December 2019 - Arch-devops - lists.archlinux.org

[arch-devops] cloud-images
by Christian Rebischke 02 May '20

02 May '20

Dear devops team, Recently I have pushed cloud-init back to [community][1], one Arch Linux user did some improvements on the cloud-init codebase as well and they are going to officially support arch linux with version 19.3[2]. Therefore I have added support for cloud-images to the arch-boxes project[3]. These images are qcow2 images and are expected to be installed in cloud-environments like Openstack. The only thing what is missing is a way to distribute the images and release them. My current plan has been that I build and sign them locally and then upload them to a web directory (This is the most secure way as possible right now). For this I need answers for a few questions: 1. Can I have a web-directory, where only I have access to? 2. Which key should I use to sign them? A new cloud-image signing key or my personal key? (I think latter should be enough). 3. I expect to build them monthly like the ISOs, how many images do you want to keep? My current assumption is that 1 year of image backup of cloud-images (qcow2) only would cost us around 30-50GB. 4. Do we want to mirror the images? Best greetings Chris [1] https://www.archlinux.org/packages/community/any/cloud-init/ [2] https://git.launchpad.net/cloud-init/commit/?id=5d5a32e039782ce3e1c0843082f… [3] https://github.com/archlinux/arch-boxes/commit/9d9f04f9618367e2af8d92bef2d5…

2 3

[arch-devops] soyuz (pkgbuild.com) server move to homedir.archlinux.org
by Sven-Hendrik Haase 01 Jan '20

01 Jan '20

Hi all, I set up a new Hetzner VPS that is going to become our new homedir/public_html server available to all TUs and Devs like soyuz was. We decided to decommission soyuz and put the public_html stuff on its own server for security reasons, to cut costs, and so that we can compartmentalize further. The server uses a Hetzner Cloud Volume which we can scale if we want but for now, it's 100GiB of zstd-compressed btrfs. If possible, we'd like to keep it at this size for the time being. You can host your own repos there if you want and that's fine. Please talk to us beforehand if you see yourself exhausting the volume with what you want to do. If you had stuff hosted in the public_html of soyuz, I'd ask you to transfer stuff over to the new box which is already reachable at the names pkgbuild.com (you'll get an SSH error because of this) and homedir.archlinux.org. Please check if you can throw away some old stuff/junk that you might not necessarily need on the new server. This new box is *not for building*. That's what dragon is for. Please only put documents/files onto the new pkgbuild.com that you actually want people to be able to access publicly. The box has no building facilities and you get no sudo'd commands. soyuz is going to be decommissioned no sooner than 2020-01-01 but do not expect it to hang around for long after that. We will not transfer any files for you from soyuz. In other words: All data not explicitly transferred by you will be destroyed after 2020-01-01. Please bring up any problems you might have with this new server on the arch-devops list or IRC (#archlinux-devops). Enjoy, Sven

2 3

[arch-devops] Linux lockdown mode deployed
by Jelle van der Waa 23 Dec '19

23 Dec '19

Hi All, I've deployed a new Linux hardening setting on all our VPS'es which is available since 5.4. Which makes it harder for root to modify the running kernel by shielding off some functionality for userland. [1] No application should rely on this features so everything should still work as normal. Currently it is deployed as tmpfiles.d file which is suboptimal but adding it to our bootloader seems to be hard since we currently already enable btrfs via lineinfile. Maybe the grub configuration should live in our ansible repository? [1] https://git.archlinux.org/infrastructure.git/commit/?id=2c7538040f6353633ad… Greetings, Jelle

3 2

[arch-devops] Meeting tommorow 20:30 UTC
by Jelle van der Waa 20 Dec '19

20 Dec '19

Hi, Tommorow we have another devops meeting, I am not sure if I will attend since I have a diner tommorow night. But the agenda is: - discuss progress of previous agenda points - luna - AUR - cgit - IPXE - Backups homedir -- Jelle van der Waa

1 1