# Onion Services Site Reliability Engineering - Kickstart Meeting - 2022-02-08

[[_TOC_]]

## Participants

* Anarcat
* David
* Hiro
* Rhatto

## Agenda

See initial version of the [OnionSRE page](https://gitlab.torproject.org/tpo/onion-support/-/wikis/onion-service-sre).

## Discussion

(Free note taking, doesn't necessarily/precisely represent what people said)

Rhatto:

* Short intro, summarizing stuff above.

Hiro:

* When talking last year with one of the media partners: something that helps on the community side: someone that does a course (bootcamp) on devops, applying stuff like Terraform, Ansible etc.
* What would be easier for rhatto to do (script, Ansible).

Anarcat:

* Puppet/agent:
  * TPA is a big Puppet shop. But don't think it's the good tool for the job: too central, like having a central Puppet server.
  * Also Ansible is more popular.
  * Ansible has few requirements, easier to deploy and to reuse.
* Not sure about Terraform, issues provisioning to Hetzner or Ganeti.

Rhatto:

* Maybe something to deploy node instances and on top of that using stuff like Ansible to provision the services?
* How does TPA provision nodes at Hetzner and Ganeti?
* Shall we look at Kubernetes?

Anarcat:

* Before joining Tor: kind of a mess, with shell scripts.
* Wrote a kind of a Debian installer with Python + Fabric.
* The installer makes a machine configured up to be added to LDAP/Puppet.
* Maybe an MVP that uses Ansible (services setup) and then another using Terraform (node setup).

Hiro:

* Docker Swarm using Terraform.
* Likes Ansible (because of the Python+SSH only requirement).
* About Kubernetes: same issue as with Puppet: have to run a centralized set of control nodes.
* Ansible: lots of recipes available to harden the machine.
* Puppet is complicated I think because it works for your own infrastructure.
* It works for companies because it is tailored to providers.

David:

* There are lots of recipes and blog posts about Ansible for Tor.

Anarcat:

* Docker: does provide some standard environment.
* Like what rhatto did at his skill test.
* Question with Docker: what to do? Swarm, Kubernetes, Compose? Irony with Docker, which is not obvious in how to use in production.
* Docker might be interesting for us to produce Docker containers.
* Part of the job is to do that evaluation.

Rhatto:

* Could do all this research.

Anarcat:

* About stopping using NGINX: having troubles with the blog, upstream charging a lot for the traffic.
* NGINX: generic webserver, had heard lots of good things about it.
* Set up 2 VMs caching the blog, but then retired them as the caching is not.
* NGINX is open core, especially tricky when you want to do monitoring.
* OpenResty is very interesting.

Hiro:

* OpenResty: similar open core model like NGINX.

Rhatto:

* How to connect the solution and the endpoint.
* Questions:
  * Is local .onion keypair generation a good approach?
  * Could offline .onion keys support be in the roadmap?
  * Are backend keys disposable?

David:

* Offline keys: very unlikely to have them until the Rust rewrite.
* Would not bet on that to come for this project.
* Local key generation and deployment: there will be a need for this.
* Would not bet that we could rotate the Onionbalance keys.

## Next

See "Possible next tasks" from the initial version of the [OnionSRE page](https://gitlab.torproject.org/tpo/onion-support/-/wikis/onion-services-sre).