DuckCorp Projects: Issues
https://projects.duckcorp.org/
2022-08-28T14:08:34Z

DuckCorp Infrastructure - Bug #779 (Resolved): Upgrade NextCloud (from 23.0.8 to 24.0.4)
https://projects.duckcorp.org/issues/779
2022-08-28T14:08:34Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>Upgrade instructions: <code>toushirou</code>@<code>/srv/www/sites/stuff.milkypond.org/README.Duck</code>.</p>
<pre>
2022-08-28T15:34:59+00:00 Disabled incompatible app: breezedark
2022-08-28T15:34:59+00:00 Disabled incompatible app: end_to_end_encryption
2022-08-28T15:34:59+00:00 Disabled incompatible app: epubreader
2022-08-28T15:34:59+00:00 Disabled incompatible app: spreed
2022-08-28T15:34:59+00:00 Disabled incompatible app: twofactor_admin
2022-08-28T15:34:59+00:00 Disabled incompatible app: weather
</pre>
Supported apps:
<ul>
<li><a href="https://apps.nextcloud.com/apps/end_to_end_encryption" class="external">end_to_end_encryption</a></li>
<li><a href="https://apps.nextcloud.com/apps/breezedark" class="external">breezedark</a></li>
<li><a href="https://apps.nextcloud.com/apps/spreed" class="external">spreed</a></li>
</ul>
Unsupported/Unmaintained apps:
<ul>
<li>weather (disabled): <a class="external" href="https://github.com/nextcloud/weather/issues/102">https://github.com/nextcloud/weather/issues/102</a></li>
<li>twofactor_admin (enabled but the <code>occ</code> command <code>twofactorauth:admin:generate-code</code> doesn't appear?): <a class="external" href="https://github.com/ChristophWurst/twofactor_admin/issues/229">https://github.com/ChristophWurst/twofactor_admin/issues/229</a></li>
</ul>
Patch applied:
<ul>
<li>epubreader: <a class="external" href="https://github.com/e-alfred/epubreader/issues/44">https://github.com/e-alfred/epubreader/issues/44</a> (patch attached)</li>
</ul>

DuckCorp Infrastructure - Bug #778 (Resolved): Upgrade NextCloud (from 23.0.7 to 23.0.8)
https://projects.duckcorp.org/issues/778
2022-08-28T12:36:32Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>Upgrade instructions: <code>toushirou</code>@<code>/srv/www/sites/stuff.milkypond.org/README.Duck</code>.</p>

DuckCorp Infrastructure - Bug #774 (Resolved): slapd service was stopped on toushirou
https://projects.duckcorp.org/issues/774
2022-06-27T05:22:44Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>unattended-upgrades restarted slapd process but slapd wasn't able to start due to other slapd being also restarted by unattended-upgrades:<br /><pre>
Log started: 2022-06-27 06:24:52
[...]
Restarting services...
systemctl restart apache2.service clamav-daemon.service clamav-freshclam.service dovecot.service fail2ban.service mariadb.service matrix-appservice-irc.service matrix-synapse.service named.service nslcd.service php7.4-fpm.service postfix-mta-sts-resolver.service postfix@-.service proftpd.service redis-server.service rspamd.service slapd.service smokeping.service spoolinger.service ssh.service stunnel4.service systemd-journald.service systemd-udevd.service thelounge.service tt-rss.service xl2tpd.service
</pre><br /><pre>
Jun 27 06:25:14 Toushirou slapd[51648]: Stopping OpenLDAP: slapd
Jun 27 06:25:14 Toushirou slapd[51914]: failed!
Jun 27 06:25:14 Toushirou systemd[1]: slapd.service: Control process exited, code=exited, status=1/FAILURE
Jun 27 06:25:14 Toushirou systemd[1]: slapd.service: Failed with result 'exit-code'.
Jun 27 06:25:14 Toushirou systemd[1]: slapd.service: Unit process 3026804 (slapd) remains running after unit stopped.
Jun 27 06:25:14 Toushirou systemd[1]: Stopped LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 27 06:25:14 Toushirou systemd[1]: slapd.service: Consumed 23min 5.763s CPU time.
Jun 27 06:25:14 Toushirou systemd[1]: slapd.service: Found left-over process 3026804 (slapd) in control group while starting unit. Ignoring.
Jun 27 06:25:14 Toushirou systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
Jun 27 06:25:14 Toushirou systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 27 06:25:14 Toushirou slapd[51915]: Starting OpenLDAP: slapd.
Jun 27 06:25:14 Toushirou systemd[1]: Started LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Jun 27 06:26:16 Toushirou slapd[3026804]: slap_client_connect: URI=ldaps://db-ldap-3.duckcorp.org DN="cn=[REDACTED],cn=config" ldap_sasl_bind_s failed (-1)
Jun 27 06:26:16 Toushirou slapd[3026804]: do_syncrepl: rid=103 rc -1 retrying
Jun 27 06:29:16 Toushirou slapd[3026804]: slap_client_connect: URI=ldaps://db-ldap-3.duckcorp.org DN="cn=[REDACTED],cn=config" ldap_sasl_bind_s failed (-1)
Jun 27 06:29:16 Toushirou slapd[3026804]: do_syncrepl: rid=003 rc -1 retrying
Jun 27 06:29:16 Toushirou slapd[3026804]: conn=-1 op=0 syncprov_checkpoint: running checkpoint
Jun 27 06:29:16 Toushirou slapd[3026804]: DIGEST-MD5 common mech free
Jun 27 06:29:16 Toushirou slapd[3026804]: DIGEST-MD5 common mech free
Jun 27 06:29:16 Toushirou slapd[3026804]: slapd stopped.
Jun 27 06:29:16 Toushirou slapd[52543]: Stopping OpenLDAP: slapd.
Jun 27 06:29:16 Toushirou systemd[1]: slapd.service: Succeeded.
Jun 27 08:55:22 Toushirou systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Jun 27 08:55:22 Toushirou slapd[117269]: @(#) $OpenLDAP: slapd 2.5.6+dfsg-1~exp1 (Aug 10 2021 03:50:37) $
Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
</pre></p>

DuckCorp Infrastructure - Bug #772 (Resolved): toushirou: matrix-appservice-irc.service is failed
https://projects.duckcorp.org/issues/772
2022-06-14T23:14:23Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<pre>
# systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● matrix-appservice-irc.service loaded failed failed Matrix AppService IRC
# journalctl -u matrix-appservice-irc.service
Jun 15 03:06:58 Toushirou systemd[1]: matrix-synapse.service: Scheduled restart job, restart counter is at 169177.
Jun 15 03:06:58 Toushirou systemd[1]: Stopped Synapse Matrix homeserver.
Jun 15 03:06:58 Toushirou systemd[1]: Starting Synapse Matrix homeserver...
Jun 15 03:06:59 Toushirou python3[1288189]: ERROR:root:Needed matrix-common==1.0.0, got matrix-common==1.1.0
Jun 15 03:06:59 Toushirou python3[1288189]: Missing Requirements: "matrix-common==1.0.0"
Jun 15 03:06:59 Toushirou python3[1288189]: To install run:
Jun 15 03:06:59 Toushirou python3[1288189]: pip install --upgrade --force "matrix-common==1.0.0"
Jun 15 03:06:59 Toushirou systemd[1]: matrix-synapse.service: Control process exited, code=exited, status=1/FAILURE
Jun 15 03:06:59 Toushirou systemd[1]: matrix-synapse.service: Failed with result 'exit-code'.
Jun 15 03:06:59 Toushirou systemd[1]: Failed to start Synapse Matrix homeserver.
# apt policy matrix-synapse
matrix-synapse:
Installed: 1.52.0-1~bpo11+1
Candidate: 1.57.1-1~bpo11+1
Version table:
1.57.1-1~bpo11+1 100
100 https://deb.debian.org/debian bullseye-backports/main amd64 Packages
*** 1.52.0-1~bpo11+1 100
100 /var/lib/dpkg/status
1.40.0-1~fto11+1 100
100 https://fasttrack.debian.net/debian bullseye-fasttrack/main amd64 Packages
# apt install -t bullseye-backports matrix-synapse
# systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● matrix-appservice-irc.service loaded failed failed Matrix AppService IRC
# systemctl restart matrix-appservice-irc.service
# systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.
</pre>

DuckCorp Infrastructure - Bug #771 (Resolved): Toushirou: leftovers related to 00d55fd3 (apache2 ...
https://projects.duckcorp.org/issues/771
2022-06-05T18:45:48Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>Following <a class="changeset" title="guihome: reorganize DDNS account" href="https://projects.duckcorp.org/projects/dc-admin/repository/duckcorp-infra/revisions/00d55fd33fe9c2d59cfb99ecf4d299e0cad81325">00d55fd3</a>, <code>logrotate</code> failed to reload <code>apache2</code>.</p>
I removed the following files:
<ul>
<li><code>/etc/apache2/sites-enabled/www.<redacted>.eu_ssl.conf</code></li>
<li><code>/etc/php/7.{3,4}/fpm/pool.d/www.<redacted>.eu.conf</code></li>
</ul>
<p>and reloaded <code>apache2.service</code>, restarted both <code>php7.4-fpm.service</code> and <code>logrotate.service</code>.</p>
<p>Then I checked status and logs of these services.</p>

DuckCorp Infrastructure - Enhancement #770 (Resolved): redmine_dc: delete spam accounts
https://projects.duckcorp.org/issues/770
2022-04-19T20:10:01Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>I deleted some redmine accounts (from the redmine DuckCorp instance only), for example those listed by this command:<br /><pre>
wget https://www.stopforumspam.com/downloads/listed_email_365.gz
gunzip listed_email_365.gz
mysql redmine_dc -B -N -s -e "select user_id, address from email_addresses inner join users where email_addresses.user_id = users.id;" | gawk '$1 !~ /^[0-9]+$/{ a[$1] = ""} $2 in a { print $1 " " $2 }' listed_email_365 | wc -l
</pre><br />I also deleted some (3) locked accounts and almost all inactivated accounts.</p>

DuckCorp Infrastructure - Bug #759 (In Progress): redmine instances don't send any notification
https://projects.duckcorp.org/issues/759
2022-03-15T21:29:07Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>Since the redmine instances are hosted within a LXC container, email notifications are no longer sent.</p>
<p>It looks like the issue comes from the Redmine configuration and 127.0.0.1:25 being used within the container.</p>
<p>The following configuration update isn't sufficient:<br /><pre>
--- /etc/redmine/dc/configuration.yml 2022-03-15 22:28:00.095274510 +0000
+++ /etc/redmine/dc/configuration.yml.new 2022-03-15 22:27:44.102827009 +0000
@@ -4,8 +4,8 @@
email_delivery:
delivery_method: :smtp
smtp_settings:
- address: 127.0.0.1
- domain: ''
+ address: 10.0.7.1
+ domain: 'projects.duckcorp.org'
enable_starttls_auto: false
port: 25
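Review bot: on the `+ address: 10.0.7.1` line, Redmine stops using loopback and talks to a non-loopback address, yet the unchanged context lines keep `enable_starttls_auto: false` and `port: 25`, so notifications now cross a network interface as plaintext SMTP on the MX port. Consider pointing this at a submission listener with STARTTLS, or at least add a comment in configuration.yml saying which interface 10.0.7.1 is and why plaintext is acceptable there, so the address is not a bare magic value.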
</pre><br />due to the grey listing configuration:<br /><pre>
Mar 15 23:12:37 Toushirou postfix/smtpd[1597691]: connect from unknown[10.0.7.2]
Mar 15 23:12:37 Toushirou postfix/smtpd[1597691]: 4KJ71x5crKz4Bs: client=unknown[10.0.7.2]
Mar 15 23:12:37 Toushirou postfix/cleanup[1597693]: 4KJ71x5crKz4Bs: message-id=<redmine.journal-2400.20220315221237.3bd6c5f55c0c0d17@projects.duckcorp.org>
Mar 15 23:12:38 Toushirou postfix/cleanup[1597693]: 4KJ71x5crKz4Bs: milter-reject: END-OF-MESSAGE from unknown[10.0.7.2]: 4.7.1 Try again later; from=<issues@projects.duckcorp.org> to=<[redacted]@ir5.eu> proto=ESMTP helo=<projects.duckcorp.org>
</pre></p>
<p><a class="user active user-mention" href="https://projects.duckcorp.org/users/3">@Marc Dequènes</a> should the grey listing be disabled for 10.0.7.2 or is there another way?</p>

DuckCorp Infrastructure - Bug #754 (Resolved): Redmine: unable to use some unicode charac...
https://projects.duckcorp.org/issues/754
2022-03-12T03:39:44Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>While commenting <a class="issue tracker-8 status-3 priority-5 priority-high3 closed" title="Review: SASL authentication support (PLAIN/EXTERNAL) (Resolved)" href="https://projects.duckcorp.org/issues/748#note-7">#748#note-7</a>, I found out that some unicode characters raise an error. For example: U+1F4E3, U+1F389.</p>
<p>In the following error message, I replaced these characters with U+1F4E3/U+1F389 (in order to be able to create this issue :)<br /><pre>
Started PUT "/journals/2382" for 86.245.117.73 at 2022-03-12 04:31:38 +0000
Processing by JournalsController#update as JS
Parameters: {"utf8"=>"✓", "journal"=>{"notes"=>"[U+1F4E3] committed commit:dc43d75d1f7e7c01d943f085120f704d2dac831d [U+1F389]\r\n\r\nThanks Loïc ㊗️❤️!", "private_notes"=>"0"}, "commit"=>"Save", "id"=>"2382"}
Current user: pilou (id=4)
Completed 500 Internal Server Error in 21ms (ActiveRecord: 8.9ms)
ActiveRecord::StatementInvalid (Mysql2::Error: Incorrect string value: '\xF0\x9F\x93\xA3 c...' for column `redmine_dc`.`journals`.`notes` at row 1: UPDATE `journals` SET `notes` = '[U+1F4E3] committed commit:dc43d75d1f7e7c01d943f085120f704d2dac831d [U+1F389]\r\n\r\nThanks Loïc ㊗️❤️!' WHERE `journals`.`id` = 2382):
app/models/journal.rb:81:in `save'
app/controllers/journals_controller.rb:90:in `update'
lib/redmine/sudo_mode.rb:63:in `sudo_mode'
</pre></p>

DuckCorp Infrastructure - Enhancement #745 (New): ban IPs that try to authenticate with a nonexis...
https://projects.duckcorp.org/issues/745
2021-11-24T14:03:15Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>Fail2ban should block the following attempts:<br /><pre>
Nov 24 15:06:46 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:00 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:20 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:30 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:07:44 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
Nov 24 15:08:04 Toushirou dovecot[1308700]: auth: ldap(<redacted>,XXX.237.103.19): unknown user
</pre></p>
<p>Some numbers in order to support the new filter (the oldest entry in the journal is 7 days old):<br /><pre>
root@Toushirou:~# # count all entries
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | wc -l
5032
root@Toushirou:~# # check the regex
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr | awk '{print $1}' | paste -sd+ | bc
5029
root@Toushirou:~# # display the most used IPs
root@Toushirou:~# journalctl -g '(auth:.*unknown)' | sed -n 's/.*ldap([^,]\+,\([^,)]\+\)\(,<[^>]\+>\)\?):.*/\1/p' | sort | uniq -c | sort -nr | awk '{print $1}' | head -n 10
741
566
467
362
307
182
177
174
167
161
# There are 697 different IPs, the twenty most used produce 85% of the login failure.
</pre></p>

DuckCorp Infrastructure - Bug #744 (Resolved): Remove obsolete Buster packages
https://projects.duckcorp.org/issues/744
2021-11-24T09:42:32Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>From a security status mail received today:<br /><pre>
Security report based on the bullseye release
*** Available security updates
CVE-2021-25219 In BIND 9.3.0 -&gt; 9.11.35, 9.12.0 -&gt; 9.16.21,...
<https://security-tracker.debian.org/tracker/CVE-2021-25219>
- libdns-export1104, libisc-export1100
</pre></p>
<pre>
root@orthos:~# apt policy libdns-export1104
libdns-export1104:
Installed: 1:9.11.5.P4+dfsg-5.1+deb10u3
Candidate: 1:9.11.5.P4+dfsg-5.1+deb10u3
Version table:
*** 1:9.11.5.P4+dfsg-5.1+deb10u3 100
100 /var/lib/dpkg/status
</pre>
<p>According to the <a class="external" href="https://security-tracker.debian.org/tracker/CVE-2021-25219">Debian security tracker</a>, <code>1:9.11.5.P4+dfsg-5.1+deb10u5</code> is vulnerable. This package is buster only and should be removed.</p>
I will remove every buster-only package (thanks to <code>apt-forktracer</code>).
<ul>
<li>✅ Elwing</li>
<li>❔ Jinta (libgcc1 gcc-8-base e2fslibs libcomerr2 multiarch-support linux-image-4.19.0-18-amd64)</li>
<li>✅ Nicecity (libffi6 libnettle6 libgcc1 libapt-pkg5.0 libip4tc0 gcc-8-base libmpx2 e2fslibs libcomerr2 libreadline7 libapt-inst2.0 linux-headers-4.19.0-5-common cpp-8 libip6tc0 multiarch-support linux-image-4.19.0-18-amd64 libisl19 libhogweed4 linux-kbuild-4.19)</li>
<li>✅ Orfeo (libgcc1 libgupnp-1.0-4 gcc-8-base e2fslibs libcomerr2 libreadline5 libgssdp-1.0-3 el-get linux-image-4.19.0-18-amd64)</li>
<li>✅ Orthos (libapt-pkg5.0 libnettle6 libffi6 libprocps7 libjson-c3 libapt-inst2.0 gcc-8-base libip4tc0 libip6tc0 libhogweed4 perl-modules-5.28 libisc-export1100 libdns-export1104 linux-image-4.19.0-14-amd64)</li>
<li>✅ Thorfinn (libgcc1 libtexlua52 gcc-8-base e2fslibs libcomerr2 libbtparse1 el-get multiarch-support linux-image-4.19.0-18-amd64)</li>
<li>✅ Toushirou (libgdbm3 libisc-export160 libhogweed4 echoping linux-image-4.19.0-18-amd64 multiarch-support libip6tc0 libprocps6 libapt-inst2.0 libreadline7 libcomerr2 e2fslibs gcc-8-base libip4tc0 liblogging-stdlog0 linux-image-4.9.0-6-amd64 ttf-dejavu-core libapt-pkg5.0 libgcc1 libunistring0 libnettle6 libffi6 libcryptsetup4)</li>
</ul>
There are some packages not upgraded to bullseye:
<ul>
<li>molly-guard: ✅ <code>0.7.2.0</code> is now used instead of <code>0.7.2.0~buster</code> on every host</li>
<li>rspamd: this package is upgraded manually, the upgrade requires performing some manual checks</li>
</ul>
There are some used packages without any bullseye version:
<ul>
<li>incron: ❔</li>
</ul>
<a class="user active user-mention" href="https://projects.duckcorp.org/users/3">@Marc Dequènes</a> on Jinta, could these packages be removed:
<ul>
<li><a href="https://packages.debian.org/stretch/dict-freedict-all" class="external">dict-freedict-all</a> It looks like there isn't a dict meta package anymore? Should we update a playbook in order to ensure all other dict packages are installed?</li>
<li>dict-moby-thesaurus, dict-bouvier, dict-gazetteer2k</li>
</ul>

DuckCorp Infrastructure - Tracking #731 (Resolved): redmine: disable usage of non-free gravatar s...
https://projects.duckcorp.org/issues/731
2021-09-11T23:29:46Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>The <code>projects.duckcorp.org</code> instance of redmine uses the non-free gravatar service.</p>
<p>Usage of the service should be disabled or another instance backed by a free service should be used.</p>
<p>Note that the <a href="https://www.redmine.org/issues/9112" class="external">next release of redmine</a> will allow choosing an instance other than gravatar.</p>

Bip - Enhancement #343 (New): Allow to blreset all queries or all channels
https://projects.duckcorp.org/issues/343
2014-07-24T00:21:01Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>The <code>blreset</code> command allows resetting the backlog of an entire connection, a chan or a query.</p>
<p>Being able to reset all queries or all channels would be a nice feature.</p>

Bip - Bug #342 (New): 'list connections' command doesn't display status of channels
https://projects.duckcorp.org/issues/342
2014-07-24T00:13:06Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>It seems that output of <code>list connections</code> command should use a suffix on channels without backlog: <a class="source" href="https://projects.duckcorp.org/projects/bip/repository/bip/entry/src/bip.c#L1395">source:src/bip.c#L1395</a>, but this is not the case.</p>
<p><code>list connections</code> doesn't display a suffix on any channel:</p>
<pre>
02:04:18 Pilou | list connections
[...]
02:04:18 -bip | * milkypond to milkypond as "pilou" (pilou!pilou) :
02:04:18 -bip | Options:
02:04:18 -bip | Channels (* with key, ` no backlog) #test #milkypond #DuckCorp
02:04:18 -bip | Status: connected !
</pre>

Bip - Bug #341 (New): 'bip list connections' command should display queries
https://projects.duckcorp.org/issues/341
2014-07-24T00:01:23Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p>The command <code>bip list connections</code> lists channels for all connections.</p>
<p>Queries could be listed too.</p>

Bip - Bug #165 (New): doesn't load openssl support for sha-256 digest
https://projects.duckcorp.org/issues/165
2010-10-26T00:21:16Z Pierre-Louis Bonicoli pierre-louis.bonicoli@ir5.eu
<p><a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601021" class="external">Debian bug #601021</a></p>
<blockquote>
<p>As the subject says, bip doesn't make openssl load support for the sha-256<br />digest algorithm. I've fixed a similar bug in fetchmail a while ago, see<br />Debian bug #576430 for a bit more info on the matter.<br />Attached is a simple patch that forces openssl to load support for everything<br />it knows :)<br />Sjoerd Simons</p>
</blockquote>