
monitor unsigned salt keys
Closed, DeclinedPublic

Description

Whenever an instance is added to the beta cluster and switched to the local salt master, we might forget to sign the key on the salt master. We should have monitoring for any unsigned or rejected keys:

Example:

root@deployment-salt:~# salt-key --list rejected
Rejected Keys:
root@deployment-salt:~# salt-key --list unsigned
Unaccepted Keys:
i-000004f8.eqiad.wmflabs
i-000005ba.eqiad.wmflabs
root@deployment-salt:~#

Version: unspecified
Severity: enhancement

Details

Reference
bz70862

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 3:44 AM
bzimport set Reference to bz70862.
bzimport added a subscriber: Unknown Object (MLST).
hashar created this task. Sep 15 2014, 8:09 PM

Yuvi, I am not sure how familiar you are with diamond. Would it make sense to write a basic collector that lists the rejected/unsigned keys on the salt master, sends them to graphite, and alerts on them?

Indeed, that seems ok to do. *Ideally* we would just do this in icinga instead of with diamond, but considering icinga status on labs I'd say go ahead with doing it in diamond. We already have written some custom collectors for us (see minimalpuppetagent.py), and it should be fairly trivial to copy that and use it here.

Do you want to give it a shot? I can help with the diamond bits :)
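A concrete shape for the collector discussed above, as an added example that is not code from this task or from the custom diamond collectors it mentions (minimalpuppetagent.py): it parses the `salt-key --list` text format shown in the description and turns it into per-state counters that a collector could hand to graphite, plus the subset an operator has to act on. The metric path prefix `salt.keys`, the function names, and the embedded sample output (constructed from the description's example) are assumptions; `read_salt_keys` is the only part that needs to run on the salt master.

```python
"""Count Salt minion keys by state from `salt-key --list` output.

Added example: parses the text format shown in the task description
("Unaccepted Keys:" header followed by one key name per line) and
produces graphite-style counters. Metric names are an assumption.
"""
import re
import subprocess
import time
from collections import OrderedDict

# Section header that salt-key prints for each key state, e.g. "Unaccepted Keys:".
# Lines are stripped before matching, so the indented format of newer salt
# releases is handled as well as the flat format in the task description.
HEADER_RE = re.compile(r"^(?P<state>[A-Za-z ]+?) Keys:$")

# Sample output, constructed from the example in the task description.
SAMPLE_UNSIGNED = """Unaccepted Keys:
i-000004f8.eqiad.wmflabs
i-000005ba.eqiad.wmflabs
"""
SAMPLE_REJECTED = "Rejected Keys:\n"

# Key states an operator must look at: a minion nobody signed, or one
# whose key was explicitly rejected (possibly a changed key).
ATTENTION_STATES = ("unaccepted", "rejected")


def parse_salt_key_list(text):
    """Parse salt-key text output into an ordered {state: [key names]} map.

    A header line starts a section; every following non-empty line is a key
    name in that section. A header with no names yields an empty list (the
    rejected case in the description). Text before the first header, such as
    a shell prompt from a pasted transcript, is ignored.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER_RE.match(line)
        if match:
            current = match.group("state").lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def key_counts(sections):
    """Map each key state to a graphite metric name and its count."""
    return {"salt.keys.%s" % state: len(keys) for state, keys in sections.items()}


def needs_attention(sections):
    """Return only the states, with their keys, that should raise an alert."""
    return OrderedDict(
        (state, keys)
        for state, keys in sections.items()
        if state in ATTENTION_STATES and keys
    )


def read_salt_keys(states=("unsigned", "rejected")):
    """Run salt-key on the master for each state and merge the parsed sections.

    Assumes it runs as root on the salt master; not exercised offline.
    """
    merged = OrderedDict()
    for state in states:
        output = subprocess.check_output(["salt-key", "--list", state])
        merged.update(parse_salt_key_list(output.decode("utf-8", "replace")))
    return merged


def graphite_lines(sections, now=None):
    """Render counts as plaintext-protocol lines: '<metric> <value> <timestamp>'."""
    stamp = int(now if now is not None else time.time())
    return ["%s %d %d" % (name, value, stamp) for name, value in sorted(key_counts(sections).items())]


if __name__ == "__main__":
    parsed = parse_salt_key_list(SAMPLE_UNSIGNED + SAMPLE_REJECTED)
    for line in graphite_lines(parsed):
        print(line)
    for state, keys in needs_attention(parsed).items():
        print("ALERT: %d %s key(s): %s" % (len(keys), state, ", ".join(keys)))
```

Run on the sample it prints `salt.keys.rejected 0` and `salt.keys.unaccepted 2` followed by an alert naming the two unaccepted minions; in a real collector the `graphite_lines` output would be published and the alert threshold set on `salt.keys.unaccepted` and `salt.keys.rejected` being non-zero.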

I already have too many things to complete which are long overdue. So I am unlikely to look at writing a diamond collector anytime soon. If you have some spare bandwidth, please step in :-D

Alright, I'll put it on my 'spare bandwidth TODO' list :)

In the meantime, if anyone else wants to step in, please do! I'll be happy to help.

No autoacceptance in the works? That would take care of the problem.

hashar updated the task description. Nov 25 2014, 11:00 AM
hashar set Security to None.

Although not in the version we are running atm.

Also how are keys accepted for new labs instances now? @ArielGlenn

Keys are autoaccepted on labs, last I looked. I think.

yuvipanda closed this task as Declined. Mar 5 2015, 1:05 PM
yuvipanda claimed this task.

Should just be fixed with the next version upgrade that will have auto accepting keys.

Dzahn added a subscriber: Dzahn. Sep 5 2016, 4:26 PM

Still needed for production as well? -> T143846

Restricted Application added a subscriber: TerraCodes. Sep 5 2016, 4:26 PM