path: root/node-admin
Commit message (Author, Age, Files, Lines)
* Upgrade to gcc 12 (Henning Baldersheim, 2023-01-19, 2 files, -2/+2)
|
* Just use Streams.toList as that is unmodifiable. (Henning Baldersheim, 2023-01-18, 3 files, -3/+3)
|
* Revert "Revert "open wireguard port for config servers"" (Andreas Eriksen, 2023-01-16, 5 files, -66/+102)
|
* Revert "open wireguard port for config servers (#25586)" (Henning Baldersheim, 2023-01-16, 5 files, -102/+66)
|
|   This reverts commit 2ee6905f0c6535fe95cc0516e4634f3ac37414b2.
|
* open wireguard port for config servers (#25586) (Andreas Eriksen, 2023-01-16, 5 files, -66/+102)
|
* Resolve /proc/cpuinfo with test filesystem (Valerij Fredriksen, 2023-01-10, 2 files, -2/+3)
|
* Remove unused code (Valerij Fredriksen, 2023-01-10, 2 files, -51/+2)
|
* Use Path.of() instead to avoid extra import (Valerij Fredriksen, 2023-01-10, 5 files, -16/+16)
|
* Add http-utils as explicit dependency (Bjørn Christian Seime, 2023-01-09, 1 file, -0/+7)
|
* Ensure that HTTPS clients only use allowed ciphers and protocol versions (Bjørn Christian Seime, 2023-01-09, 1 file, -2/+3)
|
* Revert "Ensure that HTTPS clients only use allowed ciphers and protocol versions" (#25436) (Andreas Eriksen, 2023-01-06, 1 file, -3/+2)
|
* Ensure that HTTPS clients only use allowed ciphers and protocol versions (Bjørn Christian Seime, 2023-01-06, 1 file, -2/+3)
|
* Update expected token with new token version (Tor Brede Vekterli, 2023-01-05, 1 file, -1/+1)
|
* Use ChaCha20-Poly1305 instead of AES-GCM for shared key-based crypto (Tor Brede Vekterli, 2023-01-05, 2 files, -2/+2)
|
|   This is to get around the limitation where AES GCM can only produce a maximum of 64 GiB of ciphertext for a particular <key, IV> pair before its security properties break down. ChaCha20-Poly1305 does not have any practical limitations here.
|
|   ChaCha20-Poly1305 uses a 256-bit key whereas the shared key is 128 bits. A HKDF is used to internally expand the key material to 256 bits.
|
|   To let token based decryption be fully backwards compatible, introduce a token version 2. V1 tokens will be decrypted with AES-GCM 128, while V2 tokens use ChaCha20-Poly1305.
|
|   As a bonus, cryptographic operations will generally be _faster_ after this cipher change, as we use BouncyCastle ciphers and these do not use any native AES instructions. ChaCha20-Poly1305 is usually considerably faster when running without specialized hardware support. An ad-hoc experiment with a large ciphertext showed a near 70% performance increase over AES-GCM 128.
|
* Merge pull request #25374 from vespa-engine/jonmv/no-metricsp-proxy-logs-to-s3 (Jon Marius Venstad, 2023-01-03, 2 files, -1/+16)
|\
| |   Avoid uploading metrics-proxy access logs
| |
| * Avoid regex (Jon Marius Venstad, 2023-01-03, 1 file, -1/+1)
| |
| * Avoid uploading metrics-proxy access logs (jonmv, 2023-01-03, 2 files, -1/+16)
| |
* | OrchestratorException should not increment unhandled_exceptions (Håkon Hallingstad, 2023-01-03, 1 file, -1/+1)
|/
* Merge pull request #25279 from vespa-engine/revert-25274-revert-25247-bjormel/yum_--disablerepo (Håkon Hallingstad, 2022-12-21, 4 files, -8/+49)
|\
| |   Revert "Revert "support for disablerepo in yum command""
| |
| * do not disable other repos by default (bjormel, 2022-12-19, 2 files, -9/+20)
| |
| * test for disable other repos (bjormel, 2022-12-19, 1 file, -0/+6)
| |
| * mimic maybeEscapeArgument() in CommandLine (bjormel, 2022-12-19, 1 file, -1/+5)
| |
| * Revert "Revert "support for disablerepo in yum command"" (Bjørn Meland, 2022-12-16, 4 files, -13/+33)
| |
* | Clean up /opt/vespa/var/tmp in content node too... (bjormel, 2022-12-18, 1 file, -2/+3)
| |
* | Clean up /opt/vespa/var/tmp in container (bjormel, 2022-12-18, 2 files, -2/+8)
|/
* Revert "support for disablerepo in yum command" (Bjørn Meland, 2022-12-15, 4 files, -33/+13)
|
* default '--disablerepo=*' (bjormel, 2022-12-14, 2 files, -7/+11)
|
* Change order of enable and disable (bjormel, 2022-12-13, 3 files, -20/+20)
|
* yum --disablerepo (bjormel, 2022-12-13, 3 files, -8/+24)
|
* Wg parameter store (#25225) (gjoranv, 2022-12-13, 6 files, -0/+149)
|
|   * Remove unused import
|   * Add a parameter store for Wireguard and a model for its parameters
|
|   Co-authored-by: gjoranv <gv@verizonmedia.com>
|
* Enable container warmup in CD systems (Valerij Fredriksen, 2022-12-08, 1 file, -3/+2)
|
* Reboot in real node repo (Håkon Hallingstad, 2022-12-06, 2 files, -0/+12)
|
* Create file with correct permissions (Håkon Hallingstad, 2022-12-06, 3 files, -16/+26)
|
* Revert "Revert collect(Collectors.toList())" (Henning Baldersheim, 2022-12-04, 17 files, -26/+26)
|
* Revert collect(Collectors.toList()) (Henning Baldersheim, 2022-12-04, 17 files, -26/+26)
|
* collect(Collectors.toList()) -> toList() (Henning Baldersheim, 2022-12-02, 17 files, -26/+26)
|
* Stop using report-cores-via-cfg (Håkon Hallingstad, 2022-12-01, 5 files, -233/+67)
|
* Add GPU fields to node repository client (Martin Polden, 2022-12-01, 2 files, -12/+25)
|
* Revert "Re-create container if wanted create command changes" (Martin Polden, 2022-11-30, 8 files, -52/+20)
|
* Update signature in mock (Martin Polden, 2022-11-28, 2 files, -2/+2)
|
* Pass wanted resources (Martin Polden, 2022-11-25, 3 files, -4/+4)
|
* Re-create container if wanted create command changes (Martin Polden, 2022-11-25, 8 files, -20/+52)
|
* Revert "Re-create container if wanted create command changes" (Valerij Fredriksen, 2022-11-25, 8 files, -52/+20)
|
* Re-create container if wanted create command changes (Martin Polden, 2022-11-24, 8 files, -20/+52)
|
* Merge pull request #24902 from vespa-engine/enclaves-api (gjoranv, 2022-11-17, 1 file, -1/+2)
|\
| |   Enclaves api
| |
| * Add test for enclave nodes, and necessary supporting infrastructure (gjoranv, 2022-11-16, 1 file, -1/+2)
| |
* | Use BouncyCastle AES GCM cipher and I/O streams instead of JCA (Tor Brede Vekterli, 2022-11-16, 1 file, -3/+1)
|/
|   This resolves two issues:
|
|   * `javax.crypto.OutputCipherStream` swallows MAC tag mismatch exceptions when the stream is closed, which means that corruptions (intentional or not) are not caught. This is documented behavior, but still very surprising and a rather questionable default. BC's interchangeable `CipherOutputStream` throws as expected. To avoid regressions, add an explicit test that both ciphertext and MAC tag corruptions are propagated.
|   * The default-provided `AES/GCM/NoPadding` `Cipher` instance will not emit decrypted plaintext per `update()` chunk, but buffer everything until `doFinal()` is invoked when the stream is closed. This means that decrypting very large ciphertexts can blow up memory usage since internal output buffers are reallocated and increased per iteration...! Instead use an explicit BC `GCMBlockCipher` which has the expected behavior (and actually lets cipher streams, well, _stream_).
|
|   Add an `AeadCipher` abstraction to avoid leaking BC APIs outside the security module.
|
* Revert "Revert "Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]"""" (Eirik Nygaard, 2022-11-07, 2 files, -6/+6)
|
* Revert "Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]""" (Eirik Nygaard, 2022-11-07, 2 files, -6/+6)
|
* Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]"" (Eirik Nygaard, 2022-11-04, 2 files, -6/+6)
|