updated status to latest mantis release
1 .. index::
2 single: Systems; Bugs
3
4 ====
5 Bugs
6 ====
7
8 Purpose
9 =======
10
11 This system provides the public bug tracker for the CAcert community.
12
13 .. note:: There currently seems to be a problem with users signing up for new
14 accounts themselves. Unless this is fixed by Debian, new accounts must be
15 created by administrators. For more details ask the `support mailing list
16 <mailto:cacert-support@lists.cacert.org>`_.
17
18 Application Links
19 -----------------
20
21 Bugtracker
22 https://bugs.cacert.org/
23
24 Administration
25 ==============
26
27 System Administration
28 ---------------------
29
30 * Primary: :ref:`people_neo`
31 * Secondary: :ref:`people_jandd`
32 * Secondary: :ref:`people_dirk`
33
34 Application Administration
35 --------------------------
36
37 +----------------------+--------------------------------------------+
38 | Application | Administrator(s) |
39 +======================+============================================+
40 | Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`, |
41 | | :ref:`people_dirk`, :ref:`people_jandd`, |
42 | | :ref:`people_ted`, :ref:`people_philipp` |
43 +----------------------+--------------------------------------------+
44 | Mantis Manager | |
45 +----------------------+--------------------------------------------+
46
47 Contact
48 -------
49
50 * bugs-admin@cacert.org
51
52 Additional People
53 -----------------
54
55 :ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
56 machine too.
57
58 Basics
59 ======
60
61 Physical Location
62 -----------------
63
64 This system is located in an :term:`LXC` container on physical machine
65 :doc:`infra02`.
66
67 Logical Location
68 ----------------
69
70 :IP Internet: :ip:v4:`213.154.225.232`
71 :IP Intranet: :ip:v4:`172.16.2.16`
72 :IP Internal: :ip:v4:`10.0.0.16`
73 :MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)
74
75 .. seealso::
76
77 See :doc:`../network`
78
79 DNS
80 ---
81
82 .. index::
83 single: DNS records; Bugs
84
85 ======================== ======== ============================================
86 Name Type Content
87 ======================== ======== ============================================
88 bugs.cacert.org. IN A 213.154.225.232
89 bugs.cacert.org. IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
90 bugs.cacert.org. IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
91 bugs.intra.cacert.org. IN A 172.16.2.16
92 ======================== ======== ============================================
93
94 .. seealso::
95
96 See :wiki:`SystemAdministration/Procedures/DNSChanges`
97
98 Operating System
99 ----------------
100
101 .. index::
102 single: Debian GNU/Linux; Jessie
103 single: Debian GNU/Linux; 8.8
104
105 * Debian GNU/Linux 8.8
106
107 Applicable Documentation
108 ------------------------
109
110 This is it :-)
111
112 Services
113 ========
114
115 Listening services
116 ------------------
117
118 +----------+---------+---------+--------------------------------+
119 | Port | Service | Origin | Purpose |
120 +==========+=========+=========+================================+
121 | 22/tcp | ssh | ANY | admin console access |
122 +----------+---------+---------+--------------------------------+
123 | 25/tcp | smtp | local | mail delivery to local MTA |
124 +----------+---------+---------+--------------------------------+
125 | 80/tcp | http | ANY | web server for bug tracker |
126 +----------+---------+---------+--------------------------------+
127 | 443/tcp | https | ANY | web server for bug tracker |
128 +----------+---------+---------+--------------------------------+
129 | 5666/tcp | nrpe | monitor | remote monitoring service |
130 +----------+---------+---------+--------------------------------+
131 | 3306/tcp | mysql | local | MySQL database for bug tracker |
132 +----------+---------+---------+--------------------------------+
133
134 Running services
135 ----------------
136
137 .. index::
138 single: Apache
139 single: MySQL
140 single: Postfix
141 single: cron
142 single: nrpe
143 single: openssh
144 single: rsyslog
145
146 +--------------------+--------------------+----------------------------------------+
147 | Service | Usage | Start mechanism |
148 +====================+====================+========================================+
149 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
150 | | remote | |
151 | | administration | |
152 +--------------------+--------------------+----------------------------------------+
153 | Apache httpd | Webserver for bug | init script |
154 | | tracker | :file:`/etc/init.d/apache2` |
155 +--------------------+--------------------+----------------------------------------+
156 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
157 +--------------------+--------------------+----------------------------------------+
158 | rsyslog | syslog daemon | init script |
159 | | | :file:`/etc/init.d/syslog` |
160 +--------------------+--------------------+----------------------------------------+
161 | MySQL | MySQL database | init script |
162 | | server for bug | :file:`/etc/init.d/mysql` |
163 | | tracker | |
164 +--------------------+--------------------+----------------------------------------+
165 | Postfix | SMTP server for | init script |
166 | | local mail | :file:`/etc/init.d/postfix` |
167 | | submission | |
168 +--------------------+--------------------+----------------------------------------+
169 | Nagios NRPE server | remote monitoring | init script |
170 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
171 | | :doc:`monitor` | |
172 +--------------------+--------------------+----------------------------------------+
173
174 Databases
175 ---------
176
177 .. index::
178 pair: MySQL database; mantis
179
180 +-------+--------+--------------------+
181 | RDBMS | Name | Used for |
182 +=======+========+====================+
183 | MySQL | mantis | Mantis bug tracker |
184 +-------+--------+--------------------+
185
186 Connected Systems
187 -----------------
188
189 * :doc:`monitor`
190
191 Outbound network connections
192 ----------------------------
193
194 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
195 * :doc:`emailout` as SMTP relay
196 * ftp.nl.debian.org as Debian mirror
197 * security.debian.org for Debian security updates
198 * crl.cacert.org (rsync) for getting CRLs
199 * HTTP (80/tcp) to :doc:`git`
200
201 Security
202 ========
203
204 .. sshkeys::
205 :RSA: 59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
206 :DSA: 17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
207 :ECDSA: a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
208
209 Non-distribution packages and modifications
210 -------------------------------------------
211
212 .. index::
213 pair: non-distribution package; Mantis
214
215 * custom built `certificate authentication`-plugin by :ref:`people_dirk` https://github.com/dastrath/CertificateAuthentication_Mantis (not yet active)
216 * Mantis installed in /srv/mantis (linked to /srv/mantisbt-2.4.0)
217
218 .. _mantis: https://www.mantisbt.org/
219
220 Risk assessments on critical packages
221 -------------------------------------
222
223 As a PHP application, Mantis is exposed to the common PHP security problems.
224 The system has to be kept up to date with OS patches. The custom-built Mantis
225 package has to be updated when new releases are provided upstream.
226
227 Administrators for this system should subscribe to the
228 mantisbt-announce@lists.sourceforge.net list to get notified when updates are
229 released.
230
231 Critical Configuration items
232 ============================
233
234 Keys and X.509 certificates
235 ---------------------------
236
237 .. sslcert:: bugs.cacert.org
238 :certfile: /etc/ssl/public/bugs.c.o.20160314.crt
239 :keyfile: /etc/ssl/private/bugs.c.o.20160314.key
240 :serial: 028A72
241 :expiration: Mar 14 13:12:13 2018 GMT
242 :sha1fp: 4D:1F:14:B2:BB:C8:59:68:D0:CF:86:36:DA:2F:B2:58:A7:90:E5:85
243 :issuer: CAcert.org Class 3 Root
244
245 * :file:`/etc/ssl/public/bugs.c.o.20160314.crt.chain` contains the server
246 certificate and the Class 3 CA certificate
247
248 * :file:`/etc/mantis/config_inc.php` contains the database settings for Mantis
249
250 .. index::
251 pair: Mantis; configuration
252
253 Mantis configuration
254 --------------------
255
256 The Mantis bug tracker configuration is stored in the directory
257 :file:`/etc/mantis/`.
258
259 * :file:`config_local.php` the main configuration file, including custom bug states
260 * :file:`custom_constants_inc.php` defines custom constants. Required for the
261 non-default bug states
262 * :file:`custom_strings_inc.php` defines custom string definitions. Required
263 for the non-default bug states
264
265 .. note::
266
267 Localisation for these could go here but currently I would avoid that so all
268 developers have the same vocabulary.
269
270 -- :ref:`people_neo` 2011-07-04 02:44:45
271
272 .. index::
273 pair: Apache httpd; configuration
274
275 Apache httpd configuration
276 --------------------------
277
278 The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
279 changed to add some additional headers to improve client security:
280
281 .. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
282 :language: diff
283
284 The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
285 configured in :file:`/etc/apache2/sites-available/mantis` (shared
286 configuration) that includes configuration from the mantis package provided
287 :file:`/etc/apache2/conf.d/mantis` file,
288 :file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
289 :file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).
290
291 .. index::
292 pair: MySQL; configuration
293
294 MySQL configuration
295 -------------------
296
297 MySQL configuration is stored in the :file:`/etc/mysql/` directory.
298
299 .. index::
300 pair: rsyslog; configuration
301
302 Rsyslog configuration
303 ---------------------
304
305 Rsyslog has been configured to disable draining the kernel log:
306
307 .. code-block:: diff
308
309 --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
310 +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
311 @@ -9,7 +9,7 @@
312 #################
313
314 $ModLoad imuxsock # provides support for local system logging
315 -$ModLoad imklog # provides kernel logging support
316 +#$ModLoad imklog # provides kernel logging support
317 #$ModLoad immark # provides --MARK-- message capability
318
319 # provides UDP syslog reception
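
Review bot: the commented-out ``$ModLoad imklog`` line has no accompanying reason, so a later merge of the distribution's rsyslog.conf could re-enable it unnoticed; add a one-line comment above it stating why kernel logging is off on this host (the page places the system in an LXC container). With imklog unloaded, kernel messages no longer reach this system's syslog, so the comment should also say where they are collected instead. The header timestamps show the orig file (2015-12-14) as newer than the modified one (2015-03-03), so the diff is worth regenerating against the current file.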
320
321 The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
322 add an additional logging socket in the Postfix chroot.
323
324
325 Tasks
326 =====
327
328 Planned
329 -------
330
331 .. todo:: set up IPv6
332 .. todo:: activate X.509 authentication if possible :bug:`678`
333
334 Changes
335 =======
336
337 System Future
338 -------------
339
340 * No plans
341
342 Additional documentation
343 ========================
344
345 .. seealso::
346
347 * :wiki:`PostfixConfiguration`
348
349 References
350 ----------
351
352 Mantis Bugtracker documentation
353 https://www.mantisbt.org/documentation.php
354 Apache httpd documentation
355 https://httpd.apache.org/docs/2.4/