[metrics-bugs] #33733 [Internal Services/Tor Sysadmin Team]: How do home directories work?

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Mar 26 14:53:36 UTC 2020

#33733: How do home directories work?
 Reporter:  irl                                  |          Owner:  tpa
     Type:  task                                 |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:  #33715                               |         Points:
 Reviewer:                                       |        Sponsor:

Comment (by anarcat):

 >  How does the above puppet compare to the Onionoo setup in Puppet?

 This is the onionoo_backend class, for example:

 # onionoo.torproject.org backend host
 class roles::onionoo_backend {
   package { [
     ensure => installed,

   file { '/srv/onionoo.torproject.org':
     ensure => directory,
     mode   => '0755',
     owner  => 'onionoo',
     group  => 'onionoo',
   file { '/srv/onionoo.torproject.org/home':
     ensure => directory,
     mode   => '0755',
     owner  => 'onionoo',
     group  => 'onionoo',
   file {'/home/onionoo':
     ensure => link,
     target => '/srv/onionoo.torproject.org/home',
   file { '/srv/onionoo.torproject.org/home-unpriv':
     ensure => directory,
     mode   => '0755',
     owner  => 'onionoo-unpriv',
     group  => 'onionoo-unpriv',
   file {'/home/onionoo-unpriv':
     ensure => link,
     target => '/srv/onionoo.torproject.org/home-unpriv',
   file { '/srv/onionoo.torproject.org/onionoo':
     ensure => directory,
     mode   => '0755',
     owner  => 'onionoo',
     group  => 'onionoo',
   file { '/etc/sudoers.d/onionoo':
     mode   => '0440',
     source => 'puppet:///modules/roles/onionoo_backend/sudoers-onionoo',

   dsa_systemd::linger { 'onionoo': }
   dsa_systemd::linger { 'onionoo-unpriv': }

   # varnish
   class { 'varnish':
     vcl_config  => '/etc/varnish/onionoo.vcl',
     vcl_content => template('roles/onionoo/varnish-onionoo-
     memory      => '1g',

   # ipsec tunnels between each frontend and each backend (1:1 tunnels)
   $query = 'nodes[certname] { resources { type = "Class" and title =
 "Roles::Onionoo_frontend" } }'
   $peer_names = sort(puppetdb_query($query).map |$value| {
 $value["certname"] })
   $peer_names.each |$peer_name| {
     $network_tag = [$::fqdn, $peer_name].sort().join('::')
     ipsec::network { "ipsec::${network_tag}":
       peer_networks => $base::public_addresses,

   # allow access to varnish from ipsec peers
   ferm::rule { 'ipsec-service-chain':
     domain      => '(ip ip6)',
     description => 'Move incoming ipsec processed packets to a dedicated
 ipsec chain',
     rule        => 'mod policy dir in pol ipsec goto ipsec',
   ferm::rule::simple { 'ipsec-varnish':
     chain => 'ipsec',
     port  => 6081,

 It's similar, but not exactly the same, as you can see.

 > Can we make that use the same "standardization" as the check stuff
 before we deploy the new backends (#32268) there?

 weasel has been taking care of this so far, so I can't speak for him.

 i think that would be a great idea.

 >  I think there may be a case not covered by it where we have the onionoo
 and onionoo-unpriv users, but they both share the same service directory.

 I see, yes, that's something that needs to be considered.

 >  I am confused by the difference between the /home/$user and
 /srv/$service/home directories. For the exit scanner the home directory is
 linked into /srv/$service and not into /srv/$service/home but for Onionoo:
 > {{{
 > ssh onionoo-backend-01.torproject.org ls -l '/home/onionoo*'
 > lrwxrwxrwx 1 root root 32 Sep  6  2019 /home/onionoo ->
 > lrwxrwxrwx 1 root root 39 Sep  6  2019 /home/onionoo-unpriv ->
 > }}}

 That could be an oversight on my part, when i setup the check service. Do
 you want this fixed?

 > Is the /home path only there to keep LDAP happy?

 That might be so yes.

 > Perhaps I need to add a key to users for the "real" home directory path
 as we can't guess it from some pattern, and then always link /home/$user
 to that specified path.

 I think you can assume /home/$user is valid, although it can be a symlink
 pointing somewhere else.

 >  Regarding where to look for documentation, I had no idea. I guess
 help.tpo would have been the place to look. For this though I don't so
 much need a list of steps that you take to do something, or examples of
 the Puppet usage, but more an understanding of the rationale and intention
 of doing it in this way so that I'm not making incorrect assumptions when
 I recreate it for the dev environments.

 Yeah, that's what's missing I guess. To be honest, I don't quite know what
 the rationale is here either, I just got here. ;)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33733#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the metrics-bugs mailing list