Add new SSHFP DNS records for blog and bugs
[cacert-infradocs.git] / docs / systems / bugs.rst
.. index::
   single: Systems; Bugs

====
Bugs
====

Purpose
=======

This system provides the public bug tracker for the CAcert community.

Application Links
-----------------

Bugtracker
   https://bugs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_neo`
* Secondary: :ref:`people_jandd`
* Secondary: :ref:`people_dirk`

Application Administration
--------------------------

+----------------------+--------------------------------------------+
| Application          | Administrator(s)                           |
+======================+============================================+
| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`,    |
|                      | :ref:`people_dirk`, :ref:`people_jandd`,   |
|                      | :ref:`people_ted`, :ref:`people_philipp`   |
+----------------------+--------------------------------------------+
| Mantis Manager       |                                            |
+----------------------+--------------------------------------------+

Contact
-------

* bugs-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.232`
:IP Intranet: :ip:v4:`172.16.2.16`
:IP Internal: :ip:v4:`10.0.0.16`
:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Bugs

======================== ======== ====================================================================
Name                     Type     Content
======================== ======== ====================================================================
bugs.cacert.org.         IN A     213.154.225.232
bugs.cacert.org.         IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org.         IN SSHFP 1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
bugs.cacert.org.         IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.cacert.org.         IN SSHFP 2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
bugs.cacert.org.         IN SSHFP 3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
bugs.cacert.org.         IN SSHFP 3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
bugs.cacert.org.         IN SSHFP 4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
bugs.cacert.org.         IN SSHFP 4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
bugs.intra.cacert.org.   IN A     172.16.2.16
======================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.3

* Debian GNU/Linux 9.3

Applicable Documentation
------------------------

That's it

Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------+
| Port     | Service | Origin  | Purpose                        |
+==========+=========+=========+================================+
| 22/tcp   | ssh     | ANY     | admin console access           |
+----------+---------+---------+--------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA     |
+----------+---------+---------+--------------------------------+
| 80/tcp   | http    | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 443/tcp  | https   | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+----------+---------+---------+--------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for bug tracker |
+----------+---------+---------+--------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for bug  | init script                            |
|                    | tracker            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for bug     | :file:`/etc/init.d/mysql`              |
|                    | tracker            |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; mantis

+-------+--------+--------------------+
| RDBMS | Name   | Used for           |
+=======+========+====================+
| MySQL | mantis | Mantis bug tracker |
+-------+--------+--------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* HTTP (80/tcp) to :doc:`git`

Security
========

.. sshkeys::
   :RSA: SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
   :DSA: SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
   :ECDSA: SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
   :ED25519: SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07
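
The SSHFP records in the DNS section and the host key fingerprints listed above describe the same four keys (SSHFP stores the SHA-256 of the raw key blob as hex, ``ssh-keygen -l`` prints the same digest as unpadded base64), so the two can be cross-checked without touching the host. The following is an added example, not part of the infradocs tooling; it also recomputes SSHFP data from a public key line as ``ssh-keygen -r`` would, and the ``SSHFP_RECORDS`` and ``OPENSSH_FINGERPRINTS`` tables are copied from this page.

```python
import base64
import hashlib

# SSHFP algorithm numbers <-> key types (RFC 4255 for 1-2, RFC 6594 for 3, RFC 7479 for 4)
SSHFP_ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
KEY_TYPE_TO_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}  # ecdsa-sha2-* -> 3

# SHA-256 SSHFP records (fingerprint type 2) for bugs.cacert.org, copied from the DNS table above
SSHFP_RECORDS = [
    (1, 2, "51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a"),
    (2, 2, "7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892"),
    (3, 2, "152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44"),
    (4, 2, "caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15"),
]

# Host key fingerprints as ssh-keygen -l prints them, copied from the Security section above
OPENSSH_FINGERPRINTS = {
    "RSA": "SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo",
    "DSA": "SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI",
    "ECDSA": "SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ",
    "ED25519": "SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU",
}

def sshfp_to_openssh(fp_type, fp_hex):
    """Render SSHFP fingerprint data the way 'ssh-keygen -l -E sha1|sha256' prints it:
    both are digests of the same raw key blob, SSHFP in hex, OpenSSH as unpadded base64."""
    digest = bytes.fromhex(fp_hex)
    tag, size = {1: ("SHA1", 20), 2: ("SHA256", 32)}[fp_type]
    if len(digest) != size:
        raise ValueError("%s fingerprint must be %d bytes, got %d" % (tag, size, len(digest)))
    return tag + ":" + base64.b64encode(digest).decode("ascii").rstrip("=")

def sshfp_from_pubkey(pubkey_line):
    """Compute the (algorithm, type, hex) SSHFP data for one 'type base64 [comment]'
    public key line, i.e. what 'ssh-keygen -r' would emit for that key."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    alg = 3 if key_type.startswith("ecdsa-sha2-nistp") else KEY_TYPE_TO_ALGORITHM[key_type]
    return [(alg, 1, hashlib.sha1(blob).hexdigest()), (alg, 2, hashlib.sha256(blob).hexdigest())]

def check_consistency(records=SSHFP_RECORDS, fingerprints=OPENSSH_FINGERPRINTS):
    """{key type: bool}: does each SHA-256 SSHFP record agree with the documented fingerprint?"""
    result = {}
    for alg, fp_type, fp_hex in records:
        if fp_type != 2:
            continue  # SHA-1 records have no SHA256: counterpart to compare with
        key_type = SSHFP_ALGORITHMS[alg]
        result[key_type] = sshfp_to_openssh(fp_type, fp_hex) == fingerprints.get(key_type)
    return result
```

A ``False`` from ``check_consistency()`` means the zone and this page disagree about a host key, which is exactly what a client with ``VerifyHostKeyDNS`` enabled would trip over.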
209
Non-distribution packages and modifications
-------------------------------------------

.. index::
   pair: non-distribution package; Mantis

* Mantis installed in :file:`/srv/mantis` (linked to :file:`/srv/mantisbt-2.4.2`)
* custom-built `certificate authentication` plugin by :ref:`people_dirk`:
  https://github.com/dastrath/CertificateAuthentication_Mantis
* For client certificate authentication a Class 3 client certificate issued by
  CAcert is needed; the first email address in the certificate has to match the
  email address of the account

.. _mantis: https://www.mantisbt.org/

Risk assessments on critical packages
-------------------------------------

Mantis is a PHP application and is therefore exposed to the common classes of
PHP web application vulnerabilities. The system has to be kept up to date with
OS patches, and the custom-built Mantis package has to be updated when new
releases are provided upstream.

Administrators for this system should subscribe to the
mantisbt-announce@lists.sourceforge.net list to get notified when updates are
released.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: bugs.cacert.org
   :certfile: /etc/ssl/public/bugs.c.o.20160314.crt
   :keyfile: /etc/ssl/private/bugs.c.o.20160314.key
   :serial: 028A72
   :expiration: Mar 14 13:12:13 2018 GMT
   :sha1fp: 4D:1F:14:B2:BB:C8:59:68:D0:CF:86:36:DA:2F:B2:58:A7:90:E5:85
   :issuer: CAcert.org Class 3 Root

* :file:`/etc/ssl/public/bugs.c.o.20160314.crt.chain` contains the server
  certificate and the Class 3 CA certificate

* :file:`/etc/mantis/config_inc.php` contains the database settings for Mantis

.. index::
   pair: Mantis; configuration

Mantis configuration
--------------------

The Mantis bug tracker configuration is stored in the directory
:file:`/etc/mantis/`.

* :file:`config_local.php` is the main configuration file, including the custom
  bug states
* :file:`custom_constants_inc.php` defines custom constants, required for the
  non-default bug states
* :file:`custom_strings_inc.php` defines custom string definitions, required
  for the non-default bug states

.. note::

   Localisation for these could go here but currently I would avoid that so all
   developers have the same vocabulary.

   -- :ref:`people_neo` 2011-07-04 02:44:45

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
changed to add some additional headers to improve client security:

.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
   :language: diff

The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
configured in :file:`/etc/apache2/sites-available/mantis` (shared
configuration), which includes the configuration from the
:file:`/etc/apache2/conf.d/mantis` file provided by the mantis package,
:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).

.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: rsyslog; configuration

Rsyslog configuration
---------------------

Rsyslog has been configured to disable draining the kernel log:

.. code-block:: diff

   --- orig/etc/rsyslog.conf	2015-12-14 13:34:27.000000000 +0100
   +++ bugs/etc/rsyslog.conf	2015-03-03 22:22:44.385835152 +0100
   @@ -9,7 +9,7 @@
    #################
    
    $ModLoad imuxsock # provides support for local system logging
   -$ModLoad imklog # provides kernel logging support
   +#$ModLoad imklog # provides kernel logging support
    #$ModLoad immark # provides --MARK-- message capability
    
    # provides UDP syslog reception
The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
add an additional logging socket in the Postfix chroot.

Tasks
=====

Planned
-------

.. todo:: setup IPv6

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Mantis Bugtracker documentation
   https://www.mantisbt.org/documentation.php
Apache httpd documentation
   https://httpd.apache.org/docs/2.4/