Verified Commit fa5a5c14 authored by anarcat 💥

notes about metrics, logging and PII in puppet

parent 9f0ad077
+19 −0
@@ -1365,6 +1365,25 @@ code is directly pushed to the Puppet server without validation. Work
is being done to [implement automated checks](https://gitlab.torproject.org/tpo/tpa/team/-/issues/31226) but that is only
is being done to [implement automated checks](https://gitlab.torproject.org/tpo/tpa/team/-/issues/31226) but that is only
being deployed on some clients for now.
being deployed on some clients for now.


Note that PuppetDB itself holds performance information about the
Puppet agent runs, which are called "reports". Those reports contain
information about changes operated on each server, how long the agent
runs take and so on. Those metrics could be made more visible by using
a dashboard, but that has not been implemented yet (see [issue
31969][]).

[issue 31969]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/31969

The Puppet server, Puppet agents and PuppetDB keep logs of their
operations. The latter keeps its logs in `/var/log/puppetdb/` for a
maximum of 90 days or 1GB, whichever comes first (configured in
`/etc/puppetdb/request-logging.xml` and
`/etc/puppetdb/logback.xml`). The other logs are sent to `syslog`, and
usually end up in `daemon.log`.

Puppet should hold minimal personnally idenfiable information, like
user names, user public keys and project names.

# Discussion
# Discussion


This section goes more in depth into how Puppet is setup, why it was
This section goes more in depth into how Puppet is setup, why it was
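
Review bot: The added PII paragraph ("Puppet should hold minimal personnally idenfiable information, like user names, user public keys and project names.") does not say where that data lives or how long it is kept, and it has two typos ("personnally idenfiable" should be "personally identifiable"). The two paragraphs before it describe PuppetDB reports and the logs under `/var/log/puppetdb/`, `syslog` and `daemon.log`, but a retention limit (90 days or 1GB) is given only for the PuppetDB logs. Consider stating whether the reports and the syslog-bound logs can contain the listed user names and keys, and what retention applies to them, so the PII statement can be checked against the storage locations documented just above it.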