Filippo Giunchedi has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/378922 )
Change subject: base: ability to send syslog over TLS
......................................................................
base: ability to send syslog over TLS
Also enable syslog over TLS in codfw for prometheus::ops as a test.
Bug: T136312
Change-Id: I190c036d111593e625333a29eb8676c43fa4be7b
---
M hieradata/role/codfw/prometheus/ops.yaml
M modules/base/manifests/remote_syslog.pp
M modules/base/templates/remote_syslog.conf.erb
M modules/profile/manifests/base.pp
4 files changed, 36 insertions(+), 4 deletions(-)
Approvals:
jenkins-bot: Verified
Filippo Giunchedi: Looks good to me, approved
diff --git a/hieradata/role/codfw/prometheus/ops.yaml b/hieradata/role/codfw/prometheus/ops.yaml
index b451f1a..e471841 100644
--- a/hieradata/role/codfw/prometheus/ops.yaml
+++ b/hieradata/role/codfw/prometheus/ops.yaml
@@ -2,3 +2,6 @@
 prometheus::server::max_chunks_to_persist: '1048576'
 lvs::realserver::realserver_ips:
 - 10.2.1.25
+
+profile::base::remote_syslog_tls: ['syslog.eqiad.wmnet:6154', 'syslog.codfw.wmnet:6154']
+profile::base::remote_syslog: []
diff --git a/modules/base/manifests/remote_syslog.pp b/modules/base/manifests/remote_syslog.pp
index 667ba5a..21bf48b 100644
--- a/modules/base/manifests/remote_syslog.pp
+++ b/modules/base/manifests/remote_syslog.pp
@@ -11,14 +11,27 @@
 # A list of host (and optional port) to forward syslog events to.
 # (e.g. ["syslog.eqiad.wmnet"] or ["deployment-logstash2.deployment-prep.eqiad.wmflabs:10514"])
 #
+# [*central_hosts_tls*]
+# A list of host:port (port is *required*) to forward syslog using TLS.
+# (e.g. ["syslog.eqiad.wmnet:6154"])
+#
 #
 class base::remote_syslog (
 $enable,
 $central_hosts = [],
+ $central_hosts_tls = [],
 ) {
 if $enable {
- if empty($central_hosts) {
- fail('::base::remote_syslog::central_hosts required')
+ require_package('rsyslog-gnutls')
+
+ if empty($central_hosts) and empty($central_hosts_tls) {
+ fail('::base::remote_syslog::central_hosts central_hosts_tls required')
+ }
+
+ if ! empty($central_hosts_tls) {
+ ::base::expose_puppet_certs { '/etc/rsyslog':
+ provide_private => true,
+ }
 }
 rsyslog::conf { 'remote_syslog':
diff --git a/modules/base/templates/remote_syslog.conf.erb b/modules/base/templates/remote_syslog.conf.erb
index 1751668..da7740b 100644
--- a/modules/base/templates/remote_syslog.conf.erb
+++ b/modules/base/templates/remote_syslog.conf.erb
@@ -1,4 +1,15 @@
 # NOTE: This file is managed by Puppet.
+<%- unless @central_hosts_tls.empty? %>
+# make gtls driver the default
+$DefaultNetstreamDriver gtls
+
+$DefaultNetstreamDriverCAFile /var/lib/puppet/ssl/certs/ca.pem
+$DefaultNetstreamDriverCertFile /etc/rsyslog/ssl/cert.pem
+$DefaultNetstreamDriverKeyFile /etc/rsyslog/ssl/server.key
+
+$ActionSendStreamDriverAuthMode x509/certvalid
+$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
+<% end -%>
 # By default, rsyslog will truncate programname[pid] to 32 characters. This
 # is a problem if logging to logstash, because programname will not be
@@ -10,3 +21,6 @@
 <% @central_hosts.sort.each do |log_host| %>
 *.info;mail.none;authpriv.none;cron.none @<%= log_host %>;LongTagForwardFormat
 <% end %>
+<%- @central_hosts_tls.sort.each do |log_host| %>
+*.info;mail.none;authpriv.none;cron.none @@<%= log_host %>;LongTagForwardFormat
+<% end -%>
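Review bot: Nothing orders the new `::base::expose_puppet_certs { '/etc/rsyslog': ... }` resource before the `rsyslog::conf { 'remote_syslog': ... }` that follows it (that resource continues outside the hunk), so unless the repository relies on manifest ordering, the TLS configuration can be written and rsyslog reloaded before `/etc/rsyslog/ssl/cert.pem` and `server.key` exist, and the gtls driver then has no certificate to load; adding `before => Rsyslog::Conf['remote_syslog'],` next to `provide_private => true,` pins the order. The new failure message `'::base::remote_syslog::central_hosts central_hosts_tls required'` reads as if two parameters were named; `'::base::remote_syslog: one of central_hosts or central_hosts_tls is required'` says what the check actually tests. `require_package('rsyslog-gnutls')` now runs for every host with `$enable` set even when `$central_hosts_tls` is empty; if that is not intended, it belongs inside the `if ! empty($central_hosts_tls)` block.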
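Review bot: `$ActionSendStreamDriverAuthMode x509/certvalid` in the first template hunk only verifies that the server certificate chains to the CA in `/var/lib/puppet/ssl/certs/ca.pem`; since that is the Puppet CA and the client's own identity comes from its Puppet certificate via `expose_puppet_certs`, any other host holding a certificate from that CA would pass the same check, so the forwarded logs are not actually bound to the intended collectors. Using `x509/name` together with `$ActionSendStreamDriverPermittedPeer` for each configured collector restricts the connection to the expected names; the `host:port` entries in `@central_hosts_tls` already carry the names, so the template can derive them. The trailing `# run driver in TLS-only mode` on the `$ActionSendStreamDriverMode 1` line may not be accepted by the legacy `$`-directive parser — if a config check complains, move the comment onto its own line.
```erb
$ActionSendStreamDriverAuthMode x509/name
<%- @central_hosts_tls.sort.each do |log_host| -%>
$ActionSendStreamDriverPermittedPeer <%= log_host.sub(/:\d+\z/, '') %>
<%- end -%>
<%# … unchanged: $ActionSendStreamDriverMode line and end of the unless block … %>
```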
diff --git a/modules/profile/manifests/base.pp b/modules/profile/manifests/base.pp
index af965c5..ad59a12 100644
--- a/modules/profile/manifests/base.pp
+++ b/modules/profile/manifests/base.pp
@@ -6,6 +6,7 @@
 $use_apt_proxy = hiera('profile::base::use_apt_proxy', true),
 $domain_search = hiera('profile::base::domain_search', $::domain),
 $remote_syslog = hiera('profile::base::remote_syslog', ['syslog.eqiad.wmnet', 'syslog.codfw.wmnet']),
+ $remote_syslog_tls = hiera('profile::base::remote_syslog_tls', []),
 $notifications_enabled = hiera('profile::base::notifications_enabled', '1'),
 $core_dump_pattern = hiera('profile::base::core_dump_pattern', '/var/tmp/core/core.%h.%e.%p.%t'),
 $ssh_server_settings = hiera('profile::base::ssh_server_settings', {}),
@@ -51,8 +52,9 @@
 if $remote_syslog {
 class { '::base::remote_syslog':
- enable => true,
- central_hosts => $remote_syslog,
+ enable => true,
+ central_hosts => $remote_syslog,
+ central_hosts_tls => $remote_syslog_tls,
 }
 }
--
To view, visit https://gerrit.wikimedia.org/r/378922
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I190c036d111593e625333a29eb8676c43fa4be7b
Gerrit-PatchSet: 12
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Gehel <guillaume.leder...@wikimedia.org>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
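Review bot: In the second hunk the guard `if $remote_syslog {` still keys only on the plain-text list, so `$remote_syslog_tls` is passed to the class only when that value happens to be truthy; the companion hieradata sets `profile::base::remote_syslog: []`, which works only because an empty array is true in Puppet, and a `false` value meant to switch off plain forwarding would silently drop the TLS forwarding as well. Making the condition name both inputs, `if !empty($remote_syslog) or !empty($remote_syslog_tls) {` (stdlib `empty()` is already used in `base::remote_syslog`), turns the TLS-only configuration from a side effect of truthiness into an explicit case; if hiera may supply a boolean here, keep a type check ahead of `empty()`. The body of `class profile::base` starts and ends outside both hunks.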