#2777 /etc/system_identification missing on some hosts?
Closed: Fixed None Opened 12 years ago by addutko.

= phenomenon =

I receive an odd message on bastion02 when I log on. The message is:

$system_identification has not been defined for this host. Please do so.
For more information see /etc/system_identification

I actually see the contents of system_identification on puppet02.

Is there a reason why some hosts have this file and others don't?
Where would one "fix" this? Would we add it in the puppet git repo and
change the host configuration in puppet to include the corresponding
module or constraint?

= reason =

This is an outstanding task that needs to be done and could be done by
someone in apprentice. Get a list of systems and go around to see
which ones don't have it, what they have on them, and what level they
look to need to be at.

This config is usually in the group class for a set of systems. Not
sure if this is the best way to do it but it is how it has been done
in the past.

= recommendation =

Use the catalog of systems provided by skvidal to determine which hosts need a file. Generate classifications for each host, update the files and push the files through puppet after committing to git and receiving sign-off.


Here is an example:[[BR]]

Security Category: ''LOW | MEDIUM | High''[[BR]]
Primary Contact: Fedora Admins - admin@fedoraproject.org[[BR]]
Purpose: ''BE BRIEF - END WITH PERIOD''.[[BR]]
Environment: ''Development | Staging | Test | Production''[[BR]]
Relationship: ''BE BRIEF - NO PERIOD''[[BR]]

This document is provided as part of CSI standards.[[BR]]
See http://infrastructure.fedoraproject.org/csi/security-policy/ for more information[[BR]]

The above contents should go in the puppet configuration for a particular host. It seems the following servergroups have this file defined:

noc[[BR]]
people[[BR]]
appRhel[[BR]]
download-server[[BR]]
proxy[[BR]]
puppet[[BR]]
secondary[[BR]]

Each contains a file declaration data structure with a key (content) and value with the description contents. Here is an example:

{{{
file { '/etc/system_identification':
    content => "Security Category: High

Primary Contact: Fedora Admins - admin@fedoraproject.org
Purpose: System provides configuration for all other systems.
Environment: Production
Relationship: All systems depend on puppet

This document is provided as part of CSI standards.
See http://infrastructure.fedoraproject.org/csi/security-policy/ for more information" }
}}}

This component is then introduced to the node through an include. For example, for the puppet01 node we include the class defined in the servergroups/puppet.pp file. I imagine we'll want to define server groups for our hosts and assign them appropriately. Now that this is researched the implementation should be trivial.
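A lint for the five-field layout described above, as an added example (not part of the ticket or of Fedora Infrastructure's tooling). It assumes the values listed in the template are the only valid ones and that a line starting with whitespace continues the previous field; `check_sysid` and `sample_sysid` are names made up here.

```sh
#!/bin/sh
# Added example, not Fedora Infrastructure tooling. Accepted values and the
# punctuation rules are assumptions read off the template in the ticket.

# check_sysid FILE ("-" reads stdin): one line per problem, exit 1 if any.
check_sysid() {
    awk '
    # A line that starts with whitespace continues the previous field.
    /^[ \t]+[^ \t]/ && key != "" { sub(/^[ \t]+/, " "); val[key] = val[key] $0; next }
    /^[A-Za-z ]+: / {
        key = $0; sub(/:.*/, "", key)          # text before the first colon
        v = $0;   sub(/^[^:]*: */, "", v)      # text after it
        val[key] = v; next
    }
    { key = "" }                               # blank line or free text ends a field
    function complain(msg) { print msg; bad = 1 }
    END {
        n = split("Security Category,Primary Contact,Purpose,Environment,Relationship", req, ",")
        for (i = 1; i <= n; i++) {
            sub(/[ \t]+$/, "", val[req[i]])
            if (val[req[i]] == "") complain("missing: " req[i])
        }
        sc = val["Security Category"]
        if (sc != "" && tolower(sc) !~ /^(low|medium|high)$/)
            complain("Security Category: \"" sc "\" is not Low, Medium or High")
        env = val["Environment"]
        if (env != "" && env !~ /^(Development|Staging|Test|Production)$/)
            complain("Environment: \"" env "\" is not a template value")
        if (val["Purpose"] != "" && val["Purpose"] !~ /\.$/)
            complain("Purpose: should end with a period")
        if (val["Relationship"] ~ /\.$/)
            complain("Relationship: should not end with a period")
        exit bad + 0
    }' "$1"
}

# Constructed sample modelled on the examples in the ticket.
sample_sysid() {
    cat <<'EOF'
Security Category: Moderate
Primary Contact: Fedora Admins - admin@fedoraproject.org
Purpose: System provides caching for applications.
Environment: Production
Relationship: Nagios depends on the account system for user info or
 authentication.
EOF
}

sample_sysid | check_sysid - || echo "fix the fields listed above"
```

Run against the rendered file on a host, or against the text extracted from a manifest, before the change is committed.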

Here is an example for memcached01:

{{{
diff --git a/manifests/nodes/memcached01.phx2.fedoraproject.org.pp b/manifests/nodes/memcached01.phx2.fedoraproject.org.pp
index 6cff99b..17860ac 100644
--- a/manifests/nodes/memcached01.phx2.fedoraproject.org.pp
+++ b/manifests/nodes/memcached01.phx2.fedoraproject.org.pp
@@ -28,4 +28,14 @@ node memcached01 {
'-A INPUT -p tcp -m tcp -s 192.168.1.17 --dport 11211 -j ACCEPT',
]
}
+
+ file { '/etc/system_identification':
+ content => "Security Category: Moderate
+ Primary Contact: Fedora Admins - admin@fedoraproject.org
+ Purpose: System provides caching for applications.
+ Environment: Production
+ Relationship: Application servers depend on memcached01
+
+ This document is provided as part of CSI standards. See http://infrastructure.fedoraproject.org/csi/security-policy/ for more informa tion"
+ }
}

}}}
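Review bot: the added content sets "Security Category: Moderate", but the template earlier in this ticket lists only LOW, MEDIUM and High, so this should be Medium unless the template is being changed too. The last added line also carries "informa tion" split inside the quoted string, which would be written to the file as is; rejoin it as "information". The resource is declared directly in the node manifest, whereas the hosts that already have the file get it from a servergroup class.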

Here is another for memcached03:

{{{
diff --git a/manifests/nodes/memcached03.phx2.fedoraproject.org.pp b/manifests/nodes/memcached03.phx2.fedoraproject.org.pp
index 0e1699d..78acc6f 100644
--- a/manifests/nodes/memcached03.phx2.fedoraproject.org.pp
+++ b/manifests/nodes/memcached03.phx2.fedoraproject.org.pp
@@ -28,4 +28,14 @@ node memcached03 {
'-A INPUT -p tcp -m tcp -s 192.168.1.17 --dport 11211 -j ACCEPT',
]
}
+
+ file { '/etc/system_identification':
+ content => "Security Category: Moderate
+ Primary Contact: Fedora Admins - admin@fedoraproject.org
+ Purpose: System provides caching for applications.
+ Environment: Production
+ Relationship: Application servers depend on memcached03
+
+ This document is provided as part of CSI standards. See http://infrastructure.fedoraproject.org/csi/security-policy/ for more informa tion"
+ }
}

}}}
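Review bot: this file block repeats the memcached01 one with only the hostname in the Relationship line changed, so the "Moderate" category and the split "informa tion" are repeated here as well. With both nodes carrying the same text, declaring it once in a class that both include would avoid keeping two copies in sync.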

Applied patches. Thank you.

Various hosts are still missing this file. Reopening and fixing.

It looks like there are now 27 hosts without /etc/system_identification that the fi-apprentice group can reach.

{{{
diff --git a/manifests/nodes/noc02.fedoraproject.org.pp b/manifests/nodes/noc02.fedoraproject.org.pp
index 2323838..966208d 100644
--- a/manifests/nodes/noc02.fedoraproject.org.pp
+++ b/manifests/nodes/noc02.fedoraproject.org.pp
@@ -22,5 +22,15 @@ node noc02{

 semodule_deprecated { 'noc':
 }
  • file { '/etc/system_identification':
  • content => "Security Category: Low
    +Primary Contact: Fedora Admins - admin@fedoraproject.org
    +Purpose: Provides monitoring facilities.
    +Environment: Production
    +Relationship: Nagios depends on the account system for user info or
  • authentication.
    +
    +This document is provided as part of CSI standards.
    +See http://infrastructure.fedoraproject.org/csi/security-policy/ for more information" }

}
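Review bot: node noc02 now declares file '/etc/system_identification' with the same Purpose and Relationship text that the manifests/services/noc.pp hunk in this patch gives to class noc. If noc02 includes that class, the catalog will contain the same file resource twice and Puppet will refuse to compile it; please confirm which of the two declarations this host should get and drop the other.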
diff --git a/manifests/nodes/value03.phx2.fedoraproject.org.pp b/manifests/nodes/value03.phx2.fedoraproject.org.pp
index e642e5e..299b9cc 100644
--- a/manifests/nodes/value03.phx2.fedoraproject.org.pp
+++ b/manifests/nodes/value03.phx2.fedoraproject.org.pp
@@ -5,4 +5,15 @@ node value03 {
include supybot::zodbot
include supybot-meetbot::app
include hotfix::supybot-fedora
+ file { '/etc/system_identification':
+ content => "Security Category: Low
+Primary Contact: Fedora Admins - admin@fedoraproject.org
+Purpose: Provides smolt instance and zodbot.
+Environment: Production
+Relationship: zodbot depends on the account system for user info or
+ authentication. Zodbot also can query pkgdb and other services.
+
+
+This document is provided as part of CSI standards.
+See http://infrastructure.fedoraproject.org/csi/security-policy/ for more information" }
}
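Review bot: the Relationship value here runs to two sentences, wraps onto a continuation line and ends with periods, while the template asks for "BE BRIEF - NO PERIOD". Shortening it to a single line without the trailing period would match the template; there are also two blank lines before the CSI footer where the noc.pp text has one.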
diff --git a/manifests/nodes/value04.phx2.fedoraproject.org.pp b/manifests/nodes/value04.phx2.fedoraproject.org.pp
index d38ee0a..2cf280b 100644
--- a/manifests/nodes/value04.phx2.fedoraproject.org.pp
+++ b/manifests/nodes/value04.phx2.fedoraproject.org.pp
@@ -2,4 +2,13 @@ node value04 {
include phx
include valueadd
include openvpn::client
+ file { '/etc/system_identification':
+ content => "Security Category: Low
+Primary Contact: Fedora Admins - admin@fedoraproject.org
+Purpose: Provides smolt instance.
+Environment: Production
+
+
+This document is provided as part of CSI standards.
+See http://infrastructure.fedoraproject.org/csi/security-policy/ for more information" }
}
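Review bot: the added text has no Relationship line between Environment and the CSI footer, although the template lists Relationship as one of its five fields. Please add the field so the file is complete, and reduce the two blank lines before the footer to one.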
diff --git a/manifests/services/noc.pp b/manifests/services/noc.pp
index 8ff6c7e..1d83422 100644
--- a/manifests/services/noc.pp
+++ b/manifests/services/noc.pp
@@ -40,10 +40,10 @@ class noc {
file { '/etc/system_identification':
content => "Security Category: Low
Primary Contact: Fedora Admins - admin@fedoraproject.org
-Purpose: Provides monitoring facilities and zodbot
+Purpose: Provides monitoring facilities.
Environment: Production
-Relationship: Nagios and zodbot both depend on the account system for user info
- or authentication. Zodbot also can query pkgdb and other services.
+Relationship: Nagios depends on the account system for user info or
+ authentication.

This document is provided as part of CSI standards.
See http://infrastructure.fedoraproject.org/csi/security-policy/ for more information" }
}}}
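Review bot: the rewritten Relationship value in class noc is still split over two lines, with the second starting with a space; inside a double-quoted Puppet string that newline and space go into the file verbatim. Putting the sentence on one line keeps one field per line, and the template asks for no trailing period.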

OK, things have changed a bit since this ticket was set up. ;)

Instead of checking in these changes to the main puppet repo, machines now pull this info from the 'infra-hosts' repo and the 'notes' file for their host.

If you could adjust patches against that, that would be great.
Also, checking what hosts don't have a 'notes' file should indicate which ones still need to be done. ;)

As I understood, the description in infra-hosts is less strictly formatted, so maybe this will fit:

{{{
diff --git a/hosted03.fedoraproject.org/notes b/hosted03.fedoraproject.org/notes
new file mode 100644
index 0000000..b2bef1a
--- /dev/null
+++ b/hosted03.fedoraproject.org/notes
@@ -0,0 +1 @@
+This is a fedorahosted.org server.
diff --git a/hosted04.fedoraproject.org/notes b/hosted04.fedoraproject.org/notes
new file mode 100644
index 0000000..b2bef1a
--- /dev/null
+++ b/hosted04.fedoraproject.org/notes
@@ -0,0 +1 @@
+This is a fedorahosted.org server.
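Review bot: hosted03 and hosted04 get the same one-line note (both blobs are b2bef1a), so the notes do not say how the two servers differ. The note also drops the Security Category, Environment and contact fields that /etc/system_identification carried; if infra-hosts has no other place for them, consider stating at least the environment here.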
diff --git a/noc01.phx2.fedoraproject.org/notes b/noc01.phx2.fedoraproject.org/notes
new file mode 100644
index 0000000..4e9d0c1
--- /dev/null
+++ b/noc01.phx2.fedoraproject.org/notes
@@ -0,0 +1,4 @@
+This is a nagios server located inside PHX.
+
+It monitors general host statistics, puppet status, uptime, apache status
+(up/down), SSH etc.
diff --git a/noc01.stg.phx2.fedoraproject.org/notes b/noc01.stg.phx2.fedoraproject.org/notes
new file mode 100644
index 0000000..789344e
--- /dev/null
+++ b/noc01.stg.phx2.fedoraproject.org/notes
@@ -0,0 +1 @@
+This is a staging nagios server.
diff --git a/noc02.fedoraproject.org/notes b/noc02.fedoraproject.org/notes
new file mode 100644
index 0000000..9985a1e
--- /dev/null
+++ b/noc02.fedoraproject.org/notes
@@ -0,0 +1,4 @@
+This is an external nagios server located outside of PHX.
+
+It monitors our user websites/applications (fedoraproject.org, FAS,
+PackageDB, Bodhi/Updates).
diff --git a/smolt01.phx2.fedoraproject.org/notes b/smolt01.phx2.fedoraproject.org/notes
new file mode 100644
index 0000000..acb83b3
--- /dev/null
+++ b/smolt01.phx2.fedoraproject.org/notes
@@ -0,0 +1,3 @@
+This is a smolt instance.
+
+Also it runs zodbot.
diff --git a/value03.phx2.fedoraproject.org/notes b/value03.phx2.fedoraproject.org/notes
new file mode 100644
index 0000000..acb83b3
--- /dev/null
+++ b/value03.phx2.fedoraproject.org/notes
@@ -0,0 +1,3 @@
+This is a smolt instance.
+
+Also it runs zodbot.
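Review bot: this note is byte-identical to the smolt01 one (both blobs are acb83b3), including "Also it runs zodbot."; please confirm zodbot really runs on both hosts rather than only on value03, whose Puppet node includes supybot::zodbot in the earlier patch.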
diff --git a/value04.phx2.fedoraproject.org/notes b/value04.phx2.fedoraproject.org/notes
new file mode 100644
index 0000000..c83f96d
--- /dev/null
+++ b/value04.phx2.fedoraproject.org/notes
@@ -0,0 +1 @@
+This is a smolt instance.

}}}

I will look into other hosts later on.

Applied with a few minor changes/additions. ;) Thanks!

Can you still see any hosts needing notes?

I see no hosts lacking notes now. ;)

I just added a quick script to check for nodes with no notes on them...

From an up-to-date clone of infra-hosts.git, just run: ./no-notes.sh to get the list (or no output if all nodes have notes).

It uses a little bit of find hacketry. ;)
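One way to produce that list, as an added example: this is not the no-notes.sh script mentioned above, whose contents the ticket does not show. It assumes one directory per host with a `notes` file inside, as in the patches, and also reports notes files that exist but are blank; `hosts_without_notes` and the example.org hostnames are made up here.

```sh
#!/bin/sh
# Added example; this is not the no-notes.sh from infra-hosts, which the
# ticket does not show. Layout assumed from the patches: <repo>/<host>/notes.

# hosts_without_notes REPO: print each host directory whose notes file is
# missing, not a regular file, or blank; return 1 if any were printed.
hosts_without_notes() {
    missing=0
    for dir in "$1"/*/; do                   # the glob skips dot-directories such as .git
        [ -d "$dir" ] || continue            # glob matched nothing
        notes="${dir}notes"
        if [ ! -f "$notes" ] || ! grep -q '[^[:space:]]' "$notes"; then
            basename "$dir"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed demo tree; hostnames are placeholders.
demo=$(mktemp -d)
mkdir "$demo/noc01.example.org" "$demo/value04.example.org" "$demo/hosted03.example.org"
echo 'This is a nagios server.' > "$demo/noc01.example.org/notes"
printf ' \n' > "$demo/value04.example.org/notes"     # present but blank
hosts_without_notes "$demo" || echo "hosts listed above still need notes"
rm -rf "$demo"
```

The non-zero return status makes the function usable as a pre-commit or CI gate on the repository.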
