... | @@ -4,7 +4,7 @@ Warning: this procedure is difficult to follow and error-prone. A new |
... | @@ -4,7 +4,7 @@ Warning: this procedure is difficult to follow and error-prone. A new |
|
procedure is being established in Fabric, below. It should still work,
|
|
procedure is being established in Fabric, below. It should still work,
|
|
provided you follow the warnings.
|
|
provided you follow the warnings.
|
|
|
|
|
|
1. long before (weeks or months) the machine is decomissioned, make
|
|
1. long before (weeks or months) the machine is retired, make
|
|
sure users are aware it will go away and of its replacement services
|
|
sure users are aware it will go away and of its replacement services
|
|
2. remove the host from `tor-nagios/config/nagios-master.cfg`
|
|
2. remove the host from `tor-nagios/config/nagios-master.cfg`
|
|
3. if applicable, stop the VM in advance:
|
|
3. if applicable, stop the VM in advance:
|
... | @@ -36,7 +36,7 @@ provided you follow the warnings. |
... | @@ -36,7 +36,7 @@ provided you follow the warnings. |
|
* for a normal machine or a machine we do not own the parent host
|
|
* for a normal machine or a machine we do not own the parent host
|
|
for, wipe the disks using the method described below
|
|
for, wipe the disks using the method described below
|
|
|
|
|
|
6. remove it from ud-ldap: the host entry and any `@<host>` group memberships there might be as well as any `sudo` passwords users might have configured for that host
|
|
6. remove it from LDAP: the host entry and any `@<host>` group memberships there might be as well as any `sudo` passwords users might have configured for that host
|
|
7. if it has any associated records in `tor-dns/domains` or
|
|
7. if it has any associated records in `tor-dns/domains` or
|
|
`auto-dns`, or upstream's reverse dns thing, remove it from there
|
|
`auto-dns`, or upstream's reverse dns thing, remove it from there
|
|
too. e.g.
|
|
too. e.g.
|
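Review bot: In step 6, replacing `ud-ldap` with plain "LDAP" drops the name of the system the operator has to edit, so the step no longer says where the host entry, the `@<host>` group memberships and the `sudo` passwords live. Consider "LDAP (`ud-ldap`)", the same pattern this patch uses for "the puppet server (`pauli`)" in step 8. This is the step that removes leftover access tied to the host, so it is worth keeping unambiguous. The line is also much longer than its neighbours and could be wrapped like them.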
... | @@ -44,16 +44,16 @@ provided you follow the warnings. |
... | @@ -44,16 +44,16 @@ provided you follow the warnings. |
|
grep -r -e build-x86-07 -e 78.47.38.230 -e 2a01:4f8:211:6e8:0:823:6:1
|
|
grep -r -e build-x86-07 -e 78.47.38.230 -e 2a01:4f8:211:6e8:0:823:6:1
|
|
|
|
|
|
... and check upstream reverse DNS.
|
|
... and check upstream reverse DNS.
|
|
8. on pauli: `read host ; puppet node clean $host.torproject.org &&
|
|
8. on the puppet server (`pauli`): `read host ; puppet node clean $host.torproject.org &&
|
|
puppet node deactivate $host.torproject.org`
|
|
puppet node deactivate $host.torproject.org`
|
|
TODO: That procedure is incomplete, use the `retire.revoke-puppet`
|
|
TODO: That procedure is incomplete, use the `retire.revoke-puppet`
|
|
job in fabric instead.
|
|
job in fabric instead.
|
|
9. grep the `tor-puppet` repo for the host (and maybe its IP
|
|
9. grep the `tor-puppet` repository for the host (and maybe its IP
|
|
addresses) and clean up; also look for files with hostname in
|
|
addresses) and clean up; also look for files with hostname in
|
|
their name
|
|
their name
|
|
10. clean host from `tor-passwords`
|
|
10. clean host from `tor-passwords`
|
|
11. remove any certs and backup keys from letsencrypt-domains and
|
|
11. remove any certs and backup keys from `letsencrypt-domains.git` and
|
|
letsencrypt-domains/backup-keys git repositories that are no
|
|
`letsencrypt-domains/backup-keys.git` repositories that are no
|
|
longer relevant:
|
|
longer relevant:
|
|
|
|
|
|
git -C letsencrypt-domains grep -e $host -e storm.torproject.org
|
|
git -C letsencrypt-domains grep -e $host -e storm.torproject.org
|
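Review bot: In step 11, the prose now names `letsencrypt-domains.git` and `letsencrypt-domains/backup-keys.git`, but the command under it still runs `git -C letsencrypt-domains grep` against the first repository only, so the names no longer match the command and the backup-keys repository has no check at all. Suggest keeping the name the command uses, or adding the matching grep for backup-keys. That command also hard-codes `storm.torproject.org` next to `$host`, which reads like a leftover from one particular retirement. In step 8, the reworded line still leads with the `puppet node clean` command that the TODO directly below calls incomplete; consider leading with the `retire.revoke-puppet` job instead.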
... | @@ -115,7 +115,7 @@ offline and writing garbage: |
... | @@ -115,7 +115,7 @@ offline and writing garbage: |
|
|
|
|
|
This will take a long time. Note that it will start a GUI which is
|
|
This will take a long time. Note that it will start a GUI which is
|
|
useful because it will give you timing estimates, which the
|
|
useful because it will give you timing estimates, which the
|
|
commandline version [does not provide](https://github.com/martijnvanbrummelen/nwipe/issues/196).
|
|
command-line version [does not provide](https://github.com/martijnvanbrummelen/nwipe/issues/196).
|
|
|
|
|
|
WARNING: this procedure doesn't cover the case where the disk is an
|
|
WARNING: this procedure doesn't cover the case where the disk is an
|
|
SSD. See [this paper](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.187.3062&rep=rep1&type=pdf) for details on how classic data scrubbing
|
|
SSD. See [this paper](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.187.3062&rep=rep1&type=pdf) for details on how classic data scrubbing
|
... | @@ -142,7 +142,7 @@ When you return: |
... | @@ -142,7 +142,7 @@ When you return: |
|
/tmp/root/sh` next time, although that is only [available in buster
|
|
/tmp/root/sh` next time, although that is only [available in buster
|
|
and later](https://tracker.debian.org/pkg/vmtouch).
|
|
and later](https://tracker.debian.org/pkg/vmtouch).
|
|
|
|
|
|
2. kill all processes but the SSH daemon, your SSH connexion and
|
|
2. kill all processes but the SSH daemon, your SSH connection and
|
|
shell. this will vary from machine to machine, but a good way is
|
|
shell. this will vary from machine to machine, but a good way is
|
|
to list all processes with `systemctl status` and `systemctl stop`
|
|
to list all processes with `systemctl status` and `systemctl stop`
|
|
the services one by one. Hint: multiple services can be passed on
|
|
the services one by one. Hint: multiple services can be passed on
|
... | @@ -154,11 +154,11 @@ When you return: |
... | @@ -154,11 +154,11 @@ When you return: |
|
|
|
|
|
swapoff -a
|
|
swapoff -a
|
|
|
|
|
|
4. unmount everything that can be unmounted (except `/proc`):
|
|
4. un-mount everything that can be unmounted (except `/proc`):
|
|
|
|
|
|
umount -a
|
|
umount -a
|
|
|
|
|
|
5. remount everything else readonly:
|
|
5. remount everything else read-only:
|
|
|
|
|
|
mount -o remount,ro /
|
|
mount -o remount,ro /
|
|
|
|
|
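Review bot: In step 4, "un-mount" is a step backwards from "unmount": the same line keeps "unmounted" and the command below it is `umount -a`, so the step now carries three different forms of the word. Suggest reverting that one word and keeping the "read-only" fix in step 5.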
... | @@ -182,7 +182,7 @@ of an emergency: |
... | @@ -182,7 +182,7 @@ of an emergency: |
|
|
|
|
|
## Alternate, fabric-based procedure
|
|
## Alternate, fabric-based procedure
|
|
|
|
|
|
1. long before (weeks or months) the machine is decomissioned, make
|
|
1. long before (weeks or months) the machine is retired, make
|
|
sure users are aware it will go away and of its replacement services
|
|
sure users are aware it will go away and of its replacement services
|
|
2. remove the host from `tor-nagios/config/nagios-master.cfg`
|
|
2. remove the host from `tor-nagios/config/nagios-master.cfg`
|
|
3. if applicable, stop the VM in advance:
|
|
3. if applicable, stop the VM in advance:
|
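Review bot: Steps 1 to 3 of the fabric-based procedure repeat steps 1 to 3 of the first procedure word for word, which is why the "decomissioned" to "retired" fix has to appear twice in this patch. Consider having one list refer to the other for the shared steps so the two cannot drift apart. The heading also writes "fabric-based" while the warning at the top of the file writes "Fabric"; pick one capitalisation.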
... | | ... | |