Project:Infrastructure/Developer retirement process
This guide describes how to retire a developer properly from all Gentoo hosted services.
Introduction
Our developers use several different services that we need to ensure get taken care of when they retire.
This process officially starts when Retirement team CCs infra-bugs@gentoo.org on the retirement bug and tells us to retire the developer. Robin Johnson is the present infra retirement processor, but this document is intended to allow other infra developers with suitable access to retire as needed.
You should have access to the following services in case something goes wrong.
| Function | Access level |
|---|---|
| dev.gentoo.org | root |
| cvs.gentoo.org AND access to gitolite-admin and planet-gentoo git repos | root |
| ldap1.gentoo.org | shell access AND infra-ldapadmin.group in LDAP gentooAccess attribute |
| lists.gentoo.org | root |
| bugs.gentoo.org | Bugzilla admin |
| forums.gentoo.org | Forums admin |
| blogs.gentoo.org | Blogs super admin |
Automatic retiring procedures
How to retire a dev
- Login to ldap1 as your user.
- Run the retirement script. If there is no dev bug set in LDAP, the script will ask for it.
user $ /usr/local/sbin/retire-dev-ldap <DEV_NAME>
How it works
Dev-facing bits
In cfengine/files/usr/local/sbin/:
- auto-retire: A shell script called from cron every interval. The 'Driver' for all retirements.
- find_retired_devs.py: A python script that scans LDAP for developers marked for retirement.
- Eligible developers have 'gentooStatus=Retired' and a 'gentooAutoRetire' value that falls inside the start-end window.
- You cannot retire developers who have gentooAccess: infra-ldapadmin.group.
- Eligible developers need to have a gentooDevBug attribute.
- find_retired_devs_test.py: A test for the above module.
- retire-dev-ldap: Takes a username and a bug number and 'retires' the user in LDAP.
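The eligibility rules above, as an added example in the spirit of find_retired_devs.py (this is not Gentoo infra's script). It assumes the LDAP entries have already been fetched as dicts of attribute name to list of values, the shape python-ldap and ldap3 return, and that gentooAutoRetire holds an ISO date (YYYY-MM-DD); the real attribute format is not given on this page, so both are assumptions. The constructed entries show each rule rejecting a developer, including the infra-ldapadmin.group guard that keeps auto-retire from locking infra out.

```python
"""Eligibility filter in the spirit of find_retired_devs.py (added example)."""
from datetime import date

# gentooAccess value that blocks retirement (from the page); everything else is assumed.
INFRA_ADMIN_GROUP = "infra-ldapadmin.group"


def parse_auto_retire(values):
    """Return the gentooAutoRetire date, or None if absent or unparseable (assumed ISO format)."""
    if not values:
        return None
    try:
        return date.fromisoformat(values[0])
    except ValueError:
        return None


def is_eligible(entry, window_start, window_end):
    """Apply the page's rules: Retired status, date in window, not an LDAP admin, has a dev bug."""
    status = [s.lower() for s in entry.get("gentooStatus", [])]
    if "retired" not in status:
        return False
    when = parse_auto_retire(entry.get("gentooAutoRetire"))
    if when is None or not (window_start <= when <= window_end):
        return False
    if INFRA_ADMIN_GROUP in entry.get("gentooAccess", []):
        return False
    if not entry.get("gentooDevBug"):  # nowhere to log progress without a bug
        return False
    return True


def find_retired_devs(entries, window_start, window_end):
    """Return sorted (uid, bug) pairs for every entry that passes is_eligible."""
    hits = []
    for entry in entries:
        if is_eligible(entry, window_start, window_end):
            hits.append((entry["uid"][0], entry["gentooDevBug"][0]))
    return sorted(hits)


# Constructed sample entries; none of these are real Gentoo developers.
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "gentooStatus": ["Retired"], "gentooAutoRetire": ["2024-03-10"],
     "gentooAccess": ["dev.gentoo.org"], "gentooDevBug": ["123456"]},
    # still active: must never be touched
    {"uid": ["bob"], "gentooStatus": ["Active"], "gentooAutoRetire": ["2024-03-10"],
     "gentooAccess": ["dev.gentoo.org"], "gentooDevBug": ["123457"]},
    # retired but an LDAP admin: refused so auto-retire cannot lock infra out
    {"uid": ["carol"], "gentooStatus": ["Retired"], "gentooAutoRetire": ["2024-03-11"],
     "gentooAccess": ["dev.gentoo.org", INFRA_ADMIN_GROUP], "gentooDevBug": ["123458"]},
    # retired but no retirement bug: skipped
    {"uid": ["dave"], "gentooStatus": ["Retired"], "gentooAutoRetire": ["2024-03-12"],
     "gentooAccess": []},
    # retired but outside the window
    {"uid": ["erin"], "gentooStatus": ["Retired"], "gentooAutoRetire": ["2024-05-01"],
     "gentooAccess": [], "gentooDevBug": ["123459"]},
]
SAMPLE_WINDOW = (date(2024, 3, 1), date(2024, 3, 31))  # constructed window

if __name__ == "__main__":
    for uid, bug in find_retired_devs(SAMPLE_ENTRIES, *SAMPLE_WINDOW):
        print(f"retire {uid} (bug #{bug})")
```

Only alice survives the constructed window: bob is active, carol is an LDAP admin, dave has no bug, and erin is outside the window.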
Background bits
The auto-retire script will search for developers who need to be retired. For each dev, it will call run-parts on /etc/retire.d on all infra-managed machines. For most machines, this is a no-op as that directory is empty. On machines that have services, each service will have a service-specific script in there. All messages are logged to a machine-local file, and some of the messages are logged to Bugzilla. See https://bugs.gentoo.org/show_bug.cgi?id=70723 as an example.
These scripts are all managed in cfengine/cfengine/inputs, just grep for 'retire.d' to find each service specific script.
antarus@a01 ~/code/checkouts/cfengine/cfengine/inputs $ grep retire.d -R ./
./cf.smtp_lists: /etc/retire.d/retire-dev-list ->! /usr/local/sbin/lists/retire-dev-list
./hosts/cf.yellowhammer: /etc/retire.d/bugzilla-retire ->! /usr/local/sbin/bugzilla-retire
./cf.vcs: /etc/retire.d/retire-dev ->! /usr/local/sbin/retire-dev
These scripts all take a simple dev name (eg: 'antarus') as an argument. If you want to add another service (planet needs some automation, for example) you can simply write a service-specific retirement script. Test it out by hand first. All stdout that matches '^LOG:' will be sent to Bugzilla, so do not write sensitive information in there (all bugs are public).
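The run-parts call and the '^LOG:' rule above, as an added example (not Gentoo infra's auto-retire). It emulates run-parts over a hook directory (sorted, executable files only, each called with the dev name as its single argument), then splits the collected stdout into the lines that may go to the public bug and the lines that stay in the machine-local log. The hook script body and the 'example-service' name are constructed for the demonstration.

```python
"""Driver skeleton for /etc/retire.d hooks (added example)."""
import os
import re
import stat
import subprocess
import tempfile

LOG_LINE = re.compile(r"^LOG:")  # only lines anchored at the start qualify


def run_retire_hooks(retire_dir, devname):
    """Run every executable in retire_dir with devname as its argument; return combined stdout.

    An empty or missing directory is a no-op, matching machines without services.
    """
    if not os.path.isdir(retire_dir):
        return ""
    out = []
    for name in sorted(os.listdir(retire_dir)):
        path = os.path.join(retire_dir, name)
        if not os.path.isfile(path) or not os.access(path, os.X_OK):
            continue
        proc = subprocess.run([path, devname], capture_output=True, text=True, check=False)
        out.append(proc.stdout)
    return "".join(out)


def split_output(text):
    """Return (bug_lines, local_lines): ^LOG: lines for Bugzilla, everything else local only."""
    bug_lines, local_lines = [], []
    for line in text.splitlines():
        (bug_lines if LOG_LINE.match(line) else local_lines).append(line)
    return bug_lines, local_lines


# Constructed hook script; not a real retire.d script from the cfengine tree.
SAMPLE_HOOK = """#!/bin/sh
dev="$1"
echo "LOG: removed $dev from example-service"
echo "debug: $dev had 3 open sessions"
echo "internal: /srv/example/$dev"
"""


def demo(devname="antarus"):
    """Create a temporary retire.d with one hook, run it, and return the split output."""
    with tempfile.TemporaryDirectory() as d:
        hook = os.path.join(d, "example-retire")
        with open(hook, "w") as f:
            f.write(SAMPLE_HOOK)
        os.chmod(hook, os.stat(hook).st_mode | stat.S_IXUSR)
        return split_output(run_retire_hooks(d, devname))


if __name__ == "__main__":
    bug, local = demo()
    print("to bugzilla:", bug)
    print("local only :", local)
```

Only the first echo of the constructed hook reaches the bug; the debug and path lines stay local, which is the distinction the paragraph asks script authors to keep in mind.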
Manual retiring procedures (non-automated part)
Update forums account
Contact any forums administrator, or CC their Bugzilla account (forum-mods@gentoo.org) on the bug.
Retire from Planet/Universe and blogs
CC their Bugzilla account (planet@gentoo.org) on the retirement bug. They will remove the planet/universe configs, which are in the g.o.g.o/proj/planet-gentoo git repo, and reset the password for blogs. The final step is to disable comments on all posts, for which they will ping infra on IRC to run the following command:
UPDATE wp_ID_posts SET comment_status='closed', ping_status='closed' WHERE comment_status='open' OR ping_status='open';
# ID can be found under wp admin panel -> Super Admin -> Sites
Needs more automation
Update git.gentoo.org
Inside the gitolite-admin repository:
- move all keys for the developer to exdevs, i.e.:
user $ git mv keydir/devs/foo@gentoo.org* keydir/exdevs/
- run scripts/clean.pl to update groups:
user $ perl scripts/clean.pl
- remove developer from @ldap__repo__gentoo, manually or via script:
user $ perl scripts/ldap2groups.pl > conf/groups-ldap.conf
- commit and push ;-).
Manual retiring procedures (if not doing automated)
Retire from dev.gentoo.org
The first step is to remove a developer from our shell box. Infrastructure has created a shell script that should take care of all the tasks. Login as root to dev.gentoo.org and run the following:
# /root/scripts/retire-dev username
This script will do the following:
- Remove the user from all local groups
- Remove the user from all mail aliases
- If they have a mail forward, copy it to the retired-devs alias directory
- If they don't have a mail forward, create an mbox that their mail will go to for 30 days in case they need something.
- Move their home directory to /home/RETIRED/username
- Index the contents of their home directory with permission details
- Change the ownership of their homedir to root
- Tar up their homedir
- Remove the homedir while leaving the tarball of homedir
Here's what it will look like:
root # /root/scripts/retire-dev username
Stop all processing belonging to username
Removing username from groups (exp_x86,bsd) via gpasswd
Removing username from aliases
Removing from /var/mail/alias/misc/net-irc
Removing from /var/mail/alias/misc/net-mail
Forward not found, redirecting mail to /home/RETIRED/mail-backup/username.saved
Moving home directory from /home/username to /home/RETIRED/username
Indexing old content of /home/RETIRED/username
Changing ownership to root on /home/RETIRED/username/*
Tar'ing up /home/RETIRED/username
Removing /home/RETIRED/username
** Remember to run these commands on ldap1: **
perl_ldap -b user -E gentooAccess username
perl_ldap -b user -M gentooStatus retired username
Since our shell box uses LDAP, actual user deletion will happen on the LDAP server. We cannot just lock the user in LDAP, as OpenSSH may still consult the authorized_keys file, hence the retiring of the home directory as well.
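The home-directory steps from the list above (move to RETIRED, index with permission details, chown to root, tar up, remove), as an added example that is not /root/scripts/retire-dev. Paths are parameters so it runs against a throwaway tree, the user 'foo' and its files are constructed, and the chown step is only attempted when running as root; the index format (mode, uid, gid, size, path) is an assumption.

```python
"""Home-directory retirement steps (added example, not Gentoo's retire-dev)."""
import os
import shutil
import stat
import tarfile
import tempfile


def index_tree(root):
    """Return one 'mode uid gid size relpath' line per entry under root, sorted by path."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: record symlinks as they are, do not follow them
            rows.append((os.path.relpath(full, root), st))
    return [f"{stat.filemode(st.st_mode)} {st.st_uid} {st.st_gid} {st.st_size} {rel}"
            for rel, st in sorted(rows)]


def retire_home(home_root, retired_root, username):
    """Move, index, chown, tar and remove the home directory; return the artefact paths."""
    src = os.path.join(home_root, username)
    dst = os.path.join(retired_root, username)
    if not os.path.isdir(src):
        raise FileNotFoundError(src)
    os.makedirs(retired_root, exist_ok=True)
    shutil.move(src, dst)  # /home/user -> RETIRED/user; authorized_keys goes with it
    index_path = dst + ".index"
    with open(index_path, "w") as f:  # permissions recorded before ownership changes
        f.write("\n".join(index_tree(dst)) + "\n")
    if os.geteuid() == 0:  # chown to root only when we actually can
        for dirpath, dirnames, filenames in os.walk(dst):
            os.lchown(dirpath, 0, 0)
            for name in filenames:
                os.lchown(os.path.join(dirpath, name), 0, 0)
    tar_path = dst + ".tar.gz"
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(dst, arcname=username)
    shutil.rmtree(dst)  # leave only the tarball and the index behind
    return {"index": index_path, "tarball": tar_path}


def demo():
    """Build a constructed home tree for user 'foo' in a temp dir, retire it, report what is left."""
    base = tempfile.mkdtemp()
    home_root = os.path.join(base, "home")
    retired_root = os.path.join(home_root, "RETIRED")
    os.makedirs(os.path.join(home_root, "foo", ".ssh"))
    with open(os.path.join(home_root, "foo", ".ssh", "authorized_keys"), "w") as f:
        f.write("ssh-ed25519 PLACEHOLDER-KEY foo@example\n")  # constructed placeholder
    with open(os.path.join(home_root, "foo", "notes.txt"), "w") as f:
        f.write("hello\n")
    paths = retire_home(home_root, retired_root, "foo")
    with open(paths["index"]) as f:
        index_lines = f.read().splitlines()
    with tarfile.open(paths["tarball"]) as tar:
        members = sorted(tar.getnames())
    return {
        "index_lines": index_lines,
        "members": members,
        "original_present": os.path.exists(os.path.join(home_root, "foo")),
        "retired_dir_present": os.path.exists(os.path.join(retired_root, "foo")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

After the run neither /home/foo nor RETIRED/foo exists on disk, only the tarball and the index, which is what takes the authorized_keys file out of OpenSSH's reach even before LDAP is updated.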
Retire from cvs.gentoo.org
Retiring a developer from the CVS server works the same way as the shell retirement process (stopping processes, and removing from groups). The only difference is that the script only moves the developer's home directory to the RETIRED folder. Log into cvs.gentoo.org and run the following:
# /root/scripts/retire-dev username
Moving homedir from /home/username to /home/RETIRED/username
Changing ownership to root on /home/RETIRED/username/
Retire in LDAP
In order to remove the user totally from our system, you need to login to our primary LDAP server (ldap1.gentoo.org). You cannot retire a developer from any other box. ramereth created a script that does the following:
- Removes any gentooAccess attribute values
- Sets the developer's gentooStatus to retired
- Sets the gentooRetire attribute.
This script lives in /usr/local/sbin/retire-dev-ldap.
$ /usr/local/sbin/retire-dev-ldap username
Enter LDAP Password:
replace gentooStatus:
retired
delete gentooAccess:
cvs.gentoo.org
dev.gentoo.org
stork.gentoo.org
modifying entry "uid=username,ou=devs,dc=gentoo,dc=org"
WARNING, extra gentooAccess detected: stork.gentoo.org
Special cases: other machine access
Now you need to check every other Gentoo machine that the developer previously had local-account access to, such as any other *.gentoo.org boxes, or the various arch team machines like *.amd64.gentoo.org. You need to disable any local accounts that still exist. If the box is connected to LDAP, cleaning up the home directory is nice, but not required.
Infra: do we have a nice retirement script for this? This would of course require that we track who has access to which machines better. ;-)
Retire from mailing lists
Retiring developers are responsible for re-subscribing to any lists that they are still interested in.
Now we need to remove the developer from all our mailing lists so that we don't have to deal with extra mail and with bounces that time out. The following script on our mailserver will comb through the lists and remove the email address from each list properly. It will check for regular subscribers, digest subscribers and nomail subscribers.
# /usr/local/sbin/unsub-global.sh username@gentoo.org
Removing username@gentoo.org from gentoo-core
Removing username@gentoo.org from gentoo-dev
Removing username@gentoo.org from gentoo-gwn
Retire Bugzilla account
Retiring developers must open a new Bugzilla account with their user email address if they wish to continue using Bugzilla. If they are interested in mail to the old account, they should explicitly configure watches for every address and alias that they are interested in. The reasoning behind this is threefold: allow future searches to find work by a given developer after he has retired, without having to know what his email address was renamed to; protect old private bugs; preserve the assignee information on old closed bugs.
Now we need to retire and disable their Bugzilla account. Please SSH to bugs-db1.gentoo.org, sudo up, and run: ./retire.sh $USERNAME. This automated script performs the following tasks:
- Add the disabled text to say: "Retired on 12-08-2005 as per retirement bug #12345." Retiring developers are responsible for creating a new bugzilla account, and configuring watches for all bugzilla accounts that they are interested in.
- Append (RETIRED) to the real name field
- Remove them from any Bugzilla groups they may have been added to
This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: Robin Johnson (robbat2) , Lance Albertson, Theo Chatzimichos,
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.