Boundary 0.15.0 fails to create a listening socket on Mac OS M1 (arm)

[macmiranda]

Describe the bug boundary connect fails to create a listening socket on Mac OS M1 (arm). The build I'm using is:

Version information:
  Build Date:          2024-01-30T11:04:05Z
  Git Revision:        18f863514ee5c4cfa6e0cb0c497049f1b5104511
  Version Number:      0.15.0

To Reproduce Steps to reproduce the behavior:

1. Run boundary authenticate ...
2. Run boundary connect postgres -target-id ****** -dbname *****
3. See error

   psql: error: connection to server at "127.0.0.1", port 61474 failed: Connection refused
   Is the server running on that host and accepting TCP/IP connections?

Expected behavior Boundary is able to connect to the target

Additional context Downgrading Boundary CLI to 0.14.2 solves the issue.

[irenarindos]

@macmiranda thank you for reporting this; we've reproduced it and are actively looking into a solution.

[irenarindos]

@macmiranda apologies, I thought I had reproduced the issue but was mistaken; do you have controller logs from the error you'd be willing to share?

[macmiranda]

@irenarindos it seems to be an issue with boundary on the local machine. The communication with the controller happens as usual (no errors on either client or controller side), we get the credentials from vault (for the dynamic role) as usual but when we try to connect to the designated port, connection is refused, in fact there is no process bound to it.

For version 0.14.2:

Version information:
  Build Date:          2023-10-31T11:02:50Z
  Git Revision:        a86ee182c2853913f019c2559f1451d926235707
  Version Number:      0.14.2

boundary connect -target-id ttcp_********c -listen-port 54321

Proxy listening information:
  Address:             *********
  Connection Limit:    -1
  Expiration:          Thu, 01 Feb 2024 17:37:49 CET
  Port:                54321
  Protocol:            tcp
  Session ID:          s_Sg7XzO4KBW

  Credentials:
    Credential Source Description: Staging Vault credential library for <redacted> database's editor role
    Credential Source ID:          clvlt_*******V3T
    Credential Source Name:        staging_<redacted>_vault_role
    Credential Store ID:           csvlt_FI*****aY
    Credential Store Type:         vault-generic
    Secret:
        {
              "password": "********************",
              "username": "v-token-to-product--*****************"
        }

and from a different terminal

lsof -i :54321
COMMAND    PID     USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
boundary 32974 maurelio   13u  IPv4 0x577271de32181917      0t0  TCP localhost:54321 (LISTEN)

When using boundary 0.15.0, it behaves the same but the last command yields:

lsof -i :54321

[!NOTE] Our controllers and workers are running image 0.14.3

[macmiranda]

I'm guessing it's related to this PR @jefferai

[covetocove]

Hi @macmiranda, thanks for raising this so quickly. We recognize we have not given users explicit guidance around whether to use Boundary clients on newer versions than your control plane.

After some investigation and internal discussion we've come to the conclusion that this should not be supported. Guaranteeing support for clients on newer versions than your control plane would make it impossible to add new features or deprecate old ones. As a best practice, we've now added that clients should be on the same version as control planes or one version older than their control plane.

For example, Boundary clients version 0.14.0 are compatible with Boundary control plane running Boundary 0.15.0. However, they will not have compatibility once the control plane is updated to version 0.16.0 or above. Boundary clients version 0.15.0 are not compatible with Boundary control plane running Boundary 0.14.0 or lower. Customers are recommended to run the latest versions of Boundary on all cluster resources (clients, controllers, workers) in order to leverage the newest features and bug fixes.

We have now made this explicit in our documentation: https://developer.hashicorp.com/boundary/docs/enterprise/supported-versions and are looking for any other places in documentation we can make this more clear.

[covetocove]

Updated guidance around client <-> control plane compatibility: https://developer.hashicorp.com/boundary/docs/enterprise/supported-versions

[macmiranda]

Ok, @PPacent thanks for clarifying it. On a side note, you may want to fix some typos in that doc

[covetocove]

Thanks for the catch @macmiranda, should be fixed now