GitHub Enterprise has a convenient script to see if a GitHub replica is in sync with its primary.
    $ ghe-repl-status
    OK: mysql replication in sync
    OK: redis replication is in sync
    OK: elasticsearch cluster is in sync
    OK: git data is in sync (124 repos, 0 wikis, 0 gists)
I wanted to use this script to monitor the replication status with Icinga, so I created an SSH key pair for the user 'icinga' on the Icinga server.
    $ mkdir -m 0700 -p /etc/icinga2/.ssh
    $ chown icinga:icinga /etc/icinga2/.ssh
    $ ssh-keygen -t rsa -C "icinga@icinga-server"
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): /etc/icinga2/.ssh/id_rsa
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /etc/icinga2/.ssh/id_rsa.
    Your public key has been saved in /etc/icinga2/.ssh/id_rsa.pub.
    The key fingerprint is: ...

Note that ssh-keygen was run as root here (the default path it offers is /root/.ssh/id_rsa), so the key files it writes are owned by root even though the directory was chowned beforehand. Either chown them to icinga afterwards or run ssh-keygen as the icinga user in the first place, and keep the private key at mode 0600. An unattended check like this needs a key without a passphrase, which is one more reason to restrict what the key is allowed to do on the replica.
I then copied the contents of /etc/icinga2/.ssh/id_rsa.pub to /home/admin/.ssh/authorized_keys on the GitHub replica.
Now I can run the script on the replica from the Icinga server:
    $ ssh admin@172.31.14.196 -p 122 -i /etc/icinga2/.ssh/id_rsa ghe-repl-status
    OK: mysql replication in sync
    OK: redis replication is in sync
    OK: elasticsearch cluster is in sync
    OK: git data is in sync (124 repos, 0 wikis, 0 gists)
    OK: pages data is in sync
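To actually feed this into Icinga, the output has to be turned into a plugin exit code. The following is an added example, not code from the post or from GitHub Enterprise: it evaluates ghe-repl-status output line by line (every line must begin with "OK:"), treats empty output as a failure (ssh could not connect, or the key was rejected), and uses the same host, port and key path as the ssh command above. The sample outputs at the bottom are constructed, including the failure line.

```shell
#!/bin/sh
# Added example, not code from the post or from GitHub Enterprise: a minimal
# Icinga/Nagios-style check that turns ghe-repl-status output into an exit
# code.  Host, port and key path are the ones used in the post; the sample
# outputs below are constructed.

# Read ghe-repl-status output from stdin.  Every non-empty line must start
# with "OK:"; anything else, or no output at all (ssh failed, key rejected),
# is reported as CRITICAL (exit 2).
evaluate_repl_status() {
    total=0
    bad=0
    failed=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        total=$((total + 1))
        case "$line" in
            OK:*) ;;
            *) bad=$((bad + 1)); failed="$failed [$line]" ;;
        esac
    done
    if [ "$total" -eq 0 ]; then
        echo "CRITICAL - no output from ghe-repl-status (ssh failed or key rejected?)"
        return 2
    fi
    if [ "$bad" -gt 0 ]; then
        echo "CRITICAL - $bad of $total replication checks not OK:$failed"
        return 2
    fi
    echo "OK - all $total replication checks in sync"
    return 0
}

# Live check: the ssh invocation from the post, made non-interactive so a
# missing key or an unknown host key fails fast instead of hanging the check.
check_ghe_repl_status() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 -p 122 -i /etc/icinga2/.ssh/id_rsa \
        admin@172.31.14.196 ghe-repl-status 2>/dev/null | evaluate_repl_status
}

# Constructed sample outputs (the failure line is made up for the example).
SAMPLE_OK='OK: mysql replication in sync
OK: redis replication is in sync
OK: elasticsearch cluster is in sync
OK: git data is in sync (124 repos, 0 wikis, 0 gists)
OK: pages data is in sync'
SAMPLE_BAD='OK: mysql replication in sync
OK: redis replication is in sync
CRITICAL: elasticsearch cluster is not in sync (constructed failure line)
OK: git data is in sync (124 repos, 0 wikis, 0 gists)
OK: pages data is in sync'

# "--live" queries the replica; otherwise run the evaluator on the samples.
if [ "${1:-}" = "--live" ]; then
    check_ghe_repl_status
else
    printf '%s\n' "$SAMPLE_OK" | evaluate_repl_status
    printf '%s\n' "$SAMPLE_BAD" | evaluate_repl_status || true
fi
```

Installed as a plugin and run with --live, the script's exit status (0 or 2) is what Icinga sees; the first line of output becomes the service status text. BatchMode=yes matters for a monitoring key without a passphrase: it turns any prompt into an immediate failure instead of a stuck check.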
The problem is that the key is not limited to that script: any other command can be run as the admin user with it too, which I didn't like.
I originally implemented a much more complicated solution: creating more keys, configuring sudoers and changing one of the GitHub Enterprise scripts. I posted a request to GitHub support, and they pointed out that my changes to the script would be overwritten with each upgrade.
They also pointed me to a nice blog post: Restricting public keys
That post describes how to limit what a key may do by prefixing it with options in authorized_keys. So I prepended the key with some options:

    command="ghe-repl-status",from="<ip_of_icinga_server>",no-pty,no-agent-forwarding,no-port-forwarding ssh-rsa ...

command= forces ghe-repl-status to run no matter what command the client asks for (the requested command is only passed along in the SSH_ORIGINAL_COMMAND environment variable). from= restricts which client addresses may use the key, so it has to contain the address of the Icinga server, the host that initiates the connection, not the replica's own address. no-pty, no-agent-forwarding and no-port-forwarding turn off the interactive terminal and the forwarding features, none of which the check needs. OpenSSH 7.2 and later also accept the single option restrict, which disables all of these features at once (including ones added in later releases), but whether the appliance's sshd accepts it depends on its OpenSSH version, so the explicit list is the safe choice.
Now it no longer matters which command the client asks for; the forced command runs instead. Asking for 'ls /tmp' still returns the replication status:

    $ ssh admin@172.31.14.196 -p 122 -i /etc/icinga2/.ssh/id_rsa ls /tmp
    OK: mysql replication in sync
    OK: redis replication is in sync
    OK: elasticsearch cluster is in sync
    OK: git data is in sync (124 repos, 0 wikis, 0 gists)
    OK: pages data is in sync

Two quick checks confirm the restriction is in place: the same ssh command from any host other than the Icinga server must be refused (from=), and an interactive login with the key must print the status and exit rather than hand out a shell (command= together with no-pty).
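Since the options are just text in authorized_keys, it is easy to get the entry wrong or to leave an older, unrestricted copy of the key behind. The following is an added example, not code from the post or from GitHub Enterprise: restrict_key builds the entry from a public key line and the client address (adding no-X11-forwarding to the options used above), and audit_authorized_keys reads an authorized_keys file and flags every entry that lacks a forced command, a source restriction or the forwarding switches. The client address 10.0.0.5 and all key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the post or from GitHub Enterprise.
# Builds the restricted authorized_keys entry for the monitoring key and
# audits an authorized_keys file for entries that lack such restrictions.
# The client address 10.0.0.5 and all key material are constructed.

# Prepend the option list to a public-key line ("ssh-rsa AAAA... comment").
# from= names the CLIENT allowed to use the key (the Icinga server), not
# the replica the key is installed on.  no-X11-forwarding is added on top
# of the options used in the post.
restrict_key() {
    pubkey="$1"
    client_ip="$2"
    forced_cmd="${3:-ghe-repl-status}"
    printf 'command="%s",from="%s",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
        "$forced_cmd" "$client_ip" "$pubkey"
}

# Read authorized_keys lines from stdin and print one UNRESTRICTED line per
# entry that is not locked to a command, a source address and no forwarding.
# Returns 1 if any such entry exists, 0 otherwise.  Simplification: option
# values are assumed to contain no whitespace (true for the entry above).
audit_authorized_keys() {
    unrestricted=0
    while IFS= read -r entry; do
        case "$entry" in
            ''|'#'*) continue ;;            # blank lines and comments
        esac
        first="${entry%% *}"                # options field, or key type if none
        case "$first" in
            ssh-*|ecdsa-*|sk-*) opts="" ;;
            *) opts="$first" ;;
        esac
        missing=""
        case "$opts" in *'command="'*) ;; *) missing="$missing command=" ;; esac
        case "$opts" in *'from="'*)    ;; *) missing="$missing from=" ;; esac
        case "$opts" in *no-port-forwarding*|*restrict*) ;;
                        *) missing="$missing no-port-forwarding" ;; esac
        if [ -n "$missing" ]; then
            unrestricted=$((unrestricted + 1))
            echo "UNRESTRICTED (missing:$missing) key comment: ${entry##* }"
        fi
    done
    [ "$unrestricted" -eq 0 ]
}

# Constructed sample of what /home/admin/.ssh/authorized_keys might contain:
# the properly restricted monitoring key, an unrestricted admin key, and an
# old monitoring entry with a forced command but no source restriction.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexamplekey icinga@icinga-server'
SAMPLE_AUTHORIZED_KEYS="$(restrict_key "$SAMPLE_PUBKEY" 10.0.0.5)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleadminkey admin@workstation
# old entry: forced command, but usable from anywhere
command=\"ghe-repl-status\" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleoldkey icinga-old@icinga-server"

# Offline demonstration; the audit exits 1 because two of the three entries
# are unrestricted.  On the replica: audit_authorized_keys < ~admin/.ssh/authorized_keys
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | audit_authorized_keys || true
```

The audit only inspects the options field, so a key comment that happens to contain "command=" is not mistaken for a restriction. Run it after every change to the admin user's authorized_keys, and in particular after an upgrade, to make sure the monitoring key is still the only way in with that key and that no unrestricted copy survived.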