Version 9 (modified by 11 years ago) ( diff ) | ,
---|
This page documents the steps to take in decommissioning a kvm guest.
Make sure any needed data is backed up.
The steps below assume that nothing needs to be preserved from the server. If something does need to be preserved, copy the data to another location before following these steps.
Revoke all Known Published Host keys
TODO: cleanup steps for doing so
Instructions from irc
10:55 <@jamie> in terms of key re-vocation, it should be two steps: 10:56 <@jamie> monkeysphere-host revoke-key 10:56 <@jamie> that revokes the server's ssh monkeysphere key 10:56 <@jamie> and then, to revoke the root@server.mayfirst.org's key: 10:57 <@jamie> gpg --list-secret-key to get the secret key id for the root user. 10:58 <@jamie> followed by gpg --edit-key <gpgid> 10:58 <@jamie> then: revkey 10:58 <@jamie> then save 10:58 <@jamie> then gpg --send-key <gpgid>
Shutting down the guest
We need the machine to be out of service so that we can wipe any sensitive data from the disks. In order to shutdown a guest so that it will not reboot, you'll need to be root@HOSTNAME.mayfirst.org
. From the host, issue the command:
# update-service --remove /etc/sv/kvm/GUESTNAME
This command will shutdown the virtual machine. We need the machine to be out of service so that we can wipe any sensitive data from the disks.
Removing the guest directory
To ensure that the guest will not come back online, ever, you should remove the guest kvm directory with the following command as root@HOSTNAME.mayfirst.org
:
# rm -rf /etc/sv/kvm/GUESTNAME
Ensure all sensitive data is overwritten
For this step, login as GUESTNAME@HOSTNAME.mayfirst.org
to ensure that you do not overwrite data for other guests. We want to zero out all bytes on the logic volume to avoid this. However, be careful: doing this at full-speed can cause guests on the hosts to stop responding. Use the pv command to limit the IO rate. You may need to use apt-get to install pv on the host. The command is:
$ pv --rate-limit=1m < /dev/zero > /dev/mapper/VOLUMEGROUPNAME-LOGICALVOLUMENAME
A real world example would be:
TODO: new example that uses pv rather than dd
Once this command finishes running, you can return the logical volume to the volume group.
Removing a Logical Volume
From root@HOSTNAME.mayfirst.org
check the volume group with:
# vgs
This should give output that looks like this:
0 ken:/dev# vgs VG #PV #LV #SN Attr VSize VFree vg_ken0 1 15 0 wz--n- 1.82t 1.10t 0 ken:/dev#
Now you can remove the logical volume with the following command:
# lvremove VOLUMEGROUPNAME/LOGICALVOLUMENAME
Real world example:
0 ken:/dev# lvremove vg_ken0/bataille Do you really want to remove active logical volume bataille? [y/n]: y Logical volume "bataille" successfully removed 0 ken:/dev#
Now run 'vgs' again and make sure the new disk space has been added back to the volume group. You should see an increase in the 'VFree' column of the output of the 'vgs' command.
Removing the guest user
# deluser --remove-home GUESTNAME
Clean up on helper servers
On jojobe.mayfirst.org (nagios server), check for and delete:
/etc/nagios3/conf.d/nodes/GUESTNAME.cfg
On the designated backup servers (should be designated in puppet file if it exists):
deluser --remove-home GUESTNAME-sync
On your own workstation in the MFPL puppet git repo:
git rm manifests/nodes/production/GUESTNAME.pp git commit -m "decomissioning GUESTNAME"
Delete node from http://servers.mayfirst.org/
Other system cleanup
On the host, you might also want to:
- remove the guest user account
- remove the associated
/etc/udev/rules.d/92-kvm_creator-GUEST.rules
You've now decommissioned a server!