Translations
Purpose
This system runs a Pootle translation server.
Application Links
- Pootle web interface
Administration
System Administration
Primary: Jan Dittberner
Secondary: None
Todo: find an additional admin
Application Administration
Application | Administrator(s)
---|---
Pootle |
Contact
Additional People
No additional people have sudo access on that machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- IPv6:
- MAC address: 00:ff:6c:7d:5b:c5 (eth0)
See also: Network
Monitoring
- internal checks:
DNS
Name | Type | Content
---|---|---
l10n.cacert.org. | IN CNAME | translations.cacert.org.
translations.cacert.org. | IN A | 213.154.225.240
translations.cacert.org. | IN AAAA | 2001:7b8:616:162:2::31
translations.cacert.org. | IN SSHFP | 1 1 1128972FB54F927477A781718E2F9C114E9CA383
translations.cacert.org. | IN SSHFP | 1 2 F223904069AEAA2E0EAC5D9092AB7DEBAE70F06EC3C25E94F49F1B15F633ED5D
translations.cacert.org. | IN SSHFP | 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
translations.cacert.org. | IN SSHFP | 2 2 4A1FF7396AE874559CF196D54D5D7F6890DBA6DE73B46AF049258B1024CDACE2
translations.cacert.org. | IN SSHFP | 3 1 0F0CBD9C188D619D743859A249238F684D6CCA5F
translations.cacert.org. | IN SSHFP | 3 2 441D76EB651022A8C5810C6946CBDEC47504E97AD669B073EC9D6E27791A7C4D
translations.cacert.org. | IN SSHFP | 4 1 A4102E1FBF1BE1ACD53F2E7653DD8898E567C437
translations.cacert.org. | IN SSHFP | 4 2 6FE3334B51E68F9F650B00D13F504306029B71A76C5AFF54873D72B24ED19DD5
translations.intra.cacert.org. | IN A | 172.16.2.31
Operating System
Debian GNU/Linux 10 Buster
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | redirect to https
443/tcp | https | ANY | application
5665/tcp | icinga2 | monitor | remote monitoring service
3306/tcp | mariadb | local | MariaDB database for blog
6379/tcp | redis | local | Redis in memory cache
Running services
Service | Usage | Start mechanism
---|---|---
Apache httpd | Webserver for Pootle | systemd unit
cron | job scheduler | systemd unit
dbus-daemon | System message bus | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
MariaDB | MariaDB database server for Pootle | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Postfix | SMTP server for local mail submission | systemd unit
Pootle rqworker | Worker for Pootle background tasks | systemd unit
Puppet agent | configuration management agent | systemd unit
Redis | Job queue for Pootle | systemd unit
rsyslog | syslog daemon | systemd unit
Databases
RDBMS | Name | Used for
---|---|---
MariaDB | pootle | Pootle
Connected Systems
Outbound network connections
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
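The SSH host key table above is empty, while the DNS table publishes SSHFP records for the same host. The following added example (not part of the CAcert documentation) shows how a client-side check compares a host key, as printed by ssh-keyscan, with such records; the key line it uses is constructed, and only the two Ed25519 SSHFP records are copied from the DNS table.

```python
"""Check an SSH host key against SSHFP DNS records (RFC 4255 / RFC 6594).
Added example, not part of the CAcert documentation."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
                    "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 SHA-1, 2 SHA-256
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

# The two Ed25519 records from the DNS table above (algorithm 4, types 1 and 2)
CACERT_ED25519_SSHFP = [
    "4 1 A4102E1FBF1BE1ACD53F2E7653DD8898E567C437",
    "4 2 6FE3334B51E68F9F650B00D13F504306029B71A76C5AFF54873D72B24ED19DD5",
]

def sshfp_for_key(key_line):
    """Map (algorithm, fptype) -> upper-case hex fingerprint for one public key line."""
    fields = key_line.split()
    # ssh-keyscan prints "host keytype base64"; an authorized_keys line has no host field
    if fields[0] in SSHFP_ALGORITHMS:
        keytype, blob_b64 = fields[0], fields[1]
    else:
        keytype, blob_b64 = fields[1], fields[2]
    blob = base64.b64decode(blob_b64)  # SSHFP hashes the whole SSH wire-format key blob
    alg = SSHFP_ALGORITHMS[keytype]
    return {(alg, t): h(blob).hexdigest().upper() for t, h in SSHFP_HASHES.items()}

def host_key_matches(key_line, sshfp_records, require_sha256=True):
    """True if the key's fingerprint equals a published SSHFP record.
    Policy of this example: SHA-1 (type 1) records only count when require_sha256 is False."""
    computed = sshfp_for_key(key_line)
    for rdata in sshfp_records:
        alg, fptype, fp = rdata.split()
        if require_sha256 and int(fptype) != 2:
            continue
        if computed.get((int(alg), int(fptype))) == fp.upper():
            return True
    return False

def constructed_key_line():
    """Constructed sample in ssh-keyscan format: an Ed25519-shaped blob, not a real key."""
    def sshstr(b):
        return struct.pack(">I", len(b)) + b
    blob = sshstr(b"ssh-ed25519") + sshstr(bytes(range(32)))
    return "translations.example ssh-ed25519 " + base64.b64encode(blob).decode()
```

Run `host_key_matches(line, records)` with the output of `ssh-keyscan -t ed25519 translations.cacert.org` and the SSHFP rdata from the table to confirm that the key offered on port 22 is the one published in DNS.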
Dedicated user roles
Group | Purpose
---|---
pootle-update | Planned translation update group
Non-distribution packages and modifications
Pootle is a Python/Django application that has been installed in a Python virtualenv. Pootle and all its dependencies have been installed using:

```shell
cd /var/www/pootle
# versioned virtualenv; the "current" symlink selects the active version
python -m virtualenv pootle-2.8.2
ln -s pootle-2.8.2 current
chown -R pootle.www-data pootle-2.8.2
# continue as the pootle service user inside the virtualenv
sudo -s -u pootle
. pootle-2.8.2/bin/activate
# pip reaches PyPI through the outbound proxy only
env http_proxy=http://proxyout:3128 https_proxy=http://proxyout:3128 pip install 'Pootle[mysql]' 'django-appconf<1.0.4'
pootle migrate
```
Pootle is installed in a versioned directory. The version in use is selected by the symlink /var/www/pootle/current. The rationale is to avoid changes to many different configuration files when updating to a newer Pootle version.
The installation needs an installed gcc and a few library development packages.
Todo: consider building the virtualenv on jenkins to avoid development tools on this system
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Risk assessments on critical packages
System access is limited to http/https via Apache httpd, which is restricted to a minimal set of modules.
The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The puppet agent is not exposed for access from outside the system.
Pootle is based on Django 1.10 and should be updated to a newer version when it becomes available. Pootle is run as a dedicated system user pootle that is restricted via filesystem permissions.
The following change has been made to the translation toolkit filters used by Pootle in /var/www/pootle/pootle-2.8.2/lib/python2.7/site-packages/translate/filters/checks.py to add CAcert specific translation checks:
commit 4d107e5019f4794b4581cadaf4e9a8339868f6a4 Author: Jan Dittberner <jandd@cacert.org> Date: Fri Feb 23 20:39:03 2018 +0000 Add CAcert checkers Signed-off-by: Jan Dittberner <jandd@cacert.org> diff --git a/filters/checks.py b/filters/checks.py index db10937..45b464c 100644 --- a/filters/checks.py +++ b/filters/checks.py @@ -2475,6 +2475,24 @@ class IOSChecker(StandardChecker): StandardChecker.__init__(self, **kwargs) +cacertconfig = CheckerConfig( + notranslatewords = ["CAcert", "Assurer"], + criticaltests = ["printf"], +) + + +class CAcertChecker(StandardChecker): + + def __init__(self, **kwargs): + checkerconfig = kwargs.get("checkerconfig", None) + if checkerconfig is None: + checkerconfig = CheckerConfig() + kwargs["checkerconfig"] = checkerconfig + + checkerconfig.update(cacertconfig) + StandardChecker.__init__(self, **kwargs) + + projectcheckers = { "minimal": MinimalChecker, "standard": StandardChecker, @@ -2490,6 +2508,7 @@ projectcheckers = { "terminology": TermChecker, "l20n": L20nChecker, "ios": IOSChecker, + "cacert": CAcertChecker, }
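Review bot: in the first hunk, `checkerconfig.update(cacertconfig)` inside `CAcertChecker.__init__` mutates the `CheckerConfig` object that was passed in via `kwargs["checkerconfig"]`, so any caller sharing that object with another checker silently inherits the CAcert `notranslatewords` and `criticaltests`; build a fresh `CheckerConfig()`, update it with the caller's config and then with `cacertconfig`, and pass that copy on to `StandardChecker.__init__`. Since this edit is made directly in `site-packages/translate/filters/checks.py` inside the versioned virtualenv, it is also lost on the next `pip install`; carrying it as a patch file applied by the installation steps above (or by the Puppet code the Todo below calls for) would keep it reproducible.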
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.
Todo: move configuration of translations to Puppet code
Keys and X.509 certificates
Certificate for CN translations.cacert.org, see details in the certificate list:
- certificate in file /etc/ssl/public/translations.cacert.org.chain.pem
- private key in file /etc/ssl/private/translations.cacert.org.key.pem
Apache configuration
The main configuration files for Apache httpd are:
- /etc/apache2/sites-available/pootle-nossl.conf: defines the HTTP VirtualHost that redirects all requests to https://translations.cacert.org/
- /etc/apache2/sites-available/pootle-ssl.conf: defines the HTTPS VirtualHost for Pootle including the TLS and WSGI setup
Pootle configuration
The main Pootle configuration file is /var/www/pootle/current/pootle.conf. The file defines the database and CAcert specific settings.
Pootle runs some background jobs that are queued via redis and run from a worker process. The worker process lifecycle is managed via supervisord. The supervisor configuration for this worker is in /etc/supervisor/conf.d/pootle-rqworker.conf.
The WSGI runner for Pootle is contained in /var/www/pootle/wsgi.py. It references the symlinked Pootle instance directory /var/www/pootle/current and should not need changes when a new Pootle version is installed.
There are scripts in /usr/local/bin that were implemented for an older Pootle version and have to be checked/updated.
Tasks
Changes
Planned
Todo: integrate the pootle projects with version control systems. The templates (.pot files) in /var/www/pootle/po can be updated and loaded into Pootle by invoking:

```shell
pootle update_stores --project=<project_id> --language=templates
```

See the Pootle documentation.
Todo: update and improve the scripts in /usr/local/bin and integrate them with the sudo system to allow members of the pootle-update group to run them in the context of the pootle system user.
System Future
- keep Pootle up to date
Additional documentation
References
- Apache httpd documentation
- MariaDB knowledge base
- mod_wsgi documentation
- Pootle documentation: http://docs.translatehouse.org/projects/pootle/en/stable-2.8.x/
- Redis documentation