summaryrefslogtreecommitdiff
path: root/docs/systems/board.rst
blob: eace2020cfbda035e10684dea1c8ffa9e0192f47 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
.. index::
   single: Systems; Board

=====
Board
=====

Purpose
=======

This systems hosts an OpenERP instance available at board.cacert.org.

Administration
==============

System Administration
---------------------

* Primary: `Gero Treuner`_
* Secondary: None

.. todo:: find an additional admin

.. _Gero Treuner: gero.treuner@cacert.org

Application Administration
--------------------------

* OpenERP: `Gero Treuner`_, `Michael Tänzer`_, Treasurer

.. note:: use personalized accounts only

Contact
-------

* board-admin@cacert.org

Additional People
-----------------

`Jan Dittberner`_, `Mario Lipinski`_ and `Michael Tänzer`_ have :program:`sudo`
access on that machine too.

.. _Jan Dittberner: jandd@cacert.org
.. _Mario Lipinski: mario@cacert.org
.. _Michael Tänzer: michael.taenzer@cacert.org

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.252`
:IP Intranet: :ip:v4:`172.16.2.34`
:IP Internal: :ip:v4:`10.0.0.34`
:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Board

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
board.cacert.org.      IN A     213.154.225.252
board.cacert.org.      IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
board.cacert.org.      IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
board.intra.cacert.org IN A     172.16.2.34
====================== ======== ============================================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.10

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+---------------------------------+
| Port     | Service | Origin  | Purpose                         |
+==========+=========+=========+=================================+
| 22/tcp   | ssh     | ANY     | admin console access            |
+----------+---------+---------+---------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA      |
+----------+---------+---------+---------------------------------+
| 80/tcp   | http    | ANY     | Webserver redirecting to HTTPS  |
+----------+---------+---------+---------------------------------+
| 443/tcp  | https   | ANY     | Webserver for OpenERP           |
+----------+---------+---------+---------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service       |
+----------+---------+---------+---------------------------------+
| 5432/tcp | pgsql   | local   | PostgreSQL database for OpenERP |
+----------+---------+---------+---------------------------------+
| 8069/tcp | xmlrpc  | local   | OpenERP XML-RPC service         |
+----------+---------+---------+---------------------------------+

Running services
----------------

.. index::
   single: openssh
   single: Apache
   single: cron
   single: PostgreSQL
   single: OpenERP
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | OpenERP            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for OpenERP        |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| OpenERP server     | OpenERP WSGI       | init script                            |
|                    | application        | :file:`/etc/init.d/openerp`            |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+------------+---------+----------+
| RDBMS      | Name    | Used for |
+============+=========+==========+
| PostgreSQL | openerp | OpenERP  |
+------------+---------+----------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) to nightly.openerp.com
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1`` |
+-----------+-----------------------------------------------------+
| DSA       | ``f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac`` |
+-----------+-----------------------------------------------------+
| ED25519   | \-                                                  |
+-----------+-----------------------------------------------------+

.. todo:: setup ED25519 host key

.. seealso::

   See :doc:`../sshkeys`

Non-distribution packages and modifications
-------------------------------------------

:program:`OpenERP` is installed from non-distribution packages from
http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
:file:`/etc/apt/sources.lists.d/openerp.list` to avoid accidential updates that
cause damage to the customization.

Local modifications to OpenERP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
following line added to the :func:`do_start()` function to make a request to
the OpenERP daemon that causes that daemon to load its configuration and start
regular cleanup tasks (like sending scheduled mails):

.. code:: bash

   sleep 1; curl --silent localhost:8069 > /dev/null

Some files have been patched to either fix bugs in the upstream OpenERP code or
to add customizations for CAcert's needs.

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`

.. literalinclude:: ../patches/openerp/py.js.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`

.. literalinclude:: ../patches/openerp/account.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`

.. literalinclude:: ../patches/openerp/invoice.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`

This patch includes a Paypal link in payment reminders.

.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`

This patch causes OpenERP to include non-overdue but open payments in reminders.

.. literalinclude:: ../patches/openerp/account_followup_print.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`

Fix form display.

.. todo:: check whether the form display issue has been fixed upstream

.. literalinclude:: ../patches/openerp/view_form.js.patch
   :language: diff

Risk assessments on critical packages
-------------------------------------

Using a customized OpenERP version that is not updated causes a small risk to
miss upstream security updates. The risk is mitigated by restricting the access
to the system to a very small group of users that are authenticated using
personalized client certificates.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. index::
   single: Certificate; Board

* :file:`/etc/ssl/certs/board.crt` server certificate
* :file:`/etc/ssl/private/board.key` server key
* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
  certificates (allowed CA certificates for client certificates)

.. seealso::

   * :ref:`cert_board_cacert_org` in :doc:`../certlist`
   * https://wiki.cacert.org/SystemAdministration/CertificateList

Apache configuration files
--------------------------

* :file:`/etc/apache2/conf.d/openerp-httpd.conf`

  Defines the WSGI setup for OpenERP

* :file:`/etc/apache2/sites-available/default`

  Defines the HTTP to HTTPS redirection

* :file:`/etc/apache2/sites-available/default-ssl`

  Defines the HTTPS and client authentication configuration

* :file:`/var/local/ssl/http_fake_auth.passwd`

  Defines the authorized users based on the DN in their client certificate

CRL update job
--------------

:file:`/etc/cron.hourly/update-crls`

OpenERP configuration
---------------------

:file:`/etc/openerp/openerp-server.conf`

This file configures the database that is used by OpenERP and the interface
that the XML-RPC service binds to.

Tasks
=====

Planned
-------

.. todo:: disable unneeded Apache modules

.. todo:: setup IPv6

.. todo:: consider using a centralized PostgreSQL instance

Changes
=======

System Future
-------------

.. todo:: system should be updated to Debian 8

Additional documentation
========================

.. seealso::

   * https://wiki.cacert.org/PostfixConfiguration

References
----------

OpenERP URL
   https://board.cacert.org/