Dave and Bryan, below is my latest attempt at the how to information for
sysadmins.
Can one of you please take on incorporating this into the wiki?
Apache SpamAssassin SysAdmin How-To
NOTE: This was written in April of 2017 to help modernize our system records
- Other records: See
https://wiki.apache.org/spamassassin/DevelopmentStuff - This document
will likely be used to replace that page.
- Wiki Access:
Write access to the wiki is to anyone who has created a login name on
the wiki
whose name has been added to the page
https://wiki.apache.org/spamassassin/ContributorsGroup
Write access to that page is to anyone whose wiki login name has been
added to
https://wiki.apache.org/spamassassin/AdminGroup
- Members of SA SysAdmins (SASA):
Dave Jones - [email protected]
Kevin A. McGrail - 703-798-0171 - [email protected]
Bryan Vest - [email protected]
- Who's in Charge?
The PMC. There is no leadership hierarchy in the SpamAssassin SysAdmins.
NOTE: As with any ASF role, if you follow The Apache Way, you should
feel empowered to Just Do It (TM Nike)
For a SysAdmin, your solution works (Merit), it's well documented (Open)
and supports the project (Community), you're good to go though as a
SysAdmin you need to realize we have control over private data. All
SASA members have been asked to follow the LISA Code of Ethics.
Tenants we Follow:
- The Apache Way, Shane Curcuru's post on this are a good point:
http://theapacheway.com/
- LISA/Sage Code of Ethics,
https://www.pccc.com/base.cgim?template=sage_code_of_ethics
Important Resources:
The ASF Infrastructure (Infra) Jira:
https://issues.apache.org/jira/secure/Dashboard.jspa - Sign up at Jira
isn't single sign on enabled.
SpamAssassin Bugzilla: https://bz.apache.org/SpamAssassin/
Short-hand Notes:
There are a lot of acronyms, even those that might be basic that will
be defined here if we find there is confusion to make it easier to bring
new sysadmin's onboard to make many hands make light work.
Apache Software Foundation (ASF)
Bugzilla (BZ)
Apache SpamAssassin (SA)
PMC (Project Management Committee)
SVN (SubVersioN)
Mailing Lists:
- There is a dedicated SASA Mailing list
[email protected]. Additionally, our machines largely
support the Rule QA process so [email protected] should be
subscribed to.
Credentials:
- There are legacy shared credentials. These must be encrypted and
stored in SVN.
OPIE:
- To sudo to root, you need to use OPIE - See
https://reference.apache.org/committer/opie
DNS for SpamAssassin.org:
- The server creates DNS entries on the fly so we do not use the ASF
infrastructure for DNS. We have a hidden master that pushes to
Hyperreal and Sonic
Contact for HyperReal is Brian Behlendorf
Contact for Sonic is [email protected]
The information located here:
https://wiki.sonic.net/wiki/Secondary_DNS_Service is the current
configuration information you will need.
- Project Machines
This is a short description of the machines involved including those
that USED to exist and why.
OLD:
- Hyperion.Apache.org -
ftp://ftp.ist.utl.pt/apache/dev/machines.html#hyperion shows this was
likely a solaris box that I had access to when zones died and I had to
recover data.
- SpamAssassin.zones.apache.org - DIED - was replaced with spamassassin-vm
- SpamAssassin.zones2.apache.org - deprecated by Infra
- spamassassin-vm.apache.org - deprecated by Infra
CURRENT:
- incoming.apache.org - Donated by Sonic
- sa-vm1.apache.org - Ubuntu box to replace spamassassin-vm and zones2
- Other Aliases: buildbot, ruleqa (there might be more).
Also, this is an ASF box for all committers:
- Minotaur.apache.org aka People - This used to handle various build and
devel related tasks. Minotaur.apache.org for ssh (It appears that
minotaur is not the proper server anymore. I used home.apache.org per
some links that Sidney sent. (Home.apache.org and people.apache.org
resolve to the same IP.)
- Backups:
There are no backups of these machines save what is stored in SVN or
that KAM has made.
Specifically, what backups does KAM have as of 2017/05/08:
- Hyperion.apache.org - N/A
- Incoming.apache.org aka colo - Backup on KAM's Crashplan
- minotaur.apache.org (NOTE: Aka People) - N/A
- sa-vm1.apache.org - Backup on KAM's Crashplan
- Spamassassin-vm.apache.org - Backup on KAM's Crashplan - Mar 15,
2017 - There is also a backup on sa-vm1 in /x1.
- spamassassin2.zones.apache.org - Backup on KAM's Crashplan from
Approximately Jun 2015 last backup. Also have an Rsync copy from June
3, 2015 on PCCC TalonJR machine - And there is also a copy on sa-vm1 in /x1
- Ubuntu?
Ubuntu is the ASF Infrastructures OS of choice. Supporting others is
not an option at this time.
- How to get access to each machine:
sa-vm1.apache.org (current as of 4/28/17)
- Open a Jira ticket with the availid of the person(s) you want to
have access. Note if they need sudo access or not.
- User self maintains their ssh-key at id.apache.org
- NOTE: if sudo access was requested, run and sets up 'ortpasswd'
- Why all the boxes?
The resources for Masscheck can be very intensive on CPU, Ram and disk
I/O intensive. Over the years, many boxes have been consolidated,
donated, lost, replaced, moved under ASF Infrastructure or just fell
over and sank into the swamp.
- Some boxes are just names for other boxes
trap-proc.spamassassin.org. Sonic has scripts set up to archive
collected spam to that server.
KAM Goals for SysAdmin:
- For KAM, Apache SpamAssassin is a framework for writing goals. I
deliver goals to prove the code works but I don't view that the project
has to provide rules. Others may disagree but I don't see the value in
masscheck, ruleqa, etc. when there is not enough people using the data.
- Once you have an account on Minotaur/Home/People, goto
people.apache.org/~kmcgrail and make a duplicate for you. NOTE: This is
documented SOMEWHERE but no idea where.
GOAL: Get it so I have your PGP key and put the signature for your PGP
key into id.apache.org
SVN:
- You need access to https://svn.apache.org/repos/asf/spamassassin/ for
sysadmin, dns and site.
- In the ASF, we use http for read-only access to a repo and https for
read-write. So if you are trying to checkout and modify a repo, make
sure you are using https://
Encrypted SVN:
- If you can, document things in the Wiki at
https://wiki.apache.org/spamassassin/DevelopmentStuff. If something is
sensitive, encrypt it and store it on the
https://svn.apache.org/repos/asf/spamassassin/sysadmins repo and
reference it on the Wiki.
SSH:
The systems use One Password In Everything (OPIE) to elevate your access
via sudo. Some resources: https://reference.apache.org/committer/opie
and https://reference.apache.org/committer/otp-md5
How to Onboard someone as a SysAdmin:
- A PMC Member nominates a new SASA member as a committer since we store
items in SVN for configs
NOTE: If they later produce code, they should request that permission
from the PMC.
- If the vote is successful, they then follow all the normal committer
guidelines to get them an Apache ID including an appropriate committer
license: https://www.apache.org/dev/new-committers-guide.html
- Once they have an Apache ID, they should:
- SASA Member signs up for an Infra Jira account at
https://issues.apache.org/jira/secure/Signup!default.jspa?
- SASA Member adds an SSH public key to id.apache.org
- Add your PGP public key. http://people.apache.org/~kmcgrail/
- Create an account on our Wiki
- Email [email protected]
- Email [email protected] and ask for karma to access
sa-vm1 with sudo access
- Email [email protected] and ask for your account to
be added to https://wiki.apache.org/spamassassin/ContributorsGroup and
https://wiki.apache.org/spamassassin/AdminGroup
- Start looking at
https://wiki.apache.org/spamassassin/DevelopmentStuff under infrastruction
- Someone with Karma needs to:
- Approve request to sysadmins mailing list
- Add them to ContributorsGroup and AdminGroup on Wikki
- Open a JIRA ticket at issues.apache.org similar to INFRA-14045 to
get them access to our box
--
Kevin A. McGrail
Asst. Treasurer, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project