TPA issues
https://gitlab.torproject.org/groups/tpo/tpa/-/issues
2022-04-07T16:00:21Z

https://gitlab.torproject.org/tpo/tpa/team/-/issues/33786
establish the "standard" virtual machine / instance size in Ganeti
2022-04-07T16:00:21Z
anarcat

Ganeti clusters can define parameters for minimum, maximum and "standard" instance sizes. This is currently:
```
# gnt-cluster info
[...]
Instance policy - limits for instances:
bounds specs:
- max/0:
cpu-count: 8
disk-count: 16
disk-size: 1048576
memory-size: 32768
nic-count: 8
spindle-use: 12
min/0:
cpu-count: 1
disk-count: 1
disk-size: 1024
memory-size: 128
nic-count: 1
spindle-use: 1
std:
cpu-count: 1
disk-count: 1
disk-size: 1024
memory-size: 128
nic-count: 1
spindle-use: 1
allowed disk templates: drbd, plain
vcpu-ratio: 4
spindle-ratio: 32
[...]
```
We should at least define some sort of "standard" here and define what the minimum and maximums should be.
for what it's worth, the average memory size right now is around 5GB
```
root@fsn-node-01:~# echo \($(gnt-instance list | awk '{ print $NF }' | grep G'$' | sed 's/G$/+/')0\) / $(gnt-instance list | awk '{ print $NF }' | grep G'$' | wc -l) | bc -l
4.80769230769230769230
```
more investigation would be required to evaluate standard disk and CPU sizes.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/33332
move root passwords to trocla?
2022-04-07T15:58:50Z
anarcat

one manual step of our install process is to initialize the root password and set it in the password manager. that manual step could be completely skipped if we just set the root password in trocla.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/33062
investigate kreb's advice on DNS hijacking
2022-06-03T23:47:50Z
anarcat

After reviewing [this article about recent DNS hijacking incidents](https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/), I think it might be worth reviewing the recommendations given in the article, which are basically:
1. [x] use DNSSEC
2. [ ] Use registration features like Registry Lock that can help protect domain names records from being changed
3. [ ] Use access control lists for applications, Internet traffic and monitoring
4. [ ] Use 2-factor authentication, and require it to be used by all relevant users and subcontractors
5. [x] In cases where passwords are used, pick unique passwords and consider password managers
6. [ ] Review accounts with registrars and other providers
7. [ ] Monitor certificates by monitoring, for example, Certificate Transparency Logs (#40677)
Some of those are impractical: for example 2FA will not work for us if we have one shared account with a provider.
Others have already been done: we have a good DNSSEC deployment and manage passwords properly.
Mainly, I'm curious about investigating Registry lock and CT logs monitoring, the latter which could be added as a Nagios thing, maybe.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30672
Ask holder of torproject.be to stop serving the zone
2022-04-07T16:05:57Z
Linus Nordberg linus@torproject.org

We've asked the holder of torproject.be to stop serving the zone in ticket legacy/trac#27951.
Tracking progress here.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30671
Ask holder of torproject.fr to stop serving the zone
2022-04-07T16:05:55Z
Linus Nordberg linus@torproject.org

We've asked the holder of torproject.fr to stop serving the zone in legacy/trac#27951.
Tracking progress here.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30268
Write down a policy for dist.tpo
2020-09-28T16:05:45Z
boklm

As discussed in legacy/trac#30204, we should have a policy of what stays on dist, and what gets deleted.
We can put this policy on https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure/dist.torproject.org.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29419
Implement something resembling uploading to Debian
2021-03-29T14:44:32Z
Linus Nordberg linus@torproject.org

cf https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes#Cleaningunusedpackagesondist.tpo

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29418
Clean up dist.tpo once
2021-03-29T14:37:15Z
Linus Nordberg linus@torproject.org

cf https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes#Cleaningunusedpackagesondist.tpo

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29409
Host-alive checks (ping) on IPv6
2022-04-07T16:05:28Z
Linus Nordberg linus@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29394
Find another authoritative DNS provider
2022-04-07T16:00:27Z
Linus Nordberg linus@torproject.org

"Shop around and figure out prices"
cf https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes#DNSproviders

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29386
Implement and deploy script for spamming people about account, group and host expiration
2022-05-03T17:45:37Z
Linus Nordberg linus@torproject.org
weasel (Peter Palfrader)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29385
Adapt LDAP scripts to honour expiration dates
2022-05-03T17:45:37Z
Linus Nordberg linus@torproject.org
weasel (Peter Palfrader)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29384
Add to LDAP, for each group, an expiration date
2022-05-03T17:45:37Z
Linus Nordberg linus@torproject.org
weasel (Peter Palfrader)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29383
Add to LDAP, for each user account, an expiration date
2022-05-03T17:45:37Z
Linus Nordberg linus@torproject.org
weasel (Peter Palfrader)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29382
Add to LDAP, for each host, expiration date and list of "stakeholders"
2022-05-03T17:45:37Z
Linus Nordberg linus@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29381
Add to LDAP expiration date and list of "stakeholders"
2022-05-03T17:45:37Z
Linus Nordberg linus@torproject.org

cf https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29380
Link to db.tpo from infrastructure page, for service expiration dates
2022-05-03T17:45:36Z
Linus Nordberg linus@torproject.org

Information about when a system expires will be present in LDAP.
Add appropriate links to db.tpo on https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure, per service, making it easy to figure out when a service is about to expire.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29306
Write a script to mail people informing them about expiration of their service
2022-05-03T17:45:36Z
Jens Kubieziel

We agreed that machines should have an expiration date (see legacy/trac#29304). For this we need a script which looks at the expiration date, sends a mail out to service people informing them about it and suggesting possible actions. weasel agreed to write it.
weasel (Peter Palfrader)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29305
Adapt LDAP to have expiration date and unix groups
2022-05-03T17:45:36Z
Jens Kubieziel

LDAP needs more fields which track the expiration time and has the unix groups for stakeholders. weasel agreed to extend LDAP.
Furthermore someone needs to go over LDAP and add information about the stakeholders plus an expiration date.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/27008
Remove ooniprobe and dependencies
2020-09-28T16:03:42Z
irl

It is not time efficient to maintain the ooniprobe package in a way that is Debian policy compliant. The packages on deb.tpo have fallen out of date and are of limited utility. As such, I proposed that we remove them, and I will do this if there are no objections. This would include the following source packages:
* klein
* ooniprobe
* python-certifi
* python-ipaddress
* txtorcon
All binaries built from these packages would be removed.
I had originally included txtorcon in deb.tpo as a dependency for ooniprobe in older suites. I believe that users can get later versions easily enough from stable-backports on Debian.
Arturo Filastò