Re: [tor-bugs] #33766 [Internal Services/Tor Sysadmin Team]: DNS renumbering procedure fails if git is untouched
#33766: DNS renumbering procedure fails if git is untouched
-------------------------------------------------+-------------------------
Reporter: anarcat | Owner: tpa
Type: defect | Status: needs_revision
Priority: High | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
* status: new => needs_revision
Comment:
Here's what I found out so far.
1. `ud-generate` writes stuff in `/var/cache/userdir-ldap/hosts`, one
directory per host
2. `ud-replicate` rsyncs that stuff to `/var/lib/misc` on all hosts
3. DNS servers (nevii and falax, at first glance) are special and have a
precious little `dns-sshfp` file that gets generated with all those
"automatic" records from the `ipHostNumber` field in LDAP
4. that file is therefore dropped in `/var/lib/misc/thishost/dns-sshfp`
on nevii
5. the zone file used by bind is in
`/srv/dns.torproject.org/var/generated/torproject.org` on nevii, but it
doesn't include the file generated by `ud-replicate`, so it's generated by
something else
I'm about there in my investigation. It looks like the file is actually
generated after a git hook, triggered from cupani; for example, look at
this push on the `dns/domains.git` repo:
{{{
Push to git@xxxxxxxxxxxxxxxxxxxxx:admin/dns/domains
[...]
remote: via /srv/git.torproject.org/git-helpers/post-receive-diff
remote: == 00-sync-to-mirror ==
remote: == commit-mail ==
remote: == github-push ==
remote: == gitlab-push ==
remote: == irc-message ==
remote: == per-repo-hook ==
remote: run-parts: executing /srv/git.torproject.org/git-helpers/post-receive-per-repo.d/admin%dns%domains/trigger-dns-server admin/dns/domains /tmp/tmp.1bfbXjedly
remote: [/srv/git.torproject.org/git-helpers/post-receive-per-repo.d/admin%dns%domains/trigger-dns-server] Triggering update on dns master
remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: ***** start of script *****
remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: pre flock
remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: pre git pull
remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: pre update-keys
remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre build-services
remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre for loop
remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre write_zonefile for 0-26.72.229.38.in-addr.arpa
remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre write_zonefile for 0.0.0.5.a.5.0.0.0.b.6.0.1.0.0.2.ip6.arpa
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 1.0.0.0.5.0.0.0.0.0.5.8.7.0.6.2.ip6.arpa
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 144-28.132.35.154.in-addr.arpa
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 16-28.235.45.89.in-addr.arpa
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 30.172.in-addr.arpa
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 64-28.132.35.154.in-addr.arpa
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for b.0.0.0.0.b.6.0.0.0.0.0.0.2.6.2.ip6.arpa
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for onion-router.net
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for rev
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.com
remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.net
remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.org
remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: pre dns-update
remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: done!
remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: ***** end of script *****
remote: == xx-jenkins-trigger ==
remote: [hook[4791]] Triggering jenkins build for (https://git.torproject.org/admin/dns/domains.git, master, 2f5ed1f115f9a5aa6bad82ca7e1a6737fc8088f4).
remote: No git jobs using repository: https://git.torproject.org/admin/dns/domains.git and branches: master
remote: No Git consumers using SCM API plugin for: https://git.torproject.org/admin/dns/domains.git
remote: [hook[4791]] Jenkins triggers done.
To git-rw.torproject.org:admin/dns/domains
bdd0d4e..2f5ed1f master -> master
updating local tracking ref 'refs/remotes/origin/master'
}}}
Therefore, the script in `/srv/dns.torproject.org/bin/update` seems to
have the magic sauce.
I haven't dug any deeper as to why that's not done automatically, what
actually takes the content of `dns-sshfp`, or how this could be done by
hand, but it's definitely something that we should document. This affects
the [https://help.torproject.org/tsa/howto/ganeti/ ganeti import procedure],
but also the [https://help.torproject.org/tsa/howto/new-machine new-machine
procedure].
It is also important to figure out where exactly the TTL gets extracted
from LDAP, and how to change it immediately, for the ganeti procedures.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33766#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
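One way to see what a generated `dns-sshfp`-style fragment looks like, as an added example that is neither the ticket's nor userdir-ldap's own code: it builds A/AAAA and SSHFP records from a constructed LDAP-like host record. The record shape, the `sshHostKeys` field name and the 300-second TTL are assumptions; the SSHFP algorithm and fingerprint-type numbers follow RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import ipaddress

# OpenSSH key type -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALG = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
             "ssh-ed25519": 4}
# SSHFP fingerprint type number -> hash taken over the base64-decoded key blob.
SSHFP_FPTYPE = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_records(hostname, pubkey_line, ttl=300):
    """SSHFP lines (SHA-1 and SHA-256) for one OpenSSH public-key line."""
    keytype, blob_b64 = pubkey_line.split()[:2]
    alg = SSHFP_ALG[keytype]           # unknown key types fail loudly (KeyError)
    blob = base64.b64decode(blob_b64)  # the fingerprint covers the raw key blob
    return [f"{hostname}\t{ttl}\tIN\tSSHFP\t{alg} {num} {h(blob).hexdigest()}"
            for num, h in SSHFP_FPTYPE.items()]


def address_records(hostname, addresses, ttl=300):
    """A/AAAA lines for each ipHostNumber value; malformed values are skipped."""
    lines = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                   # a bad LDAP value must not break the zone
        rtype = "AAAA" if ip.version == 6 else "A"
        lines.append(f"{hostname}\t{ttl}\tIN\t{rtype}\t{ip}")
    return lines


def build_fragment(hosts, ttl=300):
    """hosts: dicts with 'hostname', 'ipHostNumber' (list), 'sshHostKeys' (list)."""
    out = []
    for host in sorted(hosts, key=lambda h: h["hostname"]):  # stable, diffable output
        out += address_records(host["hostname"], host["ipHostNumber"], ttl)
        for key in host["sshHostKeys"]:
            out += sshfp_records(host["hostname"], key, ttl)
    return out


# Constructed sample: documentation addresses and a placeholder key blob,
# not a real host or host key (assumed record shape, see lead-in).
SAMPLE_HOSTS = [{"hostname": "example-host",
                 "ipHostNumber": ["192.0.2.12", "not-an-ip", "2001:db8::12"],
                 "sshHostKeys": ["ssh-ed25519 "
                                 + base64.b64encode(b"placeholder-blob").decode()]}]

if __name__ == "__main__":
    print("\n".join(build_fragment(SAMPLE_HOSTS)))
```

Diffing this fragment against the current zone output is a quick way to confirm that a renumbered `ipHostNumber` has actually reached the generated records.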