Skip to content
Snippets Groups Projects
Commit 140b0a4c authored by zen's avatar zen
Browse files

tpa-rfc-77: address clarifications raised by anarcat 

- be explicit about how to handle naming conflicts
- remove non-goals
- describe when and how to create tails- and tpa-specific profiles

refs team#41948
parent 8ebb1c27
Branches rfc-77-improv
No related tags found
1 merge request!68TPA-RFC-77: clarifications
Pipeline #247167 failed
Stage: build
Stage: test
Hide whitespace changes
Inline Side-by-side
policy/tpa-rfc-77-puppet-merge.md
+ 21
25
View file @ 140b0a4c
......@@ -47,28 +47,26 @@ This phase ensures that, once Tails code is copied to Tor's Puppet Control repo:
- Remove ENC configuration, Tails don't really use it and the Puppet server switch will implement Tor's instead
- Move node definitions under `manifests/nodes.pp` to roles
- Switch to the directory structure used by Tor:
- Move custom non-profile modules to `legacy/` (`monitoring`, `apache`, `passenger`), leave only 3rd party modules under `modules/`
- Move custom non-profile modules (`bitcoind`, `borgbackup`, `etckeeper`, `gitolite`, `rbac`, `reprepro`, `rss2email`, `tails`, `tirewall` and `yapgp`) to `legacy/`. Note: there are no naming conflicts in this case.
- Make sure to leave only 3rd party modules under `modules/`. There are 2 naming conflicts here (`unbound` and `network`): Tails uses these from voxpupuli and Tor uses custom ones in `legacy/`, so in these cases we deprecate the Tor ones in favor of voxpupuli's.
- Rename `hieradata` to `data`
- Rename `profiles` to `site`
TODO: how are naming conflicts handled here? e.g. TPA also has an
`apache` module in `legacy`
- Move default configuration to a new `profile::tails` class and include it in all nodes
### Converge in substance
- Tails:
- Refactor the legacy `apache` and `passenger` modules out of existence
- Rename all profiles from `tails::profile` to `profile::tails`
- Ensure all exported resources' tags are prefixed with tails_
- Upgrade 3rdparty modules to match TPA versions
- Tor:
- Install all `3rdparty` modules that are used by Tails but not by Tor
- Isolate all exported resources and collectors using tags
- Ensure there is a parameter to disable all 'base' functionality (i.e., nothing gets installed on a puppet node that is not explicitly included in the role)
- Move default configuration to a new `profile::tpa` class and include it in all nodes
- Enforce signed commits
- Ensure all private data is moved to Trocla and publish the repo ([tpo/tpa/team#29387](https://gitlab.torproject.org/tpo/tpa/team/-/issues/29387))
- Install EYAML, copy the EYAML keys from the Tails to the Tor puppet server, and adapt `hiera.yaml` to use them
- Tor and Tails:
- Import the `tails::profile::puppet::eyaml profile into TPA's `profile::puppet::server`
- Copy the EYAML keys from the Tails to the Tor puppet server, and adapt `hiera.yaml` to use them
- Upgrade 3rdparty modules to match Tails versions
When we say "upgrade", we don't mean to upgrade to the latest upstream
......@@ -86,8 +84,9 @@ considering the Tails codebase is generally tidier.
This phase moves all nodes from one Puppet server to the other:
- Copy `legacy` modules from Tails to Tor
- Copy roles and profiles from Tails to Tor
- Assign nodes to roles using the ENC
- Copy profiles from Tails to Tor
- Create a flag that determines whether a node is Tails or TPA and which base class it should include
- Assign nodes to their corresponding base class using the flag above
- Point Tails nodes to the Tor Puppet server
- Retire the Tails' Puppet server
......@@ -95,15 +94,19 @@ This phase moves all nodes from one Puppet server to the other:
This phase paves the way towards a cleaner future:
- One by one, for each profile in `profile::tails`
- Move the profile to `profile` (without `::tails`), or
- Merge the profile with an existing one in `profile`
- Deduplicate, refactor, cleanup, etc.
- Defining code standards (documentation, linting, pre-commit hooks, etc)
- Remove all `tails::profile::puppet` profiles
- Merge the 8 conflicting Tails and TPA profiles:
- `grub`
- `limesurvey`
- `mta`
- `nginx`
- `podman`
- `rspamd`
- `sudo`
- `sysctl`
- Move the remaining 114 non-conflicting Tails profiles to `profile` (without `::tails`)
TODO: the last two feel like "non-goals" above.. I wonder if it's
worth just removing those? In any case, they feel oddly vague and out
of place.
At this point, we'll have 244 profiles.
## Next steps
......@@ -113,13 +116,6 @@ and nodes from both fleets (Tails and TPA) use the same environment.
The code base is not, however, fully merged just yet, of course. A
possible way forward to merge services might be like this:
- There's a Hiera parameter that determines whether a node is "Tails"
or "TPA", let's call it the "flag"
- The "flag" determines which base profile (`profile::tails` or
`profile::tpa` maybe?) gets included
- The profiles start fully divergent: they include different profiles
and classes, but can also have the same classes included (say
`unattended_upgrades`, assuming it's used by both)
- To "merge" a service, a class existing in one profile (say
`profile::prometheus` from `profile::tpa`) is progressively added to
all nodes on the other side, and eventually to the other profile
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment