Our developers use several different services, and each one needs to be cleaned up when a developer retires.
This process officially starts when Developer Relations CCes infra-bugs@gentoo.org on the retirement bug and tells us to retire the developer. robbat2 is the present infra retirement processor, but this document is intended to allow other infra staff with suitable access to retire as needed.
You must have access to the following services:
| Server | Function | Access level |
| --- | --- | --- |
| woodpecker | dev.gentoo.org | root |
| stork | cvs.gentoo.org | root |
| toucan | ldap1.gentoo.org | shell access AND infra-ldapadmin.group in LDAP gentooAccess attribute |
| pigeon | mail.gentoo.org | root |
| kite | bugs.gentoo.org | Bugzilla admin |
| dove | forums.gentoo.org | Forums admin |
| warbler | planet.gentoo.org | root or gplanet |
The first step is to remove a developer from our shell box. Infrastructure has created a shell script that should take care of all the tasks. Login as root to dev.gentoo.org and run the following:
Code Listing 2.1: Removal from dev.gentoo.org

```
# /root/scripts/retire-dev username
```
This script does the following; here is what a run looks like:
Code Listing 2.2: Retiring a user on dev.gentoo.org

```
# /root/scripts/retire-dev username
Stop all processing belonging to username
Removing username from groups (exp_x86,bsd) via gpasswd
Removing username from aliases
Removing from /var/mail/alias/misc/net-irc
Removing from /var/mail/alias/misc/net-mail
Forward not found, redirecting mail to /home/RETIRED/mail-backup/username.saved
Moving home directory from /home/username to /home/RETIRED/username
Indexing old content of /home/RETIRED/username
Changing ownership to root on /home/RETIRED/username/*
Tar'ing up /home/RETIRED/username
Removing /home/RETIRED/username
** Remember to run these commands on ldap1: **
perl_ldap -b user -E gentooAccess username
perl_ldap -b user -M gentooStatus retired username
```
Since our shell box uses LDAP, actual user deletion will happen on the LDAP server. We cannot just lock the user in LDAP, as OpenSSH may still consult the authorized_keys file, hence the retiring of the home directory as well.
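As an added example (not Gentoo infra's /root/scripts/retire-dev), this POSIX shell function carries out the home-directory part of the listing above: stop the user's processes, move the home out of the live path so sshd can no longer find authorized_keys, index it, hand it to root, tar it and remove it. HOME_BASE and RETIRED_BASE are assumed overrides so the function can be run against a scratch directory; on the real box they are /home and /home/RETIRED.

```shell
#!/bin/sh
# Added example, not Gentoo infra's /root/scripts/retire-dev: retire a shell
# account the way the listing above describes. HOME_BASE and RETIRED_BASE are
# assumed overrides so the function can be run against a scratch directory; on
# the real box they are /home and /home/RETIRED.
set -u

retire_home() {
    user=$1
    home_base=${HOME_BASE:-/home}
    retired_base=${RETIRED_BASE:-/home/RETIRED}
    src="$home_base/$user"
    dst="$retired_base/$user"

    [ -d "$src" ] || { echo "no home directory for $user at $src" >&2; return 1; }
    mkdir -p "$retired_base"

    # Stop whatever is still running as the user; a live session outlives any
    # change made to the LDAP entry.
    pkill -u "$user" 2>/dev/null || true

    # Moving the home directory is the step that revokes SSH access: sshd reads
    # ~/.ssh/authorized_keys from the live path, so locking the LDAP entry
    # alone would leave the old key usable.
    mv "$src" "$dst"

    # Record what was there, then hand the tree to root before archiving it
    # (the chown is skipped when not running as root, e.g. in a dry run).
    find "$dst" -print | sort > "$dst.index"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$dst"
    fi
    tar -C "$retired_base" -cf "$dst.tar" "$user"
    rm -rf "$dst"

    # Nothing sshd could still consult may remain under the live path.
    if [ -e "$src/.ssh/authorized_keys" ]; then
        echo "authorized_keys still present under $src" >&2
        return 1
    fi
    echo "$dst.tar"
}
```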
Retiring a developer from the CVS server works the same way as the shell retirement process (stopping processes and removing from groups). The only difference is that the script only moves the developer's home directory to the RETIRED folder and hands it to root. Log into cvs.gentoo.org and run the following:
Code Listing 2.3: Removal from cvs.gentoo.org

```
# /root/scripts/retire-dev username
Moving homedir from /home/username to /home/RETIRED/username
Changing ownership to root on /home/RETIRED/username/
```
In order to remove the user totally from our system, you need to login to our primary LDAP server (ldap1.gentoo.org). You cannot retire a developer from any other box. ramereth created a script that does the following:
Currently, this script resides in a home directory on ldap1.gentoo.org: /home/robbat2/scripts/retire-dev-ldap. Copy this script to your homedir and use it, or run it directly. This is the second version of the script, which correctly detects additional gentooAccess values and warns about them.
Code Listing 2.4: Retire developer in LDAP

```
$ /home/robbat2/scripts/retire-dev-ldap username
Enter LDAP Password:
replace gentooStatus:
	retired
delete gentooAccess:
	cvs.gentoo.org
	dev.gentoo.org
	stork.gentoo.org
modifying entry "uid=username,ou=devs,dc=gentoo,dc=org"
WARNING, extra gentooAccess detected: stork.gentoo.org
```
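As an added example (not ramereth's retire-dev-ldap), this shell function writes the ldapmodify LDIF for the two changes in the listing above and prints the same style of warning for any gentooAccess value outside the pair every developer holds. The DN layout is taken from the listing; the expected pair of cvs.gentoo.org and dev.gentoo.org is an assumption for the example.

```shell
#!/bin/sh
# Added example, not ramereth's retire-dev-ldap: emit the ldapmodify LDIF that
# marks a developer retired and strips every gentooAccess value, warning about
# any value beyond the pair every developer holds. The DN layout comes from the
# listing above; the expected pair is an assumption for this example.

EXPECTED_ACCESS="cvs.gentoo.org dev.gentoo.org"

# Returns 0 when $1 is one of the expected gentooAccess values.
is_expected_access() {
    case " $EXPECTED_ACCESS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: retire_ldif username current-gentooAccess-values...
# LDIF goes to stdout; one WARNING line per unexpected host goes to stderr, so
# a caller can pipe stdout into ldapmodify and still see what needs a manual look.
retire_ldif() {
    user=$1; shift
    printf 'dn: uid=%s,ou=devs,dc=gentoo,dc=org\n' "$user"
    printf 'changetype: modify\n'
    printf 'replace: gentooStatus\n'
    printf 'gentooStatus: retired\n'
    printf '%s\n' -
    # Delete each current value explicitly rather than the whole attribute, so
    # the LDIF itself records exactly which access was revoked.
    printf 'delete: gentooAccess\n'
    for host in "$@"; do
        printf 'gentooAccess: %s\n' "$host"
        is_expected_access "$host" || \
            echo "WARNING, extra gentooAccess detected: $host" >&2
    done
    printf '%s\n' -
}
```

Review any warnings before piping the output into ldapmodify against ldap1; an unexpected host means a local account on that machine still needs attention.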
Special cases: other machine access
Now you need to check every other Gentoo machine that the developer previously had local-account access to, such as any other *.gentoo.org boxes, or the various arch team machines like *.amd64.gentoo.org. You need to disable any local accounts that still exist. If the box is connected to LDAP, cleaning up the home directory is nice, but not required.
Note: Infra: do we have a nice retirement script for this? This would of course require that we track who has access to which machines better. ;-)
Important: Retiring developers are responsible for re-subscribing to any lists that they are still interested in.
Now we need to remove the developer from all our mailing lists so that we don't have to deal with extra mail and with bounces until the address times out. The following script on our mailserver will comb through the lists and remove the email address from each list properly. It checks for regular subscribers, digest subscribers and nomail subscribers.
Code Listing 2.5: Unsubscribe the email address from all mailing lists

```
# /usr/local/sbin/unsub-global.sh username@gentoo.org
Removing username@gentoo.org from gentoo-core
Removing username@gentoo.org from gentoo-dev
Removing username@gentoo.org from gentoo-gwn
```
Important: Retiring developers must open a new Bugzilla account with their user email address if they wish to continue using Bugzilla. If they are interested in mail to the old account, they should explicitly configure watches for every address and alias that they are interested in.
Now we need to retire and disable their Bugzilla account. Please SSH to bugs-db1.gentoo.org, sudo up, and run: ./retire.sh $USERNAME. This automated script performs the following tasks:
Contact any forums administrator, or CC the forums administrators' Bugzilla account (forum-mods@gentoo.org) on the retirement bug.
Finally, in order to remove the developer's blog from Gentoo Planet and Gentoo Universe, you can either CC planet@gentoo.org on the retirement bug, or login to planet.gentoo.org and change /var/www/planet.gentoo.org/base/planet/configs/*.ini.
Note: Infra: Contact beandog about automating it better.
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.