Skip to content
Snippets Groups Projects
Select Git revision
  • master default protected
  • tpa-rfc-80-merge-tor-and-tails-support-policies
  • puppet-merge-costs
  • rfc-77-improv
  • tails-merge-admin-mailing-lists
  • mkdocs
  • new-blog-doc
7 results
Blame Permalink
tpa-rfc-3-tools.md 4.15 KiB 
title: TPA-RFC-3: tools

Summary: we try to restrict the number of tools users and sysadmins need to learn to operate in our environment. This policy documents which tools we use.

Background

A proliferation of tools can easily creep up into an organisation. By limiting the number of tools in use, we can keep training and documentation to a more reasonable size. There's also the off chance that someone might already know all or a large proportion the tools currently in use if the set is smaller and standard.

Proposal

This proposal formally defines which tools are used and offered by TPA for various things inside of TPO.

We try to have one and only one tool for certain services, but sometimes we have many. In that case, we try to deprecate one of the tools in favor of the other.

Scope

This applies to services provided by TPA, but not necessarily to all services available inside TPO. Service admins, for example, might make different decisions than the ones described here for practical reasons.

Tools list

This list consists of the known policies we currently have established.

  1. version control: git, gitolite
  2. operating system: Debian packages (official, backports, third-party and TPA)
  3. host installation: debootstrap, FAI
  4. ad-hoc tools: SSH, Cumin
  5. directory servers: OpenLDAP, BIND, ud-ldap, Hiera
  6. authentication servers: OpenLDAP, ud-ldap
  7. time synchronisation: NTP (ntp Debian package, from ntp.org)
  8. Network File Servers: DRBD
  9. File Replication Servers: static mirror system
  10. Client File Access: N/A
  11. Client OS Update: unattended-upgrades, needrestart, dsa nagios checks, multiple reboot tools (ticket #33406)
  12. Client Configuration Management: Puppet
  13. Client Application Management: Debian packages, systemd lingering, cron @reboot targets (deprecated)
  14. Mail: SMTP/Postfix, Mailman, ud-ldap, dovecot (on gitlab)
  15. Printing: N/A
  16. Monitoring: syslog-ng central host, Nagios, Prometheus, Grafana, no paging
  17. password management: pwstore
  18. help desk: Trac, email, IRC
  19. backup services: bacula, postgresql hot sync
  20. web services: Apache, Nginx, Varnish (deprecated), haproxy (deprecated)
  21. documentation: ikiwiki, Trac wiki
  22. datacenters: Hetzner cloud, Hetzner robot, Cymru, Sunet, Linaro, Scaleway (deprecated)
  23. Programming languages: Python, Perl (deprecated), shell (for short programs)

TODO

  1. figure out scope... list has grown big already
  2. are server specs part of this list?
  3. software raid?
  4. add Gitlab issues to help desk, deprecate Trac
  5. add Fabric to host installs and ad-hoc tools
  6. consider Gitlab wiki as a ikiwiki replacement?
  7. add RT to help desk?

Examples

  • all changes to servers should be performed through Puppet, as much as possible...
  • ... except for services not managed by TPA ("service admin stuff"), which can be deployed by hand, Ansible, or any other tool

Deadline

No deadline set yet, still drafting.

Status

This proposal is currently in the draft state.

References

Drafting this policy was inspired by the limiting tool dev choices blog post from Chris Siebenmann from the University of Toronto Computer Science department.

The tool classification is a variation of the infastructures.org checklist, with item 2 changed from "Gold Server" to "Operating System". The naming change is rather dubious, but I felt that "Gold Server" didn't really apply anymore in the context of configuration management tools like Puppet (which is documented in item 13). Debian is a fundamental tool at Tor and it feels critical to put it first and ahead of everything else, because it's one thing that we rely on heavily. It also does somewhat acts as a "Gold Server" in that it's a static repository of binary code. We also do not have uniform "Client file access" (item 10) and "Printing" (item 16). Item 18 ("Password management") was also added.