Page MenuHomePhabricator
Create Task
Maniphest T72862

monitor unsigned salt keys
Closed, DeclinedPublic
Actions

Description

Whenever an instance is added to the beta cluster and switched to the local salt master, we might forget to sign the key on the salt master. We should get a monitoring for any unsigned or rejected keys:

Example:

root@deployment-salt:~# salt-key --list rejected
Rejected Keys:
root@deployment-salt:~# salt-key --list unsigned
Unaccepted Keys:
i-000004f8.eqiad.wmflabs
i-000005ba.eqiad.wmflabs
root@deployment-salt:~#

Version: unspecified
Severity: enhancement

Details

Reference
bz70862

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 3:44 AM
bzimport added projects: Beta-Cluster-Infrastructure, good first task.
bzimport set Reference to bz70862.
bzimport added a subscriber: Unknown Object (MLST).
hashar created this task.Sep 15 2014, 8:09 PM
hashar added a comment.Sep 16 2014, 7:41 AM

Yuvi, I am not sure how familiar you are with diamond. Would it make sense to write a basic collector that list the rejected/unsigned keys on the salt master, send that to graphite and alert on them?

yuvipanda added a comment.Sep 16 2014, 10:13 AM

Indeed, that seems ok to do. *Ideally* we would just do this in icinga instead of with diamond, but considering icinga status on labs I'd say go ahead with doing it in diamond. We already have written some custom collectors for us (see minimalpuppetagent.py), and it should be fairly trivial to copy that and use it here.

Do you want to give it a shot? I can help with the diamond bits :)

hashar added a comment.Sep 16 2014, 10:16 AM

I already have too many things to complete which are long overdue. So I am unlikely to look at writing a diamond collector anytime soon. If you have some spare bandwidth, please step in :-D

yuvipanda added a comment.Sep 16 2014, 10:17 AM

Alright, I'll put it on my 'spare bandwidth TODO' list :)

In the meantime, if anyone else wants to step in, please do! I'll be happy to help.

ArielGlenn added a comment.Oct 24 2014, 3:00 PM

no autoacceptance in the works? That would take care of the problem.

greg moved this task from To Triage to Next: Feature on the Beta-Cluster-Infrastructure board.Nov 25 2014, 12:08 AM
hashar updated the task description. (Show Details)Nov 25 2014, 11:00 AM
hashar set Security to None.
yuvipanda added a comment.Dec 26 2014, 12:05 AM

http://docs.saltstack.com/en/latest/ref/configuration/master.html#auto-accept salt has auto-accept now.

yuvipanda added a comment.Dec 26 2014, 12:06 AM

Although not in the version we are running atm..

yuvipanda added a comment.Dec 26 2014, 8:51 AM

Also how are keys accepted for new labs instances now? @ArielGlenn

yuvipanda added a parent task: T88971: Upgrade salt to 2014.7 (investigating).Feb 23 2015, 3:57 PM
ArielGlenn added a comment.Feb 23 2015, 4:01 PM

keys are autoaccepted on labs last I looked. I think.

yuvipanda closed this task as Declined.Mar 5 2015, 1:05 PM
yuvipanda claimed this task.

Should just be fixed with the next version upgrade that will have auto accepting keys.

yuvipanda moved this task from Next: Feature to To Triage on the Beta-Cluster-Infrastructure board.Mar 5 2015, 1:31 PM
greg moved this task from To Triage to Done on the Beta-Cluster-Infrastructure board.Mar 5 2015, 4:45 PM
Dzahn subscribed.Sep 5 2016, 4:26 PM

still needed for production as well ? -> T143846

Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptSep 5 2016, 4:26 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:57 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits