Conversation

@geunwoonoh
Collaborator

Summary

Integrates new features from main branch (Tunneling, Auth Manager, Logger refactoring, Ping/Pong) into the refactored architecture.

Changes

  • Integrate Tunneling feature using Handler pattern (TunnelHandler)
  • Add Auth Manager / MFA sudo approval workflow
  • Remove lumberjack from Logger, use systemd journald
  • Add WebSocket ping/pong heartbeat support

Test plan

  • go build -v ./... succeeds
  • go test -v ./... -p 1 all tests pass
  • Manual testing of Tunnel functionality
  • Manual testing of Auth Manager sudo approval

Detailed Changes

1. Tunneling Feature (PR #156 Integration)

New files:

  • pkg/executor/handlers/tunnel/tunnel.go - TunnelHandler implementation
  • pkg/executor/handlers/tunnel/types.go - Data type definitions
  • pkg/runner/tunnel_client.go - smux multiplexing tunnel client
  • pkg/runner/tunnel_worker.go - Tunnel worker subprocess
  • pkg/runner/tunnel_linux.go - Linux privilege demotion
  • pkg/runner/tunnel_darwin.go - macOS implementation
  • pkg/tunnel/conn.go - WebSocket adapter
  • pkg/tunnel/pool.go - Buffer pool
  • cmd/alpamon/command/tunnel/tunnel.go - CLI command

Modified files:

  • pkg/executor/factory.go - Register TunnelHandler
  • pkg/executor/handlers/common/types.go - Add OpenTunnel, CloseTunnel types
  • pkg/executor/handlers/common/args.go - Add TargetPort field
  • internal/protocol/command.go - Add TargetPort mapping
  • pkg/config/config.go - Add smux configuration

2. Auth Manager / MFA Feature (PR #101 Integration)

New files:

  • pkg/runner/auth_manager.go - Sudo approval request management (Unix socket)
  • pkg/runner/control_client.go - Control WebSocket client

Modified files:

  • cmd/alpamon/command/root.go - ControlClient, AuthManager initialization and shutdown
  • pkg/runner/pty.go - Add/remove PID mapping for PTY sessions

3. Logger Refactoring (PR #160 Integration)

Modified files:

  • pkg/logger/logger.go - Remove lumberjack, output to stdout/stderr
  • cmd/alpamon/command/root.go - Remove lumberjack-related code

4. Ping/Pong Handler (PR #158 Integration)

Modified files:

  • pkg/runner/client.go - Add SendPongResponse(), handle ping queries

5. Miscellaneous

  • .github/workflows/release.yml - PackageCloud channel separation
  • configs/alpamon.service - systemd service configuration update
  • go.mod, go.sum - Add smux dependency

Architecture Compliance

Compliance with the refactoring architecture:

  • Handler Pattern: Implemented as TunnelHandler
  • Factory Pattern: Registered in factory.go
  • Pool Usage: Commands executed through Pool
  • Context Propagation: ctx parameter in all handlers
  • Circular Dependencies: None

Security Considerations

  • Unix socket permissions 0600 (root only)
  • Tunnel connections localhost only (127.0.0.1)
  • Authentication header ID/Key based
  • TLS configuration option available

Concurrency Safety

  • AuthManager: sync.RWMutex
  • ControlClient: sync.Mutex
  • activeTunnels: sync.RWMutex
  • terminals: sync.RWMutex

Related Issues/PRs

hyunwoo hwang and others added 30 commits August 5, 2025 14:40
…nt-via-mfa-authentication' of https://github.com/alpacax/alpamon into 99-sudo-privilege-verification-and-centralized-management-via-mfa-authentication
…tion-and-centralized-management-via-mfa-authentication
- Add alpamon-pam as recommended dependency in .goreleaser.yaml
  - Debian/Ubuntu: recommends alpamon-pam
  - CentOS/RHEL: recommends alpamon-pam
- Update README.md with PAM module documentation
  - Add installation instructions with/without PAM module
  - Document PAM configuration steps for /etc/pam.d/sudo and /etc/sudo.conf
  - Add note about Alpamon service requirement for PAM authentication
…tion-and-centralized-management-via-mfa-authentication
Convert Korean comment in Dockerfile to English for better maintainability.

Changes:
- Dockerfiles/ubuntu/22.04/Dockerfile: Convert GOARCH architecture comment
Add AuthManager for centralized sudo privilege verification:
- Unix domain socket server (/var/run/alpamon/auth.sock)
- Handle check_user requests from pam_alpamon.so
- Handle sudo_approval requests from alpacon_approval.so
- Distinguish Alpacon users (pidToSessionMap) vs local users (localSudoRequests)
- Retry logic with exponential backoff for WebSocket communication
- Response routing back to PAM/sudo plugin via Unix socket

Security improvements:
- Root-only socket permissions (0600)
- 30-second timeout to prevent DoS
- Request ID based mapping for concurrent requests
- Proper cleanup on timeout and connection errors

Integration:
- WebSocket communication with alpacon-server
- Coordinate with PtyClient session management
- Support both authenticated and local user approval flows
…atting

Replace Msg(fmt.Sprintf(...)) with Msgf(...) to fix staticcheck SA1006 linting error.
This resolves the golangci-lint failure in CI while maintaining the same functionality.
Use Str() instead of Err(fmt.Errorf()) to fix staticcheck SA1006 error.
The result variable is already a string, so we use structured logging with Str().
- Fix critical mutex double unlock bug in HandleSudoApprovalResponse
  - Previously unlocked mutex inside loop, causing panic on second unlock
  - Now unlocks once after checking both alpacon and local requests

- Improve connection lifecycle management in handleSudoRequest
  - Remove defer close() to prevent double-close with manual cleanup
  - Explicitly close connections after check_user requests
  - Document that sudo_approval connections are managed by response handlers

- Add default case for unknown request types with proper cleanup
- Improve timeout handling with explicit service shutdown cleanup
- Rename is_alpcon_user to is_alpacon_user for consistency
  - SudoApprovalRequest, SudoApprovalResponse structs
  - MFAResponse, IsAlpconResponse structs
…tion-and-centralized-management-via-mfa-authentication
- Remove hardcoded sudo group addition in adduser
- Sudo privilege is now controlled by alpacon-server via gids
- Add ControlClient to handle control WebSocket connection
- Refactor client.go to separate control logic into control_client.go
- Support sudo_approval request/response via control channel
jisung-02 and others added 25 commits December 22, 2025 17:25
- Rename variables to camelCase (unix_conn -> unixConn, sudo_approval_req -> sudoApprovalReq)
- Add BaseRequest struct for type-safe request parsing
- Extract createSendOperation method from sendSudoRequestWithRetry
- Add completion channels for proper timeout handling
- Close connection after sendSudoApprovalResponse in cleanupTimeoutRequest
- Call RemovePIDSessionMapping when PtyClient disconnects
- Remove lumberjack dependency for log rotation
- Output logs to stderr for systemd/journald to capture
- Update systemd service to use journald (StandardOutput/Error=journal)
- Add log viewing instructions to README
…tion-and-centralized-management-via-mfa-authentication
…nd-centralized-management-via-mfa-authentication

feat: implement MFA-based sudo approval system
…tdout

refactor(logger): remove lumberjack, use systemd journald for logging
feat: Support for Websh based TCP-tunneling
Add support for deploying packages to different
PackageCloud repositories based on release tag patterns:
- stable (alpamon): vX.Y.Z tags
- latest (alpamon-latest): vX.Y.Z-rc.N tags
- dev (alpamon-dev): vX.Y.Z-dev, -beta.N, -alpha.N tags
Also enable automatic GitHub pre-release detection in goreleaser.
…ls-stable-dev-latest

Resolve "Separate PackageCloud Channels (stable, dev, latest)"
…actoring-integrate-main-branch-changes-into-refactored-architecture
Add TunnelHandler to handle the following commands:
opentunnel, closetunnel
Define types and structs related to TunnelHandler.
Add fields related to tunneling functionality
in conjunction with TunnelHandler.
…ation

Update RegisterAll() to include TunnelHandler registration.
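Added example, not code from the alpamon project: a Go sketch of the request-ID-keyed approval routing that the PR summary ("Request ID based mapping", "30-second timeout") and the "mutex double unlock" commit message above describe. It locks once and unlocks once across both request maps, and denies and evicts a request on timeout. The AuthManager, Register, HandleSudoApprovalResponse and Await names and the bool-channel layout are assumptions, not the project's API.

```go
package main

import "sync"
import "time"

// AuthManager tracks in-flight sudo approvals by request ID in two maps, as the PR
// describes: Alpacon (session-bound) users and local users. Layout is assumed.
type AuthManager struct {
	mu      sync.Mutex
	alpacon map[string]chan bool
	local   map[string]chan bool
}

// Register files a request and returns the channel that carries the decision;
// the 1-slot buffer lets the responder send while still holding the lock.
func (m *AuthManager) Register(id string, isAlpacon bool) <-chan bool {
	ch := make(chan bool, 1)
	m.mu.Lock()
	defer m.mu.Unlock()
	if isAlpacon {
		m.alpacon[id] = ch
	} else {
		m.local[id] = ch
	}
	return ch
}

// HandleSudoApprovalResponse routes a decision to whichever map holds the ID.
// Lock once and unlock once via defer, whichever map matches: an Unlock inside the
// loop is the double-unlock panic that a commit in this PR fixes.
func (m *AuthManager) HandleSudoApprovalResponse(id string, approved bool) bool {
	m.mu.Lock()
	defer m.mu.Unlock()
	for _, tbl := range []map[string]chan bool{m.alpacon, m.local} {
		if ch, ok := tbl[id]; ok {
			delete(tbl, id)
			ch <- approved
			return true
		}
	}
	return false
}

// Await returns the decision, or denies after timeout (30s in the PR) and evicts
// the entry so a late response cannot be matched to a request that is gone.
func (m *AuthManager) Await(id string, ch <-chan bool, timeout time.Duration) bool {
	select {
	case ok := <-ch:
		return ok
	case <-time.After(timeout):
		m.HandleSudoApprovalResponse(id, false) // evicts; the false is never read
		return false
	}
}
```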
@geunwoonoh geunwoonoh self-assigned this Dec 29, 2025
@geunwoonoh geunwoonoh merged commit 4cf6ff7 into 131-alpamon-agent-refactoring Dec 29, 2025
2 checks passed
@geunwoonoh geunwoonoh deleted the 162-alpamon-agent-refactoring-integrate-main-branch-changes-into-refactored-architecture branch December 29, 2025 08:37