FreeBSD Bugzilla – Attachment 236226 Details for
Bug 257464
sysutils/zrepl: check for expiring SSL certificates each week
[patch]
Add a weekly periodic job to check zrepl SSL certs for impending expiration
pr257464-zrepl.diff (text/plain), 3.28 KB, created by
Alan Somers
on 2022-08-29 17:31:23 UTC
>diff --git sysutils/zrepl/Makefile sysutils/zrepl/Makefile >index fc745f8cbf62..f04a87beddb2 100644 >--- sysutils/zrepl/Makefile >+++ sysutils/zrepl/Makefile >@@ -1,7 +1,7 @@ > PORTNAME= zrepl > DISTVERSIONPREFIX= v > DISTVERSION= 0.5.0-8 >-PORTREVISION= 3 >+PORTREVISION= 4 > DISTVERSIONSUFFIX= -g19b2deb > CATEGORIES= sysutils > >@@ -19,7 +19,7 @@ GO_BUILDFLAGS= -ldflags "\ > -s -w\ > -X ${GO_MODULE}/version.${PORTNAME}Version=${DISTVERSIONFULL}" > >-SUB_FILES= pkg-message >+SUB_FILES= pkg-message 500.zrepl > > OPTIONS_DEFINE= EXAMPLES MANPAGES > OPTIONS_DEFAULT= MANPAGES >@@ -55,6 +55,9 @@ post-install: > ${INSTALL_DATA} ${FILESDIR}/newsyslog.conf ${STAGEDIR}${EXAMPLESDIR}/newsyslog.conf > ${INSTALL_DATA} ${FILESDIR}/syslog.conf ${STAGEDIR}${EXAMPLESDIR}/syslog.conf > ${INSTALL_DATA} ${FILESDIR}/zrepl.yml ${STAGEDIR}${ETCDIR}/zrepl.yml.sample >+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/periodic/weekly >+ ${INSTALL_SCRIPT} ${WRKDIR}/500.zrepl \ >+ ${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl > > post-install-EXAMPLES-on: > @${MKDIR} ${STAGEDIR}${EXAMPLESDIR}/hooks >diff --git sysutils/zrepl/files/500.zrepl.in sysutils/zrepl/files/500.zrepl.in >new file mode 100644 >index 000000000000..b7f1b3abb4d3 >--- /dev/null >+++ sysutils/zrepl/files/500.zrepl.in 
>@@ -0,0 +1,41 @@ >+#!/bin/sh >+ >+# Check zrepl SSL certificates for impending expiration each week >+# >+# Add the following lines to /etc/periodic.conf: >+# >+# weekly_zrepl_enable (bool): Set to "NO" by default >+# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default >+ >+# If there is a global system configuration file, suck it in. >+# >+if [ -r /etc/defaults/periodic.conf ] >+then >+ . /etc/defaults/periodic.conf >+ source_periodic_confs >+fi >+ >+# 30 days in seconds >+: ${weekly_zrepl_warntime="2592000"} >+ >+rc=0 >+case "$weekly_zrepl_enable" in >+ [Yy][Ee][Ss]) >+ echo >+ echo "Check Zrepl certificates for upcoming expiration:" >+ >+ for cert in `/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt`; do >+ /usr/bin/openssl x509 --in "${cert}" \ >+ -checkend "${weekly_zrepl_warntime}" >+ >+ if [ $? -gt 0 ]; then >+ echo "${cert} will expire soon" >+ /usr/bin/openssl x509 --in "${cert}" -noout -enddate >+ rc=3 >+ fi >+ done >+ ;; >+ *) rc=0;; >+esac >+ >+exit $rc >diff --git sysutils/zrepl/files/pkg-message.in sysutils/zrepl/files/pkg-message.in >index f01100004e97..9d0cc7020a45 100644 >--- sysutils/zrepl/files/pkg-message.in >+++ sysutils/zrepl/files/pkg-message.in >@@ -22,6 +22,16 @@ DANGER - SNAPSHOT PRUNING REQUIRES EXPLICIT KEEP RULES: > For any ZFS snapshot that you want to keep, at least one rule must match. > This also applies to snapshots taken by means other than zrepl > (e.g. snapshots taken manually or via boot environment tools). >+ >+In order to automatically warn the operator of impending certificate >+expiration, add this line to /etc/periodic.conf: >+ >+ weekly_zrepl_enable="YES" >+ >+More config details in the zrepl periodic script: >+ >+ %%LOCALBASE%%/etc/periodic/weekly/500.zrepl >+ > EOM > } > ] >diff --git sysutils/zrepl/pkg-plist sysutils/zrepl/pkg-plist >index 717dee74d8ff..6d0b39c2f3d6 100644 >--- sysutils/zrepl/pkg-plist >+++ sysutils/zrepl/pkg-plist 
>@@ -1,4 +1,5 @@ > bin/zrepl >+etc/periodic/weekly/500.zrepl > @sample %%ETCDIR%%/zrepl.yml.sample > %%PORTEXAMPLES%%%%EXAMPLESDIR%%/bandwidth_limit.yml > %%PORTEXAMPLES%%%%EXAMPLESDIR%%/grafana-prometheus-zrepl.json
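Review bot: in sysutils/zrepl/files/500.zrepl.in the `find` call passes `-name *.crt` unquoted, so the shell expands the pattern against the job's current directory before find sees it, and a stray .crt file there changes or breaks the search. Quote the pattern (`-name '*.crt'`). The backtick `for cert in ...` loop also splits its input on whitespace, so a certificate path containing a space reaches openssl in pieces. A plain glob, `for cert in %%ETCDIR%%/*.crt`, with a `[ -f "${cert}" ] || continue` guard handles both cases and keeps `rc` in the same shell. Two smaller points in the same loop: the openssl calls use `--in` next to single-dash `-checkend` and `-noout`, where the documented spelling is `-in`; and the output of the `-checkend` call is not redirected, so whatever openssl prints for every certificate, healthy or not, ends up in the weekly report alongside the script's own "will expire soon" line. Only certificates directly inside %%ETCDIR%% with a .crt suffix are checked (`-maxdepth 1`), which deserves a sentence in the header comment.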
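Review bot: in sysutils/zrepl/files/pkg-message.in the added text points the operator at `%%LOCALBASE%%/etc/periodic/weekly/500.zrepl`, but the Makefile hunk installs the script under `${STAGEDIR}${PREFIX}/etc/periodic/weekly/500.zrepl`. The two paths differ whenever the port is built with a PREFIX other than LOCALBASE, so the message should use `%%PREFIX%%`. The message also mentions only `weekly_zrepl_enable`; naming `weekly_zrepl_warntime` and its 30-day default here would save the operator from opening the script to find it.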