This guide describes how to retire a developer properly from all of our services.
Our developers use several different services that we need to ensure get taken care of when they retire.
This process officially starts when Developer Relations CCes firstname.lastname@example.org on the retirement bug and tells us to retire the developer. Robin Johnsonis the present infra retirement processor, but this document is intended to allow other infra staff with suitable access to retire as needed.
You should have access to the following services in case something goes wrong.
|duck||ldap1.gentoo.org||shell access AND infra-ldapadmin.group in LDAP gentooAccess attribute|
|gannet or godwit||forums.gentoo.org||Forums admin|
|kookaburra||blogs.gentoo.org||Blogs super admin|
|hornbill||overlays.gentoo.org||Access to gitolite-admin and planet-gentoo git repos|
Manual Retiring Procedures
Retire from dev.gentoo.org
The first step is to remove a developer from our shell box. Infrastructure has created a shell script that should take care of all the tasks. Login as root to dev.gentoo.org and run the following:
This script will do the following:
- Remove the user from all local groups
- Remove the user from all mail aliases
- If they have a mail forward, copy it to the retired-devs alias directory
- If they don't have a mail forward, create a mbox that their mail will go to for 30 days in case they need something.
- Move their home directory to /home/RETIRED/username
- Index the contents of their home directory with permission details
- Change the ownership of their homedir to root
- Tar up their homedir
- Remove the homedir while leaving the tarball of homedir
Here's what it will look like:
Since our shell box uses LDAP, actual user deletion will happen on the LDAP server. We cannot just lock the user in LDAP, as OpenSSH may still consult the authorized_keys file, hence the retiring of the home directory as well.
Retire from cvs.gentoo.org
Retiring a developer from the CVS server works the same way as the shell retirement process (stopping proceses, and removing from groups). The only difference is that the script only moves the developer's home directory to the RETIRED folder. Log into cvs.gentoo.org and run the following:
Retire in LDAP
In order to remove the user totally from our system, you need to login to our primary LDAP server (ldap1.gentoo.org). You cannot retire a developer from any other box. ramerethcreated a script that does the following:
- Removes any attribute with
- Sets the developer's
- Setting the gentooRetire attribute.
This script lives in /usr/local/sbin/retire-dev-ldap.
Special cases: other machine access
Now you need to check every other Gentoo machine that the developer previously had local-account access to, such as any other *.gentoo.org boxes, or the various arch team machines like *.amd64.gentoo.org. You need to disable any local accounts that still exist. If the box is connected to LDAP, cleaning up the home directory is nice, but not required.
Retire from mailing lists
Now we need to remove the developer from all our mailing lists so that we don't have to deal with extra mail and the bounce to timeout. The following script on our mailserver will comb through the lists and remove the email address from that list properly. It will check for regular subscribers, digest subscribers and nomail subscribers.
Retire Bugzilla account
Now we need to retire and disable their Bugzilla account. Please SSH to bugs-db1.gentoo.org , sudo up, and run: ./retire.sh $USERNAME . This automated script performs the following tasks:
- Add the disabled text to say: "Retired on 12-08-2005 as per retirement bug #12345." Retiring developers are responsible for creating a new bugzilla account, and configuring watches for all bugzilla accounts that they are interested in.
- Append (RETIRED) to the real name field
- Remove them from any Bugzilla groups they may have been added to
Update forums account
Contact any forums administrator, or CC their Bugzilla account ( email@example.com) on the bug.
Retire from Planet/Universe and Blogs
CC their bugzilla account ( firstname.lastname@example.org) on the retirement bug. They will remove the planet/universe configs which are in g.o.g.o/proj/planet-gentoo git repo, and reset the password for blogs. Final step is to disable comments from all posts, for which they will ping infra on IRC to run the following command:
Update overlays (gitolite groups and email)
Final step is to move the user from devs to exdevs group in gitolite.conf, and update his email address in keydir/user.pub. CC overlays bugzilla account ( email@example.com) in the retirement bug to take care of it.
We would like to thank the following authors and editors for their contributions to this guide:
- Robin H. Johnson
- Lance Albertson
- Theo Chatzimichos
- Joshua Saddler