Filippo Giunchedi has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/378922 )

Change subject: base: ability to send syslog over TLS
......................................................................


base: ability to send syslog over TLS

Also enable syslog over TLS in codfw for prometheus::ops as a test.

Bug: T136312
Change-Id: I190c036d111593e625333a29eb8676c43fa4be7b
---
M hieradata/role/codfw/prometheus/ops.yaml
M modules/base/manifests/remote_syslog.pp
M modules/base/templates/remote_syslog.conf.erb
M modules/profile/manifests/base.pp
4 files changed, 36 insertions(+), 4 deletions(-)

Approvals:
  jenkins-bot: Verified
  Filippo Giunchedi: Looks good to me, approved



diff --git a/hieradata/role/codfw/prometheus/ops.yaml 
b/hieradata/role/codfw/prometheus/ops.yaml
index b451f1a..e471841 100644
--- a/hieradata/role/codfw/prometheus/ops.yaml
+++ b/hieradata/role/codfw/prometheus/ops.yaml
@@ -2,3 +2,6 @@
 prometheus::server::max_chunks_to_persist: '1048576'
 lvs::realserver::realserver_ips:
   - 10.2.1.25
+
+profile::base::remote_syslog_tls: ['syslog.eqiad.wmnet:6154', 
'syslog.codfw.wmnet:6154']
+profile::base::remote_syslog: []
diff --git a/modules/base/manifests/remote_syslog.pp 
b/modules/base/manifests/remote_syslog.pp
index 667ba5a..21bf48b 100644
--- a/modules/base/manifests/remote_syslog.pp
+++ b/modules/base/manifests/remote_syslog.pp
@@ -11,14 +11,27 @@
 #   A list of host (and optional port) to forward syslog events to.
 #   (e.g. ["syslog.eqiad.wmnet"] or 
["deployment-logstash2.deployment-prep.eqiad.wmflabs:10514"])
 #
+# [*central_hosts_tls*]
+#   A list of host:port (port is *required*) to forward syslog using TLS.
+#   (e.g. ["syslog.eqiad.wmnet:6154"])
+#
 #
 class base::remote_syslog (
     $enable,
     $central_hosts = [],
+    $central_hosts_tls = [],
 ) {
     if $enable {
-        if empty($central_hosts) {
-            fail('::base::remote_syslog::central_hosts required')
+        require_package('rsyslog-gnutls')
+
+        if empty($central_hosts) and empty($central_hosts_tls) {
+            fail('::base::remote_syslog::central_hosts central_hosts_tls 
required')
+        }
+
+        if ! empty($central_hosts_tls) {
+            ::base::expose_puppet_certs { '/etc/rsyslog':
+                provide_private => true,
+            }
         }
 
         rsyslog::conf { 'remote_syslog':
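Review bot: Nothing in the hunk orders `::base::expose_puppet_certs['/etc/rsyslog']` before `rsyslog::conf { 'remote_syslog': }`, so on a first run rsyslog can be reloaded with a gtls config whose cert/key files do not exist yet; adding `before => Rsyslog::Conf['remote_syslog'],` next to `provide_private => true` (the rsyslog::conf resource continues past the hunk) closes that window. The `provide_private => true` call copies the node's Puppet agent private key into /etc/rsyslog/ssl, so whoever can read that copy can impersonate the host to the puppetmaster; the resulting file mode is decided by expose_puppet_certs, outside this hunk, and is worth confirming to be root-only. `require_package('rsyslog-gnutls')` is also pulled in for every host with forwarding enabled, including the plain-UDP majority; moving it inside the `if ! empty($central_hosts_tls)` branch keeps the change scoped to the TLS case. Finally the docblock says the port is required for `central_hosts_tls` but no check enforces it; a `validate_re` (or the project's equivalent) on each entry would fail early instead of producing a silently wrong `@@host` line.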
diff --git a/modules/base/templates/remote_syslog.conf.erb 
b/modules/base/templates/remote_syslog.conf.erb
index 1751668..da7740b 100644
--- a/modules/base/templates/remote_syslog.conf.erb
+++ b/modules/base/templates/remote_syslog.conf.erb
@@ -1,4 +1,15 @@
 # NOTE: This file is managed by Puppet.
+<%- unless @central_hosts_tls.empty? %>
+# make gtls driver the default
+$DefaultNetstreamDriver gtls
+
+$DefaultNetstreamDriverCAFile /var/lib/puppet/ssl/certs/ca.pem
+$DefaultNetstreamDriverCertFile /etc/rsyslog/ssl/cert.pem
+$DefaultNetstreamDriverKeyFile /etc/rsyslog/ssl/server.key
+
+$ActionSendStreamDriverAuthMode x509/certvalid
+$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
+<% end -%>
 
 # By default, rsyslog will truncate programname[pid] to 32 characters.  This
 # is a problem if logging to logstash, because programname will not be
@@ -10,3 +21,6 @@
 <% @central_hosts.sort.each do |log_host| %>
 *.info;mail.none;authpriv.none;cron.none @<%= log_host %>;LongTagForwardFormat
 <% end %>
+<%- @central_hosts_tls.sort.each do |log_host| %>
+*.info;mail.none;authpriv.none;cron.none @@<%= log_host %>;LongTagForwardFormat
+<% end -%>
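Review bot: `$ActionSendStreamDriverAuthMode x509/certvalid` only checks that the server presents a certificate signed by the Puppet CA, it does not check whose certificate it is, so any Puppet-managed host in the fleet could stand in for syslog.eqiad.wmnet if traffic is redirected; since the list of destinations is right here in the template, switch to `x509/name` and emit one permitted peer per host (rsyslog accepts repeated PermittedPeer directives, each adding a name, as far as I recall). Two smaller points: `$DefaultNetstreamDriver gtls` with `$ActionSendStreamDriverMode 1` is set globally before the plain `@` actions, which is fine for UDP but means any future `@@` entry in `central_hosts` would silently become TLS, and it is worth confirming that rsyslog's legacy directive parser tolerates the trailing `# run driver in TLS-only mode` comment on the Mode line.
```erb
$ActionSendStreamDriverAuthMode x509/name
<%- @central_hosts_tls.sort.each do |log_host| -%>
$ActionSendStreamDriverPermittedPeer <%= log_host.split(':').first %>
<%- end -%>
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
```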
diff --git a/modules/profile/manifests/base.pp 
b/modules/profile/manifests/base.pp
index af965c5..ad59a12 100644
--- a/modules/profile/manifests/base.pp
+++ b/modules/profile/manifests/base.pp
@@ -6,6 +6,7 @@
     $use_apt_proxy = hiera('profile::base::use_apt_proxy', true),
     $domain_search = hiera('profile::base::domain_search', $::domain),
     $remote_syslog = hiera('profile::base::remote_syslog', 
['syslog.eqiad.wmnet', 'syslog.codfw.wmnet']),
+    $remote_syslog_tls = hiera('profile::base::remote_syslog_tls', []),
     $notifications_enabled = hiera('profile::base::notifications_enabled', 
'1'),
     $core_dump_pattern = hiera('profile::base::core_dump_pattern', 
'/var/tmp/core/core.%h.%e.%p.%t'),
     $ssh_server_settings = hiera('profile::base::ssh_server_settings', {}),
@@ -51,8 +52,9 @@
 
     if $remote_syslog {
         class { '::base::remote_syslog':
-            enable        => true,
-            central_hosts => $remote_syslog,
+            enable            => true,
+            central_hosts     => $remote_syslog,
+            central_hosts_tls => $remote_syslog_tls,
         }
     }
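Review bot: The class is still gated on `if $remote_syslog {` alone, so a host that turns plain forwarding off with `false`/undef also loses TLS forwarding even when `remote_syslog_tls` is populated; the codfw hieradata in this change only works because it sets `remote_syslog: []`, which Puppet treats as truthy. Gating on both lists, `if !empty($remote_syslog) or !empty($remote_syslog_tls) {`, matches the `empty(...) and empty(...)` check the class itself performs and makes the hieradata intent explicit. The `base::remote_syslog` parameter list above defaults the plain list to both syslog hosts and the TLS list to `[]`; a one-line comment stating that TLS is opt-in per host would help whoever flips the default later.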
 


Gerrit-MessageType: merged
Gerrit-Change-Id: I190c036d111593e625333a29eb8676c43fa4be7b
Gerrit-PatchSet: 12
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Alexandros Kosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: BryanDavis <bda...@wikimedia.org>
Gerrit-Reviewer: Filippo Giunchedi <fgiunch...@wikimedia.org>
Gerrit-Reviewer: Gehel <guillaume.leder...@wikimedia.org>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Muehlenhoff <mmuhlenh...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
