The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-03-15T16:32:18Z

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31758
upgrade postfix configurations to stretch/buster
2022-03-15T16:32:18Z
anarcat

our postfix configuration as delivered by puppet is pretty old, probably pre-stretch. it's generally not a problem until some upgrade breaks certain assertions. buster seems to have at least broken one, as described in legacy/trac#31743, so it seems it would be a good idea to upgrade our configs everywhere.
first I'll look on all hosts to see if we have this problem elsewhere and then I'll clean up the configs to port to the brave new world...

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31746
Ticket application keeps hanging
2020-06-27T14:17:07Z
Trac

I submitted two tickets for the same issue because it said that my ticket was not submitted so I apologize for the redundancy
**Trac**:
**Username**: Magik

Jens Kubieziel

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31743
SMTP on carinatum
2020-06-27T14:17:07Z
Damian Johnson

Hi lovely sysadmins. DocTor's last [successfully sent notification](https://lists.torproject.org/pipermail/tor-consensus-health/) was on July 8th.
Iirc we performed server upgrades of some sort around this time, and it seems we no longer have an SMTP daemon listening on localhost port 25...
```
09/07/2019 20:52:32 [ERROR] consensus_health_checker.py failed with:
Traceback (most recent call last):
File "/srv/doctor.torproject.org/doctor/consensus_health_checker.py", line 995, in <module>
main()
File "/srv/doctor.torproject.org/doctor/consensus_health_checker.py", line 292, in main
util.send(EMAIL_SUBJECT, body = body, cc = cc, bcc = bcc)
File "/srv/doctor.torproject.org/doctor/util.py", line 145, in send
server = smtplib.SMTP('localhost')
File "/usr/lib/python2.7/smtplib.py", line 256, in __init__
(code, msg) = self.connect(host, port)
File "/usr/lib/python2.7/smtplib.py", line 318, in connect
(code, msg) = self.getreply()
File "/usr/lib/python2.7/smtplib.py", line 366, in getreply
+ str(e))
SMTPServerDisconnected: Connection unexpectedly closed: [Errno 104] Connection reset by peer
```
Mind if we re-enable that daemon?
Thanks! -Damian

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31733
Add gus@tpo as moderator for community team mailing list
2020-06-27T14:17:08Z
Gus

Jens Kubieziel

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31718
Update DNS records for .ooni.torproject.org domains
2020-06-27T14:17:08Z
Arturo Filastò

To make it easier for us to manage where these domains point to it would be great if the records for the domain `explorer.ooni.torproject.org` were to point to `explorer.ooni.io` and the record for `ooni.torproject.org` pointed to `ooni.io`.
The highest priority is the update of explorer.ooni.torproject.org as we are launching that today and we still have places where we link to explorer.ooni.torproject.org instead of explorer.ooni.io.

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31703
Downloading Tor Browser from 2620:0:6b0:b:225:dada:19:1 is painfully slow
2020-06-27T14:17:08Z
richard

Chat
```
(2019-09-11 12:44:26 PM) pospeselr: this one i think: 2620:0:6b0:b:225:dada:19:1
(2019-09-11 12:47:30 PM) pospeselr: though if i wget it it does come down a bit faster
(2019-09-11 12:47:53 PM) arma1: that address is a team cymru address
(2019-09-11 12:48:03 PM) arma1: i wonder if its magic black box ddos defense thinks you're a bad person
(2019-09-11 12:48:21 PM) pospeselr: well i mean i am obviously, but i would still like to dl tor browser quickly >:[
(2019-09-11 12:48:52 PM) pospeselr: and i take it back, the wget dl is slowly slowing down, 80 kb/s now
(2019-09-11 12:49:23 PM) arma1: anarcat: ^ you any good at these topics? :)
(2019-09-11 12:49:43 PM) anarcat: arma1: i'm in a meeting, but i'll be here in 10min
(2019-09-11 12:49:47 PM) anarcat: arma1: what's the TL;DR
(2019-09-11 12:49:59 PM) pospeselr: server slow plz make fast
(2019-09-11 12:50:03 PM) arma1: one of the dist.tpo is being slow for pospeselr
(2019-09-11 12:50:14 PM) arma1: not critical
(2019-09-11 12:50:18 PM) anarcat: one of, which?
(2019-09-11 12:50:37 PM) anarcat: how to reproduce?
(2019-09-11 12:50:38 PM) arma1: dist.torproject.org aka 2620:0:6b0:b:225:dada:19:1
(2019-09-11 12:50:51 PM) anarcat: Host 1.0.0.0.9.1.0.0.a.d.a.d.5.2.2.0.b.0.0.0.0.b.6.0.0.0.0.0.0.2.6.2.ip6.arpa not found: 3(NXDOMAIN)
(2019-09-11 12:50:53 PM) anarcat: great
(2019-09-11 12:51:21 PM) anarcat: that's at cymru
(2019-09-11 12:52:25 PM) anarcat: it's web-cymru-01.torproject.org specifically
(2019-09-11 12:52:34 PM) anarcat: which file should i try to get?
(2019-09-11 12:53:03 PM) anarcat: ( i found the server through a search in ldap)
(2019-09-11 12:53:54 PM) pospeselr: https://dist.torproject.org/torbrowser/8.5.5/tor-browser-linux64-8.5.5_en-US.tar.xz
(2019-09-11 12:54:36 PM) anarcat: Connecting to dist.torproject.org (dist.torproject.org)|2620:0:6b0:b:225:dada:19:1|:443... failed: Network is unreachable.
(2019-09-11 12:54:37 PM) anarcat: duh
(2019-09-11 12:55:18 PM) anarcat: i'm getting 130KB/s there now
(2019-09-11 12:55:30 PM) pospeselr: yeah exactly
(2019-09-11 12:55:41 PM) pospeselr: and it'll slow down to tourghly 50 kb/s shortly
(2019-09-11 12:56:33 PM) anarcat: yeah, there might be saturation there
(2019-09-11 12:56:39 PM) anarcat: i'll take a look at the host (moly)
(2019-09-11 12:58:26 PM) anarcat: network's saturated on moly
(2019-09-11 12:58:28 PM) anarcat: 12MB/s
(2019-09-11 12:58:32 PM) anarcat: mbps
(2019-09-11 1:01:38 PM) arma1: anarcat: in the past, sometimes, cymru ran black box ddos resistance doohickeys on their network, and we discovered them (and bugs in them) by seeing anomalies like this
(2019-09-11 1:09:41 PM) anarcat: well it sure seems like the cymru web mirror is capped to 100mbps
```

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31700
decomission jabber server
2020-06-27T14:17:08Z
anarcat

the jabber server is not really used anymore, and we need the LDAP field for the new email service (in legacy/trac#30608).
decommission the server (chamaemoly) with a warning period for users to have time to migrate their rosters off the server.
roadmap:
1. T-30d (2019-09-16): warn users about impending shutdown,
2. T (2019-10-16): shutdown the jabber service itself (`service prosody stop`)
3. T+7d (2019-10-23): start the server decommissioning process
* remove from nagios
* "undefine" the VM
* queue disk destruction in another +7d
* remove from LDAP
* remove from DNS
* remove from Puppet
* remove from tor-passwords
* remove from documentation
* schedule backup cleanup (+30d?)

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31697
Please update gk's PGP public key (2019 edition)
2020-06-27T14:17:08Z
Georg Koppen

Another year, another subkey update. Please fetch the new subkeys for LDAP.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31690
study trac.torproject.org archival possibilities
2020-06-27T14:17:08Z
anarcat

this is a split out of legacy/trac#30857 to discuss specifically the question of if/how to archive trac.torproject.org.
As mentioned in that ticket, there are a few options on how to deal with trac, provided we have another system we want to use:
1. **the golden redirect set**: every migrated ticket and wiki page has a corresponding ticket/wiki page in GitLab and a gigantic set of redirection rules makes sure they are mapped correctly. probably impractical, but solves the maintenance problem possibly forever.
2. **read-only Trac**: user creation is disabled and existing users are locked from making any change to the site. only a temporary or intermediate measure.
3. **fossilization**: Trac is turned into a static HTML site that can be mirrored like any other site. can be a long term solution and a good compromise with a possibly impossible to design and therefore failing (because incomplete) set of redirection rules.
4. **destruction**: we hate the web and pretend link rot is not a problem and just get rid of the old site, assuming everything is migrated and people will find their stuff eventually. probably not an option.
5. **redirect to the wayback machine**: like **fossilization**, but delegate to the internet archive and hope for the best
== Archive team work
With my archive team hat, I was able to coordinate a first archival of the website during the summer of 2019, as documented in legacy/trac#30857. This is an attempt at doing "3. **fossilization**".
All those jobs end up populating the wayback machine at web.archive.org, but are also available as WARC files, an archival format for web pages.
A first archival of all tickets up to legacy/trac#30856 has been performed here:
https://archive.fart.website/archivebot/viewer/job/5vytc
It's about 600MB of compressed HTML (more or less).
Then a full archival job of the entire site was performed here:
https://archive.fart.website/archivebot/viewer/job/bpu6j
It created about 10GB of WARC files, crawled over 730,000 links (including external sites linked from Trac) and 105.34GiB of data. It took over 5 days:
```
2019-06-17 01:49:02,514 - wpull.application.tasks.stats - INFO - Duration: 5 days, 7:32:55. Speed: 0.0 B/s.
2019-06-17 01:49:02,514 - wpull.application.tasks.stats - INFO - Downloaded: 732488 files, 105.4 GiB.
```
== Other statistics
Archiving the server itself means dealing with:
* ~1GB of attachments
* 4GB PostgreSQL database
The actual server uses around 25GB of disk space because of random junk here and there but that's the very minimum it can be trimmed down to. naturally, we can keep *that* data forever, the problem is keeping the app running on top of that... That would be some incarnation of "4. **destruction**".

Jens Kubieziel

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31686
retire textile
2021-05-18T13:46:18Z
anarcat

textile is one of the first machines in the KVM* series. weasel proposed we move all its VM into the new FSN cluster and retire the box to start saving some money, and eventually grow the cluster.

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31676
decommission togashii
2020-06-27T14:17:09Z
weasel (Peter Palfrader)

I chatted with dgoulet, and we can retire togashii.
We can always set up a new VM for testnet services if they are useful again in the future. But for now, this setup is not in use.
This is part of the "retire textile" drive.

weasel (Peter Palfrader)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31668
Please, update my OpenPGP key in LDAP
2020-06-27T14:17:09Z
juga

I've changed the expiration date and added new userids.
My key is updated in the SKS servers and keys.openpgp.org.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31659
new onionoo hosts
2020-06-27T14:17:09Z
weasel (Peter Palfrader)

Right now we have two onionoo backends (that run the java stuff) and also serve users, and two additional frontend-only hosts (that only serve users and ask the backends if they don't have a cached answer). So we have 4 hosts in total, two of which serve a double role.
To make the setup easier to monitor, scale, and maintain we should split these roles. For communications between frontends and backends we'll switch to using ipsec rather than the stunnels.
As a first step, we'll set up a new backend-only host (on Debian 10/buster) and Iain will set up the service there.

weasel (Peter Palfrader)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31633
publish HTML documentation of our puppet source
2022-04-06T20:54:12Z
anarcat

there are ways of generating HTML versions of Puppet source code, based on the docstrings littering the source code. i've done some tentative runs of this and it looks ... interesting. the utility of this is currently limited by the fact that only 35% of the source is documented, according to `puppet strings`, but i figured I would document the efforts I've done so far already.
Koumbit uses the following Rakefile to generate the docs for their monorepo:
```
#require 'bundler/gem_tasks'
task :default do
  # nothing
  puts('no action')
end

task :doc do
  require 'puppet-strings/tasks/generate'
  # This doesn't seem to really process node files, but
  # an exclude of manifests/ might be interesting.
  Rake::Task['strings:generate'].invoke(
    # This list of included files was taken from
    # https://github.com/puppetlabs/puppet-strings#generating-documentation-with-puppet-strings
    # and should correspond to what puppet-strings does by default, but spanned
    # over all of the code directories in the control repos.
    # It's possible that some directories might include .rb files that were not
    # specified.. We'll have to fix this if we ever encounter such an issue.
    '**/manifests/**/*.pp **/functions/**/*.pp **/types/**/*.pp **/tasks/**/*.pp **/lib/**/*.rb',
    'false',
    'false',
    'markdown'
  )
end

# Generate documentation only for manifests in site/
# This will help to verify if there's anything in our own code that's missing
# comments for documentation. The run will be faster and less noisy than when
# we generate everything.
# Note, though, that it will create an index only for things in site/
task :doc_site do
  require 'puppet-strings/tasks/generate'
  # This doesn't seem to really process node files, but
  # an exclude of manifests/ might be interesting.
  Rake::Task['strings:generate'].invoke(
    'site/**/*.pp site/**/*.rb',
    'false',
    'false',
    'markdown'
  )
end

task :doc_clean do
  system("rm -rf doc")
end

# Mirror doc/ to the FTP host with lftp. The credentials are passed on the
# lftp command line and echoed by the puts below.
task :doc_upload, [:ftp_host, :ftp_port, :ftp_user, :ftp_pass, :ftp_dir] do |t, args|
  puts "lftp -e \"mirror -R doc #{args[:ftp_dir]}\" -u #{args[:ftp_user]},#{args[:ftp_pass]} -p #{args[:ftp_port]} #{args[:ftp_host]}"
  system("lftp -e \"mirror -R doc #{args[:ftp_dir]}; quit\" -u #{args[:ftp_user]},#{args[:ftp_pass]} -p #{args[:ftp_port]} #{args[:ftp_host]}")
end
```
Notice the two different jobs for `site` (private) and `modules` (public).

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31628
please update the following alias
2020-06-27T14:17:09Z
Isabela Fernandes

add Al email on fundraising@torproject.org
email: smith@torproject.org
remove Maria from grants@torproject.org
email: maria@openobservatory.org

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31623
add ahf to speaking@
2020-06-27T14:17:09Z
Gaba
gaba@torproject.org

Alex has been giving more talks this year and is connected with several spaces/conferences/talks. We all would benefit from having him in the speaking@ alias, which is our internal alias to coordinate speaking requests (see legacy/trac#23162).
Please add him :)
Thanks!

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31622
puppet: a static_mirror should not include static_mirror_source
2020-06-27T14:17:09Z
anarcat

```
02:54:39 <weasel> anarcat: conceptually, it makes no sense why a webmirror would include static_mirror_source. mirrors are not sources.
02:55:15 <weasel> it does that via static_mirror.
03:08:24 <nsa> tpo-admin: [tor-puppet/master] 2019-09-04 07:03:59 Peter Palfrader <peter@palfrader.org>: Do not trust facter, the source of lies
03:25:19 <weasel> anarcat: why does puppet create an /etc/ssh/userkeys/mirroradm on colchicifolium
[...]
03:31:07 <weasel> I found your bug. I still don't understand half the things. for instance why collector defines /etc/ssh/userkeys/mirroradm
```

anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31610
Some cdn.torproject.org URLs are giving 404 errors
2020-06-27T14:17:09Z
boklm

I have uploaded the mar files for Tor Browser 8.5.5 on `staticiforme` in the directory `/srv/cdn-master.torproject.org/htdocs/aus1/torbrowser/8.5.5`, and ran `static-update-component cdn.torproject.org`.
After this, some of the .mar files can be downloaded from https://cdn.torproject.org/ as expected, however for some of them we have a 404 error.
An example of URL returning a 404 error is: https://cdn.torproject.org/aus1/torbrowser/8.5.5/tor-browser-osx64-8.5.5_pl.mar
An example of working URL is: https://cdn.torproject.org/aus1/torbrowser/8.5.5/tor-browser-osx64-8.5.5_en-US.mar

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31605
monitor jenkin plugin updates
2022-04-07T16:06:33Z
weasel (Peter Palfrader)

maybe using something like mikap -- https://gist.github.com/mika/a08cb109a601bea9e943aab9ada9691b

https://gitlab.torproject.org/tpo/tpa/team/-/issues/31603
GitHub close Support, tpo, community issues
2020-06-27T14:17:10Z
Gus

Hi, we don't want people reporting issues in GitHub.
We should follow our How To Report Bug/Feedback document:
https://trac.torproject.org/projects/tor/wiki/doc/community/HowToReportBugFeedback

Hiro