FreeBSD Bugzilla – Attachment 226746 Details for Bug 257464: sysutils/zrepl: check for expiring SSL certificates each week
[patch] Add a weekly periodic job to check zrepl SSL certs for impending expiration.
zrepl-periodic.diff (text/plain), 3.21 KB, created by Alan Somers on 2021-07-27 22:12:10 UTC
>diff --git sysutils/zrepl/Makefile sysutils/zrepl/Makefile >index 23b3cc16c683..ab6bed02def1 100644 >--- sysutils/zrepl/Makefile >+++ sysutils/zrepl/Makefile >@@ -3,7 +3,7 @@ > PORTNAME= zrepl > DISTVERSIONPREFIX= v > DISTVERSION= 0.4.0 >-PORTREVISION= 2 >+PORTREVISION= 3 > CATEGORIES= sysutils > > MAINTAINER= lcook@FreeBSD.org >@@ -17,7 +17,7 @@ USE_RC_SUBR= zrepl > > GO_MODULE= github.com/${PORTNAME}/${PORTNAME} > >-SUB_FILES= pkg-message >+SUB_FILES= pkg-message 500.zrepl > > OPTIONS_DEFINE= EXAMPLES MANPAGES > OPTIONS_DEFAULT= MANPAGES >@@ -53,6 +53,9 @@ post-install: > ${INSTALL_DATA} ${FILESDIR}/newsyslog.conf ${STAGEDIR}${EXAMPLESDIR}/newsyslog.conf > ${INSTALL_DATA} ${FILESDIR}/syslog.conf ${STAGEDIR}${EXAMPLESDIR}/syslog.conf > ${INSTALL_DATA} ${FILESDIR}/zrepl.yml ${STAGEDIR}${ETCDIR}/zrepl.yml.sample >+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/weekly >+ ${INSTALL_SCRIPT} ${WRKDIR}/500.zrepl \ >+ ${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl > > post-install-EXAMPLES-on: > @${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/hooks >diff --git sysutils/zrepl/files/500.zrepl.in sysutils/zrepl/files/500.zrepl.in >new file mode 100644 >index 000000000000..9382d5e1409e >--- /dev/null >+++ sysutils/zrepl/files/500.zrepl.in 
>@@ -0,0 +1,41 @@ >+#!/bin/sh >+ >+# Check zrepl SSL certificates for impending expiration each week >+# >+# Add the following lines to /etc/periodic.conf: >+# >+# weekly_zrepl_enable (bool): Set to "NO" by default >+# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default >+ >+# If there is a global system configuration file, suck it in. >+# >+if [ -r /etc/defaults/periodic.conf ] >+then >+ . /etc/defaults/periodic.conf >+ source_periodic_confs >+fi >+ >+# 30 days in seconds >+: ${weekly_zrepl_warntime="2592000"} >+ >+rc=0 >+case "$weekly_zrepl_enable" in >+ [Yy][Ee][Ss]) >+ echo >+ echo "Check Zrepl certificates for upcoming expiration:" >+ >+ for cert in %%ETCDIR%%/*.crt; do >+ /usr/bin/openssl x509 --in "${cert}" \ >+ -checkend "${weekly_zrepl_warntime}" >+ >+ if [ $? -gt 0 ]; then >+ echo "${cert} will expire soon" >+ /usr/bin/openssl x509 --in "${cert}" -noout -enddate >+ rc=3 >+ fi >+ done >+ ;; >+ *) rc=0;; >+esac >+ >+exit $rc >diff --git sysutils/zrepl/files/pkg-message.in sysutils/zrepl/files/pkg-message.in >index f01100004e97..9d0cc7020a45 100644 >--- sysutils/zrepl/files/pkg-message.in >+++ sysutils/zrepl/files/pkg-message.in >@@ -22,6 +22,16 @@ DANGER - SNAPSHOT PRUNING REQUIRES EXPLICIT KEEP RULES: > For any ZFS snapshot that you want to keep, at least one rule must match. > This also applies to snapshots taken by means other than zrepl > (e.g. snapshots taken manually or via boot environment tools). >+ >+In order to automatically warn the operator of impending certificate >+expiration, add this line to /etc/periodic.conf: >+ >+ weekly_zrepl_enable="YES" >+ >+More config details in the zrepl periodic script: >+ >+ %%LOCALBASE%%/etc/periodic/weekly/500.zrepl >+ > EOM > } > ] >diff --git sysutils/zrepl/pkg-plist sysutils/zrepl/pkg-plist >index 03420df4e9be..c6262c9bb43e 100644 >--- sysutils/zrepl/pkg-plist >+++ sysutils/zrepl/pkg-plist 
>@@ -1,4 +1,5 @@ > bin/zrepl >+etc/periodic/weekly/500.zrepl > @sample %%ETCDIR%%/zrepl.yml.sample > %%PORTEXAMPLES%%%%EXAMPLESDIR%%/hooks/template.sh > %%PORTEXAMPLES%%%%EXAMPLESDIR%%/grafana-prometheus-zrepl.json
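Review bot: In sysutils/zrepl/files/500.zrepl.in, the `if [ $? -gt 0 ]` test after the `-checkend` call treats every non-zero exit from openssl as impending expiry, so a file that cannot be read or parsed, or the unexpanded pattern `%%ETCDIR%%/*.crt` when the directory holds no .crt files, is reported as "will expire soon" with rc=3. Suggest skipping entries that do not exist at the top of the loop (for example `[ -e "${cert}" ] || continue`) and reporting a certificate that openssl cannot load separately from one that is about to expire. The first openssl call also lacks the `-noout` that the second call has, so the certificate itself is written into the periodic output on every run, and `--in` would be better spelled `-in` to match `-checkend` and `-noout`. The header comment documents weekly_zrepl_enable as defaulting to "NO", but the script only sets a default for weekly_zrepl_warntime; a matching `: ${weekly_zrepl_enable="NO"}` would make the two agree. The header could also state that only files matching `%%ETCDIR%%/*.crt` are checked.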
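Review bot: In the sysutils/zrepl/files/pkg-message.in hunk, the script path is given as `%%LOCALBASE%%/etc/periodic/weekly/500.zrepl`, while the Makefile hunk installs the file to `${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl`; use `%%PREFIX%%` in the message so it points at the installed file when PREFIX and LOCALBASE differ. The message could also name weekly_zrepl_warntime alongside weekly_zrepl_enable, since those are the two settings the script documents.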
Attachments on bug 257464: 226746 | 236226