c58a236d70
Implement remediation-aware health checks across all Doctor plugin modules (Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment, EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release, Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation, Authority, Core, Cryptography, Database, Docker, Integration, Notify, Observability, Security, ServiceGraph, Sources, Verification). Each check now emits structured remediation metadata (severity, category, runbook links, and fix suggestions) consumed by the Doctor dashboard remediation panel. Also adds: - docs/doctor/articles/ knowledge base for check explanations - Advisory AI search seed and allowlist updates for doctor content - Sprint plan for doctor checks documentation Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2.6 KiB
2.6 KiB
checkId, plugin, severity, tags
| checkId | plugin | severity | tags | ||||
|---|---|---|---|---|---|---|---|
| check.storage.evidencelocker | stellaops.doctor.storage | fail |
|
Evidence Locker Write Access
What It Checks
Verifies evidence locker write permissions and performance. The check:
- Reads the evidence locker path from
EvidenceLocker:PathorStorage:EvidencePath. - Creates the directory if it does not exist.
- Writes a test file, reads it back to verify content integrity, and measures latency.
- Fails if the directory cannot be created, writes are denied (
UnauthorizedAccessException), or content read-back does not match (storage corruption). - Warns if write latency exceeds 100ms (elevated I/O latency, e.g., slow NFS/CIFS backend).
- Cleans up the test file after the check.
The check only runs when an evidence locker path is configured.
Why It Matters
The evidence locker stores cryptographically signed release evidence -- attestations, SBOM snapshots, policy evaluation results, and audit trails. If the locker is not writable, releases cannot produce verifiable evidence, blocking policy-gated promotions and breaking auditability guarantees. This is a severity-fail check because evidence integrity is a core platform invariant.
Common Causes
- Insufficient file system permissions
- Directory owned by a different user
- SELinux/AppArmor blocking writes
- Disk full
- Filesystem mounted read-only
- Slow network-attached storage (NFS/CIFS) causing high latency
How to Fix
Docker Compose
environment:
EvidenceLocker__Path: "/var/lib/stellaops/evidence"
volumes:
- evidence-data:/var/lib/stellaops/evidence
# Check permissions inside container
docker exec <platform-container> ls -la /var/lib/stellaops/evidence
# Fix permissions
docker exec <platform-container> chown -R stellaops:stellaops /var/lib/stellaops/evidence
Bare Metal / systemd
# Create directory
mkdir -p /var/lib/stellaops/evidence
# Set ownership and permissions
chown -R stellaops:stellaops /var/lib/stellaops/evidence
chmod 750 /var/lib/stellaops/evidence
# Check disk space
df -h /var/lib/stellaops/evidence
# Check mount status
mount | grep $(df --output=source /var/lib/stellaops/evidence | tail -1)
Kubernetes / Helm
evidenceLocker:
path: "/var/lib/stellaops/evidence"
persistence:
enabled: true
size: 50Gi
storageClass: "fast-ssd" # use fast storage to avoid latency warnings
Verification
stella doctor run --check check.storage.evidencelocker
Related Checks
check.storage.diskspace— verifies sufficient disk space is availablecheck.storage.backup— verifies backup directory accessibility