Dave and Bryan, below is my latest attempt at the how to information for sysadmins.

Can one of you please take on incorporating this into the wiki?


Apache SpamAssassin SysAdmin How-To

NOTE: This was written in April of 2017 to help modernize our system records

- Other records: See https://wiki.apache.org/spamassassin/DevelopmentStuff - This document will likely be used to replace that page.

- Wiki Access:

Write access to the wiki is to anyone who has created a login name on the wiki
whose name has been added to the page
https://wiki.apache.org/spamassassin/ContributorsGroup

Write access to that page is to anyone whose wiki login name has been added to
https://wiki.apache.org/spamassassin/AdminGroup

- Members of SA SysAdmins (SASA):
Dave Jones -  [email protected]
Kevin A. McGrail - 703-798-0171 - [email protected]
Bryan Vest - [email protected]

- Who's in Charge?
The PMC.  There is no leadership hierarchy in the SpamAssassin SysAdmins.

NOTE: As with any ASF role, if you follow The Apache Way, you should feel empowered to Just Do It (TM Nike)

For a SysAdmin, your solution works (Merit), it's well documented (Open) and supports the project (Community), you're good to go though as a SysAdmin you need to realize we have control over private data. All SASA members have been asked to follow the LISA Code of Ethics.

Tenants we Follow:
- The Apache Way, Shane Curcuru's post on this are a good point: http://theapacheway.com/ - LISA/Sage Code of Ethics, https://www.pccc.com/base.cgim?template=sage_code_of_ethics

Important Resources:

The ASF Infrastructure (Infra) Jira: https://issues.apache.org/jira/secure/Dashboard.jspa - Sign up at Jira isn't single sign on enabled.

  SpamAssassin Bugzilla: https://bz.apache.org/SpamAssassin/

Short-hand Notes:
There are a lot of acronyms, even those that might be basic that will be defined here if we find there is confusion to make it easier to bring new sysadmin's onboard to make many hands make light work.

    Apache Software Foundation (ASF)
    Bugzilla (BZ)
    Apache SpamAssassin (SA)
    PMC (Project Management Committee)
    SVN (SubVersioN)

Mailing Lists:
- There is a dedicated SASA Mailing list [email protected]. Additionally, our machines largely support the Rule QA process so [email protected] should be subscribed to.


Credentials:
- There are legacy shared credentials. These must be encrypted and stored in SVN.

OPIE:
- To sudo to root, you need to use OPIE - See https://reference.apache.org/committer/opie

DNS for SpamAssassin.org:
- The server creates DNS entries on the fly so we do not use the ASF infrastructure for DNS. We have a hidden master that pushes to Hyperreal and Sonic
  Contact for HyperReal is Brian Behlendorf
  Contact for Sonic is [email protected]

The information located here:
https://wiki.sonic.net/wiki/Secondary_DNS_Service is the current
configuration information you will need.



- Project Machines

This is a short description of the machines involved including those that USED to exist and why.

OLD:
- Hyperion.Apache.org - ftp://ftp.ist.utl.pt/apache/dev/machines.html#hyperion shows this was likely a solaris box that I had access to when zones died and I had to recover data.
- SpamAssassin.zones.apache.org - DIED - was replaced with spamassassin-vm
- SpamAssassin.zones2.apache.org - deprecated by Infra
- spamassassin-vm.apache.org - deprecated by Infra

CURRENT:
- incoming.apache.org - Donated by Sonic
- sa-vm1.apache.org - Ubuntu box to replace spamassassin-vm and zones2

- Other Aliases: buildbot, ruleqa (there might be more).

Also, this is an ASF box for all committers:

- Minotaur.apache.org aka People - This used to handle various build and devel related tasks. Minotaur.apache.org for ssh (It appears that minotaur is not the proper server anymore. I used home.apache.org per some links that Sidney sent. (Home.apache.org and people.apache.org resolve to the same IP.)



- Backups:

There are no backups of these machines save what is stored in SVN or that KAM has made.

Specifically, what backups does KAM have as of 2017/05/08:

  - Hyperion.apache.org - N/A
  - Incoming.apache.org aka colo - Backup on KAM's Crashplan
  - minotaur.apache.org (NOTE: Aka People) - N/A
  - sa-vm1.apache.org - Backup on KAM's Crashplan
- Spamassassin-vm.apache.org - Backup on KAM's Crashplan - Mar 15, 2017 - There is also a backup on sa-vm1 in /x1. - spamassassin2.zones.apache.org - Backup on KAM's Crashplan from Approximately Jun 2015 last backup. Also have an Rsync copy from June 3, 2015 on PCCC TalonJR machine - And there is also a copy on sa-vm1 in /x1

- Ubuntu?

Ubuntu is the ASF Infrastructures OS of choice. Supporting others is not an option at this time.

- How to get access to each machine:

sa-vm1.apache.org (current as of 4/28/17)
- Open a Jira ticket with the availid of the person(s) you want to have access. Note if they need sudo access or not.
  - User self maintains their ssh-key at id.apache.org
  - NOTE: if sudo access was requested, run and sets up 'ortpasswd'

- Why all the boxes?

The resources for Masscheck can be very intensive on CPU, Ram and disk I/O intensive. Over the years, many boxes have been consolidated, donated, lost, replaced, moved under ASF Infrastructure or just fell over and sank into the swamp.

- Some boxes are just names for other boxes
trap-proc.spamassassin.org. Sonic has scripts set up to archive collected spam to that server.



KAM Goals for SysAdmin:

- For KAM, Apache SpamAssassin is a framework for writing goals. I deliver goals to prove the code works but I don't view that the project has to provide rules. Others may disagree but I don't see the value in masscheck, ruleqa, etc. when there is not enough people using the data.

- Once you have an account on Minotaur/Home/People, goto people.apache.org/~kmcgrail and make a duplicate for you. NOTE: This is documented SOMEWHERE but no idea where.

GOAL: Get it so I have your PGP key and put the signature for your PGP key into id.apache.org

SVN:
- You need access to https://svn.apache.org/repos/asf/spamassassin/ for sysadmin, dns and site. - In the ASF, we use http for read-only access to a repo and https for read-write. So if you are trying to checkout and modify a repo, make sure you are using https://

Encrypted SVN:
- If you can, document things in the Wiki at https://wiki.apache.org/spamassassin/DevelopmentStuff. If something is sensitive, encrypt it and store it on the https://svn.apache.org/repos/asf/spamassassin/sysadmins repo and reference it on the Wiki.

SSH:
The systems use One Password In Everything (OPIE) to elevate your access via sudo. Some resources: https://reference.apache.org/committer/opie and https://reference.apache.org/committer/otp-md5




How to Onboard someone as a SysAdmin:

- A PMC Member nominates a new SASA member as a committer since we store items in SVN for configs NOTE: If they later produce code, they should request that permission from the PMC.

- If the vote is successful, they then follow all the normal committer guidelines to get them an Apache ID including an appropriate committer license: https://www.apache.org/dev/new-committers-guide.html

- Once they have an Apache ID, they should:

- SASA Member signs up for an Infra Jira account at https://issues.apache.org/jira/secure/Signup!default.jspa?
  - SASA Member adds an SSH public key to id.apache.org
  - Add your PGP public key.  http://people.apache.org/~kmcgrail/
  - Create an account on our Wiki
  - Email [email protected]
- Email [email protected] and ask for karma to access sa-vm1 with sudo access - Email [email protected] and ask for your account to be added to https://wiki.apache.org/spamassassin/ContributorsGroup and https://wiki.apache.org/spamassassin/AdminGroup - Start looking at https://wiki.apache.org/spamassassin/DevelopmentStuff under infrastruction

- Someone with Karma needs to:
  - Approve request to sysadmins mailing list
  - Add them to ContributorsGroup and AdminGroup on Wikki
- Open a JIRA ticket at issues.apache.org similar to INFRA-14045 to get them access to our box

--
Kevin A. McGrail
Asst. Treasurer, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project      

Reply via email to