Retirement Process Guide
Our developers use several different services, and we need to make sure each of
them is taken care of when a developer retires.
This process officially starts when Developer Relations CCes
firstname.lastname@example.org on the retirement bug and tells us to retire the
developer. robbat2 is the present infra
retirement processor, but this document is intended to allow other infra staff
with suitable access to retire developers as needed.
You should have access to the following services in case something goes wrong.
- shell access AND infra-ldapadmin.group in LDAP gentooAccess attribute
- gannet or godwit
- Blogs super admin
- Access to gitolite-admin and planet-gentoo git repos
Manual Retiring Procedures
Retire from dev.gentoo.org
The first step is to remove a developer from our shell box. Infrastructure has
created a shell script that should take care of all the tasks. Log in as
root to dev.gentoo.org and run the following:
Code Listing 2.1: Removal from dev.gentoo.org
This script will do the following:
- Remove the user from all local groups
- Remove the user from all mail aliases
- If they have a mail forward, copy it to the retired-devs alias
- If they don't have a mail forward, create an mbox that their mail will go to
for 30 days in case they need something.
- Move their home directory to /home/RETIRED/username
- Index the contents of their home directory with permission details
- Change the ownership of their homedir to root
- Tar up their homedir
- Remove the homedir while leaving the tarball of homedir
Here's what it will look like:
Code Listing 2.2: Retiring a user on dev.gentoo.org
Stop all processing belonging to
Removing from groups () via gpasswd
Removing from aliases
Removing from /var/mail/alias/misc/
Removing from /var/mail/alias/misc/
Forward not found, redirecting mail to /home/RETIRED/mail-backup/.saved
Moving home directory from /home/ to /home/RETIRED/
Indexing old content of /home/RETIRED/
Changing ownership to root on /home/RETIRED//*
Tar'ing up /home/RETIRED/
** Remember to run these commands on ldap1: **
perl_ldap -b user -E gentooAccess
perl_ldap -b user -M gentooStatus retired
Since our shell box uses LDAP, actual user deletion will happen on the LDAP
server. We cannot just lock the user in LDAP, as OpenSSH may still consult the
authorized_keys file, hence the retiring of the home directory as well.
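The reason given above for retiring the home directory (OpenSSH may still consult authorized_keys) can be verified after the script has run. The check below is an added example, not one of the infra scripts; the function names, the optional ROOT prefix argument and the file name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: post-retirement check for one shell host.
# ROOT (second argument) is an assumed filesystem prefix so the check can be
# pointed at a constructed tree; leave it empty on a real host.

# Print each local group in ROOT/etc/group that still lists USER as a member.
groups_with_member() {
    user=$1; root=${2:-}
    [ -r "$root/etc/group" ] || return 0
    # Field 4 is the comma-separated member list; match whole names only.
    awk -F: -v u="$user" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$root/etc/group"
}

# Print one FAIL line per leftover; exit status 0 means nothing was found.
check_retired() {
    user=$1; root=${2:-}; findings=0
    home="$root/home/$user"
    # By default sshd looks for keys under the user's home directory, so a
    # surviving file here can outlive the LDAP change.
    if [ -e "$home/.ssh/authorized_keys" ]; then
        echo "FAIL authorized_keys still present: $home/.ssh/authorized_keys"
        findings=$((findings + 1))
    fi
    if [ -d "$home" ]; then
        echo "FAIL home directory not moved to RETIRED: $home"
        findings=$((findings + 1))
    fi
    for g in $(groups_with_member "$user" "$root"); do
        echo "FAIL still a member of local group: $g"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Usage: ./check-retired.sh USERNAME [ROOT]
if [ $# -gt 0 ]; then check_retired "$@"; fi
```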
Retire from cvs.gentoo.org
Retiring a developer from the CVS server works the same way as the shell
retirement process (stopping processes, and removing from groups). The only
difference is that the script only moves the developer's home directory to the
RETIRED folder. Log into cvs.gentoo.org and run the following:
Code Listing 2.3: Removal from cvs.gentoo.org
Moving homedir from /home/ to /home/RETIRED/
Changing ownership to root on /home/RETIRED//
Retire in LDAP
In order to remove the user completely from our system, you need to log in to our
primary LDAP server (ldap1.gentoo.org). You cannot retire a developer from any
other box. ramereth created a script that
does the following:
- Removes any attribute with gentooAccess
- Sets the developer's gentooStatus to retired
- Sets the gentooRetire attribute
This script lives in /usr/local/sbin/retire-dev-ldap.
Code Listing 2.4: Retire developer in LDAP
Enter LDAP Password:
modifying entry "uid=,ou=devs,dc=gentoo,dc=org"
WARNING, extra gentooAccess detected: stork.gentoo.org
Special cases: other machine access
Now you need to check every other Gentoo machine that the developer previously
had local-account access to, such as any other *.gentoo.org boxes, or the
various arch team machines like *.amd64.gentoo.org. You need to disable any
local accounts that still exist. If the box is connected to LDAP, cleaning up
the home directory is nice, but not required.
Infra: do we have a nice retirement script for this? This would of course
require that we track who has access to which machines better. ;-)
Retire from mailing lists
Retiring developers are responsible for re-subscribing to any lists that they
are still interested in.
Now we need to remove the developer from all our mailing lists so that we don't
have to deal with extra mail and with bounces until they time out. The following
script on our mailserver will comb through the lists and remove the email address
from each list properly. It will check for regular subscribers, digest subscribers
and nomail subscribers.
Code Listing 2.5: Unsubscribe the email address from all mailing lists
# /usr/local/sbin/unsub-global.sh @gentoo.org
Removing @gentoo.org from gentoo-core
Removing @gentoo.org from gentoo-dev
Removing @gentoo.org from gentoo-gwn
Retire Bugzilla account
Retiring developers must open a new Bugzilla account with their user email
address if they wish to continue using Bugzilla. If they are interested in mail
to the old account, they should explicitly configure watches for every address
and alias that they are interested in.
The reasoning behind this is
threefold: allow future searches to find work by a given developer after he has
retired, without having to know what his email address was renamed to; protect
old private bugs; preserve the assignee information on old closed bugs.
Now we need to retire and disable their Bugzilla account. Please SSH to
bugs-db1.gentoo.org, sudo up, and run: ./retire.sh $USERNAME.
This automated script performs the following tasks:
- Add the disabled text to say: "Retired on 12-08-2005 as per retirement bug
#12345." Retiring developers are responsible for creating a new bugzilla
account, and configuring watches for all bugzilla accounts that they are
- Append (RETIRED) to the real name field
- Remove them from any Bugzilla groups they may have been added to
Update forums account
Contact any forums administrator, or CC their Bugzilla account (email@example.com) on the bug.
Retire from Planet/Universe and Blogs
CC their Bugzilla account (firstname.lastname@example.org)
on the retirement bug. They will remove the planet/universe configs, which
are in the g.o.g.o/proj/planet-gentoo git repo, and reset the password for
blogs. The final step is to disable comments on all posts, for which they
will ping infra on IRC to run the following command:
Code Listing 2.6: Disabling comments on all posts
UPDATE wp_ID_posts SET comment_status='closed', ping_status='closed' WHERE comment_status='open' OR ping_status='open';
# ID can be found under wp admin panel -> Super Admin -> Sites
Warning: Needs more automation
Update overlays (gitolite groups and email)
The final step is to move the user from the devs group to the exdevs group in
gitolite.conf, and update his email address in keydir/user.pub.
CC the overlays Bugzilla account (email@example.com) in the retirement bug to take care
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-2.5 license. The Gentoo Name and Logo Usage Guidelines apply.