Add IPv6 for bugs
[cacert-infradocs.git] / docs / systems / bugs.rst
.. index::
   single: Systems; Bugs

====
Bugs
====

Purpose
=======

This system provides the public bug tracker for the CAcert community.

Application Links
-----------------

Bugtracker
   https://bugs.cacert.org/
18
Administration
==============

System Administration
---------------------

* Primary: :ref:`people_neo`
* Secondary: :ref:`people_jandd`
* Secondary: :ref:`people_dirk`

Application Administration
--------------------------

+----------------------+--------------------------------------------+
| Application          | Administrator(s)                           |
+======================+============================================+
| Mantis Administrator | :ref:`people_neo`, :ref:`people_mario`,    |
|                      | :ref:`people_dirk`, :ref:`people_jandd`,   |
|                      | :ref:`people_ted`, :ref:`people_philipp`   |
+----------------------+--------------------------------------------+
| Mantis Manager       |                                            |
+----------------------+--------------------------------------------+

Contact
-------

* bugs-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.
52
Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.232`
:IP Intranet: :ip:v4:`172.16.2.16`
:IP Internal: :ip:v4:`10.0.0.16`
:IPv6: :ip:v6:`2001:7b8:616:162:2::16`
:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)

.. seealso::

   See :doc:`../network`
74
DNS
---

.. index::
   single: DNS records; Bugs

======================== ======== ====================================================================
Name                     Type     Content
======================== ======== ====================================================================
bugs.cacert.org.         IN A     213.154.225.232
bugs.cacert.org.         IN AAAA  2001:7b8:616:162:2::16
bugs.cacert.org.         IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org.         IN SSHFP 1 2 51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a
bugs.cacert.org.         IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.cacert.org.         IN SSHFP 2 2 7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892
bugs.cacert.org.         IN SSHFP 3 1 72737bd1240b446c2b8e0aad0acff889e3b72ec7
bugs.cacert.org.         IN SSHFP 3 2 152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44
bugs.cacert.org.         IN SSHFP 4 1 bb6b5f8599c3a93383392b80cc029a0d65ffc7f1
bugs.cacert.org.         IN SSHFP 4 2 caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15
bugs.intra.cacert.org.   IN A     172.16.2.16
======================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
100
Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

That's it
114
Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------+
| Port     | Service | Origin  | Purpose                        |
+==========+=========+=========+================================+
| 22/tcp   | ssh     | ANY     | admin console access           |
+----------+---------+---------+--------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA     |
+----------+---------+---------+--------------------------------+
| 80/tcp   | http    | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 443/tcp  | https   | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+----------+---------+---------+--------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for bug tracker |
+----------+---------+---------+--------------------------------+
136
Running services
----------------

.. index::
   single: apache httpd
   single: cron
   single: mariadb
   single: nrpe
   single: openssh
   single: postfix
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| Apache httpd       | Webserver for bug  | init script                            |
|                    | tracker            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| MariaDB            | MariaDB database   | init script                            |
|                    | server for bug     | :file:`/etc/init.d/mysql`              |
|                    | tracker            |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script                            |
|                    | management agent   | :file:`/etc/init.d/puppet`             |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
180
Databases
---------

.. index::
   pair: MySQL database; mantis

+---------+--------+--------------------+
| RDBMS   | Name   | Used for           |
+=========+========+====================+
| MariaDB | mantis | Mantis bug tracker |
+---------+--------+--------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* :doc:`infra02` as resolving nameserver
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs
* HTTP (80/tcp) to :doc:`git`
207
Security
========

.. sshkeys::
   :RSA: SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo MD5:59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
   :DSA: SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI MD5:17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
   :ECDSA: SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ MD5:a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc
   :ED25519: SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU MD5:54:67:22:bf:2d:ae:35:1f:fd:13:98:ee:af:3a:f3:07
216
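As an added check that is not part of the CAcert infradocs or of the bugs system itself, the script below confirms that the type 2 SSHFP records in the DNS table above agree with the SHA-256 host key fingerprints listed here, and shows how both SSHFP types are derived from a host public key line. The record and fingerprint values are copied from this page; the mapping of key types to SSHFP algorithm numbers follows RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, 6594, 7479) keyed by the OpenSSH key type.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
ALGO_NAME = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}

# Type 2 (SHA-256) SSHFP records copied from the DNS table of this page.
SSHFP_RECORDS = [
    (1, 2, "51f10258849d1194f282deb0da97009016423d5f0b28a0056a551c4f38c2870a"),
    (2, 2, "7632a8a40f1534a3afa3c630d062062dd23c7b1fd24fc518334d82cfa4977892"),
    (3, 2, "152fc9f8d7d72979846757db7fa433bd3f6340cd0dcebcce5d681e60dc46ca44"),
    (4, 2, "caa52e4c5ddecc5ee144aa2b6965101961ff7e7518063b43908d133f1cdf6e15"),
]
# Host key fingerprints copied from the sshkeys directive of this page.
HOST_KEY_FPS = {
    "RSA": "SHA256:UfECWISdEZTygt6w2pcAkBZCPV8LKKAFalUcTzjChwo",
    "DSA": "SHA256:djKopA8VNKOvo8Yw0GIGLdI8ex/ST8UYM02Cz6SXeJI",
    "ECDSA": "SHA256:FS/J+NfXKXmEZ1fbf6QzvT9jQM0NzrzOXWgeYNxGykQ",
    "ED25519": "SHA256:yqUuTF3ezF7hRKoraWUQGWH/fnUYBjtDkI0TPxzfbhU",
}

def openssh_sha256_to_sshfp_hex(fingerprint):
    """ssh-keygen prints SHA-256 fingerprints as unpadded base64; an SSHFP
    type 2 record carries the same 32 bytes as hex, so the two must agree."""
    b64 = fingerprint.split(":", 1)[1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.hex()

def sshfp_from_pubkey_line(line):
    """SSHFP rdata (algorithm, fptype, hex digest) for one ssh_host_*_key.pub
    line, for both SHA-1 (type 1) and SHA-256 (type 2)."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)  # the wire-format key blob is what gets hashed
    algo = SSHFP_ALGO[keytype]
    return [(algo, 1, hashlib.sha1(blob).hexdigest()),
            (algo, 2, hashlib.sha256(blob).hexdigest())]

def check_records(records, host_fps):
    """Return (key type, expected hex, published hex) for every type 2 record
    that disagrees with the host key fingerprint; empty means they agree."""
    mismatches = []
    for algo, fptype, published in records:
        if fptype != 2:
            continue  # an MD5 fingerprint cannot be checked against type 1
        expected = openssh_sha256_to_sshfp_hex(host_fps[ALGO_NAME[algo]])
        if expected != published.lower():
            mismatches.append((ALGO_NAME[algo], expected, published))
    return mismatches
```

The type 1 (SHA-1) records cannot be cross-checked from the MD5 fingerprints above; run `sshfp_from_pubkey_line` over the host's public key files to regenerate both types after a host key rollover.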
Non-distribution packages and modifications
-------------------------------------------

The Puppet agent package and a few dependencies are installed from the official
Puppet APT repository because the versions in Debian are too old to use modern
Puppet features.

.. index::
   pair: non-distribution package; Mantis

* Mantis_ is installed in :file:`/srv/mantis` (linked to
  :file:`/srv/mantisbt-2.4.2`)
* custom-built `certificate authentication` plugin by :ref:`people_dirk`:
  https://github.com/dastrath/CertificateAuthentication_Mantis
* For client certificate authentication a Class 3 client certificate issued by
  CAcert is needed; the first email address in the certificate has to match the
  email address of the account

.. _mantis: https://www.mantisbt.org/
235
Risk assessments on critical packages
-------------------------------------

Mantis, as a PHP application, is exposed to the common PHP security problems.
The system has to be kept up to date with OS patches, and the custom-built
Mantis package has to be updated when new releases are provided upstream.

Administrators for this system should subscribe to the
mantisbt-announce@lists.sourceforge.net list to get notified when updates are
released.

The system uses third-party packages with a good security track record and
regular updates. The attack surface is small due to the tightly restricted
access to the system. The Puppet agent is not exposed for access from outside
the system.
251
Critical Configuration items
============================

The system configuration is managed via Puppet profiles. There should be no
configuration items outside of the Puppet repository.

.. todo:: move configuration of :doc:`bugs` to Puppet code

Keys and X.509 certificates
---------------------------

.. sslcert:: bugs.cacert.org
   :altnames: DNS:bugs.cacert.org
   :certfile: /etc/ssl/public/bugs.c.o.crt
   :keyfile: /etc/ssl/private/bugs.c.o.key
   :serial: 02BEFD
   :expiration: Mar 03 13:08:19 2020 GMT
   :sha1fp: DB:16:71:13:60:38:AD:21:A7:36:CA:5A:D2:65:75:4D:C5:3C:C8:15
   :issuer: CAcert Class 3 Root
271
.. index::
   pair: Mantis; configuration

Mantis configuration
--------------------

The Mantis bug tracker configuration is stored in the directory
:file:`/etc/mantis/`.

* :file:`config_inc.php` contains the database settings for Mantis
* :file:`config_local.php` is the main configuration file, including the custom
  bug states
* :file:`custom_constants_inc.php` defines custom constants, required for the
  non-default bug states
* :file:`custom_strings_inc.php` defines custom string definitions, required
  for the non-default bug states

.. note::

   Localisation for these could go here but currently I would avoid that so all
   developers have the same vocabulary.

   -- :ref:`people_neo` 2011-07-04 02:44:45
294
.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
changed to add some additional headers to improve client security:

.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
   :language: diff

The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
configured in :file:`/etc/apache2/sites-available/mantis` (shared
configuration), which includes configuration from the
:file:`/etc/apache2/conf.d/mantis` file provided by the mantis package,
:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).
313
.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: rsyslog; configuration

Rsyslog configuration
---------------------

Rsyslog has been configured to disable draining the kernel log:

.. code-block:: diff

   --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
   +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
   @@ -9,7 +9,7 @@
    #################
    
    $ModLoad imuxsock # provides support for local system logging
   -$ModLoad imklog # provides kernel logging support
   +#$ModLoad imklog # provides kernel logging support
    #$ModLoad immark # provides --MARK-- message capability
    
    # provides UDP syslog reception
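
Review bot: the hunk comments out imklog without the sentence above saying why, and the reason belongs next to the diff: this system is an LXC container (see Physical Location), so the kernel log belongs to the host kernel, and reading /proc/kmsg from inside the container would either be refused or consume messages meant for the host; kernel messages concerning this system (netfilter log lines, for example) therefore have to be collected on :doc:`infra02`, not here. The file timestamps also look wrong way round: the `--- orig` copy is dated 2015-12-14, later than the `+++ bugs` copy of 2015-03-03, so confirm the diff was taken against the intended base.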
343
The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
add an additional logging socket in the Postfix chroot.
346
347
Tasks
=====

Planned
-------

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Mantis Bugtracker documentation
   https://www.mantisbt.org/documentation.php
Apache httpd documentation
   https://httpd.apache.org/docs/2.4/
374 Apache httpd documentation
375 https://httpd.apache.org/docs/2.4/