From cda3a4b4be07bfd251e4d15a2cf11c2b3e0ca361 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Fri, 13 Mar 2020 15:41:43 -0400
Subject: [PATCH] expand on the destruction procedures
---
 tsa/howto/retire-a-host.mdwn | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/tsa/howto/retire-a-host.mdwn b/tsa/howto/retire-a-host.mdwn
index 9f85ba2c..de7e481d 100644
--- a/tsa/howto/retire-a-host.mdwn
+++ b/tsa/howto/retire-a-host.mdwn
@@ -92,13 +92,17 @@ interface, you need to be a little more creative. We do this with the
 apt install nwipe
+Run in a screen:
+ screen
+
 If there's a RAID array, first wipe one of the disks by taking it
 offline and writing garbage:
 mdadm --fail /dev/md0 /dev/sdb1 &&
 mdadm --remove /dev/md0 /dev/sdb1 &&
- mdadm --fail /dev/md1 /dev/sdb3 &&
- mdadm --remove /dev/md1 /dev/sdb3 &&
+ mdadm --fail /dev/md1 /dev/sdb2 &&
+ mdadm --remove /dev/md1 /dev/sdb2 &&
 : etc, for the other RAID elements in /proc/mdstat &&
 nwipe --autonuke --method=random --verify=off /dev/sdb
@@ -112,19 +116,26 @@ When you return:
 that will survive disk wiping:
 # make sure /tmp is on a tmpfs first!
- cp -av /root /tmp/root
- mount -o bind /tmp/root /root
- cp /bin/busybox /tmp/root/sh
- export SHELL=/tmp/root/sh
+ cp -av /root /tmp/root &&
+ mount -o bind /tmp/root /root &&
+ cp /bin/busybox /tmp/root/sh &&
+ export SHELL=/tmp/root/sh &&
 exec screen -s $SHELL
+ TODO: the above eventually failed to make busybox survive the
+ destruction, probably because it got evicted from RAM and couldn't
+ be found in swap again (as *that* was destroyed too). We should
+ try using [vmtouch](https://hoytech.com/vmtouch/) with something like `vmtouch -dl
+ /tmp/root/sh` next time, although that is only [available in buster
+ and later](https://tracker.debian.org/pkg/vmtouch).
+
 2. kill all processes but the SSH daemon, your SSH connexion and shell.
 this will vary from machine to machine, but a good way is to
 list all processes with `systemctl status` and `systemctl stop`
 the services one by one.
 Hint: multiple services can be passed on the same `stop` command, for example:
- systemctl stop acpid atd bacula-fd bind9 cron dbus dbus.socket fail2ban haveged irqbalance libvirtd lvm2-lvmetad.service mdmonitor nagios-nrpe-server ntp openvswitch-switch postfix prometheus-bind-exporter prometheus-node-exporter smartd strongswan syslog-ng.service systemd-journald systemd-journald-audit.socket systemd-journald-dev-log.socket systemd-journald.socket systemd-logind.service systemd-udevd systemd-udevd systemd-udevd-control.socket systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udevd-kernel.socket ulogd2 unbound virtlogd virtlogd.socket
+ systemctl stop acpid acpid.socket acpid.path atd bacula-fd bind9 cron dbus dbus.socket fail2ban haveged irqbalance libvirtd lvm2-lvmetad.service lvm2-lvmetad.socket mdmonitor nagios-nrpe-server ntp openvswitch-switch postfix prometheus-bind-exporter prometheus-node-exporter smartd strongswan syslog-ng.service systemd-journald systemd-journald-audit.socket systemd-journald-dev-log.socket systemd-journald.socket systemd-logind.service systemd-udevd systemd-udevd systemd-udevd-control.socket systemd-udevd-control.socket systemd-udevd-kernel.socket systemd-udevd-kernel.socket ulogd2 unbound virtlogd virtlogd.socket
 3. disable swap:
-- GitLab