[tor-bugs] #31239 [Internal Services/Tor Sysadmin Team]: automate installs

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jan 10 16:33:59 UTC 2020


#31239: automate installs
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  enhancement                          |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by anarcat):

 in #32902, hiro and I played with draw.io to draw diagrams of what the
 current install process looks like. it was a fun exercise, and showed a
 few interesting things:

  * too much duplication between the two disk formatters, which should be
 resolved
  * duplication between the disk formatters and luks-setup
  * inconsistencies between sites: hrobot writes authorized-keys in
 /root/.ssh, hcloud in /etc/ssh/userkeys/, one uses grml-debootstrap, the
 other debootstrap

 I'm leaning towards scrapping the current install process and converging
 towards a simpler process that would be basically:

  1. pick IP address, hostname and other static parameters
  2. create metal/cloud upstream
  3. get a console (ssh, web console, whatever)
  4. use [https://manpages.debian.org/setup-storage setup-storage] to
 partition the disk, based on well-defined templates
  5. mount everything
  6. run debootstrap
  7. setup network, including hostname (maybe reusing gnt-network stuff?)
  8. populate LDAP
  9. bootstrap Puppet in the chroot
  10. reboot

 Every remaining manual step can then be done in Puppet, as it runs before
 the first boot. Those steps, currently done manually, are already done by
 Puppet so automating this is just a matter of ordering:

  * SSH daemon and keys configuration
  * automated upgrades (part of the larger #31957)
  * /etc/hosts management?

 Those would need some coding work in Puppet:

  * root password management (trocla? abandon?)
  * swapfile (move to setup-storage?)
  * kernel and grub setup?
  * mdadm.conf, fstab and crypttab config (setup-storage?)
  * dropbear-initramfs setup
  * mandos setup
  * net.ifnames=0

 Those steps would stay manual until they are configured in Puppet.

 So the next step seems to be to experiment with changing the order of the
 install process to bootstrap Puppet earlier and see what happens. We
 should also experiment with a different partitioning tool, probably
 setup-storage.

 TL;DR: next steps:

  1. test setup-storage
  2. bootstrap Puppet earlier

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31239#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
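The proposed flow above, steps 4 to 6 and 9, as an added shell skeleton that is not part of the ticket or of the Tor sysadmin team's code. It assumes FAI's setup-storage is installed, that LOGDIR is where it writes the generated fstab (its default is /tmp/fai), and that /target, the template name "plain" and the Puppet server name are made-up values.

```shell
#!/bin/sh
# Added example, not from the ticket: a skeleton of steps 4-6 and 9 of the
# proposed flow. Assumptions: FAI's setup-storage is installed, LOGDIR is
# where it writes the generated fstab (its default is /tmp/fai), /target and
# the template name "plain" are ours, and the Puppet server name is made up.
set -eu
LOGDIR="${LOGDIR:-/tmp/fai}"
TARGET="${TARGET:-/target}"
PUPPET_SERVER="${PUPPET_SERVER:-puppet.example.org}"

# Step 4: one well-defined disk_config template per machine class replaces
# the two ad-hoc disk formatters. Argument 2 is the disk name without /dev/.
render_disk_config() {  # usage: render_disk_config <template> <disk>
  case "$1" in
    plain)
      printf 'disk_config %s disklabel:gpt bootable:1 fstabkey:uuid\n' "$2"
      printf 'primary /boot 512M ext4 rw,noatime\n'
      printf 'primary swap 2G swap sw\n'
      printf 'primary / 10G- ext4 rw,noatime\n' ;;
    *) echo "unknown template: $1" >&2; return 1 ;;
  esac
}

# Step 5: mountpoints from an fstab ordered parent-before-child, so / comes
# before /boot and /boot before /boot/efi. A parent is always a shorter
# prefix of its children, so sorting by path length is enough. Swap skipped.
mount_order() {  # usage: mount_order <fstab-file>
  awk '$1 !~ /^#/ && $3 != "swap" { print length($2), $2 }' "$1" \
    | sort -n | cut -d' ' -f2-
}

# Steps 4-6 and 9 wired together; destructive, run on the new host's console.
install_target() {  # usage: install_target <template> <disk> <suite>
  mkdir -p "$LOGDIR" "$TARGET"
  render_disk_config "$1" "$2" > "$LOGDIR/disk_config"
  setup-storage -X -f "$LOGDIR/disk_config" -L "$LOGDIR"  # partition, mkfs
  for mp in $(mount_order "$LOGDIR/fstab"); do
    dev=$(awk -v m="$mp" '$2 == m { print $1 }' "$LOGDIR/fstab")
    mkdir -p "$TARGET$mp" && mount "$dev" "$TARGET$mp"
  done
  debootstrap --include=puppet "$3" "$TARGET" http://deb.debian.org/debian
  cp "$LOGDIR/fstab" "$TARGET/etc/fstab"
  for fs in dev proc sys; do mount --bind "/$fs" "$TARGET/$fs"; done
  # Step 9: first Puppet run inside the chroot; its CSR must be signed on
  # the server first, and exit code 2 from --test only means changes applied.
  chroot "$TARGET" puppet agent --test --server "$PUPPET_SERVER" || [ $? -eq 2 ]
}
```

Only render_disk_config and mount_order are safe to try on a workstation; install_target repartitions the named disk.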

