TPA team issues
https://gitlab.torproject.org/tpo/tpa/team/-/issues
Updated: 2020-09-28T18:27:03Z

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30673
Ask holder of torproject.is to stop serving the zone
Updated: 2020-09-28T18:27:03Z
Author: Linus Nordberg <linus@torproject.org>

I think Tor Project is the holder of torproject.is.
I'll figure out who to talk to in order to stop serving it.

Assignee: Linus Nordberg <linus@torproject.org>

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30670
Ask holder of torproject.se to stop serving the zone
Updated: 2020-09-28T18:27:03Z
Author: Linus Nordberg <linus@torproject.org>

This happens to be me.
I'll deal with it.

Assignee: Linus Nordberg <linus@torproject.org>

https://gitlab.torproject.org/tpo/tpa/team/-/issues/34371
make db.torproject.org a real debian archive
Updated: 2020-09-28T16:13:49Z
Author: anarcat

I often have trouble uploading packages following our procedure here:
https://help.torproject.org/tsa/howto/build_and_upload_debs/#Uploading_admin_packages
For example, just now I have stumbled upon this:
```
Failed to upload userdir-ldap-cgi_0.3.43~x.tpo.8.dsc to anarcat@alberti.torproject.org:/srv/db.torproject.org/ftp-archive/archive/pool/tpo-all/userdir-ldap-cgi_0.3.43~x.tpo.8.dsc: scp: /srv/db.torproject.org/ftp-archive/archive/pool/tpo-all/userdir-ldap-cgi_0.3.43~x.tpo.8.dsc: Permission denied
```
That was because there was already a `.8.dsc` file from a previous ("UNRELEASED") upload. (I feel it was a mistake to upload such a package in the first place, but that's beside the point: this is only one of many ways this procedure can fail on upload.)
The archive also manually handles OpenPGP certifications and rotations, which is sub-optimal, to say the least, from a security perspective.
Instead, we should use well-known software like reprepro or else to manage the repository, with a proper "incoming" queue.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/34424
backport invoke and fabric to debian buster and update invoke in debian testing
Updated: 2020-09-14T16:21:43Z
Author: anarcat

We rely on newer features of Fabric in our configuration that are not present in Debian buster. Upload a backport to the official Debian backports.

Assignee: anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29412
Find co-maintainers for hiro
Updated: 2020-08-04T13:59:40Z
Author: Linus Nordberg <linus@torproject.org>

Being the only service owner is never good, and especially not for someone who's also in the sysadmin team.
This ticket tracks the progress of identifying services where hiro is the sole maintainer, and fixing them.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/32283
fix up /etc/aliases with puppet
Updated: 2020-07-07T21:10:36Z
Author: weasel (Peter Palfrader)

our new-machine checklist includes
```
* fix `/etc/aliases`:
( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
```
This should probably just move into puppet.

Assignee: anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/33785
ganeti allocator fails to allocate new instances
Updated: 2020-07-06T22:29:07Z
Author: anarcat

for some reason, I can't create new instances in the ganeti cluster:
```
root@fsn-node-01:~# gnt-instance add -o debootstrap+buster -t drbd --no-wait-for-sync --disk 0:size=10G --disk 1:size=2G,name=swap --backend-parameters memory=2g,vcpus=2 --net 0:ip=pool,network=gnt-fsn --no-name-check --no-ip-check test-01.torproject.org
Failure: prerequisites not met for this operation:
error type: insufficient_resources, error details:
Can't compute nodes using iallocator 'hail': Request failed: Group default (preferred): No valid allocation solutions, failure reasons: FailMem: 8, FailN1: 12
```
The `gnt-fsn` network is getting full, but it had one spare IP when that command was run. I see the same behavior with `gnt-fsn13-02`, the new network created to cover the new IP allocation from hetzner which has plenty of room as well.
The nodes do have plenty of disk and memory space to respond to the demand:
```
root@fsn-node-01:~# gnt-node list
Node                       DTotal  DFree MTotal MNode MFree Pinst Sinst
fsn-node-01.torproject.org 893.1G 451.9G  62.8G 38.5G 23.7G     7    14
fsn-node-02.torproject.org 893.1G 561.9G  62.8G 22.8G 39.6G     6    15
fsn-node-03.torproject.org 893.6G 151.4G  62.8G 18.2G 43.6G     5    22
fsn-node-04.torproject.org 893.6G 450.2G  62.8G 24.0G 38.4G     6    12
fsn-node-05.torproject.org 893.6G 232.1G  62.8G  832M 60.8G     3     6
```
It's not clear to me why the allocator is failing.
Note that I've been *adopting* new instances without problems for the past few weeks, so this could be specifically about *creating* new disks.

Assignee: anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/34304
new gnt-fsn node (fsn-node-07)
Updated: 2020-07-02T13:54:27Z
Author: anarcat

need to create one last ganeti node to replace kvm5 (legacy/trac#33084)

Assignee: Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29402
New VM for gitlab
Updated: 2020-07-01T14:59:03Z
Author: Linus Nordberg <linus@torproject.org>

Create a test VM, similar to godard.debian.org (the host running salsa).
It should definitely have apache2 and likely have postfix and dovecot installed and configured. These services are run by tpa.
Ping the gitlab team once the VM is up and running, due week 7 (March 17).

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29401
New group for gitlab
Updated: 2020-07-01T14:59:02Z
Author: Linus Nordberg <linus@torproject.org>

- ahf
- dgoulet
- hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/33084
decommission kvm5, 9 VMs to migrate
Updated: 2020-06-30T14:39:51Z
Author: anarcat

* [x] build-x86-08.torproject.org (buildbox; can be retired any time; but ideally keep while we have kvm5)
* [x] #34415: carinatum.torproject.org (DocTor Host)
* [x] #34418: colchicifolium.torproject.org (collector.torproject.org)
* [x] gitlab-01.torproject.org (dip.torproject.org; retired, replaced with gitlab-02)
* [x] #34417: henryi.torproject.org (consensus-health.torproject.org)
* [x] #34416: materculae.torproject.org (exonerator.torproject.org)
* [x] palmeri.torproject.org (deb.tpo master)
* [x] perdulce.torproject.org (people.torproject.org)
* [x] #34419: staticiforme.torproject.org (static-master.torproject.org)
Remaining work:
* [x] wiping disks (in progress)
* [x] schedule cancel with H.

Assignee: anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30026
move grafana in a docker container
Updated: 2020-06-30T14:04:03Z
Author: anarcat

the summary of the "do we use grafana" and "docker vs debian" discussion held in legacy/trac#29684 is basically: "deploy grafana using Docker". We currently deploy it using Debian packages, so we need to flip that over to the container world.
Because things are working well now and I'd like to finish the deployment, I'm splitting that out into a separate ticket for now.

Assignee: Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/30929
Need a new vm for snowflake monitoring
Updated: 2020-06-30T13:55:13Z
Author: Hiro

I need a new VM to set up snowflake monitoring. In the past for a similar setup (prometheus + grafana) we have used a CX21 instance from Hetzner (5€/mth, 2vCPU, 4GB RAM, 40GB disk, 20TB traffic). Budget for this machine has been approved in the parent ticket.

Assignee: Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/34420
enable Gitlab backups
Updated: 2020-06-30T13:10:27Z
Author: Hiro

I am configuring gitlab backups via cron and the puppet module.
Here is a MR:
https://share.riseup.net/#P2Yu4rpQubidQ0V5r7QM1Q
This does the following:
Configure gitlab backups via the puppet module.
Will create a backup file every night at 2 am on /srv/backups
It will use Gitlab backup command which is a wrapper of the rake task within gitlab rails.
More information on: https://docs.gitlab.com/ee/raketasks/backup_restore.html#back-up-gitlab
It also sets a cron job to back up gitlab secrets every night at 2 am and place it on /srv/backups.

Assignee: Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29901
Point www.tp.o to tpo repository
Updated: 2020-06-30T11:06:05Z
Author: Hiro

Hi,
We would like to switch www.tp.o to the new website.
Could you please point it to the following repository:
https://gitweb.torproject.org/project/web/tpo.git/
I will need to have htaccess overrides enabled.

Assignee: Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/29407
Get search.tpo going
Updated: 2020-06-30T11:04:50Z
Author: Linus Nordberg <linus@torproject.org>

Refresh the email thread from November 2018 with the options from the [Brussels meeting outcome](https://trac.torproject.org/projects/tor/wiki/org/meetings/2019BrusselsAdminTeamMinutes#Search).

Assignee: Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/23574
Don't allow text injection in our 404 page
Updated: 2020-06-30T10:29:09Z
Author: Georg Koppen

We got a report on HackerOne by sumitthehacker:
```
i want to report a text injection and a misconfiguration of the 404 page
the bug exists at :
https://www.torproject.org/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.Attacker.com%20so%20go%20to%20the%20new%20one%20since%20this%20one
as you can see attacker text is included
"It has been changed by a new one https://www.attacker.com so go to the new one since this one was not found on this server."
```

Assignee: Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/4342
move gettor to a tpo machine
Updated: 2020-06-27T14:21:15Z
Author: Erinn Clark

Would it be possible to migrate the existing gettor service to a tpo machine, possibly on our new machine? I don't know if that has all its VMs pre-provisioned, but if it doesn't, it would be awesome if we could put gettor on it, since kaner is having issues with diskspace and bandwidth (i.e., TBBs take up a lot of room and take a long time to transfer.) Adding him to Cc since he can more clearly explain what kinds of resources it needs better than I can.

Assignee: Christian Fromme

https://gitlab.torproject.org/tpo/tpa/team/-/issues/4867
interact with rt.torproject.org via email
Updated: 2020-06-27T14:21:14Z
Author: Andrew Lewman

I find the rt web interface a huge impediment to doing anything with tickets. Is there a way I can interact with rt via email only?
I have basically ignored rt because the web interface gets in the way of doing anything with the system.

Assignee: Andrew Lewman

https://gitlab.torproject.org/tpo/tpa/team/-/issues/4941
migrate the various vhosts on vescum into the mirroring system
Updated: 2020-06-27T14:21:13Z
Author: Andrew Lewman

In order to better utilize our mirrors and get our content less censored (or conversely to spread the censorship around) we need to stop hosting various vhosts on a single webserver.
Currently the following vhosts are not mirrored anywhere, including tor's three webservers:
cloud.tpo, doxygen.tpo, pkgwrt.tpo, thandy.tpo, and torrouter.tpo.
The rough steps are:
1. change the apache disk structure to create a top-level www-master.
2. move cloud, doxygen, pkgwrt, thandy, and torrouter under www-master/sitename/htdocs structure
3. update puppet to include all of these hosts in the standard apache config and push to all webservers.
4. update dns for cloud, doxygen, pkgwrt, thandy, and torrouter to include all three webservers.

Assignee: Andrew Lewman