TDC: Test-driven configuration, the first module

The first module I want to develop with TDC is just a small one. I want to distribute email certificates obtained from Let's Encrypt to some email servers:

 class email_cert {

 }

I am using the puppet module puppet-tdc, which is at the moment only available on GitHub.

The first things to add are some tests:

 class email_cert {
  class{'tdc':
  }
  class{'tdc::test_directory':
     directory    => ['/etc/email-cert'],
  }
  class{'tdc::test_file':
     file    => ['/etc/email-cert/mail-fullchain.pem', '/etc/email-cert/mail-privkey.pem'],
  }
 }

I am using the new class tdc and want to check whether the directory for the certificates is available and whether the certificates themselves are there.

Great, after a while my nagios shows lots of red stuff. Every server that uses my new class email_cert automatically creates tests for nagios and distributes them. All of them fail.

So now it is time for the real data:

 class email_cert {
   class{'tdc':
   }
   class{'tdc::test_directory':
      directory    => ['/etc/email-cert'],
   }
   class{'tdc::test_file':
      file    => ['/etc/email-cert/mail-fullchain.pem', '/etc/email-cert/mail-privkey.pem'],
   }

   # directory for certificate and key, accessible to group nagios
   file { '/etc/email-cert':
     ensure => 'directory',
     mode   => '0750',
     owner  => 'Debian-exim',
     group  => 'nagios',
   }
   # certificate chain, one source file per host
   file { 'cert-fullchain.pem':
     ensure => file,
     path   => '/etc/email-cert/mail-fullchain.pem',
     mode   => '0640',
     owner  => 'Debian-exim',
     group  => 'nagios',
     source => "puppet:///modules/email_cert/cert/mail-${facts['networking']['fqdn']}-fullchain.pem",
   }
   # private key, one source file per host
   file { 'cert-privkey.pem':
     ensure => file,
     path   => '/etc/email-cert/mail-privkey.pem',
     mode   => '0640',
     owner  => 'Debian-exim',
     group  => 'nagios',
     source => "puppet:///modules/email_cert/cert/mail-${facts['networking']['fqdn']}-privkey.pem",
   }
 }

After waiting some time, my nagios calms down and everything is green again. According to aNag, I also got 30 new tests.

Of course I had to change the config of nrpe and nagios a bit. In nrpe_local.cfg I had to add:

include_dir=/usr/local/nagios/tdc/config

in order to let nrpe know about those newly created tests on the puppet agent.

I also had to tell the nagios server via its puppet module that there is a new directory containing config data:

 file { '/etc/nagios4/conf.d/tdc':
   ensure  => 'directory',
   source  => 'puppet:///modules/nagios4_server/tdc',
   recurse => 'remote',
   path    => '/etc/nagios4/conf.d/tdc',
   owner   => 'root',
   group   => 'root',
   mode    => '0755',
   notify  => Service['nagios4'],
 }

TDC: Test-driven configuration, the first steps

During TDD (Test-driven development) you have some kind of specifications that your new module needs to fulfill. Hence you know what functions need to be implemented and what kind of tests you need to write.

During TDC things are similar. You know the software you are going to install. Hence you know how this software works, what configuration is needed and what kind of features you and your users want to use in the beginning.

This results in a number of similar tests for each software.

  1. In a first step you need to check whether …
    • … the binaries are available
    • … the common config files are available
    • … the directories are available
    • … all files and directories have the correct owner and access permissions

    In case you install a package from your distribution, a set of predefined config files should be included in the delivery and your test should be green immediately after installation.

    In case you do a manual installation you need to fiddle around with the configuration files. But as you thought before what config is needed, this task should be an easy one.

    These tests are not only important for the initial installation, but also later on, when you upgrade your system or just install a newer release.
    Often enough the names of binaries have changed (apache -> apache2), the path of config files has changed, the name of the package has changed, or some binaries are now part of a different package.

    If a test fails, you immediately know that something changed and your configuration (or only the tests) needs to be adapted.

  2. If all files are in the proper place, in the second step you need to check whether their contents are fine as well. Some software has its own tool to check the config files.

    For example “apache2ctl configtest” does a syntax check of the Apache config. Nagios does such checks with “nagios -v nagios.cfg”.

  3. The third step would be to check whether the newly installed software is running. You also need to check whether the correct number of processes is running. For example exim4 basically starts a process for each incoming email and normally (at least in my case) there are up to five processes running. In case you have 128 exim4 processes running, this might be an indicator that there is something wrong with your incoming email.
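Steps 1 and 3 written as a Nagios-style check script and applied to the certificate files of the email_cert class. This is an added example, not code from puppet-tdc; it assumes GNU stat and a Linux /proc, and the function names, the process name exim4 and the lower bound of one process are assumptions.

```shell
#!/bin/sh
# Added example, not part of puppet-tdc. Exit codes follow the Nagios plugin
# convention: 0 = OK, 2 = CRITICAL, 3 = UNKNOWN.
# Assumes GNU stat (Debian) and a Linux /proc.

# Step 1: check_path KIND PATH OWNER GROUP MODE   (KIND is "file" or "dir")
check_path() {
    kind=$1; path=$2; want="$3:$4:$5"
    # Refuse symlinks, so the check inspects the file itself and not a target elsewhere.
    if [ -L "$path" ]; then
        echo "CRITICAL: $path is a symlink"; return 2
    fi
    case $kind in
        file) [ -f "$path" ] || { echo "CRITICAL: $path is not a regular file"; return 2; } ;;
        dir)  [ -d "$path" ] || { echo "CRITICAL: $path is not a directory"; return 2; } ;;
        *)    echo "UNKNOWN: KIND must be file or dir"; return 3 ;;
    esac
    got=$(stat -c '%U:%G:%a' "$path") || { echo "UNKNOWN: cannot stat $path"; return 3; }
    if [ "$got" != "$want" ]; then
        echo "CRITICAL: $path is $got, expected $want"; return 2
    fi
    echo "OK: $path is $got"
}

# Step 3: count_procs NAME prints how many processes have that command name.
count_procs() {
    n=0
    for f in /proc/[0-9]*/comm; do
        # A process may exit between glob expansion and read; skip it.
        if { read -r comm < "$f"; } 2>/dev/null && [ "$comm" = "$1" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_count NAME COUNT MIN MAX
check_count() {
    if [ "$2" -lt "$3" ] || [ "$2" -gt "$4" ]; then
        echo "CRITICAL: $2 $1 processes, expected $3 to $4"; return 2
    fi
    echo "OK: $2 $1 processes"
}

# Paths, owner, group and modes are the ones the email_cert class sets.
# Process name exim4 and the minimum of 1 are assumptions; 5 is the page's usual maximum.
if [ "${1:-}" = "run" ]; then
    rc=0
    check_path dir  /etc/email-cert                    Debian-exim nagios 750 || rc=2
    check_path file /etc/email-cert/mail-fullchain.pem Debian-exim nagios 640 || rc=2
    check_path file /etc/email-cert/mail-privkey.pem   Debian-exim nagios 640 || rc=2
    check_count exim4 "$(count_procs exim4)" 1 5 || rc=2
    exit "$rc"
fi
```

Called with the argument `run`, the script exits 2 as soon as one check is CRITICAL, so it can be wired into nrpe as a single command.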

As written in the previous article, I am doing configuration management with puppet, so the corresponding puppet module will appear in this repository.

TDC: Test-driven configuration

Is there anything more terrible than getting a phone call and someone complaining about a printer that does not work?
Yes, you have to admit that something is broken and you are not able to repair it immediately.

So, how can you avoid such situations?

For some time now in software development you can find a concept called TDD (Test-driven development). Basically you repeat three steps:

  1. develop a test for a new function; as this function does not exist yet, this test has to fail in the beginning
  2. develop the function; the aim in this step is to pass the test and don’t break any other test
  3. refactor code; code can be optimized and improved, do not break any test in this step

Would it be possible to introduce something similar for the configuration of computers/software? Analogous to TDD one could call this TDC (Test-driven configuration).

There is only one relevant Google hit for this keyword. It is an article written by David Lutz from 2011. Other keywords like “Test-driven Sysadmin” show among others some slides of Johan van den Dorpe which led to Behavioral Driven Development (BDD) and some software called cucumber. Another software that is mentioned is babushka.

Unfortunately this software does not fit into existing solutions for configuration management like puppet or testing like nagios. They are independent software packages that need their own configuration, which might lead to some kind of synchronization error between both worlds.

Is this really such a weird idea that just a few people thought about this?

Anyway, I will also give it a try and I am curious where all of this is going.

In Wikipedia there is a huge list of configuration management software. As all my systems are running on Debian, I will limit my work to software that is part of Debian and has an arbitrary popcon value of at least 1000. So my main target will be puppet. Other software I will look into are ansible and salt. Due to their trademark policy, chef won’t be part of Debian soon, so I won’t consider it.

In Wikipedia one can also see an even bigger list of network monitoring systems. My main target on this list will be nagios. I will also look into zabbix and prometheus.

Finally I found a tweet from Jaana Dogan:
“Configuration testing is quite underrated in an industry where the majority of work is becoming configuration.”

My Debian Activities in June 2020

FTP master

This month I accepted 377 packages and rejected 30. The overall number of packages that got accepted was 411.

Debian LTS

This was my seventy-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 30h. During that time I did LTS uploads of:

  • [DLA 2255-1] libtasn1-6 security update for one CVE
  • [DLA 2256-1] libtirpc security update for one CVE
  • [DLA 2257-1] pngquant security update for one CVE
  • [DLA 2258-1] zziplib security update for eight CVEs
  • [DLA 2259-1] picocom security update for one CVE
  • [DLA 2260-1] mcabber security update for one CVE
  • [DLA 2261-1] php5 security update for one CVE

I started to work on curl as well but did not upload a fixed version, so this has to go to ELTS now.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty fourth ELTS month.

Unfortunately in the last month of Wheezy ELTS even I did not find any package to fix a CVE, so during my small allocated time I didn’t upload anything.

But at least I did some days of frontdesk duties and updated my working environment for the new ELTS Jessie.

Other stuff

I uploaded a new upstream version of …

My Debian Activities in May 2020

FTP master

This month I accepted 211 packages and rejected only 9. The overall number of packages that got accepted was 228.

Debian LTS

This was my seventy-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 17.25h. During that time I did LTS uploads of:

  • [DLA 2196-2] pound regression update
  • [DLA 2219-1] feh security update for one CVE
  • [DLA 2218-1] transmission security update for one CVE
  • [DLA 2220-1] cracklib2 security update for one CVE
  • [DLA 2224-1] dosfstools security update for two CVEs
  • [DLA 2225-1] gst-plugins-good0.10 security update for two CVEs
  • [DLA 2226-1] gst-plugins-ugly0.10 security update for two CVEs
  • [DLA 2227-1] bind9 security update for two CVEs

I started to work on php5 as well but did not upload a fixed version yet.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty third ELTS month.

During my small allocated time I uploaded:

  • ELA-230-1 for bind9 fixing two CVEs
  • ELA-231-1 for php5 fixing one CVE

I also did some days of frontdesk duties.

Other stuff

I improved packaging of …

I sponsored uploads of …

  • … ulfius

On my Go challenge I uploaded:
golang-github-apparentlymart-go-versions, golang-github-hashicorp-go-slug, golang-github-mozillazg-go-httpheader, golang-github-hashicorp-terraform-json, golang-github-hashicorp-terraform-plugin-test, golang-github-sean--pager, golang-github-sean--seed, golang-github-timberio-go-datemath

My Debian Activities in April 2020

FTP master

This month I accepted 384 packages and rejected 47. The overall number of packages that got accepted was 457.

Debian LTS

This was my seventieth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 28.75h. During that time I did LTS uploads of:

  • [DLA 2183-1] libgsf security update for one CVE
  • [DLA 2184-1] jsch security update for one CVE
  • [DLA 2185-1] eog security update for one CVE
  • [DLA 2187-1] radicale security update for one CVE
  • [DLA 2186-1] ncmpc security update for one CVE
  • [DLA 2188-1] php5 security update for three CVEs
  • [DLA 2189-1] rzip security update for one CVE
  • [DLA 2195-1] w3m security update for two CVEs
  • [DLA 2194-1] yodl security update for one CVE
  • [DLA 2197-1] miniupnpc security update for one CVE
  • [DLA 2196-1] pound security update for one CVE

As there have been lots of no-dsa-CVEs I continued my work on wireshark.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty second ELTS month.

During my small allocated time I only uploaded:

  • ELA-227-1 for php5 fixing four CVEs

I also did some days of frontdesk duties.

Other stuff

Unfortunately this month again strange things happened outside Debian and I only got some stuff done.

I improved packaging of …

I sponsored uploads of …

  • … ulfius

I uploaded the new package …

  • … puppet-module-cirrax-gitolite

On my Go challenge I uploaded:
golang-github-facebookgo-subset, golang-github-facebookgo-ensure, golang-github-shurcool-gopherjslib, golang-github-grafana-grafana-plugin-model, golang-github-crewjam-httperr, golang-github-hashicorp-terraform-svchost, golang-github-neelance-sourcemap, golang-github-neelance-astrewrite, golang-github-kisielk-gotool, golang-github-gopherjs-gopherjs, golang-github-yvasiyarov-newrelic-platform-go, golang-github-rhnvrm-simples3, golang-github-robfig-go-cache, golang-github-xorcare-pointer, golang-github-goburrow-serial

My Debian Activities in March 2020

FTP master

This month I accepted 156 packages and rejected 26. The overall number of packages that got accepted was 203.

Debian LTS

This was my sixty ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 30h. During that time I did LTS uploads of:

  • [DLA 2156-1] e2fsprogs security update for one CVE
  • [DLA 2157-1] weechat security update for three CVEs
  • [DLA 2160-1] php5 security update for two CVEs
  • [DLA 2164-1] gst-plugins-bad0.10 security update for four CVEs
  • [DLA 2165-1] apng2gif security update for one CVE

Also my work on graphicsmagick was accepted which resulted in:

  • [DSA 4640-1] graphicsmagick security update in Buster and Stretch for 16 CVEs

Further I sent debdiffs of weechat/stretch, weechat/buster, e2fsprogs/stretch to the corresponding maintainers but got no feedback yet.

As there have been lots of no-dsa-CVEs accumulated for wireshark, I started to work on them but could not upload yet.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty first ELTS month.

During my really allocated time I uploaded:

  • ELA-218-1 for e2fsprogs
  • ELA-220-1 for php5
  • ELA-221-1 for nss

I also did some days of frontdesk duties.

Other stuff

Unfortunately this month again strange things happened outside Debian and the discussions within Debian did not stop. Nonetheless I got some stuff done.

I improved packaging of …

I sponsored uploads of …

  • … ocf-spec-core
  • … theme-d-gnome

Sorry to all people who also requested sponsoring, but sometimes things happen and your upload might be delayed.

I uploaded new upstream versions of …

On my Go challenge I uploaded:
golang-github-dreamitgetit-statuscake, golang-github-ensighten-udnssdk, golang-github-apparentlymart-go-dump, golang-github-suapapa-go-eddystone, golang-github-joyent-gosdc, golang-github-nrdcg-goinwx, golang-github-bmatcuk-doublestar, golang-github-go-xorm-core, golang-github-svanharmelen-jsonapi, golang-github-goji-httpauth, golang-github-phpdave11-gofpdi

My Debian Activities in January 2020

FTP master

This month I accepted 264 packages and rejected 56. The overall number of packages that got accepted was 291.

Debian LTS

This was my sixty seventh month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 23.75h. During that time I did LTS uploads of:

  • [DLA 2075-1] jsoup security update for one CVE
  • [DLA 2076-1] slirp security update for one CVE (only upload and bookkeeping, patch prepared by maintainer)
  • [DLA 2080-1] iperf3 security update for one CVE (only upload and bookkeeping, patch prepared by maintainer)
  • [DLA 2082-1] unzip security update for one CVE
  • [DLA 2084-1] graphicsmagick security update for three CVEs
  • [DLA 2085-1] zlib security update for four CVEs
  • [DLA 2086-1] wget security update for one CVE

I also prepared debdiffs for graphicsmagick in Buster (3 CVEs) and Stretch (16 CVEs) but got no review from the security team yet. I marked some CVEs of sqlite3 as not-affected in Jessie and the remaining open ones as no-dsa.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the nineteenth ELTS month.

During my allocated time I uploaded:

  • ELA-207-1 for jsoup
  • ELA-210-1 for unzip
  • ELA-211-1 for wget
  • ELA-212-1 for zlib

I also did some days of frontdesk duties.

Other stuff

This month was controlled by my vacation at the beginning of the year, so not much has happened here.

On my Go challenge I uploaded the new packages:
golang-github-hashicorp-go-gcp-common, golang-github-svanharmelen-jsonapi, golang-github-hashicorp-go-slug, golang-github-apparentlymart-go-dump, golang-github-linkedin-goavro, golang-github-ua-parser-uap-go

My Debian Activities in December 2019

FTP master

This month I accepted 450 packages and rejected 61. The overall number of packages that got accepted was 481.

Debian LTS

This was my sixty sixth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 16.5h. During that time I did LTS uploads of:

  • [DLA 2035-1] libpgf security update for one CVE
  • [DLA 2039-1] libvorbis security update for two CVEs
  • [DLA 2040-1] harfbuzz security update for one CVE
  • [DLA 2043-1] gdk-pixbuf security update for five CVEs
  • [DLA 2043-2] gdk-pixbuf regression update
  • [DLA 2047-1] cups security update for one CVE
  • [DLA 2050-1] php5 security update for four CVEs
  • [DLA 2052-1] libbsd security update for one CVE
  • [DLA 2055-1] igraph security update for one CVE

Last but not least I did some days of frontdesk duties and started to work on the sqlite3 package.

Debian ELTS

This month was the nineteenth ELTS month.

During my allocated time I uploaded:

  • ELA-202-1 for gdk-pixbuf
  • ELA-202-2 for gdk-pixbuf
  • ELA-204-1 for php5

I also did some days of frontdesk duties.

Other stuff

This month I uploaded new upstream versions of …

I improved packaging of …

As nobody really used them, I removed the lam4 and mpich2 version of meep. Now only the serial version, the openmpi- and the mpi-default-version are available. Please complain in case you need one of the other versions again.

I also uploaded all meep packages, libctl and mpb to unstable.

On my Go challenge I uploaded the source-only versions of golang-github-boj-redistore, golang-github-dchest-uniuri, golang-github-jackc-fake, golang-github-joyent-gocommon, golang-github-mattetti-filebuffer, golang-github-nrdcg-goinwx, golang-github-pearkes-dnsimple, golang-github-soniah-dnsmadeeasy, golang-github-vultr-govultr, golang-github-zorkian-go-datadog-api.
New Go packages I uploaded were: golang-github-hashicorp-terraform-svchost, golang-github-apparentlymart-go-cidr, golang-github-bmatcuk-doublestar, golang-github-cactus-go-statsd-client, golang-github-corpix-uarand, golang-github-cyberdelia-heroku-go

Debian-Med Bug Squashing

As it is again this time of the year, I would also like to draw some attention to the Debian Med Advent Calendar. Like the past years, the Debian Med team starts a bug squashing event from December 1st to 24th. Every bug that is closed will be registered in the calendar. So instead of taking something from the calendar, this special one will be filled and at Christmas hopefully every Debian Med related bug is closed. Don’t hesitate, start to squash :-).

The announcement on the mailing list can be found here.