Translations¶
Purpose¶
This system runs a Pootle translation server.
Application Links¶
- Pootle web interface
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Todo
find an additional admin
Application Administration¶
Application | Administrator(s)
---|---
Pootle |
Contact¶
Additional People¶
Mario Lipinski has sudo access on that machine too.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet
- IP Intranet
- IP Internal
- IPv6
- MAC address 00:ff:6c:7d:5b:c5 (eth0)
See also
See Network
Monitoring¶
- internal checks
DNS¶
Name | Type | Content
---|---|---
l10n.cacert.org. | IN CNAME | translations.cacert.org.
translations.cacert.org. | IN A | 213.154.225.240
translations.cacert.org. | IN AAAA | 2001:7b8:616:162:2::31
translations.cacert.org. | IN SSHFP | 1 1 1128972FB54F927477A781718E2F9C114E9CA383
translations.cacert.org. | IN SSHFP | 1 2 F223904069AEAA2E0EAC5D9092AB7DEBAE70F06EC3C25E94F49F1B15F633ED5D
translations.cacert.org. | IN SSHFP | 2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
translations.cacert.org. | IN SSHFP | 2 2 4A1FF7396AE874559CF196D54D5D7F6890DBA6DE73B46AF049258B1024CDACE2
translations.cacert.org. | IN SSHFP | 3 1 0F0CBD9C188D619D743859A249238F684D6CCA5F
translations.cacert.org. | IN SSHFP | 3 2 441D76EB651022A8C5810C6946CBDEC47504E97AD669B073EC9D6E27791A7C4D
translations.cacert.org. | IN SSHFP | 4 1 A4102E1FBF1BE1ACD53F2E7653DD8898E567C437
translations.cacert.org. | IN SSHFP | 4 2 6FE3334B51E68F9F650B00D13F504306029B71A76C5AFF54873D72B24ED19DD5
translations.intra.cacert.org. | IN A | 172.16.2.31
See also
Operating System¶
Debian GNU/Linux 9.13
Services¶
Listening services¶
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | local | mail delivery to local MTA
80/tcp | http | ANY | redirect to https
443/tcp | https | ANY | application
3306/tcp | mysql | local | MySQL database for Pootle
5666/tcp | nrpe | monitor | remote monitoring service
6379/tcp | redis | local | Redis in memory cache
Running services¶
Service | Usage | Start mechanism
---|---|---
Apache httpd | Webserver for Pootle | init script
cron | job scheduler | init script
MySQL | MySQL database server for Pootle | init script
Postfix | SMTP server for local mail submission | init script
Puppet agent | local Puppet agent | init script
Nagios NRPE server | remote monitoring service queried by Monitor | init script
openssh server | ssh daemon for remote administration | init script
Redis | Job queue for Pootle | init script
rsyslog | syslog daemon | init script
Supervisord | Supervisor for background tasks | init script
Pootle rqworker | Worker for Pootle background tasks | supervisor task in
Databases¶
RDBMS | Name | Used for
---|---|---
MySQL | pootle | Pootle
Connected Systems¶
Outbound network connections¶
- Infra02 as resolving nameserver
- Emailout as SMTP relay
- Puppet (tcp/8140) as Puppet master
- Proxyout as HTTP proxy for APT
- arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching Pootle dependencies (via `&CONTAINER_OUT_ELEVATED("translations");` in /etc/ferm/ferm.d/translations.conf on Infra02).
Security¶
SSH host keys¶
Algorithm | Fingerprints
---|---
RSA |
DSA |
ECDSA |
ED25519 |
See also
Dedicated user roles¶
Group | Purpose
---|---
pootle-update | Planned translation update group
Non-distribution packages and modifications¶
Pootle is a Python/Django application that has been installed in a Python virtualenv. Pootle and all its dependencies have been installed using:
```
cd /var/www/pootle
virtualenv pootle-2.8.2
ln -s pootle-2.8.2 current
chown -R pootle.www-data pootle-2.8.2
sudo -s -u pootle
. pootle-2.8.2/bin/activate
pip install --process-dependency-links Pootle[mysql]
pootle migrate
```

Pootle is installed in a versioned directory. The used version is a symlink in /var/www/pootle/current. The rationale is to avoid changes to many different configuration files when updating to a newer Pootle version.
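An added example, not a script from this page or the CAcert infrastructure repository, of the upgrade step the versioned-directory layout is designed for: a new release is built into its own pootle-X.Y.Z directory and `current` is repointed atomically, so the Apache, WSGI and pootle.conf references stay untouched and a rollback is a second switch. The `current.new` staging name and the GNU `mv -T` rename are assumptions.

```shell
#!/bin/sh
# Added example: repoint /var/www/pootle/current between versioned Pootle
# installs without editing Apache, the WSGI runner or pootle.conf.
# Assumes the directory layout from this page and GNU coreutils (mv -T).
set -eu

# Print the version name `current` points at inside base dir $1, or "".
pootle_current() {
    base="$1"
    [ -L "$base/current" ] || { echo ""; return 0; }
    basename "$(readlink "$base/current")"
}

# Repoint `current` (in base dir $1) at versioned install $2, e.g. pootle-2.8.2.
# The target name is validated so a caller cannot aim the link outside the
# base dir, and the link is replaced by rename(2) so a WSGI worker that
# resolves /var/www/pootle/current meanwhile never sees it missing.
pootle_switch() {
    base="$1"; version="$2"
    case "$version" in
        */*|*..*) echo "refusing path-like version: $version" >&2; return 2 ;;
        pootle-[0-9]*) ;;
        *) echo "refusing odd version name: $version" >&2; return 2 ;;
    esac
    [ -d "$base/$version" ] || { echo "no such install: $base/$version" >&2; return 1; }
    [ -f "$base/$version/bin/pootle" ] || { echo "not a Pootle virtualenv: $base/$version" >&2; return 1; }
    rm -f "$base/current.new"                  # leftover from an aborted run
    ln -s "$version" "$base/current.new"       # relative link, as on this page
    mv -T "$base/current.new" "$base/current"  # atomic replace of the symlink
    echo "current -> $version"
}

# Rolling back is the same switch with the previous version name.
pootle_rollback() {
    pootle_switch "$1" "$2"
}
```

After the switch only the services that hold the old path open (Apache with mod_wsgi, the rqworker under supervisord) need a restart.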
The installation needs an installed gcc and a few library development packages.
Todo
consider building the virtualenv on jenkins to avoid development tools on this system
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Risk assessments on critical packages¶
System access is limited to http/https via Apache httpd which is restricted to a minimal set of modules.
The system uses third-party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The Puppet agent is not exposed for access from outside the system.
Pootle is based on Django 1.10 and should be updated to a newer version when it becomes available. Pootle is run as a dedicated system user pootle that is restricted via filesystem permissions.
The following change has been made to the translation toolkit filters that are used by Pootle in /var/www/pootle/pootle-2.8.2/lib/python2.7/site-packages/translate/filters/checks.py to add CAcert specific translation checks:
commit 4d107e5019f4794b4581cadaf4e9a8339868f6a4 Author: Jan Dittberner <jandd@cacert.org> Date: Fri Feb 23 20:39:03 2018 +0000 Add CAcert checkers Signed-off-by: Jan Dittberner <jandd@cacert.org> diff --git a/filters/checks.py b/filters/checks.py index db10937..45b464c 100644 --- a/filters/checks.py +++ b/filters/checks.py @@ -2475,6 +2475,24 @@ class IOSChecker(StandardChecker): StandardChecker.__init__(self, **kwargs) +cacertconfig = CheckerConfig( + notranslatewords = ["CAcert", "Assurer"], + criticaltests = ["printf"], +) + + +class CAcertChecker(StandardChecker): + + def __init__(self, **kwargs): + checkerconfig = kwargs.get("checkerconfig", None) + if checkerconfig is None: + checkerconfig = CheckerConfig() + kwargs["checkerconfig"] = checkerconfig + + checkerconfig.update(cacertconfig) + StandardChecker.__init__(self, **kwargs) + + projectcheckers = { "minimal": MinimalChecker, "standard": StandardChecker, @@ -2490,6 +2508,7 @@ projectcheckers = { "terminology": TermChecker, "l20n": L20nChecker, "ios": IOSChecker, + "cacert": CAcertChecker, }
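Review bot: in the first hunk, `checkerconfig.update(cacertconfig)` in `CAcertChecker.__init__` mutates the `CheckerConfig` object the caller passed in via `kwargs["checkerconfig"]`, so a config instance shared with another checker would silently pick up the CAcert `notranslatewords` and `criticaltests`; build the merged config on a fresh `CheckerConfig()` (or a copy of the supplied one) before calling `StandardChecker.__init__`. The new class and the `cacertconfig` object also carry no docstring or comment explaining why "CAcert" and "Assurer" must stay untranslated and why `printf` is promoted to a critical test, which is the first thing a later maintainer of this patch will ask.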
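Review bot: the second hunk registers `"cacert": CAcertChecker` in `projectcheckers`, but the whole change lives in the installed copy under `site-packages/translate/filters/checks.py`, so the next `pip install` of Pootle or translate-toolkit into a new versioned directory overwrites it and projects configured with the `cacert` checker fall back to an unknown checker name. Keep the patch as a file in the infrastructure repository and have the install procedure (or the planned Puppet profile) re-apply it, or ship `CAcertChecker` as a separate module that registers itself, so the registration survives an upgrade.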
Critical Configuration items¶
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.
Todo
move configuration of translations to Puppet code
Keys and X.509 certificates¶
- Certificate for CN translations.cacert.org, see details in the certificate list
- certificate in file /etc/ssl/public/translations.cacert.org.chain.pem
- private key in file /etc/ssl/private/translations.cacert.org.key.pem
Apache configuration¶
The main configuration files for Apache httpd are:
- /etc/apache2/sites-available/pootle-nossl.conf defines the HTTP VirtualHost that redirects all requests to https://translations.cacert.org/
- /etc/apache2/sites-available/pootle-ssl.conf defines the HTTPS VirtualHost for Pootle including the TLS and WSGI setup
Pootle configuration¶
The main Pootle configuration file is /var/www/pootle/current/pootle.conf. The file defines the database and CAcert specific settings.

Pootle runs some background jobs that are queued via redis and run from a worker process. The worker process lifecycle is managed via supervisord. The supervisor configuration for this worker is in /etc/supervisor/conf.d/pootle-rqworker.conf.

The WSGI runner for Pootle is contained in /var/www/pootle/wsgi.py. It references the symlinked Pootle instance directory /var/www/pootle/current and should not need changes when a new Pootle version is installed.

There are scripts in /usr/local/bin that were implemented for an older Pootle version and have to be checked/updated.
Tasks¶
Changes¶
Planned¶
Todo
integrate the Pootle projects with version control systems. The templates (.pot files) in /var/www/pootle/po can be updated and loaded into Pootle by invoking:

```
pootle update_stores --project=<project_id> --language=templates
```

see the Pootle documentation

Todo
update and improve the scripts in /usr/local/bin and integrate them with the sudo system to allow members of the pootle-update group to run them in the context of the pootle system user
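Once a script in /usr/local/bin is reachable through sudo, a pootle-update member's arguments end up in a command run as the pootle user, so the script must validate them itself. Added example, not one of the existing /usr/local/bin scripts: a wrapper (hypothetical name pootle-update-templates) that accepts only a project id matching Pootle's slug shape and forwards it to the update_stores invocation above; the sudoers line in the comment and the use of `logger` are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical /usr/local/bin/pootle-update-templates):
# reload the templates of one Pootle project as the pootle user.
# Meant to be exposed to the pootle-update group via sudoers, e.g. (assumed):
#   %pootle-update ALL=(pootle) NOPASSWD: /usr/local/bin/pootle-update-templates
# Callers are not root, so the single argument is checked before it is used.
set -eu
export LC_ALL=C                          # fixed collation for the [a-z] class

POOTLE_HOME=/var/www/pootle              # layout from this page
POOTLE_BIN="$POOTLE_HOME/current/bin/pootle"

# Accept only a project slug: lowercase letters, digits, '-' or '_',
# 1 to 64 characters, not starting with '-' so it can never be read as an
# option by pootle. Returns 0 when valid, 1 otherwise; prints nothing.
valid_project_id() {
    pid="$1"
    [ -n "$pid" ] && [ "${#pid}" -le 64 ] || return 1
    case "$pid" in
        -*) return 1 ;;
        *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# The exact command line that will be executed, for the audit log.
update_command() {
    printf '%s update_stores --project=%s --language=templates\n' \
        "$POOTLE_BIN" "$1"
}

main() {
    [ "$#" -eq 1 ] || { echo "usage: $0 <project_id>" >&2; exit 64; }
    valid_project_id "$1" || { echo "invalid project id" >&2; exit 65; }
    [ "$(id -un)" = "pootle" ] || { echo "must run as pootle (via sudo)" >&2; exit 77; }
    # record who triggered the update; SUDO_USER is set by sudo
    logger -t pootle-update "${SUDO_USER:-?}: $(update_command "$1")"
    exec "$POOTLE_BIN" update_stores --project="$1" --language=templates
}

# Run main only when installed under the expected name, not when sourced.
case "${0##*/}" in
    pootle-update-templates) main "$@" ;;
esac
```

With the argument pinned to a slug and the command built from fixed strings, the sudoers entry needs no wildcard arguments, which is what keeps `(pootle)` from becoming a general-purpose shell for the group.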
System Future¶
keep Pootle up to date
Additional documentation¶
See also
References¶
- Apache httpd documentation
- MariaDB knowledge base
- mod_wsgi documentation
- Pootle documentation
http://docs.translatehouse.org/projects/pootle/en/stable-2.8.x/
- Redis documentation
- Supervisord documentation