Sending Announcements

Various OSG teams need to send out announcements about various events (releases, security advisories, planned changes, etc.). This page describes how to send announcements using the osg-notify tool.

Prerequisites

To send announcements, the following conditions must be met:

  • A host with an IP address listed in the SPF Record
  • A sufficiently modern Linux operating system. This procedure has been tested on a FermiCloud Scientific Linux 7 VM and a Linux Mint 18.3 laptop. It is known not to work on a FermiCloud Scientific Linux 6 VM.
  • A valid OSG user certificate to look up contacts in the topology database
  • Local hostname matches DNS
  • DNS forward and reverse lookups in place

    [[email protected] topology]$ hostname
    submit-1.chtc.wisc.edu
    [[email protected] topology]$ host submit-1.chtc.wisc.edu
    submit-1.chtc.wisc.edu has address 128.105.244.191
    [[email protected] topology]$ host 128.105.244.191
    191.244.105.128.in-addr.arpa domain name pointer submit-1.chtc.wisc.edu.

  • (Required for security announcements) A GPG Key to sign the announcement
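
The hostname and DNS prerequisites above can be checked in one pass before any mail is sent. The script below is an added example, not part of the OSG tooling: the function names and the `--check` argument are hypothetical, and it assumes the `host` output format shown in the session above (IPv4 only).

```shell
#!/bin/sh
# Added example: forward-confirmed reverse DNS preflight for the sending host.
# Only `hostname` and `host` come from the page; function names are hypothetical.

# Print every IPv4 address `host` reports for a name, one per line.
forward_ips() {
    host "$1" | awk '/ has address /{print $NF}'
}

# Print every PTR name `host` reports for an address, trailing dot removed.
reverse_names() {
    host "$1" | awk '/ domain name pointer /{sub(/\.$/, "", $NF); print $NF}'
}

# Return 0 only if the name resolves and every address maps back to that name.
check_fcrdns() {
    local name ips ip status
    name="$1"
    status=0
    ips="$(forward_ips "$name")"
    if [ -z "$ips" ]; then
        echo "FAIL: $name has no A record" >&2
        return 1
    fi
    for ip in $ips; do
        # Whole-line, case-insensitive, literal match against the PTR names.
        if reverse_names "$ip" | grep -qixF "$name"; then
            echo "OK: $name -> $ip -> $name"
        else
            echo "FAIL: $ip does not point back to $name" >&2
            status=1
        fi
    done
    return "$status"
}

# Check that the local hostname is fully qualified and passes both lookups.
preflight() {
    local name
    name="$(hostname)"
    case "$name" in
        *.*) ;;
        *) echo "FAIL: hostname '$name' is not fully qualified" >&2; return 1 ;;
    esac
    check_fcrdns "$name"
}

# Query DNS only when asked to, e.g. `sh preflight.sh --check`.
if [ "${1:-}" = "--check" ]; then preflight; fi
```

A non-zero exit status means a receiving mail server may see a mismatch between the sending host's name and address; the SPF prerequisite still has to be checked separately.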

Installation

  1. Install the pre-requisites:

    • Enterprise Linux 7 (first, enable EPEL)

      yum install git python-requests python2-gnupg
      
    • Ubuntu

      apt install git python-requests python-gnupg
      
  2. Install the OSG tools:

    git clone https://github.com/opensciencegrid/topology.git
    
  3. If you are on a FermiCloud VM, update postfix to relay through Fermilab's official mail server:

    echo "transport_maps = hash:/etc/postfix/transport" >> /etc/postfix/main.cf
    echo "*   smtp:smtp.fnal.gov" >> /etc/postfix/transport
    postmap hash:/etc/postfix/transport
    postfix reload
    
  4. Ensure that you can look up contacts in the topology database by using the osg-topology tool to list the contacts:

    cd topology
    bin/osg-topology --cert publicCert.pem \
        --key privateKey.pem list-resource-contacts
    

    If the contacts include email addresses, this is working properly. If you type your password incorrectly, the authentication will silently fail and you won't get email addresses.

  5. Test this setup by sending a message to yourself only. Bonus points for using an email address that goes to a site with aggressive SPAM filtering.

Sending the announcement

Before using osg-notify, update your clone of the topology repo by running:

$ cd topology
$ git pull

Use the osg-notify tool to send the announcement using the relevant options from the following table:

Option                          Description
--dry-run                       Use this option until you are ready to actually send the message
--cert <FILE>                   File that contains your OSG User Certificate
--key <FILE>                    File that contains your Private Key for your OSG User Certificate
--no-sign                       Don't GPG sign the message (release only)
--type production               Not a test message
--message <FILE>                File containing your message
--subject <EMAIL SUBJECT>       The subject of your message
--recipients <LIST OF EMAILS>   List of recipient email addresses, must have at least one
--oim-recipients resources      Select contact associated with resources
--oim-contact-type <TYPE>       Replacing <TYPE> with administrative for release announcements or security for security announcements

Security requirements

Security announcements must be signed using the following options:

  • --sign: GPG sign the message
  • --sign-id <KEYID>: The ID of the key used for signing
  • --from security: The mail comes from the OSG Security Team

For release announcements use the following command:

bin/osg-notify --cert your-cert.pem --key your-key.pem \
    --no-sign --type production --message message-file \
    --subject '<EMAIL SUBJECT>' \
    --recipients "[email protected] [email protected] [email protected] [email protected]" \
    --oim-recipients resources --oim-contact-type administrative

Replace <EMAIL SUBJECT> with an appropriate subject for your announcement.