Improve system documentation
[cacert-infradocs.git] / docs / systems / issue.rst
.. index::
   single: Systems; Issue

=====
Issue
=====

Purpose
=======

The purpose of the issue server is to serve the issue tracking system,
implemented with `OTRS <https://www.otrs.com/>`_, used by :wiki:`Triage` and
:wiki:`Support` for handling requests sent to the support@cacert.org mail
address. Use by other teams, e.g. Arbitration (currently occasional) and
Organisation Assurance, is planned for the future.

Application Links
-----------------

OTRS URL
   https://issue.cacert.org/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_mario`
* Secondary: :ref:`people_neo`

Application Administration
--------------------------

+-------------+----------------------+
| Application | Administrator(s)     |
+=============+======================+
| OTRS        | :ref:`people_mario`, |
|             | :ref:`people_nick`,  |
|             | :ref:`people_ian`,   |
|             | :ref:`people_neo`    |
+-------------+----------------------+

Contact
-------

* issue-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd` and :ref:`people_dirk` have :program:`sudo` access on that
machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.244`
:IP Intranet: :ip:v4:`172.16.2.28`
:IP Internal: :ip:v4:`10.0.0.28`
:MAC address: :mac:`00:ff:8c:94:e1:c8` (eth0)

.. seealso::

   See :doc:`../network`

.. index::
   single: Monitoring; Issue

Monitoring
----------

:internal checks: :monitor:`issue.infra.cacert.org`

DNS
---

.. index::
   single: DNS records; Issue

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
issue.cacert.org.       IN A     213.154.225.244
issue.intra.cacert.org. IN A     172.16.2.28
issue.cacert.org.       IN SSHFP 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB
issue.cacert.org.       IN SSHFP 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E
======================= ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

.. todo:: upgrade to Debian Jessie

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+----------+--------------------------------------------------+
| Port     | Service | Origin   | Purpose                                          |
+==========+=========+==========+==================================================+
| 22/tcp   | ssh     | ANY      | admin console access                             |
+----------+---------+----------+--------------------------------------------------+
| 25/tcp   | smtp    | localnet | local mail pickup in order to send out           |
|          |         |          | notifications via                                |
|          |         |          | :doc:`emailout`, incoming mail from :doc:`email` |
+----------+---------+----------+--------------------------------------------------+
| 80/tcp   | http    | ANY      | HTTP access to issue, redirects to HTTPS         |
+----------+---------+----------+--------------------------------------------------+
| 443/tcp  | https   | ANY      | HTTPS access to issue                            |
+----------+---------+----------+--------------------------------------------------+
| 5666/tcp | nrpe    | monitor  | remote monitoring service                        |
+----------+---------+----------+--------------------------------------------------+
| 3306/tcp | mysql   | local    | MySQL database for OTRS                          |
+----------+---------+----------+--------------------------------------------------+
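The table above is only useful if it is checked against what the host actually
exposes. The following Python script is an added example, not part of this
documentation or of OTRS: it parses ``ss -ltn`` output, reports ports that are
listening but undocumented, documented ports with no listener, and services
whose documented origin is ``local`` but that are bound to a non-loopback
address. The ``ss`` output embedded below is constructed sample data, not a
capture from issue.cacert.org; it deliberately contains one undocumented
listener, one missing listener and a wrongly bound MySQL so that every finding
type shows up.

```python
# Documented listening services from the table above: port -> (service, origin).
DOCUMENTED_LISTENERS = {
    22: ("ssh", "ANY"),
    25: ("smtp", "localnet"),
    80: ("http", "ANY"),
    443: ("https", "ANY"),
    5666: ("nrpe", "monitor"),
    3306: ("mysql", "local"),
}

# Addresses that count as "local" in the sense of the table's Origin column.
LOOPBACK_ADDRESSES = {"127.0.0.1", "[::1]"}

# Constructed sample of `ss -ltn` output (not a capture from the real host).
# The header line is kept to show that the parser skips it.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      50     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (address, port) pairs from `ss -ltn` style lines.

    The local address is the fourth whitespace-separated field; IPv6
    addresses are bracketed by ss, so splitting on the last colon is safe.
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((address, int(port)))
    return listeners


def audit_listeners(ss_output, documented=DOCUMENTED_LISTENERS):
    """Compare actual listeners with the documented table.

    Returns a dict with three sorted port lists:
      undocumented       listening but absent from the table
      not_listening      documented but no listener found
      local_but_exposed  documented with origin 'local' but bound to a
                         non-loopback address
    """
    listeners = parse_listeners(ss_output)
    seen = {port for _, port in listeners}
    local_ports = {p for p, (_, origin) in documented.items() if origin == "local"}
    return {
        "undocumented": sorted(seen - set(documented)),
        "not_listening": sorted(set(documented) - seen),
        "local_but_exposed": sorted({
            port for address, port in listeners
            if port in local_ports and address not in LOOPBACK_ADDRESSES
        }),
    }


if __name__ == "__main__":
    for finding, ports in audit_listeners(SAMPLE_SS_OUTPUT).items():
        print("%-18s %s" % (finding, ports))
```

On the real host the sample would be replaced by the output of ``ss -ltn``
(or ``netstat -ltn`` on Wheezy, whose column order is different); any
non-empty list is worth a look, and ``local_but_exposed`` for the MySQL port
is the one that matters most since the database is documented as local only.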

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+-----------------------------------+----------------------------------------+
| Service            | Usage                             | Start mechanism                        |
+====================+===================================+========================================+
| openssh server     | ssh daemon for                    | init script :file:`/etc/init.d/ssh`    |
|                    | remote                            |                                        |
|                    | administration                    |                                        |
+--------------------+-----------------------------------+----------------------------------------+
| Apache httpd       | Webserver for OTRS                | init script                            |
|                    |                                   | :file:`/etc/init.d/apache2`            |
+--------------------+-----------------------------------+----------------------------------------+
| cron               | job scheduler                     | init script :file:`/etc/init.d/cron`   |
+--------------------+-----------------------------------+----------------------------------------+
| rsyslog            | syslog daemon                     | init script                            |
|                    |                                   | :file:`/etc/init.d/syslog`             |
+--------------------+-----------------------------------+----------------------------------------+
| MySQL              | MySQL database                    | init script                            |
|                    | server for OTRS                   | :file:`/etc/init.d/mysql`              |
+--------------------+-----------------------------------+----------------------------------------+
| Postfix            | SMTP server for                   | init script                            |
|                    | local mail                        | :file:`/etc/init.d/postfix`            |
|                    | submission and for receiving mail |                                        |
|                    | directed to OTRS addresses        |                                        |
+--------------------+-----------------------------------+----------------------------------------+
| Puppet agent       | configuration management agent    | init script :file:`/etc/init.d/puppet` |
+--------------------+-----------------------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring                 | init script                            |
|                    | service queried by                | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`                    |                                        |
+--------------------+-----------------------------------+----------------------------------------+

Databases
---------

+-------+------+-------------------+
| RDBMS | Name | Used for          |
+=======+======+===================+
| MySQL | otrs | database for OTRS |
+-------+------+-------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`email`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`email` as SMTP submission relay (587, tcp) for specific addresses (see
  :ref:`postfix_configuration` below)
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT
* crl.cacert.org (rsync) for getting CRLs

Security
========

.. add the MD5 fingerprints of the SSH host keys

.. sshkeys::
   :RSA: 61:32:04:12:e3:4f:0b:b7:14:2d:d1:8f:82:b2:c7:47
   :DSA: a8:57:20:2f:09:a2:f3:d6:24:7a:29:35:2f:28:5e:4e
   :ECDSA: f1:a9:da:27:1a:ef:a8:67:51:d1:b4:e2:b7:83:c8:82

.. todo:: setup ED25519 host key
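The SSHFP records in the DNS section and the MD5 fingerprints above are
different digests of the same host public key blobs: an SSHFP record with
fingerprint type 1 carries the SHA-1 of the base64-decoded key (type 2 would be
SHA-256), while the colon-separated MD5 form is what ``ssh-keygen -l`` printed
before OpenSSH 6.8 (``ssh-keygen -l -E md5`` on newer versions). The following
Python code is an added example, not part of this documentation: it computes
both forms from an OpenSSH public key line and checks a key against published
SSHFP RDATA, which is the check a client performs with ``VerifyHostKeyDNS``.
The ed25519 key it builds is constructed from fixed bytes and is not the
issue.cacert.org host key; the algorithm numbers are those assigned in
RFC 4255, RFC 6594 and RFC 7479.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479), keyed by the key
# type name used on OpenSSH public key lines.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

# SSHFP fingerprint types: 1 = SHA-1 (as in the DNS table), 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}

# SSHFP RDATA published for issue.cacert.org (copied from the DNS table),
# as a resolver would hand it back.
PUBLISHED_SSHFP = [
    "2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB",
    "1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E",
]


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey_line():
    """Return a syntactically valid ssh-ed25519 public key line built from
    fixed bytes. Constructed for this example; it is not a real host key."""
    raw = bytes(range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return "ssh-ed25519 %s constructed@example" % base64.b64encode(blob).decode("ascii")


def parse_pubkey_line(line):
    """Split an OpenSSH public key line into (key_type, wire_blob).

    The blob itself starts with the key type string; a line whose textual
    type disagrees with the encoded one is rejected rather than trusted.
    """
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match line")
    return key_type, blob


def sshfp_rdata(line, fptype=1):
    """Compute SSHFP RDATA ('<algorithm> <fptype> <HEX>') for a key line."""
    key_type, blob = parse_pubkey_line(line)
    digest = SSHFP_HASH[fptype](blob).hexdigest().upper()
    return "%d %d %s" % (SSHFP_ALGORITHM[key_type], fptype, digest)


def md5_fingerprint(line):
    """Legacy colon-separated MD5 fingerprint (old ssh-keygen -l format)."""
    _, blob = parse_pubkey_line(line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matches_sshfp(line, published_rdata):
    """True if the key matches any published SSHFP RDATA string. Records for
    other algorithms or unknown fingerprint types are skipped, not treated
    as a match."""
    key_type, blob = parse_pubkey_line(line)
    algorithm = SSHFP_ALGORITHM[key_type]
    for rdata in published_rdata:
        alg, fptype, fp_hex = rdata.split()
        if int(alg) != algorithm or int(fptype) not in SSHFP_HASH:
            continue
        if SSHFP_HASH[int(fptype)](blob).hexdigest().upper() == fp_hex.upper():
            return True
    return False


if __name__ == "__main__":
    key_line = constructed_ed25519_pubkey_line()
    print(sshfp_rdata(key_line, 1))
    print(sshfp_rdata(key_line, 2))
    print(md5_fingerprint(key_line))
    print(matches_sshfp(key_line, PUBLISHED_SSHFP))
```

Feeding the real ``/etc/ssh/ssh_host_*_key.pub`` lines to ``sshfp_rdata`` gives
the records to publish; once the ED25519 host key from the todo above exists,
its record uses algorithm number 4 and the DNS table needs a new row before
clients with ``VerifyHostKeyDNS`` can use it.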

Non-distribution packages and modifications
-------------------------------------------

:program:`OTRS` is installed from Debian packages but has been patched. The
OTRS packages must not be updated from Debian packages without reapplying the
patch.

:file:`/usr/share/otrs/Kernel/Output/HTML/Layout.pm`

.. literalinclude:: ../patches/otrs/Layout.pm.patch
   :language: diff

Risk assessments on critical packages
-------------------------------------

Patching OTRS carries the risk of delayed security updates. The package is
set on hold via :command:`echo otrs hold | dpkg --set-selections` and must be
updated explicitly. OTRS 3.1 is no longer supported by upstream.

The Apache httpd in use has a good reputation. OTRS is integrated into Apache
httpd via mod_perl2.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

The following certificate and its corresponding private key are used by Apache
httpd and Postfix:

.. sslcert:: issue.cacert.org
   :altnames: DNS:issue.cacert.org
   :certfile: /etc/ssl/certs/issue.cacert.org.pem
   :keyfile: /etc/ssl/private/issue.cacert.org.key
   :serial: 1381E9
   :expiration: Mar 16 09:54:12 2020 GMT
   :sha1fp: 90:67:C0:57:17:BD:98:66:B1:E2:62:A6:11:59:E4:C3:3E:E3:C0:E4
   :issuer: CA Cert Signing Authority

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/default`

  HTTP virtualhost configuration that redirects to HTTPS

* :file:`/etc/apache2/sites-available/default-ssl`

  HTTPS virtualhost configuration, /cgi-bin/ is aliased to /usr/lib/cgi-bin/
  which contains a symbolic link to the OTRS CGIs

OTRS configuration
------------------

* :file:`/etc/otrs/`

  OTRS configuration

* :file:`/etc/otrs/database.pm`

  OTRS's database configuration


.. _postfix_configuration:

Postfix configuration
---------------------

* :file:`/etc/postfix`

  Postfix configuration

* :file:`/etc/postfix/sender_relay`

  Defines a list of sender addresses that are relayed via :doc:`email`

* :file:`/etc/postfix/sender_rewrite`

  Configures rewriting of all but a short list of addresses to
  returns@cacert.org

Tasks
=====

Creating new OTRS user accounts
-------------------------------

* Go to Admin -> Users -> Add
* Fill out user details

  * Use a securely generated random password (min. 12 chars, a mix of capital
    and non-capital letters, numbers and special chars), send it to the user
    via encrypted mail (also include the URL of the issue tracking system, the
    username and some initial instructions or a link to documentation if
    available)
  * Use CAcert email addresses only

* Set the preferences for the user. Good standards are:

  * Show tickets: 25
  * New ticket notification: Yes (or No for high volume queues having agents
    regularly looking at
  * Follow up notification: Yes
  * Ticket lock timeout notification: Yes
  * Move notification: Yes (or No if the queues for the user get many new
    tickets)
  * Spelling Dictionary: English

* Submit
* Do NOT set any groups for the user.
* Go to Admin -> Users -> Roles <-> Users
* Choose the newly created user
* Set the roles the user has
* Submit
* Now you are done :)
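One way to produce the initial password required in the steps above (at least
12 characters, with capital and non-capital letters, digits and special
characters), as an added Python example rather than anything OTRS or this
documentation provides. The special-character set is an assumption chosen to
avoid quotes, backslashes and whitespace so the password survives copy and
paste from an encrypted mail into the login form.

```python
import secrets
import string

MIN_LENGTH = 12
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumed special-character set: printable, without quotes, backslash or
# whitespace, so the password survives mail clients and shell quoting.
SPECIAL = "!#$%&*+-=?@^_~"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def meets_policy(password):
    """Check the policy from the steps above: at least MIN_LENGTH characters
    and at least one upper-case letter, lower-case letter, digit and special
    character. Characters outside ALPHABET are rejected."""
    if len(password) < MIN_LENGTH or any(c not in ALPHABET for c in password):
        return False
    return all(any(c in cls for c in password) for cls in (UPPER, LOWER, DIGITS, SPECIAL))


def generate_password(length=16):
    """Draw characters from the OS CSPRNG via `secrets` and retry until the
    candidate satisfies the policy. Rejection sampling keeps the result
    uniformly distributed over policy-compliant passwords, which forcing one
    character of each class into fixed positions would not."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print(generate_password())
```

With a 76-character alphabet a 16-character password carries roughly 100 bits
of entropy, comfortably above what the 12-character minimum gives; the loop
almost always returns on the first or second draw because a random
16-character string rarely misses a whole character class.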

Changes
=======

Planned
-------

Ideas
-----

* The system should be upgraded to a newer Debian release.

* Deployment

  * implement access for other teams

* OTRS

  * change to CAcert corporate design (low priority)
  * should be updated to a newer release that is supported by upstream

* Monitoring

  * create a list of services to monitor

* Configuration management

  * Implement :wiki:`SystemAdministration/Procedures/OperatingSystemPatches`,
    see also
    https://lists.cacert.org/wws/arc/cacert-sysadm/2009-08/msg00007.html

* X.509 Authentication

* Use centralised logging

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

* http://doc.otrs.com/doc/manual/admin/3.2/en/html/index.html