Page MenuHomeVyOS Platform

system integrity check
Closed, ResolvedPublicFEATURE REQUEST

Description

We need to add system integrity check
which should perform core system packages version checks and report if it not consistent
Main reason is to avoid supporting modified(in an unsupported way) installations
People messing up with packages via apt-get and then go to IRC/Chat/Forum and start asking help and as result after some hours spent
it becomes clear that issue is mostly related to that unsupported changes

Details

Difficulty level
Normal (likely a few hours)
Version
-

Related Objects

StatusSubtypeAssignedTask
In progressFEATURE REQUESTNone
On holdFEATURE REQUESTerkin
ResolvedFEATURE REQUESThagbard

Event Timeline

syncer raised the priority of this task from Low to High.Oct 13 2018, 6:39 PM
syncer moved this task from Needs Triage to Backlog on the VyOS 1.2 Crux (VyOS 1.2.0-rc4) board.
syncer changed the subtype of this task from "Task" to "Feature Request".Oct 18 2018, 5:47 AM
hagbard changed the task status from Open to In progress.Oct 20 2018, 6:10 PM

What about adding the package list of all installed packages to 'generate tech-support archive'?
It adds already:

vyos-tests.tech-support-archive.2018-10-20-200721/
vyos-tests.tech-support-archive.2018-10-20-200721/home.tgz
vyos-tests.tech-support-archive.2018-10-20-200721/etc.tgz
vyos-tests.tech-support-archive.2018-10-20-200721/var-log.tgz
vyos-tests.tech-support-archive.2018-10-20-200721/config.tgz
vyos-tests.tech-support-archive.2018-10-20-200721/core-dump.tgz
vyos-tests.tech-support-archive.2018-10-20-200721/tmp.tgz
vyos-tests.tech-support-archive.2018-10-20-200721/root.tgz

And could be extended easily.

Any opinions?

@hagbardI like that idea
maybe it's time to rewrite show/generate tech-support to python

syncer changed the edit policy from "Task Author" to "Custom Policy".Oct 21 2018, 6:40 PM
syncer set Version to -.

Do we need show tech-support at all?
I changed a few things I would gather, I leave /home/user and /config/auth alone, since they can contain sensitive information like private keys.
In the archive I create files for each 'section. Like OS based information, network related information go to an extra file etc.
The idea is to make it easier for the one reading to all that stuff and giving the user the confidence we don't steal their ssh key or wireguard private keys by accident.
Also adding content to the report would be easier there too. I can upload to my github what I have so far since you would only need the script right now, I haven't it integrated in vyos-1x yet.

we need tech-support but need it reworked
on one hand, it must be human-friendly
on another hand, we need to have ability feed it into analytics platform later
we should skip all sensitive info

Yeah, I agree but what about the show tech-support which currently exists?
There is generate tech-support archive, which stores a tarball and/or you can upload it via scp/ftp to a destination.
Plus there is 'show tech-support' which shows the information to the screen, which I think won't make a lot if sense.
For the packages, I have the full dpkg -l in a file, that can be read and compared easily with the packages installed in the iso.
Do you have a system for automated checks in mind already? (I built something similar in the past on a normal webserver).

Current show tech-support can be nuked once we have a replacement
The on-screen output is useful if you debug onsite or have access to the machine
We mixing here stuff, integrity check bit different from show tech-support but can be part of it

ok, so what do you have in mind for integrity support? If someone installs from external sources or a different kernel for instance, you can only find out when you have the information somewhere, that's why I though to integrate it into the tech-support. So, if someone reports an issue, we can just receive that report and have all information in one tarball to check what's going going on. I'm getting a bit confused.

Yes,
that will be kind of the first step in troubleshooting workflow
i propose to make another ticket for show tech-support
and current one assign as a subtask

So that's what I have right now for checking the packages, if they are newer than the image build time, it would spit out the below:

The following packages don't fit the image creation time
build time: 2018-10-17 23:28:00
installed: 2018-10-26 22:43:24 vyos-1x
installed: 2018-10-26 22:31:03 vyatta-cfg-dhcp-relay
installed: 2018-10-22 16:00:52 vim
installed: 2018-10-22 02:13:35 wireguard-modules
installed: 2018-10-22 16:00:50 libgpm2:amd64
installed: 2018-10-22 16:00:52 vim-runtime
installed: 2018-10-26 18:56:47 vyatta-cfg-firewall

https://github.com/vyos/vyos-1x/commit/bf00172783447215a1be55caf7ea74b520798310

Currently only the check for additionally installed packages is implemented, but the script can be extended. Didn't push it to crux to have it properly tested first.