Issue¶
Purpose¶
The issue server hosts the issue tracking system, implemented with OTRS (https://www.otrs.com/), which is used by Triage and Support (see the respective wiki pages) for handling requests sent to the support@cacert.org mail address. Use by other teams, e.g. Arbitration (currently used occasionally) and Organisation Assurance, is planned for the future.
Application Links¶
- OTRS URL
Administration¶
System Administration¶
Primary: None
Secondary: None
Todo
find an administrator for this system
Application Administration¶
| Application | Administrator(s) |
|---|---|
| OTRS | |
Contact¶
Additional People¶
Jan Dittberner and Dirk Astrath have sudo access on that machine.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet:
- IP Internal:
- MAC address: 00:ff:8c:94:e1:c8 (eth0)
See also
See Network
Monitoring¶
- internal checks:
DNS¶
| Name | Type | Content |
|---|---|---|
| issue.cacert.org. | IN A | 213.154.225.244 |
| issue.intra.cacert.org. | IN A | 172.16.2.28 |
| issue.cacert.org. | IN SSHFP | 2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB |
| issue.cacert.org. | IN SSHFP | 1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E |
See also
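The SSHFP records above let an SSH client (with VerifyHostKeyDNS enabled) check a presented host key against DNS instead of trusting it on first use. The following Python is an added example, not code from the CAcert documentation or its Puppet repository: it computes the SSHFP RDATA for a host key given in ssh-keyscan or authorized_keys form and checks it against published records. The two records are the ones listed in the DNS table; the ssh-ed25519 key used in the demo is a constructed placeholder, not the real host key of issue.cacert.org, so it does not match the published (RSA and DSA) records. The algorithm and fingerprint-type numbers come from RFC 4255, RFC 6594 and RFC 7479.

```python
"""Verify SSH host keys against SSHFP DNS records (RFC 4255 / RFC 6594 / RFC 7479).

Added example for this page; not part of the CAcert infrastructure documentation
or its Puppet code. PUBLISHED_RECORDS are the SSHFP records listed in the DNS
table above; the key built by constructed_ed25519_key() is a placeholder.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers for the key types as OpenSSH names them
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

# SSHFP records published for issue.cacert.org (from the DNS table on this page)
PUBLISHED_RECORDS = [
    "2 1 FD9A5C79C4A9057B87AE8E639FD223B386AF4BDB",
    "1 1 3F55E52B51D142EF9D15EEAA9CA25B3AA30C7C6E",
]


def sshfp_record(key_line):
    """Return the (algorithm, fptype, HEXDIGEST) tuples a public key line implies.

    Accepts ssh-keyscan output ("host keytype base64") as well as an
    authorized_keys / known_hosts style line ("keytype base64 [comment]").
    One tuple per fingerprint type is returned, as 'ssh-keygen -r' would print.
    """
    parts = key_line.split()
    if parts[0] in KEY_ALGORITHMS:
        keytype, blob = parts[0], parts[1]
    else:
        keytype, blob = parts[1], parts[2]
    alg = KEY_ALGORITHMS[keytype]
    raw = base64.b64decode(blob)  # the fingerprint is over the raw wire-format key blob
    return [(alg, fptype, h(raw).hexdigest().upper()) for fptype, h in sorted(FP_HASHES.items())]


def parse_sshfp(rdata):
    """Parse SSHFP RDATA text 'alg fptype HEXFINGERPRINT' into a comparable tuple."""
    alg, fptype, fp = rdata.split()
    return int(alg), int(fptype), fp.upper()


def key_matches_records(key_line, rdatas):
    """True if at least one published SSHFP record matches the presented host key."""
    published = {parse_sshfp(r) for r in rdatas}
    return any(rec in published for rec in sshfp_record(key_line))


def constructed_ed25519_key():
    """Build a syntactically valid ssh-ed25519 public key from a CONSTRUCTED 32-byte value.

    Wire format: string "ssh-ed25519" followed by the 32-byte public key, each
    length-prefixed with a big-endian uint32. This is not a real key pair.
    """
    pub = bytes(range(32))  # constructed placeholder, not a real public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(pub)) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    key = constructed_ed25519_key()
    for alg, fptype, fp in sshfp_record(key):
        print(f"issue.cacert.org. IN SSHFP {alg} {fptype} {fp}")
    print("matches published records:", key_matches_records(key, PUBLISHED_RECORDS))
```

Feeding the real output of ssh-keyscan for the host into key_matches_records() gives the same yes/no decision that an SSH client makes with VerifyHostKeyDNS; note that the DNS answer itself should be DNSSEC-validated before it is trusted, which this check does not cover.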
Operating System¶
Debian GNU/Linux 9 Stretch
Todo
upgrade to Debian Buster
Services¶
Listening services¶
| Port | Service | Origin | Purpose |
|---|---|---|---|
| 22/tcp | ssh | ANY | admin console access |
| 25/tcp | smtp | localnet | local mail pickup in order to send out notifications via Emailout, incoming mail from Email |
| 80/tcp | http | ANY | HTTP access to issue, redirects to HTTPS |
| 443/tcp | https | ANY | HTTPS access to issue |
| 5666/tcp | nrpe | monitor | remote monitoring service |
| 3306/tcp | mysql | local | MySQL database for OTRS |
Running services¶
| Service | Usage | Start mechanism |
|---|---|---|
| openssh server | ssh daemon for remote administration | init script |
| Apache httpd | Webserver for OTRS | init script |
| cron | job scheduler | init script |
| rsyslog | syslog daemon | init script |
| MySQL | MySQL database server for OTRS | init script |
| Postfix | SMTP server for local mail submission and for receiving mail directed to OTRS addresses | init script |
| Puppet agent | configuration management agent | init script |
| Nagios NRPE server | remote monitoring service queried by Monitor | init script |
Databases¶
| RDBMS | Name | Used for |
|---|---|---|
| MySQL | otrs | database for OTRS |
Connected Systems¶
Outbound network connections¶
- DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3
- Emailout as SMTP relay
- Email as SMTP submission relay (587/tcp) for specific addresses (see Postfix configuration below)
- Puppet (8140/tcp) as Puppet master
- Proxyout as HTTP proxy for APT
- crl.cacert.org (rsync) for getting CRLs
Security¶
SSH host keys¶
| Algorithm | Fingerprints |
|---|---|
| RSA | |
| DSA | |
| ECDSA | |
| ED25519 | - |
See also
Todo
set up an ED25519 host key
Non-distribution packages and modifications¶
OTRS is installed from Debian packages but has been patched. The OTRS packages must not be updated from Debian packages without reapplying the patch.
/usr/share/otrs/Kernel/Output/HTML/Layout.pm
--- otrs_orig/Layout.pm 2015-01-11 03:13:29.049626928 +0000
+++ /usr/share/otrs/Kernel/Output/HTML/Layout.pm 2015-01-11 03:18:55.736035997 +0000
@@ -369,7 +369,21 @@
}
# locate template files
- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+ $Self->{TemplateDir}
+ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
+ $Self->{StandardTemplateDir}
+ = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . 'Standard';
+
+ # Check if 'Standard' fallback exists
+ if ( !-e $Self->{StandardTemplateDir} ) {
+ $Self->{LogObject}->Log(
+ Priority => 'error',
+ Message =>
+ "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
+ );
+ $Self->FatalDie();
+ }
+
if ( !-e $Self->{TemplateDir} ) {
$Self->{LogObject}->Log(
Priority => 'error',
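Review bot: the error message interpolates the wrong variable. The new check tests `$Self->{StandardTemplateDir}`, but the message it logs reads `"No existing template directory found ('$Self->{TemplateDir}')! ..."`, so when the 'Standard' directory is missing the log names the theme directory, which may well exist, and sends an operator to the wrong path. Suggest interpolating the directory that was actually checked, e.g. `"No existing standard template directory found ('$Self->{StandardTemplateDir}')! Check your Home in Kernel/Config.pm"`. Failing hard at construction time via `FatalDie()` is the right call here: it is better than discovering the missing fallback only when a template is opened.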
@@ -378,17 +392,9 @@
Default theme used instead.",
);
- # Set TemplateDir to 'Standard' as a fallback and check if it exists.
+ # Set TemplateDir to 'Standard' as a fallback.
$Theme = 'Standard';
- $Self->{TemplateDir} = $Self->{ConfigObject}->Get('TemplateDir') . '/HTML/' . $Theme;
- if ( !-e $Self->{TemplateDir} ) {
- $Self->{LogObject}->Log(
- Priority => 'error',
- Message =>
- "No existing template directory found ('$Self->{TemplateDir}')! Check your Home in Kernel/Config.pm",
- );
- $Self->FatalDie();
- }
+ $Self->{TemplateDir} = $Self->{StandardTemplateDir};
}
# load sub layout files
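Review bot: `$Theme = 'Standard';` survives this hunk but no longer feeds the path, since `$Self->{TemplateDir}` is now copied from `$Self->{StandardTemplateDir}` instead of being rebuilt from `$Theme`. Removing the inner existence check is sound because the constructor now verifies `StandardTemplateDir` and dies if it is absent, so the fallback can no longer point at a missing directory. A one-line comment stating that `$Theme` and `StandardTemplateDir` are expected to refer to the same directory would keep the next reader from wondering whether the `$Theme` assignment is still needed.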
@@ -531,7 +537,7 @@
$File = "$Self->{TemplateDir}/$Param{TemplateFile}.dtl";
}
else {
- $File = "$Self->{TemplateDir}/../Standard/$Param{TemplateFile}.dtl";
+ $File = "$Self->{StandardTemplateDir}/$Param{TemplateFile}.dtl";
}
if ( open my $TEMPLATEIN, '<', $File ) {
$TemplateString = do { local $/; <$TEMPLATEIN> };
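Review bot: good that the fallback file path no longer contains a `..` component; `$File` is now built from the directory verified in the constructor rather than from the parent of the theme directory. Since only the directory is checked there, the `if ( open my $TEMPLATEIN, '<', $File )` guard below stays the only per-file check, which is appropriate. This relative-path fix is also what the warning above about holding the OTRS Debian package protects: a package upgrade would silently restore `"$Self->{TemplateDir}/../Standard/..."` unless the patch is reapplied.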
Risk assessments on critical packages¶
Patching OTRS carries the risk of delayed security updates. The package is set on hold via echo otrs hold | dpkg --set-selections and must be updated explicitly. OTRS 3.1 is no longer supported by upstream.
The Apache httpd in use has a good security reputation. OTRS is integrated into Apache httpd via mod_perl2.
Critical Configuration items¶
Keys and X.509 certificates¶
All keys and certificates are managed in the file hieradata/nodes/issue.yaml in the CAcert Git repository cacert-puppet.
The following certificate and its corresponding private key are used by Apache httpd and Postfix:
- Certificate for CN issue.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/public/issue.cacert.org.chain.pem
  - private key in file /etc/ssl/private/issue.cacert.org.key.pem
Apache httpd configuration¶
- /etc/apache2/sites-available/default: HTTP virtualhost configuration that redirects to HTTPS
- /etc/apache2/sites-available/default-ssl: HTTPS virtualhost configuration; /cgi-bin/ is aliased to /usr/lib/cgi-bin/, which contains a symbolic link to the OTRS CGIs
OTRS configuration¶
- /etc/otrs/: OTRS configuration
- /etc/otrs/database.pm: OTRS's database configuration
Postfix configuration¶
- /etc/postfix: Postfix configuration
- /etc/postfix/sender_relay: defines the list of sender addresses that are relayed via Email
- /etc/postfix/sender_rewrite: configures rewriting of all but a short list of addresses to returns@cacert.org
Tasks¶
Creating new OTRS user accounts¶
1. Go to Admin -> Users -> Add
2. Fill out the user details
3. Use a securely generated random password (min. 12 characters, a mix of upper- and lower-case letters, digits and special characters) and send it to the user via encrypted mail (also include the URL of the issue tracking system, the username and some initial instructions or a link to documentation if available)
4. Use CAcert email addresses only
5. Set the preferences for the user. Good defaults are:
   - Show tickets: 25
   - New ticket notification: Yes (or No for high volume queues having agents regularly looking at
   - Follow up notification: Yes
   - Ticket lock timeout notification: Yes
   - Move notification: Yes (or No if the queues for the user get many new tickets)
   - Spelling Dictionary: English
6. Submit
7. Do NOT set any groups for the user.
8. Go to Admin -> Users -> Roles <-> Users
9. Choose the newly created user
10. Set the roles the user has
11. Submit
12. Now you are done :)
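The password requirement in the procedure above (at least 12 characters, upper- and lower-case letters, digits and special characters, generated securely) is the one piece of it that is worth scripting rather than doing by hand. The following Python is an added example, not part of OTRS or of the CAcert documentation: it draws the password from a CSPRNG and rejects candidates that miss a character class, so the result is uniform over policy-conforming strings rather than having one character of each class in a predictable position. The set of special characters is an assumption; the page does not specify one.

```python
"""Generate an initial OTRS agent password that meets the policy stated on this page.

Added example, not part of OTRS or of the CAcert documentation. The character
classes are the four the page names; the concrete SPECIALS set is an assumption.
"""
import math
import secrets
import string

MIN_LENGTH = 12  # minimum stated in the account creation procedure
# Assumed special-character set; quotes and backslash are left out so the
# password survives copy/paste into mail and shells without escaping trouble.
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def meets_policy(password):
    """True if the password has the required length and all four character classes."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


def generate_password(length=16):
    """Draw characters with the secrets module until a candidate satisfies the policy.

    Rejection sampling keeps the accepted password uniformly distributed over
    all policy-conforming strings of the requested length.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length):
    """Entropy in bits of a uniformly drawn password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{len(pw)} characters, about {entropy_bits(len(pw)):.0f} bits of entropy")
```

The generated value is only the initial secret: it still has to reach the agent over encrypted mail together with the tracker URL and username, as the procedure says, and the agent should change it at first login.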
Changes¶
Planned¶
Ideas¶
The system should be upgraded to a newer Debian release.
- Deployment
  - implement access for other teams
- OTRS
  - change to CAcert corporate design (low priority)
  - should be updated to a newer release that is supported by upstream
- Monitoring
  - create a list of services to monitor
- Configuration management
  - X.509 Authentication
- Use centralised logging
System Future¶
No plans
Additional documentation¶
See also