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "c1bf6aa7ac83513659d56756009d572deffa7177", "tree": "fafe3258a74a97171a9d11d917a19c2e7387db73", "parents": [ "1f9a03b3f952320824b1ae49e56da3cb814cd5b0" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Aug 23 13:05:24 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Aug 24 17:26:35 2021 +0000" }, "message": "m/n/core/curator: fix listener stuckness on restarts\n\nThis makes both gRPC listener runnables (local and public) manage their\nown listening sockets, allowing them to restart independently of\neachother, and making sure that any listening sockets are cleaned up.\n\nWe also fix the existing curator test (which does not exercise the\nlisteners, just leadership election) to place the curators and their\nlocal sockets in /tmp instead of the default bazel tempdir (as a path\nbased on that is longer than the maximum domain socket path). This makes\nthese tests slightly less noisy (as they kept crashing while not being\nable to listen to the local socket).\n\nThis should\u0027ve been caught by a curator listener test, if we had one\n(other than the e2e test). I\u0027m growing keen on spending some time\nwriting enough of a harness to actually do that. Maybe once we have a\nfollower implementation ready…\n\nChange-Id: I0267292781b6ee8aff1d0557d420bbaa3c3d79f6\nReviewed-on: https://review.monogon.dev/c/monogon/+/304\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "b9044c888097757c36933062f27b5f5ee103ee5f", "tree": "b07722231a9cf0fd3c0b81486bd637e11cbd7b6b", "parents": [ "3bb23219009a98643a562b1e59e3a4080f422c51" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Aug 24 11:59:47 2021 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Aug 24 16:12:52 2021 +0000" }, "message": "m/p/devicemapper: make parameter encoding part of package\n\nThe DM kernel interface gets a single parameter string for each DM\ntarget in a table but internally the kernel immediately decodes it into\nan argv-style list of string arguments. Because everything needs to do\nit and it can be quite hard to get right, let\u0027s make it part of the\ndevicemapper package. Properly encoding this also means you get\nactionable errors when you pass invalid data instead of weird kernel\nerrors or misbehavior.\n\nChange-Id: I8060871a7459183c0395e5e4e8aac517544b2e87\nReviewed-on: https://review.monogon.dev/c/monogon/+/309\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "41d275a63864e67deacad5b2ec0b435b01984034", "tree": "b5acf06483c0c33f0e988c82cbb25db4ceea777f", "parents": [ "5b2ae5500a90dc48b9713095e5f1580b9c9646d9" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Aug 17 13:09:43 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Aug 24 13:18:12 2021 +0000" }, "message": "m/n/c/curator: implement AAA.Escrow for initial owner pubkey\n\nThis finally implements AAA.Escrow in Metropolis.\n\nWe\u0027re not yet implementing multi-user support, so this currently only\nimplements retrieving an Owner certificate using the owner public key\nspecified in NodeParameters.cluster_bootstrap.\n\nChange-Id: I64a7ba025a8069d82b3c804ca3e2a706de2b0fbf\nReviewed-on: https://review.monogon.dev/c/monogon/+/289\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "5b2ae5500a90dc48b9713095e5f1580b9c9646d9", "tree": "1f6efbed2aa20716c18772bb30dbafacd6f07db3", "parents": [ "03758714f4b7be2a712831beecfdfcbf151b4c66" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Aug 17 13:00:14 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Aug 23 12:26:16 2021 +0000" }, "message": "m/n/c/curator: listen on public gRPC\n\nThis enables listening on CuratorPort (which was called\nNodeServicePort) using TLS node certificates. No service is yet running\non the new gRPC listener.\n\nChange-Id: I436ac1ae9cbdb257419ad114262fc2a7516396b1\nReviewed-on: https://review.monogon.dev/c/monogon/+/288\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "03758714f4b7be2a712831beecfdfcbf151b4c66", "tree": "1a7e2f3096a130897f53c28d4f9b72ea871264d0", "parents": [ "8ff4b7c6f20c9dda91c0eefc524e9bb6c3bff52d" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Aug 17 12:52:11 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Aug 20 09:03:18 2021 +0000" }, "message": "m/n/core: save owner public key in etcd\n\nThis is an early implementation of storing user credentials. It\ncurrently does not support more then the owner credentials.\n\nThese are not yet used anywhere, but will be in a follow-up CL.\n\nChange-Id: Ib876f7aaff44531dcae5a27875a960aaa9ec029f\nReviewed-on: https://review.monogon.dev/c/monogon/+/287\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" } ], "next": "158e9a415a72bfacfdf9f46eb06b30486680299f" }