Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2019-07-02T16:38:11Zhttps://gitlab.com/sympl.io/sympl/-/issues/245Job Failed #83802019-07-02T16:38:11ZPaul CammishJob Failed #8380This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/244Incorrect permissions on dkim selector file2019-06-28T16:43:46ZPaul CammishIncorrect permissions on dkim selector fileMy dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlys...My dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlysympl.gentlyhosting.uk/config/dkim: Permission denied (euid=105 egid=109)
What should the permissions / ownership be set to? The uid / gid referred to in the error are both Debian-exim. Can sympl automatically adjust these permissions if a specific set are required?Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/242sympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crt2019-06-26T14:59:50ZPaul Cammishsympl-mail-dovecot-sni should use ssl.bundle rather than ssl.crtAs is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.As is, it provides the cert, but not the bundle, meaning the chain is broken.
It's worth investigating of the exim sni configuration has the same issue also.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/233An installer script would be nice...2019-06-20T22:41:04ZPaul CammishAn installer script would be nice...This would allow us to run a single command which would install Sympl and set the relevant option so the user is not prompted at all.
This would also be able to point the user to documentation and make them aware of things like the `sym...This would allow us to run a single command which would install Sympl and set the relevant option so the user is not prompted at all.
This would also be able to point the user to documentation and make them aware of things like the `sympl` user using the `root` users password (which may not be secure) and/or force them to set a new one and include the root users authorized keys file.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/232Sympl determines host name incorrectly during install2022-04-26T09:50:34ZPaul CammishSympl determines host name incorrectly during installDuring the install, sympl creates a 'default' directory based on the hostname of the machine. However, it incorrectly uses the domain 'localdomain' when creating this directory.
On a clean debian machine, the /etc/hostname file contains...During the install, sympl creates a 'default' directory based on the hostname of the machine. However, it incorrectly uses the domain 'localdomain' when creating this directory.
On a clean debian machine, the /etc/hostname file contains a bare hostname. Code in core/debian/postinst uses this file as the hostname, and if it sees a 'bare' hostname, appends 'localdomain' to the hostname read from the file.
The debian installation had a full hostname specified, and typing
hostname -f
retrieves this full host name correctly.
The postinst script will also fall back to using hostname -f if /etc/hostname exists.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/231sympl-filesystem-security: /srv/example.com/public is not set 27752019-06-12T13:11:10ZPaul Cammishsympl-filesystem-security: /srv/example.com/public is not set 2775Looks like I missed this when I was putting the script together, should be a simple fix:
`find "${domain}/public" ! -type l ! \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)`
sympl-filesyste...Looks like I missed this when I was putting the script together, should be a simple fix:
`find "${domain}/public" ! -type l ! \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)`
sympl-filesystem-security should also check config/ssl/sets exists before trying to do anything with it
Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/230sympl-web: Logs directory is not automatically created2019-06-12T13:11:07ZPaul Cammishsympl-web: Logs directory is not automatically createdThis looks to happen when the directory is not owned by a non-system user, and is likely in `sympl-web-logger`
Adding this to sympl-web-configure in a relevant place should fix it:
```ruby
dirname = File.dirname("#{domain.directory}...This looks to happen when the directory is not owned by a non-system user, and is likely in `sympl-web-logger`
Adding this to sympl-web-configure in a relevant place should fix it:
```ruby
dirname = File.dirname("#{domain.directory}/public/logs/.")
unless File.directory?(dirname)
verbose "\tCReating log directory #{dirname}"
FileUtils.mkdir_p(dirname)
FileUtils.chown_R 'sympl', 'sympl', dirname, :verbose => true
end
```Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/220Web stats are insecure and need updating2019-06-12T13:10:49ZPaul CammishWeb stats are insecure and need updatingIt's unclear if the stats stuff even gets used, as it's not mentioned much in the old Symbiosis docs.
However, some time ago it was supposed to be disabled by default, but that's not the case, so it's automatically generated for each si...It's unclear if the stats stuff even gets used, as it's not mentioned much in the old Symbiosis docs.
However, some time ago it was supposed to be disabled by default, but that's not the case, so it's automatically generated for each site at /stats, and doesn't require any auth at all.
This should either be secured properly, or replaced with something a bit more up to date, like goaccess which has a package and is realtime.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/224Web: `sympl-web-* --manual` requires sympl-common package2019-06-28T15:08:51ZPaul CammishWeb: `sympl-web-* --manual` requires sympl-common packageThis isn't a problem when building in gitlab-ci, but breaks otherwise.
Option 1: Add sympl-common as a build dependency. (quick but untidy!)
Option 2: Make them work like the others and output the man page without any dependencies.
Opt...This isn't a problem when building in gitlab-ci, but breaks otherwise.
Option 1: Add sympl-common as a build dependency. (quick but untidy!)
Option 2: Make them work like the others and output the man page without any dependencies.
Option 2 is the best option here, especially as the libs aren't needed elsewhere.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/221Symbiosis: symbiosis-httpd-logger is run where it's not really needed2019-06-20T13:24:05ZPaul CammishSymbiosis: symbiosis-httpd-logger is run where it's not really neededThe HTTP and HTTPS templates for sites both run the symbiosis-httpd-logger process (aka sypl-web-logger) which does little other than write logs owned by the admin user.
This is useful for the zz-mass-hosting configuration, as it then w...The HTTP and HTTPS templates for sites both run the symbiosis-httpd-logger process (aka sypl-web-logger) which does little other than write logs owned by the admin user.
This is useful for the zz-mass-hosting configuration, as it then writes logs to the relevant locations, but it's wasted resources when you have a lot of sites running.
If #219 happens, then the templates should just write the files directly via the normal apache method.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/213XMPP support is to be retired.2019-06-07T14:25:53ZPaul CammishXMPP support is to be retired.1. It requires backports in Stretch
2. There little to no evidence if it being used1. It requires backports in Stretch
2. There little to no evidence if it being usedSympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/212Finish SNI for Support Exim and Dovecot2019-06-20T13:23:25ZPaul CammishFinish SNI for Support Exim and DovecotIt's possible to do this in Symbiosis with some changes, and a legacy branch included the change for Exim, however, the dovecot change will need a little more work.
https://docs.bytemark.co.uk/article/enabling-sni-for-exim-on-symbiosis/...It's possible to do this in Symbiosis with some changes, and a legacy branch included the change for Exim, however, the dovecot change will need a little more work.
https://docs.bytemark.co.uk/article/enabling-sni-for-exim-on-symbiosis/
https://docs.bytemark.co.uk/article/enabling-sni-for-dovecot-on-symbiosis/Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/229sympl-webmail: Roundcube configuration is broken2019-06-13T18:38:57ZPaul Cammishsympl-webmail: Roundcube configuration is brokenIt's unclear why, but it may be due to the defaults being misapplied on install, but it reports a problem connecting to the database.
This will need tests created also, as they are missing at present.It's unclear why, but it may be due to the defaults being misapplied on install, but it reports a problem connecting to the database.
This will need tests created also, as they are missing at present.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/217sympl-backup: Pre/post backup scripts need updating2019-06-13T23:36:45ZPaul Cammishsympl-backup: Pre/post backup scripts need updatingThey do 3 things:
1. Sync a copy of any existing backups from the backup space.
2. Dump MySQL and Postgres(!?) databases, although not particularly well.
3. Sync the result of the backups to the backup space once complete.
This uses the...They do 3 things:
1. Sync a copy of any existing backups from the backup space.
2. Dump MySQL and Postgres(!?) databases, although not particularly well.
3. Sync the result of the backups to the backup space once complete.
This uses the old deprecated Bytemark backup space, determining the destination server via the hostname of the local server, although this can be configured.
It's probably worth replacing the backup sync functionality with a couple of popular options and replacing the SQL dump script with something more modern which doesn't lock tables when dumping.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/170Symbiosis: Request: Write mysql root credentials to /root/.my.cnf when imaging.2019-06-09T23:33:49ZPaul CammishSymbiosis: Request: Write mysql root credentials to /root/.my.cnf when imaging.Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/56
(Note: This may be something for imager, or Stretch, but applied to Symbiosis *images* only)
It's never clear that the `root`, `admin` and mysql `root@localhost` ...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/56
(Note: This may be something for imager, or Stretch, but applied to Symbiosis *images* only)
It's never clear that the `root`, `admin` and mysql `root@localhost` users all have the same password in a newly imaged machine, which leads to users likely changing the root/admin passwords like they should, and not making note of the `root@localhost` password we set for mysql.
Simply writing the below to `/root/.my.cnf` (with relevant permissions) would make password recovery simpler, and allow the user to log in directly.
```config
[client]
user=root
password="<example>"
```
There's a small outside risk to this, by keeping it in `/root` would negate most of this, and make things simpler for users.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/219Administrative user should be named something unique / permissions tidyup2019-06-09T23:34:46ZPaul CammishAdministrative user should be named something unique / permissions tidyupAs is, Symbiosis has an 'admin' user which is used for most functions, and (in theory) some level of security, although this is weakly enforced, and there is a possibility of a name collision.
A better alternative would probably be to h...As is, Symbiosis has an 'admin' user which is used for most functions, and (in theory) some level of security, although this is weakly enforced, and there is a possibility of a name collision.
A better alternative would probably be to have a user called 'sympl' or similar which would own the configs, files and so on, and then it would be safe to chown/chmod items in the config directory to prevent access to things which should be secure.
This looks to be a fairly simple change, and would go with giving the user a proper home directory (/home/sympl) rather than forcing them to use /srv, which becomes untidy quickly, and gives us the opportunity to pre-populate some basic settings (prompt, etc) for ease of use.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/17symbiosis-password-test doesn't do anything serious2019-06-10T15:01:48ZPaul Cammishsymbiosis-password-test doesn't do anything seriousThis will also need the old ruby-cracklib code swapping to use ruby-password.
As is, it won't check for weak passwords, which is it's core function.This will also need the old ruby-cracklib code swapping to use ruby-password.
As is, it won't check for weak passwords, which is it's core function.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/16symbiosis-encrypt-password doesn't check for weak passwords2019-06-10T15:01:46ZPaul Cammishsymbiosis-encrypt-password doesn't check for weak passwordsNeeds to be updated to use ruby-password rather than cracklibNeeds to be updated to use ruby-password rather than cracklibSympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/13poppass_handler.rb no longer checks passwords for complexity2019-06-10T15:01:30ZPaul Cammishpoppass_handler.rb no longer checks passwords for complexity`email/lib/symbiosis/email/poppass_handler.rb` has been switched from ruby-cracklib to plain ruby-password.
As part of the change (quick fix), it no longer enforces password complexity, allowing weak and possibly compromisable passwords.`email/lib/symbiosis/email/poppass_handler.rb` has been switched from ruby-cracklib to plain ruby-password.
As part of the change (quick fix), it no longer enforces password complexity, allowing weak and possibly compromisable passwords.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/209Build tests should check upgrading from a current install2019-06-11T12:02:28ZPaul CammishBuild tests should check upgrading from a current installThis should prevent an upgrade breaking all the versions.This should prevent an upgrade breaking all the versions.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammish