Improve system documentation
[cacert-infradocs.git] / docs / systems / board.rst
.. index::
   single: Systems; Board

=====
Board
=====

Purpose
=======

This system hosts an OpenERP instance available at board.cacert.org.

Application Links
-----------------

OpenERP URL
   https://board.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_gero`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+--------------------------------------------------+
| Application | Administrator(s)                                 |
+=============+==================================================+
| OpenERP     | :ref:`people_gero`, :ref:`people_neo`, Treasurer |
+-------------+--------------------------------------------------+

.. note:: use personalized accounts only

Contact
-------

* board-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd` and :ref:`people_mario` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.252`
:IP Intranet: :ip:v4:`172.16.2.34`
:IP Internal: :ip:v4:`10.0.0.34`
:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Board

Monitoring
----------

:internal checks: :monitor:`board.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Board

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
board.cacert.org.      IN A     213.154.225.252
board.cacert.org.      IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
board.cacert.org.      IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
board.intra.cacert.org IN A     172.16.2.34
====================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+---------------------------------+
| Port     | Service | Origin  | Purpose                         |
+==========+=========+=========+=================================+
| 22/tcp   | ssh     | ANY     | admin console access            |
+----------+---------+---------+---------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA      |
+----------+---------+---------+---------------------------------+
| 80/tcp   | http    | ANY     | Webserver redirecting to HTTPS  |
+----------+---------+---------+---------------------------------+
| 443/tcp  | https   | ANY     | Webserver for OpenERP           |
+----------+---------+---------+---------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service       |
+----------+---------+---------+---------------------------------+
| 5432/tcp | pgsql   | local   | PostgreSQL database for OpenERP |
+----------+---------+---------+---------------------------------+
| 8069/tcp | xmlrpc  | local   | OpenERP XML-RPC service         |
+----------+---------+---------+---------------------------------+

Running services
----------------

.. index::
   single: openssh
   single: Apache
   single: cron
   single: PostgreSQL
   single: OpenERP
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | OpenERP            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for OpenERP        |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| OpenERP server     | OpenERP WSGI       | init script                            |
|                    | application        | :file:`/etc/init.d/openerp`            |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+------------+---------+----------+
| RDBMS      | Name    | Used for |
+============+=========+==========+
| PostgreSQL | openerp | OpenERP  |
+------------+---------+----------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) to nightly.openerp.com
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. sshkeys::
   :RSA: SHA256:j20Xl83ZK90nYXuIxOMJTcQH75rBcAWIfRnzoPs1qr4 MD5:c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
   :DSA: SHA256:If2oWICT8sA7I+n0kyr+e6oTKa4oKaDFs/kSOQu3UwU MD5:f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
   :ECDSA: SHA256:bAsIi9uHC2lm5HSho3EtdltumBmNPUvHIcFJo0UXj7A MD5:0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac

.. todo:: setup ED25519 host key (needs update to Jessie)

Non-distribution packages and modifications
-------------------------------------------

:program:`OpenERP` is installed from non-distribution packages from
http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
:file:`/etc/apt/sources.list.d/openerp.list` to avoid accidental updates that
would damage the local customizations.

.. todo:: update to Odoo (OpenERP successor)

Local modifications to OpenERP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
following line added to the :func:`do_start()` function; it makes a request to
the OpenERP daemon, which causes the daemon to load its configuration and start
its regular cleanup tasks (such as sending scheduled mails):

.. code:: bash

   sleep 1; curl --silent localhost:8069 > /dev/null

Some files have been patched to either fix bugs in the upstream OpenERP code or
to add customizations for CAcert's needs.

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`

.. literalinclude:: ../patches/openerp/py.js.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`

.. literalinclude:: ../patches/openerp/account.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`

.. literalinclude:: ../patches/openerp/invoice.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`

This patch includes a PayPal link in payment reminders.

.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`

This patch causes OpenERP to include non-overdue but open payments in reminders.

.. literalinclude:: ../patches/openerp/account_followup_print.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`

Fix form display.

.. todo:: check whether the form display issue has been fixed upstream

.. literalinclude:: ../patches/openerp/view_form.js.patch
   :language: diff

Risk assessments on critical packages
-------------------------------------

Using a customized OpenERP version that is not updated carries a small risk of
missing upstream security updates. The risk is mitigated by restricting access
to the system to a very small group of users who are authenticated using
personalized client certificates.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: board.cacert.org
   :altnames: DNS:board.cacert.org
   :certfile: /etc/ssl/certs/board.crt
   :keyfile: /etc/ssl/private/board.key
   :serial: 1381F6
   :expiration: Mar 16 10:53:47 2020 GMT
   :sha1fp: 3B:BF:06:89:BC:79:3F:FD:B7:CB:02:FD:97:82:26:C4:0E:6A:F8:DB
   :issuer: CA Cert Signing Authority

* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
  certificates (allowed CA certificates for client certificates)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/conf.d/openerp-httpd.conf`

  Defines the WSGI setup for OpenERP

* :file:`/etc/apache2/sites-available/default`

  Defines the HTTP to HTTPS redirection

* :file:`/etc/apache2/sites-available/default-ssl`

  Defines the HTTPS and client authentication configuration

* :file:`/var/local/ssl/http_fake_auth.passwd`

  Defines the authorized users based on the DN in their client certificate

327 Defines the authorized users based on the DN in their client certificate
328
329 .. index::
330 single: cron; CRL
331 single: CRL
332
333 CRL update job
334 --------------
335
336 :file:`/etc/cron.hourly/update-crls`
337
338 .. index::
339 pair: OpenERP; configuration
340
341 OpenERP configuration
342 ---------------------
343
344 :file:`/etc/openerp/openerp-server.conf`
345
346 This file configures the database that is used by OpenERP and the interface
347 that the XML-RPC service binds to.
348
349 Tasks
350 =====
351
352 .. todo:: add a section documenting how to add/remove openerp users
353
354 Changes
355 =======
356
357 Planned
358 -------
359
360 .. todo:: switch to Puppet management
361 .. todo:: replace nrpe with icinga2 agent
362 .. todo:: disable unneeded Apache modules
363 .. todo:: setup IPv6
364 .. todo:: update to Debian 8/9/10
365
366 System Future
367 -------------
368
369 * No plans
370
371 Additional documentation
372 ========================
373
374 .. seealso::
375
376 * :wiki:`PostfixConfiguration`
377
378 References
379 ----------
380
381 OpenERP 7.0 documentation
382 https://doc.odoo.com/