
Retirement Process Guide


1.  Introduction

Our developers use several different services, and each of them must be taken care of when a developer retires.

This process officially starts when Developer Relations CCs infra-bugs@gentoo.org on the retirement bug and tells us to retire the developer. robbat2 is the present infra retirement processor, but this document is intended to allow other infra staff with suitable access to retire developers as needed.

You must have access to the following services:

Server      Function           Access level
woodpecker  dev.gentoo.org     root
stork       cvs.gentoo.org     root
toucan      ldap1.gentoo.org   shell access AND infra-ldapadmin.group in LDAP gentooAccess attribute
pigeon      mail.gentoo.org    root
kite        bugs.gentoo.org    Bugzilla admin
dove        forums.gentoo.org  Forums admin
warbler     planet.gentoo.org  root or gplanet

2.  Retiring Procedures

Retire from dev.gentoo.org

The first step is to remove the developer from our shell box. Infrastructure has created a shell script that takes care of all the tasks. Log in to dev.gentoo.org as root and run the following:

Code Listing 2.1: Removal from dev.gentoo.org

# /root/scripts/retire-dev username

This script will do the following:

  • Remove the user from all local groups
  • Remove the user from all mail aliases
  • If they have a mail forward, copy it to the retired-devs alias directory
  • If they don't have a mail forward, create an mbox that their mail will go to for 30 days in case they need something
  • Move their home directory to /home/RETIRED/username
  • Index the contents of their home directory with permission details
  • Change the ownership of their homedir to root
  • Tar up their homedir
  • Remove the homedir while leaving the tarball of homedir

Here's what it will look like:

Code Listing 2.2: Retiring a user on dev.gentoo.org

# /root/scripts/retire-dev username
Stop all processing belonging to username
Removing username from groups (exp_x86,bsd) via gpasswd
Removing username from aliases
  Removing from /var/mail/alias/misc/net-irc
  Removing from /var/mail/alias/misc/net-mail
Forward not found, redirecting mail to /home/RETIRED/mail-backup/username.saved
Moving home directory from /home/username to /home/RETIRED/username
Indexing old content of /home/RETIRED/username
Changing ownership to root on /home/RETIRED/username/*
Tar'ing up /home/RETIRED/username
Removing /home/RETIRED/username

 ** Remember to run these commands on ldap1: **
  perl_ldap -b user -E gentooAccess username
  perl_ldap -b user -M gentooStatus retired username

Since our shell box uses LDAP, actual user deletion will happen on the LDAP server. We cannot just lock the user in LDAP, as OpenSSH may still consult the authorized_keys file, hence the retiring of the home directory as well.

Retire from cvs.gentoo.org

Retiring a developer from the CVS server works the same way as the shell retirement process (stopping processes and removing the user from groups). The only difference is that the script only moves the developer's home directory to the RETIRED folder. Log in to cvs.gentoo.org and run the following:

Code Listing 2.3: Removal from cvs.gentoo.org

# /root/scripts/retire-dev username
Moving homedir from /home/username to /home/RETIRED/username
Changing ownership to root on /home/RETIRED/username/

Retire in LDAP

To remove the user from our system entirely, you need to log in to our primary LDAP server (ldap1.gentoo.org). You cannot retire a developer from any other box. ramereth created a script that does the following:

  • Removes all gentooAccess attributes
  • Sets the developer's gentooStatus to retired
  • Sets the gentooRetire attribute

Currently, this script resides in a home directory on ldap1.gentoo.org: /home/robbat2/scripts/retire-dev-ldap. Copy this script to your homedir and use it, or run it directly. This is the second version of the script, which detects additional gentooAccess attributes correctly.

Code Listing 2.4: Retire developer in LDAP

$ /home/robbat2/scripts/retire-dev-ldap username
Enter LDAP Password:
replace gentooStatus:
    retired
delete gentooAccess:
    cvs.gentoo.org
    dev.gentoo.org
    stork.gentoo.org
modifying entry "uid=username,ou=devs,dc=gentoo,dc=org"

WARNING, extra gentooAccess detected: stork.gentoo.org

Special cases: other machine access

Now you need to check every other Gentoo machine that the developer previously had local-account access to, such as any other *.gentoo.org boxes, or the various arch team machines like *.amd64.gentoo.org. You need to disable any local accounts that still exist. If the box is connected to LDAP, cleaning up the home directory is nice, but not required.
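One way to run this check on a single host, as an added example (it is not one of the infra scripts this guide refers to). It assumes local accounts live in the standard passwd and shadow files; the function name audit_retired, the account olddev and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one host for leftovers of a retired local account.
# Prints one line per finding; returns 0 if clean, 1 if anything is left.
# File arguments default to the live system; the demo passes constructed copies.
audit_retired() {
    user=$1 passwd=${2:-/etc/passwd} shadow=${3:-/etc/shadow} findings=0

    # Accounts that exist only in LDAP will not appear in the local file.
    entry=$(awk -F: -v u="$user" '$1 == u' "$passwd")
    [ -n "$entry" ] || { echo "OK: no local account for $user"; return 0; }
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")

    # A shadow field starting with ! or * cannot match any password.
    case $hash in
        '!'*|'*'*) ;;
        *) echo "FINDING: password for $user is not locked"; findings=$((findings + 1)) ;;
    esac
    # Locking the password does not stop key-based SSH logins.
    if [ -s "$home/.ssh/authorized_keys" ]; then
        echo "FINDING: $home/.ssh/authorized_keys still present"
        findings=$((findings + 1))
    fi
    case $shell in
        */nologin|*/false) ;;
        *) echo "FINDING: login shell is still $shell"; findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample data (not a real account): an unlocked leftover user.
demo=$(mktemp -d)
mkdir -p "$demo/home/olddev/.ssh"
echo 'ssh-ed25519 CONSTRUCTED-KEY olddev@example' > "$demo/home/olddev/.ssh/authorized_keys"
printf 'olddev:x:1001:1001::%s/home/olddev:/bin/bash\n' "$demo" > "$demo/passwd"
printf 'olddev:$6$constructed$notarealhash:14000::::::\n' > "$demo/shadow"
audit_retired olddev "$demo/passwd" "$demo/shadow" || echo "leftovers found for olddev"
```

On a real host, run it as root with only the username so that it reads the live /etc/passwd and /etc/shadow.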

Note: Infra: do we have a nice retirement script for this? This would of course require that we track who has access to which machines better. ;-)

Retire from mailing lists

Important: Retiring developers are responsible for re-subscribing to any lists that they are still interested in.

Now we need to remove the developer from all our mailing lists so that we don't have to deal with the extra mail and wait for the bounces to time out. The following script on our mailserver combs through the lists and properly removes the email address from each one. It checks for regular subscribers, digest subscribers and nomail subscribers.

Code Listing 2.5: Unsubscribe the email address from all mailing lists

# /usr/local/sbin/unsub-global.sh username@gentoo.org
Removing username@gentoo.org from gentoo-core
Removing username@gentoo.org from gentoo-dev
Removing username@gentoo.org from gentoo-gwn

Retire Bugzilla account

Important: Retiring developers must open a new Bugzilla account with their user email address if they wish to continue using Bugzilla. If they are interested in mail to the old account, they should explicitly configure watches for every address and alias that they are interested in.
The reasoning behind this is threefold: allow future searches to find work by a given developer after he has retired, without having to know what his email address was renamed to; protect old private bugs; preserve the assignee information on old closed bugs.

Now we need to retire and disable their Bugzilla account. Please SSH to bugs-db1.gentoo.org, sudo up, and run: ./retire.sh $USERNAME. This automated script performs the following tasks:

  • Add the disabled text to say: "Retired on 12-08-2005 as per retirement bug #12345." Retiring developers are responsible for creating a new bugzilla account, and configuring watches for all bugzilla accounts that they are interested in.
  • Append (RETIRED) to the real name field
  • Remove them from any Bugzilla groups they may have been added to

Update forums account

Contact any forums administrator, or CC their Bugzilla account (forum-mods@gentoo.org) on the bug.

Retire from Planet/Universe

Finally, to remove the developer's blog from Gentoo Planet and Gentoo Universe, you can either CC planet@gentoo.org on the retirement bug, or log in to planet.gentoo.org and change /var/www/planet.gentoo.org/base/planet/configs/*.ini.

Note: Infra: Contact beandog about automating it better.




Updated June 29, 2008

Summary: This guide describes how to retire a developer properly from all of our services.

Robin H. Johnson
Author

Lance Albertson
Author

Joshua Saddler
Editor

Copyright 2001-2009 Gentoo Foundation, Inc.