retire cupani

Once all lagacy Git repositories have been migrated to GitLab (#41215 (closed)), retire cupani.

1. announcement (TPA-RFC-36 and tpo/web/blog#40071 (closed) coming up)
2. nagios
3. retire the host in fabric
4. remove from LDAP with ldapvi
5. power-grep
6. remove from tor-passwords
7. remove from DNSwl
8. remove from docs
9. remove from racks (destruction scheduled for +90 days)
10. remove from reverse DNS

marked this issue as related to #40012 (closed)

marked this issue as related to #41180 (closed)

marked this issue as related to #41215 (closed)

changed due date to June 08, 2024

changed milestone to %old service retirement 2023

added Git Icebox labels

changed milestone to %legacy Git infrastructure retirement (TPA-RFC-36)

marked this issue as related to #41248 (closed)

marked this issue as related to #41218 (closed)

marked this issue as related to #41213 (closed)

changed due date to April 24, 2024

in #41213 (closed), the gitolite server (cupani) was locked down by disabling the SSH command completely. if there are no complaints on April 24th, shutdown the server.

added Backlog label and removed Icebox label

assigned to @anarcat

note that i've migrated the gitolite-admin repository to gitlab, as it's used to keep track of migrations and we want to keep updating it. it's not archived, but will be as part of #41215 (closed) once the migration is over.

that said, i've pushed an earlier version of the repo to cupani which was probably the last thing we needed to do here at all, before the retirement, although we might want to double-check the private repositories listed in #41215 (closed) are available on vineale before shutting down cupani.

mentioned in issue #41215 (closed)

i believe everything on cupani is done now, so i am starting the retirement procedure.

added Doing label and removed Backlog label

marked the checklist item announcement (TPA-RFC-36 and tpo/web/blog#40071 (closed) coming up) as completed

changed the description

marked the checklist item retire the host in fabric as completed

marked the checklist item nagios as completed

mentioned in commit tor-nagios@8a5df5ca

messed up the retirement, because i didn't make the right schedules:

anarcat@angela:fabric-tasks[1]$ ./retire -H cupani.torproject.org retire-all --parent-host=fsn-node-01.torproject.org
starting tasks at 2024-04-26 05:13:53.439705+00:00
checking for ganeti master on host fsn-node-01.torproject.org
ganeti node detected with master fsn-node-01.torproject.org
checking on fsn-node-01.torproject.org if instance cupani.torproject.org is running
stopping instance cupani.torproject.org on fsn-node-01.torproject.org
Waiting for job 945564 for cupani.torproject.org ...
scheduling cupani.torproject.org instance removal on host fsn-node-01.torproject.org
scheduling gnt-instance remove --force cupani.torproject.org to run on fsn-node-01.torproject.org in 7 days
warning: commands will be executed using /bin/sh
job 33 at Fri May  3 05:14:00 2024
scheduling cupani.torproject.org backup disks removal on host bungei.torproject.org and director bacula-director-01.torproject.org
checking for path "/srv/backups/bacula/cupani.torproject.org/" on bungei.torproject.org
scheduling rm -rf "/srv/backups/bacula/cupani.torproject.org/" to run on bungei.torproject.org in 30 days
warning: commands will be executed using /bin/sh
job 122 at Sun May 26 05:14:00 2024
checking for path "/srv/backups/pg/cupani/" on bungei.torproject.org
path /srv/backups/pg/cupani/ not found: [Errno 2] No such file
scheduling echo delete client=cupani.torproject.org-fd yes | bconsole to run on bacula-director-01.torproject.org in 30 days
warning: commands will be executed using /bin/sh
job 65 at Sun May 26 05:14:00 2024
Notice: Revoked certificate with serial 103
Notice: Removing file Puppet::SSL::Certificate cupani.torproject.org at '/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem'
cupani.torproject.org
Submitted 'deactivate node' for cupani.torproject.org with UUID f281de40-8419-43f2-9812-46021e173d64
completed tasks, elasped: 0:00:33.910417 (user 6.71 system 0.19 chlduser 0.09 chldsystem 0.1 RSS 56.3 MB)

i canceled the erroneous at jobs by hand and again properly retired the host:

anarcat@angela:fabric-tasks$ ./retire -H cupani.torproject.org retire-all --parent-host=fsn-node-01.torproject.org
starting tasks at 2024-04-26 05:19:50.855775+00:00
checking for ganeti master on host fsn-node-01.torproject.org
ganeti node detected with master fsn-node-01.torproject.org
checking on fsn-node-01.torproject.org if instance cupani.torproject.org is running
instance cupani.torproject.org not running, no stop required
scheduling cupani.torproject.org instance removal on host fsn-node-01.torproject.org
scheduling gnt-instance remove --force cupani.torproject.org to run on fsn-node-01.torproject.org in 90 days
warning: commands will be executed using /bin/sh
job 34 at Thu Jul 25 05:19:00 2024
scheduling cupani.torproject.org backup disks removal on host bungei.torproject.org and director bacula-director-01.torproject.org
checking for path "/srv/backups/bacula/cupani.torproject.org/" on bungei.torproject.org
scheduling rm -rf "/srv/backups/bacula/cupani.torproject.org/" to run on bungei.torproject.org in 365 days
warning: commands will be executed using /bin/sh
job 123 at Sat Apr 26 05:20:00 2025
checking for path "/srv/backups/pg/cupani/" on bungei.torproject.org
path /srv/backups/pg/cupani/ not found: [Errno 2] No such file
scheduling echo delete client=cupani.torproject.org-fd yes | bconsole to run on bacula-director-01.torproject.org in 365 days
warning: commands will be executed using /bin/sh
job 66 at Sat Apr 26 05:20:00 2025
Notice: Revoked certificate with serial 30
Notice: Revoked certificate with serial 103
cupani.torproject.org
Submitted 'deactivate node' for cupani.torproject.org with UUID 7a26d96f-98a8-4b80-9468-9b01d791f217
completed tasks, elasped: 0:00:20.790689 (user 5.97 system 0.14 chlduser 0.08 chldsystem 0.12 RSS 56.2 MB)

VM destroyed in 90 days, backups in a year.

i re-read the RFC again, and the procedure is to retire the backups 12 months after the VM, so that's not 365 days, it's 455 (one year and 3 months) days from now. so, again, canceled by hand and reissued:

anarcat@angela:fabric-tasks$ ./retire -H cupani.torproject.org remove-backups 
starting tasks at 2024-04-26 05:25:07.781589+00:00
checking for path "/srv/backups/bacula/cupani.torproject.org/" on bungei.torproject.org
scheduling rm -rf "/srv/backups/bacula/cupani.torproject.org/" to run on bungei.torproject.org in 455 days
warning: commands will be executed using /bin/sh
job 124 at Fri Jul 25 05:25:00 2025
checking for path "/srv/backups/pg/cupani/" on bungei.torproject.org
path /srv/backups/pg/cupani/ not found: [Errno 2] No such file
scheduling echo delete client=cupani.torproject.org-fd yes | bconsole to run on bacula-director-01.torproject.org in 455 days
warning: commands will be executed using /bin/sh
job 67 at Fri Jul 25 05:25:00 2025
completed tasks, elasped: 0:00:07.918059 (user 1.75 system 0.07 chlduser 0.05 chldsystem 0.06 RSS 55.2 MB)

12 host=cupani,ou=hosts,dc=torproject,dc=org
objectClass: top
objectClass: debianServer
architecture: amd64
host: cupani
hostname: cupani.torproject.org
access: restricted
admin: torproject-admin@torproject.org
distribution: Debian
sshRSAHostKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqKk7DdcughgnjqwLCQBtd5vJueu0xPXONvYFfMAWJYvSLylV7CEAqkCmDN1PUXffH76PGG+X9LrTtQGtG9WrV6Y1lGyYMkR82fkYeXPL3nLdLE+IvSkxKUg3r4qgQ/CsaFKmz8DpfdOqipnKwamncZVemplUDxaC750hCJhacGFtGaM5TbEG+B6Ykx5PXlFPjXJQ8i0tNdwhIq5nfxrUizJzWioTA8LSJ8zb+VrC9/8HaaRnOEIugDC1DJth6pjODmAO+M2aQjbpzBu0CtegIUcW/T76Tt+X3GBFV4uYR+YNA7VKaoI/xxqWku85Tx9G/6E6FUOMhD8QxdIuc968T root@cupani
sshRSAHostKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIVn+MFJptnxYAGSBSmD06c8Aj2h0zSdde+HK7wHN3Rq root@cupani
allowedGroups: git-tor
allowedGroups: gitolite
exportOptions: GITOLITE
l: Falkenstein, Saxony, Germany
ipHostNumber: 116.202.120.182
ipHostNumber: 2a01:4f8:fff0:4f:266:37ff:fe32:cfb2
physicalHost: gnt-fsn
rebootPolicy: justdoit
description: Developers' git host
purpose: [[-git-rw.torproject.org]]

also retired the groups:

366 gid=git-tor,ou=users,dc=torproject,dc=org
gid: git-tor
objectClass: top
objectClass: debianGroup
gidNumber: 1503

435 gid=gitolite,ou=users,dc=torproject,dc=org
objectClass: top
objectClass: debianGroup
gidNumber: 1504
gid: gitolite

and user:

131 uid=git,ou=users,dc=torproject,dc=org
uid: git
objectClass: top
objectClass: debianAccount
objectClass: shadowAccount
objectClass: debianRoleAccount
gidNumber: 1504
shadowLastChange: 14619
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
userPassword: {crypt}*
uidNumber: 1504
emailForward: torproject-admin@torproject.org
loginShell: /bin/dash
gecos: gitolite role,,,,
cn: gitolite role

marked the checklist item remove from LDAP with ldapvi as completed

marked the checklist item remove from tor-passwords as completed

marked the checklist item power-grep as completed

marked the checklist item remove from docs as completed

marked the checklist item remove from DNSwl as completed

marked the checklist item remove from racks as completed

changed the description

marked the checklist item remove from reverse DNS as completed

all done, good bye gitolite! only cgit left!

closed

mentioned in commit wiki-replica@006527c8

mentioned in commit fabric-tasks@6145fb63