new-machine.md

• How to
  • Burn-in
  • Installation
  • Post-install configuration
    • Pre-requisites
    • Main procedure
• Reference
  • Design
  • Issues
• Discussion
  • Overview
  • Goals
    • Must have
    • Nice to have
    • Non-Goals
  • Approvals required
  • Proposed Solution
  • Cost
  • Alternatives considered

How to

Burn-in

Before we even install the machine, we should do some sort of stress-testing or burn-in so that we don't go through the lengthy install process and put into production fautly hardware.

This implies testing the various components to see if they support a moderate to high load. A tool like stressant can be used for that purpose, but a full procedure still needs to be established.

Example stressant run:

apt install stressant
stressant --email torproject-admin@torproject.org --overwrite --writeSize 10% --diskRuntime 120m --logfile fsn-node-04-sda.log --diskDevice /dev/sda

This will wipe parts of /dev/sda, so be careful. If instead you want to test inside a directory, use this:

stressant --email torproject-admin@torproject.org  --diskRuntime 120m --logfile fsn-node-05-home-test.log --directory /home/test --writeSize 1024M

Stressant is still in development and currently has serious limitations (e.g. it tests one disk at a time and clunky UI) but should be a good way to get started.

Installation

This document assumes the machine is already installed with a Debian operating system. We preferably install stable or, when close to the release, testing. Here are site-specific installs:

• Hetnzer Cloud
• Hetzner Robot
• Ganeti clusters:
  • new virtual machine: new instance procedure
  • new nodes (which host virtual machines) new node procedure, normally done as a post-install configuration
• Linaro and OSUOSL: howto/openstack
• Cymru

The following sites are not documented yet:

• sunet: possible like Linaro's howto/openstack, each TPA admin has their own account there
• eclips.is: our account is marked as "suspended" but oddly enough we have 200 credits which would give us (roughly) 32GB of RAM and 8 vCPUs (yearly? monthly? how knows). it is (separately) used by the metrics team for onionperf, that said

The following sites are deprecated:

• howto/KVM/libvirt (really at Hetzner) - replaced by Ganeti
• scaleway - see ticket 32920

Post-install configuration

The post-install configuration mostly takes care of bootstrapping Puppet and everything else follows from there. There are, however, still some unrelated manual steps but those should eventually all be automated (see ticket #31239 for details of that work).

Pre-requisites

The procedure below assumes the following steps have already been taken by the installer:

0. partitions have been correctly setup, including some (>=1GB) swap space (or at least a swap file) and a tmpfs in /tmp

1. a minimal Debian install with security updates has been booted (see also ticket #31957 for upgrade automation)

2. a hostname has been set, picked from the doc/naming-scheme and the short hostname (e.g. test) resolves to a fully qualified domain name (e.g. test.torproject.org) in the torproject.org domain (i.e. /etc/hosts is correctly configured). this can be fixed with:

   fab -H root@38.229.82.108 host.rewrite-hosts chi-node-05.torproject.org 38.229.82.108

   WARNING: The short hostname (e.g. foo in foo.example.com) MUST NOT be longer than 21 characters, as that will crash the backup server because its label will be too long:

   Sep 24 17:14:45 bacula-director-01 bacula-dir[1467]: Config error: name torproject-static-gitlab-shim-source.torproject.org-full.${Year}-${Month:p/2/0/r}-${Day:p/2/0/r}_${Hour:p/2/0/r}:${Minute:p/2/0/r} length 130 too long, max is 127

3. a public IP address has been set and the host is available over SSH on that IP address. this can be fixed with:

   fab -H root@88.99.194.57 host.rewrite-interfaces 88.99.194.57 26 88.99.194.1 2a01:4f8:221:2193::2 64 fe80::1

   If the IPv6 address is not known, it might be guessable from the MAC address. Try this:

   ipv6calc --action prefixmac2ipv6 --in prefix+mac --out ipv6 $SUBNET $MAC

   ... where $SUBNET is the (known) subnet from the upstream provider and $MAC is the MAC address as found in ip link show up.

4. ensure reverse DNS is set for the machine. this can be done either in the upstream configuration dashboard (e.g. Hetzner) or in our zone files, in the dns/domains.git repository.

   Pro tip: dig -x will show you an SOA record pointing at the authoritative DNS server for the relevant zone, and will even show you the right record to create. Since IPv6 records are particularly painful to create, you should use this all the time.

   For example, the IP addresses of chi-node-01 are 38.229.82.104 and 2604:8800:5000:82:baca:3aff:fe5d:8774, so the records to create are:

   $ dig -x 2604:8800:5000:82:baca:3aff:fe5d:8774 38.229.82.104
   [...]
   ;; QUESTION SECTION:
   ;4.7.7.8.d.5.e.f.f.f.a.3.a.c.a.b.2.8.0.0.0.0.0.5.0.0.8.8.4.0.6.2.ip6.arpa. IN PTR
   
   ;; AUTHORITY SECTION:
   2.8.0.0.0.0.0.5.0.0.8.8.4.0.6.2.ip6.arpa. 3552 IN SOA nevii.torproject.org. hostmaster.torproject.org. 2021020201 10800 3600 1814400 3601
   
   [...]
   
   ;; QUESTION SECTION:
   ;104.82.229.38.in-addr.arpa.	IN	PTR
   
   ;; AUTHORITY SECTION:
   82.229.38.in-addr.arpa.	2991	IN	SOA	ns1.cymru.com. noc.cymru.com. 2020110201 21600 3600 604800 7200
   
   [...]

   In this case, you should add this record to 82.229.38.in-addr.arpa.:

   104.82.229.38.in-addr.arpa.	IN	PTR chi-node-01.torproject.org.

   And this to 2.8.0.0.0.0.0.5.0.0.8.8.4.0.6.2.ip6.arpa.:

   4.7.7.8.d.5.e.f.f.f.a.3.a.c.a.b.2.8.0.0.0.0.0.5.0.0.8.8.4.0.6.2.ip6.arpa. IN PTR chi-node-01.torproject.org.

   Inversely, say you need to add an IP address for Hetzner (e.g. 88.198.8.180), they will already have a dummy PTR allocated:

   180.8.198.88.in-addr.arpa. 86400 IN	PTR	static.88-198-8-180.clients.your-server.de.

   The your-server.de domain is owned by Hetzner, so you should update that record in their control panel.

5. DNS works on the machine (i.e. /etc/resolv.conf is configured to talk to a working resolver, but not necessarily ours, which Puppet will handle)

6. a strong root password has been set in the password manager, this implies resetting the password for Ganeti instance installs the installed password was written to disk (TODO: move to trocla? #33332)

7. grub-pc/install_devices debconf parameter is correctly set, to allow unattended upgrades of grub-pc to function. The command below can be used to bring up an interactive prompt in case it needs to be fixed:

    debconf-show grub-pc | grep -qoP "grub-pc/install_devices: \K.*" || dpkg-reconfigure grub-pc

Main procedure

All commands to be run as root unless otherwise noted.

IMPORTANT: make sure you follow the pre-requisites checklist above! Some installers cover all of those steps, but most do not.

1. if the machine is not inside a ganeti cluster (which has its own inventory), allocate and document the machine in the Nextcloud spreadsheet, and the services page, if it's a new service

2. clone the tsa-misc git repository on the machine:

   git clone https://git.torproject.org/admin/tsa-misc.git

   Make sure the repo matches a known good copy. You can check the current head with:

   git -C tsa-misc show-ref

   You can then make sure it matches your local copy with something like:

   git -C tsa-misc show-ref master | grep 4879545cda75c44a1cf9efcf377d2c7e45683ac9

   TODO: just ship the parts below as part of the installer so we don't need that checkout

3. bootstrap puppet:

   • on the new machine run the installer/puppet-bootstrap-client from the tsa-misc git repo cloned earlier. copy-paste the generated checksum literally (including the filename) into the script waiting on the Puppetmaster above.

   • This will tell you to add the host into LDAP, this should be done on the LDAP server (db.torproject.org), with:

     ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D "uid=$USER,ou=users,dc=torproject,dc=org"

     Make sure you review all fields, in particular location (l), physicalHost, description and purpose which do not have good defaults.

     See the howto/upgrades section for information about the rebootPolicy field. See also the ldapvi manual for more information.

   • This will also tell you to run the bootstrap script (tpa-puppet-sign-client) on the Puppet server (currently pauli), which will prompt you for a checksum that will be generated by the script above, eventually. It is necessary to run the script to unblock the firewall so the client can connect and generate its certificate.

4. while Puppet is bootstrapping, you can add the node to howto/nagios, in tor-nagios/config/nagios-master.cfg (TODO: puppetize, in ticket #32901)

5. ... and if the machine is handling mail, add it to dnswl.org (password in tor-passwords, hosts-extra-info)

6. you will probably want to create a /srv filesystem to hole service files and data unless this is a very minimal system. Typically, installers may create the partition, but will not create the filesystem and configure it in /etc/fstab:

   mkfs -t ext4 -j /dev/sdc &&
   printf 'UUID=%s\t/srv\text4\tdefaults\t1\t2\n' $(blkid --match-tag UUID --output value /dev/sdc) >> /etc/fstab  &&
   mount /srv

7. once everything is done, reboot the new machine to make sure that still works:

   reboot

At this point, the machine has a basic TPA setup. You will probably need to assign it a "role" in Puppet to get it to do anything.

Reference

Design

If you want to understand better the different installation procedures there is a install flowchart that was made on Draw.io.

There are also per-site install graphs:

• install-hetzner-cloud.png
• install-hetzner-robot.png
• install-ganeti.png

To edit those graphics, head to the https://draw.io website (or install their Electron desktop app) and load the install.drawio file.

Those diagrams were created as part of the redesign of the install process, to better understand the various steps of the process and see how they could be refactored. They should not be considered an authoritative version of how the process should be followed.

The text representation in this wiki remains the reference copy.

Issues

Issues regarding installation on new machines are far ranging and do not have a specific component.

The install system is manual and not completely documented for all sites. It needs to be automated, which is discussed below and in ticket 31239: automate installs.

A good example of the problems that can come up with variations in the install process is ticket 31781: ping fails as a regular user on new VMs.

Discussion

This section discusses background and implementation details of installation of machines in the project. It shouldn't be necessary for day to day operation.

Overview

The current install procedures work, but have only recently been formalized, mostly because we rarely setup machines. We do expect, however, to setup a significant number of machines in 2019, or at least significant enough to warrant automating the install process better.

Automating installs is also critical according to Tom Limoncelli, the author of the Practice of System and Network Administration. In their Ops report card, question 20 explains:

If OS installation is automated then all machines start out the same. Fighting entropy is difficult enough. If each machine is hand-crafted, it is impossible.

If you install the OS manually, you are wasting your time twice: Once when doing the installation and again every time you debug an issue that would have been prevented by having consistently configured machines.

If two people install OSs manually, half are wrong but you don't know which half. Both may claim they use the same procedure but I assure you they are not. Put each in a different room and have them write down their procedure. Now show each sysadmin the other person's list. There will be a fistfight.

In that context, it's critical to automate a reproducible install process. This gives us a consistent platform that Puppet runs on top of, with no manual configuration.

Goals

The project of automating the install is documented in ticket 31239.

Must have

• unattended installation
• reproducible results
• post-installer configuration (ie. not full installer, see below)
• support for running in our different environments (Hetzner Cloud, Robot, bare metal, Ganeti...)

Nice to have

• packaged in Debian
• full installer support:
  • RAID, LUKS, etc filesystem configuration
  • debootstrap, users, etc

Non-Goals

• full configuration management stack - that's done by howto/puppet

Approvals required

TBD.

Proposed Solution

The solution being explored right now is assume the existence of a rescue shell (SSH) of some sort and use fabric to deploy everything on top of it, up to puppet. Then everything should be "puppetized" to remove manual configuration steps. See also ticket 31239 for the discussion of alternatives, which are also detailed below.

Cost

TBD.

Alternatives considered

• Ansible - configuration management that duplicates howto/puppet but which we may want to use to bootstrap machines instead of yet another custom thing that operators would need to learn.
• cloud-init - builtin to many cloud images (e.g. Amazon), can do rudimentary filesystem setup (no RAID/LUKS/etc but ext4 and disk partitionning is okay), config can be fetched over HTTPS, assumes it runs on first boot, but could be coerced to run manually (e.g. fgrep -r cloud-init /lib/systemd/ | grep Exec), ganeti-os-interface backend
• cobbler - takes care of PXE and boot, delegates to kickstart the autoinstall, more relevant to RPM-based distros
• curtin - "a "fast path" installer designed to install Ubuntu quickly. It is blunt, brief, snappish, snippety and unceremonious." ubuntu-specific, not in Debian, but has strong partitionning support with ZFS, LVM, LUKS, etc support. part of the larger MAAS project
• FAI - built by a debian developer, used to build live images since buster, might require complex setup (e.g. an NFS server), setup-storage(8) might be reusable on its own. uses Tar-based images created by FAI itself, requires network control or custom ISO boot, requires a "server" (the fai-server package), not directly supported by Ganeti, although there are hacks to make it work and there is a ganeti-os-interface backend now
• himblick has some interesting post-install configure bits in Python, along with pyparted bridges
• list of debian setup tools, see also AutomatedInstallation
• livewrapper is also one of those installers, in a way
• vmdb2 - a rewrite of vmdeboostrap, which uses a YAML file to describe a set of "steps" to take to install Debian, should work on VM images but also disks, no RAID support and a significant number of bugs might affect reliability in production
• bdebstrap - yet another one of those tools, built on top of mmdebstrap, YAML
• MAAS - PXE-based, assumes network control which we don't have and has all sorts of features we don't want
• howto/puppet - Puppet could bootstrap itself, with puppet apply ran from a clone of the git repo. could be extended as deep as we want.
• terraform - config management for the cloud kind of thing, supports Hetzner Cloud, but not Hetzner Robot or Ganeti (update: there is a Hetzner robot plugin now)

Unfortuantely, I ruled out the official debian-installer because of the complexity of the preseeding system and partman. It also wouldn't work for installs on Hetzner Cloud or Ganeti.