ministryofjustice / staff-device-dns-dhcp-admin

Web frontend for managing Staff Device DNS / DHCP servers

Home Page: https://github.com/ministryofjustice/cloud-operations#dhcp--dns

License: MIT License

Dockerfile 0.40% Ruby 79.45% Makefile 0.61% JavaScript 0.60% HTML 17.34% Shell 1.44% SCSS 0.16%

staff-device-dns-dhcp-admin's Introduction


Staff Device DNS / DHCP Admin

This is the web portal for managing Staff Device DNS / DHCP servers

Getting Started

Authenticate with AWS

Assuming you have been granted the necessary access permissions to the Shared Service Account, follow the step-by-step guide in the NVVS DevOps best practices to configure AWS Vault and the AWS CLI with AWS SSO.

Prepare the variables

  1. Clone the repository
  2. Copy .env.example to .env
  3. Modify the .env file and provide values for the variables below:

     Variable | How?
     AWS_PROFILE= | Your AWS-CLI profile name for the Shared Services AWS account. Check this guide if you need help.
     SHARED_SERVICES_ACCOUNT_ID= | Account ID of the MoJO Shared Services AWS account.
     REGISTRY_URL= | <MoJO Development AWS Account ID>.dkr.ecr.eu-west-2.amazonaws.com
     ENV= | Your Terraform namespace from the DNS DHCP Infrastructure repo.

  4. Copy .env.development to .env.<your terraform namespace>

Prerequisite to starting the App

This repo is dependent on a locally running DHCP network. This is so that the admin app can query the DHCP API without timing out.

  1. Clone the repository here
  2. Follow the instructions in the cloned repository to run the dhcp server
  3. Navigate back to this repo

Starting the App

  1. If this is the first time you have set up the project:

    1. Build the base containers

      make build-dev
    2. Set up the database

      make db-setup
  2. Start the application

      make serve

Running Tests

  1. Set up the test database
     make db-setup
  2. Run the entire test suite
     make test

To run individual tests:

  1. Shell onto a test container
     ENV=test make shell
  2. Run the test file or folder
     bundle exec rspec path/to/spec/file

Scripts

There are two utility scripts in the ./scripts directory to:

  1. Migrate the database schema
  2. Deploy new tasks into the service

Deployment

The deploy command is wrapped in a Makefile. It calls ./scripts/deploy, which schedules a zero-downtime phased deployment in ECS.

It doubles the currently running tasks and briefly serves traffic from the new and existing tasks in the service. The older tasks are eventually decommissioned, and production traffic is gradually shifted over to only the new running tasks.

On CI this command is executed from the buildspec.yml file after migrations and publishing the new image to ECR have been completed.

Targeting the ECS Cluster and Service to Deploy

The ECS infrastructure is managed by Terraform. The names of the cluster and service are outputs from the Terraform apply. These values are published to SSM Parameter Store; when this container is deployed, it pulls those values from Parameter Store and sets them as environment variables.

The deploy script references these environment variables to target the ECS Admin service and cluster. This is to avoid depending on hardcoded strings.

The build pipeline assumes a role to access the target AWS account.

Publishing Image from Local Machine

  1. Export the following configurations as an environment variable.
  export DHCP_DNS_TERRAFORM_OUTPUTS='{
    "admin": {
      "ecs": {
        "cluster_name": "[TARGET_CLUSTER_NAME]",
        "service_name": "[TARGET_SERVICE_NAME]"
      }
    }
  }'

This mimics what happens on CI where this environment variable is already set.

When run locally, you need to target the AWS account directly with AWS Vault.

  2. Schedule the deployment
  aws-vault exec [target_aws_account_profile] -- make deploy
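
A pre-deploy check for the DHCP_DNS_TERRAFORM_OUTPUTS variable described above, as an added example that is not code from this repository. The helper names `resolve_deploy_target` and `deploy_command`, and the `aws ecs update-service --force-new-deployment` invocation, are assumptions for illustration and not what ./scripts/deploy actually runs; the sample JSON is constructed. It refuses to proceed when the variable is missing, malformed, or still holds the `[TARGET_...]` placeholders.

```ruby
require "json"

# ECS cluster and service names: up to 255 letters, digits, underscores and hyphens.
ECS_NAME = /\A[A-Za-z0-9_-]{1,255}\z/
REQUIRED_KEYS = %w[cluster_name service_name].freeze

class DeployTargetError < StandardError; end

# Hypothetical helper (an assumption, not part of this repository): read the
# admin.ecs block from the JSON held in DHCP_DNS_TERRAFORM_OUTPUTS and fail
# closed unless both names are present and look like real ECS names.
def resolve_deploy_target(raw)
  if raw.nil? || raw.strip.empty?
    raise DeployTargetError, "DHCP_DNS_TERRAFORM_OUTPUTS is not set"
  end

  outputs = begin
    JSON.parse(raw)
  rescue JSON::ParserError
    raise DeployTargetError, "DHCP_DNS_TERRAFORM_OUTPUTS is not valid JSON"
  end

  admin = outputs.is_a?(Hash) ? outputs["admin"] : nil
  ecs = admin.is_a?(Hash) ? admin["ecs"] : nil
  raise DeployTargetError, "admin.ecs is missing" unless ecs.is_a?(Hash)

  REQUIRED_KEYS.to_h do |key|
    value = ecs[key]
    # "[TARGET_CLUSTER_NAME]" fails here because brackets are not valid in a name.
    unless value.is_a?(String) && value.match?(ECS_NAME)
      raise DeployTargetError,
            "admin.ecs.#{key} is missing, a placeholder, or not a valid ECS name: #{value.inspect}"
    end
    [key.to_sym, value]
  end
end

# Illustrative only: build the command as an argv array so the names are never
# interpolated into a shell string. The real deploy script may call something else.
def deploy_command(target)
  ["aws", "ecs", "update-service",
   "--cluster", target.fetch(:cluster_name),
   "--service", target.fetch(:service_name),
   "--force-new-deployment"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real cluster or service names.
  sample = '{"admin":{"ecs":{"cluster_name":"example-admin-cluster",' \
           '"service_name":"example-admin-service"}}}'
  puts deploy_command(resolve_deploy_target(sample)).join(" ")

  # The README template with its placeholders left in place is refused.
  template = '{"admin":{"ecs":{"cluster_name":"[TARGET_CLUSTER_NAME]",' \
             '"service_name":"[TARGET_SERVICE_NAME]"}}}'
  begin
    resolve_deploy_target(template)
  rescue DeployTargetError => e
    warn "refused: #{e.message}"
  end
end
```
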

Maintenance

AWS RDS SSL Certificate

The AWS RDS SSL certificate is due to expire August 22, 2024. See the documentation for information on updating the certificate closer to the date.

To update the certificate, update the Dockerfile to use the new intermediate (region specific) certificate (found here), and update the config/database.yml to point to the new certificate file path.

DHCP Data Checks

For information on how to perform the data import before network cutover, please see the documentation.

CI/CD

Known Issues

  • Dependabot currently does not provide container image monitoring for the Docker image ruby:3.2.2-alpine3.16, so this Alpine image needs to be updated manually.

staff-device-dns-dhcp-admin's People

Contributors

astrobinson, bagg3rs, caitbarnard, darey-io, dependabot[bot], efuaakum, efuaakumanyi, emileswarts, gary-h9, github-actions[bot], jamesgreen-moj, jbevan4, jivdhaliwal, juddin927, laurentb4, mitchdawson1982, mtouhid, neilkidd, paulmchenry, richrace, satishgummadellimoj, smjmoj, themitchell, wanieldilson

staff-device-dns-dhcp-admin's Issues

Improve API Performance for DHCP Stats

Steps:

💂‍♀️ SPIKE: Sentry TLS version

"Hi Ministry of Justice,
As you may have seen, Sentry is planning to retire support for TLS 1.0 and 1.1.
Our records show that your organization has some projects using TLS 1.0.
We encourage you to upgrade some of your systems to support TLS 1.2+. We know that in some situations, it may not be possible to switch to newer TLS versions, so alternatively, we ask that you update your Sentry SDK configuration to allow TLS 1.0 usage.
If you are using the domain oXXX.ingest.sentry.io in your Sentry SDK configuration, then you can update it to oXXX.insecure.sentry.io to continue using TLS 1.0.
If you have any questions, please feel free to reply directly to this email.
The Sentry Team"

⚠️ `already initialized constant Net::` error with rails 7.0.1 on ruby 2.7.1

After Rails was upgraded to version 7.0.1, we are getting the below warnings when running RSpec tests locally:

/usr/local/lib/ruby/2.7.0/net/protocol.rb:66: warning: already initialized constant Net::ProtocRetryError
/usr/local/bundle/gems/net-protocol-0.1.2/lib/net/protocol.rb:68: warning: previous definition of ProtocRetryError was here
/usr/local/lib/ruby/2.7.0/net/protocol.rb:206: warning: already initialized constant Net::BufferedIO::BUFSIZE
/usr/local/bundle/gems/net-protocol-0.1.2/lib/net/protocol.rb:208: warning: previous definition of BUFSIZE was here
/usr/local/lib/ruby/2.7.0/net/protocol.rb:503: warning: already initialized constant Net::NetPrivate::Socket
/usr/local/bundle/gems/net-protocol-0.1.2/lib/net/protocol.rb:504: warning: previous definition of Socket was here

In order to avoid those errors, we need to upgrade ruby to 3.0.2.

Create New Non Res Wifi Subnets

Created new subnets as per the request from the Non Res Wifi rollout team.

Site | Site allocation | Staff Wireless Subnet | FITS ID | Domain Name | Router IP | Subnet Mask | Exclusion Range | Notes
Cookham Wood | 10.154.32.0/21 | 10.154.32.0/23 | FITS_4175 | a03-COO-1.a03.wp360g.svcs.hp.com | 10.154.32.1 | 255.255.254.0 | 10.154.32.1 - 5 | Exclusion amended 26/1/23
Erlestoke | 10.154.48.0/21 | 10.154.48.0/23 | FITS_0990 | a03-ERL-1.a03.wp360g.svcs.hp.com | 10.154.48.1 | 255.255.254.0 | 10.154.48.1 - 5 | Exclusion amended 26/1/23
Feltham | 10.154.64.0/21 | 10.154.64.0/23 | FITS_0879 | a03-YFE-1.a03.wp360g.svcs.hp.com | 10.154.64.1 | 255.255.254.0 | 10.154.64.1 - 5 | Exclusion amended 26/1/23
Garth | 10.154.80.0/21 | 10.154.80.0/23 | FITS_1032 | a03-GAR-1.a03.wp360g.svcs.hp.com | 10.154.80.1 | 255.255.254.0 | 10.154.80.1 - 5 | Exclusion amended 26/1/23
Lindholme | 10.154.96.0/21 | 10.154.96.0/23 | FITS_0897 | a03-LIH-1.a03.wp360g.svcs.hp.com | 10.154.96.1 | 255.255.254.0 | 10.154.96.1 - 5 | Exclusion amended 26/1/23
Newhall | 10.154.112.0/21 | 10.154.112.0/23 | FITS_0877 | a03-NEW-1.a03.wp360g.svcs.hp.com | 10.154.112.1 | 255.255.254.0 | 10.154.112.1 - 5 | Exclusion amended 26/1/23
Ranby | 10.154.128.0/21 | 10.154.128.0/23 | FITS_0921 | a03-RAN-1.a03.wp360g.svcs.hp.com | 10.154.128.1 | 255.255.254.0 | 10.154.128.1 - 5 | Exclusion amended 26/1/23
Stoke Heath | 10.154.144.0/21 | 10.154.144.0/23 | FITS_1033 | a03-YST-1.a03.wp360g.svcs.hp.com | 10.154.144.1 | 255.255.254.0 | 10.154.144.1 - 5 | Exclusion amended 26/1/23
Styal | 10.154.16.0/21 | 10.154.16.0/23 | FITS_0862 | a03-YSY-1.a03.wp360g.svcs.hp.com | 10.154.16.1/23 | 255.255.254.0 | 10.154.16.1 - 5 | Exclusion amended 26/1/23
Swaleside | 10.154.160.0/21 | 10.154.160.0/23 | FITS_2201 | a03-SWA-1.a03.wp360g.svcs.hp.com | 10.154.160.1/23 | 255.255.254.0 | 10.154.160.1 - 5 | Exclusion amended 26/1/23
The Mount | 10.154.176.0/21 | 10.154.176.0/23 | FITS_1039 | a03-THM-1.a03.wp360g.svcs.hp.com | 10.154.176.1/23 | 255.255.254.0 | 10.154.176.1 - 5 | Exclusion amended 26/1/23
Werrington | 10.154.0.0/21 | 10.154.0.0/23 | FITS_0959 | None currently configured | 10.154.0.1/23 | 255.255.254.0 | 10.154.0.1 - 5 | Exclusion amended 26/1/23
Wetherby | 10.154.192.0/21 | 10.154.192.0/23 | FITS_0890 | a03-WET-1.a03.wp360g.svcs.hp.com | 10.154.192.0/23 | 255.255.254.0 | 10.154.192.1 - 5 | Exclusion amended 26/1/23

Test Issues - Does the new GitHub Org secret work...

User Story

As a…
I need/want/expect to…
So that…

Value / Purpose

No response

Useful Contacts

No response

Additional Information

No response

Definition of Done

Example

  • Documentation has been written / updated
  • README has been updated
  • User docs have been updated
  • Another team member has reviewed
  • Tests are green

📊 User Metrics

User Story

As a… Cloud Ops Engineer
I need/want/expect to… understand how many users have logged into the portal in the last day/week/month/year
So that… we can better understand the use of the portal / liaise with the rest of the business with this information

Value / Purpose

As per the recent road shows the business expects teams / products to be data driven, this metric will tie in with that.

Useful Contacts

NA

Additional Information

NA

Definition of Done (DoD)

As part of refinement it should be decided if the metrics should appear on the portal under a new route e.g. /metrics or /stats OR the data should appear in a Grafana dashboard. It should also be decided if this should be viewable by all users or just the admin if added to a route.

Checklist for definition of done and acceptance criteria, example below (optional).

Test Story Issue

User Story

As a…
I need/want/expect to…
So that…

Value / Purpose

No response

Useful Contacts

No response

Additional Information

No response

Definition of Done

Example

  • Documentation has been written / updated
  • README has been updated
  • User docs have been updated
  • Another team member has reviewed
  • Tests are green

🐛 Makefile errors

Describe the bug.

Makefile needs to be updated post our move from AWS ECR to Docker Hub.

To Reproduce

  1. Pull main.
  2. Run make authenticate-docker.
  3. Receive unbound variable error.

Expected Behaviour

No response

Environment

No response

Additional context

No response

Collaborator review date expires soon for user emileswarts

Hi there

The user @emileswarts has its access for this repository maintained in code here: https://github.com/ministryofjustice/github-collaborators

The review_after date is due to expire within one month, please update this via a PR if they still require access.

If you have any questions, please post in #ask-operations-engineering on Slack.

Failure to update the review_date will result in the collaborator being removed from the repository via our automation.

User access removed, access is now via a team

Hi there

The user emileswarts had Direct Member access to this repository and access via a team.

Access is now only via a team.

You may have less access; it is dependent upon the team's access to the repo.

If you have any questions, please post in #ask-operations-engineering on Slack.

This issue can be closed.

✨ DHCP Portal search feature

User Story

As a user of the DHCP admin interface
I want to easily locate a subnet's site
So that I don't waste time manually looking at every site to find a given subnet

Value / Purpose

No response

Useful Contacts

No response

Additional Information

No response

Definition of Done

Example

  • Documentation has been written / updated
  • README has been updated
  • User docs have been updated
  • Another team member has reviewed
  • Tests are green

⏰ Alert for subnet capacity

User Story

As a CloudOps Engineer
I want an alert when a DHCP pool reaches 90% capacity
So that we can be more proactive with issues on MoJo sites

Value / Purpose

To increase productivity regarding DHCP issues on MoJO sites

Useful Contacts

[Please add any useful contacts, these may include: Stakeholders, SME’s or 3rd Parties]

Additional Information

[Please add any useful links or additional information that would be beneficial to anyone working on this ticket]

Definition of Done (DoD)

AlertManager sends alerts to a Slack channel when any subnet reaches 90% capacity

:sparkles: Add custom DHCP option 234 in Kea Config

User Story

As a… Developer
I want Admin Portal app to… add custom DHCP option 234 def and data in the config file for Kea
So that… Whenever a new config gets generated, the new custom DHCP option is always present for all subnets

Value / Purpose

This new feature enables the MoJ OFFICIAL EUC devices to better share application and Windows Update payloads across the local site network without going out to the WAN and Internet.

Useful Contacts

Matt White, Chandra Singh, Charlie Coverdale

Additional Information

No response

Definition of Done

Example

  • Documentation has been written / updated
  • README has been updated
  • User docs have been updated
  • Another team member has reviewed
  • Tests are green

⏰ No Data Alerting - Rate Metrics

User Story

As a… cloud ops engineer
I need/want/expect to… be alerted when the rate metrics in this dashboard have no data.
So that… I am aware of issues relating to the rate metrics not being picked up.

Value / Purpose

Post-incident, we noted that these metrics had no data and we had not been alerted. This is not acceptable and this ticket should resolve this.

Definition of Done (DoD)

Alerts are triggered when the following metrics provide no data.

[URGENT] <Add a new zone to MOJO DNS for azure.hmpp.root >

User Story

Due to the DXC exit, infrastructure has been decommissioned, leaving azure.hmpp.root unresolvable. As part of the major incident response we have been asked to add the record below urgently in order to direct DNS queries to the Azure Landing Zone.

Value / Purpose

azure.hmpp.root 10.40.0.133 10.40.128.196 forward queries to Azure Landing Zones

Useful Contacts

Matt White

Additional Information

Major incident ref INC2105932

Definition of Done

  • Zone created and infrastructure redeployed
  • Another team member has reviewed
  • Tests are green

DHCP Option 234 - Inform responses being dropped.

**** This ticket serves for information purposes only. ****

The devops team were approached by the EUC team with regards to issues with clients obtaining dhcp option 234. After some testing it became apparent that windows clients first obtained an ip address via a normal discover, offer, request, ack (DORA) flow, however sometime afterwards the client would request parameter 234 via a dhcp inform message. The difference with inform messages is that the response from the dhcp server is sent back directly to the client rather than via the dhcp relay ip. It was suspected that responses from the server were being dropped somewhere as the client never received it. After testing and validating the policies and logs in the 10sc model office environment it was found that there were no firewall rules permitting responses from the dhcp server subnets back to client subnets and the responses were therefore being denied.

🐛 `mysql client library does not support ssl_mode` noted during pipeline run

Describe the bug.

/usr/local/bundle/gems/mysql2-0.5.3/lib/mysql2/client.rb:51: warning: Your mysql client library does not support ssl_mode as expected.

To Reproduce

Look at the DHCP Admin pipeline. This error occurs at the start of every run in each environment.

Expected Behaviour

Error should not occur, needs to be investigated.

Environment

No response

Additional context

No response

:wrench: - Replace hardcoded variables with terraform outputs

User Story

As a CloudOps engineer I expect our code to pull variables from the terraform outputs rather than being hardcoded in scripts so that any changes to names and/or IDs are automatically handled.

Value / Purpose

By removing hardcoded dependencies in our code we can simplify and future proof our systems going forward.

Useful Contacts

Mitch Dawson

Additional Information

/scripts/bootstrap.sh
/scripts/migrate.sh
/scripts/seed.sh

Example:

cluster_name="staff-device-${ENV}-dhcp-admin-cluster"
service_name="staff-device-${ENV}-dhcp-admin"
task_definition="staff-device-${ENV}-dhcp-admin-task"

Definition of Done

Example

  • Affected scripts have been reviewed and updated
  • Documentation has been written / updated
  • Another team member has reviewed
  • Tests are green

⚠️ Set Rate Limit on Sentry.io

User Story

As a Sentry.io user
I want to limit the rate of errors reported to sentry.io
So that we as a team do not use up the transaction quota for MoJ

Value / Purpose

Sentry.io is a shared service across many projects and due to one team not having configured rate limiting a single project has used up the monthly error transaction quota (about 90% in a single day). - let's not be that team.

Useful Contacts

Aaron Robinson

Additional Information

original slack message: https://mojdt.slack.com/archives/C02D2NEF9CJ/p1657787053509449

Sentry.io rate limiting

Cloud Platform guidance.

Definition of Done

Rate limiting correctly configured on Sentry.io for our projects:

  • staff-device-dns-dhcp-admin
  • staff-device-dhcp-metrics-agent
  • staff-device-dns-metrics-agent

⬆️ DNS DHCP Admin Portal MySQL Upgrade Issue.

User Story

As a… Cloud Ops Engineer
I want to… ensure MySQL dependency upgrades are successfully tested locally before being pushed through the pipeline.
So that… I can be confident that no downtime will arise from such upgrades.

Value / Purpose

The purpose of this ticket is to review testing & documentation for Dependabot (MySQL) upgrades. The following PR (499) passed all local development testing but failed to deploy successfully to Dev / Pre-Prod through the pipeline.

There are any...

  • Additional tests that could be written
  • Database upgrade documentation

Useful Contacts

Aaron Robinson (Cloud Ops Team)

Additional Information

#499

https://sentry.io/organizations/ministryofjustice/issues/3247582520/?project=5458370&referrer=slack

Definition of Done

  • Documentation has been written / updated
  • Another team member has reviewed
  • Tests are green

Demo Ticket

User Story

As a…
I need/want/expect to…
So that…

Value / Purpose

No response

Useful Contacts

No response

Additional Information

No response

Definition of Done

Example

  • Documentation has been written / updated
  • README has been updated
  • User docs have been updated
  • Another team member has reviewed
  • Tests are green

⬆️ Migrate to 'sentry-ruby' from 'sentry-raven' as it is now deprecated

User Story

As a Cloud Ops engineer
I expect to be using the latest SDKs (software development kit)
So that our platforms/applications aren't missing important fixes and features.

Value / Purpose

Purpose:
You have 1 project using a deprecated version of the Sentry client. Any SDK that has the package name ‘raven’ may be missing data. Migrate to the latest SDK version.

Value:
Benefits
Unified Interfaces With Other SDKs: The design of sentry-raven is outdated compared with our modern Sentry SDKs. If you also use other Sentry SDKs, such as Sentry's JavaScript SDK for your frontend application, you'll notice that their interfaces are quite different from the one provided for sentry-raven. The new sentry-ruby SDK provides a more consistent user experience across all different platforms.

Performance Monitoring: The Sentry Ruby SDK includes performance monitoring, which you can enable if you haven't already as (discussed here).

Future Support: sentry-raven has entered maintenance mode, which means it won't receive any new feature supports or aggressive bug fixes.

Better Extensibility: Unlike sentry-raven, sentry-ruby is built with extensibility in mind and will allow the community to build extensions for different integrations/features

Useful Contacts

Aaron Robinson

Additional Information

Migration Guide: https://docs.sentry.io/platforms/ruby/migration/

Definition of Done

staff-device-dns-dhcp-admin is migrated from 'sentry-raven' to 'sentry-ruby' and the reminder for the update is no longer present on sentry.io

  • Tests are green

📊 SPIKE: Data Driven Metrics

User Story
As a… Cloud Ops Engineer
I need/want/expect to… provide metrics relating to the portal to the business
So that… we can better understand the use of the portal / liaise with the rest of the business with this information

Value / Purpose
As per the recent road shows the business expects teams / products to be data driven, this metric will tie in with that. This spike will allow us to think of all the metrics we would like to have in future stories.

Definition of Done (DoD)
Provide a list of metrics which later stories can be made from.
