Translations

Purpose

This system runs a Pootle translation server.

Administration

System Administration

Todo

find an additional admin

Application Administration

Application

Administrator(s)

Pootle

Jan Dittberner

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:  213.154.225.240
IP Intranet:  172.16.2.31
IP Internal:  10.0.0.31
IPv6:         2001:7b8:616:162:2::31
MAC address:  00:ff:6c:7d:5b:c5 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for translations.infra.cacert.org

DNS

Name                            Type       Content
l10n.cacert.org.                IN CNAME   translations.cacert.org.
translations.cacert.org.        IN A       213.154.225.240
translations.cacert.org.        IN AAAA    2001:7b8:616:162:2::31
translations.cacert.org.        IN SSHFP   1 1 1128972FB54F927477A781718E2F9C114E9CA383
translations.cacert.org.        IN SSHFP   1 2 F223904069AEAA2E0EAC5D9092AB7DEBAE70F06EC3C25E94F49F1B15F633ED5D
translations.cacert.org.        IN SSHFP   2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
translations.cacert.org.        IN SSHFP   2 2 4A1FF7396AE874559CF196D54D5D7F6890DBA6DE73B46AF049258B1024CDACE2
translations.cacert.org.        IN SSHFP   3 1 0F0CBD9C188D619D743859A249238F684D6CCA5F
translations.cacert.org.        IN SSHFP   3 2 441D76EB651022A8C5810C6946CBDEC47504E97AD669B073EC9D6E27791A7C4D
translations.cacert.org.        IN SSHFP   4 1 A4102E1FBF1BE1ACD53F2E7653DD8898E567C437
translations.cacert.org.        IN SSHFP   4 2 6FE3334B51E68F9F650B00D13F504306029B71A76C5AFF54873D72B24ED19DD5
translations.intra.cacert.org.  IN A       172.16.2.31

SSHFP algorithm numbers: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519; fingerprint types: 1 SHA-1, 2 SHA-256. Records for algorithm 2 (DSA) are published although the SSH host keys section below lists no DSA key in use; see the note there.

Operating System

  • Debian GNU/Linux 10 Buster

Services

Listening services

Port       Service   Origin    Purpose
22/tcp     ssh       ANY       admin console access
25/tcp     smtp      local     mail delivery to local MTA
80/tcp     http      ANY       redirect to https
443/tcp    https     ANY       application
5665/tcp   icinga2   monitor   remote monitoring service
3306/tcp   mariadb   local     MariaDB database for Pootle
6379/tcp   redis     local     Redis in-memory cache and job queue for Pootle

Running services

Service          Usage                                   Start mechanism
Apache httpd     Webserver for Pootle                    systemd unit apache2.service
cron             job scheduler                           systemd unit cron.service
dbus-daemon      System message bus                      systemd unit dbus.service
icinga2          Icinga2 monitoring agent                systemd unit icinga2.service
MariaDB          MariaDB database server for Pootle      systemd unit mariadb.service
openssh server   ssh daemon for remote administration    systemd unit ssh.service
Postfix          SMTP server for local mail submission   systemd unit postfix.service
Pootle rqworker  Worker for Pootle background tasks      systemd unit pootle-rqworker.service
Puppet agent     configuration management agent          systemd unit puppet.service
Redis            Job queue for Pootle                    systemd unit redis-server.service
rsyslog          syslog daemon                           systemd unit rsyslog.service

Databases

RDBMS     Name     Used for
MariaDB   pootle   Pootle

Connected Systems

Outbound network connections

Security

SSH host keys

Algorithm   Fingerprints
RSA         SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0, MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
DSA         -
ECDSA       SHA256:RB1262UQIqjFgQxpRsvexHUE6XrWabBz7J1uJ3kafE0, MD5:0a:39:d9:22:39:3a:48:5d:fb:a3:27:15:d9:30:a8:64
ED25519     SHA256:b+MzS1Hmj59lCwDRP1BDBgKbcadsWv9Uhz1ysk7RndU, MD5:ca:a6:93:70:8c:38:23:26:16:68:5b:87:16:ee:70:17

The SHA256 fingerprints are the base64 form of the SSHFP fingerprint type 2 digests published in DNS (algorithms 1, 3 and 4 respectively). No DSA host key is in use, but the zone still carries SSHFP records for algorithm 2 (DSA); they should be checked against the keys the server actually presents and removed if stale, since clients with VerifyHostKeyDNS enabled use the published SSHFP records to decide whether to trust a host key.
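The check described above, as an added example that is not part of the CAcert infrastructure documentation: it converts OpenSSH "SHA256:" fingerprints to SSHFP hex digests, pulls the live SSHFP set with ssh-keyscan -D and the published set with dig, and reports records that exist only on one side. The script name (sshfp-audit.sh) is assumed; ssh-keyscan, dig, base64, od, awk and comm are standard on Debian.

```shell
#!/bin/sh
# Audit the SSHFP records published for a host against the host keys it
# actually presents. Added example, not part of the CAcert infrastructure
# documentation; assumes ssh-keyscan, dig, base64, od, awk and comm exist.
set -eu

# sha256_fp_to_sshfp_hex 'SHA256:<base64>'
# Convert an OpenSSH fingerprint as printed by "ssh-keygen -l" (the form used
# in the host key table above) into the hex digest of an SSHFP type 2 record.
sha256_fp_to_sshfp_hex() {
    b64="${1#SHA256:}"
    # OpenSSH omits base64 padding; restore it so base64 -d accepts the input
    pad=$(( (4 - ${#b64} % 4) % 4 ))
    while [ "$pad" -gt 0 ]; do b64="$b64="; pad=$((pad - 1)); done
    printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# live_sshfp HOST
# SSHFP records computed from the keys the server presents; ssh-keyscan -D
# prints "host IN SSHFP <alg> <fptype> <digest>" lines.
live_sshfp() {
    ssh-keyscan -D "$1" 2>/dev/null | awk '$3 == "SSHFP" { print $4, $5, toupper($6) }' | sort -u
}

# published_sshfp HOST
# SSHFP records currently in DNS ("<alg> <fptype> <digest>" per line).
published_sshfp() {
    dig +short SSHFP "$1" | awk 'NF == 3 { print $1, $2, toupper($3) }' | sort -u
}

# audit_sshfp LIVE_FILE PUBLISHED_FILE
# Both files hold sorted "<alg> <fptype> <digest>" lines. Records only in DNS
# are stale (e.g. a DSA record for a key the host no longer serves); records
# only on the host are missing from the zone.
audit_sshfp() {
    comm -13 "$1" "$2" | sed 's/^/stale:   /'
    comm -23 "$1" "$2" | sed 's/^/missing: /'
}

# usage: sshfp-audit.sh translations.cacert.org
if [ $# -eq 1 ]; then
    live=$(mktemp); pub=$(mktemp)
    live_sshfp "$1" > "$live"
    published_sshfp "$1" > "$pub"
    audit_sshfp "$live" "$pub"
    rm -f "$live" "$pub"
fi
```

Run against translations.cacert.org after every host key change and after editing the zone; a "stale:" line for algorithm 2 is the DSA leftover mentioned above.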

Dedicated user roles

Group           Purpose
pootle-update   Planned translation update group

Non-distribution packages and modifications

Pootle is a Python/Django application that has been installed in a Python virtualenv. Pootle and all its dependencies have been installed using:

cd /var/www/pootle
# one virtualenv per Pootle version; the "current" symlink selects the active one
python -m virtualenv pootle-2.8.2
ln -s pootle-2.8.2 current
chown -R pootle:www-data pootle-2.8.2
# everything below runs as the unprivileged pootle user
sudo -s -u pootle
. pootle-2.8.2/bin/activate
# outbound access only through the proxy; django-appconf is held below 1.0.4
env http_proxy=http://proxyout:3128 https_proxy=http://proxyout:3128 pip install 'Pootle[mysql]' 'django-appconf<1.0.4'
pootle migrate

Pootle is installed in a versioned directory; the active version is selected by the symlink /var/www/pootle/current. The rationale is that updating to a newer Pootle version then only requires repointing the symlink instead of changing many different configuration files.

The installation needs an installed gcc and a few library development packages.
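The procedure above, generalized into an upgrade script that builds the next versioned virtualenv beside the running one and then atomically repoints the current symlink. This is an added example and not a script that exists on the system; the script name (pootle-switch.sh), the POOTLE_ROOT and PROXY variables, and the assumption that pootle migrate is run from /var/www/pootle exactly as in the documented procedure are mine.

```shell
#!/bin/sh
# Build a new versioned Pootle virtualenv and switch the "current" symlink to
# it. Added example following the layout described above (versioned
# /var/www/pootle/pootle-<version> directories plus a "current" symlink); it
# is not one of the scripts installed on the system. POOTLE_ROOT and PROXY
# can be overridden, e.g. for testing in a scratch directory.
set -eu

POOTLE_ROOT="${POOTLE_ROOT:-/var/www/pootle}"
PROXY="${PROXY:-http://proxyout:3128}"

# build_venv VERSION: create pootle-<VERSION> next to the existing installs,
# never in place, so the running version stays untouched until the switch
build_venv() {
    version="$1"
    target="$POOTLE_ROOT/pootle-$version"
    [ ! -e "$target" ] || { echo "already exists: $target" >&2; return 1; }
    python -m virtualenv "$target"
    chown -R pootle:www-data "$target"
    # install as the pootle user so nothing in the virtualenv is root-owned
    sudo -u pootle env http_proxy="$PROXY" https_proxy="$PROXY" \
        "$target/bin/pip" install "Pootle[mysql]==$version" 'django-appconf<1.0.4'
    # pootle.conf lives inside the versioned directory (see "Pootle
    # configuration"), so carry it over from the currently active version
    if [ -f "$POOTLE_ROOT/current/pootle.conf" ]; then
        cp -p "$POOTLE_ROOT/current/pootle.conf" "$target/pootle.conf"
    fi
    # schema migrations run before the switch, from /var/www/pootle as in the
    # documented procedure (assumption: the config is found the same way)
    (cd "$POOTLE_ROOT" && sudo -u pootle "$target/bin/pootle" migrate)
}

# switch_current VERSION: point "current" at pootle-<VERSION>. The link is
# created under a temporary name and renamed over the old one, so Apache's
# WSGI process and the rqworker never observe a missing "current".
switch_current() {
    version="$1"
    target="$POOTLE_ROOT/pootle-$version"
    [ -d "$target" ] || { echo "no such install: $target" >&2; return 1; }
    ln -s "pootle-$version" "$POOTLE_ROOT/current.new"
    mv -T "$POOTLE_ROOT/current.new" "$POOTLE_ROOT/current"
}

# current_version: version that "current" points at (empty if not set up)
current_version() {
    readlink "$POOTLE_ROOT/current" 2>/dev/null | sed 's/^pootle-//'
}

# usage: pootle-switch.sh build 2.8.2 | switch 2.8.2 | current
case "${1:-}" in
    build)   build_venv "$2" ;;
    switch)  switch_current "$2" ;;
    current) current_version ;;
esac
```

Rolling back is the same switch in the other direction; the old versioned directory is kept until the new one has been verified, and Apache and the rqworker are restarted after every switch so they load the new code.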

Todo

consider building the virtualenv on jenkins to avoid development tools on this system

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

Network access from outside is limited to http/https via Apache httpd, which is restricted to a minimal set of modules, plus SSH for administration and the Icinga2 agent port, which is only reachable from the monitoring host (see Listening services).

The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The Puppet agent does not listen on the network and is not exposed for access from outside the system.

Pootle 2.8 is based on Django 1.10, which no longer receives upstream security fixes (upstream support ended in December 2017), and runs on Python 2.7 (upstream end of life January 2020); Pootle should be updated to a newer version as soon as one becomes available. Pootle runs as the dedicated system user pootle, which is confined via filesystem permissions.

The following change has been made to the translation toolkit filters used by Pootle, in /var/www/pootle/pootle-2.8.2/lib/python2.7/site-packages/translate/filters/checks.py, to add CAcert specific translation checks. Because the file lives inside the versioned virtualenv, the change is lost when a new Pootle version is installed and has to be re-applied in the new directory:

commit 4d107e5019f4794b4581cadaf4e9a8339868f6a4
Author: Jan Dittberner <jandd@cacert.org>
Date:   Fri Feb 23 20:39:03 2018 +0000

    Add CAcert checkers

    Signed-off-by: Jan Dittberner <jandd@cacert.org>

diff --git a/filters/checks.py b/filters/checks.py
index db10937..45b464c 100644
--- a/filters/checks.py
+++ b/filters/checks.py
@@ -2475,6 +2475,24 @@ class IOSChecker(StandardChecker):
         StandardChecker.__init__(self, **kwargs)


+cacertconfig = CheckerConfig(
+    notranslatewords = ["CAcert", "Assurer"],
+    criticaltests = ["printf"],
+)
+
+
+class CAcertChecker(StandardChecker):
+
+    def __init__(self, **kwargs):
+        checkerconfig = kwargs.get("checkerconfig", None)
+        if checkerconfig is None:
+            checkerconfig = CheckerConfig()
+            kwargs["checkerconfig"] = checkerconfig
+
+        checkerconfig.update(cacertconfig)
+        StandardChecker.__init__(self, **kwargs)
+
+
 projectcheckers = {
     "minimal": MinimalChecker,
     "standard": StandardChecker,
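Review bot: `checkerconfig.update(cacertconfig)` in CAcertChecker.__init__ modifies the CheckerConfig object handed in by the caller rather than a copy, so a config shared with another checker silently gains the CAcert notranslatewords and the `printf` critical test; if that in-place update is deliberate, say so in a comment, otherwise copy the config before updating it. Two smaller points: the keyword arguments in `cacertconfig = CheckerConfig(...)` should drop the spaces around `=` (PEP 8), and since this file sits in site-packages of the versioned virtualenv it is overwritten by the next pip install, so keep the hunk as a patch file in the Puppet repository and apply it when the virtualenv is built.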
@@ -2490,6 +2508,7 @@ projectcheckers = {
     "terminology": TermChecker,
     "l20n": L20nChecker,
     "ios": IOSChecker,
+    "cacert": CAcertChecker,
 }
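Review bot: registering "cacert" in projectcheckers only takes effect for projects whose checker style is set to that name, and neither the hunk nor the commit message records which Pootle projects are meant to use it; list those projects next to this patch (or in the Pootle configuration notes) so that a rebuilt virtualenv without the patch does not leave them referring to a checker name that no longer exists.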

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of translations to Puppet code

Keys and X.509 certificates

  • Certificate for CN translations.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/translations.cacert.org.chain.pem

    • private key in file /etc/ssl/private/translations.cacert.org.key.pem

Apache configuration

The main configuration files for Apache httpd are:

  • /etc/apache2/sites-available/pootle-nossl.conf

    defines the HTTP VirtualHost that redirects all requests to https://translations.cacert.org/

  • /etc/apache2/sites-available/pootle-ssl.conf

    defines the HTTPS VirtualHost for Pootle including the TLS and WSGI setup

Pootle configuration

The main Pootle configuration file is /var/www/pootle/current/pootle.conf. The file defines the database and CAcert specific settings.

Pootle runs some background jobs that are queued via redis and run from a worker process. The worker process lifecycle is managed via supervisord. The supervisor configuration for this worker is in /etc/supervisor/conf.d/pootle-rqworker.conf.

The WSGI runner for Pootle is contained in /var/www/pootle/wsgi.py. It references the symlinked Pootle instance directory /var/www/pootle/current and should not need changes when a new Pootle version is installed.

There are scripts in /usr/local/bin that were implemented for an older Pootle version and have to be checked/updated.

Tasks

Changes

Planned

Todo

integrate the pootle projects with version control systems. The templates (.pot files) in /var/www/pootle/po can be updated and loaded into Pootle by invoking:

pootle update_stores --project=<project_id> --language=templates

see the Pootle documentation

Todo

update and improve the scripts in /usr/local/bin and integrate them with the sudo system to allow members of the pootle-update group to run them in the context of the pootle system user
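One way to implement this todo item, as an added example and not one of the existing scripts in /usr/local/bin: a wrapper that members of pootle-update run through sudo as the pootle user, which validates the project id before passing it to the pootle command from the procedure above. The script name (pootle-update-templates), the sudoers rule quoted in the header, the POOTLE_ROOT variable and the location of the pootle command inside the current virtualenv are assumptions.

```shell
#!/bin/sh
# Wrapper that lets members of the pootle-update group reload .pot templates
# into Pootle as the pootle system user. Added example for the todo item
# above; not one of the existing scripts in /usr/local/bin. The script name
# and the sudoers rule are assumptions:
#   %pootle-update ALL=(pootle) NOPASSWD: /usr/local/bin/pootle-update-templates
# The rule hands over one fixed command, so everything the less privileged
# caller passes on to the pootle command must be validated here.
set -eu

POOTLE_ROOT="${POOTLE_ROOT:-/var/www/pootle}"
# assumed location of the pootle command inside the "current" virtualenv
POOTLE_BIN="${POOTLE_BIN:-$POOTLE_ROOT/current/bin/pootle}"

# valid_project_id ID: accept only plain identifiers; rejects empty strings,
# path components, whitespace and shell metacharacters
valid_project_id() {
    case "${1-}" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# update_templates PROJECT: run "pootle update_stores" for the templates
# language of one project (the command documented above)
update_templates() {
    project="$1"
    valid_project_id "$project" || { echo "invalid project id: $project" >&2; return 2; }
    # refuse to run as anyone else, in particular root: the po tree and the
    # virtualenv belong to the pootle user
    [ "$(id -un)" = pootle ] || { echo "must run as pootle: sudo -u pootle $0 $project" >&2; return 3; }
    cd "$POOTLE_ROOT"
    "$POOTLE_BIN" update_stores --project="$project" --language=templates
}

if [ $# -eq 1 ]; then
    update_templates "$1"
fi
```

Members of the group then run `sudo -u pootle /usr/local/bin/pootle-update-templates <project_id>`; because the sudoers rule names the script and not the pootle command, the callers never get a shell or an arbitrary management command as pootle.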

System Future

  • keep Pootle up to date

Additional documentation

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

MariaDB knowledge base

https://mariadb.com/kb/en/

mod_wsgi documentation

https://modwsgi.readthedocs.io/en/develop/

Pootle documentation

http://docs.translatehouse.org/projects/pootle/en/stable-2.8.x/

Redis documentation

https://redis.io/documentation