[cacert-infradocs.git] / docs / systems / bugs.rst
.. index::
   single: Systems; Bugs

====
Bugs
====

Purpose
=======

This system provides the public bug tracker for the CAcert community.

.. note:: There currently seems to be a problem for users signing themselves up
   for new accounts. Until this is fixed by Debian, new accounts must be
   created by administrators. For more details ask the `support mailing list
   <cacert-support@lists.cacert.org>`_.

Application Links
-----------------

Bugtracker
   https://bugs.cacert.org/

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_neo`
* Secondary: :ref:`people_jandd`

Application Administration
--------------------------

+----------------------+--------------------------------------------+
| Application          | Administrator(s)                           |
+======================+============================================+
| Mantis Administrator | :ref:`people_benbe`, :ref:`people_neo`,    |
|                      | :ref:`people_dirk`, :ref:`people_jandd`,   |
|                      | :ref:`people_ted`, :ref:`people_mario`,    |
|                      | :ref:`people_philipp`                      |
+----------------------+--------------------------------------------+
| Mantis Manager       | :ref:`people_marcus`, :ref:`people_ulrich` |
+----------------------+--------------------------------------------+

Contact
-------

* bugs-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.232`
:IP Intranet: :ip:v4:`172.16.2.16`
:IP Internal: :ip:v4:`10.0.0.16`
:MAC address: :mac:`00:ff:fe:13:14:7a` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Bugs

======================== ======== ============================================
Name                     Type     Content
======================== ======== ============================================
bugs.cacert.org.         IN A     213.154.225.232
bugs.cacert.org.         IN SSHFP 1 1 4B4BC32C4E655559B43A370B77CAD4983E8C24F8
bugs.cacert.org.         IN SSHFP 2 1 7916E317983D8BC85D719BB793E5E46A6B4976B2
bugs.intra.cacert.org.   IN A     172.16.2.16
======================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Jessie
   single: Debian GNU/Linux; 8.4

* Debian GNU/Linux 8.4

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+---------+--------------------------------+
| Port     | Service | Origin  | Purpose                        |
+==========+=========+=========+================================+
| 22/tcp   | ssh     | ANY     | admin console access           |
+----------+---------+---------+--------------------------------+
| 25/tcp   | smtp    | local   | mail delivery to local MTA     |
+----------+---------+---------+--------------------------------+
| 80/tcp   | http    | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 443/tcp  | https   | ANY     | web server for bug tracker     |
+----------+---------+---------+--------------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service      |
+----------+---------+---------+--------------------------------+
| 3306/tcp | mysql   | local   | MySQL database for bug tracker |
+----------+---------+---------+--------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for bug  | init script                            |
|                    | tracker            | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| MySQL              | MySQL database     | init script                            |
|                    | server for bug     | :file:`/etc/init.d/mysql`              |
|                    | tracker            |                                        |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Databases
---------

.. index::
   pair: MySQL database; mantis

+-------+--------+--------------------+
| RDBMS | Name   | Used for           |
+=======+========+====================+
| MySQL | mantis | Mantis bug tracker |
+-------+--------+--------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs
* HTTP (80/tcp) to :doc:`git`

Security
========

.. sshkeys::
   :RSA: 59:41:a6:da:9f:64:87:85:76:6f:ad:d5:5f:a8:50:45
   :DSA: 17:ef:36:49:60:6e:bb:36:fd:ef:d9:77:90:59:00:a9
   :ECDSA: a2:ee:46:14:c0:31:53:2a:b3:d1:34:82:02:df:ab:bc

Non-distribution packages and modifications
-------------------------------------------

.. index::
   pair: non-distribution package; Mantis

* custom built `mantis`_ package by :ref:`people_benbe`

.. _mantis: https://www.mantisbt.org/

Risk assessments on critical packages
-------------------------------------

Mantis as a PHP application is vulnerable to common PHP problems. The system
has to be kept up-to-date with OS patches. The custom built mantis package has
to be updated when new releases are provided upstream.

Administrators for this system should subscribe to the
mantisbt-announce@lists.sourceforge.net list to get notified when updates are
released.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: bugs.cacert.org
   :certfile: /etc/ssl/public/bugs.c.o.20160314.crt
   :keyfile: /etc/ssl/private/bugs.c.o.20160314.key
   :serial: 028A72
   :expiration: Mar 14 13:12:13 2018 GMT
   :sha1fp: 4D:1F:14:B2:BB:C8:59:68:D0:CF:86:36:DA:2F:B2:58:A7:90:E5:85
   :issuer: CAcert.org Class 3 Root

* :file:`/etc/ssl/public/bugs.c.o.20160314.crt.chain` contains the server
  certificate and the Class 3 CA certificate

* :file:`/etc/mantis/config_inc.php` contains the database settings for Mantis

.. index::
   pair: Mantis; configuration

Mantis configuration
--------------------

The Mantis bug tracker configuration is stored in the directory
:file:`/etc/mantis/`.

* :file:`config_local.php` is the main configuration file, including custom
  bug states
* :file:`custom_constants_inc.php` defines custom constants. Required for the
  non-default bug states
* :file:`custom_strings_inc.php` defines custom string definitions. Required
  for the non-default bug states

.. note::

   Localisation for these could go here but currently I would avoid that so all
   developers have the same vocabulary.

   -- :ref:`people_neo` 2011-07-04 02:44:45

.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration in the directory :file:`/etc/apache2/` has been
changed to add some additional headers to improve client security:

.. literalinclude:: ../configdiff/bugs/apache/bugs-apache-config.diff
   :language: diff

The :index:`Mantis VirtualHost <pair: bugs.cacert.org; VirtualHost>` is
configured in :file:`/etc/apache2/sites-available/mantis` (shared
configuration, which includes configuration from the
:file:`/etc/apache2/conf.d/mantis` file provided by the mantis package),
:file:`/etc/apache2/sites-available/mantis-nossl.conf` (HTTP VirtualHost) and
:file:`/etc/apache2/sites-available/mantis-ssl.conf` (HTTPS VirtualHost).

.. index::
   pair: MySQL; configuration

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

.. index::
   pair: rsyslog; configuration

Rsyslog configuration
---------------------

Rsyslog has been configured to disable draining the kernel log:

.. code-block:: diff

308 --- orig/etc/rsyslog.conf 2015-12-14 13:34:27.000000000 +0100
309 +++ bugs/etc/rsyslog.conf 2015-03-03 22:22:44.385835152 +0100
310 @@ -9,7 +9,7 @@
311 #################
312
313 $ModLoad imuxsock # provides support for local system logging
314 -$ModLoad imklog # provides kernel logging support
315 +#$ModLoad imklog # provides kernel logging support
316 #$ModLoad immark # provides --MARK-- message capability
317
318 # provides UDP syslog reception
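
Review bot: the commented-out ``$ModLoad imklog`` line carries no reason in the file itself, so a later rsyslog package upgrade or config merge can silently re-enable it. Add a comment line above it stating why the module is off on this LXC container, for example ``# imklog disabled: do not drain the kernel log from inside the container``. The header timestamps are also worth a second look: the ``orig`` file is dated 2015-12-14 and the ``bugs`` file 2015-03-03, so confirm the local change was re-checked against the packaged :file:`rsyslog.conf` that is installed now.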

The :program:`postfix` package installed :file:`/etc/rsyslog.d/postfix.conf` to
add an additional logging socket in the Postfix chroot.


Tasks
=====

Planned
-------

.. todo:: provide the custom mantis package from an infrastructure Debian
   package repository
.. todo:: set up IPv6
.. todo:: set up X.509 authentication if possible :bug:`678`

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Mantis Bugtracker documentation
   https://www.mantisbt.org/documentation.php
Apache httpd documentation
   https://httpd.apache.org/docs/2.4/