1b85bfd07d3bfd6c350c189563b4e2a7c84ba621
[cacert-infradocs.git] / docs / systems / bugs.rst
.. index::
   single: Systems; Bugs

====
Bugs
====

Purpose
=======

This system provides the public bug tracker for the CAcert community.

Application Links
-----------------

Bugtracker
   https://bugs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: :ref:`people_dirk`

Application Administration
--------------------------

+----------------------+--------------------------------------------+
| Application          | Administrator(s)                           |
+======================+============================================+
| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`,    |
|                      | :ref:`people_dirk`, :ref:`people_jandd`,   |
|                      | :ref:`people_ted`, :ref:`people_philipp`   |
+----------------------+--------------------------------------------+
| Mantis Manager       |                                            |
+----------------------+--------------------------------------------+

Contact
-------

* bugs-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_wytze` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.232`
:IP Intranet: :ip:v4:`172.16.2.16`
:IP Internal: :ip:v4:`10.0.0.16`
:IPv6: :ip:v6:`2001:7b8:616:162:2::16`
:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)

.. seealso::

   See :doc:`../network`

Monitoring
----------

:internal checks: :monitor:`bugs.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Bugs

======================== ======== ====================================================================
Name                     Type     Content
======================== ======== ====================================================================
bugs.cacert.org.         IN A     213.154.225.232
bugs.cacert.org.         IN AAAA  2001:7b8:616:162:2::16
bugs.cacert.org.         IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org.         IN SSHFP 1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
bugs.cacert.org.         IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.cacert.org.         IN SSHFP 2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
bugs.cacert.org.         IN SSHFP 3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
bugs.cacert.org.         IN SSHFP 3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
bugs.cacert.org.         IN SSHFP 4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
bugs.cacert.org.         IN SSHFP 4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
bugs.intra.cacert.org.   IN A     172.16.2.16
======================== ======== ====================================================================

The SSHFP records cover all four host key types (algorithm 1 RSA, 2 DSA,
3 ECDSA, 4 Ed25519) with both SHA-1 (fingerprint type 1) and SHA-256
(fingerprint type 2) digests. SSH clients only trust them when the zone is
DNSSEC-signed and ``VerifyHostKeyDNS`` is enabled on the client side.

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.9

* Debian GNU/Linux 9.9

Applicable Documentation
------------------------

That's it

Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------+
| Port     | Service | Origin  | Purpose                        |
+==========+=========+=========+================================+
| 22/tcp   | ssh     | ANY     | admin console access           |
+----------+---------+---------+--------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA     |
+----------+---------+---------+--------------------------------+
| 80/tcp   | http    | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 443/tcp  | https   | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for bug tracker |
+----------+---------+---------+--------------------------------+
| 5665/tcp | icinga2 | monitor | remote monitoring service      |
+----------+---------+---------+--------------------------------+
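
A table like the one above drifts from reality as soon as somebody installs a
package that starts a daemon. The following script is an added example (not
part of the infradocs project) that turns the table into a check: it parses
the output of iproute2's ``ss -H -tln`` and reports sockets that are not
documented, documented services that are not listening, and services that
are documented as ``local`` but bound to a non-loopback address. The
``DOCUMENTED`` mapping is the table; the ``ss`` output in
``SAMPLE_SS_OUTPUT`` is constructed for illustration and was not captured on
this host.

```python
"""Compare the documented listening services with what ``ss`` reports.

Added example for this page, not code from the infradocs project. It
expects the output format of iproute2's ``ss -H -tln``; the sample
output below is constructed for illustration and was not captured on
bugs.cacert.org.
"""
import subprocess

# The "Listening services" table above, as (port, protocol) -> origin.
DOCUMENTED = {
    (22, "tcp"): "ANY",
    (25, "tcp"): "local",
    (80, "tcp"): "ANY",
    (443, "tcp"): "ANY",
    (3306, "tcp"): "local",
    (5665, "tcp"): "monitor",
}

# Bind addresses that only accept connections from the host itself.
LOOPBACK = {"127.0.0.1", "::1"}


def parse_ss(output):
    """Turn ``ss -H -tln`` lines into a set of (port, proto, bound_to_loopback)."""
    listening = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # fields[3] is "Local Address:Port", e.g. "0.0.0.0:22" or "[::]:80".
        addr, _, port = fields[3].rpartition(":")
        listening.add((int(port), "tcp", addr.strip("[]") in LOOPBACK))
    return listening


def audit(listening, documented=DOCUMENTED):
    """Return a list of findings; an empty list means the table is accurate."""
    findings = []
    seen = set()
    for port, proto, on_loopback in listening:
        seen.add((port, proto))
        origin = documented.get((port, proto))
        if origin is None:
            findings.append(f"undocumented listener on {port}/{proto}")
        elif origin == "local" and not on_loopback:
            findings.append(
                f"{port}/{proto} documented as local but bound to a non-loopback address")
    for port, proto in sorted(documented.keys() - seen):
        findings.append(f"documented {port}/{proto} is not listening")
    return findings


def live_listeners():
    """Run ``ss`` on the current host (requires iproute2)."""
    out = subprocess.run(["ss", "-H", "-tln"], check=True,
                         capture_output=True, text=True).stdout
    return parse_ss(out)


# Constructed sample: MySQL wrongly bound to all interfaces, plus an
# undocumented listener on 8125.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:443 *:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 *:5665 *:*
LISTEN 0 128 127.0.0.1:8125 0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit(live_listeners()):
        print(finding)
```

Run it as root on the container; ``audit(parse_ss(SAMPLE_SS_OUTPUT))``
shows what the two failure modes look like. The ``local`` origin is the one
worth automating: a MariaDB that is reachable on ``0.0.0.0`` is still
filtered by the network, but the table would no longer describe the real
exposure.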

Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: dbus
   single: icinga2
   single: mariadb
   single: openssh
   single: postfix
   single: puppet agent
   single: rsyslog

+----------------+--------------------------+----------------------------------+
| Service        | Usage                    | Start mechanism                  |
+================+==========================+==================================+
| Apache httpd   | Webserver for bug        | systemd unit ``apache2.service`` |
|                | tracker                  |                                  |
+----------------+--------------------------+----------------------------------+
| cron           | job scheduler            | systemd unit ``cron.service``    |
+----------------+--------------------------+----------------------------------+
| dbus-daemon    | System message bus       | systemd unit ``dbus.service``    |
|                | daemon                   |                                  |
+----------------+--------------------------+----------------------------------+
| icinga2        | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
+----------------+--------------------------+----------------------------------+
| MariaDB        | MariaDB database         | systemd unit ``mariadb.service`` |
|                | server for bug           |                                  |
|                | tracker                  |                                  |
+----------------+--------------------------+----------------------------------+
| openssh server | ssh daemon for           | systemd unit ``ssh.service``     |
|                | remote                   |                                  |
|                | administration           |                                  |
+----------------+--------------------------+----------------------------------+
| Postfix        | SMTP server for          | systemd unit ``postfix.service`` |
|                | local mail               |                                  |
|                | submission               |                                  |
+----------------+--------------------------+----------------------------------+
| Puppet agent   | configuration            | systemd unit ``puppet.service``  |
|                | management agent         |                                  |
+----------------+--------------------------+----------------------------------+
| rsyslog        | syslog daemon            | systemd unit ``rsyslog.service`` |
+----------------+--------------------------+----------------------------------+

Databases
---------

.. index::
   pair: MySQL database; mantis

+---------+--------+--------------------+
| RDBMS   | Name   | Used for           |
+=========+========+====================+
| MariaDB | mantis | Mantis bug tracker |
+---------+--------+--------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* HTTP (80/tcp) to :doc:`git`

Security
========

.. sshkeys::
   :RSA: SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
   :DSA: SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
   :ECDSA: SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
   :ED25519: SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07

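The host key fingerprints above and the SSHFP records in the DNS section are
two encodings of the same SHA-256 digests: the SSHFP type-2 content is the
hex digest of the raw public key blob, and the ``SHA256:`` form that
:program:`ssh` prints is the same digest in unpadded base64. The script below
is an added example, not code from the infradocs project or from OpenSSH; it
reproduces what ``ssh-keygen -r`` computes so that the two sections of this
page can be checked against each other and against the keys in
:file:`/etc/ssh/ssh_host_*_key.pub` on the host. The ``ssh-ed25519`` line
returned by ``demo_key_line()`` is built from dummy bytes and is not a
CAcert key.

```python
"""Cross-check SSHFP records and OpenSSH host key fingerprints.

Added example for this page, not code from the infradocs project.
``ssh-keygen -r`` builds SSHFP rdata by hashing the base64-decoded public
key blob; the functions below do the same, so the DNS table and the
``sshkeys`` block above can be checked against each other and against a
host's real keys (/etc/ssh/ssh_host_*_key.pub). The ed25519 key line
produced by demo_key_line() is constructed from dummy bytes and is not a
CAcert key.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line):
    """Return (key type, raw key blob) for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    return key_type, base64.b64decode(b64)


def sshfp_rdata(pubkey_line, fptype=2):
    """Build the SSHFP rdata "<alg> <fptype> <hex digest>" for one key."""
    key_type, blob = key_blob(pubkey_line)
    digest = SSHFP_HASH[fptype](blob).hexdigest()
    return f"{SSHFP_ALGORITHM[key_type]} {fptype} {digest}"


def sshfp_hex_to_openssh(hex_sha256):
    """Convert an SSHFP type-2 digest to the SHA256: form that ssh prints."""
    raw = bytes.fromhex(hex_sha256)
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")


def openssh_fingerprint(pubkey_line):
    """OpenSSH's default fingerprint display: SHA-256 digest, unpadded base64."""
    _, blob = key_blob(pubkey_line)
    return sshfp_hex_to_openssh(hashlib.sha256(blob).hexdigest())


def check_page_consistency(sshfp_records, sshkeys):
    """Return the algorithm numbers whose type-2 SSHFP digest disagrees
    with the SHA256 fingerprint listed for that algorithm."""
    mismatches = []
    for alg, fptype, digest in sshfp_records:
        if fptype == 2 and sshfp_hex_to_openssh(digest) != sshkeys[alg]:
            mismatches.append(alg)
    return mismatches


# Type-2 SSHFP records and SHA256 fingerprints copied from this page.
PAGE_SSHFP = [
    (1, 2, "51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a"),
    (2, 2, "7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892"),
    (3, 2, "152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44"),
    (4, 2, "caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15"),
]
PAGE_SSHKEYS = {
    1: "SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo",
    2: "SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI",
    3: "SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ",
    4: "SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU",
}


def demo_key_line():
    """Constructed ssh-ed25519 public key line (dummy key material)."""
    kt = b"ssh-ed25519"
    pk = bytes(range(32))  # placeholder, not a real public key
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(pk)) + pk
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


if __name__ == "__main__":
    print("mismatching algorithms:", check_page_consistency(PAGE_SSHFP, PAGE_SSHKEYS))
    print(sshfp_rdata(demo_key_line(), 1))
    print(sshfp_rdata(demo_key_line(), 2))
    print(openssh_fingerprint(demo_key_line()))
```

``check_page_consistency(PAGE_SSHFP, PAGE_SSHKEYS)`` returns an empty list
for the values on this page. To compare against the host itself, feed each
:file:`/etc/ssh/ssh_host_*_key.pub` line to ``sshfp_rdata`` and diff the
result against the zone; a mismatch after a reinstall means the DNS change
procedure from the seealso above was skipped.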
Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

.. index::
   pair: non-distribution package; Mantis

* Mantis is installed in :file:`/srv/mantis`, a symlink to
  :file:`/srv/mantisbt-2.4.2`, i.e. an upstream release rather than the Debian
  package
* custom-built certificate authentication plugin for Mantis by
  :ref:`people_dirk`:
  https://github.com/dastrath/CertificateAuthentication_Mantis
* client certificate authentication requires a Class 3 client certificate
  issued by CAcert; the first email address in the certificate has to match
  the email address of the Mantis account

.. _mantis: https://www.mantisbt.org/

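The rule in the last bullet is the whole trust decision of certificate
login, so it is worth being precise about it. The following is an added
example that sketches the check; it is not the code of the
CertificateAuthentication_Mantis plugin and makes no claim about how that
plugin implements it. It works on the per-request variables
:program:`mod_ssl` exports to the application (``SSL_CLIENT_VERIFY``,
``SSL_CLIENT_I_DN_CN``, ``SSL_CLIENT_S_DN_Email``,
``SSL_CLIENT_SAN_Email_n``). Two assumptions are made explicit in the code:
"first email address" is taken to mean the subject ``emailAddress`` followed
by subjectAltName entries in index order, and the issuer CN is assumed to be
the one the certificate section of this page lists for the Class 3 root. The
sample environment is constructed.

```python
"""Map a verified CAcert client certificate to a Mantis account.

Added example sketching the rule stated above ("first email address in
the certificate has to match the account"); it is not the code of the
CertificateAuthentication_Mantis plugin. Input is the per-request
environment mod_ssl exports to the application (SSL_CLIENT_VERIFY,
SSL_CLIENT_I_DN_CN, SSL_CLIENT_S_DN_Email, SSL_CLIENT_SAN_Email_n).
Assumptions: the "first" address is the subject emailAddress, followed by
subjectAltName entries in order; the issuer CN is the one shown in the
certificate section of this page. The sample environment is constructed.
"""
import re

# Issuer CN as listed for the server certificate on this page (assumption:
# client certificates from the same CA show the same CN in SSL_CLIENT_I_DN_CN).
EXPECTED_ISSUER_CN = "CAcert Class 3 Root"

_SAN_MAIL = re.compile(r"SSL_CLIENT_SAN_Email_(\d+)")


def certificate_emails(env):
    """Email addresses in the client certificate: subject emailAddress first,
    then rfc822Name subjectAltName entries in index order."""
    emails = []
    if env.get("SSL_CLIENT_S_DN_Email"):
        emails.append(env["SSL_CLIENT_S_DN_Email"])
    san = []
    for name, value in env.items():
        m = _SAN_MAIL.fullmatch(name)
        if m:
            san.append((int(m.group(1)), value))
    emails.extend(value for _, value in sorted(san))
    return emails


def normalise(addr):
    """Case-insensitive comparison: Mantis stores the address as the user
    typed it and the CA issues on the address as entered, so exact-case
    matching would lock out legitimate users."""
    return addr.strip().lower()


def authorise(env, account_email):
    """Return (ok, reason). Every failure is a hard deny: with
    ``SSLVerifyClient optional`` Apache serves the page even when the
    handshake carried no certificate or an unverifiable one, so the
    application has to check SSL_CLIENT_VERIFY itself."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "no verified client certificate in this request"
    if env.get("SSL_CLIENT_I_DN_CN") != EXPECTED_ISSUER_CN:
        return False, "certificate was not issued by the CAcert Class 3 CA"
    emails = certificate_emails(env)
    if not emails:
        return False, "certificate carries no email address"
    if normalise(emails[0]) != normalise(account_email):
        return False, f"first certificate address {emails[0]} does not match the account"
    return True, "ok"


# Constructed mod_ssl environment for a Class 3 client certificate.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN_CN": "CAcert Class 3 Root",
    "SSL_CLIENT_S_DN_CN": "Jane Doe",
    "SSL_CLIENT_S_DN_Email": "Jane.Doe@example.org",
    "SSL_CLIENT_SAN_Email_0": "jane.doe@example.org",
    "SSL_CLIENT_SAN_Email_1": "jane@example.net",
}

if __name__ == "__main__":
    print(authorise(SAMPLE_ENV, "jane.doe@example.org"))
    print(authorise(SAMPLE_ENV, "jane@example.net"))
    print(authorise(dict(SAMPLE_ENV, SSL_CLIENT_VERIFY="NONE"), "jane.doe@example.org"))
```

The issuer check matters because the Apache ``SSLCACertificateFile`` for a
vhost typically contains the whole CAcert chain: without it, a Class 1
certificate (whose email addresses are not tied to an assured identity)
would pass the handshake and reach the email comparison.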
Risk assessments on critical packages
-------------------------------------

Mantis is a PHP web application and shares the typical weaknesses of that
class of software, so the security of this system depends on timely updates.
The operating system has to be kept up to date with Debian security patches,
and the Mantis tree installed outside the package system in
:file:`/srv/mantis` has to be upgraded by hand when new releases are published
upstream.

Administrators for this system should subscribe to the
mantisbt-announce@lists.sourceforge.net list to get notified when updates are
released.

The remaining third party packages come from Debian or the Puppet repository,
have a good security track record and receive regular updates. Apart from ssh
and the web server, which are reachable from anywhere, no service accepts
connections from outside: MariaDB and the local MTA only listen for local
connections, icinga2 is only reachable from :doc:`monitor`, and the Puppet
agent only makes outbound connections to the Puppet master.

Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`bugs` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: bugs.cacert.org
   :altnames: DNS:bugs.cacert.org
   :certfile: /etc/ssl/public/bugs.c.o.crt
   :keyfile: /etc/ssl/private/bugs.c.o.key
   :serial: 02BEFD
   :expiration: Mar 03 13:08:19 2020 GMT
   :sha1fp: DB:16:71:13:60:38:AD:21:A7:36:CA:5A:D2:65:75:4D:C5:3C:C8:15
   :issuer: CAcert Class 3 Root

.. index::
   pair: Mantis; configuration

Mantis configuration
--------------------

The Mantis bug tracker configuration is stored in the directory
:file:`/etc/mantis/`.

* :file:`config_inc.php` contains the database settings for Mantis
* :file:`config_local.php` is the main configuration file, including the
  custom bug states
* :file:`custom_constants_inc.php` defines custom constants, required for the
  non-default bug states
* :file:`custom_strings_inc.php` defines custom string definitions, required
  for the non-default bug states

.. note::

   Localisation for these could go here but currently I would avoid that so all
   developers have the same vocabulary.

   -- :ref:`people_neo` 2011-07-04 02:44:45

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
changed to add some additional HTTP response headers that improve client-side
security:

.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
   :language: diff

The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
configured in :file:`/etc/apache2/sites-available/mantis` (shared
configuration), which includes the :file:`/etc/apache2/conf.d/mantis` file
provided by the Mantis package,
:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).

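Whatever headers the diff adds, the useful question after the next Apache or
Mantis upgrade is whether they are still being sent. The script below is an
added example, not the project's code and not the contents of
:file:`bugs-apache-config.diff`, which this page does not reproduce. Since the
page does not list the headers, the expected set (``Strict-Transport-Security``,
``X-Content-Type-Options``, ``X-Frame-Options``, ``Content-Security-Policy``,
``Referrer-Policy``) and the 180-day HSTS minimum are assumptions about what
"headers to improve client security" usually covers; the two sample header
sets are constructed and show a default Debian Apache response next to a
hardened one.

```python
"""Audit the HTTPS response headers of the bug tracker.

Added example for this page, not the project's own code and not the
contents of bugs-apache-config.diff, which is not reproduced here. The
page does not list the headers that were added, so the expected set
(HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy,
Referrer-Policy) and the 180-day HSTS minimum are assumptions about what
"headers to improve client security" usually means. The two sample
header sets are constructed.
"""
import http.client
import re

HSTS_MIN_AGE = 180 * 24 * 3600  # assumption: 180 days, a common scanner threshold


def _hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "no max-age directive"
    if int(m.group(1)) < HSTS_MIN_AGE:
        return "max-age below 180 days"
    return None


def _nosniff(value):
    return None if value.strip().lower() == "nosniff" else "expected nosniff"


def _frame(value):
    return None if value.strip().upper() in {"DENY", "SAMEORIGIN"} else "expected DENY or SAMEORIGIN"


def _csp(value):
    return None if "default-src" in value.lower() else "no default-src directive"


def _referrer(value):
    return "unsafe-url leaks full URLs" if value.strip().lower() == "unsafe-url" else None


# header name (lower case) -> validator returning a problem string or None
CHECKS = {
    "strict-transport-security": _hsts,
    "x-content-type-options": _nosniff,
    "x-frame-options": _frame,
    "content-security-policy": _csp,
    "referrer-policy": _referrer,
}


def audit_headers(headers):
    """``headers`` is an iterable of (name, value) pairs as returned by
    HTTPResponse.getheaders(). Returns a list of findings."""
    present = {}
    for name, value in headers:
        present.setdefault(name.lower(), []).append(value)
    findings = []
    for name, check in CHECKS.items():
        if name not in present:
            findings.append(f"missing {name}")
            continue
        for value in present[name]:
            problem = check(value)
            if problem:
                findings.append(f"{name}: {problem}")
    # Version strings in banners hand an attacker the CVE list to try.
    for name in ("server", "x-powered-by"):
        for value in present.get(name, []):
            if re.search(r"\d", value):
                findings.append(f"{name} header leaks a version: {value}")
    return findings


def fetch_headers(host, path="/"):
    """HEAD request over TLS; returns the (name, value) header list."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return conn.getresponse().getheaders()


# Constructed: a default Debian Apache response versus a hardened one.
WEAK_HEADERS = [
    ("Date", "Mon, 01 Jul 2019 10:00:00 GMT"),
    ("Server", "Apache/2.4.25 (Debian)"),
    ("Strict-Transport-Security", "max-age=600"),
    ("Content-Type", "text/html; charset=UTF-8"),
]
HARDENED_HEADERS = [
    ("Date", "Mon, 01 Jul 2019 10:00:00 GMT"),
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Referrer-Policy", "same-origin"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

if __name__ == "__main__":
    for finding in audit_headers(fetch_headers("bugs.cacert.org")):
        print(finding)
```

``audit_headers(HARDENED_HEADERS)`` returns nothing; ``WEAK_HEADERS``
produces one finding per missing header plus the short HSTS lifetime and the
version in the ``Server`` banner. The ``Server`` check is the one that tends
to regress silently, because ``ServerTokens`` lives in
:file:`conf-enabled/security.conf` and is reset by a package upgrade that
replaces that file.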
.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: rsyslog; configuration

Rsyslog configuration
---------------------

Rsyslog has been configured not to read the kernel log (the ``imklog`` module
is no longer loaded):

.. code-block:: diff

   --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
   +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
   @@ -9,7 +9,7 @@
    #################
    
    $ModLoad imuxsock # provides support for local system logging
   -$ModLoad imklog # provides kernel logging support
   +#$ModLoad imklog # provides kernel logging support
    #$ModLoad immark # provides --MARK-- message capability
    
    # provides UDP syslog reception
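
Review bot: the hunk records what changed but not why. The system runs inside an LXC container (see Physical Location), where the kernel ring buffer belongs to the host and ``imklog`` has nothing of its own to read, so a one-line comment next to the disabled ``$ModLoad imklog`` stating that would stop a later admin from re-enabling it after a package upgrade. Also note the header timestamps: the modified file (``+++ bugs/etc/rsyslog.conf``, 2015-03-03) is older than the reference copy (``--- orig/etc/rsyslog.conf``, 2015-12-14), so the diff was taken against a packaged default newer than the one the change was made on; it should be regenerated after the next rsyslog upgrade so the context lines still match.
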

The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
add an additional logging socket in the Postfix chroot.


Tasks
=====

.. todo:: upgrade to Debian 10 (when Puppet is available)

Planned
-------

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Mantis Bugtracker documentation
   https://www.mantisbt.org/documentation.php
Apache httpd documentation
   https://httpd.apache.org/docs/2.4/