Page MenuHomePhabricator
Create Task
Maniphest T273182

Revert OpenSSL min version configuration introduced for bacula compatibility
Closed, ResolvedPublic
Actions

Description

Right now, the only jessie hosts left that have backups (according to cumin P:backup::host 'cat /etc/debian_version' are:

conf[2001-2003].codfw.wmnet

I would like to revert it back to safer defaults, but I am unsure how to do it properly. Just reverting:

doesn't seem like a good idea. So, a few questions:

  • Do we need to maintain an openssl conf, different from the package provided one?
  • Should we revert already and just put an exception on conf2* hosts (not sure when those will be upgraded)?
  • Do we remove the file? (but then, what is the safe procedure to revert to the package version one?)

Details

SubjectRepoBranchLines +/-
jessie: Revert openssl conf on director/storage to package defaultsoperations/puppetproduction+1 -1
bacula: Revert TLS 1.0 downgrade on storage servers (including director)operations/puppetproduction+0 -371
jessie: Remove old openssl override after revert to package versionoperations/puppetproduction+0 -371
Customize query in gerrit

Related Objects
Search...

Event Timeline

jcrespo created this task.Jan 28 2021, 12:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 28 2021, 12:42 PM
jcrespo triaged this task as Medium priority.EditedJan 28 2021, 12:46 PM
jcrespo mentioned this in T271573: upgrade conf2* servers to buster.

I have asked on ^this ticket about potential schedule, if they answer we can decide to go for exception or wait for upgrade.

jcrespo mentioned this in T224549: Track remaining jessie systems in production.Jan 29 2021, 11:16 AM
jcrespo moved this task from Triage to Refine on the Data-Persistence-Backup board.Jan 29 2021, 3:36 PM
jcrespo added a comment.Feb 1 2021, 2:10 PM

I didn't get any answer here or on the other ticket, so this is my plan now:

  • Add a conditional so the above code only affects jessie host (conf2*)
  • For all other hosts
    • (that have backups enabled), update openssl.conf to one identical to the one shipped by the package
    • Remove the code updating it after some days

*When conf2* are upgraded, remove the exception completely

As I believe this will be the safest way to approach that to avoid breakages (even on wmcs or weird usages)

jcrespo added a comment.Feb 1 2021, 3:00 PM

I'm silly, I was totally convinced that the revert applied to clients. It does not, only to storage hosts, which is easier to revert. That also means T271573 is a real blocker.

jcrespo added a subtask: T271573: upgrade conf2* servers to buster.Feb 1 2021, 3:00 PM
gerritbot added a comment.Feb 1 2021, 3:08 PM

Change 660856 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] jessie: Revert openssl conf on director/storage to package defaults

https://gerrit.wikimedia.org/r/660856

gerritbot added a project: Patch-For-Review.Feb 1 2021, 3:08 PM

Change 660857 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] jessie: Remove old openssl override after revert to package version

https://gerrit.wikimedia.org/r/660857

LSobanski added a subscriber: LSobanski.Feb 1 2021, 6:00 PM
gerritbot added a comment.Feb 15 2021, 5:28 PM

Change 664314 had a related patch set uploaded (by Jcrespo; owner: Jcrespo):
[operations/puppet@production] bacula: Revert TLS 1.0 downgrade on storage servers (including director)

https://gerrit.wikimedia.org/r/664314

gerritbot added a comment.Feb 15 2021, 5:29 PM

Change 660857 abandoned by Jcrespo:
[operations/puppet@production] jessie: Remove old openssl override after revert to package version

Reason:
Abandoned in favour of more recent https://gerrit.wikimedia.org/r/c/operations/puppet/ /664314

https://gerrit.wikimedia.org/r/660857

jcrespo mentioned this in T238048: Followup to backup1001 bacula switchover (misc pending tasks).Feb 15 2021, 6:14 PM
gerritbot added a comment.Apr 29 2021, 7:31 AM

Change 664314 merged by Jcrespo:

[operations/puppet@production] bacula: Revert TLS 1.0 downgrade on storage servers (including director)

https://gerrit.wikimedia.org/r/664314

jcrespo added a comment.EditedApr 29 2021, 7:45 AM

Doing on backup1001|1002|2001|2002:

run-puppet-agent
rm /etc/ssl/openssl.cnf
apt install --reinstall -o Dpkg::Options::="--force-confask,confnew,confmiss" openssl

( puppet doesn't touch the file, so no need for run-puppet-agent)

I will then do a full restart when bacula has no running processes to make sure there are no ongoing connections left using TLS 1.0.

Stashbot added a comment.Apr 29 2021, 7:48 AM

Mentioned in SAL (#wikimedia-operations) [2021-04-29T07:48:39Z] <jynus> rolling restart of bacula hosts T273182

jcrespo removed a subtask: T271573: upgrade conf2* servers to buster.Apr 29 2021, 8:18 AM
jcrespo closed this task as Resolved.Apr 29 2021, 8:37 AM

This has been successfully reverted and a backup each has been run from both stretch and buster hosts. This is now finally resolved!

gerritbot added a comment.Jun 1 2021, 4:38 PM

Change 660856 abandoned by Jcrespo:

[operations/puppet@production] jessie: Revert openssl conf on director/storage to package defaults

Reason:

Done already at https://gerrit.wikimedia.org/g/operations/puppet/ /382f88a6a8c40c82f7be18b05eb3494d8c44f9ef

https://gerrit.wikimedia.org/r/660856

Maintenance_bot removed a project: Patch-For-Review.Jun 1 2021, 5:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL