<p><strong>DuckCorp Projects: Issues</strong><br /><a href="https://projects.duckcorp.org/">https://projects.duckcorp.org/</a>, updated 2022-04-07T00:05:40Z</p>
<p><strong>DuckCorp Infrastructure - External #768 (Resolved): Loss of the Oxymium/Nerim xco at PA3 on 14/04</strong><br /><a href="https://projects.duckcorp.org/issues/768">https://projects.duckcorp.org/issues/768</a>, 2022-04-07T00:05:40Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>On Toushirou, the current link provided by Acontios will end in one week (2022-04-14).</p>
<p>According to the checks made by Acontios about the bandwidth used, the Nerim link can be used instead of the current one.</p>
<p>A L2TP tunnel will be required in order to keep/use our current IP.</p>
The requirements:
<ol>
<li>✅ If any issue occurs during the migration, physical access will be required
<ul>
<li>Pilou asked Chojin about it (Pilou will be available 2022-04-11 or 2022-04-13).</li>
</ul>
</li>
<li>✅ Duck: contact Acontios to provide the L2TP setup</li>
</ol>
The required tasks in order to update the configuration:
<ol>
<li>✅ ensure we are able to connect through the Nerim link</li>
<li>✅ remove any reference to the hivane network interface<br /><pre># rgrep -l eth-wan-hivane /etc/
/etc/network/interfaces.d/hivane-link
/etc/network/multihoming
/etc/default/grub
/etc/systemd/network/10_eth-wan-hivane.link
/etc/mp-admin/firewalling
/etc/sysctl.d/90-disable-accept_ra.conf</pre><br />Note that the following services aren't listening on the Nerim IP:
<ul>
<li><code>slapd</code> (TCP ports 389 and 636)</li>
<li><code>apache2</code> (TCP ports 80 and 443)</li>
<li><code>proftpd</code> (TCP port 21)</li>
</ul>
</li>
<li>✅ stop the multihoming setup</li>
<li>✅ run the L2TP service</li>
<li>✅ start the multihoming setup</li>
</ol>
<p>✅ <code>poulet</code>: I have checked that SSH is listening on the IP provided by Nerim (<code>213.215.11.165</code>)</p>
<p><strong>DuckCorp Infrastructure - Review #712 (Resolved): Fix 'ipaddr' Jinja filter usage and avoid a fork</strong><br /><a href="https://projects.duckcorp.org/issues/712">https://projects.duckcorp.org/issues/712</a>, 2020-08-28T10:34:19Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/fix_ipaddr_usage" class="external"><code>fix_ipaddr_usage</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Use <code>address</code> parameter with hosts and <code>network</code> parameter with ranges.</p>
<p>The <code>ipaddr</code> Jinja filter behavior is quite unexpected, but a fork of this filter isn't required.</p>
<p>Tested with the following play and command:</p>
<pre><code>- hosts: all
  tasks:
    - debug:
        msg: "{{ item ~ ' : ' ~ (item|ipaddr('address') or item|ipaddr('network')) ~ '/' ~ item|ipaddr('netmask') }}"
      loop: '{{ firewalling.whitelist }}'</code></pre>
<pre><code>$ ansible-playbook -c local -l Elwing test.yaml</code></pre>
<p>The playbook output is the same with these ipaddr versions:</p>
<ul>
<li>the one committed</li>
<li><a href="https://github.com/ansible/ansible/blob/stable-2.9/lib/ansible/plugins/filter/ipaddr.py" class="external">ansible/ansible: branch stable-2.9</a></li>
<li><a href="https://github.com/ansible-collections/ansible.netcommon/blob/1.1.2/plugins/filter/ipaddr.py" class="external">ansible-collections/ansible.netcommon</a></li>
</ul>
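<p>As an added illustration (not code from the <code>fix_ipaddr_usage</code> branch nor from Ansible's <code>ipaddr.py</code>), a minimal stdlib re-implementation of the three queries the test play uses, showing why <code>address or network</code> is needed when a whitelist mixes single hosts and CIDR ranges. The behaviour of <code>address</code> on a bare network such as <code>192.168.100.0/24</code> is modelled on the netaddr-based filter and is an assumption here; the whitelist values are constructed.</p>

```python
# Added example: stdlib model of the ipaddr() queries used in the test play.
# Not DuckCorp's code and not Ansible's filter; 'address' semantics on a bare
# network are an assumption modelled on the netaddr-based implementation.
import ipaddress


def ipaddr(value, query):
    """Mimic ipaddr(value, query) for the 'address', 'network' and 'netmask'
    queries. Returns False for values that are not IP addresses, and None
    when the query has no meaningful answer (e.g. 'address' of a bare network).
    """
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError:
        return False  # the real filter also yields False for non-IP values
    net = iface.network
    if query == "netmask":
        return str(net.netmask)
    if query == "network":
        return str(net.network_address)
    if query == "address":
        # A single host (/32 or /128) always has an address.
        if net.num_addresses == 1:
            return str(iface.ip)
        # In a range, only a host *inside* it has an address; the network
        # address itself (192.168.100.0/24) does not, hence the `or network`.
        if iface.ip != net.network_address:
            return str(iface.ip)
        return None
    raise ValueError(f"unsupported query: {query}")


def whitelist_line(item):
    """Render one firewalling.whitelist entry the way the test play's msg does:
    '<item> : <address-or-network>/<netmask>'."""
    host_or_net = ipaddr(item, "address") or ipaddr(item, "network")
    return f"{item} : {host_or_net}/{ipaddr(item, 'netmask')}"


# Constructed whitelist: a host, a range, and a host written with a prefix.
SAMPLE_WHITELIST = ["213.215.11.165", "192.168.100.0/24", "10.1.2.3/8"]

if __name__ == "__main__":
    for entry in SAMPLE_WHITELIST:
        print(whitelist_line(entry))
```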
<p>Relates: <a class="issue tracker-1 status-3 priority-6 priority-high2 closed" title="Bug: restrict LDAP service accounts (Resolved)" href="https://projects.duckcorp.org/issues/646">#646</a></p>
<p><strong>DuckCorp Infrastructure - Review #711 (Resolved): Allow to connect to services hosted on Orthos w...</strong><br /><a href="https://projects.duckcorp.org/issues/711">https://projects.duckcorp.org/issues/711</a>, 2020-08-25T15:42:24Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/allow_input_connections_from_hypervisor" class="external"><code>allow_input_connections_from_hypervisor</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Allow input connections from the hypervisor</p>
<p>While being at Conde, without this patch, I am not able to reach <code>sup.duckcorp.org</code>. Indeed the following packet is dropped:</p>
<p>On the hypervisor:</p>
<pre><code>IP 192.168.100.1.33874 > 192.168.100.2.443: Flags [S]</code></pre>
<p>where:</p>
<pre>
192.168.100.1: IP of the hypervisor on the bridge used with libvirt
192.168.100.2: Orthos
</pre>
<p>This patch has been applied already.</p>
<p><strong>DuckCorp Infrastructure - Review #707 (Resolved): ansible-role-zabbix: ignore debian bugs #909750</strong><br /><a href="https://projects.duckcorp.org/issues/707">https://projects.duckcorp.org/issues/707</a>, 2020-07-09T00:45:21Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/ignore_debian_bugs_#909750</code></a></p>
<p>Ignore Debian bug #909750, to work around this issue:</p>
<pre>
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml
Suggested packages:
libgd-tools
The following NEW packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml zabbix-frontend-php
0 upgraded, 24 newly installed, 0 to remove and 40 not upgraded.
[...]
serious bugs of libfontconfig1 (-> 2.13.1-2) <Forwarded>
b1 - #909750 - applications tries to write to /usr/* directories via
libfontconfig1
Summary:
libfontconfig1(1 bug)
libfontconfig1 pinned by adding Pin preferences in
/etc/apt/preferences.d/apt-listbugs. Restart APT session to enable
**********************************************************************
****** Exiting with an error in order to stop the installation. ******
**********************************************************************
</pre>
<p><strong>DuckCorp Infrastructure - Review #706 (Resolved): ansible-role-httpd_php_fpm: dont_check_potentia...</strong><br /><a href="https://projects.duckcorp.org/issues/706">https://projects.duckcorp.org/issues/706</a>, 2020-07-08T19:59:48Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/dont_check_potentially_non_existent_path</code></a></p>
<p>Don't check the existence of potentially nonexistent paths.</p>
<p>Some paths might be created later, for example <code>/etc/zabbix/zabbix.conf.php</code>. This file cannot be rendered earlier since its owner is created in the following task.<br />A nonexistent path mentioned in the <code>open_basedir</code> PHP configuration seems to have no consequence.</p>
<p><strong>DuckCorp Infrastructure - Review #705 (Rejected): ansible-role-httpd_php_fpm: create Unix group u...</strong><br /><a href="https://projects.duckcorp.org/issues/705">https://projects.duckcorp.org/issues/705</a>, 2020-07-08T19:49:29Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/create_unix_group_for_pool_workers</code></a></p>
<p>Create Unix group used for pool workers.</p>
<p>Fix this error:</p>
<pre>
TASK [zabbix : Generate Zabbix UI configuration]
task path: duckcorp-infra/ansible/roles/zabbix/tasks/webui.yml:30
fatal: [Orthos]: FAILED! => {
"changed": false,
"owner": "root",
"group": "root",
"mode": "0644",
"msg": "chgrp failed: failed to look up group php_sup.duckcorp.org",
"path": "/etc/zabbix/zabbix.conf.php",
"state": "file",
}
</pre>
<p><strong>DuckCorp Infrastructure - Review #703 (Resolved): dc-web: improve check mode support</strong><br /><a href="https://projects.duckcorp.org/issues/703">https://projects.duckcorp.org/issues/703</a>, 2020-07-08T02:52:52Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/dc-web_check_mode</code></a></p>
Improve check mode support:
<ul>
<li>don't fail when <code>rsync</code> binary isn't installed</li>
<li>allow <code>apache2_module</code> to fail when check mode is enabled and <code>apache2ctl</code> isn't installed yet</li>
</ul>
<p><strong>DuckCorp Infrastructure - Review #702 (Resolved): ansible-role-httpd_php_fpm: improve check mode ...</strong><br /><a href="https://projects.duckcorp.org/issues/702">https://projects.duckcorp.org/issues/702</a>, 2020-07-07T09:36:07Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/improve_check_mode_handling</code></a></p>
Improve check mode support:
<ul>
<li>check mode: handle <code>apache2_module</code> failure</li>
<li>don't check path existence when check mode is enabled</li>
<li>Check mode: don't fail when <code>php</code> binary isn't installed</li>
</ul>
One unrelated change included:
<ul>
<li>Ensure <code>php_minor_version</code> var isn't empty</li>
</ul>
<p><strong>DuckCorp Infrastructure - Review #701 (Resolved): ansible-role-zabbix: improve check mode support</strong><br /><a href="https://projects.duckcorp.org/issues/701">https://projects.duckcorp.org/issues/701</a>, 2020-07-01T16:44:58Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/check_mode_support</code></a>.</p>
Improve check mode support:
<ul>
<li>when <code>psycopg/PostgreSQL</code> isn't installed yet</li>
<li>always execute <code>timedatectl</code> command</li>
</ul>
<p><strong>DuckCorp Infrastructure - Review #681 (Resolved): Undefined attribute: mda_usergroup</strong><br /><a href="https://projects.duckcorp.org/issues/681">https://projects.duckcorp.org/issues/681</a>, 2019-10-09T10:18:46Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Fix the following error:</p>
<pre>
$ ansible-playbook playbooks/tenants/duckcorp/security.yml -u root
TASK [dc-antivirus : ClamAV Setup -- Connection Type] ***********************************************************************************************************************
fatal: [Orfeo]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'mda_usergroup'\n\nThe error appears to be in '/srv/share/src/duckcorp/duckcorp-infra.git/ansible/roles/dc-antivirus/tasks/main.yml': line 21, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n notify: Reconfigure ClamAV\n- name: ClamAV Setup -- Connection Type\n ^ here\n"}
</pre>
<p><strong>DuckCorp Infrastructure - Review #562 (Rejected): Fix "Invalid SCRIPTWHITELIST configuration opti...</strong><br /><a href="https://projects.duckcorp.org/issues/562">https://projects.duckcorp.org/issues/562</a>, 2017-06-19T12:27:16Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Could you review the <code>rkhunter_lwp_request_isnt_a_dependency</code> branch?</p>
<p><code>lwp-request</code> belongs to <code>libwww-perl</code>, but <code>libwww-perl</code> isn't a dependency of <code>rkhunter</code>.</p>
<p><strong>UFWI - Bug #418 (Resolved): configure - make error</strong><br /><a href="https://projects.duckcorp.org/issues/418">https://projects.duckcorp.org/issues/418</a>, 2014-11-25T22:46:46Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Hello,<br />when installing the ufwi-base module, make generates a src/MakeFile containing an error: installing with make install calls the script security.h twice in a row, which returns an error message. The generated MakeFile therefore has to be edited and the second security.h removed for the installation to work properly:</p>
<pre>
src/MakeFile
line 223:
include_HEADERS = linuxlist.h config-table.h ipv6.h log.h ufwibase.h packet_par$
 <strong>security.h</strong> debug.h documentation.h jhash.h ufwi_source.h proto.$
 proto_v3.h proto_v4.h proto_v5.h <strong>security.h</strong>
</pre>
<p>Sorry for my bad English.</p>
<p>Tested on Linux Mint Debian 3.0.0-1-amd64</p>
<p>Added by Cyril PIERRÉ</p>
<p><strong>Bip - Bug #339 (Rejected): Client side ssl not working</strong><br /><a href="https://projects.duckcorp.org/issues/339">https://projects.duckcorp.org/issues/339</a>, 2014-06-10T14:02:00Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>kick wrote on IRC:</p>
<blockquote>
<p>I copied my working config file from my bip 0.8.8-2<br />and I've got SSL handshake problems.<br />I'm using Ubuntu trusty for bip 0.8.9-1.<br />I have a bip.pem set, with good owner and permissions.</p>
</blockquote>
<p>Error in client:</p>
<blockquote>
<p>connexion a échoué. Erreur : (336151568) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure</p>
</blockquote>
<p>bip.log contains:</p>
<blockquote>
<p>139638493165216:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1358:ERROR: Error in SSL handshake.</p>
</blockquote>
<p><strong>bip 0.8.8-2, sslv3</strong><br /><pre>
openssl s_client -ssl3 -connect edited.bip.server:7778
CONNECTED(00000003)
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify error:num=18:self signed certificate
verify return:1
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify return:1
---
Certificate chain
0 s:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
i:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
Server certificate
-----BEGIN CERTIFICATE-----
EDITED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
issuer=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
No client certificate CA names sent
---
SSL handshake has read 2318 bytes and written 364 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: EDITED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: EDITED XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1402406408
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
</pre></p>
<p><strong>bip 0.8.8-2, tls1</strong><br /><pre>
openssl s_client -tls1 -connect server.bip.edited:7778
CONNECTED(00000003)
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify error:num=18:self signed certificate
verify return:1
depth=0 C = fr, O = Sexy boys, OU = Bip, CN = Bip
verify return:1
---
Certificate chain
0 s:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
i:/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
Server certificate
-----BEGIN CERTIFICATE-----
Edited XXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
subject=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
issuer=/C=fr/O=Sexy boys/OU=Bip/CN=Bip
---
No client certificate CA names sent
---
SSL handshake has read 2454 bytes and written 423 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: Edited XXXXXXXXXXXXXXXXXXXXXXX
Session-ID-ctx:
Master-Key: Edited XXXXXXXXXXXXXXXXXXXXXXX
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 60 (seconds)
TLS session ticket:
0000 - 0d b9 57 57 8b b7 cd bf-70 3c 72 79 d0 f4 6f 81 ..WW....p<ry..o.
0010 - e4 30 64 d1 97 96 62 05-8c ed 45 8e d8 36 d6 52 .0d...b...E..6.R
0020 - 37 65 b5 7d 6d 19 5c 8e-22 ab 31 4c a5 b9 ac 6a 7e.}m.\.".1L...j
Edited XXXXXXXXXXXXXXXXXXXXXXX
0080 - f7 cc ab e5 18 cc 33 28-b0 7a 12 46 3f 21 ba 1b ......3(.z.F?!..
0090 - c0 9b 4c 8b 61 3a 4d d4-78 e8 77 91 80 b9 ab a1 ..L.a:M.x.w.....
Start Time: 1402406391
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
</pre></p>
<p><strong>bip 0.8.9-1, sslv3</strong><br /><pre>
openssl s_client -ssl3 -connect edited:7778
CONNECTED(00000003)
140228681320096:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140228681320096:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1402406211
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
</pre></p>
<p><strong>bip 0.8.9-1, tls1</strong><br /><pre>
openssl s_client -tls1 -connect edited:7778
CONNECTED(00000003)
140587600295584:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
140587600295584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1402406299
Timeout : 7200 (sec)
Verify return code: 0 (ok)
</pre></p>
<p><strong>Bip - Bug #265 (Resolved): bip segfaults when a client uses a password with a space</strong><br /><a href="https://projects.duckcorp.org/issues/265">https://projects.duckcorp.org/issues/265</a>, 2011-12-20T01:08:58Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>Reported by Tim Hansen</p>
<p>The bip log shows:<br />19-12-2011 16:56:42 ERROR: [*connecting*] Error in protocol, closing...</p>
<p>I can reproduce it (impossible to use a space in the password), but the segfault didn't happen.</p>
<p><strong>MyCyma - Cosmetic #3 (Rejected): Upper case acute accent is not correctly displayed</strong><br /><a href="https://projects.duckcorp.org/issues/3">https://projects.duckcorp.org/issues/3</a>, 2008-11-23T21:32:53Z, Pierre-Louis Bonicoli (pierre-louis.bonicoli@ir5.eu)</p>
<p>In the Admin UI, see the attached file.</p>