[wishlist] check for required application options

Bug #1811709 reported by Drew Freiberger
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Juju Lint | Fix Released | High | Unassigned |

Bug Description

The ability to check for required options to have been set or not set would be an excellent way to ensure that all of the bootstack best-practices settings have been applied. For instance, checking for nova-compute (must check charm, not app name) options cpu-mode=custom and cpu-model=/.+/ are set, and on nagios, check for option enable_livestatus=true as required by thruk-agent.

The ability to also check that certain options are not set could help with ensuring security, such as ensuring there's no rootpassword options set on keystone/mysql/etc.

Drew Freiberger (afreiberger) wrote :

This should include a check for ceph-mon customize-failure-domain=true to ensure that ceph utilizes AZs from MAAS.
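The checks requested in the report and in the comment above (required options matched by regex, options that must stay unset, rules keyed by charm rather than application name), as an added example that is not part of the original report and is not juju-lint's code or rule syntax. The `RULES` layout, the function names and the sample deployment are assumptions made for illustration.

```python
import re

# Hypothetical rule table (not juju-lint's rule syntax), keyed by charm name.
# "required": option -> regex the value must fully match; "forbidden": must be unset.
RULES = {
    "nova-compute": {"required": {"cpu-mode": r"custom", "cpu-model": r".+"}},
    "nagios": {"required": {"enable_livestatus": r"true"}},
    "ceph-mon": {"required": {"customize-failure-domain": r"true"}},
    "keystone": {"forbidden": ["rootpassword"]},  # option name as written in the report
    "mysql": {"forbidden": ["rootpassword"]},
}

def charm_name(charm_url):
    """Reduce 'cs:~user/nova-compute-123' or 'ch:nova-compute' to 'nova-compute'."""
    name = charm_url.split(":", 1)[-1].split("/")[-1]
    return re.sub(r"-\d+$", "", name)

def as_text(value):
    """Render an option value as text; booleans become lowercase true/false."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return "" if value is None else str(value)

def lint(applications, rules=RULES):
    """Return sorted (app, option, problem) tuples for every rule violation."""
    findings = []
    for app, spec in applications.items():
        rule = rules.get(charm_name(spec.get("charm", "")))
        if rule is None:
            continue
        options = spec.get("options") or {}
        for opt, pattern in rule.get("required", {}).items():
            if opt not in options:
                findings.append((app, opt, "required option not set"))
            elif not re.fullmatch(pattern, as_text(options[opt])):
                findings.append((app, opt, "value does not match /%s/" % pattern))
        for opt in rule.get("forbidden", []):
            if as_text(options.get(opt)) != "":
                findings.append((app, opt, "option must not be set"))
    return sorted(findings)

# Constructed sample: application names differ from charm names on purpose.
SAMPLE = {
    "compute-kvm": {"charm": "cs:nova-compute-320", "options": {"cpu-mode": "custom", "cpu-model": ""}},
    "nagios": {"charm": "cs:nagios-35", "options": {"enable_livestatus": True}},
    "ceph-mon": {"charm": "ch:ceph-mon", "options": {}},
    "keystone": {"charm": "cs:keystone-300", "options": {"rootpassword": "constructed-value"}},
}
```

Calling `lint(SAMPLE)` reports the empty `cpu-model` on the application named `compute-kvm`, which a lookup by application name would have skipped.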

James Hebden (ec0) wrote :

The current code base now caters for this. If you have suggestions for rule updates please submit an MR against the contributed Canonical rules - these are forming a "good practice" list for folks to check their cloud deployments against. We already have example rules for nova-compute, but any extras would be very welcome additions.

The thruk-agent requiring livestatus is a trickier use case, as thruk-agent is an optional operations charm that doesn't see wide use, and the setting being checked is on another charm. Livestatus is also not specifically required. It may be best to handle this outside of the juju-lint codebase, if that check is required, as I don't think it has wide applicability to clouds deploying using Canonical OpenStack or Charmed Kubernetes.

Changed in juju-lint:
status: New → Fix Released
importance: Undecided → High