
Re: [tor-bugs] #32383 [Internal Services/Tor Sysadmin Team]: retire build-arm-* raspi boxes



#32383: retire build-arm-* raspi boxes
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  weasel
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * owner:  anarcat => weasel


Old description:

> there are three boxes in our infra that are just too slow to provide the
> service they were designed for. they are the
> build-arm-0[123].torproject.org boxes and should be retired.

New description:

 there are three boxes in our infra that are just too slow to provide the
 service they were designed for. they are the
 `build-arm-0[123].torproject.org` boxes and should be retired.

--

Comment:

 retirement checklist:

  1. hosts have long been unusable, ack'd (requested, even) by weasel
  2. N/A - will leave running so weasel can wipe the machines if needed
  3. N/A - not a VM
  4. N/A - will let weasel wipe the machine or destroy the hardware
  5. removed the hosts from ldap
  6. remove the records from the 172.30.0.0/16 zone (30.172.in-addr.arpa)
 and associated sbg namespace (commit 593b1a6 in tor/dns)
  7. remove the three hosts from puppet (`for host in build-arm-01
 build-arm-02 build-arm-03; do puppet node clean $host.torproject.org &&
 puppet node deactivate $host.torproject.org; done`)
  8. removed build-arm* traces from the puppet repo (2dcfd012 and
 da0b4daf)
  9. removed from tor-passwords
  10. removed from the spreadsheet and slight fix in wiki
  11. removed from nagios
  12. N/A hosts not on the backup server
  13. nothing in letsencrypt
  14. ping'd weasel for physical retirement and deletion
  15. not handling mail

 those are the LDAP records removed in step 5, in case that's important:

 {{{
 419 host=build-arm-01,ou=hosts,dc=torproject,dc=org
 host: build-arm-01
 hostname: build-arm-01.torproject.org
 objectClass: top
 objectClass: debianServer
 l: weasel's, Austria
 access: restricted
 admin: torproject-admin@xxxxxxxxxxxxxx
 description: arm build system
 ipHostNumber: 172.30.115.11
 distribution: Debian
 architecture: arm64
 purpose: buildbox
 purpose: porterbox
 sshRSAHostKey: ssh-rsa
 AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nCJTls+EUO2I68O2PkHprbeNeTN0BNY3HJa1OEywsLs3/VaTKQmTaJRuVagvu6yaZqEivxa5Uu5I5zSF6PqE+pQeYhH13UGIcuz4UMaPIDozBjsxAf3YgOWxsWMEmGp/VTT/UGajicsdbf2EvU+eAmxAIJ2O2GeC100+9QkcEy5ztaqjb0NrpnDWZEq5Y7h9KZcJm6TKwTvVnSLxW62nwMMlMEtD0UlOfGpvv+eB/g4zBAZ78lYo6m4tBXkjNCIcw8VgxDtpFNSMD+CrxUQyA8mTXY3SB4n60OV7cWHrw2ERIY15/uO8wSdMuesrhEasO1pdxQGY6jofE0M7cZxZ
 root@build-arm-01
 sshRSAHostKey: ssh-ed25519
 AAAAC3NzaC1lZDI1NTE5AAAAIA52bCa08CAPN2ud7TRY1XPFZFsqvwppFUh3PVk95I7e root@build-arm-01
 machine: Raspberry Pi 3 Model B
 allowedGroups: jenkins

 420 host=build-arm-02,ou=hosts,dc=torproject,dc=org
 host: build-arm-02
 hostname: build-arm-02.torproject.org
 objectClass: top
 objectClass: debianServer
 l: weasel's, Austria
 access: restricted
 admin: torproject-admin@xxxxxxxxxxxxxx
 description: arm build system
 ipHostNumber: 172.30.115.12
 distribution: Debian
 architecture: arm64
 purpose: buildbox
 purpose: porterbox
 sshRSAHostKey: ssh-rsa
 AAAAB3NzaC1yc2EAAAADAQABAAABAQCXuRZZPgwbYm82jSZvyQAz+0RtrrYZGYzdn/aX5r76GnM7Oq98/QwaKYl0oOdmn1ZASc+7XLJpNyB2acUpPLn9vhl6xh9WqBkN79dBJo6sHObSAooWn2LaXfWSPBer4njrnHHT6cGqb8iD8wQBXTctF9Smu8rSRuA7XxVfe6sFeoLDz3wz3IfmIdFB+x0h1xA/BFoLgntJb9mdZv30KUEObOb2yKVO2944gCcFyzO21z285mghFoQkyHeQDNotjXmKmDuf402/XKkBeY8IZ9v2HJhjp9wMtpifaNBH8WWhbbqACAjvq6ZszOR1rm00HojT5NjuT45RFK11JfKYdGy5
 root@build-arm-02
 sshRSAHostKey: ssh-ed25519
 AAAAC3NzaC1lZDI1NTE5AAAAINzK47M11Ls4bTbBqsBPf71fwradRT7yg4QmblBTbnPe root@build-arm-02
 machine: Raspberry Pi 3 Model B
 allowedGroups: jenkins

 421 host=build-arm-03,ou=hosts,dc=torproject,dc=org
 host: build-arm-03
 hostname: build-arm-03.torproject.org
 objectClass: top
 objectClass: debianServer
 l: weasel's, Austria
 access: restricted
 admin: torproject-admin@xxxxxxxxxxxxxx
 description: arm build system
 ipHostNumber: 172.30.115.13
 distribution: Debian
 architecture: arm64
 purpose: buildbox
 purpose: porterbox
 sshRSAHostKey: ssh-rsa
 AAAAB3NzaC1yc2EAAAADAQABAAABAQDDtGwC+Z1nxg43HHJGKUnkcyM1yU6HIaS8f0aSdEC/t3S26U30svMaS/PqXTNaqP3s6j3st8mAq/75X053/Qtin5Xv3Ye44IjiorKNu+s6TSOHl9Ra7l73VqPp6lu7QLQas1pexNkF8damAlM1UglS4jZ6KXM0bsXPMbqd/mHi/0udlgywdJJq0C0cDUT2wt1NXkoiupKub9AMjsr2ysknm32dvjMNiFz258Ro/ymYCksy7Ap3PEp6wFTizQAu9Gn/JhIgiC51ReaBtArxiLr7Sd5AAqM0ZfUx6ozfuseOzU9AtmX2iwlI57htEt/d1T0oEsUB4lKs9S2xy+TL3SSh
 root@build-arm-03
 sshRSAHostKey: ssh-ed25519
 AAAAC3NzaC1lZDI1NTE5AAAAIHr61yI85pa4wxH7dOui75IhyCZMRjrh+tx9FKQUJxXo root@build-arm-03
 machine: Raspberry Pi 3 Model B
 allowedGroups: jenkins
 }}}

 step 5 also involved removing the subgroup here as well:

 {{{
 91 gid=buildusers,ou=users,dc=torproject,dc=org
 gid: buildusers
 objectClass: top
 objectClass: debianGroup
 gidNumber: 1523
 subGroup: sbuild@xxxxxxxxxxxxxxxxxxxxxxxxxxx
 subGroup: sbuild@xxxxxxxxxxxxxxxxxxxxxxxxxxx
 subGroup: sbuild@xxxxxxxxxxxxxxxxxxxxxxxxxxx
 }}}


 there are still some traces of the sbg network left which I haven't
 removed in case we still need to access the mikrotik for whatever reason:

 {{{
 tor-puppet/modules/torproject_org/misc/hoster.yaml:torsbg:
 tor-puppet/modules/ipsec/templates/ferm.erb:peers << "141"+".201.12.0/23" # sbg mikrotik
 }}}

 There's also the hardcoded ipsec config everywhere that should probably be
 cleaned up (or just left to rot). It's not in puppet, so that requires
 manual intervention.

 the sbg mikrotik host is still present in tor-passwords
 `hosts-extra-info`.

 so, next steps:

  1. destroying or scrubbing data on the build-arm-* disks
  2. removing torsbg from `hoster.yaml`
  3. removing sbg from `ferm.erb`
  4. removing sbg from `hosts-extra-info`
  5. removing ipsec configuration from other peers (that is *basically*
 `20-local-peers.conf` everywhere)

 i'm hesitant in doing the latter 4 steps myself as I am worried i would
 cut off access to the machine if weasel needed it for the scrubbing or
 else.

 weasel, this ticket is yours now, so that you deal with the physical machines
 themselves. if you want me to scrub the disks myself, i can do so as well,
 but I figured it would be much easier for you to do that process.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32383#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
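
The comment above removes the hosts from DNS, nagios and puppet by hand and notes traces left in place. As an added example (not part of the ticket or of the Tor sysadmin tooling), this script lists lines in a configuration checkout that still mention the retired hostnames or addresses from the LDAP dump; the sample tree and its file names are constructed.

```shell
#!/bin/sh
# Added example, not from the ticket: list leftover references to retired
# hosts in a checkout of configuration files. Names and addresses are the
# ones in the ticket; the sample tree and its file names are constructed.
RETIRED="build-arm-01 build-arm-02 build-arm-03
172.30.115.11 172.30.115.12 172.30.115.13"

# One extended regex for every name and address. Dots are escaped and the
# match is bounded, so 172.30.115.12 does not also flag 172.30.115.120.
build_pattern() {
    alts=$(printf '%s\n' $RETIRED | sed 's/\./\\./g' | paste -sd'|' -)
    printf '(^|[^0-9A-Za-z.-])(%s)([^0-9A-Za-z-]|$)' "$alts"
}

# Print file:line:text for each hit; exit status 0 means traces remain.
find_traces() {
    grep -rnE -e "$(build_pattern)" "$1"
}

# Number of lines that still mention a retired host.
count_traces() {
    find_traces "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: three stale lines and two near misses.
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/dns" "$d/nagios" "$d/ssh" || return 1
    printf '%s\n' '11.115 IN PTR build-arm-01.torproject.org.' \
        '99.115 IN PTR rebuild-arm-01x.example.org.' > "$d/dns/reverse.zone"
    printf '%s\n' 'address 172.30.115.12' 'address 172.30.115.120' \
        > "$d/nagios/hosts.cfg"
    printf '%s\n' 'build-arm-03.torproject.org,172.30.115.13 ssh-ed25519 KEY' \
        > "$d/ssh/known_hosts"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
find_traces "$tree"
echo "stale lines: $(count_traces "$tree")"
rm -rf "$tree"
```

Because `find_traces` exits 0 only when something matches, it can gate a retirement ticket: the checklist is not finished while it still prints lines.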