9504fc4dc61039b6c8c4b745a2292b6e1de8efab
[cacert-infradocs.git] / docs / systems / bugs.rst
.. index::
   single: Systems; Bugs

====
Bugs
====

Purpose
=======

This system provides the public bug tracker for the CAcert community.

Application Links
-----------------

Bugtracker
   https://bugs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_neo`
* Secondary: :ref:`people_jandd`
* Secondary: :ref:`people_dirk`

Application Administration
--------------------------

+----------------------+--------------------------------------------+
| Application          | Administrator(s)                           |
+======================+============================================+
| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`,    |
|                      | :ref:`people_dirk`, :ref:`people_jandd`,   |
|                      | :ref:`people_ted`, :ref:`people_philipp`   |
+----------------------+--------------------------------------------+
| Mantis Manager       |                                            |
+----------------------+--------------------------------------------+

Contact
-------

* bugs-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.232`
:IP Intranet: :ip:v4:`172.16.2.16`
:IP Internal: :ip:v4:`10.0.0.16`
:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Bugs

======================== ======== ============================================
Name                     Type     Content
======================== ======== ============================================
bugs.cacert.org.         IN A     213.154.225.232
bugs.cacert.org.         IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org.         IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.intra.cacert.org.   IN A     172.16.2.16
======================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.3

* Debian GNU/Linux 9.3

Applicable Documentation
------------------------

That's it

Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------+
| Port     | Service | Origin  | Purpose                        |
+==========+=========+=========+================================+
| 22/tcp   | ssh     | ANY     | admin console access           |
+----------+---------+---------+--------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA     |
+----------+---------+---------+--------------------------------+
| 80/tcp   | http    | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 443/tcp  | https   | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+----------+---------+---------+--------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for bug tracker |
+----------+---------+---------+--------------------------------+
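
As an added example (not part of the infradocs), the following Python script
checks a socket listing against the table above, treating an Origin of
``local`` as "must be bound to a loopback address only" and any port not in
the table as undocumented. The ``ss -ltn`` output embedded in it is a
constructed sample; feed the real command's output in practice.

```python
# Added example (not infradocs code): the documented table as
# port -> (service, expected origin). An origin of "local" is interpreted
# here as "the socket must be bound to a loopback address".
DOCUMENTED = {
    22: ("ssh", "ANY"),
    25: ("smtp", "local"),
    80: ("http", "ANY"),
    443: ("https", "ANY"),
    5666: ("nrpe", "monitor"),
    3306: ("mysql", "local"),
}

# Constructed sample of ``ss -ltn`` with two deliberate deviations (3306 on
# all interfaces, an undocumented 8080) so the check has something to report.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*
LISTEN  0       128     *:80                *:*
LISTEN  0       128     *:443               *:*
LISTEN  0       5       0.0.0.0:5666        0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128     0.0.0.0:8080        0.0.0.0:*
"""

LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN line of ``ss -ltn``."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6
        listeners.append((addr, int(port)))
    return listeners


def find_deviations(listeners):
    """Report listeners missing from the table or bound wider than documented."""
    findings = []
    for addr, port in listeners:
        if port not in DOCUMENTED:
            findings.append(f"undocumented listener {addr}:{port}")
            continue
        service, origin = DOCUMENTED[port]
        if origin == "local" and not addr.startswith(LOOPBACK_PREFIXES):
            findings.append(f"{service} ({port}) bound to {addr}, expected loopback only")
    return findings
```

Run it as ``ss -ltn | python3 check_listeners.py`` style input by replacing
``SAMPLE_SS`` with ``sys.stdin.read()``; an empty result means the live host
matches the table.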

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for bug  | init script                            |
|                    | tracker            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for bug     | :file:`/etc/init.d/mysql`              |
|                    | tracker            |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; mantis

+-------+--------+--------------------+
| RDBMS | Name   | Used for           |
+=======+========+====================+
| MySQL | mantis | Mantis bug tracker |
+-------+--------+--------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* HTTP (80/tcp) to :doc:`git`

Security
========

.. sshkeys::
   :RSA: SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
   :DSA: SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
   :ECDSA: SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
   :ED25519: SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07
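
The DNS table above carries SSHFP records only for the RSA (algorithm 1) and
DSA (algorithm 2) keys, and only with SHA-1 fingerprints (type 1), while the
host key list here also shows ECDSA and Ed25519 keys. As an added example (not
part of the infradocs), the following Python derives from an OpenSSH public-key
line both the SSHFP record data, including the SHA-256 (type 2) variants, and
the ``SHA256:``/``MD5:`` fingerprints in the form used in the ``sshkeys`` list.
The key in it is a constructed dummy blob, so its digests match nothing on this
page; run it against ``/etc/ssh/ssh_host_*_key.pub`` to reproduce the real
values and compare them with both lists.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (as in the DNS table), 2 = SHA-256.
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed dummy key line (added example, not a real host key): the blob is
# the type string followed by 32 fixed bytes, so its digests are meaningless.
_DUMMY_BLOB = b"\x00\x00\x00\x0bssh-ed25519" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_DUMMY_BLOB).decode() + " root@bugs"


def key_blob(pubkey_line):
    """Split an OpenSSH public-key line into (key type, decoded key blob)."""
    key_type, b64, *_comment = pubkey_line.split()
    return key_type, base64.b64decode(b64)


def sshfp_records(hostname, pubkey_line, fptypes=(1, 2)):
    """Return zone-file SSHFP lines: "<host>. IN SSHFP <alg> <fptype> <hex>"."""
    key_type, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[key_type]
    return [
        f"{hostname}. IN SSHFP {alg} {fpt} "
        + SSHFP_FPTYPES[fpt](blob).hexdigest().upper()
        for fpt in fptypes
    ]


def openssh_fingerprints(pubkey_line):
    """Return ("SHA256:...", "MD5:...") as ``ssh-keygen -l`` prints them:
    unpadded base64 of the SHA-256 digest and colon-separated MD5 hex."""
    _, blob = key_blob(pubkey_line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{byte:02x}" for byte in hashlib.md5(blob).digest())
    return f"SHA256:{sha}", f"MD5:{md5}"
```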

Non-distribution packages and modifications
-------------------------------------------

.. index::
   pair: non-distribution package; Mantis

* Mantis installed in /srv/mantis (linked to /srv/mantisbt-2.4.2)
* custom-built `certificate authentication` plugin by :ref:`people_dirk`
  https://github.com/dastrath/CertificateAuthentication_Mantis
* For client certificate authentication a Class 3 client certificate issued by
  CAcert is needed; the first email address in the certificate has to match the
  email address of the account

.. _mantis: https://www.mantisbt.org/
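
As an added example (not the plugin's own code, which is PHP), the following
Python encodes the rule just stated as the application sees it through the
variables Apache mod_ssl exports to it (``SSL_CLIENT_VERIFY``,
``SSL_CLIENT_I_DN_CN``, ``SSL_CLIENT_SAN_Email_n``, ``SSL_CLIENT_S_DN_Email``),
which requires ``SSLOptions +StdEnvVars`` on the VirtualHost. The issuer name
and the sample variable values are assumptions constructed for the example.

```python
# Added example, not the CertificateAuthentication_Mantis plugin's code.
# ASSUMPTION: the CN of the CAcert Class 3 issuing certificate; check it
# against the CA certificate in the .crt.chain file before relying on it.
EXPECTED_ISSUER_CN = "CAcert Class 3 Root"


def certificate_emails(env):
    """E-mail addresses of the client certificate, in certificate order.

    subjectAltName rfc822Name entries (SSL_CLIENT_SAN_Email_0, _1, ...) come
    first; the subject DN emailAddress is the fallback for certificates
    that carry no subjectAltName.
    """
    emails = []
    while f"SSL_CLIENT_SAN_Email_{len(emails)}" in env:
        emails.append(env[f"SSL_CLIENT_SAN_Email_{len(emails)}"])
    if not emails and env.get("SSL_CLIENT_S_DN_Email"):
        emails.append(env["SSL_CLIENT_S_DN_Email"])
    return emails


def login_allowed(env, account_email):
    """Return (allowed, reason) for a client-certificate login attempt.

    All three conditions must hold: mod_ssl verified the chain, the issuer
    is the Class 3 CA, and the FIRST certificate address equals the account
    address. Addresses are compared case-insensitively (an assumption; the
    rule on this page only says they have to match).
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "client certificate not verified by mod_ssl"
    if env.get("SSL_CLIENT_I_DN_CN") != EXPECTED_ISSUER_CN:
        return False, "certificate not issued by the Class 3 CA"
    emails = certificate_emails(env)
    if not emails:
        return False, "certificate carries no e-mail address"
    if emails[0].strip().lower() != account_email.strip().lower():
        return False, "first certificate e-mail does not match the account"
    return True, "ok"


# Constructed sample of the mod_ssl variables for a verified Class 3 client
# certificate with two addresses; only the first one may log in.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN_CN": EXPECTED_ISSUER_CN,
    "SSL_CLIENT_SAN_Email_0": "Alice@example.org",
    "SSL_CLIENT_SAN_Email_1": "alice.other@example.net",
    "SSL_CLIENT_S_DN_Email": "alice.other@example.net",
}
```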

Risk assessments on critical packages
-------------------------------------

Mantis, as a PHP web application, is exposed to the vulnerability classes
common to PHP applications. The system has to be kept up to date with OS
patches, and the custom-built Mantis package has to be updated when new
releases are provided upstream.

Administrators for this system should subscribe to the
mantisbt-announce@lists.sourceforge.net list to get notified when updates are
released.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: bugs.cacert.org
   :certfile: /etc/ssl/public/bugs.c.o.20160314.crt
   :keyfile: /etc/ssl/private/bugs.c.o.20160314.key
   :serial: 028A72
   :expiration: Mar 14 13:12:13 2018 GMT
   :sha1fp: 4D:1F:14:B2:BB:C8:59:68:D0:CF:86:36:DA:2F:B2:58:A7:90:E5:85
   :issuer: CAcert.org Class 3 Root

* :file:`/etc/ssl/public/bugs.c.o.20160314.crt.chain` contains the server
  certificate and the Class 3 CA certificate

* :file:`/etc/mantis/config_inc.php` contains the database settings for Mantis

.. index::
   pair: Mantis; configuration

Mantis configuration
--------------------

The Mantis bug tracker configuration is stored in the directory
:file:`/etc/mantis/`.

* :file:`config_local.php` is the main configuration file, including custom bug
  states
* :file:`custom_constants_inc.php` defines custom constants, required for the
  non-default bug states
* :file:`custom_strings_inc.php` defines custom string definitions, required
  for the non-default bug states

.. note::

   Localisation for these could go here but currently I would avoid that so all
   developers have the same vocabulary.

   -- :ref:`people_neo` 2011-07-04 02:44:45

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
changed to add some additional headers to improve client security:

.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
   :language: diff

The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
configured in :file:`/etc/apache2/sites-available/mantis` (shared
configuration), which includes configuration from the
:file:`/etc/apache2/conf.d/mantis` file provided by the mantis package,
:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).

.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: rsyslog; configuration

Rsyslog configuration
---------------------

Rsyslog has been configured to disable draining the kernel log:

.. code-block:: diff

   --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
   +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
   @@ -9,7 +9,7 @@
    #################
    
    $ModLoad imuxsock # provides support for local system logging
   -$ModLoad imklog # provides kernel logging support
   +#$ModLoad imklog # provides kernel logging support
    #$ModLoad immark # provides --MARK-- message capability
    
    # provides UDP syslog reception
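
Review bot: commenting out ``$ModLoad imklog`` is reasonable for a guest that, as stated under Physical Location, runs in an LXC container and therefore has no kernel log of its own, but the consequence should be written next to the diff: kernel-originated messages concerning this guest (netfilter logging, OOM kills) end up only in the host's log on infra02, so anyone working an incident on bugs has to look there as well. Separately, the ``+++ bugs/etc/rsyslog.conf`` timestamp (2015-03-03) predates the ``--- orig/etc/rsyslog.conf`` baseline it is diffed against (2015-12-14), so the baseline is not the file the change was actually made from; regenerate the diff against the rsyslog.conf shipped with the rsyslog package on the current Debian 9.3 installation (checking whether that default still loads modules with the legacy ``$ModLoad`` form at all) to confirm this remains the only local change.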

The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
add an additional logging socket in the Postfix chroot.

Tasks
=====

Planned
-------

.. todo:: setup IPv6

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Mantis Bugtracker documentation
   https://www.mantisbt.org/documentation.php
Apache httpd documentation
   https://httpd.apache.org/docs/2.4/