Add more robust IPv6 support (woohgit#6)

* Quote config strings likely to start with strange characters
* Add "teleport_default_address" config option
* Update test Dockerfiles for python-netaddr
* Update README for python-netaddr requirement

README.md

@@ -36,8 +36,16 @@ Teleport stores the data locally under the `teleport_data_dir`.
     teleport_storage_type: 'bolt'
     teleport_pidfile: '/var/run/teleport.pid'
 
+    teleport_default_address: '0.0.0.0'
+
+This sets the default address used in the various `*_listen_address` variables
+below. The default of `'0.0.0.0'` means to listen on all IPv4 interfaces.
+Setting it to `'::'` would listen on all IPv6 (and IPv4, if your hosts have the
+appropriate networking option enabled) addresses. (Note that Teleport's IPv6
+support is not yet official; use this at your own risk.)
+
     teleport_auth_enabled: true
-    teleport_auth_listen_address: '0.0.0.0:3025'
+    teleport_auth_listen_address: '{{ teleport_default_address | ipwrap }}:3025'
     teleport_auth_cluster_name: 'main'
 
 
@@ -56,24 +64,25 @@ You probably want to have multiple nodes joined to our cluster. You can do that
 
 If you don't want to login to this server using Teleport, only via the standard SSH way, disable the SSH service by setting this value to `false`.
 
-    teleport_ssh_listen_address: '0.0.0.0:3022'
+    teleport_ssh_listen_address: '{{ teleport_default_address | ipwrap }}:3022'
     teleport_commands: []
 
     teleport_proxy_enabled: true
 
 If you want to disable the WebUI (proxy), set this setting to `false`.
 
-    teleport_proxy_listen_address: '0.0.0.0:3023'
-    teleport_proxy_web_listen_address: '0.0.0.0:3080'
-    teleport_proxy_tunnel_listen_address: '0.0.0.0:3024'
+    teleport_proxy_listen_address: '{{ teleport_default_address | ipwrap }}:3023'
+    teleport_proxy_web_listen_address: '{{ teleport_default_address | ipwrap }}:3080'
+    teleport_proxy_tunnel_listen_address: '{{ teleport_default_address | ipwrap }}:3024'
     teleport_proxy_https_key_file: ''
     teleport_proxy_https_cert_file: ''
 
 For full reference see the official [teleport documentation by gravitational](http://gravitational.com/teleport/docs/quickstart/).
 
 ## Dependencies
 
-None.
+- Ansible 2.4 or newer
+- Python `netaddr` package (available on Debian/EPEL as `python-netaddr`)
 
 ## Core Concepts
 

defaults/main.yml

@@ -13,9 +13,11 @@ teleport_log_level: 'WARN'
 teleport_storage_type: 'bolt'
 teleport_pidfile: '/var/run/teleport.pid'
 
+teleport_default_address: '0.0.0.0'
+
 # auth service
 teleport_auth_enabled: true
-teleport_auth_listen_address: '0.0.0.0:3025'
+teleport_auth_listen_address: '{{ teleport_default_address | ipwrap }}:3025'
 teleport_auth_cluster_name: 'main'
 teleport_auth_tokens_node: []
 teleport_auth_tokens_proxy: []
@@ -25,13 +27,13 @@ teleport_auth_oidc_connectors: []
 
 # ssh service
 teleport_ssh_enabled: true
-teleport_ssh_listen_address: '0.0.0.0:3022'
+teleport_ssh_listen_address: '{{ teleport_default_address | ipwrap }}:3022'
 teleport_commands: []
 
 # proxy service
 teleport_proxy_enabled: true
-teleport_proxy_listen_address: '0.0.0.0:3023'
-teleport_proxy_web_listen_address: '0.0.0.0:3080'
-teleport_proxy_tunnel_listen_address: '0.0.0.0:3024'
+teleport_proxy_listen_address: '{{ teleport_default_address | ipwrap }}:3023'
+teleport_proxy_web_listen_address: '{{ teleport_default_address | ipwrap }}:3080'
+teleport_proxy_tunnel_listen_address: '{{ teleport_default_address | ipwrap }}:3024'
 teleport_proxy_https_key_file: ''
 teleport_proxy_https_cert_file: ''

templates/teleport.yaml.j2

@@ -2,14 +2,14 @@ teleport:
   nodename: {{ teleport_nodename }}
   pid_file: {{ teleport_pidfile }}
 {% if teleport_auth_token %}  
-  auth_token: {{ teleport_auth_token }}
+  auth_token: "{{ teleport_auth_token }}"
 {% endif %}
 {% if teleport_advertise_ip | default(false) %}
-  advertise_ip: {{ teleport_advertise_ip }}
+  advertise_ip: "{{ teleport_advertise_ip }}"
 {% endif %}
   auth_servers:
 {% for auth_server in teleport_auth_servers %}
-    - {{ auth_server }}
+    - "{{ auth_server }}"
 {% endfor %}
   connection_limits:
     max_connections: 1000
@@ -23,7 +23,7 @@ teleport:
 auth_service:
 {% if teleport_auth_enabled | default(false) %}
   enabled: "yes"
-  listen_addr: {{ teleport_auth_listen_address }}
+  listen_addr: "{{ teleport_auth_listen_address }}"
   oidc_connectors: []
   cluster_name: {{ teleport_auth_cluster_name }}
 {% if teleport_auth_trusted_clusters|length > 0 %}
@@ -50,20 +50,20 @@ auth_service:
 ssh_service:
 {% if teleport_ssh_enabled | default(false) %}
   enabled: "yes"
-  listen_addr: {{ teleport_ssh_listen_address }}
+  listen_addr: "{{ teleport_ssh_listen_address }}"
 {% else %}
   enabled: "no"
 {% endif %}
 proxy_service:
 {% if teleport_proxy_enabled | default(false) %}
   enabled: "yes"
-  listen_addr: {{ teleport_proxy_listen_address }}
-  web_listen_addr: {{ teleport_proxy_web_listen_address }}
-  tunnel_listen_addr: {{ teleport_proxy_tunnel_listen_address }}
+  listen_addr: "{{ teleport_proxy_listen_address }}"
+  web_listen_addr: "{{ teleport_proxy_web_listen_address }}"
+  tunnel_listen_addr: "{{ teleport_proxy_tunnel_listen_address }}"
 {% if teleport_proxy_https_key_file %}
   https_key_file: {{ teleport_proxy_https_key_file }}
   https_cert_file: {{ teleport_proxy_https_cert_file }}
 {% endif %}
 {% else %}
   enabled: "no"
-{% endif %}
+{% endif %}

tests/Dockerfile.centos-7

@@ -17,11 +17,14 @@ RUN yum -y install epel-release
 RUN yum -y install git ansible sudo
 RUN yum clean all
 
+# Install python-netaddr
+RUN yum -y install python-netaddr
+
 # Disable requiretty
 RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/'  /etc/sudoers
 
 # Install Ansible inventory file
 RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
 
 VOLUME ["/sys/fs/cgroup"]
-CMD ["/usr/sbin/init"]
+CMD ["/usr/sbin/init"]

tests/Dockerfile.fedora-24

@@ -1,5 +1,8 @@
 FROM fedora:24
 RUN dnf -y install ansible
 
+# Install python-netaddr
+RUN dnf -y install python-netaddr
+
 # Install Ansible inventory file
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts

tests/Dockerfile.ubuntu-14.04

@@ -7,5 +7,8 @@ RUN apt-add-repository -y ppa:ansible/ansible
 RUN apt-get update
 RUN apt-get install -y ansible
 
+# Install python-netaddr
+RUN apt-get install -y python-netaddr
+
 # Install Ansible inventory file
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts

tests/Dockerfile.ubuntu-16.04

@@ -7,5 +7,8 @@ RUN apt-add-repository -y ppa:ansible/ansible
 RUN apt-get update
 RUN apt-get install -y ansible
 
+# Install python-netaddr
+RUN apt-get install -y python-netaddr
+
 # Install Ansible inventory file
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts