Heartbleed and Automation

Well, by now we have all heard of HeartBleed and had to deal with the impact it has had on our servers and services.

Let's step away from HeartBleed for a moment though, and consider how many people have chosen to solve this critical issue. Anyone following @puppetlabs on Twitter has seen:

package { 'openssl': ensure => latest, }

Now, it is absolutely awesome that people are using tools to solve problems. What I am about to point out is that the people touting this are damaging the reputation of Puppet and other automation tools, because they are not being completely thorough/honest.

Take a person who has no knowledge of Puppet whatsoever, but they have their agents installed, they have the manifests built up, etc. They add that above stanza, it gets deployed... WOOHOO!!!! I'm done! That was easy!

Unfortunately, it wasn’t. Not a single solitary one of the posts talking about this method has addressed one simple and real fact. Updating the package does not restart the service unless you have done more on the backend already.

What does that tell us? Either all of these people already did the groundwork, or — and potentially scarier: None of them understand that their systems are still vulnerable until the services are restarted in order to load the new files, officially replacing the old and vulnerable components.

Even with Ansible, the tool that I use by choice these days, it is not as simple as:

ansible -i inventory/invfile hostset -m yum -a "name=openssl state=latest" -u root

It’s pretty close though... at a very minimum you would need one more command:

ansible -i inventory/invfile hostset -m service -a "name=affected,services,list state=restarted" -u root

The other option of course is to build it into a playbook, and make sure that when you do, you tie in an appropriate handler and notify to your playbook.
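A playbook along those lines, as an added example that is not from the original post: the package task notifies a handler, and the handler restarts every service that loads OpenSSL. The host group `hostset` matches the ad-hoc commands above; the variable name and the service names `httpd` and `postfix` are hypothetical placeholders for your own list.

```yaml
---
# Added example, not the author's playbook.
# Assumptions: hosts are in the "hostset" group used above and use yum.
- hosts: hostset
  remote_user: root
  vars:
    # Hypothetical list: replace with every daemon on these hosts that
    # links against OpenSSL.
    openssl_dependent_services:
      - httpd
      - postfix

  tasks:
    - name: Update openssl to the latest packaged version
      yum:
        name: openssl
        state: latest
      # The handler is queued only when this task reports "changed",
      # i.e. when the package was actually upgraded on this run.
      notify: restart openssl-dependent services

  handlers:
    # Runs once at the end of the play, after all tasks have finished.
    - name: restart openssl-dependent services
      service:
        name: "{{ item }}"
        state: restarted
      loop: "{{ openssl_dependent_services }}"
```

On a host where the package was already upgraded earlier, the task reports no change and the handler never fires, so those hosts still need the ad-hoc restart command shown above.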

If you are going to start automating things, please ensure you have a complete and thorough understanding of the details you are automating, or you expose yourself, along with anyone else who happens to hear your cheering, thinks you're an expert, and follows your lead.

Together we have the power to share knowledge. I would love to see @puppetlabs ensure that people know exactly what is necessary for their users to properly, safely, and completely update their systems against the OpenSSL vulnerability.

-Villain
