move host id helpers into their own package

integrations/event-handler/go.mod

@@ -163,7 +163,6 @@ require (
 	github.com/google/go-tpm-tools v0.4.4 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect

integrations/event-handler/go.sum

@@ -1114,8 +1114,6 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM=
 github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
-github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=
 github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM=
 github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA=
 github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f h1:o2yGZLlsOj5H5uvtQNEdi6DeA0GbUP3lm0gWW5RvY0s=

integrations/terraform/go.mod

@@ -184,7 +184,6 @@ require (
 	github.com/google/go-tspi v0.3.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect
-	github.com/google/renameio/v2 v2.0.0 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/safetext v0.0.0-20240104143208-7a7d9b3d812f // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect

integrations/terraform/go.sum

@@ -1252,6 +1252,7 @@ github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af h1:kmjWCqn2qkEml422C2Rrd27c3VGxi6a/6HNq8QmHRKM=
 github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
+github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/renameio/v2 v2.0.0 h1:UifI23ZTGY8Tt29JbYFiuyIU3eX+RNFtUwefq9qAhxg=
 github.com/google/renameio/v2 v2.0.0/go.mod h1:BtmJXm5YlszgC+TD4HOEEUFgkJP3nLxehU6hfe7jRt4=

lib/service/service.go

@@ -164,6 +164,7 @@ import (
 	"github.com/gravitational/teleport/lib/utils"
 	awsutils "github.com/gravitational/teleport/lib/utils/aws"
 	"github.com/gravitational/teleport/lib/utils/cert"
+	"github.com/gravitational/teleport/lib/utils/hostid"
 	logutils "github.com/gravitational/teleport/lib/utils/log"
 	vc "github.com/gravitational/teleport/lib/versioncontrol"
 	"github.com/gravitational/teleport/lib/versioncontrol/endpoint"
@@ -2932,7 +2933,7 @@ func (process *TeleportProcess) initSSH() error {
 		storagePresence := local.NewPresenceService(process.storage.BackendStorage)
 
 		// read the host UUID:
-		serverID, err := utils.ReadOrMakeHostUUID(cfg.DataDir)
+		serverID, err := hostid.ReadOrCreateFile(cfg.DataDir)
 		if err != nil {
 			return trace.Wrap(err)
 		}
@@ -4437,7 +4438,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 	}
 
 	// read the host UUID:
-	serverID, err := utils.ReadOrMakeHostUUID(cfg.DataDir)
+	serverID, err := hostid.ReadOrCreateFile(cfg.DataDir)
 	if err != nil {
 		return trace.Wrap(err)
 	}
@@ -6496,7 +6497,7 @@ func readOrGenerateHostID(ctx context.Context, cfg *servicecfg.Config, kubeBacke
 		if err := persistHostIDToStorages(ctx, cfg, kubeBackend); err != nil {
 			return trace.Wrap(err)
 		}
-	} else if kubeBackend != nil && utils.HostUUIDExistsLocally(cfg.DataDir) {
+	} else if kubeBackend != nil && hostid.ExistsLocally(cfg.DataDir) {
 		// This case is used when loading a Teleport pre-11 agent with storage attached.
 		// In this case, we have to copy the "host_uuid" from the agent to the secret
 		// in case storage is removed later.
@@ -6535,14 +6536,14 @@ func readHostIDFromStorages(ctx context.Context, dataDir string, kubeBackend kub
 	}
 	// Even if running in Kubernetes fallback to local storage if `host_uuid` was
 	// not found in secret.
-	hostID, err := utils.ReadHostUUID(dataDir)
+	hostID, err := hostid.ReadFile(dataDir)
 	return hostID, trace.Wrap(err)
 }
 
 // persistHostIDToStorages writes the cfg.HostUUID to local data and to
 // Kubernetes Secret if this process is running on a Kubernetes Cluster.
 func persistHostIDToStorages(ctx context.Context, cfg *servicecfg.Config, kubeBackend kubernetesBackend) error {
-	if err := utils.WriteHostUUID(cfg.DataDir, cfg.HostUUID); err != nil {
+	if err := hostid.WriteFile(cfg.DataDir, cfg.HostUUID); err != nil {
 		if errors.Is(err, fs.ErrPermission) {
 			cfg.Logger.ErrorContext(ctx, "Teleport does not have permission to write to the data directory. Ensure that you are running as a user with appropriate permissions.", "data_dir", cfg.DataDir)
 		}
@@ -6561,7 +6562,7 @@ func persistHostIDToStorages(ctx context.Context, cfg *servicecfg.Config, kubeBa
 // loadHostIDFromKubeSecret reads the host_uuid from the Kubernetes secret with
 // the expected key: `/host_uuid`.
 func loadHostIDFromKubeSecret(ctx context.Context, kubeBackend kubernetesBackend) (string, error) {
-	item, err := kubeBackend.Get(ctx, backend.NewKey(utils.HostUUIDFile))
+	item, err := kubeBackend.Get(ctx, backend.NewKey(hostid.FileName))
 	if err != nil {
 		return "", trace.Wrap(err)
 	}
@@ -6574,7 +6575,7 @@ func writeHostIDToKubeSecret(ctx context.Context, kubeBackend kubernetesBackend,
 	_, err := kubeBackend.Put(
 		ctx,
 		backend.Item{
-			Key:   backend.NewKey(utils.HostUUIDFile),
+			Key:   backend.NewKey(hostid.FileName),
 			Value: []byte(id),
 		},
 	)

lib/service/service_test.go

@@ -69,6 +69,7 @@ import (
 	"github.com/gravitational/teleport/lib/services"
 	"github.com/gravitational/teleport/lib/services/local"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/hostid"
 )
 
 func TestMain(m *testing.M) {
@@ -1167,7 +1168,7 @@ func Test_readOrGenerateHostID(t *testing.T) {
 			dataDir := t.TempDir()
 			// write host_uuid file to temp dir.
 			if len(tt.args.hostIDContent) > 0 {
-				err := utils.WriteHostUUID(dataDir, tt.args.hostIDContent)
+				err := hostid.WriteFile(dataDir, tt.args.hostIDContent)
 				require.NoError(t, err)
 			}
 

lib/srv/regular/sshserver.go

@@ -71,6 +71,7 @@ import (
 	"github.com/gravitational/teleport/lib/sshutils/x11"
 	"github.com/gravitational/teleport/lib/teleagent"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/hostid"
 )
 
 var log = logrus.WithFields(logrus.Fields{
@@ -724,7 +725,7 @@ func New(
 	options ...ServerOption,
 ) (*Server, error) {
 	// read the host UUID:
-	uuid, err := utils.ReadOrMakeHostUUID(dataDir)
+	uuid, err := hostid.ReadFile(dataDir)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

lib/teleterm/services/connectmycomputer/connectmycomputer.go

@@ -41,6 +41,7 @@ import (
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/teleterm/clusters"
 	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/hostid"
 )
 
 type RoleSetup struct {
@@ -395,7 +396,7 @@ func (n *NodeJoinWait) getNodeNameFromHostUUIDFile(ctx context.Context, cluster
 			// the file is empty.
 			//
 			// Here we need to be able to distinguish between both of those two cases.
-			out, err := utils.ReadPath(utils.GetHostUUIDPath(dataDir))
+			out, err := utils.ReadPath(hostid.GetPath(dataDir))
 			if err != nil {
 				if trace.IsNotFound(err) {
 					continue
@@ -536,7 +537,7 @@ type NodeDelete struct {
 
 // Run grabs the host UUID of an agent from a disk and deletes the node with that name.
 func (n *NodeDelete) Run(ctx context.Context, presence Presence, cluster *clusters.Cluster) error {
-	hostUUID, err := utils.ReadHostUUID(getAgentDataDir(n.cfg.AgentsDir, cluster.ProfileName))
+	hostUUID, err := hostid.ReadFile(getAgentDataDir(n.cfg.AgentsDir, cluster.ProfileName))
 	if trace.IsNotFound(err) {
 		return nil
 	}
@@ -585,7 +586,7 @@ type NodeName struct {
 
 // Get returns the host UUID of the agent from a disk.
 func (n *NodeName) Get(cluster *clusters.Cluster) (string, error) {
-	hostUUID, err := utils.ReadHostUUID(getAgentDataDir(n.cfg.AgentsDir, cluster.ProfileName))
+	hostUUID, err := hostid.ReadFile(getAgentDataDir(n.cfg.AgentsDir, cluster.ProfileName))
 	return hostUUID, trace.Wrap(err)
 }
 

lib/teleterm/services/connectmycomputer/connectmycomputer_test.go

@@ -35,7 +35,7 @@ import (
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/teleterm/api/uri"
 	"github.com/gravitational/teleport/lib/teleterm/clusters"
-	"github.com/gravitational/teleport/lib/utils"
+	"github.com/gravitational/teleport/lib/utils/hostid"
 )
 
 func TestRoleSetupRun_WithNonLocalUser(t *testing.T) {
@@ -472,7 +472,7 @@ func mustMakeHostUUIDFile(t *testing.T, agentsDir string, profileName string) st
 	err = os.MkdirAll(dataDir, agentsDirStat.Mode())
 	require.NoError(t, err)
 
-	hostUUID, err := utils.ReadOrMakeHostUUID(dataDir)
+	hostUUID, err := hostid.ReadOrCreateFile(dataDir)
 	require.NoError(t, err)
 
 	return hostUUID

lib/utils/hostid/hostid.go

@@ -0,0 +1,144 @@
+// Teleport
+// Copyright (C) 2024 Gravitational, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package hostid
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/google/renameio/v2"
+	"github.com/google/uuid"
+	"github.com/gravitational/trace"
+
+	"github.com/gravitational/teleport/lib/utils"
+)
+
+const (
+	// FileName is the file name where the host UUID file is stored
+	FileName = "host_uuid"
+)
+
+// GetPath returns the path to the host UUID file given the data directory.
+func GetPath(dataDir string) string {
+	return filepath.Join(dataDir, FileName)
+}
+
+// ExistsLocally checks if dataDir/host_uuid file exists in local storage.
+func ExistsLocally(dataDir string) bool {
+	_, err := ReadFile(dataDir)
+	return err == nil
+}
+
+// ReadFile reads host UUID from the file in the data dir
+func ReadFile(dataDir string) (string, error) {
+	out, err := utils.ReadPath(GetPath(dataDir))
+	if err != nil {
+		if errors.Is(err, fs.ErrPermission) {
+			//do not convert to system error as this loses the ability to compare that it is a permission error
+			return "", err
+		}
+		return "", trace.ConvertSystemError(err)
+	}
+	id := strings.TrimSpace(string(out))
+	if id == "" {
+		return "", trace.NotFound("host uuid is empty")
+	}
+	return id, nil
+}
+
+// WriteFile writes host UUID into a file
+func WriteFile(dataDir string, id string) error {
+	err := os.WriteFile(GetPath(dataDir), []byte(id), os.ModeExclusive|0400)
+	if err != nil {
+		if errors.Is(err, fs.ErrPermission) {
+			//do not convert to system error as this loses the ability to compare that it is a permission error
+			return err
+		}
+		return trace.ConvertSystemError(err)
+	}
+	return nil
+}
+
+// ReadOrCreateFile looks for a hostid file in the data dir. If present,
+// returns the UUID from it, otherwise generates one
+func ReadOrCreateFile(dataDir string) (string, error) {
+	hostUUIDFileName := GetPath(dataDir)
+	hostUUIDFileLock := hostUUIDFileName + ".lock"
+	iterationLimit := 3
+
+	for i := 0; i < iterationLimit; i++ {
+		id, err := ReadFile(dataDir)
+		if err == nil {
+			return id, nil
+		}
+		if !trace.IsNotFound(err) {
+			return "", trace.Wrap(err)
+		}
+
+		// Checking error instead of the usual uuid.New() in case uuid generation
+		// fails due to not enough randomness. It's been known to happen happen when
+		// Teleport starts very early in the node initialization cycle and /dev/urandom
+		// isn't ready yet.
+		rawID, err := uuid.NewRandom()
+		if err != nil {
+			return "", trace.BadParameter("" +
+				"Teleport failed to generate host UUID. " +
+				"This may happen if randomness source is not fully initialized when the node is starting up. " +
+				"Please try restarting Teleport again.")
+		}
+
+		id = rawID.String()
+
+		writeFile := func() (string, error) {
+			unlock, err := utils.FSTryWriteLock(hostUUIDFileLock)
+			if err != nil {
+				return "", trace.Wrap(err)
+			}
+			defer unlock()
+
+			if read, err := ReadFile(dataDir); err == nil {
+				return read, nil
+			} else if !trace.IsNotFound(err) {
+				return "", trace.Wrap(err)
+			}
+
+			if err := renameio.WriteFile(hostUUIDFileName, []byte(id), 0o400); err != nil {
+				return "", trace.Wrap(err)
+			}
+
+			return id, nil
+		}
+
+		id, err = writeFile()
+		if err != nil {
+			if errors.Is(err, fs.ErrPermission) || errors.Is(err, utils.ErrUnsuccessfulLockTry) {
+				time.Sleep(10 * time.Millisecond)
+				continue
+			}
+
+			return "", trace.Wrap(err)
+		}
+
+		return id, nil
+	}
+
+	return "", trace.LimitExceeded("failed to obtain host uuid")
+}