#33766: DNS renumbering procedure fails if git is untouched
-------------------------------------------------+-------------------------
     Reporter:  anarcat                          |          Owner:  tpa
         Type:  defect                           |         Status:  needs_revision
     Priority:  High                             |      Milestone:
    Component:  Internal Services/Tor Sysadmin   |        Version:
                Team                             |
     Severity:  Major                            |     Resolution:
     Keywords:                                   |  Actual Points:
    Parent ID:                                   |         Points:
     Reviewer:                                   |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):
 * status:  new => needs_revision

Comment:

 here's what i found out so far.

 1. `ud-generate` writes stuff in `/var/cache/userdir-ldap/hosts`, one directory per host
 2. `ud-replicate` rsyncs that stuff to `/var/lib/misc` on all hosts
 3. DNS servers (nevii and falax, at first glance) are special and have a precious little `dns-sshfp` file that gets generated with all those "automatic" records from the `ipHostNumber` field in LDAP
 4. that file is therefore dropped in `/var/lib/misc/thishost/dns-sshfp` on nevii
 5. the zone file used by bind is in `/srv/dns.torproject.org/var/generated/torproject.org` on nevii, but it doesn't include the file generated by `ud-replicate`, so it's generated by something else

 I'm about there in my investigation. It looks like the file is actually generated after a git hook, triggered from cupani, for example look at this push on the `dns/domains.git` repo:

 {{{
 Push to g...@git-rw.torproject.org:admin/dns/domains
 [...]
 remote: via /srv/git.torproject.org/git-helpers/post-receive-diff
 remote: == 00-sync-to-mirror ==
 remote: == commit-mail ==
 remote: == github-push ==
 remote: == gitlab-push ==
 remote: == irc-message ==
 remote: == per-repo-hook ==
 remote: run-parts: executing /srv/git.torproject.org/git-helpers/post-receive-per-repo.d/admin%dns%domains/trigger-dns-server admin/dns/domains /tmp/tmp.1bfbXjedly
 remote: [/srv/git.torproject.org/git-helpers/post-receive-per-repo.d/admin%dns%domains/trigger-dns-server] Triggering update on dns master
 remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: ***** start of script *****
 remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: pre flock
 remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: pre git pull
 remote: 2020-03-30 22:10:05 /srv/dns.torproject.org/bin/update: pre update-keys
 remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre build-services
 remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre for loop
 remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre write_zonefile for 0-26.72.229.38.in-addr.arpa
 remote: 2020-03-30 22:10:09 /srv/dns.torproject.org/bin/update: pre write_zonefile for 0.0.0.5.a.5.0.0.0.b.6.0.1.0.0.2.ip6.arpa
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 1.0.0.0.5.0.0.0.0.0.5.8.7.0.6.2.ip6.arpa
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 144-28.132.35.154.in-addr.arpa
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 16-28.235.45.89.in-addr.arpa
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 30.172.in-addr.arpa
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for 64-28.132.35.154.in-addr.arpa
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for b.0.0.0.0.b.6.0.0.0.0.0.0.2.6.2.ip6.arpa
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for onion-router.net
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for rev
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.com
 remote: 2020-03-30 22:10:10 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.net
 remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: pre write_zonefile for torproject.org
 remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: pre dns-update
 remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: done!
 remote: 2020-03-30 22:10:11 /srv/dns.torproject.org/bin/update: ***** end of script *****
 remote: == xx-jenkins-trigger ==
 remote: [hook[4791]] Triggering jenkins build for (https://git.torproject.org/admin/dns/domains.git, master, 2f5ed1f115f9a5aa6bad82ca7e1a6737fc8088f4).
 remote: No git jobs using repository: https://git.torproject.org/admin/dns/domains.git and branches: master
 remote: No Git consumers using SCM API plugin for: https://git.torproject.org/admin/dns/domains.git
 remote: [hook[4791]] Jenkins triggers done.
 To git-rw.torproject.org:admin/dns/domains
    bdd0d4e..2f5ed1f  master -> master
 updating local tracking ref 'refs/remotes/origin/master'
 }}}

 Therefore, the script in `/srv/dns.torproject.org/bin/update` seems to have the magic sauce. I haven't dug any deeper as to why that's not done automatically or what actually takes content of `dns-sshfp`, or how this could be done by hand, but it's definitely something that we should document.

 This affects the [https://help.torproject.org/tsa/howto/ganeti/ ganeti import procedure], but also the [https://help.torproject.org/tsa/howto/new-machine new-machine procedure].

 It is also important to figure out where exactly the TTL gets extracted from LDAP, and how to change it immediately, for the ganeti procedures.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33766#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
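A check for the failure mode the comment describes (LDAP renumbered, zone never rebuilt), added here as an example that is not part of the ticket or of userdir-ldap's code: it compares the replicated `/var/lib/misc/thishost/dns-sshfp` fragment against the generated zone and reports addresses that differ. It assumes both files carry records as `owner [ttl] IN TYPE rdata` lines (an assumption, not ud-generate's documented format), and the sample contents are constructed.

```python
import re
from typing import Dict, Set, Tuple

# Assumed record layout in both files: "owner [ttl] IN TYPE rdata" (a guess, not ud-generate's documented format).
RECORD_RE = re.compile(
    r"^(?P<owner>[^\s;]+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+(?P<type>A|AAAA|SSHFP)\s+(?P<rdata>.+?)\s*$")
Record = Tuple[str, str, str]  # (fully qualified owner, type, rdata)

# Constructed sample: ipHostNumber in LDAP was changed, but the zone was never rebuilt.
SAMPLE_FRAGMENT = """\
; replicated by ud-replicate (constructed sample)
example-host\tIN\tA\t198.51.100.10
example-host\tIN\tAAAA\t2001:db8::10
example-host\tIN\tSSHFP 4 2 0123abcd
"""
SAMPLE_ZONE = """\
$TTL 3600
@ IN SOA ns.torproject.org. hostmaster.torproject.org. 1 2h 30m 1w 1h
example-host 3600 IN A 203.0.113.10
example-host 3600 IN AAAA 2001:db8::10
example-host IN SSHFP 4 2 0123abcd
"""


def parse_records(text: str, origin: str) -> Set[Record]:
    """Collect A/AAAA/SSHFP records, qualifying relative owners with origin so
    fragment and zone compare on equal terms; $TTL, SOA, comments are ignored."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        m = RECORD_RE.match(line) if line else None
        if not m:
            continue
        owner = m.group("owner")
        if not owner.endswith("."):
            owner = f"{owner}.{origin}."
        records.add((owner, m.group("type"), " ".join(m.group("rdata").split())))
    return records


def find_stale(fragment: str, zone: str, origin: str) -> Dict[str, Set[Record]]:
    """'missing': records LDAP says should exist but the zone lacks; 'stale': zone
    records of an owner/type LDAP lists with other data (the old address still served)."""
    want, have = parse_records(fragment, origin), parse_records(zone, origin)
    watched = {(o, t) for o, t, _ in want}
    return {"missing": want - have,
            "stale": {r for r in have - want if (r[0], r[1]) in watched}}


def check_files(fragment_path: str, zone_path: str, origin: str) -> Dict[str, Set[Record]]:
    with open(fragment_path) as f, open(zone_path) as z:  # e.g. the two nevii paths above
        return find_stale(f.read(), z.read(), origin)
```

A non-empty `missing` or `stale` set after a renumbering means the git-triggered `update` run has not happened yet, which is exactly the gap the ticket asks to document.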