From: Luca Filipozzi Date: Mon, 27 Jan 2014 04:25:46 +0000 (+0000) Subject: Merge branch 'proposed' X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=f1d1d77ca9e36a1559a3639a3beac60c603fc9be;hp=56782ec1a950492b2ef041fc69c9777af5f6a62d;p=mirror%2Fdsa-wiki.git Merge branch 'proposed' Signed-off-by: Luca Filipozzi --- diff --git a/input/Pics/blog/2014/debian-dns.dia b/input/Pics/blog/2014/debian-dns.dia new file mode 100644 index 0000000..4defa20 Binary files /dev/null and b/input/Pics/blog/2014/debian-dns.dia differ diff --git a/input/Pics/blog/2014/debian-dns.png b/input/Pics/blog/2014/debian-dns.png new file mode 100644 index 0000000..dc9014b Binary files /dev/null and b/input/Pics/blog/2014/debian-dns.png differ diff --git a/input/doc/guest-account.creole b/input/doc/guest-account.creole index 30efc9d..d79e3ea 100644 --- a/input/doc/guest-account.creole +++ b/input/doc/guest-account.creole @@ -1,6 +1,6 @@ = Guest Access to porter machines = -People who are not DDs but are working on software in Debian are can request +People who are not DDs but are working on software in Debian can request access to porter machines for short term (1-2 months) in order to resolve port issues and the like. diff --git a/input/doc/mq.mdwn b/input/doc/mq.mdwn new file mode 100644 index 0000000..529e96d --- /dev/null +++ b/input/doc/mq.mdwn 
@@ -0,0 +1,65 @@ +# MQ admin notes + +## The design is resilient +* There are two hosts, rapoport and rainier. +* The service will stay up if either is up. +* Individual connections will break, but the clients know how to reconnect +* All queues and exchanges configured to be created as durable by default + +## The design is reasonably secure +* All connections are over SSL, using the autoca host certs +* The default guest account has been removed +* All d.o machines have autogenerated passwords + +## Admin tools +* Web consoles + * https://rainier.debian.org:15672 + * https://rapoport.debian.org:15672 +* CLI tool + * go to either + * https://rainier.debian.org:15672/cli/ + * https://rapoport.debian.org:15672/cli/ + * Download the rabbitmqadmin tool and put in ~/bin + * set up ~/.rabbitmqadmin.conf. Passwords on handel + +Sample `.rabbitmqadmin.conf`: + + [rainier] + hostname = rainier.debian.org + port = 15672 + username = admin + password = XXX + ssl = True + + [rapoport] + hostname = rapoport.debian.org + port = 15672 + username = admin + password = XX + ssl = True + +## A word about terminology: +pubsub messaging involves a sender and a receiver. + +The sender connects to an exchange, and publishes a message. The sender +may or may not create the exchange during the course of that action. +During message sending, the sender declares a topic for the message. + +Topics are just '.' separated strings, eg dsa.git.mail, +ftpteam.package.upload.clamav, etc. They allow for two types of +wildcards. dsa.git.* matches any single git repo but not +dsa.git.mail.commit. #.clamav match anything ending in clamav, no +matter how many separators. + +The receiver connects to a queue, binds it to an exchange with a topic +binding for a specific topic, and waits for a message. If a message +submitted to the exchange matches the topic, it is routed to the +receiver queue, and the receiver gets it. + +The tcp connection from a client to the MQ server is called a channel. 
+The protocol layer on top of the TCP connection is called a connection +(I know, good, right?). The connection between a queue and an exchange +is called a binding. + +--- +Sun, 26 Jan 2014 17:24:28 +0000 diff --git a/input/doc/subdomains.mdwn b/input/doc/subdomains.mdwn index e497a43..97c410f 100644 --- a/input/doc/subdomains.mdwn +++ b/input/doc/subdomains.mdwn @@ -41,6 +41,8 @@ antispam measures of each email address: have callout sender verification applied. * **grey_users**: a simple list of local parts that should have greylisting applied. +* **localonly**: a simple list of local parts that should only accept mail + from debian.org hosts. * **neversenders**: a simple list of local parts (of the virtual domain) that should never appear as senders of mails. * **whitelist**: a colon separated list starting with "localpart:" of hosts diff --git a/input/dsablog/2014/The_Debian_DNS_universe.mdwn b/input/dsablog/2014/The_Debian_DNS_universe.mdwn index bf2657c..85513aa 100644 --- a/input/dsablog/2014/The_Debian_DNS_universe.mdwn +++ b/input/dsablog/2014/The_Debian_DNS_universe.mdwn @@ -94,7 +94,7 @@ The auto-dns system produces two kinds of output: # Tying it all together -![The Debian DNS Rube Goldberg Machine.](../debian-dns.png) +![The Debian DNS Rube Goldberg Machine.](/Pics/blog/2014/debian-dns.png) Figure 1: The Debian DNS Rube Goldberg Machine. @@ -124,13 +124,14 @@ only will it warn us if an expiring key is still in the DSset, it can also prevent it from getting expired by issuing timly updates of the keys metadata. -# Relevant Git repositories: +# Relevant Git repositories * [domains] * [auto-dns] * [mini-nag] * [dns-helpers] * [puppet] +* [nagioschecks] [^ldap]: `ldapsearch -h db.debian.org -x -ZZ -b dc=debian,dc=org -LLL 'host=master'` 
@@ -152,5 +153,6 @@ keys metadata. [mini-nag]: http://anonscm.debian.org/gitweb/?p=mirror/dsa-mini-nag.git;a=tree [dns-helpers]: http://anonscm.debian.org/gitweb/?p=mirror/dns-helpers.git;a=tree [static]: http://anonscm.debian.org/gitweb/?p=mirror/dsa-auto-dns.git;a=blob;f=services/static.debian.org.service;hb=HEAD +[nagioschecks]: http://anonscm.debian.org/gitweb/?p=mirror/dsa-nagios.git;a=tree;f=dsa-nagios-checks/checks;hb=HEAD -- Peter Palfrader diff --git a/input/dsablog/2014/debian-dns.dia b/input/dsablog/2014/debian-dns.dia deleted file mode 100644 index 4defa20..0000000 Binary files a/input/dsablog/2014/debian-dns.dia and /dev/null differ diff --git a/input/dsablog/2014/debian-dns.png b/input/dsablog/2014/debian-dns.png deleted file mode 100644 index d2c6d6d..0000000 Binary files a/input/dsablog/2014/debian-dns.png and /dev/null differ diff --git a/input/howto/decomission.mdwn b/input/howto/decomission.mdwn index db66aa6..c432580 100644 --- a/input/howto/decomission.mdwn +++ b/input/howto/decomission.mdwn @@ -18,6 +18,13 @@ * Remove any references from puppet configuration * Remove references to the host from DNS files, including reverse DNS * Get rid of the HW (tell the hoster to get rid of it or other as appropriate) + * Remove MQ queues related to machine (see [[doc/mq]] for details) + + for queue in $(rabbitmqadmin -N rainier list queues name | \ + grep unger.debian.org | \ + awk '{print $2}') ; do + rabbitmqadmin -N rainier -V dsa delete queue name=$queue + done Three months after decomissioning: diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole index cd5bbe8..ec3c8a2 100644 --- a/input/howto/new-machine.creole +++ b/input/howto/new-machine.creole 
@@ -23,7 +23,7 @@ Note: this has recently been changed to rely more on [[puppet|howto/puppet-setup * run generate, or wait until cron runs it for you. Update DNS. {{{ : :: draghi :: && sudo -u sshdist ud-generate && sudo -H ud-replicate && sudo -H puppetd -t - : :: orff :: && sudo -H ud-replicate + : :: denis :: && sudo -H ud-replicate }}} * setup [[puppet|howto/puppet-setup]] (run the puppet client two or three times until things converge.)
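Review bot: the terminology paragraph at the end of the new input/doc/mq.mdwn has connection and channel the wrong way round. In AMQP the TCP connection from the client to the broker is the connection, and a channel is a lightweight virtual connection multiplexed over it, so "The tcp connection from a client to the MQ server is called a channel. The protocol layer on top of the TCP connection is called a connection" should have the two terms swapped; as written, an admin reading the management console's Connections and Channels tabs will map them backwards. While in there: "#.clamav match anything" should be "matches", and what the sender "declares a topic for the message" is the routing key in RabbitMQ's own vocabulary, which is the word rabbitmqadmin and the web console use.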
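Review bot: the sample `.rabbitmqadmin.conf` in input/doc/mq.mdwn stores the admin password in plaintext, so the doc should say the file has to be readable only by its owner (mode 0600). Given the claim "All connections are over SSL, using the autoca host certs", it should also say how the client is expected to trust the autoca CA, since `ssl = True` on its own names no CA and the reader cannot tell whether the server certificate is verified at all.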
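Review bot: the new `localonly` entry in input/doc/subdomains.mdwn does not say how "debian.org hosts" are identified: by the connecting host's address against the list of d.o machines, or by the envelope sender's domain. If it is the latter, the restriction is bypassed by forging the envelope sender. The neighbouring entries (e.g. `whitelist`, "a colon separated list starting with 'localpart:' of hosts") spell out what they match on; this one should too.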
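Review bot: the queue-deletion loop added to input/howto/decomission.mdwn lists queues without `-V dsa` but deletes with `-V dsa`, so the list and the delete are not guaranteed to address the same vhost; put the same `-V` on both commands. The hardcoded `unger.debian.org` belongs to one specific host and should be a placeholder for the machine being decommissioned, and an unanchored `grep` on a hostname will also match any queue whose name merely contains it, which on a delete loop is the wrong failure direction. Parsing the table output with `awk '{print $2}'` is fragile too: `rabbitmqadmin -f tsv list queues name` (or `-f bash`) gives a parseable column, and `name=$queue` should be quoted.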