Sympl issueshttps://gitlab.com/sympl.io/sympl/-/issues2019-06-09T23:34:46Zhttps://gitlab.com/sympl.io/sympl/-/issues/219Administrative user should be named something unique / permissions tidyup2019-06-09T23:34:46ZPaul CammishAdministrative user should be named something unique / permissions tidyupAs is, Symbiosis has an 'admin' user which is used for most functions, and (in theory) some level of security, although this is weakly enforced, and there is a possibility of a name collision.
A better alternative would probably be to h...As is, Symbiosis has an 'admin' user which is used for most functions, and (in theory) some level of security, although this is weakly enforced, and there is a possibility of a name collision.
A better alternative would probably be to have a user called 'sympl' or similar which would own the configs, files and so on, and then it would be safe to chown/chmod items in the config directory to prevent access to things which should be secure.
This looks to be a fairly simple change, and would go with giving the user a proper home directory (/home/sympl) rather than forcing them to use /srv, which becomes untidy quickly, and gives us the opportunity to pre-populate some basic settings (prompt, etc) for ease of use.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/233An installer script would be nice...2019-06-20T22:41:04ZPaul CammishAn installer script would be nice...This would allow us to run a single command which would install Sympl and set the relevant option so the user is not prompted at all.
This would also be able to point the user to documentation and make them aware of things like the `sym...This would allow us to run a single command which would install Sympl and set the relevant option so the user is not prompted at all.
This would also be able to point the user to documentation and make them aware of things like the `sympl` user using the `root` users password (which may not be secure) and/or force them to set a new one and include the root users authorized keys file.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/209Build tests should check upgrading from a current install2019-06-11T12:02:28ZPaul CammishBuild tests should check upgrading from a current installThis should prevent an upgrade breaking all the versions.This should prevent an upgrade breaking all the versions.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/212Finish SNI for Support Exim and Dovecot2019-06-20T13:23:25ZPaul CammishFinish SNI for Support Exim and DovecotIt's possible to do this in Symbiosis with some changes, and a legacy branch included the change for Exim, however, the dovecot change will need a little more work.
https://docs.bytemark.co.uk/article/enabling-sni-for-exim-on-symbiosis/...It's possible to do this in Symbiosis with some changes, and a legacy branch included the change for Exim, however, the dovecot change will need a little more work.
https://docs.bytemark.co.uk/article/enabling-sni-for-exim-on-symbiosis/
https://docs.bytemark.co.uk/article/enabling-sni-for-dovecot-on-symbiosis/Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/244Incorrect permissions on dkim selector file2019-06-28T16:43:46ZPaul CammishIncorrect permissions on dkim selector fileMy dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlys...My dkim selector file is currently owned by sympl:sympl, with permissions set to 660.
I received the following error in my logs overnight:
2019-06-27 06:39:42 1hgN8H-0005FM-Rw failed to expand dkim_selector: failed to open /srv/gentlysympl.gentlyhosting.uk/config/dkim: Permission denied (euid=105 egid=109)
What should the permissions / ownership be set to? The uid / gid referred to in the error are both Debian-exim. Can sympl automatically adjust these permissions if a specific set are required?Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/245Job Failed #83802019-07-02T16:38:11ZPaul CammishJob Failed #8380This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:This is breaking phpMyAdmin, which should be split into a separate config as it's being retired.
Job [#8380](https://gitlab.mythic-beasts.com/sympl/sympl/-/jobs/8380) failed for 477a89553e5662f5d77f15a5ba1739cdb60ebbf8:Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/210Packages should be published in a repo2019-06-08T22:06:25ZPaul CammishPackages should be published in a repoThis will include properly signed packages, via the Mythic Beasts repo.This will include properly signed packages, via the Mythic Beasts repo.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/13poppass_handler.rb no longer checks passwords for complexity2019-06-10T15:01:30ZPaul Cammishpoppass_handler.rb no longer checks passwords for complexity`email/lib/symbiosis/email/poppass_handler.rb` has been switched from ruby-cracklib to plain ruby-password.
As part of the change (quick fix), it no longer enforces password complexity, allowing weak and possibly compromisable passwords.`email/lib/symbiosis/email/poppass_handler.rb` has been switched from ruby-cracklib to plain ruby-password.
As part of the change (quick fix), it no longer enforces password complexity, allowing weak and possibly compromisable passwords.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/197Publish packages properly ;)2019-06-07T10:49:35ZPaul CammishPublish packages properly ;)The installation instructions smell a little -- getting a proper repo might be a nice touch.
You might find [Bintray](https://bintray.com/signup/oss) one way of doing it. I came across it for TV headend.The installation instructions smell a little -- getting a proper repo might be a nice touch.
You might find [Bintray](https://bintray.com/signup/oss) one way of doing it. I came across it for TV headend.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/223Ruby scripts have output noise when run in verbose.2019-06-07T14:21:08ZPaul CammishRuby scripts have output noise when run in verbose.The --verbose fag sets the ruby $VERBOSE variable, with is outputting various warnings.
Changing the name of this variable should avoid the collision.
symbiosis-dns-generate --verbose
```
Falling back to gcc to determine sizeof size_t....The --verbose fag sets the ruby $VERBOSE variable, with is outputting various warnings.
Changing the name of this variable should avoid the collision.
symbiosis-dns-generate --verbose
```
Falling back to gcc to determine sizeof size_t.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
/usr/lib/ruby/vendor_ruby/erubis/enhancer.rb:517: warning: instance variable @prefixrexp not initialized
```
symbiosis-firewall --verbose
```
Falling back to gcc to determine sizeof size_t.
readnews defined twice. Ignoring definition for port 532
dicom defined twice. Ignoring definition for port 11112
```
symbiosis-firewall-blacklist --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-firewall-whitelist --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-httpd-generate-stats --verbose
```
Falling back to gcc to determine sizeof size_t.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
```
symbiosis-httpd-rotate-logs --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-ssl
```
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
```Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/14Stretch version requires stretch-backports repo2019-06-07T10:58:32ZPaul CammishStretch version requires stretch-backports repoThis is due to the XMPP functionality which uses Prosody's mod_auth_dovecot module from `prosody-modules`, which is not included in the normal stretch release.This is due to the XMPP functionality which uses Prosody's mod_auth_dovecot module from `prosody-modules`, which is not included in the normal stretch release.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/16symbiosis-encrypt-password doesn't check for weak passwords2019-06-10T15:01:46ZPaul Cammishsymbiosis-encrypt-password doesn't check for weak passwordsNeeds to be updated to use ruby-password rather than cracklibNeeds to be updated to use ruby-password rather than cracklibSympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/17symbiosis-password-test doesn't do anything serious2019-06-10T15:01:48ZPaul Cammishsymbiosis-password-test doesn't do anything seriousThis will also need the old ruby-cracklib code swapping to use ruby-password.
As is, it won't check for weak passwords, which is it's core function.This will also need the old ruby-cracklib code swapping to use ruby-password.
As is, it won't check for weak passwords, which is it's core function.Sympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/199symbiosis-ssl reports `Failed: signature type 'none' in JWS header is not sup...2019-06-07T10:51:28ZPaul Cammishsymbiosis-ssl reports `Failed: signature type 'none' in JWS header is not supported` when trying to get cert.As mentioned in #198
```
* Examining certificates for example.domain
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
!! Failed: signature type 'none' in JWS header is not supported,...As mentioned in #198
```
* Examining certificates for example.domain
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
!! Failed: signature type 'none' in JWS header is not supported, expected one of RS256, ES256, ES384 or ES512
* Examining certificates for localhost.localdomain
Current SSL set 0: self-signed for /CN=localhost.localdomain, expires 2020-04-15 16:32:06 UTC
```
Possible dependency or other issueSympl v9.0 (for Debian Stretch)Paul CammishPaul Cammishhttps://gitlab.com/sympl.io/sympl/-/issues/127Symbiosis: admin' user should be added to the 'www-data' group for compatibility2019-06-20T13:21:53ZPaul CammishSymbiosis: admin' user should be added to the 'www-data' group for compatibilityImported from https://www.github.com/BytemarkHosting/symbiosis/issues/115
In quite a few cases where web apps update themselves, such as WordPress, the updaters check that specific files and directories are owned by the user Apache is r...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/115
In quite a few cases where web apps update themselves, such as WordPress, the updaters check that specific files and directories are owned by the user Apache is running as, and fail if they don't match.
By adding the `admin` user to the `www-data` group, and setting ownership to be www-data:www-data, both the web app and Symbiosis FTP users can update files and directories as needed without stepping on each others toes too much.
Note that this will often require the group to be set to www-data also (and sometimes rw permissions set for the group), but this prevents web app installs from arguing with the admin permissions, and allows the admin user (ie: the user used with FTP) to overwrite files as needed.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/142Symbiosis: Frequently used packages aren't installed by default2019-06-20T13:42:39ZPaul CammishSymbiosis: Frequently used packages aren't installed by defaultImported from https://www.github.com/BytemarkHosting/symbiosis/issues/120
There are a number of packages which are typically installed manually on a newly created Symbiosis server as a first priority, since they're used so often. The fo...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/120
There are a number of packages which are typically installed manually on a newly created Symbiosis server as a first priority, since they're used so often. The following packages are sure bets to be installed in most cases:
`curl, iotop, less, lsof, psmisc, rsync, screen, smartmontools, telnet, vim, wget, htop, mtr-tiny, xfsprogs, tree, dnsutils`
It would be useful if we could add these packages as a Symbiosis dependency to ensure they're installed automatically.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/143Symbiosis: I want SSL only without HSTS2020-07-11T06:36:30ZPaul CammishSymbiosis: I want SSL only without HSTSImported from https://www.github.com/BytemarkHosting/symbiosis/issues/66
I want a back-out path from ssl-only. Currently, if I deploy SSL only HSTS headers get issued, which mean I have no way to back out if I have problems with certifi...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/66
I want a back-out path from ssl-only. Currently, if I deploy SSL only HSTS headers get issued, which mean I have no way to back out if I have problems with certificate renewal or spot a problem with the way the SSL site renders
So, maybe I could make a file `config/ssl-only-no-sts` to get ssl throughout the site, and when I'm confident that I can commit to this configuration, then deploy STS.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/147Symbiosis: It's too easy to break Exim by changing ssl certificate ownership.2019-06-20T13:19:51ZPaul CammishSymbiosis: It's too easy to break Exim by changing ssl certificate ownership.Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/47
Pretty much everything in /srv/ is owned by admin:admin, so it's tempting to run something like "chown -R admin:admin /srv". The problem is that Exim certificates ...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/47
Pretty much everything in /srv/ is owned by admin:admin, so it's tempting to run something like "chown -R admin:admin /srv". The problem is that Exim certificates lie in /srv/<HOSTNAME>/config/ssl/sets and Debian-exim (the user that runs Exim) is not a member of the admin group, so this is an awkward fact to learn and remember.
It might be better if the certificates were managed in /etc/ssl - from where they are currently, and tortuously symlinked.
Alternatively, if issue 38 https://gitlab.bytemark.co.uk/open-source/symbiosis/issues/38 is implemented, then I've made a suggestion for managing these certs.Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/148Symbiosis: Log files not created in /srv/site.com/public/logs/2019-06-20T13:20:10ZPaul CammishSymbiosis: Log files not created in /srv/site.com/public/logs/Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/140
I've recently setup Symbiosis on a Digital Ocean droplet to test some things. The initial setup worked perfectly on the second attempt. But I have a few questions...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/140
I've recently setup Symbiosis on a Digital Ocean droplet to test some things. The initial setup worked perfectly on the second attempt. But I have a few questions:
1) Is there a recommended approach for handling the DNS side? I found that adding the server's IP into /srv/mysite.com/config/ip did the trick along with a real email address to ensure Letsencrypt works as expected.
2) Curious also that I don't see any log files.
/srv/mysite.com/public/logs hasn't even been created. EDIT: Seems like symbiosis-httpd-logger is not running ...
Can anyone illuminate?Sympl v9.0 (for Debian Stretch)https://gitlab.com/sympl.io/sympl/-/issues/149Symbiosis: Logrotate cron error for prosody when it's not running2019-06-07T14:25:51ZPaul CammishSymbiosis: Logrotate cron error for prosody when it's not runningImported from https://www.github.com/BytemarkHosting/symbiosis/issues/131
The logrotate cron will email the following warning every week if prosody isn't active:
<pre>
/etc/cron.daily/logrotate:
error: error running shared postrotate s...Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/131
The logrotate cron will email the following warning every week if prosody isn't active:
<pre>
/etc/cron.daily/logrotate:
error: error running shared postrotate script for
'/var/log/prosody/prosody.log /var/log/prosody/prosody.err '
run-parts: /etc/cron.daily/logrotate exited with return code 1
</pre>
It looks like this is because the postrotate tries to check for the existence of `/var/run/prosody/prosody.pid` which won't be there when prosody is disabled (by default):
<pre>
[ -e /var/run/prosody/prosody.pid ] && /etc/init.d/prosody reload > /dev/null
</pre>
We should be able to suppress that by changing this line to e.g
<pre>
/etc/init.d/prosody reload > /dev/null
</pre>Sympl v9.0 (for Debian Stretch)