Add documentation for translations.cacert.org
author Jan Dittberner <jandd@cacert.org>
Fri, 23 Feb 2018 19:30:57 +0000 (20:30 +0100)
committer Jan Dittberner <jandd@cacert.org>
Fri, 23 Feb 2018 19:30:57 +0000 (20:30 +0100)
Information has been gathered from the system, DNS and memories about
the installation of Pootle. The system has been set up to utilize Puppet
and use proxyout for APT. The system has been upgraded to Debian
Stretch.

docs/systems.rst
docs/systems/proxyout.rst
docs/systems/puppet.rst
docs/systems/translations.rst [new file with mode: 0644]

index eaedc8c..ad89d78 100644 (file)
@@ -26,6 +26,7 @@ administrator team.
    systems/proxyin
    systems/proxyout
    systems/svn
+   systems/translations
    systems/web
    systems/webmail
    systems/webstatic
index 92afc8f..38835f9 100644 (file)
@@ -164,6 +164,7 @@ Connected Systems
 * :doc:`proxyin`
 * :doc:`puppet`
 * :doc:`svn`
+* :doc:`translations`
 * :doc:`web`
 * :doc:`webstatic`
 
index eb2ff6d..fbeff7c 100644 (file)
@@ -183,6 +183,7 @@ Connected Systems
 * :doc:`proxyin`
 * :doc:`proxyout`
 * :doc:`svn`
+* :doc:`translations`
 
 Outbound network connections
 ----------------------------
diff --git a/docs/systems/translations.rst b/docs/systems/translations.rst
new file mode 100644 (file)
index 0000000..d8834a8
--- /dev/null
@@ -0,0 +1,357 @@
+.. index::
+   single: Systems; Translations
+
+============
+Translations
+============
+
+Purpose
+=======
+
+This system runs a `Pootle`_ translation server.
+
+.. _Pootle: http://pootle.translatehouse.org/
+
+
+Application Links
+-----------------
+
+Pootle web interface
+     https://translations.cacert.org/
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: None
+
+.. todo:: find an additional admin
+
+Application Administration
+--------------------------
+
++-------------+---------------------+
+| Application | Administrator(s)    |
++=============+=====================+
+| Pootle      | :ref:`people_jandd` |
++-------------+---------------------+
+
+Contact
+-------
+
+* translations-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.240`
+:IP Intranet: :ip:v4:`172.16.2.31`
+:IP Internal: :ip:v4:`10.0.0.31`
+:MAC address: :mac:`00:ff:6c:7d:5b:c5` (eth0)
+
+.. seealso::
+
+   See :doc:`../network`
+
+DNS
+---
+
+.. index::
+   single: DNS records; Translations
+
+============================== ======== ==========================================
+Name                           Type     Content
+============================== ======== ==========================================
+translations.cacert.org.       IN A     213.154.225.240
+translations.cacert.org.       IN SSHFP 1 1 1128972FB54F927477A781718E2F9C114E9CA383
+translations.cacert.org.       IN SSHFP 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
+translations.intra.cacert.org. IN A     172.16.2.31
+============================== ======== ==========================================
+
+.. seealso::
+
+   See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+   single: Debian GNU/Linux; Stretch
+   single: Debian GNU/Linux; 9.3
+
+* Debian GNU/Linux 9.3
+
+Applicable Documentation
+------------------------
+
+This is it :-)
+
+Services
+========
+
+Listening services
+------------------
+
++----------+---------+---------+----------------------------+
+| Port     | Service | Origin  | Purpose                    |
++==========+=========+=========+============================+
+| 22/tcp   | ssh     | ANY     | admin console access       |
++----------+---------+---------+----------------------------+
+| 25/tcp   | smtp    | local   | mail delivery to local MTA |
++----------+---------+---------+----------------------------+
+| 80/tcp   | http    | ANY     | redirect to https          |
++----------+---------+---------+----------------------------+
+| 443/tcp  | https   | ANY     | application                |
++----------+---------+---------+----------------------------+
+| 3306/tcp | mysql   | local   | MySQL database for Pootle  |
++----------+---------+---------+----------------------------+
+| 5666/tcp | nrpe    | monitor | remote monitoring service  |
++----------+---------+---------+----------------------------+
+| 6379/tcp | redis   | local   | Redis in memory cache      |
++----------+---------+---------+----------------------------+
+
+Running services
+----------------
+
+.. index::
+   single: Apache
+   single: MariaDB
+   single: Postfix
+   single: Redis
+   single: cron
+   single: nrpe
+   single: openssh
+   single: rsyslog
+   single: supervisord
+
++--------------------+------------------------------+-----------------------------------------------------+
+| Service            | Usage                        | Start mechanism                                     |
++====================+==============================+=====================================================+
+| openssh server     | ssh daemon for               | init script :file:`/etc/init.d/ssh`                 |
+|                    | remote                       |                                                     |
+|                    | administration               |                                                     |
++--------------------+------------------------------+-----------------------------------------------------+
+| Apache httpd       | Webserver for                | init script                                         |
+|                    | Pootle                       | :file:`/etc/init.d/apache2`                         |
++--------------------+------------------------------+-----------------------------------------------------+
+| cron               | job scheduler                | init script :file:`/etc/init.d/cron`                |
++--------------------+------------------------------+-----------------------------------------------------+
+| rsyslog            | syslog daemon                | init script                                         |
+|                    |                              | :file:`/etc/init.d/syslog`                          |
++--------------------+------------------------------+-----------------------------------------------------+
+| MySQL              | MySQL database               | init script                                         |
+|                    | server for Pootle            | :file:`/etc/init.d/mysql`                           |
++--------------------+------------------------------+-----------------------------------------------------+
+| Postfix            | SMTP server for              | init script                                         |
+|                    | local mail                   | :file:`/etc/init.d/postfix`                         |
+|                    | submission                   |                                                     |
++--------------------+------------------------------+-----------------------------------------------------+
+| Nagios NRPE server | remote monitoring            | init script                                         |
+|                    | service queried by           | :file:`/etc/init.d/nagios-nrpe-server`              |
+|                    | :doc:`monitor`               |                                                     |
++--------------------+------------------------------+-----------------------------------------------------+
+| Redis              | Job queue for Pootle         | init script :file:`/etc/init.d/redis-server`        |
++--------------------+------------------------------+-----------------------------------------------------+
+| Supervisord        | Supervisor for background    | init script :file:`/etc/init.d/supervisor`          |
+|                    | tasks                        |                                                     |
++--------------------+------------------------------+-----------------------------------------------------+
+| Pootle rqworker    | Worker for Pootle background | supervisor task in                                  |
+|                    | tasks                        | :file:`/etc/supervisor/conf.d/pootle-rqworker.conf` |
++--------------------+------------------------------+-----------------------------------------------------+
+
+Databases
+---------
+
++-------+--------+----------+
+| RDBMS | Name   | Used for |
++=======+========+==========+
+| MySQL | pootle | Pootle   |
++-------+--------+----------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`proxyout` as HTTP proxy for APT
+* arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching Pootle
+  dependencies (via ``&CONTAINER_OUT_ELEVATED("translations");`` in
+  :file:`/etc/ferm/ferm.d/translations.conf` on :doc:`infra02`).
+
+Security
+========
+
+.. sshkeys::
+   :RSA:     SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0 MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
+   :DSA:     SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
+   :ECDSA:   SHA256:RB1262UQIqjFgQxpRsvexHUE6XrWabBz7J1uJ3kafE0 MD5:0a:39:d9:22:39:3a:48:5d:fb:a3:27:15:d9:30:a8:64
+   :ED25519: SHA256:b+MzS1Hmj59lCwDRP1BDBgKbcadsWv9Uhz1ysk7RndU MD5:ca:a6:93:70:8c:38:23:26:16:68:5b:87:16:ee:70:17
+
+Dedicated user roles
+--------------------
+
++-------------+-----------------------------+
+| Group       | Purpose                     |
++=============+=============================+
+| <groupname> | <short purpose description> |
++-------------+-----------------------------+
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+Pootle is a Python/Django application that has been installed in a Python
+virtualenv. Pootle and all its dependencies have been installed using:
+
+   .. code-block:: bash
+
+      cd /var/www/pootle
+      virtualenv pootle-2.8.2
+      ln -s pootle-2.8.2 current
+      chown -R pootle.www-data pootle-2.8.2
+      sudo -s -u pootle
+      . pootle-2.8.2/bin/activate
+      pip install --process-dependency-links Pootle[mysql]
+      pootle migrate
+
+Pootle is installed in a versioned directory. The used version is a symlink in
+:file:`/var/www/pootle/current`. The rationale is to avoid changes to many
+different configuration files when updating to a newer Pootle version.
+
+The installation needs an installed :program:`gcc` and a few library development
+packages.
+
+.. todo::
+
+   consider building the virtualenv on :doc:`jenkins` to avoid development tools
+   on this system
+
+Risk assessments on critical packages
+-------------------------------------
+
+System access is limited to http/https via Apache httpd which is restricted to
+a minimal set of modules.
+
+Pootle is based on Django 1.10 and should be updated to a newer version when it
+becomes available. Pootle is run as a dedicated system user `pootle` that is
+restricted via filesystem permissions.
+
+Critical Configuration items
+============================
+
+The system configuration is managed via Puppet profiles. There should be no
+configuration items outside of the Puppet repository.
+
+.. todo:: move configuration of :doc:`translations` to Puppet code
+
+Keys and X.509 certificates
+---------------------------
+
+.. sslcert:: translations.cacert.org
+   :altnames:   DNS:l10n.cacert.org, DNS:translations.cacert.org
+   :certfile:   /etc/ssl/public/translations.c.o.chain.crt
+   :keyfile:    /etc/ssl/private/translations.c.o.key
+   :serial:     11E887
+   :expiration: Mar 31 21:26:56 18 GMT
+   :sha1fp:     44:44:42:E5:4F:A9:29:94:18:71:BC:C9:7C:06:3C:EA:01:7E:75:DB
+   :issuer:     CA Cert Signing Authority
+
+.. seealso::
+
+   * :wiki:`SystemAdministration/CertificateList`
+
+Apache configuration
+--------------------
+
+The main configuration files for Apache httpd are:
+
+* :file:`/etc/apache2/sites-available/pootle-nossl.conf`
+
+  defines the HTTP VirtualHost that redirects all requests to
+  https://translations.cacert.org/
+
+* :file:`/etc/apache2/sites-available/pootle-ssl.conf`
+
+  defines the HTTPS VirtualHost for Pootle including the TLS and WSGI setup
+
+Pootle configuration
+--------------------
+
+The main Pootle configuration file is
+:file:`/var/www/pootle/current/pootle.conf`. The file defines the database
+and CAcert specific settings.
+
+Pootle runs some background jobs that are queued via redis and run from a
+worker process. The worker process lifecycle is managed via
+:program:`supervisord`. The supervisor configuration for this worker is in
+:file:`/etc/supervisor/conf.d/pootle-rqworker.conf`.
+
+The WSGI_ runner for Pootle is contained in :file:`/var/www/pootle/wsgi.py`
+it references the symlinked Pootle instance directory
+:file:`/var/www/pootle/current` and should not need changes when a new
+Pootle version is installed.
+
+.. _WSGI: https://en.wikipedia.org/wiki/Web_Server_Gateway_Interface
+
+Tasks
+=====
+
+Planned
+-------
+
+* None
+
+Changes
+=======
+
+System Future
+-------------
+
+* keep Pootle up to date
+
+Additional documentation
+========================
+
+.. todo:: review/update documentation from :wiki:`SystemAdministration/Systems/Translations`
+
+.. seealso::
+
+   * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+Apache httpd documentation
+   http://httpd.apache.org/docs/2.4/
+MariaDB knowledge base
+   https://mariadb.com/kb/en/
+mod_wsgi documentation
+   https://modwsgi.readthedocs.io/en/develop/
+Pootle documentation
+   http://docs.translatehouse.org/projects/pootle/en/stable-2.8.x/
+Redis documentation
+   https://redis.io/documentation
+Supervisord documentation
+   http://supervisord.org/
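Review bot: the SSHFP records in the DNS table only cover the RSA and DSA host keys, and only with SHA-1 fingerprints (`IN SSHFP 1 1 ...` and `IN SSHFP 2 1 ...`), while the `.. sshkeys::` block also documents ECDSA and ED25519 keys; consider adding SSHFP records for those two (algorithms 3 and 4) with SHA-256 fingerprints (type 2) so that clients using `VerifyHostKeyDNS` can validate the modern keys, or note why only the legacy records are published. A few smaller points in the same file: the "Dedicated user roles" table still contains the template placeholders `<groupname>` / `<short purpose description>` although the text later names the dedicated system user `pootle`, so fill that row in or drop the table; "Connected Systems" lists only :doc:`monitor`, whereas :doc:`puppet`, :doc:`proxyout` and :doc:`emailout` appear under "Outbound network connections" and the proxyout.rst and puppet.rst hunks in this commit now list translations as a connected system, so the section should be made reciprocal; the certificate `:expiration: Mar 31 21:26:56 18 GMT` looks like a truncated year and, if it means 2018, the certificate expires about five weeks after this commit, which is worth a task under "Planned"; the `.. code-block:: bash` directive is indented under the preceding paragraph, which Sphinx renders as a block quote around the code, so it should start at column 0 like the other directives; and the rsyslog row points at `/etc/init.d/syslog`, which does not match the init script name the Debian rsyslog package installs (`/etc/init.d/rsyslog`), so please verify it on the host.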