path: root/node-admin
Commit message | Author | Age | Files | Lines
* Reboot in real node repo | Håkon Hallingstad | 2022-12-06 | 2 | -0/+12
|
* Create file with correct permissions | Håkon Hallingstad | 2022-12-06 | 3 | -16/+26
|
* Revert "Revert collect(Collectors.toList())" | Henning Baldersheim | 2022-12-04 | 17 | -26/+26
|
* Revert collect(Collectors.toList()) | Henning Baldersheim | 2022-12-04 | 17 | -26/+26
|
* collect(Collectors.toList()) -> toList() | Henning Baldersheim | 2022-12-02 | 17 | -26/+26
|
* Stop using report-cores-via-cfg | Håkon Hallingstad | 2022-12-01 | 5 | -233/+67
|
* Add GPU fields to node repository client | Martin Polden | 2022-12-01 | 2 | -12/+25
|
* Revert "Re-create container if wanted create command changes" | Martin Polden | 2022-11-30 | 8 | -52/+20
|
* Update signature in mock | Martin Polden | 2022-11-28 | 2 | -2/+2
|
* Pass wanted resources | Martin Polden | 2022-11-25 | 3 | -4/+4
|
* Re-create container if wanted create command changes | Martin Polden | 2022-11-25 | 8 | -20/+52
|
* Revert "Re-create container if wanted create command changes" | Valerij Fredriksen | 2022-11-25 | 8 | -52/+20
|
* Re-create container if wanted create command changes | Martin Polden | 2022-11-24 | 8 | -20/+52
|
* Merge pull request #24902 from vespa-engine/enclaves-api | gjoranv | 2022-11-17 | 1 | -1/+2
|\
| |     Enclaves api
| * Add test for enclave nodes, and necessary supporting infrastructure | gjoranv | 2022-11-16 | 1 | -1/+2
| |
* | Use BouncyCastle AES GCM cipher and I/O streams instead of JCA | Tor Brede Vekterli | 2022-11-16 | 1 | -3/+1
|/
|     This resolves two issues:
|
|     * `javax.crypto.OutputCipherStream` swallows MAC tag mismatch exceptions when the stream is closed, which means that corruptions (intentional or not) are not caught. This is documented behavior, but still very surprising and a rather questionable default. BC's interchangeable `CipherOutputStream` throws as expected. To avoid regressions, add an explicit test that both ciphertext and MAC tag corruptions are propagated.
|     * The default-provided `AES/GCM/NoPadding` `Cipher` instance will not emit decrypted plaintext per `update()` chunk, but buffer everything until `doFinal()` is invoked when the stream is closed. This means that decrypting very large ciphertexts can blow up memory usage since internal output buffers are reallocated and increased per iteration...! Instead use an explicit BC `GCMBlockCipher` which has the expected behavior (and actually lets cipher streams, well, _stream_).
|
|     Add an `AeadCipher` abstraction to avoid leaking BC APIs outside the security module.
|
* Revert "Revert "Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]"""" | Eirik Nygaard | 2022-11-07 | 2 | -6/+6
|
* Revert "Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]""" | Eirik Nygaard | 2022-11-07 | 2 | -6/+6
|
* Revert "Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]"" | Eirik Nygaard | 2022-11-04 | 2 | -6/+6
|
* Revert "Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp [run-systemtest]" | Arnstein Ressem | 2022-11-04 | 2 | -6/+6
|
* Move $VESPA_HOME/tmp to $VESPA_HOME/var/tmp | Eirk Nygaard | 2022-11-04 | 2 | -6/+6
|
|     Prepare to support immutable container image where only var and logs directories must be writable.
|     Create symlink from old tmp directory to $VESPA_HOME/var/tmp
|
* Wire core dump encryption public key ID to core dump handler logic | Tor Brede Vekterli | 2022-11-04 | 3 | -9/+67
|
* Merge pull request #24715 from vespa-engine/vekterli/encapsulate-key-id | Tor Brede Vekterli | 2022-11-02 | 1 | -1/+2
|\
| |     Encapsulate key identifier in own object
| * Encapsulate key identifier in own object | Tor Brede Vekterli | 2022-11-02 | 1 | -1/+2
| |
| |     Enforces invariants and avoids having to pass raw byte arrays around.
| |
* | Log core dump processing | Håkon Hallingstad | 2022-11-02 | 5 | -20/+164
|/
* Write absolute path of file | Håkon Hallingstad | 2022-11-01 | 1 | -1/+1
|
* Merge pull request #24689 from vespa-engine/hakonhall/guard-core-dump-upload-via-cfg | Valerij Fredriksen | 2022-11-01 | 8 | -33/+265
|\
| |     Guard core dump upload via cfg
| * Guard core dump upload via cfg | Håkon Hallingstad | 2022-11-01 | 8 | -33/+265
| |
* | Let token key IDs be UTF-8 byte strings instead of just an integer | Tor Brede Vekterli | 2022-11-01 | 1 | -1/+1
|/
|     This makes key IDs vastly more expressive. Max size is 255 bytes, and UTF-8 form is enforced by checking that the byte sequence can be identity-transformed to and from a string with UTF-8 encoding.
|
|     In addition, we now protect the integrity of the key ID by supplying it as the AAD parameter to the key sealing and opening operations.
|
|     Reduce v1 token max length of `enc` part to 255, since this is always an X25519 public key, which is never bigger than 32 bytes (but may be _less_ if the random `BigInteger` is small enough, so we still have to encode the length).
|
* zst is the extension for std compressed files. | Henning Baldersheim | 2022-11-01 | 2 | -5/+5
|
* Add encryption capabilities to core dump handler | Tor Brede Vekterli | 2022-11-01 | 2 | -35/+132
|
|     Once wired in (not currently the case), a Supplier of non-null `SecretSharedKey` instances will trigger:
|
|     1. Wrapping the output stream with an encrypting output stream using the secret component of the supplied key. Zstd compression is handled on the input stream, so this should transparently encrypt compressed data. To disambiguate, encrypted core dumps are suffixed with an additional `.enc` file extension.
|     2. Emitting a public decryption token as part of the metadata using the shared component of the supplied key.
|
* Add missing suffix newline | Håkon Hallingstad | 2022-11-01 | 1 | -1/+1
|
* Export com.yahoo.vespa.hosted.node.admin.configserver.cores | Håkon Hallingstad | 2022-11-01 | 2 | -1/+9
|
* Revert "Revert "New cores client in node-admin"" | Håkon Hallingstad | 2022-11-01 | 12 | -43/+297
|
* Revert "New cores client in node-admin" | Håkon Hallingstad | 2022-11-01 | 12 | -297/+43
|
* New cores client in node-admin | Håkon Hallingstad | 2022-10-31 | 12 | -43/+297
|
* * apply new common bootstrap | Arne Juul | 2022-10-24 | 1 | -0/+3
|
|     * remove now-duplicated code
|     * prefer using ${VESPA_HOME} environment variable
|
* Allow suffix of base name of filename for upload URI | Håkon Hallingstad | 2022-10-20 | 1 | -8/+20
|
* Start wireguard on configserver hosts (#24345) | gjoranv | 2022-10-13 | 4 | -6/+24
|
|     Co-authored-by: gjoranv <gv@verizonmedia.com>
|
* Use UnixPath::exists | Håkon Hallingstad | 2022-10-12 | 1 | -1/+1
|
* Don't ignore exit code | Ola Aunronning | 2022-09-30 | 1 | -1/+0
|
* Get systemctl service property | Ola Aunronning | 2022-09-30 | 2 | -0/+12
|
* Remove pem-trust-store flag | Håkon Hallingstad | 2022-09-29 | 1 | -14/+6
|
* Add wantToRebuild field | Martin Polden | 2022-09-28 | 3 | -47/+71
|
* Trust store path is associated with ZTS | Håkon Hallingstad | 2022-09-23 | 1 | -9/+9
|
* Merge pull request #24130 from vespa-engine/hakonhall/refresh-identity-from-pem-trust-store | Harald Musum | 2022-09-20 | 1 | -17/+15
|\
| |     Refresh identity from PEM trust store
| * Refresh identity from PEM trust store | Håkon Hallingstad | 2022-09-19 | 1 | -17/+15
| |
* | Don't fail coredump reports if /proc/cpuinfo is missing microcode information. | Arnstein Ressem | 2022-09-16 | 1 | -1/+1
| |
* | Fail service dump request gracefully if JSON is invalid | Bjørn Christian Seime | 2022-09-15 | 3 | -10/+52
|/
* Support censoring of command arguments | Martin Polden | 2022-09-08 | 3 | -14/+46
|