authorJan Dittberner <jan@dittberner.info>2016-05-03 15:11:57 +0200
committerJan Dittberner <jan@dittberner.info>2016-05-03 15:11:57 +0200
commit65e0f67ca1ffba005cbddb18f1f44ab3487275d1 (patch)
treecc8f87651955bd680d0f5a16c0462a98c5c80f01
parent7d7c8ba26bd434a5adf98ba83d1733d4ee795ec3 (diff)
Add board system documentation
This commit adds documentation for the board.cacert.org container. Documentation is based on the Wiki documentation at https://wiki.cacert.org/SystemAdministration/Systems/Board and information gathered from the running system. The patches to OpenERP are stored in separate files to allow using them on top of an unpacked OpenERP tree.
-rw-r--r--docs/certlist.rst25
-rw-r--r--docs/patches/openerp/account.py.patch27
-rw-r--r--docs/patches/openerp/account_followup_paypal.patch38
-rw-r--r--docs/patches/openerp/account_followup_print.patch10
-rw-r--r--docs/patches/openerp/invoice.py.patch10
-rw-r--r--docs/patches/openerp/py.js.patch18
-rw-r--r--docs/patches/openerp/view_form.js.patch15
-rw-r--r--docs/systems.rst1
-rw-r--r--docs/systems/board.rst368
9 files changed, 512 insertions, 0 deletions
diff --git a/docs/certlist.rst b/docs/certlist.rst
index e8c5fb2..754be42 100644
--- a/docs/certlist.rst
+++ b/docs/certlist.rst
@@ -25,3 +25,28 @@ blog.cacert.org
+------------------+------------------------------------------------------------------------+
| SHA1 Fingerprint | ``69:A5:5F:3E:1B:D8:2E:CB:B3:AB:0B:E9:81:A6:CF:31:DF:C8:A4:5F`` |
+------------------+------------------------------------------------------------------------+
+
+.. _cert_board_cacert_org:
+
+board.cacert.org
+================
+
+.. index::
+ ! single: Certificate; Board
+
++------------------+--------------------------------------------------------------------+
+| Common Name | board.cacert.org |
++==================+====================================================================+
+| Subject Altnames | none |
++------------------+--------------------------------------------------------------------+
+| Key kept at | :doc:`board <systems/board>`:file:`/etc/ssl/private/board.key.pem` |
++------------------+--------------------------------------------------------------------+
+| Cert kept at | :doc:`board <systems/board>`:file:`/etc/ssl/certs/board.crt` |
++------------------+--------------------------------------------------------------------+
+| Serial Number | 1173561 (0x11e839) |
++------------------+--------------------------------------------------------------------+
+| Expiration date | Mar 31 16:47:11 2018 GMT |
++------------------+--------------------------------------------------------------------+
+| SHA1 Fingerprint | ``2C:AC:8C:F8:D6:4A:9E:1D:B0:35:B8:E4:5E:24:B1:43:E3:69:98:46`` |
++------------------+--------------------------------------------------------------------+
+
diff --git a/docs/patches/openerp/account.py.patch b/docs/patches/openerp/account.py.patch
new file mode 100644
index 0000000..c0157fe
--- /dev/null
+++ b/docs/patches/openerp/account.py.patch
@@ -0,0 +1,27 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 22:56:20.528382003 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/account.py 2015-01-25 23:32:37.088302059 +0000
+@@ -234,7 +234,7 @@
+ pos = 0
+ while pos < len(domain):
+ if domain[pos][0] == 'code' and domain[pos][1] in ('like', 'ilike') and domain[pos][2]:
+- domain[pos] = ('code', '=like', tools.ustr(domain[pos][2].replace('%', '')) + '%')
++ domain[pos] = ('code', '=ilike', tools.ustr(domain[pos][2].replace('%', '')) + '%')
+ if domain[pos][0] == 'journal_id':
+ if not domain[pos][2]:
+ del domain[pos]
+@@ -583,13 +583,13 @@
+ pass
+ if name:
+ if operator not in expression.NEGATIVE_TERM_OPERATORS:
+- ids = self.search(cr, user, ['|', ('code', '=like', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['|', ('code', '=ilike', name+"%"), '|', ('shortcut', '=', name), ('name', operator, name)]+args, limit=limit)
+ if not ids and len(name.split()) >= 2:
+ #Separating code and name of account for searching
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
+ ids = self.search(cr, user, [('code', operator, operand1), ('name', operator, operand2)]+ args, limit=limit)
+ else:
+- ids = self.search(cr, user, ['&','!', ('code', '=like', name+"%"), ('name', operator, name)]+args, limit=limit)
++ ids = self.search(cr, user, ['&','!', ('code', '=ilike', name+"%"), ('name', operator, name)]+args, limit=limit)
+ # as negation want to restric, do if already have results
+ if ids and len(name.split()) >= 2:
+ operand1,operand2 = name.split(' ',1) #name can contain spaces e.g. OpenERP S.A.
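Review bot: The patch file carries no statement of what the `=like` → `=ilike` change is for, and board.rst in this same commit includes it (and invoice.py.patch and py.js.patch) with only the target path, while the account_followup patches do get a one-line explanation. Free text before the first `---` header is ignored by patch(1), so a preamble such as `Make account-code lookups case-insensitive (=like -> =ilike) in the name search and domain rewriting.` can live in the patch file itself without affecting how it applies. The same applies to invoice.py.patch, where the reason for dropping `"no_note"` from the PayPal parameters is not recorded anywhere, and to py.js.patch. The hunks quoted here are excerpts of upstream functions whose bodies begin and end outside the patch.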
diff --git a/docs/patches/openerp/account_followup_paypal.patch b/docs/patches/openerp/account_followup_paypal.patch
new file mode 100644
index 0000000..9ac9958
--- /dev/null
+++ b/docs/patches/openerp/account_followup_paypal.patch
@@ -0,0 +1,38 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:39:56.719266967 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py 2015-01-25 18:41:39.620003461 +0000
+@@ -21,6 +21,7 @@
+
+ from openerp.osv import fields, osv
+ from lxml import etree
++from urllib import urlencode
+
+ from openerp.tools.translate import _
+
+@@ -274,10 +275,25 @@
+ strbegin = "<TD><B>"
+ strend = "</B></TD>"
+ followup_table +="<TR>" + strbegin + str(aml['date']) + strend + strbegin + aml['name'] + strend + strbegin + (aml['ref'] or '') + strend + strbegin + str(date) + strend + strbegin + str(aml['balance']) + strend + strbegin + block + strend + "</TR>"
+- total = rml_parse.formatLang(total, dp='Account', currency_obj=currency)
+ followup_table += '''<tr> </tr>
+ </table>
+- <center>''' + _("Amount due") + ''' : %s </center>''' % (total)
++ <center>''' + _("Amount due") + ''' : %s </center>''' % (rml_parse.formatLang(total, dp='Account', currency_obj=currency))
++ # Add PayPal link if available to allow direct payment
++ if company.paypal_account:
++ params = {
++ "cmd": "_xclick",
++ "business": company.paypal_account,
++ "item_name": "%s Amount Due in %s" % (company.name, currency.name or ''),
++ "invoice": currency_dict['line'][0]['name'],
++ "amount": total,
++ "currency_code": currency.name,
++ "button_subtype": "services",
++ "bn": "OpenERP_Invoice_PayNow_" + currency.name,
++ }
++ followup_table += '''
++ <center><a href="%s">
++ <img class="oe_edi_paypal_button" src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif" alt="Pay directly with PayPal"/>
++ </a></center>''' % ("https://www.paypal.com/cgi-bin/webscr?" + urlencode(params))
+ return followup_table
+
+ def write(self, cr, uid, ids, vals, context=None):
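Review bot: The new PayPal block guards `currency.name` only in `item_name` (`currency.name or ''`) but uses it bare in `currency_code` and in the string concatenation for `bn`, so a currency without a name would raise a TypeError on `"OpenERP_Invoice_PayNow_" + currency.name` while rendering the reminder; the simplest consistent fix is to make the whole block conditional, `if company.paypal_account and currency.name:`. The `invoice` parameter reads `currency_dict['line'][0]['name']`, which presumably is non-empty whenever a reminder is generated for that currency, but that is not visible here and is worth a comment. The assembled href is interpolated into HTML verbatim; urlencode percent-encodes quotes and angle brackets from `company.name`, so the remaining issue is only that the `&` separators are not written as `&amp;`, which browsers tolerate but an HTML validator will flag. The enclosing method starts before this hunk.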
diff --git a/docs/patches/openerp/account_followup_print.patch b/docs/patches/openerp/account_followup_print.patch
new file mode 100644
index 0000000..a0b83d0
--- /dev/null
+++ b/docs/patches/openerp/account_followup_print.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:07:31.357995387 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py 2015-04-20 01:09:21.314693739 +0000
+@@ -58,7 +58,6 @@
+ ('reconcile_id', '=', False),
+ ('state', '!=', 'draft'),
+ ('company_id', '=', company_id),
+- ('date_maturity', '<=', fields.date.context_today(self,self.cr,self.uid)),
+ ])
+
+ # lines_per_currency = {currency: [line data, ...], ...}
diff --git a/docs/patches/openerp/invoice.py.patch b/docs/patches/openerp/invoice.py.patch
new file mode 100644
index 0000000..93f1217
--- /dev/null
+++ b/docs/patches/openerp/invoice.py.patch
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:44:57.389199363 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py 2014-07-19 14:45:21.745410574 +0000
+@@ -271,7 +271,6 @@
+ "amount": inv.residual,
+ "currency_code": inv.currency_id.name,
+ "button_subtype": "services",
+- "no_note": "1",
+ "bn": "OpenERP_Invoice_PayNow_" + inv.currency_id.name,
+ }
+ res[inv.id] = "https://www.paypal.com/cgi-bin/webscr?" + url_encode(params)
diff --git a/docs/patches/openerp/py.js.patch b/docs/patches/openerp/py.js.patch
new file mode 100644
index 0000000..a172396
--- /dev/null
+++ b/docs/patches/openerp/py.js.patch
@@ -0,0 +1,18 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:26:30.660384152 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js 2013-06-16 23:30:02.035589446 +0000
+@@ -764,7 +764,14 @@
+
+ // Conversion
+ toJSON: function () {
+- throw new Error(this.constructor.name + ' can not be converted to JSON');
++ var out = {};
++ for(var k in this) {
++ if (this.hasOwnProperty(k) && !/^__/.test(k)) {
++ var val = this[k];
++ out[k] = val.toJSON ? val.toJSON() : val;
++ }
++ }
++ return out;
+ }
+ });
+ var NoneType = py.type('NoneType', null, {
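Review bot: `val.toJSON ? val.toJSON() : val` throws a TypeError as soon as one own property holds `null` or `undefined`, because property access on those values fails before the ternary is evaluated; the guard should be `out[k] = (val != null && typeof val.toJSON === 'function') ? val.toJSON() : val;`. The replacement also turns what upstream treated as an error (an object that cannot be converted to JSON) into a silent best-effort dump of its non-dunder own properties, which is presumably the intent for the form values this is applied to, but a one-line comment above the loop stating that, e.g. `// Serialize own, non-dunder properties instead of refusing; nested py objects recurse via their own toJSON`, would save the next reader from assuming it is an accident. The `py.type(...)` object literal this method belongs to begins and ends outside the hunk.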
diff --git a/docs/patches/openerp/view_form.js.patch b/docs/patches/openerp/view_form.js.patch
new file mode 100644
index 0000000..8628865
--- /dev/null
+++ b/docs/patches/openerp/view_form.js.patch
@@ -0,0 +1,15 @@
+--- /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:03:35.053098527 +0000
++++ /usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js 2013-01-29 15:08:27.372588389 +0000
+@@ -3176,7 +3176,11 @@
+ if (! no_recurse) {
+ var dataset = new instance.web.DataSetStatic(this, this.field.relation, self.build_context());
+ dataset.name_get([self.get("value")]).done(function(data) {
+- self.display_value["" + self.get("value")] = data[0][1];
++ var value = "";
++ if (data.length > 0 && data[0].length > 1) {
++ value = data[0][1];
++ }
++ self.display_value["" + self.get("value")] = value;
+ self.render_value(true);
+ });
+ }
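Review bot: The added guard handles an empty `name_get` result but still dereferences `data.length` unconditionally, so a `null`/`undefined` resolution would throw in the same place the original did; `if (data && data.length > 0 && data[0].length > 1) {` covers that case too, if the dataset layer can in fact resolve with no array (not visible from this hunk). Falling back to an empty display value also silently hides a record that no longer resolves, so a short comment on the `var value = "";` line explaining that a missing or unreadable name is deliberately rendered blank rather than breaking the form would document the choice. The surrounding done-callback and widget method start before this hunk.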
diff --git a/docs/systems.rst b/docs/systems.rst
index fb2db35..6489a86 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -7,6 +7,7 @@ Systems
systems/infra02
systems/arbitration
systems/blog
+ systems/board
systems/emailout
systems/monitor
diff --git a/docs/systems/board.rst b/docs/systems/board.rst
new file mode 100644
index 0000000..3fdbc3b
--- /dev/null
+++ b/docs/systems/board.rst
@@ -0,0 +1,368 @@
+.. index::
+ single: Systems; Board
+
+=====
+Board
+=====
+
+Purpose
+=======
+
+This systems hosts an OpenERP instance available at board.cacert.org.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: `Gero Treuner`_
+* Secondary: None
+
+.. todo:: find an additional admin
+
+.. _Gero Treuner: gero.treuner@cacert.org
+
+Application Administration
+--------------------------
+
+* OpenERP: `Gero Treuner`_, `Michael Tänzer`_, Treasurer
+
+.. note:: use personalized accounts only
+
+Contact
+-------
+
+* board-admin@cacert.org
+
+Additional People
+-----------------
+
+`Jan Dittberner`_, `Mario Lipinski`_ and `Michael Tänzer`_ have :program:`sudo`
+access on that machine too.
+
+.. _Jan Dittberner: jandd@cacert.org
+.. _Mario Lipinski: mario@cacert.org
+.. _Michael Tänzer: michael.taenzer@cacert.org
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.252`
+:IP Intranet: :ip:v4:`172.16.2.34`
+:IP Internal: :ip:v4:`10.0.0.34`
+:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; <machine>
+
+====================== ======== ============================================
+Name Type Content
+====================== ======== ============================================
+board.cacert.org. IN A 213.154.225.252
+board.cacert.org. IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
+board.cacert.org. IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
+board.intra.cacert.org IN A 172.16.2.34
+====================== ======== ============================================
+
+.. seealso::
+
+ See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.10
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+---------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+=========+=================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+---------+---------------------------------+
+| 25/tcp | smtp | local | mail delivery to local MTA |
++----------+---------+---------+---------------------------------+
+| 80/tcp | http | ANY | Webserver redirecting to HTTPS |
++----------+---------+---------+---------------------------------+
+| 443/tcp | https | ANY | Webserver for OpenERP |
++----------+---------+---------+---------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+---------+---------------------------------+
+| 5432/tcp | pgsql | local | PostgreSQL database for OpenERP |
++----------+---------+---------+---------------------------------+
+| 8069/tcp | xmlrpc | local | OpenERP XML-RPC service |
++----------+---------+---------+---------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: openssh
+ single: Apache
+ single: cron
+ single: PostgreSQL
+ single: OpenERP
+ single: Postfix
+ single: nrpe
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| Apache httpd | Webserver for | init script |
+| | OpenERP | :file:`/etc/init.d/apache2` |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| PostgreSQL | PostgreSQL | init script |
+| | database server | :file:`/etc/init.d/postgresql` |
+| | for OpenERP | |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+| OpenERP server | OpenERP WSGI | init script |
+| | application | :file:`/etc/init.d/openerp` |
++--------------------+--------------------+----------------------------------------+
+
+Databases
+---------
+
++------------+---------+----------+
+| RDBMS | Name | Used for |
++============+=========+==========+
+| PostgreSQL | openerp | OpenERP |
++------------+---------+----------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* HTTP (80/tcp) to nightly.openerp.com
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* crl.cacert.org (rsync) for getting CRLs
+
+Security
+========
+
+SSH host keys
+-------------
+
++-----------+-----------------------------------------------------+
+| Algorithm | Fingerprint |
++===========+=====================================================+
+| RSA | ``c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1`` |
++-----------+-----------------------------------------------------+
+| DSA | ``f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3`` |
++-----------+-----------------------------------------------------+
+| ECDSA | ``0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac`` |
++-----------+-----------------------------------------------------+
+| ED25519 | \- |
++-----------+-----------------------------------------------------+
+
+.. todo:: setup ED25519 host key
+
+.. seealso::
+
+ See :doc:`../sshkeys`
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+:program:`OpenERP` is installed from non-distribution packages from
+http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
+:file:`/etc/apt/sources.lists.d/openerp.list` to avoid accidential updates that
+cause damage to the customization.
+
+Local modifications to OpenERP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
+following line added to the :func:`do_start()` function to make a request to
+the OpenERP daemon that causes that daemon to load its configuration and start
+regular cleanup tasks (like sending scheduled mails):
+
+.. code:: bash
+
+ sleep 1; curl --silent localhost:8069 > /dev/null
+
+Some files have been patched to either fix bugs in the upstream OpenERP code or
+to add customizations for CAcert's needs.
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`
+
+.. literalinclude:: ../patches/openerp/py.js.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`
+
+.. literalinclude:: ../patches/openerp/account.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`
+
+.. literalinclude:: ../patches/openerp/invoice.py.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`
+
+This patch includes a Paypal link in payment reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`
+
+This patch causes OpenERP to include non-overdue but open payments in reminders.
+
+.. literalinclude:: ../patches/openerp/account_followup_print.patch
+ :language: diff
+
+:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`
+
+Fix form display.
+
+.. todo:: check whether the form display issue has been fixed upstream
+
+.. literalinclude:: ../patches/openerp/view_form.js.patch
+ :language: diff
+
+Risk assessments on critical packages
+-------------------------------------
+
+Using a customized OpenERP version that is not updated causes a small risk to
+miss upstream security updates. The risk is mitigated by restricting the access
+to the system to a very small group of users that are authenticated using
+personalized client certificates.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. index::
+ single: Certificate; Board
+
+* :file:`/etc/ssl/certs/board.crt` server certificate
+* :file:`/etc/ssl/private/board.key` server key
+* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+
+.. seealso::
+
+ * :ref:`cert_board_cacert_org` in :doc:`../certlist`
+ * https://wiki.cacert.org/SystemAdministration/CertificateList
+
+Apache configuration files
+--------------------------
+
+* :file:`/etc/apache2/conf.d/openerp-httpd.conf`
+
+ Defines the WSGI setup for OpenERP
+
+* :file:`/etc/apache2/sites-available/default`
+
+ Defines the HTTP to HTTPS redirection
+
+* :file:`/etc/apache2/sites-available/default-ssl`
+
+ Defines the HTTPS and client authentication configuration
+
+* :file:`/var/local/ssl/http_fake_auth.passwd`
+
+ Defines the authorized users based on the DN in their client certificate
+
+CRL update job
+--------------
+
+:file:`/etc/cron.hourly/update-crls`
+
+OpenERP configuration
+---------------------
+
+:file:`/etc/openerp/openerp-server.conf`
+
+This file configures the database that is used by OpenERP and the interface
+that the XML-RPC service binds to.
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: disable unneeded Apache modules
+
+.. todo:: setup IPv6
+
+.. todo:: consider using a centralized PostgreSQL instance
+
+Changes
+=======
+
+System Future
+-------------
+
+.. todo:: system should be updated to Debian 8
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * https://wiki.cacert.org/PostfixConfiguration
+
+References
+----------
+
+OpenERP URL
+ https://board.cacert.org/