Page MenuHomePhabricator
Create Task
Maniphest T157702

Followup for TLS MariaDB server roll-out
Open, MediumPublic
Actions

Description

After the main support for TLS was added on the db hosts (as pert of T134809).

This is more of a "decisions" ticket, specific actions decided should have its own subticket:

  • Pending, non-critical, to be decomm'ed hosts: T111654#3010354
  • Enforce TLS by all clients
  • Once it is enforced, which is the preferred cipher? size?
  • Renewal policy
  • Enforce TLS by MySQL as a client (replication user) and make sure it is verified
    • Do we have a plan in case of disaster?
  • Plans in case of a) 1 server/client private's key compromised b) CA gets fully compromised
  • Check validity/expiration of certificates on icinga
  • Add other names other than the public dns to the certs (s1-master, s1-replica, ip address, etc.)

Details

ProjectBranchLines +/-Subject
operations/puppet/mariadbmaster+12 -28Remove old CA (ssl='on') and add a new option "socket"
operations/puppetproduction+1 -1Apply a3ded1b40909f9351 (mariadb client install) to production
operations/puppet/mariadbmaster+1 -1Install wmf-mariadb-client for client-only installs
Customize query in gerrit

Related Objects
Search...

Event Timeline

jcrespo created this task.Feb 9 2017, 5:31 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 9 2017, 5:31 PM
jcrespo added a parent task: T151583: Use tls for dump backup generation.Feb 9 2017, 5:37 PM
gerritbot added a subscriber: gerritbot.Feb 10 2017, 2:24 PM

Change 337018 had a related patch set uploaded (by Jcrespo):
Install wmf-mariadb-client for client-only installs

https://gerrit.wikimedia.org/r/337018

gerritbot added a project: Patch-For-Review.Feb 10 2017, 2:24 PM
gerritbot added a comment.Feb 10 2017, 2:29 PM

Change 337018 merged by Jcrespo:
Install wmf-mariadb-client for client-only installs

https://gerrit.wikimedia.org/r/337018

gerritbot added a comment.Feb 10 2017, 2:33 PM

Change 337022 had a related patch set uploaded (by Jcrespo):
Apply a3ded1b40909f9351 (mariadb client install) to production

https://gerrit.wikimedia.org/r/337022

gerritbot added a comment.Feb 10 2017, 3:18 PM

Change 337022 merged by Jcrespo:
Apply a3ded1b40909f9351 (mariadb client install) to production

https://gerrit.wikimedia.org/r/337022

jcrespo moved this task from Triage to Backlog on the DBA board.Feb 14 2017, 3:04 PM
jcrespo added a subtask: T152427: Create a check/calendar alert for MariaDB TLS certs.Feb 21 2017, 4:11 PM
gerritbot added a comment.Feb 21 2017, 4:18 PM

Change 338988 had a related patch set uploaded (by Jcrespo):
Remove old CA (ssl='on') and add a new option "socket"

https://gerrit.wikimedia.org/r/338988

jcrespo added a comment.Mar 2 2017, 4:16 PM

m1 slave db1001 has been restarted and TLS enabled.

gerritbot added a comment.Mar 3 2017, 5:14 PM

Change 338988 merged by jenkins-bot:
[operations/puppet/mariadb] Remove old CA (ssl='on') and add a new option "socket"

https://gerrit.wikimedia.org/r/338988

jcrespo added subtasks: T183469: Setup newer machines and replace all old misc (m*) and x1 eqiad machines, T183470: Setup newer machines and replace all old misc (m*) and x1 codfw machines.Mar 9 2018, 3:30 PM
Marostegui closed subtask T183469: Setup newer machines and replace all old misc (m*) and x1 eqiad machines as Resolved.Mar 22 2018, 6:41 AM
jcrespo added a project: observability.Mar 22 2018, 7:38 AM
jcrespo updated the task description. (Show Details)
jcrespo updated the task description. (Show Details)Jun 26 2018, 4:50 PM
jcrespo added a subscriber: Vgutierrez.

CC @Vgutierrez pending work regarding TLS rollout FYI

Phabricator_maintenance moved this task from Backlog to Acknowledged on the SRE board.Jan 26 2019, 9:04 PM
fgiunchedi moved this task from Inbox to Radar on the observability board.Jul 20 2020, 1:16 PM
RhinosF1 added a subscriber: RhinosF1.Jan 12 2021, 11:27 AM
LSobanski removed a project: SRE.May 25 2021, 11:53 AM
jcrespo removed a parent task: T151583: Use tls for dump backup generation.Mar 7 2022, 1:57 PM
Krinkle removed a parent task: T111654: Set up TLS for MariaDB replication.May 31 2022, 11:41 PM
Krinkle updated the task description. (Show Details)
Marostegui closed subtask T152427: Create a check/calendar alert for MariaDB TLS certs as Declined.Dec 12 2022, 6:56 AM
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL