111c685d2f9a009bef7a5aa53c74126688fa4043
[cacert-infradocs.git] / docs / systems / issue.rst
.. index::
   single: Systems; Issue

=====
Issue
=====

Purpose
=======

The purpose of the issue server is to serve the issue tracking system,
implemented with `OTRS <https://www.otrs.com/>`_, used by :wiki:`Triage` and
:wiki:`Support` for handling requests sent to the support@cacert.org mail
address. Use by other teams, e.g. Arbitration (currently used occasionally)
and Organisation Assurance, is planned for the future.

Application Links
-----------------

OTRS URL
   https://issue.cacert.org/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_mario`
* Secondary: :ref:`people_neo`

Application Administration
--------------------------

+-------------+----------------------+
| Application | Administrator(s)     |
+=============+======================+
| OTRS        | :ref:`people_mario`, |
|             | :ref:`people_nick`,  |
|             | :ref:`people_ian`,   |
|             | :ref:`people_neo`    |
+-------------+----------------------+

Contact
-------

* issue-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.244`
:IP Intranet: :ip:v4:`172.16.2.28`
:IP Internal: :ip:v4:`10.0.0.28`
:MAC address: :mac:`00:ff:8c:94:e1:c8` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Issue

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
issue.cacert.org.       IN A     213.154.225.244
issue.intra.cacert.org. IN A     172.16.2.28
issue.cacert.org.       IN SSHFP 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB
issue.cacert.org.       IN SSHFP 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E
======================= ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

.. todo:: upgrade to Debian Jessie

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+----------+--------------------------------------------------+
| Port     | Service | Origin   | Purpose                                          |
+==========+=========+==========+==================================================+
| 22/tcp   | ssh     | ANY      | admin console access                             |
+----------+---------+----------+--------------------------------------------------+
| 25/tcp   | smtp    | localnet | local mail pickup in order to send out           |
|          |         |          | notifications via                                |
|          |         |          | :doc:`emailout`, incoming mail from :doc:`email` |
+----------+---------+----------+--------------------------------------------------+
| 80/tcp   | http    | ANY      | HTTP access to issue, redirects to HTTPS         |
+----------+---------+----------+--------------------------------------------------+
| 443/tcp  | https   | ANY      | HTTPS access to issue                            |
+----------+---------+----------+--------------------------------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service                        |
+----------+---------+----------+--------------------------------------------------+
| 3306/tcp | mysql   | local    | MySQL database for OTRS                          |
+----------+---------+----------+--------------------------------------------------+
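
The table above is the documented set of listening ports. The following is an
added example (not part of the cacert-infradocs page or the CAcert tooling)
that compares the documented list with what the host actually listens on, so
that an undocumented service shows up as drift. The live check assumes the
iproute2 ``ss`` command; the comparison itself only needs ``awk`` and
``sort``. The ``ss`` output used for the self-test is constructed, not captured
from the issue host.

```shell
#!/bin/sh
# Added example, not from the cacert-infradocs page: detect drift between the
# documented listening ports and the ports a host really listens on.

# Documented TCP listening ports (from the table above)
EXPECTED_PORTS="22 25 80 443 3306 5666"

# listening_ports SS_OUTPUT -> space-separated, numerically sorted, unique
# local port numbers taken from `ss -ltn` style lines. Field 4 is
# "Local Address:Port"; the last ":"-separated part is the port, which also
# works for IPv6 forms such as "[::]:22" and "*:22". A header line yields
# a non-numeric value and is dropped.
listening_ports() {
    printf '%s\n' "$1" | awk '{
        n = split($4, a, ":"); port = a[n]
        if (port ~ /^[0-9]+$/) print port
    }' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# port_diff EXPECTED ACTUAL -> prints one "unexpected: N" line per port that
# is open but undocumented and one "missing: N" line per documented port that
# is not open; returns 0 only when both lists agree.
port_diff() {
    rc=0
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) echo "unexpected: $p"; rc=1 ;; esac
    done
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) echo "missing: $p"; rc=1 ;; esac
    done
    return $rc
}

# check_live -> run the comparison against this host (needs `ss`)
check_live() {
    port_diff "$EXPECTED_PORTS" "$(listening_ports "$(ss -ltn)")"
}

# Constructed sample output in the format of `ss -ltn`, with one
# undocumented listener (8080) to show what drift looks like.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      50     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    0.0.0.0:5666       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*'

if [ "${1:-}" = "live" ]; then
    check_live
else
    port_diff "$EXPECTED_PORTS" "$(listening_ports "$SAMPLE_SS")"
fi
```

Run it with ``live`` on the host to compare the real socket list. Note that
the check only covers which ports are open, not the "Origin" column: that
smtp, mysql and nrpe are reachable only from localnet, local and the monitor
host respectively is enforced by the firewall and the bind addresses, which
this script does not inspect.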
135
Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+-----------------------------------+----------------------------------------+
| Service            | Usage                             | Start mechanism                        |
+====================+===================================+========================================+
| openssh server     | ssh daemon for                    | init script :file:`/etc/init.d/ssh`    |
|                    | remote                            |                                        |
|                    | administration                    |                                        |
+--------------------+-----------------------------------+----------------------------------------+
| Apache httpd       | Webserver for OTRS                | init script                            |
|                    |                                   | :file:`/etc/init.d/apache2`            |
+--------------------+-----------------------------------+----------------------------------------+
| cron               | job scheduler                     | init script :file:`/etc/init.d/cron`   |
+--------------------+-----------------------------------+----------------------------------------+
| rsyslog            | syslog daemon                     | init script                            |
|                    |                                   | :file:`/etc/init.d/syslog`             |
+--------------------+-----------------------------------+----------------------------------------+
| MySQL              | MySQL database                    | init script                            |
|                    | server for OTRS                   | :file:`/etc/init.d/mysql`              |
+--------------------+-----------------------------------+----------------------------------------+
| Postfix            | SMTP server for                   | init script                            |
|                    | local mail                        | :file:`/etc/init.d/postfix`            |
|                    | submission and for receiving mail |                                        |
|                    | directed to OTRS addresses        |                                        |
+--------------------+-----------------------------------+----------------------------------------+
| Puppet agent       | configuration management agent    | init script :file:`/etc/init.d/puppet` |
+--------------------+-----------------------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring                 | init script                            |
|                    | service queried by                | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`                    |                                        |
+--------------------+-----------------------------------+----------------------------------------+

Databases
---------

+-------+------+-------------------+
| RDBMS | Name | Used for          |
+=======+======+===================+
| MySQL | otrs | database for OTRS |
+-------+------+-------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`email`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`email` as SMTP submission relay (587, tcp) for specific addresses (see
  :ref:`postfix_configuration` below)
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. add the MD5 fingerprints of the SSH host keys

.. sshkeys::
   :RSA: 61:32:04:12:e3:4f:0b:b7:14:2d:d1:8f:82:b2:c7:47
   :DSA: a8:57:20:2f:09:a2:f3:d6:24:7a:29:35:2f:28:5e:4e
   :ECDSA: f1:a9:da:27:1a:ef:a8:67:51:d1:b4:e2:b7:83:c8:82

.. todo:: setup ED25519 host key
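
The SSHFP records in the DNS section above and the host key fingerprints
listed here both serve the same purpose: letting a client verify the host key
of issue.cacert.org out of band before trusting it. The following is an added
example (not part of the cacert-infradocs page or CAcert's tooling) that
derives the SSHFP rdata for a public key and checks it against records fetched
from DNS. It assumes POSIX sh with coreutils (``base64``, ``sha1sum``,
``sha256sum``); the live check additionally assumes ``ssh-keyscan`` and
``dig``. The key line used for the stand-alone run is constructed and is not a
real host key; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the cacert-infradocs page: derive the SSHFP record
# (RFC 4255, RFC 6594) from an SSH public host key and compare it with the
# records published in DNS.

# sshfp_alg KEYTYPE -> SSHFP algorithm number (0 = unknown key type)
sshfp_alg() {
    case "$1" in
        ssh-rsa)      echo 1 ;;
        ssh-dss)      echo 2 ;;
        ecdsa-sha2-*) echo 3 ;;
        ssh-ed25519)  echo 4 ;;
        *)            echo 0 ;;
    esac
}

# sshfp_digest KEYLINE FPTYPE -> uppercase hex digest of the decoded key blob
# (field 2 of "keytype base64blob comment").
# FPTYPE 1 = SHA-1, as in the records above; 2 = SHA-256, preferred today.
sshfp_digest() {
    case "$2" in
        1) sum=sha1sum ;;
        2) sum=sha256sum ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | awk '{ print $2 }' | base64 -d | "$sum" | awk '{ print toupper($1) }'
}

# sshfp_record KEYLINE FPTYPE -> "ALG FPTYPE DIGEST", i.e. the SSHFP rdata
sshfp_record() {
    digest=$(sshfp_digest "$1" "$2") || return 1
    keytype=$(printf '%s\n' "$1" | awk '{ print $1 }')
    printf '%s %s %s\n' "$(sshfp_alg "$keytype")" "$2" "$digest"
}

# sshfp_matches KEYLINE RECORDS -> 0 when one line of RECORDS (one SSHFP rdata
# per line, as printed by `dig +short`) equals the key's own record. Digests
# are compared case-insensitively because dig prints them in lower case.
sshfp_matches() {
    keyline=$1
    printf '%s\n' "$2" | {
        while read -r alg fptype digest; do
            [ -n "$digest" ] || continue
            want=$(sshfp_record "$keyline" "$fptype") || continue
            have="$alg $fptype $(printf '%s' "$digest" | tr 'a-f' 'A-F')"
            [ "$want" = "$have" ] && exit 0
        done
        exit 1
    }
}

# check_host HOST -> 0 when every host key the server offers has a matching
# SSHFP record in DNS (needs network access; not run by the self-test).
# Add "dsa" to the -t list on OpenSSH versions that still support it.
check_host() {
    records=$(dig +short "$1" SSHFP)
    [ -n "$records" ] || { echo "no SSHFP records for $1" >&2; return 2; }
    ssh-keyscan -t rsa,ecdsa,ed25519 "$1" 2>/dev/null | {
        n=0
        while read -r host keytype blob; do
            n=$((n + 1))
            if sshfp_matches "$keytype $blob" "$records"; then
                echo "OK   $keytype"
            else
                echo "FAIL $keytype: no matching SSHFP record" >&2
                exit 1
            fi
        done
        [ "$n" -gt 0 ] || { echo "no host keys received from $1" >&2; exit 2; }
    }
}

# Constructed key line for the stand-alone run; the blob is not a real key,
# but any base64 string exercises the decode-and-hash path the same way.
SAMPLE_KEY="ssh-rsa $(printf 'constructed-not-a-real-key-blob' | base64) constructed@example"

if [ $# -gt 0 ]; then
    check_host "$1"
else
    sshfp_record "$SAMPLE_KEY" 1
fi
```

``ssh-keygen -r issue.cacert.org -f /etc/ssh/ssh_host_rsa_key.pub`` prints the
same rdata directly on the host and is the easier way to produce the records
when a key is rotated, and ``ssh-keygen -l -E md5 -f <pubkey>`` prints the MD5
form shown in the ``sshkeys`` block above. Clients can let OpenSSH do the
check itself with ``-o VerifyHostKeyDNS=yes``, which only helps if the zone is
DNSSEC-signed; the records above use the SHA-1 fingerprint type, and a
SHA-256 (type 2) record should be published alongside when keys are next
touched.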
216
Non-distribution packages and modifications
-------------------------------------------

:program:`OTRS` is installed from Debian packages but has been patched. The
OTRS packages must not be updated from Debian packages without reapplying the
patch.

:file:`/usr/share/otrs/Kernel/Output/HTML/Layout.pm`

.. literalinclude:: ../patches/otrs/Layout.pm.patch
   :language: diff

Risk assessments on critical packages
-------------------------------------

Patching OTRS carries the risk of delayed security updates. The package is
set on hold via :command:`echo otrs hold | dpkg --set-selections` and must be
updated explicitly. OTRS 3.1 is no longer supported by upstream.

The Apache httpd in use has a good reputation. OTRS is integrated into Apache
httpd via mod_perl2.
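
Because the hold is what keeps an unattended upgrade from silently dropping the
Layout.pm patch, the explicit update should check the hold, check that the
patch is still in place, and re-hold afterwards in one step. The script below
is an added example (not part of the cacert-infradocs page or the CAcert
puppet configuration) of such a procedure. It uses the ``dpkg
--set-selections`` hold from the text and the standard ``apt-get``, ``dpkg``
and GNU ``patch`` commands; the location of the patch file on the host and the
``-p`` strip level are assumptions, shown as overridable variables. Only the
pure text function ``package_held`` is exercised by the self-test.

```shell
#!/bin/sh
# Added example, not from the cacert-infradocs page: explicit, patch-preserving
# upgrade of the held OTRS package.

PATCH_FILE=${PATCH_FILE:-/usr/local/src/patches/otrs/Layout.pm.patch}  # assumed location
PATCH_STRIP=${PATCH_STRIP:-1}                                           # assumed -p level
OTRS_ROOT=/usr/share/otrs   # contains Kernel/Output/HTML/Layout.pm (from the page)

# package_held SELECTIONS PKG -> 0 when SELECTIONS, the output of
# `dpkg --get-selections`, marks PKG as "hold"
package_held() {
    printf '%s\n' "$1" | awk -v pkg="$2" '$1 == pkg && $2 == "hold" { found = 1 } END { exit !found }'
}

# hold_state PKG -> "hold", "install", ... from the live dpkg database
hold_state() {
    dpkg --get-selections "$1" 2>/dev/null | awk '{ print $2 }'
}

# upgrade_otrs -> release the hold, upgrade, reapply the patch, hold again.
# Refuses to start if the package is not on hold (someone else may already be
# mid-upgrade) or if the local patch is not applied as expected; restores the
# hold if the upgrade itself fails.
upgrade_otrs() {
    package_held "$(dpkg --get-selections)" otrs || {
        echo "otrs is not on hold; refusing to continue" >&2; return 1; }
    # `patch -R --dry-run` succeeds only if the patch is currently applied
    patch --dry-run -R -p"$PATCH_STRIP" -d "$OTRS_ROOT" < "$PATCH_FILE" >/dev/null || {
        echo "patch is not applied to $OTRS_ROOT as expected" >&2; return 1; }
    echo "otrs install" | dpkg --set-selections
    if ! apt-get install --only-upgrade otrs; then
        echo "otrs hold" | dpkg --set-selections
        echo "upgrade failed; hold restored" >&2
        return 1
    fi
    patch -p"$PATCH_STRIP" -d "$OTRS_ROOT" < "$PATCH_FILE"
    echo "otrs hold" | dpkg --set-selections
    echo "otrs upgraded, patch reapplied, hold restored (state: $(hold_state otrs))"
}

# Constructed selections output, in the format of `dpkg --get-selections`
SAMPLE_SELECTIONS='openssh-server                  install
otrs                            hold
postfix                         install'

if [ "${1:-}" = "upgrade" ]; then
    upgrade_otrs
elif package_held "$SAMPLE_SELECTIONS" otrs; then
    echo "sample: otrs is on hold"
fi
```

``apt-get`` reports held-back packages on every run, so the hold stays visible
to the administrator; the point of the script is that the only path that
removes the hold also reapplies the patch and puts the hold back.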
238
Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

The following certificate and its corresponding private key are used by Apache
httpd and Postfix:

.. sslcert:: issue.cacert.org
   :altnames: DNS:issue.cacert.org
   :certfile: /etc/ssl/certs/issue.cacert.org.pem
   :keyfile: /etc/ssl/private/issue.cacert.org.key
   :serial: 1381E9
   :expiration: Mar 16 09:54:12 2020 GMT
   :sha1fp: 90:67:C0:57:17:BD:98:66:B1:E2:62:A6:11:59:E4:C3:3E:E3:C0:E4
   :issuer: CA Cert Signing Authority

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/default`

  HTTP virtualhost configuration that redirects to HTTPS

* :file:`/etc/apache2/sites-available/default-ssl`

  HTTPS virtualhost configuration; /cgi-bin/ is aliased to /usr/lib/cgi-bin/,
  which contains a symbolic link to the OTRS CGIs

OTRS configuration
------------------

* :file:`/etc/otrs/`

  OTRS configuration

* :file:`/etc/otrs/database.pm`

  OTRS's database configuration


.. _postfix_configuration:

Postfix configuration
---------------------

* :file:`/etc/postfix`

  Postfix configuration

* :file:`/etc/postfix/sender_relay`

  Defines the list of sender addresses that are relayed via :doc:`email`

* :file:`/etc/postfix/sender_rewrite`

  Configures rewriting of all but a short list of addresses to
  returns@cacert.org

Tasks
=====

Planned
-------

Ideas
-----

* The system should be upgraded to a newer Debian release.

* Deployment

  * implement access for other teams

* OTRS

  * change to CAcert corporate design (low priority)
  * should be updated to a newer release that is supported by upstream

* Monitoring

  * create a list of services to monitor

* Configuration management

  * Implement :wiki:`SystemAdministration/Procedures/OperatingSystemPatches`,
    see also
    https://lists.cacert.org/wws/arc/cacert-sysadm/2009-08/msg00007.html

* X.509 Authentication

* Use centralised logging


Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

Creating new OTRS user accounts
-------------------------------

* Go to Admin -> Users -> Add
* Fill out user details

  * Use a securely random generated password (min. 12 chars, a mix of capital
    and non-capital letters, numbers and special chars), send it to the user
    via encrypted mail (also include the URL of the issue tracking system, the
    username and some initial instructions or a link to documentation if
    available)
  * Use CAcert email addresses only

* Set the preferences for the user. Good standards are:

  * Show tickets: 25
  * New ticket notification: Yes (or No for high volume queues having agents
    regularly looking at
  * Follow up notification: Yes
  * Ticket lock timeout notification: Yes
  * Move notification: Yes (or No if the queues for the user get many new
    tickets)
  * Spelling Dictionary: English

* Submit
* Do NOT set any groups for the user.
* Go to Admin -> Users -> Roles <-> Users
* Choose the newly created user
* Set the roles the user has
* Submit
* Now you are done :)
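
The password rule in the procedure above (at least 12 characters, capital and
non-capital letters, digits and special characters, generated randomly) is
easy to get wrong by hand. The following is an added example (not part of the
cacert-infradocs page) that generates an initial password from
``/dev/urandom`` and rejects anything that does not meet the rule; it assumes
POSIX sh with ``tr`` and ``head -c`` from coreutils, and the function names are
this example's own.

```shell
#!/bin/sh
# Added example, not from the cacert-infradocs page: generate and check an
# initial OTRS agent password according to the rule in the procedure above.
export LC_ALL=C   # keep the character ranges below ASCII regardless of locale

MIN_LEN=12

# password_ok PASSWORD -> 0 when PASSWORD has at least MIN_LEN characters and
# contains a capital letter, a non-capital letter, a digit and a special char
password_ok() {
    p=$1
    [ "${#p}" -ge "$MIN_LEN" ] || return 1
    case "$p" in *[A-Z]*) ;; *) return 1 ;; esac
    case "$p" in *[a-z]*) ;; *) return 1 ;; esac
    case "$p" in *[0-9]*) ;; *) return 1 ;; esac
    case "$p" in *[!A-Za-z0-9]*) ;; *) return 1 ;; esac
    return 0
}

# gen_password [LEN] -> a random password of LEN (default 16) characters drawn
# from the kernel CSPRNG; candidates that miss a character class are discarded
# and drawn again, so the result always satisfies password_ok. The special
# characters are limited to ones that survive copy-and-paste into mail.
gen_password() {
    len=${1:-16}
    [ "$len" -ge "$MIN_LEN" ] || len=$MIN_LEN
    while :; do
        p=$(tr -dc 'A-Za-z0-9!#%+,./:=?@_-' < /dev/urandom | head -c "$len")
        if password_ok "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
}

if [ $# -gt 0 ]; then
    gen_password "$1"
fi
```

``$RANDOM`` or ``date``-seeded generators are not a substitute for
``/dev/urandom`` here; the password is the user's only credential until they
log in and change it, and it travels through mail, so it must be unguessable
as well as well-formed.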


.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

* http://doc.otrs.com/doc/manual/admin/3.2/en/html/index.html