Canary Deploy
by @lolaopenclaw
Safe system changes with automatic baseline capture, canary testing, and rollback for critical infrastructure modifications. Use when making changes to SSH c...
clawhub install canary-deployπ About This Skill
name: canary-deploy description: Safe system changes with automatic baseline capture, canary testing, and rollback for critical infrastructure modifications. Use when making changes to SSH config, firewall rules, network settings, systemd services, kernel parameters, or any system change that could break remote access. Prevents lockouts by validating connectivity before and after changes. Born from a real incident where AllowTcpForwarding=no killed VPN tunnel access.
Canary Deploy
Safe system changes with pre-flight checks, validation, and automatic rollback.
The Problem
System changes can lock you out:
Recovery without physical access is painful or impossible.
Quick Start
Before any critical change
# Capture baseline (connectivity, services, ports)
bash scripts/canary-test.sh baselineMake your change
sudo nano /etc/ssh/sshd_configValidate change didn't break anything
bash scripts/canary-test.sh validateIf validation fails:
bash scripts/canary-test.sh rollback
For automated changes
# Full pipeline: baseline β apply β validate β rollback-if-failed
bash scripts/critical-update.sh \
--name "SSH hardening" \
--backup "/etc/ssh/sshd_config" \
--command "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl reload sshd" \
--validate "ssh -o ConnectTimeout=5 localhost echo ok"
Protocol A+B (Manual Workflow)
For interactive sessions where you want human-in-the-loop:
Protocol A: Test interactively
1. Tell the human: "Open a second SSH session as backup" 2. Apply change in the first session 3. Ask: "Test connectivity from the second session" 4. If it works β confirm 5. If it fails β rollback from the backup session
Protocol B: Backup first
1. Run bash scripts/canary-test.sh baseline
2. Verify backup is valid
3. Apply change
4. Run bash scripts/canary-test.sh validate
5. If validation fails β bash scripts/canary-test.sh rollback
Always use both A + B together for maximum safety.
What Gets Checked
Baseline capture
Validation
Critical Change Categories
| Category | Risk | Example | Recovery | |----------|------|---------|----------| | SSH config | π΄ HIGH | sshd_config changes | Backup session | | Firewall | π΄ HIGH | UFW/iptables rules | Pre-change snapshot | | Network | π΄ HIGH | Interface/routing changes | Console access | | Services | π‘ MEDIUM | systemd unit changes | systemctl restart | | Kernel params | π‘ MEDIUM | sysctl changes | Reboot to defaults | | Packages | π’ LOW | apt install/upgrade | apt rollback |
References
See references/incident-report.md for the real incident that inspired this skill.
π‘ Examples
Before any critical change
# Capture baseline (connectivity, services, ports)
bash scripts/canary-test.sh baselineMake your change
sudo nano /etc/ssh/sshd_configValidate change didn't break anything
bash scripts/canary-test.sh validateIf validation fails:
bash scripts/canary-test.sh rollback
For automated changes
# Full pipeline: baseline β apply β validate β rollback-if-failed
bash scripts/critical-update.sh \
--name "SSH hardening" \
--backup "/etc/ssh/sshd_config" \
--command "sudo sed -i 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config && sudo systemctl reload sshd" \
--validate "ssh -o ConnectTimeout=5 localhost echo ok"