DuckCorp Projects: Issues
https://projects.duckcorp.org/
https://projects.duckcorp.org/favicon.ico?1669909042
2020-07-09T00:45:21Z
DuckCorp Projects
Redmine
DuckCorp Infrastructure - Review #707 (Resolved): ansible-role-zabbix: ignore debian bugs #909750
https://projects.duckcorp.org/issues/707
2020-07-09T00:45:21Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/ignore_debian_bugs_#909750</code></a></p>
<p>Ignore debian bugs #909750, workaround this issue:</p>
<pre>
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml
Suggested packages:
libgd-tools
The following NEW packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml zabbix-frontend-php
0 upgraded, 24 newly installed, 0 to remove and 40 not upgraded.
[...]
serious bugs of libfontconfig1 (-> 2.13.1-2) <Forwarded>
b1 - #909750 - applications tries to write to /usr/* directories via
libfontconfig1
Summary:
libfontconfig1(1 bug)
libfontconfig1 pinned by adding Pin preferences in
/etc/apt/preferences.d/apt-listbugs. Restart APT session to enable
**********************************************************************
****** Exiting with an error in order to stop the installation. ******
**********************************************************************
</pre>
DuckCorp Infrastructure - Review #706 (Resolved): ansible-role-httpd_php_fpm: dont_check_potentia...
https://projects.duckcorp.org/issues/706
2020-07-08T19:59:48Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/dont_check_potentially_non_existent_path</code></a></p>
<p>Don't check existence of potentially nonexistent paths.</p>
<p>Some paths might be created later, for example: <code>/etc/zabbix/zabbix.conf.php</code>. This file can not be rendered before since owner is created in the following task.<br />Nonexistent path mentioned in <code>open_basedir</code> php configuration seems to be without any consequence.</p>
DuckCorp Infrastructure - Review #705 (Rejected): ansible-role-httpd_php_fpm: create Unix group u...
https://projects.duckcorp.org/issues/705
2020-07-08T19:49:29Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/create_unix_group_for_pool_workers</code></a></p>
<p>Create Unix group used for pool workers.</p>
<p>Fix this error:</p>
<pre>
TASK [zabbix : Generate Zabbix UI configuration]
task path: duckcorp-infra/ansible/roles/zabbix/tasks/webui.yml:30
fatal: [Orthos]: FAILED! => {
"changed": false,
"owner": "root",
"group": "root",
"mode": "0644",
"msg": "chgrp failed: failed to look up group php_sup.duckcorp.org",
"path": "/etc/zabbix/zabbix.conf.php",
"state": "file",
}
</pre>
DuckCorp Infrastructure - Review #704 (Resolved): duckcorp-infra: move supervision server
https://projects.duckcorp.org/issues/704
2020-07-08T03:04:18Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/move_sup_server</code></a></p>
<p>Supervision server: use Orthos instead of Nicecity</p>
<p>Tested with check mode enabled only using the following command:<br /><pre>
ansible-playbook --check -vv --diff playbooks/dc.yml -l Orthos -e_pg_version=11 -ehttpd_version=2.4.38 -ephp_minor_version=7.3
</pre></p>
DuckCorp Infrastructure - Review #703 (Resolved): dc-web: improve check mode support
https://projects.duckcorp.org/issues/703
2020-07-08T02:52:52Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/dc-web_check_mode</code></a></p>
Improve check mode support:
<ul>
<li>don't fail when <code>rsync</code> binary isn't installed</li>
<li>allow apache2_module to fail when check mode is enabled and apache2ctl isn't installed yet</li>
</ul>
DuckCorp Infrastructure - Review #702 (Resolved): ansible-role-httpd_php_fpm: improve check mode ...
https://projects.duckcorp.org/issues/702
2020-07-07T09:36:07Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/improve_check_mode_handling</code></a></p>
Improve check mode support:
<ul>
<li>check mode: handle <code>apache2_module</code> failure</li>
<li>don't check paths existence when check mode is enabled</li>
<li>Check mode: don't fail when <code>php</code> binary isn't installed</li>
</ul>
One unrelated change included:
<ul>
<li>Ensure <code>php_minor_version</code> var isn't empty</li>
</ul>
DuckCorp Infrastructure - Review #701 (Resolved): ansible-role-zabbix: improve check mode support
https://projects.duckcorp.org/issues/701
2020-07-01T16:44:58Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/check_mode_support</code></a>.</p>
Improve check mode support:
<ul>
<li>when <code>psycopg/PostgreSQL</code> isn't installed yet</li>
<li>always execute <code>timedatectl</code> command</li>
</ul>
DuckCorp Infrastructure - Review #700 (Resolved): ansible-role-zabbix: Use 'timedatectl show'
https://projects.duckcorp.org/issues/700
2020-07-01T16:39:30Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/timedatectl_show_is_available</code></a>.</p>
<p><code>timedatectl show</code> <a href="https://manpages.debian.org/buster/systemd/timedatectl.1.en.html" class="external">is now documented</a> and works well with Buster: use it.</p>
DuckCorp Infrastructure - Review #687 (Resolved): encrypt ansible vault password (locally)
https://projects.duckcorp.org/issues/687
2020-03-10T15:53:45Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<ol>
<li><code>duckcorp/admin:encrypt_vault_password</code> branch: encrypt Ansible Vault password</li>
<li><code>duckcorp/duckcorp-infra:decrypt_vault_password</code> branch: decrypt Ansible Vault password when needed</li>
</ol>
DuckCorp Infrastructure - Review #685 (Resolved): opendnssec isn't used anymore
https://projects.duckcorp.org/issues/685
2020-02-19T07:56:27Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<ul>
<li>purge opendnssec Debian package</li>
<li>update srv_dns_update_zone</li>
</ul>
DuckCorp Infrastructure - Review #681 (Resolved): Undefined attribute: mda_usergroup
https://projects.duckcorp.org/issues/681
2019-10-09T10:18:46Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Fix the following error:</p>
<pre>
$ ansible-playbook playbooks/tenants/duckcorp/security.yml -u root
TASK [dc-antivirus : ClamAV Setup -- Connection Type] ***********************************************************************************************************************
fatal: [Orfeo]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'mda_usergroup'\n\nThe error appears to be in '/srv/share/src/duckcorp/duckcorp-infra.git/ansible/roles/dc-antivirus/tasks/main.yml': line 21, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n notify: Reconfigure ClamAV\n- name: ClamAV Setup -- Connection Type\n ^ here\n"}
</pre>
DuckCorp Infrastructure - Review #632 (Resolved): dropbear in initramfs: ansibilize
https://projects.duckcorp.org/issues/632
2018-08-26T00:03:37Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<pre>
$ apt-get install dropbear-initramfs
$ cp /root/.ssh/authorized_keys /etc/dropbear-initramfs/authorized_keys
$ update-initramfs -u -k all # when above command is changed
# Because default configuration doesn't work:
# @GRUB_CMDLINE_LINUX="ip=192.168.3.5::192.168.3.1:255.255.255.0::enp3s0f0:none cgroup_enable=memory swapaccount=1"@ in /etc/default/grub
$ update-grub # above command is changed when
<pre></pre>
DuckCorp Infrastructure - Review #562 (Rejected): Fix "Invalid SCRIPTWHITELIST configuration opti...
https://projects.duckcorp.org/issues/562
2017-06-19T12:27:16Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Could you review <code>rkhunter_lwp_request_isnt_a_dependency</code> branch ?</p>
<p><code>lwp-request</code> belongs to <code>libwww-perl</code> but <code>libwww-perl</code> isn't a dependency of <code>rkhunter</code>.</p>
DuckCorp Infrastructure - Review #561 (Resolved): hostname and inventory name could differ
https://projects.duckcorp.org/issues/561
2017-06-19T11:50:55Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>Branch <code>use_inventory_hostname_with_hostvars</code> fix an <code>AnsibleUndefinedVariable</code> error which occurs when hostname differs from inventory name.</p>
Bip - Bug #339 (Rejected): Client side ssl not working
https://projects.duckcorp.org/issues/339
2014-06-10T14:02:00Z
Pierre-Louis Bonicoli
pierre-louis.bonicoli@ir5.eu
<p>kick wrote on irc:</p>
<blockquote>
<p>I copied my working config file from my bip 0.8.8-2<br />and I've got ssl handshake problems.. <br />I'm using a ubnutu trusty for bip 0.8.9-1 <br />I have a bip.pem set, with good owner and permissions.</p>
</blockquote>
<p>Error in client:</p>
<blockquote>
<p>connexion a échoué. Erreur : (336151568) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure</p>
</blockquote>
<p>bip.log contains:</p>
<blockquote>
<p>139638493165216:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1358:ERROR: Error in SSL handshake.</p>
</blockquote>
<p><strong>bip 0.8.8-2, sslv3</strong><br /><pre>
openssl s_client -ssl3 -connect edited.bip.server:7778
CONNECTED(00000003)
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify error:num=18:self signed certificate
verify return:1
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify return:1
---
Certificate chain
0 s:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
i:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
Server certificate
-----BEGIN CERTIFICATE-----
EDITED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
issuer=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
No client certificate CA names sent
---
SSL handshake has read 2318 bytes and written 364 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: EDITED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: EDITED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1402406408
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
</pre></p>
<p><strong>bip 0.8.8-2, tls1</strong><br /><pre>
openssl s_client -tls1 -connect server.bip.edited:7778
CONNECTED(00000003)
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify error:num=18:self signed certificate
verify return:1
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify return:1
---
Certificate chain
0 s:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
i:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
Server certificate
-----BEGIN CERTIFICATE-----
Edited XXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
issuer=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
No client certificate CA names sent
---
SSL handshake has read 2454 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: Edited XXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: Edited XXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 60 (seconds)
TLS session ticket:
0000 - 0d b9 57 57 8b b7 cd bf-70 3c 72 79 d0 f4 6f 81 ..WW....p<ry..o.
0010 - e4 30 64 d1 97 96 62 05-8c ed 45 8e d8 36 d6 52 .0d...b...E..6.R
0020 - 37 65 b5 7d 6d 19 5c 8e-22 ab 31 4c a5 b9 ac 6a 7e.}m.\.".1L...j
Edited XXXXXXXXXXXXXXXXXXXXXXX
0080 - f7 cc ab e5 18 cc 33 28-b0 7a 12 46 3f 21 ba 1b ......3(.z.F?!..
0090 - c0 9b 4c 8b 61 3a 4d d4-78 e8 77 91 80 b9 ab a1 ..L.a:M.x.w.....
Start Time: 1402406391
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
</pre></p>
<p><strong>bip 0.8.9-1, sslv3</strong><br /><pre>
openssl s_client -ssl3 -connect edited:7778
CONNECTED(00000003)
140228681320096:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140228681320096:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1402406211
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
</pre></p>
<p><strong>bip 0.8.9-1, tls1</strong><br /><pre>
openssl s_client -tls1 -connect edited:7778
CONNECTED(00000003)
140587600295584:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140587600295584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1402406299
Timeout : 7200 (sec)
Verify return code: 0 (ok)
</pre></p>