6a5a3036f636639f1cc90d9413c815f3b50616de
[cacert-infradocs.git] / docs / systems / board.rst
.. index::
   single: Systems; Board

=====
Board
=====

Purpose
=======

This system hosts an OpenERP instance available at board.cacert.org.

Application Links
-----------------

OpenERP URL
   https://board.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_gero`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+--------------------------------------------------+
| Application | Administrator(s)                                 |
+=============+==================================================+
| OpenERP     | :ref:`people_gero`, :ref:`people_neo`, Treasurer |
+-------------+--------------------------------------------------+

.. note:: use personalized accounts only

Contact
-------

* board-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_neo` have
:program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.252`
:IP Intranet: :ip:v4:`172.16.2.34`
:IP Internal: :ip:v4:`10.0.0.34`
:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Board

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
board.cacert.org.      IN A     213.154.225.252
board.cacert.org.      IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
board.cacert.org.      IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
board.intra.cacert.org IN A     172.16.2.34
====================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+---------------------------------+
| Port     | Service | Origin  | Purpose                         |
+==========+=========+=========+=================================+
| 22/tcp   | ssh     | ANY     | admin console access            |
+----------+---------+---------+---------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA      |
+----------+---------+---------+---------------------------------+
| 80/tcp   | http    | ANY     | Webserver redirecting to HTTPS  |
+----------+---------+---------+---------------------------------+
| 443/tcp  | https   | ANY     | Webserver for OpenERP           |
+----------+---------+---------+---------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service       |
+----------+---------+---------+---------------------------------+
| 5432/tcp | pgsql   | local   | PostgreSQL database for OpenERP |
+----------+---------+---------+---------------------------------+
| 8069/tcp | xmlrpc  | local   | OpenERP XML-RPC service         |
+----------+---------+---------+---------------------------------+

Running services
----------------

.. index::
   single: openssh
   single: Apache
   single: cron
   single: PostgreSQL
   single: OpenERP
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | OpenERP            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for OpenERP        |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| OpenERP server     | OpenERP WSGI       | init script                            |
|                    | application        | :file:`/etc/init.d/openerp`            |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+------------+---------+----------+
| RDBMS      | Name    | Used for |
+============+=========+==========+
| PostgreSQL | openerp | OpenERP  |
+------------+---------+----------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) to nightly.openerp.com
* DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. sshkeys::
   :RSA: c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1
   :DSA: f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3
   :ECDSA: 0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac

.. todo:: setup ED25519 host key

Non-distribution packages and modifications
-------------------------------------------

:program:`OpenERP` is installed from non-distribution packages from
http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
:file:`/etc/apt/sources.list.d/openerp.list` to avoid accidental updates that
would damage the local customizations.

Local modifications to OpenERP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
following line added to the :func:`do_start()` function. It makes a request to
the OpenERP daemon, which causes the daemon to load its configuration and start
its regular scheduled tasks (like sending scheduled mails):

.. code:: bash

   # give the daemon a moment to bind 8069/tcp, then wake it with one request
   sleep 1; curl --silent localhost:8069 > /dev/null

Some files have been patched to either fix bugs in the upstream OpenERP code or
to add customizations for CAcert's needs.

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`

.. literalinclude:: ../patches/openerp/py.js.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`

.. literalinclude:: ../patches/openerp/account.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`

.. literalinclude:: ../patches/openerp/invoice.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`

This patch includes a Paypal link in payment reminders.

.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`

This patch causes OpenERP to include non-overdue but open payments in reminders.

.. literalinclude:: ../patches/openerp/account_followup_print.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`

This patch fixes the form display.

.. todo:: check whether the form display issue has been fixed upstream

.. literalinclude:: ../patches/openerp/view_form.js.patch
   :language: diff

Risk assessments on critical packages
-------------------------------------

Using a customized OpenERP version that is not updated causes a small risk of
missing upstream security updates. The risk is mitigated by restricting access
to the system to a very small group of users who are authenticated using
personalized client certificates.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: board.cacert.org
   :certfile: /etc/ssl/certs/board.crt
   :keyfile: /etc/ssl/private/board.key
   :serial: 11e839
   :expiration: Mar 31 16:47:11 2018 GMT
   :sha1fp: 2C:AC:8C:F8:D6:4A:9E:1D:B0:35:B8:E4:5E:24:B1:43:E3:69:98:46
   :issuer: CAcert.org Class 1 Root CA

* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
  certificates (allowed CA certificates for client certificates)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/conf.d/openerp-httpd.conf`

  Defines the WSGI setup for OpenERP

* :file:`/etc/apache2/sites-available/default`

  Defines the HTTP to HTTPS redirection

* :file:`/etc/apache2/sites-available/default-ssl`

  Defines the HTTPS and client authentication configuration

* :file:`/var/local/ssl/http_fake_auth.passwd`

  Defines the authorized users based on the DN in their client certificate

.. index::
   single: cron; CRL
   single: CRL

CRL update job
--------------

:file:`/etc/cron.hourly/update-crls`

.. index::
   pair: OpenERP; configuration

OpenERP configuration
---------------------

:file:`/etc/openerp/openerp-server.conf`

This file configures the database that is used by OpenERP and the interface
that the XML-RPC service binds to.

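Because the listening-services table expects 8069/tcp to be reachable from local processes only, the two settings named above are worth checking mechanically. The following audit script is an added example and not CAcert's own tooling; the option names are the OpenERP 7.0 server options, and the weak and hardened configurations it contains are constructed for illustration.

```python
"""Audit /etc/openerp/openerp-server.conf for the items this page calls
critical: the XML-RPC bind interface and the database OpenERP uses.  Added
example, not CAcert's tooling; option names are OpenERP 7.0 server options."""
import configparser
import io

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed: the loose settings a default installation leaves behind.
WEAK_CONF = """
[options]
admin_passwd = admin
db_host = False
db_name = False
xmlrpc_interface =
xmlrpc_port = 8069
list_db = True
"""

# Constructed: what the listening-services table implies, 8069/tcp reachable
# from local processes only (Apache proxies it) and a single fixed database.
HARDENED_CONF = """
[options]
admin_passwd = <long-random-master-password>
db_host = 127.0.0.1
db_name = openerp
dbfilter = ^openerp$
xmlrpc_interface = 127.0.0.1
xmlrpc_port = 8069
list_db = False
"""


def audit_openerp_conf(text):
    """Return a list of findings; an empty list means the file looks sane."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    opt = cp["options"]
    findings = []
    iface = opt.get("xmlrpc_interface", "").strip()
    if iface not in LOOPBACK:
        findings.append("xmlrpc_interface=%r binds 8069/tcp on all interfaces" % iface)
    if opt.get("admin_passwd", "admin") == "admin":
        findings.append("admin_passwd is the default 'admin' (database manager)")
    if opt.get("db_name", "False") == "False" and not opt.get("dbfilter"):
        findings.append("no db_name or dbfilter: every database is selectable")
    if opt.getboolean("list_db", fallback=True):
        findings.append("list_db=True: database names can be enumerated")
    return findings
```
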
Tasks
=====

Planned
-------

.. todo:: disable unneeded Apache modules

.. todo:: setup IPv6

.. todo:: consider using a centralized PostgreSQL instance

Changes
=======

System Future
-------------

.. todo:: system should be updated to Debian 8

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

OpenERP 7.0 documentation
   https://doc.odoo.com/