Use :wiki: role, streamline structure
[cacert-infradocs.git] / docs / systems / board.rst
.. index::
   single: Systems; Board

=====
Board
=====

Purpose
=======

This system hosts an OpenERP instance available at board.cacert.org.

Application Links
-----------------

OpenERP URL
  https://board.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_gero`
* Secondary: None

.. todo:: find an additional admin

Application Administration
--------------------------

+-------------+--------------------------------------------------+
| Application | Administrator(s)                                 |
+=============+==================================================+
| OpenERP     | :ref:`people_gero`, :ref:`people_neo`, Treasurer |
+-------------+--------------------------------------------------+

.. note:: use personalized accounts only

Contact
-------

* board-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_neo` have
:program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.252`
:IP Intranet: :ip:v4:`172.16.2.34`
:IP Internal: :ip:v4:`10.0.0.34`
:MAC address: :mac:`00:ff:80:a9:e8:4d` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Board

====================== ======== ============================================
Name                   Type     Content
====================== ======== ============================================
board.cacert.org.      IN A     213.154.225.252
board.cacert.org.      IN SSHFP 1 1 F5C02A860A1CC07AEEFBF802540680C7476BDE6E
board.cacert.org.      IN SSHFP 2 1 7B6EEB0CCDFB2E2CFE479E0AECE36FF995FDD1F4
board.intra.cacert.org IN A     172.16.2.34
====================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.10

* Debian GNU/Linux 7.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+---------------------------------+
| Port     | Service | Origin  | Purpose                         |
+==========+=========+=========+=================================+
| 22/tcp   | ssh     | ANY     | admin console access            |
+----------+---------+---------+---------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA      |
+----------+---------+---------+---------------------------------+
| 80/tcp   | http    | ANY     | Webserver redirecting to HTTPS  |
+----------+---------+---------+---------------------------------+
| 443/tcp  | https   | ANY     | Webserver for OpenERP           |
+----------+---------+---------+---------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service       |
+----------+---------+---------+---------------------------------+
| 5432/tcp | pgsql   | local   | PostgreSQL database for OpenERP |
+----------+---------+---------+---------------------------------+
| 8069/tcp | xmlrpc  | local   | OpenERP XML-RPC service         |
+----------+---------+---------+---------------------------------+
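
A table like the one above only stays true if somebody compares it against the
running system now and then. The following drift check is an added example for
this documentation, not part of cacert-infradocs: it parses the output of
``ss -ltn`` (a constructed sample is embedded; it was not captured from board)
and reports ports that are listening but undocumented, documented but not
listening, and ports documented with origin ``local`` that are nevertheless
bound to a non-loopback address. The function names and the ``DOCUMENTED``
mapping are this example's own.

```python
"""Check a host's actual TCP listeners against the documented
"Listening services" table.

Added example for this documentation, not part of cacert-infradocs.
The ``ss`` output below is constructed for the demonstration, not
captured from board.cacert.org.
"""

# Documented listeners: port -> origin, taken from the table above.
DOCUMENTED = {
    22: "ANY",
    25: "local",
    80: "ANY",
    443: "ANY",
    5666: "monitor",
    5432: "local",
    8069: "local",
}

# Constructed sample of ``ss -ltn`` output (TCP listeners).  Two deliberate
# deviations: 8069 is bound to all interfaces although it is documented as
# local-only, and 8071 is not documented at all.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
LISTEN 0 128      [::]:22         [::]:*
LISTEN 0 100 127.0.0.1:25      0.0.0.0:*
LISTEN 0 128   0.0.0.0:80      0.0.0.0:*
LISTEN 0 128   0.0.0.0:443     0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432    0.0.0.0:*
LISTEN 0 5     0.0.0.0:5666    0.0.0.0:*
LISTEN 0 128   0.0.0.0:8069    0.0.0.0:*
LISTEN 0 128   0.0.0.0:8071    0.0.0.0:*
"""

# Addresses that count as "local" for a service documented with origin local.
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_ss_listeners(ss_output: str) -> dict:
    """Map each listening port to the set of local addresses it is bound to.

    Header lines and anything that is not in state LISTEN are skipped.
    """
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; split on the last ':' so that
        # IPv6 literals such as [::]:22 are handled correctly.
        address, port = fields[3].rsplit(":", 1)
        listeners.setdefault(int(port), set()).add(address)
    return listeners


def audit_listeners(ss_output: str, documented: dict) -> dict:
    """Return ports that are undocumented, missing, or bound wider than documented."""
    actual = parse_ss_listeners(ss_output)
    undocumented = sorted(p for p in actual if p not in documented)
    missing = sorted(p for p in documented if p not in actual)
    # Documented as local-only but listening on a non-loopback address.
    exposed = sorted(
        p for p, origin in documented.items()
        if origin == "local" and p in actual and not actual[p] <= LOOPBACK
    )
    return {"undocumented": undocumented, "missing": missing, "exposed": exposed}


if __name__ == "__main__":
    for kind, ports in audit_listeners(SAMPLE_SS_OUTPUT, DOCUMENTED).items():
        print(f"{kind}: {ports or 'none'}")
```

On the host itself, replace ``SAMPLE_SS_OUTPUT`` with the real ``ss -ltn``
output; a non-empty ``exposed`` list is the finding that matters most here,
because the XML-RPC and PostgreSQL ports are documented as local-only and are
not meant to be reachable from outside the container.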

Running services
----------------

.. index::
   single: openssh
   single: Apache
   single: cron
   single: PostgreSQL
   single: OpenERP
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | OpenERP            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| PostgreSQL         | PostgreSQL         | init script                            |
|                    | database server    | :file:`/etc/init.d/postgresql`         |
|                    | for OpenERP        |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| OpenERP server     | OpenERP WSGI       | init script                            |
|                    | application        | :file:`/etc/init.d/openerp`            |
+--------------------+--------------------+----------------------------------------+

Databases
---------

+------------+---------+----------+
| RDBMS      | Name    | Used for |
+============+=========+==========+
| PostgreSQL | openerp | OpenERP  |
+------------+---------+----------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* HTTP (80/tcp) to nightly.openerp.com
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``c7:a0:3f:63:a5:cb:9a:8f:1f:eb:55:63:46:c3:8d:f1`` |
+-----------+-----------------------------------------------------+
| DSA       | ``f6:b7:e5:52:24:27:1e:ea:32:c8:f1:2e:45:f7:24:d3`` |
+-----------+-----------------------------------------------------+
| ECDSA     | ``0f:fc:76:f8:24:99:95:f7:d2:28:59:6e:f0:1e:39:ac`` |
+-----------+-----------------------------------------------------+
| ED25519   | \-                                                  |
+-----------+-----------------------------------------------------+

.. todo:: setup ED25519 host key

.. seealso::

   See :doc:`../sshkeys`
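
The SSHFP records in the DNS table and the MD5 fingerprints in the host key
table above both derive from the same host keys, and both go stale when a key
is regenerated. The following script is an added example for this
documentation, not part of cacert-infradocs or OpenSSH: it computes, from an
OpenSSH public key line, the SSHFP rdata (algorithm number, fingerprint type,
hex digest, as ``ssh-keygen -r`` prints it) and the colon-separated MD5
fingerprint, and checks whether any published SSHFP record was made from that
key. The ``ssh-rsa`` key embedded in it is constructed for the demonstration
and is not board's real host key; the function names are this example's own.

```python
"""Verify SSHFP DNS records and MD5 host-key fingerprints against an
OpenSSH public key.

Added example for this documentation; it is not part of cacert-infradocs
or OpenSSH.  The host key below is constructed for the demonstration and
is not the key of board.cacert.org.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type,
# and SSHFP fingerprint types (1 = SHA-1, 2 = SHA-256).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_rsa_key() -> str:
    """Build a syntactically valid ssh-rsa public key line (constructed, not a real key)."""
    exponent = (65537).to_bytes(3, "big")
    modulus = b"\x00" + bytes(range(1, 65))  # placeholder modulus bytes, no real key
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(exponent) + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"


SAMPLE_KEY = make_sample_rsa_key()


def key_blob(pubkey_line: str):
    """Split an OpenSSH public key line into (key type, decoded key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    return keytype, base64.b64decode(b64)


def sshfp_record(pubkey_line: str, fptype: int = 1) -> str:
    """Return the SSHFP rdata "alg fptype HEX" for the key (what ssh-keygen -r prints)."""
    keytype, blob = key_blob(pubkey_line)
    digest = SSHFP_HASHES[fptype](blob).hexdigest().upper()
    return f"{SSHFP_ALGORITHMS[keytype]} {fptype} {digest}"


def md5_fingerprint(pubkey_line: str) -> str:
    """Colon-separated MD5 fingerprint, the format used in the host key table."""
    _, blob = key_blob(pubkey_line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def sshfp_matches(pubkey_line: str, dns_records) -> bool:
    """True if at least one published SSHFP record was computed from this key."""
    published = set()
    for record in dns_records:
        alg, fptype, digest = record.split()
        published.add((int(alg), int(fptype), digest.upper()))
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return any(
        (alg, fptype, h(blob).hexdigest().upper()) in published
        for fptype, h in SSHFP_HASHES.items()
    )


if __name__ == "__main__":
    print("SSHFP:", sshfp_record(SAMPLE_KEY, 1))
    print("MD5:  ", md5_fingerprint(SAMPLE_KEY))
    print("match:", sshfp_matches(SAMPLE_KEY, [sshfp_record(SAMPLE_KEY, 1)]))
```

To check the real records, pass the contents of
``/etc/ssh/ssh_host_rsa_key.pub`` (and the DSA key) as ``pubkey_line`` and the
rdata lines from ``dig +short SSHFP board.cacert.org`` as ``dns_records``; the
two records in the DNS table are fingerprint type 1 (SHA-1), so a SHA-256 record
for the same key would be published as ``1 2 ...``. The MD5 form is what older
``ssh-keygen -l`` printed; current versions need ``-E md5`` to show it. When the
ED25519 host key from the todo above is created, its fingerprint belongs in the
table and a ``4 ...`` SSHFP record in DNS.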

Non-distribution packages and modifications
-------------------------------------------

:program:`OpenERP` is installed from non-distribution packages from
http://nightly.openerp.com/7.0/nightly/deb/. The package source is disabled in
:file:`/etc/apt/sources.list.d/openerp.list` to avoid accidental updates that
would damage the local customizations.

Local modifications to OpenERP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OpenERP has been modified. The init script :file:`/etc/init.d/openerp` has the
following line added to its :func:`do_start()` function. It sends a request to
the OpenERP daemon, which causes the daemon to load its configuration and start
its regular cleanup tasks (like sending scheduled mails):

.. code:: bash

   sleep 1; curl --silent localhost:8069 > /dev/null

Some files have been patched, either to fix bugs in the upstream OpenERP code
or to add customizations for CAcert's needs.

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/lib/py.js/lib/py.js`

.. literalinclude:: ../patches/openerp/py.js.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/account.py`

.. literalinclude:: ../patches/openerp/account.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account/edi/invoice.py`

.. literalinclude:: ../patches/openerp/invoice.py.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/account_followup.py`

This patch adds a PayPal link to payment reminders.

.. literalinclude:: ../patches/openerp/account_followup_paypal.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/account_followup/report/account_followup_print.py`

This patch causes OpenERP to include open but not yet overdue payments in
reminders.

.. literalinclude:: ../patches/openerp/account_followup_print.patch
   :language: diff

:file:`/usr/lib/python2.7/dist-packages/openerp/addons/web/static/src/js/view_form.js`

Fix form display.

.. todo:: check whether the form display issue has been fixed upstream

.. literalinclude:: ../patches/openerp/view_form.js.patch
   :language: diff

Risk assessments on critical packages
-------------------------------------

Using a customized OpenERP version that is not updated carries a small risk of
missing upstream security updates. The risk is mitigated by restricting access
to the system to a very small group of users who are authenticated using
personalized client certificates.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. index::
   single: Certificate; Board

* :file:`/etc/ssl/certs/board.crt` server certificate
* :file:`/etc/ssl/private/board.key` server key
* :file:`/etc/ssl/certs/cacert.org.pem` CAcert.org Class 1 and Class 3 CA
  certificates (allowed CA certificates for client certificates)

.. seealso::

   * :ref:`cert_board_cacert_org` in :doc:`../certlist`
   * :wiki:`SystemAdministration/CertificateList`

Apache configuration files
--------------------------

* :file:`/etc/apache2/conf.d/openerp-httpd.conf`

  Defines the WSGI setup for OpenERP

* :file:`/etc/apache2/sites-available/default`

  Defines the HTTP to HTTPS redirection

* :file:`/etc/apache2/sites-available/default-ssl`

  Defines the HTTPS and client authentication configuration

* :file:`/var/local/ssl/http_fake_auth.passwd`

  Defines the authorized users based on the DN in their client certificate

CRL update job
--------------

:file:`/etc/cron.hourly/update-crls`

OpenERP configuration
---------------------

:file:`/etc/openerp/openerp-server.conf`

This file configures the database that is used by OpenERP and the interface
that the XML-RPC service binds to.

Tasks
=====

Planned
-------

.. todo:: disable unneeded Apache modules

.. todo:: setup IPv6

.. todo:: consider using a centralized PostgreSQL instance

Changes
=======

System Future
-------------

.. todo:: system should be updated to Debian 8

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Wiki page for this system
  :wiki:`SystemAdministration/Systems/Board`