Closed
Bug 642790
Opened 14 years ago
Closed 12 years ago
Nagios check to verify that slaves have all expected keys
Categories
(Release Engineering :: General, defect, P3)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 792836
People
(Reporter: armenzg, Unassigned)
References
Details
(Whiteboard: [nagios])
Moving slaves from one silo to another carries manual intervention at this moment.
Ensuring that the right keys are in the right slave would require a verification check.
AFAIK there are three sets we want to ensure to be correct:
- production keys
- staging keys
- try keys
Something like this could help:
cd ~/.ssh; sha1sum *.pub | sort
Comment 1•14 years ago (Reporter)
Not sure how to programmatically know which slaves are marked for production, which ones for try and which ones for staging.
Maybe the slave-alloc system has a DB somewhere.
Please update this doc once the bug is resolved:
https://wiki.mozilla.org/ReleaseEngineering/How_To/Move_a_Slave_Between_Production_and_Staging#SSH_Keys
Whiteboard: [nagios]
Comment 2•14 years ago
This is a better job for puppet than nagios, since it's difficult to dynamically reconfigure nagios.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 3•14 years ago (Reporter)
OK.
I have added the following command into the documentation [1]:
ssh -i ~/.ssh/xrbld_dsa xrbld@stage.mozilla.org
[1] https://wiki.mozilla.org/ReleaseEngineering/How_To/Adjust_SSH_keys_on_a_slave
Comment 4•14 years ago
No need to dynamically reconfig nagios, the plugin just needs to be able to determine what kind of slave it's looking at.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Updated•14 years ago
Priority: -- → P3
Comment 6•14 years ago
Comment 7•14 years ago
I assume that's checking the .pub keys just as a proof of concept? I don't copy the .pub keys around since they're unused on the slaves.
Aside from that, this looks pretty good. I assume we'd distribute the script via puppet, which will also be distributing the keys, so it works for me.
Comment 8•14 years ago
(In reply to comment #7)
> I assume that's checking the .pub keys just as a proof of concept? I don't
> copy the .pub keys around since they're unused on the slaves.
>
> Aside from that, this looks pretty good. I assume we'd distribute the script
> via puppet, which will also be distributing the keys, so it works for me.
Would work with private keys just as well.
Updated•12 years ago (Assignee)
Product: mozilla.org → Release Engineering
Comment 9•12 years ago
Puppet will be verifying this in bug 792836.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 12 years ago
Resolution: --- → DUPLICATE
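The check discussed in this bug, sketched as a Nagios-style plugin around the sha1sum command from the description (an added example, not the script attached to the bug and not Mozilla's code). It assumes a per-silo manifest of expected hashes is delivered to each slave by configuration management; the function names, manifest format and status text are hypothetical, and the optional glob covers the private-key case raised in comments 7 and 8.

```shell
#!/bin/sh
# Added example, not from the bug. Manifest format and paths are assumptions.

# names LINES: print the file names from sha1sum output, comma-separated.
names() {
    printf '%s\n' "$1" | awk 'NF { printf "%s%s", sep, $2; sep = "," }'
}

# check_keys SSH_DIR MANIFEST [GLOB]
# MANIFEST is the expected "sha1sum GLOB" output for this slave's silo.
# Prints one Nagios status line; returns 0 OK, 2 CRITICAL, 3 UNKNOWN.
check_keys() {
    ssh_dir=$1
    manifest=$2
    glob=${3:-*.pub}
    if [ ! -d "$ssh_dir" ] || [ ! -r "$manifest" ]; then
        echo "KEYS UNKNOWN - cannot read $ssh_dir or $manifest"
        return 3
    fi
    expected=$(sort "$manifest")
    # Same command as in the description; $glob is left unquoted to expand.
    actual=$(cd "$ssh_dir" && sha1sum -- $glob 2>/dev/null | sort || true)
    if [ "$expected" = "$actual" ]; then
        echo "KEYS OK - $(printf '%s\n' "$actual" | grep -c .) keys match"
        return 0
    fi
    # Lines only in the manifest: key absent or its content differs.
    missing=$(printf '%s\n' "$expected" | grep -Fxv -e "$actual" || true)
    # Lines only on disk: a key this silo should not hold, or a changed one.
    extra=$(printf '%s\n' "$actual" | grep -Fxv -e "$expected" || true)
    m=$(names "$missing")
    e=$(names "$extra")
    echo "KEYS CRITICAL - missing or changed: ${m:-none}; unexpected: ${e:-none}"
    return 2
}

# Run as a plugin: check_keys.sh ~/.ssh /path/to/manifest
if [ "$#" -ge 2 ]; then
    check_keys "$@"
fi
```

The "unexpected" list is what catches a slave moved between silos that still holds the previous silo's keys. sha1sum is kept from the description; sha256sum works the same way with a manifest generated by the same tool.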