1491387ba235740fae9437f9a89f9f365f3b3990
[cacert-infradocs.git] / docs / systems / bugs.rst
.. index::
   single: Systems; Bugs

====
Bugs
====

Purpose
=======

This system provides the public bug tracker for the CAcert community.

Application Links
-----------------

Bugtracker
   https://bugs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_neo`
* Secondary: :ref:`people_jandd`
* Secondary: :ref:`people_dirk`

Application Administration
--------------------------

+----------------------+--------------------------------------------+
| Application          | Administrator(s)                           |
+======================+============================================+
| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`,    |
|                      | :ref:`people_dirk`, :ref:`people_jandd`,   |
|                      | :ref:`people_ted`, :ref:`people_philipp`   |
+----------------------+--------------------------------------------+
| Mantis Manager       |                                            |
+----------------------+--------------------------------------------+

Contact
-------

* bugs-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.232`
:IP Intranet: :ip:v4:`172.16.2.16`
:IP Internal: :ip:v4:`10.0.0.16`
:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Bugs

======================== ======== ====================================================================
Name                     Type     Content
======================== ======== ====================================================================
bugs.cacert.org.         IN A     213.154.225.232
bugs.cacert.org.         IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org.         IN SSHFP 1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
bugs.cacert.org.         IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.cacert.org.         IN SSHFP 2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
bugs.cacert.org.         IN SSHFP 3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
bugs.cacert.org.         IN SSHFP 3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
bugs.cacert.org.         IN SSHFP 4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
bugs.cacert.org.         IN SSHFP 4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
bugs.intra.cacert.org.   IN A     172.16.2.16
======================== ======== ====================================================================

The SSHFP algorithm numbers are 1 RSA, 2 DSA, 3 ECDSA and 4 Ed25519; the
fingerprint type is 1 for SHA-1 and 2 for SHA-256. The SHA-256 records are the
same digests as the SHA256 fingerprints listed under Security, in hex instead
of base64.

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

That's it

Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------+
| Port     | Service | Origin  | Purpose                        |
+==========+=========+=========+================================+
| 22/tcp   | ssh     | ANY     | admin console access           |
+----------+---------+---------+--------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA     |
+----------+---------+---------+--------------------------------+
| 80/tcp   | http    | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 443/tcp  | https   | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for bug tracker |
+----------+---------+---------+--------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+----------+---------+---------+--------------------------------+

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: mariadb
   single: nrpe
   single: openssh
   single: postfix
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| Apache httpd       | Webserver for bug  | init script                            |
|                    | tracker            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MariaDB            | MariaDB database   | init script                            |
|                    | server for bug     | :file:`/etc/init.d/mysql`              |
|                    | tracker            |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/rsyslog`            |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; mantis

+---------+--------+--------------------+
| RDBMS   | Name   | Used for           |
+=========+========+====================+
| MariaDB | mantis | Mantis bug tracker |
+---------+--------+--------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* HTTP (80/tcp) to :doc:`git`

Security
========

.. sshkeys::
   :RSA: SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
   :DSA: SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
   :ECDSA: SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
   :ED25519: SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07

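The SSHFP records in the DNS section and the host key fingerprints above describe
the same four keys in two encodings, and they drift apart silently when a host
key is rotated in one place only. The following script, added here as an
illustration and not part of the CAcert infrastructure tooling, cross-checks the
two tables offline (a type-2 SSHFP digest is the SHA-256 that ``ssh-keygen -l``
prints as unpadded base64) and also shows how SSHFP records are derived from an
OpenSSH public key line, using a constructed all-zero Ed25519 key as input. The
algorithm and fingerprint-type numbers are those of RFC 4255, RFC 6594 and
RFC 7479; the record values are copied from this page.

```python
"""Cross-check the SSHFP records published for bugs.cacert.org against the
ssh-keygen fingerprints documented in the Security section.

Added illustration for this page; not part of the CAcert infrastructure
tooling.  Record values are copied from the tables above.  Assumptions:
SSHFP algorithm numbers follow RFC 4255 (1 RSA, 2 DSA), RFC 6594 (3 ECDSA)
and RFC 7479 (4 Ed25519); fingerprint type 1 is SHA-1 and 2 is SHA-256 over
the raw public key blob; ssh-keygen -l prints that SHA-256 as unpadded base64.
"""
import base64
import hashlib

# (algorithm, fingerprint type) -> hex digest, as published in the DNS table.
SSHFP_RECORDS = {
    (1, 1): "4B4BC32C4E655559B43A370B77CAD4983E8C24F8",
    (1, 2): "51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a",
    (2, 1): "7916E317983D8BC85D719BB793E5E46A6B4976B2",
    (2, 2): "7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892",
    (3, 1): "72737bd1240b446c2b8e0aad0acff889e3b72ec7",
    (3, 2): "152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44",
    (4, 1): "bb6b5f8599c3a93383392b80cc029a0d65ffc7f1",
    (4, 2): "caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15",
}

# ssh-keygen -l fingerprints, as listed in the Security section.
SSHKEYS_SHA256 = {
    "RSA": "SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo",
    "DSA": "SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI",
    "ECDSA": "SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ",
    "ED25519": "SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU",
}

SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
}
ALGORITHM_NAME = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}


def sshfp_to_openssh(hex_sha256):
    """Render a type-2 SSHFP digest the way 'ssh-keygen -l' prints it."""
    raw = bytes.fromhex(hex_sha256)
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")


def sshfp_from_pubkey_line(line):
    """SSHFP (algorithm, fptype, hexdigest) tuples for one OpenSSH public key
    line, i.e. what 'ssh-keygen -r host -f key.pub' prints."""
    keytype, blob_b64 = line.split()[:2]
    algorithm = SSHFP_ALGORITHM[keytype]
    blob = base64.b64decode(blob_b64)
    return [(algorithm, fptype, fn(blob).hexdigest()) for fptype, fn in DIGEST.items()]


def cross_check(records=SSHFP_RECORDS, fingerprints=SSHKEYS_SHA256):
    """{algorithm name: bool} for every SHA-256 SSHFP record.  False means DNS
    and the documented host key disagree, which is exactly what a client
    using VerifyHostKeyDNS would trip over."""
    result = {}
    for (algorithm, fptype), hexdigest in records.items():
        if fptype == 2:
            name = ALGORITHM_NAME[algorithm]
            result[name] = sshfp_to_openssh(hexdigest) == fingerprints.get(name)
    return result


# Constructed Ed25519 public key line (all-zero key material, not a real key):
# OpenSSH wire format is string("ssh-ed25519") followed by the 32-byte key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode("ascii") + " constructed"

if __name__ == "__main__":
    for name, ok in sorted(cross_check().items()):
        print(f"{name:8} {'matches' if ok else 'MISMATCH'}")
    for algorithm, fptype, hexdigest in sshfp_from_pubkey_line(SAMPLE_ED25519_LINE):
        print(f"bugs.cacert.org. IN SSHFP {algorithm} {fptype} {hexdigest}")
```

On the host itself the authoritative records come from
``ssh-keygen -r bugs.cacert.org -f /etc/ssh/ssh_host_ed25519_key.pub`` (one
call per host key); run it after every key rotation and compare with the zone,
because a stale SSHFP record is worse than none. Two caveats for clients: OpenSSH
only accepts SSHFP records without a prompt (``VerifyHostKeyDNS yes``) when the
DNS answer is DNSSEC-validated, and the DSA record (algorithm 2) is of little use
to current clients, which no longer offer ssh-dss by default.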
Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

.. index::
   pair: non-distribution package; Mantis

* Mantis installed in :file:`/srv/mantis` (linked to :file:`/srv/mantisbt-2.4.2`)
* custom built `certificate authentication`-plugin by :ref:`people_dirk`:
  https://github.com/dastrath/CertificateAuthentication_Mantis
* For client certificate authentication a Class 3 client certificate issued by
  CAcert is needed; the first e-mail address in the certificate has to match
  the e-mail address of the account.

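The rule above (Class 3 certificate, first e-mail address must match the
account) is short to state but has two traps in practice: mod_ssl's default DN
string lists RDNs in reverse certificate order, so the "first" address is the
last ``emailAddress`` in that string, and a match on a later address must not be
accepted. The following Python, added here as an illustration and not the code
of the plugin linked above, performs the check for both mod_ssl DN string formats.
The trusted issuer DN string, the account table and the sample requests are
constructed for the example.

```python
"""Map a presented client certificate to a Mantis account by its first e-mail
address, the rule stated above for the certificate authentication plugin.

Added illustration for this page; it is not the code of the
CertificateAuthentication_Mantis plugin.  Assumptions: the check runs behind
Apache mod_ssl with client verification enabled and sees the mod_ssl variables
SSL_CLIENT_VERIFY, SSL_CLIENT_I_DN and SSL_CLIENT_S_DN; DN strings are either
the RFC 2253 form mod_ssl emits by default (comma separated, RDNs in reverse
certificate order, specials escaped with a backslash) or the legacy slash form.
The issuer DN string and the account table are constructed sample data.
"""

# Constructed: the only issuer accepted for login (Class 3 only, as the page requires).
TRUSTED_ISSUER = "CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc."

# Constructed sample Mantis account table: lower-cased e-mail -> username.
ACCOUNTS = {"alice@example.org": "alice", "bob@example.org": "bob"}


def parse_dn(dn):
    """Return the DN's (attribute, value) pairs in certificate (ASN.1) order.

    The legacy mod_ssl form '/C=../CN=..' is already in certificate order but
    is ambiguous for values containing '/', one reason to prefer the default
    RFC 2253 form 'CN=..,O=..,C=..', which lists RDNs last-to-first and is
    therefore reversed after splitting on unescaped commas.  Multi-valued
    RDNs ('+') are not split and quoted values are not handled, since mod_ssl
    emits neither.
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
        return [tuple(p.split("=", 1)) for p in parts if "=" in p]
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [tuple(p.split("=", 1)) for p in reversed(parts) if "=" in p]


def first_email(dn):
    """The first emailAddress in certificate order, or None if there is none."""
    for attr, value in parse_dn(dn):
        if attr.lower() == "emailaddress":
            return value
    return None


def account_for(env, accounts=ACCOUNTS, trusted_issuer=TRUSTED_ISSUER):
    """Return the username the certificate may log in as, or None.

    Refuses unless mod_ssl verified the chain, the issuer is the trusted
    Class 3 root, and the FIRST e-mail address in the certificate is a known
    account address; a later address that happens to match does not count.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    if env.get("SSL_CLIENT_I_DN") != trusted_issuer:
        return None
    email = first_email(env.get("SSL_CLIENT_S_DN", ""))
    if email is None:
        return None
    return accounts.get(email.strip().lower())


# Constructed sample requests, shaped like the environment mod_ssl populates.
SAMPLE_REQUESTS = {
    # RFC 2253 form; certificate order is CN, alice@example.org, alice@alt.example.
    "rfc2253-ok": {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_I_DN": TRUSTED_ISSUER,
        "SSL_CLIENT_S_DN": "emailAddress=alice@alt.example,emailAddress=alice@example.org,CN=Alice Example",
    },
    # Legacy slash form of the same certificate.
    "legacy-ok": {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_I_DN": TRUSTED_ISSUER,
        "SSL_CLIENT_S_DN": "/CN=Alice Example/emailAddress=alice@example.org/emailAddress=alice@alt.example",
    },
    # Only the second address is a known account: refused.
    "second-email-only": {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_I_DN": TRUSTED_ISSUER,
        "SSL_CLIENT_S_DN": "/CN=Mallory/emailAddress=nobody@example.net/emailAddress=bob@example.org",
    },
    # No verified certificate: refused regardless of what the DN says.
    "unverified": {
        "SSL_CLIENT_VERIFY": "NONE",
        "SSL_CLIENT_I_DN": TRUSTED_ISSUER,
        "SSL_CLIENT_S_DN": "/CN=Bob/emailAddress=bob@example.org",
    },
    # Chain verified, but issued by some other CA: refused.
    "wrong-issuer": {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_I_DN": "CN=Some Other CA,O=Example",
        "SSL_CLIENT_S_DN": "/CN=Bob/emailAddress=bob@example.org",
    },
}

if __name__ == "__main__":
    for label, env in SAMPLE_REQUESTS.items():
        print(f"{label:18} -> {account_for(env)}")
```

Comparing the issuer DN string is only a second line of defence. The primary
control is the Apache side: list nothing but the CAcert Class 3 chain in
``SSLCACertificateFile`` so a certificate from any other CA never reaches
``SSL_CLIENT_VERIFY=SUCCESS``, and keep the CRL fetched from crl.cacert.org (see
Outbound network connections) wired into ``SSLCARevocationFile`` with
``SSLCARevocationCheck`` enabled, otherwise a revoked certificate still logs in.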
.. _mantis: https://www.mantisbt.org/

Risk assessments on critical packages
-------------------------------------

Mantis is a PHP web application and shares the vulnerability classes common to
that stack. The system has to be kept up to date with OS patches, and the
custom built Mantis installation has to be updated whenever a new release is
published upstream.

Administrators for this system should subscribe to the
mantisbt-announce@lists.sourceforge.net list to get notified when updates are
released.

The system uses third party packages with a good security track record and
regular updates. Apart from the web server and ssh, access to the system is
tightly restricted, so the remaining attack surface is small. The Puppet agent
is not exposed for access from outside the system.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`bugs` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: bugs.cacert.org
   :altnames: DNS:bugs.cacert.org
   :certfile: /etc/ssl/public/bugs.c.o.crt
   :keyfile: /etc/ssl/private/bugs.c.o.key
   :serial: 02BEFD
   :expiration: Mar 03 13:08:19 2020 GMT
   :sha1fp: DB:16:71:13:60:38:AD:21:A7:36:CA:5A:D2:65:75:4D:C5:3C:C8:15
   :issuer: CAcert Class 3 Root

.. index::
   pair: Mantis; configuration

Mantis configuration
--------------------

The Mantis bug tracker configuration is stored in the directory
:file:`/etc/mantis/`.

* :file:`config_inc.php` contains the database settings for Mantis
* :file:`config_local.php` is the main configuration file, including the
  custom bug states
* :file:`custom_constants_inc.php` defines custom constants, required for the
  non-default bug states
* :file:`custom_strings_inc.php` defines custom string definitions, required
  for the non-default bug states

.. note::

   Localisation for these could go here but currently I would avoid that so all
   developers have the same vocabulary.

   -- :ref:`people_neo` 2011-07-04 02:44:45

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
changed to add some additional headers to improve client security:

.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
   :language: diff

The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
configured in :file:`/etc/apache2/sites-available/mantis` (shared
configuration), which includes configuration from the package provided
:file:`/etc/apache2/conf.d/mantis` file,
:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).

.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: rsyslog; configuration

Rsyslog configuration
---------------------

Rsyslog has been configured not to read the kernel log (the ``imklog`` module
is no longer loaded):

.. code-block:: diff

   --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
   +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
   @@ -9,7 +9,7 @@
    #################
    
    $ModLoad imuxsock # provides support for local system logging
   -$ModLoad imklog # provides kernel logging support
   +#$ModLoad imklog # provides kernel logging support
    #$ModLoad immark # provides --MARK-- message capability
    
    # provides UDP syslog reception
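
Review bot: commenting out the ``$ModLoad imklog`` line is the right way to stop rsyslog from reading the kernel log inside this LXC container (the kernel ring buffer is infra02's, not the guest's), but the consequence deserves a sentence next to the hunk: kernel-originated messages concerning this guest, netfilter LOG output for instance, never appear in its syslog and have to be collected on the host. The file headers also look inverted, with the modified ``bugs/etc/rsyslog.conf`` dated 2015-03-03 and the ``orig`` copy 2015-12-14, so the diff was taken against a package default newer than the deployed file; regenerating it against the current package copy would make this literal diff reproducible.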

The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
add an additional logging socket in the Postfix chroot.


Tasks
=====

Planned
-------

.. todo:: setup IPv6

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Mantis Bugtracker documentation
   https://www.mantisbt.org/documentation.php
Apache httpd documentation
   https://httpd.apache.org/docs/2.4/