DuckCorp Projects: Issues
https://projects.duckcorp.org/ (updated 2022-04-07T00:05:40Z, DuckCorp Projects, generated by Redmine)
DuckCorp Infrastructure - External #768 (Resolved): Loss of the Oxymium/Nerim xco at PA3 on 14/04
https://projects.duckcorp.org/issues/768 (2022-04-07T00:05:40Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>On Toushirou, the current link provided by Acontios will end in one week (2022-04-14).</p>
<p>According to the checks made by Acontios about the used bandwidth, the Nerim link can be used instead of the current one.</p>
<p>An L2TP tunnel will be required in order to keep/use our current IP.</p>
The requirements:
<ol>
<li>✅ If any issue occurs during the migration, a physical access will be required
<ul>
<li>Pilou asked Chojin about it (Pilou will be available 2022-04-11 or 2022-04-13).</li>
</ul>
</li>
<li>✅ Duck: contact Acontios to provide the L2TP setup</li>
</ol>
The required tasks in order to update the configuration:
<ol>
<li>✅ ensure we are able to connect through the Nerim link</li>
<li>✅ remove any reference to the hivane network interface<br /><pre># rgrep -l eth-wan-hivane /etc/
/etc/network/interfaces.d/hivane-link
/etc/network/multihoming
/etc/default/grub
/etc/systemd/network/10_eth-wan-hivane.link
/etc/mp-admin/firewalling
/etc/sysctl.d/90-disable-accept_ra.conf</pre><br />Note that the following services aren't listening on the Nerim IP:
<ul>
<li><code>slapd</code> (TCP ports 389 and 636)</li>
<li><code>apache2</code> (TCP ports 80 and 443)</li>
<li><code>proftpd</code> (TCP port 21)</li>
</ul>
</li>
<li>✅ stop the multihoming setup</li>
<li>✅ run the L2TP service</li>
<li>✅ start the multihoming setup</li>
</ol>
<p>✅ <code>poulet</code>: I have checked that SSH is listening on the IP provided by Nerim (<code>213.215.11.165</code>)</p>
Bip - Enhancement #715 (New): Backlog one channel only
https://projects.duckcorp.org/issues/715 (2020-12-17T09:34:26Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>The backlog command only allows to backlog all the channels from one network.</p>
<p>It would be nice to fetch backlog from one channel only.</p>
<p>From: Debian bug <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668420" class="external">#668420</a>.</p>
DuckCorp Infrastructure - Review #712 (Resolved): Fix 'ipaddr' Jinja filter usage and avoid a fork
https://projects.duckcorp.org/issues/712 (2020-08-28T10:34:19Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/fix_ipaddr_usage" class="external"><code>fix_ipaddr_usage</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Use <code>address</code> parameter with hosts and <code>network</code> parameter with ranges.</p>
<p><code>ipaddr</code> Jinja filter behavior is quite unexpected but a fork of this filter isn't required.</p>
<p>Tested with the following play and command:</p>
<pre><code>- hosts: all
  tasks:
    - debug:
        msg: "{{ item ~ ' : ' ~ (item|ipaddr('address') or item|ipaddr('network')) ~ '/' ~ item|ipaddr('netmask') }}"
      loop: '{{ firewalling.whitelist }}'</code></pre>
<pre><code>$ ansible-playbook -c local -l Elwing test.yaml</code></pre>
<p>The playbook output is the same with these ipaddr versions:</p>
<p>- the one committed<br />- <a href="https://github.com/ansible/ansible/blob/stable-2.9/lib/ansible/plugins/filter/ipaddr.py" class="external">ansible/ansible: branch stable-2.9</a><br />- <a href="https://github.com/ansible-collections/ansible.netcommon/blob/1.1.2/plugins/filter/ipaddr.py" class="external">ansible-collections/ansible.netcommon</a></p>
<p>Relates: <a class="issue tracker-1 status-3 priority-6 priority-high2 closed" title="Bug: restrict LDAP service accounts (Resolved)" href="https://projects.duckcorp.org/issues/646">#646</a></p>
DuckCorp Infrastructure - Review #711 (Resolved): Allow to connect to services hosted on Orthos w...
https://projects.duckcorp.org/issues/711 (2020-08-25T15:42:24Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p><a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git;a=log;h=refs/heads/allow_input_connections_from_hypervisor" class="external"><code>allow_input_connections_from_hypervisor</code></a> branch from <code>duckcorp-infra</code> repository.</p>
<p>Allow input connections from the hypervisor</p>
<p>While being at Conde, without this patch, I am not able to reach <code>sup.duckcorp.org</code>. Indeed the following packet is dropped:</p>
<p>On the hypervisor:</p>
<pre><code>IP 192.168.100.1.33874 > 192.168.100.2.443: Flags [S]</code></pre>
<p>where:</p>
<pre>
192.168.100.1: IP of the hypervisor on the bridge used with libvirt
192.168.100.2: Orthos
</pre>
<p>This patch has been applied already.</p>
DuckCorp Infrastructure - Review #707 (Resolved): ansible-role-zabbix: ignore debian bugs #909750
https://projects.duckcorp.org/issues/707 (2020-07-09T00:45:21Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-zabbix" class="external"><code>ansible-role-zabbix/ignore_debian_bugs_#909750</code></a></p>
<p>Ignore debian bugs #909750, workaround this issue:</p>
<pre>
Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml
Suggested packages:
libgd-tools
The following NEW packages will be installed:
fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0
libjpeg62-turbo libtiff5 libwebp6 libxpm4 php php-bcmath php-gd
php-ldap php-mbstring php-pgsql php-xml php7.3 php7.3-bcmath php7.3-gd
php7.3-ldap php7.3-mbstring php7.3-pgsql php7.3-xml zabbix-frontend-php
0 upgraded, 24 newly installed, 0 to remove and 40 not upgraded.
[...]
serious bugs of libfontconfig1 (-> 2.13.1-2) <Forwarded>
b1 - #909750 - applications tries to write to /usr/* directories via
libfontconfig1
Summary:
libfontconfig1(1 bug)
libfontconfig1 pinned by adding Pin preferences in
/etc/apt/preferences.d/apt-listbugs. Restart APT session to enable
**********************************************************************
****** Exiting with an error in order to stop the installation. ******
**********************************************************************
</pre>
DuckCorp Infrastructure - Review #706 (Resolved): ansible-role-httpd_php_fpm: dont_check_potentia...
https://projects.duckcorp.org/issues/706 (2020-07-08T19:59:48Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/dont_check_potentially_non_existent_path</code></a></p>
<p>Don't check existence of potentially nonexistent paths.</p>
<p>Some paths might be created later, for example: <code>/etc/zabbix/zabbix.conf.php</code>. This file can not be rendered before since owner is created in the following task.<br />Nonexistent path mentioned in <code>open_basedir</code> php configuration seems to be without any consequence.</p>
DuckCorp Infrastructure - Review #705 (Rejected): ansible-role-httpd_php_fpm: create Unix group u...
https://projects.duckcorp.org/issues/705 (2020-07-08T19:49:29Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/ansible-role-httpd_php_fpm" class="external"><code>ansible-role-httpd_php_fpm/create_unix_group_for_pool_workers</code></a></p>
<p>Create Unix group used for pool workers.</p>
<p>Fix this error:</p>
<pre>
TASK [zabbix : Generate Zabbix UI configuration]
task path: duckcorp-infra/ansible/roles/zabbix/tasks/webui.yml:30
fatal: [Orthos]: FAILED! => {
"changed": false,
"owner": "root",
"group": "root",
"mode": "0644",
"msg": "chgrp failed: failed to look up group php_sup.duckcorp.org",
"path": "/etc/zabbix/zabbix.conf.php",
"state": "file",
}
</pre>
DuckCorp Infrastructure - Review #704 (Resolved): duckcorp-infra: move supervision server
https://projects.duckcorp.org/issues/704 (2020-07-08T03:04:18Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>Repository/branch: <a href="https://vcs-git-viewer.duckcorp.org/?p=duckcorp/duckcorp-infra.git" class="external"><code>duckcorp-infra/move_sup_server</code></a></p>
<p>Supervision server: use Orthos instead of Nicecity</p>
<p>Tested with check mode enabled only using the following command:<br /><pre>
ansible-playbook --check -vv --diff playbooks/dc.yml -l Orthos -e_pg_version=11 -ehttpd_version=2.4.38 -ephp_minor_version=7.3
</pre></p>
Bip - Bug #481 (In Progress): Fix log level for erroneous messages
https://projects.duckcorp.org/issues/481 (2015-10-13T12:54:28Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>Bip should display IRC <a href="https://tools.ietf.org/html/rfc1459#section-6" class="external">errors</a> sent by IRC servers using <code>error</code> log level.</p>
<p>The current behaviour is:<br /><pre>
13-10-2015 14:48:14 DEBUG: ":irc.server.local 432 * Pilou :Nickname too long, max. 9 characters
</pre></p>
Bip - Bug #432 (Resolved): authenticated bip users could stop bip daemon
https://projects.duckcorp.org/issues/432 (2015-01-15T03:56:50Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>Fran found that these commands allow an authenticated bip user to stop bip daemon:<br /><pre>
{ echo PASS bipnick:mysecretpassword:freenode; echo NICK Pilou; echo USER Pilou 0 Pilou :blah; sleep 2; } | telnet 127.0.0.1 7778 | read
</pre></p>
<pre>
15-01-2015 04:26:44 DEBUG: Trying to accept new client on 0
15-01-2015 04:26:44 DEBUG: New client on socket 41 !
15-01-2015 04:26:44 DEBUG: fd:41 Connection established !
15-01-2015 04:26:44 DEBUG: "PASS bipnick:mysecretpassword:freenode"
15-01-2015 04:26:44 DEBUG: "NICK Pilou"
15-01-2015 04:26:44 DEBUG: "USER Pilou 0 Pilou :blah"
15-01-2015 04:26:44 DEBUG: Connection close asked. FD:41
15-01-2015 04:26:44 DEBUG: A client connected
15-01-2015 04:26:44 FATAL: select(): Bad file descriptor
</pre>
Bip - Bug #431 (New): bip is leaking file descriptors
https://projects.duckcorp.org/issues/431 (2015-01-15T02:01:19Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>fran wrote:</p>
<blockquote>
<p>bip is leaking file descriptors on my server, and the fix is pretty easy: on connection.c, on read_socket, whenever read returns <1 and errno is different to EAGAIN and EINTR, the socket MUST be closed <br />because read will not return 0 on the following iterations of select (cause it's not added to the read fd_set after that), plus after read failing with fatal error it keeps returning -1</p>
</blockquote>
Bip - Enhancement #343 (New): Allow to blreset all queries or all channels
https://projects.duckcorp.org/issues/343 (2014-07-24T00:21:01Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p><code>blreset</code> command allows to reset backlog of an entire connection, a chan, a query.</p>
<p>Being able to reset all queries or all channels would be a nice feature.</p>
Bip - Bug #342 (New): 'list connections' command doesn't display status of channels
https://projects.duckcorp.org/issues/342 (2014-07-24T00:13:06Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>It seems that output of <code>list connections</code> command should use a suffix on channels without backlog: <a class="source" href="https://projects.duckcorp.org/projects/bip/repository/bip/entry/src/bip.c#L1395">source:src/bip.c#L1395</a>, but this is not the case.</p>
<p><code>list connections</code> doesn't display a suffix on any channel:</p>
<pre>
02:04:18 Pilou | list connections
[...]
02:04:18 -bip | * milkypond to milkypond as "pilou" (pilou!pilou) :
02:04:18 -bip | Options:
02:04:18 -bip | Channels (* with key, ` no backlog) #test #milkypond #DuckCorp
02:04:18 -bip | Status: connected !
</pre>
Bip - Bug #341 (New): 'bip list connections' command should display queries
https://projects.duckcorp.org/issues/341 (2014-07-24T00:01:23Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p>The command <code>bip list connections</code> lists channels for all connections.</p>
<p>Queries could be listed too.</p>
Bip - Bug #165 (New): doesn't load openssl support for sha-256 digest
https://projects.duckcorp.org/issues/165 (2010-10-26T00:21:16Z, Pierre-Louis Bonicoli, pierre-louis.bonicoli@ir5.eu)
<p><a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601021" class="external">Debian bug #601021</a></p>
<blockquote>
<p>As the subject says, bip doesn't make openssl load support for the sha-256<br />digest algorithm. I've fixed a similar bug in fetchmail a while ago, see<br />Debian bug #576430 for a bit more info on the matter.<br />Attached is a simple patch that forces openssl to load support for everything<br />it knows :)<br />Sjoerd Simons</p>
</blockquote>