Closed Bug 1335820 Opened 7 years ago Closed 7 years ago

HPKP Warning alert

Categories

(Infrastructure & Operations Graveyard :: CIDuty, task)

Product:
Infrastructure & Operations Graveyard
Component:
CIDuty
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: hwine, Assigned: sfraser)

References

Details

Attachments

(1 file)

proposed fix, before I put in a PR to sysadmins/puppet
1.45 KB, text/plain
Details 
This popped up in #buildduty today (thanks to :philor for reporting):
[09:04] < nagios-rele>| Wed 09:04:34 PST [4013] nagios1.private.releng.scl3.mozilla.com:HPKP Expiration - Nightly is WARNING: (null) (http://m.mozilla.org/HPKP+Expiration+-+Nightly)

Note the cutover of hg.m.o to https only occurred at ~0800 PT, so if the check used http protocol without following redirects, that could be part of the issue.

Unsure if this is related to bug 1303851
The format of the file changed in https://hg.mozilla.org/mozilla-central/rev/35aecea31459 due to https://hg.mozilla.org/mozilla-central/rev/b03c9f4ac1b0 (bug 1335294).

We'll need to adjust the nagios check to cope.
Assignee: nobody → sfraser
Comment on attachment 8832554 [details]
proposed fix, before I put in a PR to sysadmins/puppet

What's the value of searching for 2 anchors? (with increased complexity)

aiui, the file is auto-generated, so if one is present, the other will be as well. If we're going to handle the corner case of only one, don't we also have to check to ensure both values are identical when both are present?

The file format & check are complex enough that I think an explanation would help.
They won't both be present, it'll be one or the other, as the change filters through to aurora, and onwards. 

Although I agree about the compexity - I was initially worried about matching on too little, but this should be enough:

-EPOCH_ANCHOR = "static const PRTime kPreloadPKPinsExpirationTime = INT64_C("
+EPOCH_ANCHOR = " kPreloadPKPinsExpirationTime = INT64_C("
Bug 1335294 was backed out so the file is back to "static const PRTime" at the moment.

I'll need to play with the change a bit before re-landing. I probably won't touch kPreloadPKPinsExpirationTime next time, but I'll report back here if I do. Sorry for the back-and-forth.
It's likely a good idea to update the monitoring if it'll change in the future - assuming it's only going to be the type that changes rather than the name. Is it possible to say, at this stage?
(In reply to Simon Fraser [:sfraser] ⌚️GMT from comment #6)
> It's likely a good idea to update the monitoring if it'll change in the
> future - assuming it's only going to be the type that changes rather than
> the name. Is it possible to say, at this stage?

That sounds reasonable. I personally have no plans to change the name.
Note: IT also runs a similar HPKP check against release -- see bug 1336299. I don't know if this is the same plugin or not.
(In reply to Hal Wine [:hwine] (use NI) from comment #8)
> Note: IT also runs a similar HPKP check against release -- see bug 1336299.
> I don't know if this is the same plugin or not.

Yep, it is.
Depends on: 1336973
The MOC have now applied the patch, so a change to this type (but not variable name) won't break the monitoring
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Just a quick status note: I've re-landed bug 1335294 and didn't touch kPreloadPKPinsExpirationTime this time around.
Comment on attachment 8832554 [details]
proposed fix, before I put in a PR to sysadmins/puppet

clearing dangling review request
Attachment #8832554 - Flags: review?
Product: Release Engineering → Infrastructure & Operations
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: