gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Curl installation script seems broken on SLES #39340

Open vmdude opened 6 months ago

vmdude commented 6 months ago

We actually got an error with teleport agent installation (through curl step) that points to the shasum -a 256 usage with SHA_COMMAND variable:

ec2-user@ip-XXX:~> curl https://goteleport.com/static/install.sh | bash -s 14.1.5
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10922    0 10922    0     0   136k      0 --:--:-- --:--:-- --:--:--  138k
There is no officially supported package for your package manager. Downloading and installing Teleport via curl.
Downloading https://cdn.teleport.dev/teleport-v14.1.5-linux-amd64-bin.tar.gz
+ sudo curl -fL -o /tmp/teleport-Oy4zdWuIVQ/teleport-v14.1.5-linux-amd64-bin.tar.gz https://cdn.teleport.dev/teleport-v14.1.5-linux-amd64-bin.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  145M  100  145M    0     0   189M      0 --:--:-- --:--:-- --:--:--  189M
+ set +x
Downloading https://cdn.teleport.dev/teleport-v14.1.5-linux-amd64-bin.tar.gz.sha256
+ sudo curl -fL -o /tmp/teleport-Oy4zdWuIVQ/teleport-v14.1.5-linux-amd64-bin.tar.gz.sha256 https://cdn.teleport.dev/teleport-v14.1.5-linux-amd64-bin.tar.gz.sha256
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106  100   106    0     0   3163      0 --:--:-- --:--:-- --:--:--  3212
+ set +x
+ cd /tmp/teleport-Oy4zdWuIVQ
+ sudo 'shasum -a 256' -c /tmp/teleport-Oy4zdWuIVQ/teleport-v14.1.5-linux-amd64-bin.tar.gz.sha256
sudo: shasum -a 256: command not found

When I look at line 187 of the shell installation script (the one generating the error), it seems that the issue with that line is the way the variable alias is enclosed in double quotes:

  $SUDO "$SHA_COMMAND" -c "$TMP_CHECKSUM"

A way to reproduce was:

ip-XXX:~ # SHA_COMMAND="shasum -a 256"
ip-XXX:~ # "$SHA_COMMAND" -c install.sh.sha256 
If 'shasum -a 256' is not a typo you can use command-not-found to lookup the package that contains it, like this:
    cnf shasum -a 256
ip-XXX:~ # $SHA_COMMAND -c install.sh.sha256
install.sh: OK
ip-XXX:~ # 

It works well when SHA_COMMAND is a single command, but when it contains an arg, bash tries to look up the command WITH the arg as a single binary.

Other information about system:

ip-XXX:~ # bash --version
GNU bash, version 4.4.23(1)-release (x86_64-suse-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
ip-XXX:~ # cat /etc/os-release 
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
VARIANT_ID="sles-sap"

ptgott commented 6 months ago

Hi @vmdude, we're adding zypper support to the one-line installation script today. Please let me know if that addresses the issue!

dgiorgio commented 6 months ago

> Hi @vmdude, we're adding zypper support to the one-line installation script today. Please let me know if that addresses the issue!

I tried now and the problem still persists.

~> curl https://goteleport.com/static/install.sh | bash -s 14.3.7
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 11574    0 11574    0     0   160k      0 --:--:-- --:--:-- --:--:--  161k
There is no officially supported package for your package manager. Downloading and installing Teleport via curl.
Downloading https://cdn.teleport.dev/teleport-v14.3.7-linux-amd64-bin.tar.gz
+ sudo curl -fL -o /tmp/teleport-xMEiLzsNu4/teleport-v14.3.7-linux-amd64-bin.tar.gz https://cdn.teleport.dev/teleport-v14.3.7-linux-amd64-bin.tar.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  149M  100  149M    0     0  56.8M      0  0:00:02  0:00:02 --:--:-- 56.7M
+ set +x
Downloading https://cdn.teleport.dev/teleport-v14.3.7-linux-amd64-bin.tar.gz.sha256
+ sudo curl -fL -o /tmp/teleport-xMEiLzsNu4/teleport-v14.3.7-linux-amd64-bin.tar.gz.sha256 https://cdn.teleport.dev/teleport-v14.3.7-linux-amd64-bin.tar.gz.sha256
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   106  100   106    0     0   4219      0 --:--:-- --:--:-- --:--:--  4240
+ set +x
+ cd /tmp/teleport-xMEiLzsNu4
+ sudo 'shasum -a 256' -c /tmp/teleport-xMEiLzsNu4/teleport-v14.3.7-linux-amd64-bin.tar.gz.sha256
sudo: shasum -a 256: comando não encontrado
~> cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.5"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.5"
PRETTY_NAME="openSUSE Leap 15.5"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.5"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Leap"
LOGO="distributor-logo-Leap"

mbertram commented 6 months ago

This issue is also present on Fedora and likely affects other Linux distributions due to how the script is executed in Bash. The problem occurs with the installer script hosted at https://goteleport.com/static/install.sh.

Specifically, the issue stems from how $SHA_COMMAND is quoted on line 205. In the current script, the command and its arguments are enclosed within quotes, which Bash interprets as a single string. This prevents the arguments from being recognised separately, as also noted by @vmdude.

One solution would be to remove the quotes from around $SHA_COMMAND, changing the line from:

$SUDO "$SHA_COMMAND" -c "$TMP_CHECKSUM"

to:

$SUDO $SHA_COMMAND -c "$TMP_CHECKSUM"

I couldn't locate the source code for this script in the repository. If someone can show me where it is, I’d love to help fix it with a pull request.

dgiorgio commented 6 months ago

SHA_COMMAND

https://github.com/gravitational/teleport/blob/7d48e90717ae78cbfa2b11d2d9a2e2838a835b22/lib/web/scripts/node-join/install.sh#L359

mbertram commented 6 months ago

> https://github.com/gravitational/teleport/blob/7d48e90717ae78cbfa2b11d2d9a2e2838a835b22/lib/web/scripts/node-join/install.sh#L359

Thank you, @dgiorgio. However, the file linked doesn't run the hash compare as root, unlike what we are seeing in https://goteleport.com/static/install.sh. I also checked the history of the linked file, and it differs from the install.sh found on the website. Could there be a mix-up, or might there be details I've overlooked?

chirale commented 5 months ago

Identical issue on Slackware 15.

Solved by changing the install script with this, using sha256sum instead of the other one that needs the argument:

  # require shasum/sha256sum
  SHA_COMMAND=""
  if type sha256sum &>/dev/null; then
    SHA_COMMAND="sha256sum"
  else
    echo "ERROR: This script requires sha256sum or shasum to validate the download. Please install it and try again."
    exit 1
  fi

Putting the sha256sum condition before the other is another viable option to fix the issue on Slackware, and it may help on other distros too.

Then run the previously downloaded install script like this (x.x.x is the teleport version):

cat ./changedinstall.sh | bash -s x.x.x
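
The quoting failure and the checksum-tool selection discussed in the comments above, as an added example that is not part of the thread or of Teleport's install.sh. It puts the tool choice in a function so the call site stays fully quoted; the function names (`sha256_tool`, `verify_download`, `quoted_string_form`, `make_sample`) are hypothetical and the sample archive is constructed.

```shell
#!/bin/sh
# Added example, not Teleport's install.sh. All function names are hypothetical.

# Run whichever SHA-256 tool exists, passing the caller's arguments through.
# A function keeps the program name and its options as separate words, so no
# quoting choice at the call site can merge them into one name or split them.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$@"
  else
    echo "ERROR: sha256sum or shasum is required to validate the download." >&2
    return 127
  fi
}

# verify_download DIR CHECKSUM_FILE
# Returns 0 only if every file listed in CHECKSUM_FILE matches its hash.
# The body is a subshell, so the cd does not leak into the caller.
verify_download() (
  cd "$1" || exit 1
  sha256_tool -c "$2" >/dev/null 2>&1
)

# The failure reported in this thread: the quoted string is looked up as a
# single program called "shasum -a 256", so the shell returns 127 (not found).
quoted_string_form() {
  SHA_COMMAND="shasum -a 256"
  "$SHA_COMMAND" -c "$1" >/dev/null 2>&1
}

# Constructed sample: a stand-in archive and its .sha256 file in a temp dir.
# Prints the directory path.
make_sample() {
  sample_dir=$(mktemp -d) || return 1
  printf 'constructed sample payload\n' > "$sample_dir/sample.tar.gz"
  ( cd "$sample_dir" && sha256_tool sample.tar.gz > sample.tar.gz.sha256 ) || return 1
  echo "$sample_dir"
}
```

Because `verify_download` returns the tool's exit status, an installer can stop on a mismatch with `verify_download "$dir" "$file" || exit 1`.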

mbertram commented 1 month ago

This is now working for me on Fedora 39. The quotes were removed in the installer script.

Here is the relevant change in the script:

223c223,224
<   $SUDO "$SHA_COMMAND" -c "$TMP_CHECKSUM"
---
>   # shellcheck disable=SC2086
>   $SUDO $SHA_COMMAND -c "$TMP_CHECKSUM"
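
Review bot: The unquoted `$SHA_COMMAND` on new line 224 relies on word splitting to separate `shasum` from `-a 256`, which is why SC2086 has to be suppressed on line 223; the expansion is then also subject to pathname expansion and to whatever IFS is set at that point. Since the script is run with bash, consider holding the command in an array, for example `SHA_COMMAND=(shasum -a 256)` with `$SUDO "${SHA_COMMAND[@]}" -c "$TMP_CHECKSUM"`, or wrapping the tool choice in a function, so the call stays fully quoted and the suppression can be dropped. If the current form is kept, extend the comment to say that splitting is intentional because the variable holds a command plus its arguments.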