Translations

Purpose

This system runs a Pootle translation server.

Application Links

Pootle web interface

https://translations.cacert.org/

Administration

System Administration

• Primary: Jan Dittberner

• Secondary: None

Todo

find an additional admin

Application Administration

Application	Administrator(s)
Pootle	Jan Dittberner

Contact

• translations-admin@cacert.org

Additional People

Mario Lipinski has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

213.154.225.240

IP Intranet

172.16.2.31

IP Internal

10.0.0.31

IPv6

2001:7b8:616:162:2::31

MAC address

00:ff:6c:7d:5b:c5 (eth0)

See also

See Network

Monitoring

internal checks

Monitoring checks for translations.infra.cacert.org

DNS

Name	Type	Content
l10n.cacert.org.	IN CNAME	translations.cacert.org.
translations.cacert.org.	IN A	213.154.225.240
translations.cacert.org.	IN AAAA	2001:7b8:616:162:2::31
translations.cacert.org.	IN SSHFP	1 1 1128972FB54F927477A781718E2F9C114E9CA383
translations.cacert.org.	IN SSHFP	1 2 F223904069AEAA2E0EAC5D9092AB7DEBAE70F06EC3C25E94F49F1B15F633ED5D
translations.cacert.org.	IN SSHFP	2 1 3A36E5DF06304C481F01FC723FD88A086E82D986
translations.cacert.org.	IN SSHFP	2 2 4A1FF7396AE874559CF196D54D5D7F6890DBA6DE73B46AF049258B1024CDACE2
translations.cacert.org.	IN SSHFP	3 1 0F0CBD9C188D619D743859A249238F684D6CCA5F
translations.cacert.org.	IN SSHFP	3 2 441D76EB651022A8C5810C6946CBDEC47504E97AD669B073EC9D6E27791A7C4D
translations.cacert.org.	IN SSHFP	4 1 A4102E1FBF1BE1ACD53F2E7653DD8898E567C437
translations.cacert.org.	IN SSHFP	4 2 6FE3334B51E68F9F650B00D13F504306029B71A76C5AFF54873D72B24ED19DD5
translations.intra.cacert.org.	IN A	172.16.2.31

See also

See Wiki SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 9.13

Services

Listening services

Port	Service	Origin	Purpose
22/tcp	ssh	ANY	admin console access
25/tcp	smtp	local	mail delivery to local MTA
80/tcp	http	ANY	redirect to https
443/tcp	https	ANY	application
3306/tcp	mysql	local	MySQL database for Pootle
5666/tcp	nrpe	monitor	remote monitoring service
6379/tcp	redis	local	Redis in memory cache

Running services

Service	Usage	Start mechanism
Apache httpd	Webserver for Pootle	init script /etc/init.d/apache2
cron	job scheduler	init script /etc/init.d/cron
MySQL	MySQL database server for Pootle	init script /etc/init.d/mysql
Postfix	SMTP server for local mail submission	init script /etc/init.d/postfix
Puppet agent	local Puppet agent	init script /etc/init.d/puppet
Nagios NRPE server	remote monitoring service queried by Monitor	init script /etc/init.d/nagios-nrpe-server
openssh server	ssh daemon for remote administration	init script /etc/init.d/ssh
Redis	Job queue for Pootle	init script /etc/init.d/redis-server
rsyslog	syslog daemon	init script /etc/init.d/syslog
Supervisord	Supervisor for background tasks	init script /etc/init.d/supervisor
Pootle rqworker	Worker for Pootle background tasks	supervisor task in /etc/supervisor/conf.d/pootle-rqworker.conf

Databases

RDBMS	Name	Used for
MySQL	pootle	Pootle

Connected Systems

• Monitor

Outbound network connections

• Infra02 as resolving nameserver

• Emailout as SMTP relay

• Puppet (tcp/8140) as Puppet master

• Proxyout as HTTP proxy for APT

• arbitrary Internet HTTP, HTTPS, FTP, FTPS, git servers for fetching Pootle dependencies (via &CONTAINER_OUT_ELEVATED("translations"); in /etc/ferm/ferm.d/translations.conf on Infra02).

Security

SSH host keys

Algorithm	Fingerprints
RSA	SHA256:8iOQQGmuqi4OrF2Qkqt9665w8G7Dwl6U9J8bFfYz7V0, MD5:df:98:f5:ea:05:c1:47:52:97:58:8f:42:55:d6:d9:b6
DSA	SHA256:Sh/3OWrodFWc8ZbVTV1/aJDbpt5ztGrwSSWLECTNrOI, MD5:07:2b:10:b1:6d:79:35:0f:83:aa:fc:ba:d6:2f:51:dc
ECDSA	SHA256:RB1262UQIqjFgQxpRsvexHUE6XrWabBz7J1uJ3kafE0, MD5:0a:39:d9:22:39:3a:48:5d:fb:a3:27:15:d9:30:a8:64
ED25519	SHA256:b+MzS1Hmj59lCwDRP1BDBgKbcadsWv9Uhz1ysk7RndU, MD5:ca:a6:93:70:8c:38:23:26:16:68:5b:87:16:ee:70:17

See also

SSH host key list

Dedicated user roles

Group	Purpose
pootle-update	Planned translation update group

Non-distribution packages and modifications

Pootle is a Python/Django application that has been installed in a Python virtualenv. Pootle and all its dependencies have been installed using:

cd /var/www/pootle
virtualenv pootle-2.8.2
ln -s pootle-2.8.2 current
chown -R pootle.www-data pootle-2.8.2
sudo -s -u pootle
. pootle-2.8.2/bin/activate
pip install --process-dependency-links Pootle[mysql]
pootle migrate

Pootle is installed in a versioned directory. The used version is a symlink in /var/www/pootle/current. The rationale is to avoid changes to many different configuration files when updating to a newer Pootle version.

The installation needs an installed gcc and a few library development packages.

Todo

consider building the virtualenv on jenkins to avoid development tools on this system

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Risk assessments on critical packages

System access is limited to http/https via Apache httpd which is restricted to a minimal set of modules.

The system uses third party packages with a good security track record and regular updates. The attack surface is small due to the tightly restricted access to the system. The puppet agent is not exposed for access from outside the system.

Pootle is based on Django 1.10 and should be updated to a newer version when it becomes available. Pootle is run as a dedicated system user pootle that is restricted via filesystem permissions.

The following change has been made to the translation toolkit filters that are used by Pootle in /var/www/pootle/pootle-2.8.2/lib/python2.7/site-packages/translate/filters/checks.py to add CAcert specific translation checks:

commit 4d107e5019f4794b4581cadaf4e9a8339868f6a4
Author: Jan Dittberner <jandd@cacert.org>
Date:   Fri Feb 23 20:39:03 2018 +0000

    Add CAcert checkers

    Signed-off-by: Jan Dittberner <jandd@cacert.org>

diff --git a/filters/checks.py b/filters/checks.py
index db10937..45b464c 100644
--- a/filters/checks.py
+++ b/filters/checks.py
@@ -2475,6 +2475,24 @@ class IOSChecker(StandardChecker):
         StandardChecker.__init__(self, **kwargs)


+cacertconfig = CheckerConfig(
+    notranslatewords = ["CAcert", "Assurer"],
+    criticaltests = ["printf"],
+)
+
+
+class CAcertChecker(StandardChecker):
+
+    def __init__(self, **kwargs):
+        checkerconfig = kwargs.get("checkerconfig", None)
+        if checkerconfig is None:
+            checkerconfig = CheckerConfig()
+            kwargs["checkerconfig"] = checkerconfig
+
+        checkerconfig.update(cacertconfig)
+        StandardChecker.__init__(self, **kwargs)
+
+
 projectcheckers = {
     "minimal": MinimalChecker,
     "standard": StandardChecker,
@@ -2490,6 +2508,7 @@ projectcheckers = {
     "terminology": TermChecker,
     "l20n": L20nChecker,
     "ios": IOSChecker,
+    "cacert": CAcertChecker,
 }

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the Puppet repository.

Todo

move configuration of translations to Puppet code

Keys and X.509 certificates

• Certificate for CN translations.cacert.org, see details in the certificate list

• certificate in file /etc/ssl/public/translations.c.o.chain.crt

• private key in file /etc/ssl/private/translations.c.o.key

See also

• Wiki SystemAdministration/CertificateList

Apache configuration

The main configuration files for Apache httpd are:

• /etc/apache2/sites-available/pootle-nossl.conf

  defines the HTTP VirtualHost that redirects all requests to https://translations.cacert.org/

• /etc/apache2/sites-available/pootle-ssl.conf

  defines the HTTPS VirtualHost for Pootle including the TLS and WSGI setup

Pootle configuration

The main Pootle configuration file is /var/www/pootle/current/pootle.conf. The file defines the database and CAcert specific settings.

Pootle runs some background jobs that are queued via redis and run from a worker process. The worker process lifecycle is managed via supervisord. The supervisor configuration for this worker is in /etc/supervisor/conf.d/pootle-rqworker.conf.

The WSGI runner for Pootle is contained in /var/www/pootle/wsgi.py it references the symlinked Pootle instance directory /var/www/pootle/current and should not need changes when a new Pootle version is installed.

There are scripts in /usr/local/bin that were implemented for an older Pootle version and have to be checked/updated.

Tasks

Changes

Planned

Todo

integrate the pootle projects with version control systems. The templates (.pot files) in /var/www/pootle/po can be updated and loaded into Pootle by invoking:

pootle update_stores --project=<project_id> --language=templates

see the Pootle documentation

Todo

update and improve the scripts in /usr/local/bin and integrate them with the sudo system to allow members of the pootle-update group to run them in the context of the pootle system user

System Future

• keep Pootle up to date

Additional documentation

See also

• Wiki PostfixConfiguration

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

MariaDB knowledge base

https://mariadb.com/kb/en/

mod_wsgi documentation

https://modwsgi.readthedocs.io/en/develop/

Pootle documentation

http://docs.translatehouse.org/projects/pootle/en/stable-2.8.x/

Redis documentation

https://redis.io/documentation

Supervisord documentation

http://supervisord.org/