{"skill":{"slug":"canary-deploy","displayName":"Canary Deploy","summary":"Safe system changes with automatic baseline capture, canary testing, and rollback for critical infrastructure modifications. Use when making changes to SSH c...","description":"---\nname: canary-deploy\ndescription: Safe system changes with automatic baseline capture, canary testing, and rollback for critical infrastructure modifications. Use when making changes to SSH config, firewall rules, network settings, systemd services, kernel parameters, or any system change that could break remote access. Prevents lockouts by validating connectivity before and after changes. Born from a real incident where AllowTcpForwarding=no killed VPN tunnel access.\n---\n\n# Canary Deploy\n\nSafe system changes with pre-flight checks, validation, and automatic rollback.\n\n## The Problem\n\nSystem changes can lock you out:\n- SSH hardening breaks remote access\n- Firewall rules block needed ports\n- Kernel parameters cause instability\n- Service restarts break dependencies\n\nRecovery without physical access is painful or impossible.\n\n## Quick Start\n\n### Before any critical change\n\n```bash\n# Capture baseline (connectivity, services, ports)\nbash scripts/canary-test.sh baseline\n\n# Make your change\nsudo nano /etc/ssh/sshd_config\n\n# Validate change didn't break anything\nbash scripts/canary-test.sh validate\n\n# If validation fails:\nbash scripts/canary-test.sh rollback\n```\n\n### For automated changes\n\n```bash\n# Full pipeline: baseline → apply → validate → rollback-if-failed\nbash scripts/critical-update.sh \\\n  --name \"SSH hardening\" \\\n  --backup \"/etc/ssh/sshd_config\" \\\n  --command \"sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl reload sshd\" \\\n  --validate \"ssh -o ConnectTimeout=5 localhost echo ok\"\n```\n\n## Protocol A+B (Manual Workflow)\n\nFor interactive sessions where you want human-in-the-loop:\n\n### Protocol A: Test interactively\n\n1. Tell the human: \"Open a second SSH session as backup\"\n2. Apply change in the first session\n3. Ask: \"Test connectivity from the second session\"\n4. If it works → confirm\n5. If it fails → rollback from the backup session\n\n### Protocol B: Backup first\n\n1. Run `bash scripts/canary-test.sh baseline`\n2. Verify backup is valid\n3. Apply change\n4. Run `bash scripts/canary-test.sh validate`\n5. If validation fails → `bash scripts/canary-test.sh rollback`\n\n**Always use both A + B together for maximum safety.**\n\n## What Gets Checked\n\n### Baseline capture\n- SSH connectivity (local + remote)\n- Open ports (ss -tlnp)\n- Running services (systemctl)\n- Firewall rules (ufw/iptables)\n- Network routes\n- DNS resolution\n- Config file checksums\n\n### Validation\n- All baseline checks re-run\n- Diff against baseline\n- Any regression = FAIL\n\n## Critical Change Categories\n\n| Category | Risk | Example | Recovery |\n|----------|------|---------|----------|\n| SSH config | 🔴 HIGH | sshd_config changes | Backup session |\n| Firewall | 🔴 HIGH | UFW/iptables rules | Pre-change snapshot |\n| Network | 🔴 HIGH | Interface/routing changes | Console access |\n| Services | 🟡 MEDIUM | systemd unit changes | systemctl restart |\n| Kernel params | 🟡 MEDIUM | sysctl changes | Reboot to defaults |\n| Packages | 🟢 LOW | apt install/upgrade | apt rollback |\n\n## References\n\nSee `references/incident-report.md` for the real incident that inspired this skill.\n","topics":["Deploy"],"tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":733,"installsAllTime":28,"installsCurrent":0,"stars":0,"versions":1},"createdAt":1772550229672,"updatedAt":1779077687451},"latestVersion":{"version":"1.0.0","createdAt":1772550229672,"changelog":"Initial release: canary-test.sh + critical-update.sh for safe system changes with baseline capture, validation, and automatic rollback","license":null},"metadata":null,"owner":{"handle":"lolaopenclaw","userId":"s17an2jcaymgm7f3dzpdb36pt1885n4e","displayName":"lolaopenclaw","image":"https://avatars.githubusercontent.com/u/259362584?v=4"},"moderation":{"isSuspicious":false,"isMalwareBlocked":false,"verdict":"clean","reasonCodes":["review.llm_review"],"summary":"Review: review.llm_review","engineVersion":"v2.4.24","updatedAt":1780089744875}}