If you are wondering where the data of this site comes from, please visit https://api.github.com/users/dnephin/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.

alecthomas/gometalinter 3553

DEPRECATED: Use https://github.com/golangci/golangci-lint

d11wtq/dockerpty 140

Pseudo-tty handler for docker Python client

aanand/compose-file 61

Parser for the Compose file format (version 3)

dnephin/compose-addons 49

Tools to supplement the feature set of docker-compose

dnephin/alpine-package-mirror 23

Dockerfile to run an alpine package mirror or private package repo

dnephin/alpine-s6 11

Minimal example of using s6 in a docker container to handle signals as pid1

aluzzardi/dind 8

Docker in Docker Images

dnephin/cobra 2

A Commander for modern Go CLI interactions

dnephin/compose 1

A fork

create branch hashicorp/consul

branch : dnephin/acl-resolver-3

created branch time in 19 hours

PR opened hashicorp/consul

acl: decouple filtering from ACLResolver and remove a couple methods (labels: pr/no-changelog, theme/acls)

Branched from #10742

Best viewed by individual commit. There is more context in the commit messages.

This PR is another small incremental step toward two goals: making the ACL system easier to understand (by making it easier to trace the code), and making the code easier to change (by improving the structure). No structural changes yet, but these small changes will make it easier to move ACLResolver out of the agent/consul package.

+52 -67

0 comment

11 changed files

pr created time in 20 hours

create branch hashicorp/consul

branch : dnephin/acl-resolver-2

created branch time in 21 hours

PR opened hashicorp/consul

acl: move agent/consul vet functions (labels: pr/no-changelog, theme/acls)

While looking at possibly moving ACLResolver into a package under acl I noticed these "vet" functions in agent/consul/acl.go. Most of what's in agent/consul/acl.go is the ACLResolver and filtering. These vet functions are not really related to the ACLResolver, and they are only called from one place (either the catalog RPC endpoints or Txn RPC endpoints).

This PR moves the vet function to where they are used, which seems like a better place for them. It is done in hopes that moving the ACLResolver can be done as mostly a file rename without a large diff. But even if that doesn't happen, this change seems like an improvement. These functions are actually part of the catalog and txn components, not part of the ACL system.

Now that #10632 has merged, this change also removes the authz == nil checks in these functions, because those cases are no longer possible.

+709 -731

0 comment

5 changed files

pr created time in a day

create branch hashicorp/consul

branch : dnephin/acl-resolver

created branch time in a day

Pull request review comment hashicorp/consul

acl: remove the last of the authz == nil checks

 func (t *Txn) preCheck(authorizer acl.Authorizer, ops structs.TxnOps) structs.Tx 			}  			service := &op.Service.Service-			// This is intentionally nil as we will authorize the request-			// using vetServiceTxnOp next instead of doing it in servicePreApply-			if err := servicePreApply(service, nil); err != nil {+			// acl.ManageAll is used here because the request will be authorized+			// later using vetServiceTxnOp.+			if err := servicePreApply(service, acl.ManageAll()); err != nil {
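Review bot: the safety of passing acl.ManageAll() into servicePreApply here rests on an invariant the code does not state: vetServiceTxnOp must run for every op after this call. Since ManageAll grants every permission, any future early return between servicePreApply and vetServiceTxnOp would skip authorization without any failing check. Suggest extending the new comment to say that servicePreApply must not be relied on for authorization of this op, and pinning the ordering with a test that a token lacking the needed service permission is still rejected by the Txn endpoint.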

Calling out this change as it's slightly different from the rest.

The goal of this chain of PRs is to remove these nil checks, so we replace the nil we pass in here with ManageAll to achieve the same goal.

dnephin

comment created time in a day

PR opened hashicorp/consul

acl: remove the last of the authz == nil checks

Branched from #10737, this PR continues the work from #10632

This diff is larger because it removes some checks that were around larger blocks of code. You can use "hide whitespace" to reduce the diff significantly.

There is one last remaining authz != nil check here: https://github.com/hashicorp/consul/blob/v1.10.1/agent/consul/acl.go#L1239-L1241. That one has to remain because it can be nil in OSS. Since this is internal to the "ACL system" it seems like a reasonable exception. We could probably make an acl.DefaultAll authorizer to use in its place, but I'm not sure it's worth it for this one small case.

+133 -163

0 comment

13 changed files

pr created time in a day

create branch hashicorp/consul

branch : dnephin/remove-authorizer-nil-checks-2

created branch time in a day

Pull request review comment hashicorp/consul

acl: remove authz == nil checks

 func (ixn *Intention) CanRead(authz acl.Authorizer) bool { }  func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {-	if authz == nil || authz == acl.ManageAll() {+	if authz == acl.ManageAll() { 		return true 	} 	var authzContext acl.AuthorizerContext +	// TODO: this line seems to require checking 'authz == acl.ManageAll()' above 	if ixn.DestinationName == "" { 		return false 	}

cc @freddygv @rboyer Thoughts on this proposed change? Any concerns?

dnephin

comment created time in a day

Pull request review comment hashicorp/consul

acl: remove authz == nil checks

 func (ixn *Intention) CanRead(authz acl.Authorizer) bool { }  func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {-	if authz == nil || authz == acl.ManageAll() {+	if authz == acl.ManageAll() { 		return true 	} 	var authzContext acl.AuthorizerContext +	// TODO: this line seems to require checking 'authz == acl.ManageAll()' above 	if ixn.DestinationName == "" { 		return false 	}
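Review bot: two points on the `authz == acl.ManageAll()` comparison that replaces the nil check. First, interface equality against acl.ManageAll() only matches if ManageAll() returns the same value on every call; if it ever returned a fresh authorizer, this branch would silently stop short-circuiting and the `ixn.DestinationName == ""` guard below would start rejecting writes under disabled ACLs, so a test asserting CanWrite is true for acl.ManageAll() with an empty DestinationName would pin that. Second, as the TODO says, that guard is the only reason the short-circuit is needed; moving the empty-name rejection into the authorizer path (IntentionWrite) would let this function use authz uniformly, which is the stated goal of this PR chain.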

Calling out this TODO. In all other cases we've found (so far) simply using the acl.Authorizer without checking its value is correct.

In this case it seems like it may not be, so we had to add an authz == acl.ManageAll() check above (the ManageAll authorizer is returned when ACLs are disabled).

Is this ixn.DestinationName == "" in the right place? Maybe it should be in authz.IntentionWrite (called below)? I believe if we made that change we could remove the authz == acl.ManageAll() check, and the acl.Authorizer interface would be much safer to use in general.

dnephin

comment created time in a day

PR opened hashicorp/consul

acl: remove authz == nil checks (labels: pr/no-changelog, theme/acls)

Follow up to #10632

Best viewed by individual commit.

Remove more of the authz == nil checks now that resolving a token should never return a nil. There are a few more authz != nil checks to handle, but I'll do that in another PR to keep the diff small.

Also cleans up some agent methods that were only used by tests.

+121 -192

0 comment

13 changed files

pr created time in a day

push event hashicorp/consul

Blake Covarrubias

commit sha 11f1f3fe34b7873253ce142db2fc75e154fb052e

Add OSS changes for specifying audit log permission mode

Blake Covarrubias

commit sha 2c78cbbee73fda6b77ba8e14aa12932db13389a8

Add changelog

Blake Covarrubias

commit sha c919f2d9eaf59f3d22c49af76852e01344fb9451

api: Support QueryOptions on additional agent endpoints (#10691)

Add support for setting QueryOptions on the following agent API endpoints:
- /agent/health/service/name/:name
- /agent/health/service/id/:id
- /agent/service/maintenance/:id

This follows the same pattern used in #9903 to support query options for other agent API endpoints.

Resolves #9710

Daniel Nephin

commit sha 97fed4770845e7b8a3d215d263771e5d2d47f950

Merge pull request #10632 from hashicorp/pairing/acl-authorizer-when-acl-disabled

acls: Update ACL authorizer to return meaningful permission when ACLs are disabled

Kenia

commit sha 2ee501be8d5314252f86345a8ebaf87ffddd887f

ui: Add copy button for Secret ID in Tokens list page (#10735)

hc-github-team-consul-core

commit sha 323039dd06d364b411744eb4b31aba1ff21b3367

auto-updated agent/uiserver/bindata_assetfs.go from commit 2ee501be8

Daniel Nephin

commit sha 9dd6d26d05c1d8ce035d63d2f37eb7b9afc8f089

acl: remove rule == nil checks

Daniel Nephin

commit sha b8ae00c23b7e7a76e3ab36fbdb0e74ccd20ddea5

agent: remove unused agent methods

These methods are no longer used. Remove the methods, and update the tests to use the actual method used by production code.

Also removes the 'authz == nil' check, which is no longer a possible code path now that we are returning a non-nil acl.Authorizer when ACLs are disabled.

Daniel Nephin

commit sha f497d5ab306321ef5bc66b6167bcfbcf5293b561

acl: remove many instances of authz == nil

Daniel Nephin

commit sha 4f1a36629ad814ad523f0d42377db6731d18e834

acl: remove authz == nil checks

These cases are already impossible conditions, because most of these functions already start with a check for ACLs being disabled. So the code path being removed could never be reached. The one other case (ConnectAuthorized) was already changed in a previous commit. This commit removes an impossible branch because authz == nil can never be true.

push time in a day

create branch hashicorp/consul

branch : dnephin/remove-authorizer-nil-checks

created branch time in a day

push event hashicorp/consul

Daniel Nephin

commit sha 84fac3ce0e789c559aea29e9d9a09dce22020d34

acl: use acl.ManageAll when ACLs are disabled

Instead of returning nil and checking for nilness. Removes a bunch of nil checks, and fixes one test failure.

Evan Culver

commit sha 727b81a7576ef829ddf7a27348682e65f3cdfd0c

Fix intention endpoint test

Evan Culver

commit sha f2d30bbc8866f4f176d27eb07ebc4e248a7cdc5b

Fix api/agent test

Evan Culver

commit sha 24db06f5039cd95132dad39c65aa367721dd86a7

Fix maint test

Evan Culver

commit sha 4c4bbfb7c0ca4f47d1802bcca1d231a25dcbfb7a

Fix api/agent test

Daniel Nephin

commit sha 97fed4770845e7b8a3d215d263771e5d2d47f950

Merge pull request #10632 from hashicorp/pairing/acl-authorizer-when-acl-disabled

acls: Update ACL authorizer to return meaningful permission when ACLs are disabled

push time in a day

delete branch hashicorp/consul

delete branch : pairing/acl-authorizer-when-acl-disabled

delete time in a day

PR merged hashicorp/consul

Reviewers
acls: Update ACL authorizer to return meaningful permission when ACLs are disabled (labels: pr/no-changelog, theme/api, theme/cli, theme/envoy/xds)

As part of the discussion in #10399, we thought that we could clean up the main token resolution API to return a non-nil value for the case where ACLs are disabled so that users don't need to do counter-intuitive nil checks on the result.

By changing this API, we had to update a few cases that were making assumptions out of the nil return. I think this makes more sense and cleans up the code ever so slightly. Curious if others agree.

Note: the primary change is the one in agent/consul/acl.go -- everything else is fallout.

+52 -52

2 comments

19 changed files

eculver

pr closed time in a day

pull request comment hashicorp/consul

acls: Update ACL authorizer to return meaningful permission when ACLs are disabled

The one test failure is a flake so I'm going to merge this

eculver

comment created time in a day

push event hashicorp/consul

Daniel Nephin

commit sha 6117ba3b2eeb89d897c299c6e207ceb34a4bbeb4

Remove a few unused things from build-support

Daniel Nephin

commit sha f31aa12cf1264b877a0927b040f4604b25e11205

dns: remove unnecessary function wrapping

The dispatch function was called from a single place and did nothing but add a default value. Removing it makes code easier to trace by removing an unnecessary hop.

Daniel Nephin

commit sha 4beff900d193762204019e02f86ca9d9f7e40244

dns: remove unused method

It was added in 5934f803bfb54c1ceeeb6518398f1b82a726459f but it was never used.

Daniel Nephin

commit sha b96c8195a5ee7515e50182ea9c61d1c35930ffec

dns: small refactor to setEDNS to return early

Using a guard clause instead of a long nested if. The diff is best viewed with whitespace turned off.

Daniel Nephin

commit sha 68d6f1315f1fc24453077037a796c20949d2f18b

dns: refactor dispatch to use an explicit return in each case

In preparation for changing the return value, so that SOA, eDNS trimming and 'not found' errors can be handled in a single place.

Daniel Nephin

commit sha 9267b09c32a5ba6846237cbbef1ed9525ec02790

dns: error response from dispatch

So that dispatch can communicate status back to the caller.

Daniel Nephin

commit sha 436a02af31ad39014b837d3cf4d05161fec7fadb

dns: handle errors from dispatch

Daniel Nephin

commit sha 42f79632527fd0912cd2e2f2e4247ece131df515

dns: trim response immediately before the write

Previously the response was being trimmed before adding the EDNS values, which could cause it to exceed the max size.

Daniel Nephin

commit sha d116bda958c084fd6fffca4809ce71131e189a20

dns: remove network parameter from two funcs

Now that trimDNSResponse is handled by the caller we don't need to pass this value around. We can remove it from both the serviceLookup struct, and two functions.

Dhia Ayachi

commit sha f8f2756967d7acfcbbb0b857aa74fddd688a759f

add missing test for truncate

Dhia Ayachi

commit sha ad2065f2aa047f5e5ea8027d245f2971fa1d7e6d

Check response len do not exceed max Buffer size

Daniel Nephin

commit sha 204bf2b345f324bbd5d5a6ad1ec98f53b39451e0

dns: correct rcode for qtype not supported

A previous commit started using QueryRefuced, but that is not correct. QueryRefuced refers to the OpCode, not the query type. Instead use errNoAnswer because we have no records for that query type.

Dhia Ayachi

commit sha 6d331691dc9b2f7181f6d1641c2cd17743917c8c

add changelog entry

Daniel Nephin

commit sha baa2b8628e41ba577fb893ef490f16480b3f1dc4

consul: fix data race in leader CA tests

Some global variables are patched to shorter values in these tests. But the goroutines that read them can outlive the test because nothing waited for them to exit. This commit adds a Wait() method to the routine manager, so that tests can wait for the goroutines to exit. This prevents the data race because the 'reset to original value' can happen after all other goroutines have stopped.

Daniel Nephin

commit sha 970f5d78ec1f0704a2b5dd6593e385fabacce2f8

agent: fix two data races in agent tests

The LogOutput io.Writer used by TestAgent must allow concurrent reads and writes, and a bytes.Buffer does not allow this. The bytes.Buffer must be wrapped with a lock to make this safe.

Daniel Nephin

commit sha 0acfc2c65bf48098431fea7e28430873445c7048

agent: fix a data race in DNS tests

The dnsConfig pulled from the atomic.Value is a pointer, so modifying it in place creates a data race. Use the exported ReloadConfig interface instead.

Daniel Nephin

commit sha 678014de1d528de1d10da9f432fb1e628cfb87bc

agent: fix a data race in a test

The test was modifying a pointer to a struct that had been passed to another goroutine. Instead create a new struct to modify.

Daniel Nephin

commit sha a0ca381037666ded6f1a72def303fbaa62d01a24

agent: remove deprecated call in a test

Daniel Nephin

commit sha 414ce3f09b4e92c28e0f3f65797a861c121b2a92

Update serf

To pick up data race fixes

Daniel Nephin

commit sha fa47c04065a559f3b411e31e7f3053e2399d08f7

Fix a data race in TestACLResolver_Client

By setting the hash when we create the policy.

push time in a day

Pull request review comment hashicorp/consul

acls: Update ACL authorizer to return meaningful permission when ACLs are disabled

 func (ixn *Intention) CanRead(authz acl.Authorizer) bool { }  func (ixn *Intention) CanWrite(authz acl.Authorizer) bool {-	if authz == nil {+	if authz == nil || authz == acl.ManageAll() {
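Review bot: the added `|| authz == acl.ManageAll()` branch keeps the old short-circuit reachable now that the token resolution API returns a non-nil authorizer when ACLs are disabled, but the condition now encodes the same state in two forms. Once that non-nil return is guaranteed, the `authz == nil` half is dead code that still suggests nil is a valid authorizer; suggest dropping it in the follow-up pass and adding a test asserting CanWrite returns true for acl.ManageAll() so the early return is pinned independently of the nil path.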

I think that's right. I'm going to do a second pass after this to remove more of the nil checks that should no longer be necessary.

eculver

comment created time in a day

push event hashicorp/consul

Daniel Nephin

commit sha 7cb3652288d016aebd37a1cc626a58febcb87ab7

wip: add secure-defaults setting

push time in a day

PR opened hashicorp/consul

config: add secure-defaults setting (labels: theme/config, type/enhancement)

This is a quick spike to demonstrate the idea of a -secure-defaults setting.

The setting would force enable a bunch of settings required for a secure setup (ex: ACLs enabled), and would make others required (ex: an agent TLS cert and key).

+66 -4

0 comment

5 changed files

pr created time in a day

create branch hashicorp/consul

branch : dnephin/secure-defaults

created branch time in a day

pull request comment hashicorp/serf

Fix mdns with CVE-2019-19794

The test failures look to be related to this change: https://github.com/hashicorp/mdns/pull/73

The underlying error is hidden in the test output, because the tests are using MockUI, but when I changed that to BasicUI I saw this:

[ERR] agent.mdns: Failed to poll for new hosts: write udp6 [::]:59553->[ff02::fb]:5353: sendto: cannot assign requested address

What I'm not sure about is why ipv6UnicastConn.WriteToUDP is being called. I would have expected ipv6UnicastConn to be nil, since we can see the bind failed with "setsockopt: no such device".

Maybe it's only the IPv6 multicast that failed to bind, and ipv6UnicastConn is indeed not nil, but still fails to write anyway.

adzeitor

comment created time in 2 days

issue comment hashicorp/consul

0 returned instead of NaN for `consul.autopilot.healthy|consul_autpilot_healthy` metric in Consul 1.10

Thank you for reporting this issue! We made some changes to telemetry in 1.9.x, and some minor changes to 1.10.x, but I'm not seeing anything that would have caused followers to report 0. From my reading of the code, we still only report this metric on leaders: https://github.com/hashicorp/consul/blob/v1.10.1/agent/consul/autopilot.go#L46-L53

Which version were you running previous to the upgrade? It's possible that the telemetry changes in 1.9.x could have caused this if you upgraded from 1.8.x.

dschaaff

comment created time in 2 days

push event hashicorp/consul

Daniel Nephin

commit sha eb6505b5266616987a214956ec6689af524efa61

ci: query for max number of possible labels

To fix a failure in our docs-cherrypick automation. This started to fail today, I suspect because github silently changed the order the labels were being returned, and by default it only returns 30 labels. We currently have 68 labels, so using per_page=100 (the maximum allowed) we should be able to fix this failure.

Daniel Nephin

commit sha b2480d229f64d1d2a1af1ffcc988774691c7b35f

Merge pull request #10729 from hashicorp/dnephin/fix-docs-cherrypick

ci: query for max number of possible labels

push time in 2 days