Skip to content

Releases: ComputeStacks/node-agent

v2.0.0

Choose a tag to compare

@github-actions github-actions released this 01 Jul 18:53
04f4edd

Major release — the agent becomes the node's data plane (part of the Consul-retirement /
node-autonomy re-architecture). Three independent changes ship together; production rolls out staged
(native deploy first, then the firewall and metadata cutovers, validated on a canary).

  • [CHANGE] Native deployment. The agent now runs as a native systemd binary installed from a
    self-hosted, GPG-signed apt repo
    , replacing the docker run container unit. The container image
    is kept for local dev only. cs-agent -version reports the build version/commit/date.
  • [CHANGE] nftables firewall. Published-port DNAT/forwarding is rendered into a native cs_agent
    nftables table via netlink, replacing the iptables shell-out + string-diff. Cross-project isolation
    stays in DOCKER-USER. Fail-closed: published ports are closed until the first reconcile. Reads
    the same ingress_rules desired state. (Relies on the project bridges' nat-unprotected mode, under
    which Docker already accepts the forwarded ingress.)
  • [FEATURE] Customer metadata served by the agent. A new HTTP API on node.primary_ip:8500 serves
    per-project customer metadata from embedded SQLite — no more Consul KV for the /db/ space, and
    no value size cap (kills the 512 KB ceiling). Bearer→tenant auth + a per-node admin Bearer; a
    compatibility shim serves the legacy …/metadata?raw=true read. Migrations are rollback-tolerant
    (additive + schema-version guard).

Upgrading a node to v2.0.0

Take a maintenance window — the firewall cutover (+ optional reboot) briefly closes published ports.
All nodes must be Debian 12/13 (iptables = the nft backend). Snapshot the firewall first:
iptables-save > /root/iptables.pre-upgrade.

  1. Native binary — add the apt source + keyring, stop the old container unit, install:
    curl -fsSL https://repo.computestacks.com/public/computestacks.gpg.asc \
      | gpg --dearmor | sudo tee /etc/apt/keyrings/computestacks.gpg >/dev/null
    echo "deb [signed-by=/etc/apt/keyrings/computestacks.gpg] https://repo.computestacks.com/public stable main" \
      | sudo tee /etc/apt/sources.list.d/computestacks.list
    sudo systemctl disable --now cs-agent; docker rm -f cs-agent 2>/dev/null || true
    sudo rm -f /etc/systemd/system/cs-agent.service   # the package unit lives in /lib/systemd/system
    sudo apt-get update && sudo apt-get install -y cs-agent
    
  2. Metadata / Consul port — the agent binds :8500, so Consul's HTTP listener moves to :8502
    (provisioner); confirm the agent's consul.host + the admin-token hash are configured. New
    containers receive CS_NODE_ID; existing ones use the compatibility shim — no recreation needed.
  3. Firewall — the agent renders the cs_agent nft table on start (nft list table ip cs_agent).
    The host firewall itself is applied at boot by cs-iptables.service (a oneshot that runs
    /usr/local/bin/cs-recover_iptables); the agent does not manage that file. Edit that file
    directly
    to delete the lines the agent has now taken over — the expose-ports/container-inbound chain setup — then reboot
    so the oneshot re-applies the trimmed ruleset from a clean slate (or, to avoid a reboot, delete
    those rules from the live ruleset by hand). Verify published ports still reach containers and
    iptables -S shows none of the old expose-ports/container-inbound artifacts.
    • Rollback — v2.0.0 is the first native release, so there is no previous .deb; the
      prior version ran as a Docker container, so rolling back means undoing the deployment-model
      change, not just downgrading a package:
      1. sudo apt-get purge cs-agent (removes the native binary + the /lib/systemd/system unit).
      2. Restore the old containerized cs-agent.service (the docker run unit) and pull the agent
        image — i.e. re-apply the previous provisioner config.
      3. Restore the host firewall: sudo iptables-restore < /root/iptables.pre-upgrade, and
        revert /usr/local/bin/cs-recover_iptables to the version that re-creates the
        expose-ports/container-inbound chains — the old containerized
        agent appends to those chains and silently loses published ports without them.
      4. Re-bind Consul's HTTP listener to :8500 (the old agent and customer containers reach
        metadata via Consul there).
        From v2.0.1 onward rollback is a normal apt-get install --allow-downgrades cs-agent=<prev>;
        never roll back across a non-additive DB migration.

The controller/provisioner changes (CS_NODE_ID injection, the Consul port move, the host-firewall
trim, the apt source) ship alongside — coordinate per the rollout runbook.

v2.0.0-rc1

v2.0.0-rc1 Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 28 Jun 23:05

Major release — the agent becomes the node's data plane (part of the Consul-retirement /
node-autonomy re-architecture). Three independent changes ship together; production rolls out staged
(native deploy first, then the firewall and metadata cutovers, validated on a canary).

  • [CHANGE] Native deployment. The agent now runs as a native systemd binary installed from a
    self-hosted, GPG-signed apt repo
    , replacing the docker run container unit. The container image
    is kept for local dev only. cs-agent -version reports the build version/commit/date.
  • [CHANGE] nftables firewall. Published-port DNAT/forwarding is rendered into a native cs_agent
    nftables table via netlink, replacing the iptables shell-out + string-diff. Cross-project isolation
    stays in DOCKER-USER. Fail-closed: published ports are closed until the first reconcile. Reads
    the same ingress_rules desired state. (Relies on the project bridges' nat-unprotected mode, under
    which Docker already accepts the forwarded ingress.)
  • [FEATURE] Customer metadata served by the agent. A new HTTP API on node.primary_ip:8500 serves
    per-project customer metadata from embedded SQLite — no more Consul KV for the /db/ space, and
    no value size cap (kills the 512 KB ceiling). Bearer→tenant auth + a per-node admin Bearer; a
    compatibility shim serves the legacy …/metadata?raw=true read. Migrations are rollback-tolerant
    (additive + schema-version guard).

Upgrading a node to v2.0.0

Take a maintenance window — the firewall cutover (+ optional reboot) briefly closes published ports.
All nodes must be Debian 12/13 (iptables = the nft backend). Snapshot the firewall first:
iptables-save > /root/iptables.pre-upgrade.

  1. Native binary — add the apt source + keyring, stop the old container unit, install:
    curl -fsSL https://repo.computestacks.com/public/computestacks.gpg.asc \
      | gpg --dearmor | sudo tee /etc/apt/keyrings/computestacks.gpg >/dev/null
    echo "deb [signed-by=/etc/apt/keyrings/computestacks.gpg] https://repo.computestacks.com/public stable main" \
      | sudo tee /etc/apt/sources.list.d/computestacks.list
    sudo systemctl disable --now cs-agent; docker rm -f cs-agent 2>/dev/null || true
    sudo rm -f /etc/systemd/system/cs-agent.service   # the package unit lives in /lib/systemd/system
    sudo apt-get update && sudo apt-get install -y cs-agent
    
  2. Metadata / Consul port — the agent binds :8500, so Consul's HTTP listener moves to :8502
    (provisioner); confirm the agent's consul.host + the admin-token hash are configured. New
    containers receive CS_NODE_ID; existing ones use the compatibility shim — no recreation needed.
  3. Firewall — the agent renders the cs_agent nft table on start (nft list table ip cs_agent).
    The host firewall itself is applied at boot by cs-iptables.service (a oneshot that runs
    /usr/local/bin/cs-recover_iptables); the agent does not manage that file. Edit that file
    directly
    to delete the lines the agent has now taken over — the 10000:50000 INPUT range and
    the expose-ports/container-inbound chain setup — then reboot
    so the oneshot re-applies the trimmed ruleset from a clean slate (or, to avoid a reboot, delete
    those rules from the live ruleset by hand). Verify published ports still reach containers and
    iptables -S shows none of the old expose-ports/container-inbound/10000:50000 artifacts.
    • Rollback — v2.0.0 is the first native release, so there is no previous .deb; the
      prior version ran as a Docker container, so rolling back means undoing the deployment-model
      change, not just downgrading a package:
      1. sudo apt-get purge cs-agent (removes the native binary + the /lib/systemd/system unit).
      2. Restore the old containerized cs-agent.service (the docker run unit) and pull the agent
        image — i.e. re-apply the previous provisioner config.
      3. Restore the host firewall: sudo iptables-restore < /root/iptables.pre-upgrade, and
        revert /usr/local/bin/cs-recover_iptables to the version that re-creates the
        expose-ports/container-inbound chains + the 10000:50000 range — the old containerized
        agent appends to those chains and silently loses published ports without them.
      4. Re-bind Consul's HTTP listener to :8500 (the old agent and customer containers reach
        metadata via Consul there).
        From v2.0.1 onward rollback is a normal apt-get install --allow-downgrades cs-agent=<prev>;
        never roll back across a non-additive DB migration.

The controller/provisioner changes (CS_NODE_ID injection, the Consul port move, the host-firewall
trim, the apt source) ship alongside — coordinate per the rollout runbook.