Dear devops team,
Recently I have pushed cloud-init back to [community]. One Arch Linux
user made some improvements to the cloud-init codebase as well, and they
are going to officially support Arch Linux with version 19.3.
Therefore I have added support for cloud-images to the arch-boxes
project. These images are qcow2 images and are expected to be
installed in cloud-environments like Openstack.
The only thing that is missing is a way to distribute the images and
My current plan has been that I build and sign them locally and then
upload them to a web directory (this is the most secure way
possible right now).
For this I need answers for a few questions:
1. Can I have a web-directory that only I have access to?
2. Which key should I use to sign them? A new cloud-image signing key or
my personal key? (I think the latter should be enough).
3. I expect to build them monthly like the ISOs, how many images do you
want to keep? My current assumption is that 1 year of image backup of
cloud-images (qcow2) only would cost us around 30-50GB.
4. Do we want to mirror the images?
I set up a new Hetzner VPS that is going to become our new
homedir/public_html server available to all TUs and Devs like soyuz was. We
decided to decommission soyuz and put the public_html stuff on its own
server for security reasons, to cut costs, and so that we can
The server uses a Hetzner Cloud Volume which we can scale if we want but
for now, it's 100GiB of zstd-compressed btrfs. If possible, we'd like to
keep it at this size for the time being. You can host your own repos there
if you want and that's fine. Please talk to us beforehand if you see
yourself exhausting the volume with what you want to do.
If you had stuff hosted in the public_html of soyuz, I'd ask you to
transfer stuff over to the new box which is already reachable at the names
pkgbuild.com (you'll get an SSH error because of this) and
homedir.archlinux.org. Please check if you can throw away some old
stuff/junk that you might not necessarily need on the new server.
This new box is *not for building*. That's what dragon is for. Please only
put documents/files onto the new pkgbuild.com that you actually want people
to be able to access publicly. The box has no building facilities and you
get no sudo'd commands.
soyuz is going to be decommissioned no sooner than 2020-01-01 but do not
expect it to hang around for long after that. We will not transfer any
files for you from soyuz. In other words: All data not explicitly
transferred by you will be destroyed after 2020-01-01.
Please bring up any problems you might have with this new server on the
arch-devops list or IRC (#archlinux-devops).
I've deployed a new Linux hardening setting on all our VPSes, which has
been available since 5.4. It makes it harder for root to modify the
running kernel by shielding off some functionality for userland.
No application should rely on this feature, so everything should still
work as normal.
Currently it is deployed as a tmpfiles.d file, which is suboptimal, but
adding it to our bootloader seems to be hard since we currently already
enable btrfs via lineinfile. Maybe the grub configuration should live in
our ansible repository?
Tomorrow we have another devops meeting. I am not sure if I will attend
since I have a dinner tomorrow night. But the agenda is:
- discuss progress of previous agenda points
- Backups homedir
Jelle van der Waa
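
Added example, not part of the original message or of the Arch infrastructure repository: a post-deploy check for the hardening setting described above. It assumes the setting is the kernel lockdown LSM introduced in Linux 5.4, whose state is exposed at /sys/kernel/security/lockdown with the active mode in brackets; the function names and the LOCKDOWN_FILE variable are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the hardening setting is the lockdown LSM
# (Linux 5.4+), whose state file reads e.g. "none [integrity] confidentiality".
LOCKDOWN_FILE="${LOCKDOWN_FILE:-/sys/kernel/security/lockdown}"

# Print the active mode (the bracketed word) from a state line.
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Map a mode name to its strictness; unknown or empty modes rank below "none".
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;
    esac
}

# Succeed if active mode ($2) is at least as strict as the required mode ($1).
lockdown_at_least() {
    want=$(lockdown_rank "$1")
    have=$(lockdown_rank "$2")
    [ "$want" -ge 0 ] && [ "$have" -ge "$want" ]
}

# Exit status: 0 = enforced, 1 = too weak, 2 = state not readable
# (kernel older than 5.4, LSM not built in, or securityfs not mounted).
check_lockdown() {
    required="${1:-integrity}"
    if [ ! -r "$LOCKDOWN_FILE" ]; then
        echo "lockdown: cannot read $LOCKDOWN_FILE" >&2
        return 2
    fi
    mode=$(lockdown_active_mode "$(cat "$LOCKDOWN_FILE")")
    if lockdown_at_least "$required" "$mode"; then
        echo "lockdown: OK (active=$mode)"
    else
        echo "lockdown: FAIL (active=${mode:-unknown}, required=$required)" >&2
        return 1
    fi
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_lockdown "${2:-integrity}"
fi
```

Because a tmpfiles.d entry is applied during boot rather than on the kernel command line, a check like this is most useful when run after boot completes, for example from monitoring.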