[metrics-bugs] #33733 [Internal Services/Tor Sysadmin Team]: How do home directories work?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Mar 26 14:53:36 UTC 2020
#33733: How do home directories work?
-------------------------------------------------+-------------------------
 Reporter:  irl                                  |  Owner:  tpa
     Type:  task                                 |  Status:  needs_review
 Priority:  Medium                               |  Milestone:
Component:  Internal Services/Tor Sysadmin Team  |  Version:
 Severity:  Normal                               |  Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:  #33715                               |  Points:
 Reviewer:                                       |  Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):
> How does the above puppet compare to the Onionoo setup in Puppet?
This is the onionoo_backend class, for example:
{{{
# onionoo.torproject.org backend host
class roles::onionoo_backend {
  # Java runtime and libraries required by the Onionoo backend
  package { [
    'libcommons-codec-java',
    'libcommons-compress-java',
    'libcommons-lang3-java',
    'libgoogle-gson-java',
    'liblogback-java',
    'libservlet3.1-java',
    'libslf4j-java',
    'libjetty9-java',
    'default-jdk-headless',
  ]:
    ensure => installed,
  }

  # service directory under /srv; the per-user home directories live inside
  # it and /home/$user is only a symlink pointing there
  file { '/srv/onionoo.torproject.org':
    ensure => directory,
    mode   => '0755',
    owner  => 'onionoo',
    group  => 'onionoo',
  }
  file { '/srv/onionoo.torproject.org/home':
    ensure => directory,
    mode   => '0755',
    owner  => 'onionoo',
    group  => 'onionoo',
  }
  file { '/home/onionoo':
    ensure => link,
    target => '/srv/onionoo.torproject.org/home',
  }
  file { '/srv/onionoo.torproject.org/home-unpriv':
    ensure => directory,
    mode   => '0755',
    owner  => 'onionoo-unpriv',
    group  => 'onionoo-unpriv',
  }
  file { '/home/onionoo-unpriv':
    ensure => link,
    target => '/srv/onionoo.torproject.org/home-unpriv',
  }
  file { '/srv/onionoo.torproject.org/onionoo':
    ensure => directory,
    mode   => '0755',
    owner  => 'onionoo',
    group  => 'onionoo',
  }

  # sudo rules for the service account, and systemd user sessions that
  # survive logout so the accounts can run user units
  file { '/etc/sudoers.d/onionoo':
    mode   => '0440',
    source => 'puppet:///modules/roles/onionoo_backend/sudoers-onionoo',
  }
  dsa_systemd::linger { 'onionoo': }
  dsa_systemd::linger { 'onionoo-unpriv': }

  # varnish
  class { 'varnish':
    vcl_config  => '/etc/varnish/onionoo.vcl',
    vcl_content => template('roles/onionoo/varnish-onionoo-backend.vcl.erb'),
    memory      => '1g',
  }

  # ipsec tunnels between each frontend and each backend (1:1 tunnels)
  $query = 'nodes[certname] { resources { type = "Class" and title = "Roles::Onionoo_frontend" } }'
  $peer_names = sort(puppetdb_query($query).map |$value| { $value["certname"] })
  $peer_names.each |$peer_name| {
    $network_tag = [$::fqdn, $peer_name].sort().join('::')
    ipsec::network { "ipsec::${network_tag}":
      peer_networks => $base::public_addresses,
    }
  }

  # allow access to varnish from ipsec peers
  ferm::rule { 'ipsec-service-chain':
    domain      => '(ip ip6)',
    description => 'Move incoming ipsec processed packets to a dedicated ipsec chain',
    rule        => 'mod policy dir in pol ipsec goto ipsec',
  }
  ferm::rule::simple { 'ipsec-varnish':
    chain => 'ipsec',
    port  => 6081,
  }
}
}}}
It's similar, but not exactly the same, as you can see.
> Can we make that use the same "standardization" as the check stuff
> before we deploy the new backends (#32268) there?
weasel has been taking care of this so far, so I can't speak for him.
I think that would be a great idea.
> I think there may be a case not covered by it where we have the onionoo
> and onionoo-unpriv users, but they both share the same service directory.
I see, yes, that's something that needs to be considered.
> I am confused by the difference between the /home/$user and
> /srv/$service/home directories. For the exit scanner the home directory is
> linked into /srv/$service and not into /srv/$service/home but for Onionoo:
>
> {{{
> ssh onionoo-backend-01.torproject.org ls -l '/home/onionoo*'
> lrwxrwxrwx 1 root root 32 Sep 6 2019 /home/onionoo -> /srv/onionoo.torproject.org/home
> lrwxrwxrwx 1 root root 39 Sep 6 2019 /home/onionoo-unpriv -> /srv/onionoo.torproject.org/home-unpriv
> }}}
That could be an oversight on my part, when I set up the check service. Do
you want this fixed?
> Is the /home path only there to keep LDAP happy?
That might be so, yes.
> Perhaps I need to add a key to users for the "real" home directory path
> as we can't guess it from some pattern, and then always link /home/$user
> to that specified path.
I think you can assume /home/$user is valid, although it can be a symlink
pointing somewhere else.
> Regarding where to look for documentation, I had no idea. I guess
> help.tpo would have been the place to look. For this though I don't so
> much need a list of steps that you take to do something, or examples of
> the Puppet usage, but more an understanding of the rationale and intention
> of doing it in this way so that I'm not making incorrect assumptions when
> I recreate it for the dev environments.
Yeah, that's what's missing I guess. To be honest, I don't quite know what
the rationale is here either, I just got here. ;)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33733#comment:4>
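An added example, not part of the ticket or of TPA's Puppet code: a POSIX shell check for the home-directory convention discussed in this comment (/home/$user is a symlink into a subdirectory of /srv/$service/, owned by the service user with mode 0755). It flags the exit-scanner style link to /srv/$service itself and links pointing outside the service directory; the fixture, the svc-b/svc-c service names and the use of GNU `stat -c` are assumptions of this example.

```shell
# Added example, not code from the ticket or from TPA's Puppet: check that a
# service user's home directory follows the layout discussed above, i.e.
# /home/$user is a symlink into a subdirectory of /srv/$service/ (such as
# /srv/$service/home), the target is a directory with mode 0755 and is owned
# by the expected account. A link to /srv/$service itself (the exit-scanner
# style mentioned in the ticket) or to anything outside /srv/$service/ fails.
# ROOT prefixes every path so the check can run against a fixture instead of /.
# Assumes GNU coreutils (stat -c). Returns 0 when consistent, 1 otherwise.
check_home() {  # usage: check_home ROOT USER SERVICE [EXPECTED_OWNER]
    root=$1 user=$2 service=$3 owner=${4:-$2}
    link="$root/home/$user"
    [ -L "$link" ] || { echo "$user: $link is not a symlink"; return 1; }
    target=$(readlink "$link"); target=${target%/}
    case $target in
        "/srv/$service"/*) ;;   # inside the service directory, not the directory itself
        *) echo "$user: $link -> $target is not under /srv/$service/"; return 1 ;;
    esac
    dir="$root$target"
    [ -d "$dir" ] || { echo "$user: target $target is not a directory"; return 1; }
    mode=$(stat -c %a "$dir"); have=$(stat -c %U "$dir")
    [ "$mode" = 755 ] || { echo "$user: $target has mode $mode, want 0755"; return 1; }
    [ "$have" = "$owner" ] || { echo "$user: $target owned by $have, want $owner"; return 1; }
    echo "$user: ok ($link -> $target)"
}

# Constructed fixture (not a real host): the Onionoo layout quoted in the
# ticket, a service whose home links to the service root, and a dangling link.
# svc-b.example and svc-c are made-up service names.
make_fixture() {
    fx=$(mktemp -d); svc=onionoo.torproject.org
    mkdir -p "$fx/home" "$fx/srv/$svc/home" "$fx/srv/$svc/home-unpriv" "$fx/srv/svc-b.example"
    chmod 0755 "$fx/srv/$svc/home" "$fx/srv/$svc/home-unpriv" "$fx/srv/svc-b.example"
    ln -s "/srv/$svc/home"        "$fx/home/onionoo"
    ln -s "/srv/$svc/home-unpriv" "$fx/home/onionoo-unpriv"
    ln -s "/srv/svc-b.example"    "$fx/home/svc-b"   # points at the service root itself
    ln -s "/nonexistent/home"     "$fx/home/svc-c"   # dangling, outside /srv
    echo "$fx"
}
```

On a real host the check would be run as `check_home "" onionoo onionoo.torproject.org` for each account listed in the service's Puppet class; in the fixture the expected owner is whoever created the directories.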