Monitor the status of a GitHub Enterprise replica

GitHub Enterprise has a convenient script to see if a GitHub replica is in sync with its primary.

$ ghe-repl-status
OK: mysql replication in sync
OK: redis replication is in sync
OK: elasticsearch cluster is in sync
OK: git data is in sync (124 repos, 0 wikis, 0 gists)

I wanted to use this script to monitor the status of replication with Icinga. So I created an SSH key pair for the user ‘icinga’ on the Icinga server.

$ mkdir -m 0700 -p /etc/icinga2/.ssh
$ chown icinga:icinga /etc/icinga2/.ssh
$ ssh-keygen -t rsa -C "icinga@icinga-server"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /etc/icinga2/.ssh/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/icinga2/.ssh/id_rsa.
Your public key has been saved in /etc/icinga2/.ssh/id_rsa.pub.
The key fingerprint is:
...

I then copied the contents of /etc/icinga2/.ssh/id_rsa.pub to /home/admin/.ssh/authorized_keys on the GitHub replica.

Now I can execute the script on the Icinga server:

$ ssh admin@172.31.14.196 -p 122 -i /etc/icinga2/.ssh/id_rsa ghe-repl-status
OK: mysql replication in sync
OK: redis replication is in sync
OK: elasticsearch cluster is in sync
OK: git data is in sync (124 repos, 0 wikis, 0 gists)
OK: pages data is in sync

The problem is that any other command can be executed as the admin user as well, which is something I don’t like.

I had originally implemented a much more complicated solution: creating more keys, configuring sudoers and changing one of the GitHub Enterprise scripts. I posted a request to GitHub support. They pointed out that the changes I made to the script would be overwritten with each upgrade.
They also pointed me to a nice blog post: Restricting public keys

This blog post describes how to limit what can be executed using an SSH key. So I prepended the key with some options:

# from= matches the address of the connecting client, so this must be the Icinga server, not the replica itself
command="ghe-repl-status",from="<ip_of_icinga_server>",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa ...

Now it doesn’t matter which command is requested: the added options make sure that only ‘ghe-repl-status’ is executed:

$ ssh admin@172.31.14.196 -p 122 -i /etc/icinga2/.ssh/id_rsa ls /tmp
OK: mysql replication in sync
OK: redis replication is in sync
OK: elasticsearch cluster is in sync
OK: git data is in sync (124 repos, 0 wikis, 0 gists)
OK: pages data is in sync
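To turn the restricted key into an actual Icinga check, here is the plugin I would write around it (an added example, not part of the original post and not GitHub's or Icinga's code): it runs ghe-repl-status over SSH with the address, port and key path from the post, treats every line that does not start with "OK:" as CRITICAL, and returns the standard plugin exit codes. The page only shows healthy output, so the handling of non-OK lines and the UNKNOWN state for an empty reply are my assumptions.

```shell
#!/bin/sh
# check_ghe_repl_status: Icinga/Nagios plugin wrapping ghe-repl-status over SSH.
# Added example. Assumes the key in /etc/icinga2/.ssh/id_rsa is restricted with
# command="ghe-repl-status" on the replica and that healthy lines start with "OK:";
# any other line is treated as CRITICAL (assumption: failure format is not on the page).
GHE_REPLICA="${GHE_REPLICA:-172.31.14.196}"
GHE_SSH_PORT="${GHE_SSH_PORT:-122}"
GHE_SSH_KEY="${GHE_SSH_KEY:-/etc/icinga2/.ssh/id_rsa}"

# Standard plugin exit codes.
STATE_OK=0; STATE_WARNING=1; STATE_CRITICAL=2; STATE_UNKNOWN=3

# Reads ghe-repl-status output from stdin, prints a one-line summary, returns the state.
evaluate_repl_status() {
    total=0; bad=0; first_bad=""
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        total=$((total + 1))
        case "$line" in
            OK:*) ;;
            *) bad=$((bad + 1)); [ -z "$first_bad" ] && first_bad="$line" ;;
        esac
    done
    if [ "$total" -eq 0 ]; then
        echo "UNKNOWN: no output from ghe-repl-status"; return "$STATE_UNKNOWN"
    elif [ "$bad" -gt 0 ]; then
        echo "CRITICAL: $bad of $total replication checks not in sync ($first_bad)"
        return "$STATE_CRITICAL"
    fi
    echo "OK: all $total replication checks in sync"; return "$STATE_OK"
}

# Live check: BatchMode never prompts, stderr is dropped so SSH warnings stay out of the output.
check_ghe_replica() {
    output=$(ssh -o BatchMode=yes -o ConnectTimeout=10 -p "$GHE_SSH_PORT" \
        -i "$GHE_SSH_KEY" "admin@$GHE_REPLICA" ghe-repl-status 2>/dev/null)
    if [ -z "$output" ]; then
        echo "UNKNOWN: no output from $GHE_REPLICA (ssh or key restriction problem?)"
        return "$STATE_UNKNOWN"
    fi
    printf '%s\n' "$output" | evaluate_repl_status
}

# Only run the live check when installed under the plugin name, so the functions can be tested offline.
case "${0##*/}" in
    check_ghe_repl_status*) check_ghe_replica; exit $? ;;
esac
```

Install it as /usr/lib/nagios/plugins/check_ghe_repl_status (or wherever your PluginDir points) and wire it to a CheckCommand; the forced command on the key means the plugin needs nothing beyond read access to the key file.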