54e9db720b41586e2d4eec1d962b8e1d4d2c25c4
[cacert-infradocs.git] / docs / systems / bugs.rst
.. index::
   single: Systems; Bugs

====
Bugs
====

Purpose
=======

This system provides the public bug tracker for the CAcert community.

Application Links
-----------------

Bugtracker
   https://bugs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_neo`
* Secondary: :ref:`people_jandd`
* Secondary: :ref:`people_dirk`

Application Administration
--------------------------

+----------------------+--------------------------------------------+
| Application          | Administrator(s)                           |
+======================+============================================+
| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`,    |
|                      | :ref:`people_dirk`, :ref:`people_jandd`,   |
|                      | :ref:`people_ted`, :ref:`people_philipp`   |
+----------------------+--------------------------------------------+
| Mantis Manager       |                                            |
+----------------------+--------------------------------------------+

Contact
-------

* bugs-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.232`
:IP Intranet: :ip:v4:`172.16.2.16`
:IP Internal: :ip:v4:`10.0.0.16`
:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Bugs

======================== ======== ============================================
Name                     Type     Content
======================== ======== ============================================
bugs.cacert.org.         IN A     213.154.225.232
bugs.cacert.org.         IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org.         IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.intra.cacert.org.   IN A     172.16.2.16
======================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.8

* Debian GNU/Linux 8.8

Applicable Documentation
------------------------

That's it

Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------+
| Port     | Service | Origin  | Purpose                        |
+==========+=========+=========+================================+
| 22/tcp   | ssh     | ANY     | admin console access           |
+----------+---------+---------+--------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA     |
+----------+---------+---------+--------------------------------+
| 80/tcp   | http    | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 443/tcp  | https   | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+----------+---------+---------+--------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for bug tracker |
+----------+---------+---------+--------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for bug  | init script                            |
|                    | tracker            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for bug     | :file:`/etc/init.d/mysql`              |
|                    | tracker            |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; mantis

+-------+--------+--------------------+
| RDBMS | Name   | Used for           |
+=======+========+====================+
| MySQL | mantis | Mantis bug tracker |
+-------+--------+--------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs
* HTTP (80/tcp) to :doc:`git`

Security
========

.. sshkeys::
   :RSA: 59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
   :DSA: 17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
   :ECDSA: a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
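
Added example (not part of the CAcert infradocs) that ties the SSHFP records in the DNS table to the fingerprints listed in this section: it derives both the SSHFP record content and the colon-separated MD5 fingerprint from a host public key, and checks a key against a set of SSHFP records as an admin would before trusting a host key. The host name ``bugs.example.test``, the key blob and the record list are constructed placeholders, not this host's real key or DNS data.

```python
import base64
import hashlib

# Algorithm and fingerprint-type numbers from RFC 4255 and RFC 6594.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                   "ssh-ed25519": 4}
SSHFP_FPTYPE = {1: "sha1", 2: "sha256"}

# Constructed sample data (not this host's real key or records): "YWJj" is
# base64 for b"abc" and stands in for a key blob; the record list imitates
# the answer to a DNS query for SSHFP records.
SAMPLE_KEY_LINE = "bugs.example.test ssh-rsa YWJj"
SAMPLE_DNS_RECORDS = [
    "1 1 A9993E364706816ABA3E25717850C26C9CD0D89D",  # matches the sample key
    "2 1 0000000000000000000000000000000000000000",  # stale DSA record
]

def parse_key_line(line):
    """Split a known_hosts / ssh-keyscan style line into (keytype, key bytes)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    return fields[1], base64.b64decode(fields[2], validate=True)

def sshfp_rdata(keytype, keyblob, fptype=1):
    """SSHFP record content ('<alg> <fptype> <HEX>') for a raw key blob."""
    digest = hashlib.new(SSHFP_FPTYPE[fptype], keyblob).hexdigest().upper()
    return f"{SSHFP_ALGORITHM[keytype]} {fptype} {digest}"

def md5_fingerprint(keyblob):
    """Legacy OpenSSH MD5 fingerprint, the form used in the sshkeys block."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(keyblob).digest())

def verify_sshfp(key_line, dns_records):
    """Return the published SSHFP records that match the key (any fingerprint
    type); an empty set means DNS does not vouch for this key."""
    keytype, blob = parse_key_line(key_line)
    computed = {sshfp_rdata(keytype, blob, t) for t in SSHFP_FPTYPE}
    return computed & set(dns_records)

if __name__ == "__main__":
    keytype, blob = parse_key_line(SAMPLE_KEY_LINE)
    print("MD5  ", md5_fingerprint(blob))
    print("SSHFP", sshfp_rdata(keytype, blob, 1))
    print("match", verify_sshfp(SAMPLE_KEY_LINE, SAMPLE_DNS_RECORDS))
```

The DNS table above publishes fingerprint type 1 (SHA-1); RFC 6594 added type 2 (SHA-256), which ``sshfp_rdata`` also produces so both forms can be published and compared.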
203
204 Non-distribution packages and modifications
205 -------------------------------------------
206
207 .. index::
208 pair: non-distribution package; Mantis
209
* Mantis installed in :file:`/srv/mantis` (linked to :file:`/srv/mantisbt-2.4.2`)
* custom-built certificate authentication plugin by :ref:`people_dirk`:
  https://github.com/dastrath/CertificateAuthentication_Mantis
* client certificate authentication requires a Class 3 client certificate
  issued by CAcert; the first email address in the certificate has to match
  the email address of the Mantis account
213
214 .. _mantis: https://www.mantisbt.org/
215
216 Risk assessments on critical packages
217 -------------------------------------
218
Mantis, as a PHP web application, is exposed to the common classes of PHP
application vulnerabilities. The system has to be kept up to date with OS
patches, and the custom-built Mantis package has to be updated whenever a new
release is published upstream.
222
223 Administrators for this system should subscribe to the
224 mantisbt-announce@lists.sourceforge.net list to get notified when updates are
225 released.
226
227 Critical Configuration items
228 ============================
229
230 Keys and X.509 certificates
231 ---------------------------
232
233 .. sslcert:: bugs.cacert.org
234 :certfile: /etc/ssl/public/bugs.c.o.20160314.crt
235 :keyfile: /etc/ssl/private/bugs.c.o.20160314.key
236 :serial: 028A72
237 :expiration: Mar 14 13:12:13 2018 GMT
238 :sha1fp: 4D:1F:14:B2:BB:C8:59:68:D0:CF:86:36:DA:2F:B2:58:A7:90:E5:85
239 :issuer: CAcert.org Class 3 Root
240
241 * :file:`/etc/ssl/public/bugs.c.o.20160314.crt.chain` contains the server
242 certificate and the Class 3 CA certificate
243
244 * :file:`/etc/mantis/config_inc.php` contains the database settings for Mantis
245
246 .. index::
247 pair: Mantis; configuration
248
249 Mantis configuration
250 --------------------
251
252 The Mantis bug tracker configuration is stored in the directory
253 :file:`/etc/mantis/`.
254
255 * :file:`config_local.php` the main configuration file, including custom bug states
256 * :file:`custom_constants_inc.php` defines custom constants. Required for the
257 non-default bug states
258 * :file:`custom_strings_inc.php` defines custom string definitions. Required
259 for the non-default bug states
260
261 .. note::
262
263 Localisation for these could go here but currently I would avoid that so all
264 developers have the same vocabulary.
265
266 -- :ref:`people_neo` 2011-07-04 02:44:45
267
268 .. index::
269 pair: Apache httpd; configuration
270
271 Apache httpd configuration
272 --------------------------
273
274 The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
275 changed to add some additional headers to improve client security:
276
277 .. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
278 :language: diff
279
The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
configured in :file:`/etc/apache2/sites-available/mantis` (shared
configuration), which includes the :file:`/etc/apache2/conf.d/mantis` file
provided by the mantis package,
:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).
286
287 .. index::
288 pair: MySQL; configuration
289
290 MySQL configuration
291 -------------------
292
293 MySQL configuration is stored in the :file:`/etc/mysql/` directory.
294
295 .. index::
296 pair: rsyslog; configuration
297
298 Rsyslog configuration
299 ---------------------
300
301 Rsyslog has been configured to disable draining the kernel log:
302
303 .. code-block:: diff
304
305 --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
306 +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
307 @@ -9,7 +9,7 @@
308 #################
309
310 $ModLoad imuxsock # provides support for local system logging
311 -$ModLoad imklog # provides kernel logging support
312 +#$ModLoad imklog # provides kernel logging support
313 #$ModLoad immark # provides --MARK-- message capability
314
315 # provides UDP syslog reception
316
317 The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
318 add an additional logging socket in the Postfix chroot.
319
320
321 Tasks
322 =====
323
324 Planned
325 -------
326
327 .. todo:: setup IPv6
328
329 Changes
330 =======
331
332 System Future
333 -------------
334
335 * No plans
336
337 Additional documentation
338 ========================
339
340 .. seealso::
341
342 * :wiki:`PostfixConfiguration`
343
344 References
345 ----------
346
347 Mantis Bugtracker documentation
348 https://www.mantisbt.org/documentation.php
349 Apache httpd documentation
350 https://httpd.apache.org/docs/2.4/