Joshua Hoblitt added a comment - 07/Aug/17 10:54 AM The yum-cron package is supposed to be apply security updates to {ci,squash,bokeh} .lsst.codes but it appears to no be working. The systemd service file seems to do nothing... [Unit] Description=Run automatic yum updates as a cron job   [Service] Type=oneshot RemainAfterExit=yes ExecStart=/bin/touch /var/lock/subsys/yum-cron ExecStop=/bin/rm -f /var/lock/subsys/yum-cron   [Install] WantedBy=multi-user.target

Joshua Hoblitt added a comment - 07/Aug/17 10:55 AM Manually updating openssl and restarting nginx change the ssllabs rating (as of this moment to an A) https://www.ssllabs.com/ssltest/analyze.html?d=ci.lsst.codes https://www.ssllabs.com/ssltest/analyze.html?d=squash.lsst.codes https://www.ssllabs.com/ssltest/analyze.html?d=bokeh.lsst.codes

Joshua Hoblitt added a comment - 08/Aug/17 11:43 AM - edited These k8s deployements, sandbox-eups, deploy-eups-redirect, ltd-keeper , were using gcr.io/cloud-solutions-images/nginx-ssl-proxy:master-9979ee3 , which dates from 2015 and google has never updated (there are no other tags in the docker registry). I looked at updating the version of openssl in that image but decided against it as it was so old that the gpg keys for the nginx apt repo were no longer valid and the base image had since rebased onto a newer version of debian. I eventually identified the Dockerfile used to build that image: https://github.com/GoogleCloudPlatform/nginx-ssl-proxy . The repo has been updated, despite no images being published, and the Dockerfile was able to build an image without the openssl issue without modification. This has been forked as https://github.com/lsst-sqre/nginx-ssl-proxy and a jenkins build created that will build + push an image as docker.io/lsstsqre/nginx-ssl-proxy:latest . TLS cert expiration, missing hosts, and an ssllabs.com check were added to nagios ( status.lsst.codes ). Additionally, work was done to streamline the deployment of nagios configuration changes. This included setting up travis-ci syntax checking of nagios config changes. The nagios streamlining/CI was the majority of the effort on this ticket.