[tor-bugs] #30020 [Internal Services/Tor Sysadmin Team]: switch from our custom YAML implementation to Hiera

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 19 20:57:36 UTC 2019


#30020: switch from our custom YAML implementation to Hiera
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  project                              |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:  #29387                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by anarcat):

 site.pp is now mostly empty. All the `has_role` constructs are gone from
 there.

 Those two are gone as well:

 {{{
 HOST_ROLE_BACULA_DIRECTOR
 HOST_ROLE_BACULA_STORAGE
 }}}

 The trickiest part, surprisingly, was the little warning added to the
 motd. I've hacked something together using `update-motd.d` but I'm
 actually quite unhappy about it, because it doesn't display the same way
 that it did before. If the machines were all running buster, this wouldn't
 be a problem anymore because there's /etc/motd.d there, but we're probably
 stuck on stretch for a while.

 Since this is only for *three* machines, I think we can afford the little
 ugliness for now.

 {{{
 Linux build-arm-02 4.19.0-0.bpo.4-arm64 #1 SMP Debian 4.19.28-2~bpo9+1
 (2019-03-27) aarch64

  Note that this host is _NOT_ being backed up.  If you care about your
  data, run your own backups.


 This device is for authorized users only.

 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

 Welcome to build-arm-02.torproject.org, used for the following services:
         buildbox
         porterbox

  If you use this as a porter/buildbox, you might find
  https://dsa.debian.org/doc/schroot/ helpful.

 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

 Last login: Fri Apr 19 20:44:31 2019 from 95.216.141.241
 }}}


 I have also found HOST_TPO which is basically a list of the public IP of
 all TPO hosts, as taken from LDAP
 (`modules/puppetmaster/lib/puppet/parser/functions/allnodeinfo.rb`). So we
 can keep that macro for now until we decide about the overlap between LDAP
 and Hiera. The motd is similarly extracted mostly from stuff in LDAP and
 would benefit from such a refactoring as well.

 Anyways. Next up is the roles file, which has tons more fun stuff like
 this to clear out. :)

 Note that I've had answers to my earlier questions, somehow:

  1. I don't think there are any serious security issues with exported
 resources, the way they're set up. At worst a host might be able to push
 different firewall holes than expected. If we want to fix that issue, we
 can make new defines with hardcoded definitions that, when collected on
 hosts, will only poke the holes that are expected.

  2. It's just a copy-paste historical error, which I've made myself on
 other occasions.

  3. No solution to the NRPE `allowed_hosts` problem just yet, but I'm
 tempted to just use a hardcoded variable for now. This is what is used for
 `bacula::bacula_director_address` for example: it's hardcoded to
 `dictyotum.torproject.org`, so there's prior art to hardcoding stuff like
 that. Of course it would be hardcoded into Hiera, not the class name,
 ideally...
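An added illustration of the mitigation sketched in point 1 above (example code, not from the ticket or the Tor Project Puppet repository): a define whose port is fixed, so that an exporting host can contribute only its own address and not an arbitrary rule. The define name `hole::nrpe_client`, the `peer_address` parameter, the `nrpe-clients` tag and the use of the puppetlabs-firewall `firewall` type are assumptions.

```puppet
# Added example, not code from the ticket. The define name, parameter name,
# tag and the puppetlabs-firewall `firewall` type are assumptions.
#
# Risky pattern: the exporting host chooses the whole rule. A compromised
# node could export any port, and every collecting host would open it.
#
#   @@firewall { "100 nrpe from ${facts['networking']['fqdn']}":
#     proto  => 'tcp',
#     dport  => $port_chosen_by_exporter,   # attacker-controlled on that host
#     source => $facts['networking']['ip'],
#     action => 'accept',
#     tag    => 'nrpe-clients',
#   }
#
# Hardened pattern: the port is fixed inside the define, so the only thing
# an exporter can influence is the source address it claims.
define hole::nrpe_client (
  Stdlib::IP::Address $peer_address,
) {
  firewall { "100 nrpe from ${title}":
    proto  => 'tcp',
    dport  => 5666,            # NRPE; fixed here, never taken from the exporter
    source => $peer_address,
    action => 'accept',
  }
}

# On every monitored host: export only the identity of this node.
@@hole::nrpe_client { $facts['networking']['fqdn']:
  peer_address => $facts['networking']['ip'],
  tag          => 'nrpe-clients',
}

# On the monitoring server: collect the exported defines. By construction
# each one can open at most tcp/5666 from the exporter's declared address.
Hole::Nrpe_client <<| tag == 'nrpe-clients' |>>
```

The residual exposure is the `peer_address` value, which the exporter still controls; if that matters, the collector can cross-check it against the address LDAP (or Hiera) records for that host before accepting the rule.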

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30020#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

