.. cacert-infradocs.git: docs/systems/issue.rst (commit 25300b60e45ffc5f0ac9dd59b70a35a0efc60236)

.. index::
   single: Systems; Issue

=====
Issue
=====

Purpose
=======

The purpose of the issue server is to serve the issue tracking system,
implemented with `OTRS <https://www.otrs.com/>`_ and used by :wiki:`Triage` and
:wiki:`Support` for handling requests sent to the support@cacert.org mail
address. Use by other teams, e.g. Arbitration (currently occasional) and
Organisation Assurance, is planned for the future.

Application Links
-----------------

OTRS URL
   https://issue.cacert.org/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_mario`
* Secondary: :ref:`people_neo`

Application Administration
--------------------------

+-------------+---------------------+
| Application | Administrator(s)    |
+=============+=====================+
| OTRS        | :ref:`people_mario` |
|             | :ref:`people_nick`  |
|             | :ref:`people_ian`   |
|             | :ref:`people_neo`   |
+-------------+---------------------+

Contact
-------

* issue-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.244`
:IP Intranet: :ip:v4:`172.16.2.28`
:IP Internal: :ip:v4:`10.0.0.28`
:MAC address: :mac:`00:ff:8c:94:e1:c8` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Issue

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
issue.cacert.org.       IN A     213.154.225.244
issue.intra.cacert.org. IN A     172.16.2.28
issue.cacert.org.       IN SSHFP 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB
issue.cacert.org.       IN SSHFP 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E
======================= ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

.. todo:: upgrade to Debian Jessie

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+----------+--------------------------------------------------+
| Port     | Service | Origin   | Purpose                                          |
+==========+=========+==========+==================================================+
| 22/tcp   | ssh     | ANY      | admin console access                             |
+----------+---------+----------+--------------------------------------------------+
| 25/tcp   | smtp    | localnet | local mail pickup in order to send out           |
|          |         |          | notifications via                                |
|          |         |          | :doc:`emailout`, incoming mail from :doc:`email` |
+----------+---------+----------+--------------------------------------------------+
| 80/tcp   | http    | ANY      | HTTP access to issue, redirects to HTTPS         |
+----------+---------+----------+--------------------------------------------------+
| 443/tcp  | https   | ANY      | HTTPS access to issue                            |
+----------+---------+----------+--------------------------------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service                        |
+----------+---------+----------+--------------------------------------------------+
| 3306/tcp | mysql   | local    | MySQL database for OTRS                          |
+----------+---------+----------+--------------------------------------------------+

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+-----------------------------------+----------------------------------------+
| Service            | Usage                             | Start mechanism                        |
+====================+===================================+========================================+
| openssh server     | ssh daemon for                    | init script :file:`/etc/init.d/ssh`    |
|                    | remote                            |                                        |
|                    | administration                    |                                        |
+--------------------+-----------------------------------+----------------------------------------+
| Apache httpd       | Webserver for OTRS                | init script                            |
|                    |                                   | :file:`/etc/init.d/apache2`            |
+--------------------+-----------------------------------+----------------------------------------+
| cron               | job scheduler                     | init script :file:`/etc/init.d/cron`   |
+--------------------+-----------------------------------+----------------------------------------+
| rsyslog            | syslog daemon                     | init script                            |
|                    |                                   | :file:`/etc/init.d/syslog`             |
+--------------------+-----------------------------------+----------------------------------------+
| MySQL              | MySQL database                    | init script                            |
|                    | server for OTRS                   | :file:`/etc/init.d/mysql`              |
+--------------------+-----------------------------------+----------------------------------------+
| Postfix            | SMTP server for                   | init script                            |
|                    | local mail                        | :file:`/etc/init.d/postfix`            |
|                    | submission and for receiving mail |                                        |
|                    | directed to OTRS addresses        |                                        |
+--------------------+-----------------------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring                 | init script                            |
|                    | service queried by                | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`                    |                                        |
+--------------------+-----------------------------------+----------------------------------------+

Databases
---------

+-------+------+-------------------+
| RDBMS | Name | Used for          |
+=======+======+===================+
| MySQL | otrs | database for OTRS |
+-------+------+-------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`email`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`email` as SMTP submission relay (587, tcp) for specific addresses (see
  :ref:`postfix_configuration` below)
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. add the MD5 fingerprints of the SSH host keys

.. sshkeys::
   :RSA: 61:32:04:12:e3:4f:0b:b7:14:2d:d1:8f:82:b2:c7:47
   :DSA: a8:57:20:2f:09:a2:f3:d6:24:7a:29:35:2f:28:5e:4e
   :ECDSA: f1:a9:da:27:1a:ef:a8:67:51:d1:b4:e2:b7:83:c8:82

.. todo:: setup ED25519 host key
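The SSHFP records in the DNS table above and the MD5 fingerprints listed here
describe the same host keys in two encodings, and a client connecting with
``ssh -o VerifyHostKeyDNS=yes`` relies on the zone being consistent with the
keys actually on disk. The following Python script is an added example, not
part of this page or of any CAcert tooling: it derives the SSHFP RDATA
(RFC 4255; SHA-256 fingerprint type 2 per RFC 6594) and the legacy MD5 colon
fingerprint from an OpenSSH public key line and reports which published
records match that key. The key line embedded in it is a constructed
placeholder, not the real issue.cacert.org host key; the published record
strings are the ones from the DNS table.

```python
"""Cross-check OpenSSH host keys against published SSHFP records.

Added example for this page (not CAcert or OpenSSH code). It turns a public
key line into its SSHFP RDATA and MD5 colon fingerprint, then reports which
of the published records belong to that key.
"""
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}
HASH_BY_FPTYPE = {"1": "sha1", "2": "sha256"}

# SSHFP RDATA as published for issue.cacert.org in the DNS table above.
PUBLISHED_SSHFP = [
    "2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB",
    "1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E",
]

# Constructed placeholder key (wire format of an ed25519 public key with a
# dummy 32-byte point); NOT the real issue.cacert.org host key.
SAMPLE_KEY = "ssh-ed25519 %s constructed-sample" % base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
).decode("ascii")


def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (type, raw key blob).

    Accepts both 'type base64 [comment]' (ssh_host_*_key.pub) and the
    'host type base64' form that ssh-keyscan prints.
    """
    parts = line.strip().split()
    if len(parts) >= 3 and parts[0] not in SSHFP_ALGORITHM and parts[1] in SSHFP_ALGORITHM:
        parts = parts[1:]  # ssh-keyscan output: drop the leading host name
    if len(parts) < 2 or parts[0] not in SSHFP_ALGORITHM:
        raise ValueError("not a supported OpenSSH public key line: %r" % line)
    return parts[0], base64.b64decode(parts[1])


def sshfp_rdata(line, fptype="sha1"):
    """Return the SSHFP RDATA 'algo fptype HEXDIGEST' for a key line."""
    keytype, blob = parse_pubkey_line(line)
    digest = hashlib.new(fptype, blob).hexdigest().upper()
    return "%d %d %s" % (SSHFP_ALGORITHM[keytype], SSHFP_FPTYPE[fptype], digest)


def md5_fingerprint(line):
    """Return the colon-separated MD5 fingerprint (old 'ssh-keygen -l' style)."""
    _, blob = parse_pubkey_line(line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matching_records(line, published):
    """Return the published RDATA strings that belong to the given key.

    Each record is recomputed with the fingerprint type it declares, so a
    zone mixing SHA-1 and SHA-256 records is handled; a record with an
    unknown fingerprint type is skipped rather than counted as a match.
    """
    matches = []
    for rdata in published:
        algo, fptype, digest = rdata.split()
        hashname = HASH_BY_FPTYPE.get(fptype)
        if hashname is None:
            continue
        expected_algo, _, expected_digest = sshfp_rdata(line, hashname).split()
        if expected_algo == algo and expected_digest == digest.upper():
            matches.append(rdata)
    return matches


if __name__ == "__main__":
    import sys

    # Pass public key files (or saved ssh-keyscan output) as arguments;
    # without arguments the constructed sample key is used.
    key_lines = [SAMPLE_KEY]
    if len(sys.argv) > 1:
        key_lines = []
        for path in sys.argv[1:]:
            with open(path) as fh:
                key_lines.extend(l for l in fh if l.strip() and not l.startswith("#"))
    for key in key_lines:
        print(md5_fingerprint(key), sshfp_rdata(key), sshfp_rdata(key, "sha256"))
        print("  published records matching:", matching_records(key, PUBLISHED_SSHFP) or "none")
```

Run it on the server as ``python3 sshfp_check.py /etc/ssh/ssh_host_*_key.pub``
and compare the first column with the ``sshkeys`` list and the second with the
DNS table. Two gaps are visible from the page itself: the zone publishes only
SHA-1 (type 1) fingerprints, and it has no record for the ECDSA key listed
above, although a current OpenSSH client normally prefers that key over RSA
and DSA, so ``VerifyHostKeyDNS`` finds nothing to compare against. Adding
``3 2`` records (and ``4 2`` once the ED25519 todo is done) closes both gaps.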

Non-distribution packages and modifications
-------------------------------------------

:program:`OTRS` is installed from Debian packages but has been patched. The
OTRS packages must not be updated from Debian packages without reapplying the
patch.

:file:`/usr/share/otrs/Kernel/Output/HTML/Layout.pm`

.. literalinclude:: ../patches/otrs/Layout.pm.patch
   :language: diff

Risk assessments on critical packages
-------------------------------------

Patching OTRS carries the risk of delayed security updates: the package is set
on hold via :command:`echo otrs hold | dpkg --set-selections` and must be
updated explicitly, with the patch reapplied afterwards. OTRS 3.1 is no longer
supported by upstream, so no upstream security fixes can be expected for it.

The Apache httpd in use has a good security track record. OTRS is integrated
into Apache httpd via mod_perl2.
234
235 Critical Configuration items
236 ============================
237
238 Keys and X.509 certificates
239 ---------------------------
240
241 The following certificate and its corresponding private key is used by Apache
242 httpd and Postfix:

.. sslcert:: issue.cacert.org
   :altnames: DNS:issue.cacert.org
   :certfile: /etc/ssl/certs/issue.cacert.org.pem
   :keyfile: /etc/ssl/private/issue.cacert.org.key
   :serial: 11E87C
   :expiration: Mar 31 20:51:43 18 GMT
   :sha1fp: 03:78:A8:C2:2C:53:00:29:41:A2:94:34:3D:3B:53:F2:43:2E:1E:03
   :issuer: CA Cert Signing Authority

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/default`

  HTTP virtualhost configuration that redirects to HTTPS

* :file:`/etc/apache2/sites-available/default-ssl`

  HTTPS virtualhost configuration, /cgi-bin/ is aliased to /usr/lib/cgi-bin/
  which contains a symbolic link to the OTRS CGIs

OTRS configuration
------------------

* :file:`/etc/otrs/`

  OTRS configuration

* :file:`/etc/otrs/database.pm`

  OTRS's database configuration


.. _postfix_configuration:

Postfix configuration
---------------------

* :file:`/etc/postfix`

  Postfix configuration

* :file:`/etc/postfix/sender_relay`

  Defines a list of sender addresses that are relayed via :doc:`email`

* :file:`/etc/postfix/sender_rewrite`

  Configures rewriting of all but a short list of addresses to
  returns@cacert.org

Tasks
=====

Planned
-------

Ideas
-----

* The system should be upgraded to a newer Debian release.

* Deployment

  * implement access for other teams

* OTRS

  * change to CAcert corporate design (low priority)
  * should be updated to a newer release that is supported by upstream

* Monitoring

  * create a list of services to monitor

* Configuration management

  * Implement :wiki:`SystemAdministration/Procedures/OperatingSystemPatches`,
    see also
    https://lists.cacert.org/wws/arc/cacert-sysadm/2009-08/msg00007.html

* X.509 Authentication

* Use centralised logging


Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

Creating new OTRS user accounts
-------------------------------

* Go to Admin -> Users -> Add
* Fill out user details

  * Use a securely generated random password (min. 12 characters, a mix of
    upper- and lower-case letters, numbers and special characters) and send
    it to the user via encrypted mail (also include the URL of the issue
    tracking system, the username and some initial instructions or a link to
    documentation if available)
  * Use CAcert email addresses only

* Set the preferences for the user. Good standards are:

  * Show tickets: 25
  * New ticket notification: Yes (or No for high volume queues having agents
    regularly looking at
  * Follow up notification: Yes
  * Ticket lock timeout notification: Yes
  * Move notification: Yes (or No if the queues for the user get many new
    tickets)
  * Spelling Dictionary: English

* Submit
* Do NOT set any groups for the user.
* Go to Admin -> Users -> Roles <-> Users
* Choose the newly created user
* Set the roles the user has
* Submit
* Now you are done :)
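The one step of this procedure that is easy to get subtly wrong is the initial
password: a hand-typed or ``$RANDOM``-based string does not meet the "securely
random" requirement, and a random draw can miss one of the required character
classes. The following Python script is an added example, not part of this
page, of OTRS or of any CAcert tooling: it implements the rule stated above
(at least 12 characters, upper- and lower-case letters, digits and special
characters) on top of the operating system CSPRNG via the ``secrets`` module.
The concrete set of special characters is an assumption, since the page does
not define one.

```python
"""Initial agent passwords for new OTRS accounts.

Added example for this page (not OTRS code or CAcert tooling). It applies the
rule from the procedure above: at least 12 characters drawn from upper- and
lower-case letters, digits and special characters, generated from the
operating system CSPRNG via the ``secrets`` module.
"""
import secrets
import string

MIN_LENGTH = 12
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumption: the page does not define "special chars"; this set leaves out
# quotes, backslash, backtick and space, which are easy to mangle when the
# password is pasted into a mail client or a shell.
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)


def missing_classes(password):
    """Return the character classes the password lacks (empty if none)."""
    return [cls for cls in CLASSES if not any(c in cls for c in password)]


def is_compliant(password):
    """True if the password satisfies the length and character class rule."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def generate_password(length=16):
    """Draw uniformly from ALPHABET and reject draws that miss a class.

    Rejection sampling, rather than forcing one character of each class into
    fixed positions, keeps every compliant password equally likely; a
    16-character draw misses a class only rarely, so the loop is short.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_compliant(candidate):
            return candidate


if __name__ == "__main__":
    # Print one password for the new agent; send it over encrypted mail as
    # the procedure requires, never in the clear.
    print(generate_password())
```

``missing_classes`` is exposed separately so the same script can check a
password proposed by someone else before it is accepted, and the generator
refuses lengths below the documented minimum instead of silently producing a
shorter password.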


.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

* http://doc.otrs.com/doc/manual/admin/3.2/en/html/index.html