Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2019-06-07T14:21:08Z

Ruby scripts have output noise when run in verbose.
https://gitlab.com/sympl.io/sympl/-/issues/223
2019-06-07T14:21:08Z
Paul Cammish

The --verbose flag sets the Ruby $VERBOSE variable, which is outputting various warnings.
Changing the name of this variable should avoid the collision.
symbiosis-dns-generate --verbose
```
Falling back to gcc to determine sizeof size_t.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
/usr/lib/ruby/vendor_ruby/erubis/enhancer.rb:517: warning: instance variable @prefixrexp not initialized
```
symbiosis-firewall --verbose
```
Falling back to gcc to determine sizeof size_t.
readnews defined twice. Ignoring definition for port 532
dicom defined twice. Ignoring definition for port 11112
```
symbiosis-firewall-blacklist --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-firewall-whitelist --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-httpd-generate-stats --verbose
```
Falling back to gcc to determine sizeof size_t.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
```
symbiosis-httpd-rotate-logs --verbose
```
Falling back to gcc to determine sizeof size_t.
```
symbiosis-ssl
```
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
net/http: warning: Content-Type did not set; using application/x-www-form-urlencoded
```
Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Symbiosis: Method redefined' and 'variable not initialized' warnings returned from symbiosis-httpd-configure when '--verbose' flag used
https://gitlab.com/sympl.io/sympl/-/issues/152
2019-06-07T14:39:39Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/122
Running `symbiosis-httpd-configure` with the `--verbose` flag appended, e.g `symbiosis-httpd-configure -vdf`, returns the following:
<pre>
root@symbiosis2:/etc/exim4# symbiosis-httpd-configure -vdf
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff
Domain: symbiosis2.default.aladlow.uk0.bigv.io
Current SSL set 6: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-09-07 22:00:16 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
Configuration: example.site.net.conf
Forcing re-creation of configuration due to --force.
/usr/lib/ruby/vendor_ruby/diffy/diff.rb:70: warning: instance variable @tempfiles not initialized
Syntax OK
</pre>
Notably:
`/usr/lib/ruby/vendor_ruby/diffy/diff.rb:43: warning: method redefined; discarding old diff`
`/usr/lib/ruby/vendor_ruby/diffy/diff.rb:70: warning: instance variable @tempfiles not initialized`
These probably shouldn't be displayed as standard.
Milestone: Sympl v9.0 (for Debian Stretch)

symbiosis-ssl reports `Failed: signature type 'none' in JWS header is not supported` when trying to get cert.
https://gitlab.com/sympl.io/sympl/-/issues/199
2019-06-07T10:51:28Z
Paul Cammish

As mentioned in #198
```
* Examining certificates for example.domain
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
!! Failed: signature type 'none' in JWS header is not supported, expected one of RS256, ES256, ES384 or ES512
* Examining certificates for localhost.localdomain
Current SSL set 0: self-signed for /CN=localhost.localdomain, expires 2020-04-15 16:32:06 UTC
```
Possible dependency or other issue
Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Warning during installation about gcc not being found
https://gitlab.com/sympl.io/sympl/-/issues/198
2019-06-07T10:51:32Z
Paul Cammish

During install, I see the following:
```
Setting up symbiosis-common (2018:0616) ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
Shadow passwords are now on.
Adding 'admin' account
Adding user `admin' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new group `admin' (1001) ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding new user `admin' (1001) with group `admin' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Not creating home directory `/srv'.
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding user `admin' to group `adm' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding user admin to group adm
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Done.
Adding user `admin' to group `www-data' ...
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Adding user admin to group www-data
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
sent invalidate(group) request, exiting
sent invalidate(passwd) request, exiting
sent invalidate(group) request, exiting
Done.
sh: 1: gcc: not found
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- faraday (LoadError)
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/acme-client.rb:3:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/symbiosis/ssl/letsencrypt.rb:6:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/bin/symbiosis-ssl:161:in `<main>'
W: SSL certificate generation failed. Retrying with a self-signed certificate...
sh: 1: gcc: not found
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- faraday (LoadError)
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/acme-client.rb:3:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/symbiosis/ssl/letsencrypt.rb:6:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/bin/symbiosis-ssl:161:in `<main>'
sh: 1: gcc: not found
/usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require': cannot load such file -- faraday (LoadError)
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/acme-client.rb:3:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/vendor_ruby/symbiosis/ssl/letsencrypt.rb:6:in `<top (required)>'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb:55:in `require'
from /usr/bin/symbiosis-ssl:161:in `<main>'
Created symlink /etc/systemd/system/multi-user.target.wants/symbiosis-skel.path → /lib/systemd/system/symbiosis-skel.path.
symbiosis-skel.service is a disabled or a static unit, not starting it.
```
Installation seems to continue and succeed.
Milestone: Sympl v9.0 (for Debian Stretch)
Assignee: Paul Cammish

Symbiosis: symbiosis-httpd-configure breaks when no certificates are available.
https://gitlab.com/sympl.io/sympl/-/issues/184
2019-06-07T14:36:24Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/112
symbiosis-httpd-configure breaks when no certificates are available.
Steps to reproduce:
1. Spin up a new Symbiosis 8 server at panel.bytemark.co.uk
2. remove the contents of /etc/ss
3. run "symbiosis-httpd-configure --force --verbose"
4. run "apachectl restart"
Expected behaviour:
* Apache restarts.
Observed behaviour:
* Apache fails to restart. An error message like "Failed to configure at least one certificate and key for symbiosis.foo.bar.uk0.bigv.io:443"
Workaround:
* remove /etc/apache2/sites-enabled/zz-mass-hosting.ssl.conf - Apache will now start, until symbiosis-httpd-configure is run again.
Suggested fix:
* Symbiosis-httpd-configure should test for the presence of some certificate before proceeding to enable zz-mass-hosting.ssl.conf
Milestone: Backlog

Symbiosis: SSL symlinks broken on hostname change
https://gitlab.com/sympl.io/sympl/-/issues/176
2019-07-17T15:54:09Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/42
When the hostname of a system running Symbiosis is changed the symbolic links for the self signed certificates in <code>/etc/ssl</code> are broken.
The symbolic links in <code>/etc/ssl</code> continue to point at <code>/srv/original-server-name/...</code>.
This then prevents the Apache service from starting as the SSL files are missing/invalid.
Milestone: Backlog

Symbiosis: Skel missing file references
https://gitlab.com/sympl.io/sympl/-/issues/174
2019-06-20T13:24:53Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/135
When a new domain directory is created within `/srv/`, Symbiosis Stretch will create appropriate `config`, and `public` sub-directories.
The `/srv/domain.com/public/htdocs/index.html` file generated refers to incorrect file paths, as it looks for `/bytemark/bytemark.css` and `/bytemark/bytemark.png`, but the `bytemark/` directory doesn't exist.
Additionally, the index points to the Jessie Symbiosis docs, where they should be for Stretch.
Milestone: Sympl v9.0 (for Debian Stretch)

Symbiosis: Roundcube sieve breaks following dist-upgrade from Symbiosis Jessie to Stretch
https://gitlab.com/sympl.io/sympl/-/issues/171
2019-06-07T10:51:35Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/118
Roundcube returns an `Unable to connect to managesieve server` warning when attempting to access the `Filters` or `Vacation` setting. This is due to a change in the sieve directory structure when moving from Jessie to Stretch.
In Symbiosis Jessie, the structure is as follows:
<pre>
root@symbiosis2:/usr/share/roundcube# ls -al /srv/symbiosis2.default.aladlow.uk0.bigv.io/mailboxes/root/
total 24
drwxr-sr-x 4 admin admin 4096 May 11 11:31 .
drwxr-sr-x 4 admin admin 4096 May 17 12:57 ..
drwx--S--- 9 admin admin 4096 May 27 16:05 Maildir
-rw-r--r-- 1 admin admin 105 May 27 12:51 password
lrwxrwxrwx 1 admin admin 23 May 11 11:30 sieve -> sieve.d/roundcube.sieve
drwx--S--- 3 admin admin 4096 May 11 11:30 sieve.d
</pre>
And in Symbiosis Stretch:
<pre>
root@symbiosis2:/usr/share/roundcube# ls -al /srv/symbiosis2.default.aladlow.uk0.bigv.io/mailboxes/root/
total 20
drwxr-sr-x 4 admin admin 4096 May 27 16:08 .
drwxr-sr-x 4 admin admin 4096 May 17 12:57 ..
lrwxrwxrwx 1 admin admin 21 May 27 16:08 .dovecot.sieve -> sieve/roundcube.sieve
drwx--S--- 9 admin admin 4096 May 27 16:05 Maildir
-rw-r--r-- 1 admin admin 105 May 27 12:51 password
drwx--S--- 3 admin admin 4096 May 27 16:08 sieve
</pre>
To resolve this, the `sieve.d` directory should be renamed to `sieve`, and the `sieve` symlink to `.dovecot.sieve`.
Milestone: Sympl v9.0 (for Debian Stretch)

Symbiosis: reject-www-data rule unintentionally removed from ip6tables when file contains only IPv4 addresses
https://gitlab.com/sympl.io/sympl/-/issues/166
2019-06-07T14:36:07Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/76
When an IPv4 address is added to the reject-www-data rule, the rule is removed from ip6tables.
1. Run `ip6tables -L -v -n` and notice the reject-www-data table is present
2. Add 10.0.0.1 to `/etc/symbiosis/firewall/outgoing.d/50-reject-www-data`
3. Run `ip6tables -L -v -n` and notice the reject-www-data table is *no longer* present
Milestone: Backlog

Symbiosis: On Stretch, httpd.postinst doesn't correctly preserve `no-stats` settings
https://gitlab.com/sympl.io/sympl/-/issues/158
2019-06-07T10:51:39Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/124
This is what I think should happen:
1. If `no-stats` is present and not set to `false`: remove, as this is the default now.
2. If `no-stats` is present and set to `false`: move to `stats` and truncate, ensuring stats are enabled.
3. If `no-stats` isn't present: create `stats`.
4. Otherwise do nothing.
Patrick advised that we can potentially not do (3) and just put in release notes that the default is now that stats are disabled by default, as we use webalizer which is old and clunky and potentially many customers don't use it.
Milestone: Sympl v9.0 (for Debian Stretch)

Symbiosis: Logrotate cron error for prosody when it's not running
https://gitlab.com/sympl.io/sympl/-/issues/149
2019-06-07T14:25:51Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/131
The logrotate cron will email the following warning every week if prosody isn't active:
<pre>
/etc/cron.daily/logrotate:
error: error running shared postrotate script for
'/var/log/prosody/prosody.log /var/log/prosody/prosody.err '
run-parts: /etc/cron.daily/logrotate exited with return code 1
</pre>
It looks like this is because the postrotate tries to check for the existence of `/var/run/prosody/prosody.pid` which won't be there when prosody is disabled (by default):
<pre>
[ -e /var/run/prosody/prosody.pid ] && /etc/init.d/prosody reload > /dev/null
</pre>
We should be able to suppress that by changing this line to e.g
<pre>
/etc/init.d/prosody reload > /dev/null
</pre>
Milestone: Sympl v9.0 (for Debian Stretch)

Symbiosis: If an SSL cert is automatically disabled, Symbiosis won't use automatically it again if it becomes valid
https://gitlab.com/sympl.io/sympl/-/issues/144
2019-07-17T15:53:24Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/111
For example, if I have a site (https://under100words.com) and manually disable Let's Encrypt by placing `false` in `/srv/under100words.com/config/ssl-provider` and moving the `config/ssl directory` out of the way, `symbiosis-httpd-configure` will disable the specific SSL cert for the site, swapping it to self-signed.
This is fine, and to be expected, however it does this by removing the relevant symlink from `/etc/apache2/sites-enabled`, which has the effect of flagging the site as "manually disabled", dropping it back to mass hosting, if configured.
Restoring the SSL configuration (removing `ssl-provider` and restoring `config/ssl`) then re-running `symbiosis-httpd-configure --verbose` you get:
```
# symbiosis-httpd-configure --verbose
[ . . . ]
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
[ . . . ]
Configuration: under100words.com.conf
Configuration is up-to date.
!! Configuration has been manually disabled.
```
So, it's still thinking that the site was manually disabled, so even if it managed to create the individual config as there are valid SSL certs, it's not being symlinked.
A manual workaround is to run `symbiosis-httpd-configure` for the specific site:
```
# symbiosis-httpd-configure --verbose under100words.com
Domain: under100words.com
Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2018-02-20 13:36:22 UTC
This site has SSL enabled, and is using the host's primary IPs -- continuing with SNI.
SSL is enabled -- using SSL template
Adding to configurations
Configuration: under100words.com.conf
Configuration is up-to date.
Enabling configuration.
Reloading Apache
```
This instead enables the config anyway, and things work normally again.
Milestone: Future Plans

Symbiosis: Exim can't deliver to a virgin mailbox
https://gitlab.com/sympl.io/sympl/-/issues/141
2019-06-07T14:36:02Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/132
Mostly, Exim hands off email to dovecot for delivery. BUT, it's possible to use an Exim filter file to ask Exim to deliver email directly to a mailbox.
If Exim tries to do that before Dovecot has delivered to that user, Exim will fail.
Dovecot lazily (ie, when it first delivers an email to a user) creates a quota file in the root of the user's mailbox. Exim can't deliver email to a user if that quota file is missing. And it can't create it either.
This only matters if the user doesn't get mail delivered by dovecot, which is kind of unusual. The simple work-around is just to send an unfiltered email to the user.
A better fix might be to have a cron job looking for missing quota files, and adding them where required. Or maybe there's an Exim option to ignore the missing file? Or something.
Milestone: Backlog

Symbiosis: Don't crash if a password file is empty
https://gitlab.com/sympl.io/sympl/-/issues/137
2019-06-07T14:31:05Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/110
As reported here:
* https://forum.bytemark.co.uk/t/empty-password-crashes-cron-job/2744
The following code reproduces the problem:
```ruby
#!/usr/bin/ruby
require 'cracklib'
c = CrackLib::Fascist(nil)
if c.ok?
  puts "OK"
end
```
The following patch is probably sufficient to resolve the problem, but requires a test-case:
```
--- a/common/sbin/symbiosis-password-test
+++ b/common/sbin/symbiosis-password-test
@@ -155,6 +155,7 @@ Symbiosis::Domains.each(prefix) do |domain|
end
ftp_users.each do |u|
+ next if c.nil?
c = CrackLib::Fascist(u.password)
if c.ok?
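Review bot: the added guard `next if c.nil?` sits above `c = CrackLib::Fascist(u.password)`, so it tests `c` before this iteration assigns it and never looks at the value that triggers the crash in the reproduction, a nil password passed to `CrackLib::Fascist`. Test the input instead, for example `next if u.password.nil? || u.password.empty?`, and add the test case the description asks for, covering a user whose password file is empty.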
```
Milestone: Backlog

Symbiosis: DNS service records not created even though mailbox folders are there
https://gitlab.com/sympl.io/sympl/-/issues/135
2019-06-07T14:30:27Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/133
DNS srv records are not being created by the symbiosis-dns-generate command, the template suggests these are created at the presence of a mailbox folder:
```
%if domain.respond_to?(:mailboxes) and domain.mailboxes.length > 0
#
# SRV records for various mail services
#
:_submission._tcp.<%= domain %>:33:<%= domain.srv_record_for(0,5,587, "mail."+domain) %>:<%= ttl %>
:_imap._tcp.<%= domain %>:33:<%= domain.srv_record_for(0,5,143, "mail."+domain) %>:<%= ttl %>
:_imaps._tcp.<%= domain %>:33:<%= domain.srv_record_for(0,5,993, "mail."+domain) %>:<%= ttl %>
:_pop3._tcp.<%= domain %>:33:<%= domain.srv_record_for(10,5,110, "mail."+domain) %>:<%= ttl %>
:_pop3s._tcp.<%= domain %>:33:<%= domain.srv_record_for(10,5,995, "mail."+domain) %>:<%= ttl %>
% end
```
These service records are not created. Could this be removed from the template?
Milestone: Backlog

Symbiosis: Apache PHP7 module isn't enabled automatically following dist-upgrade from Symbiosis Jessie
https://gitlab.com/sympl.io/sympl/-/issues/128
2019-06-07T14:33:10Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/116
During the dist-upgrade from Symbiosis Jessie to Stretch, Apache will not enable the PHP7 module as it conflicts with PHP5 (which should already be enabled). The PHP5 module should therefore be explicitly disabled in favour of PHP7.

Symbiosis: `symbiosis-configure-ips` doesn't remove IPs it added once they are removed from /srv/*/config/ip
https://gitlab.com/sympl.io/sympl/-/issues/122
2019-06-06T11:08:42Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/59
If an IP has been added to a machine via `/srv/*/config/ip`, then if removed, it won't be removed from the configuration until next reboot when it won't be re-added.
This is likely as it can't be determined that Symbiosis added the IP, so we should probably either:
1. Make it clear in the docs that removing an IP will need a reboot or manual change via `ip`.
2. Automatically remove any IPs not set somewhere in `/srv/*/config/ip` when running symbiosis-configure-ips.
3. Provide a `--force` switch (like the other Symbiosis apps) to make the config match what symbiosis-configure-ips is trying to do.
Milestone: Future Plans

Symbiosis: symbiosis-firewall 99-reject file is blank by default
https://gitlab.com/sympl.io/sympl/-/issues/182
2019-04-15T09:14:34Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/137
Symbiosis' firewall contains a `/etc/symbiosis/firewall/incoming.d/99-reject` rule by default, which will block connections from `0.0.0.0/0` (anywhere).
If we add an IP to this 99-reject file, connections will only be blocked from this IP and allowed from everywhere else, which isn't usually what we want to happen.
It would be safer if the 99-reject file contained `0.0.0.0/0` by default to avoid allowing more through the firewall than what was intended. This could still be removed from the file if needed.
Milestone: Future Plans

Symbiosis: Publish CAA (DNS TXT) records to improve security
https://gitlab.com/sympl.io/sympl/-/issues/165
2019-04-14T20:59:45Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/134
Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates for a particular domain name. It prevents bad people obtaining certificates from rogue or sloppy certification authorities.
It's a simple DNS text record to say, for example:
`example.org. CAA 128 issue "letsencrypt.org"`
At minimum, we could publish this record for a domain that's protected by a LetsEncrypt certificate.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
Milestone: Future Plans

Symbiosis: Plaintext FTP should be disabled by default
https://gitlab.com/sympl.io/sympl/-/issues/164
2019-04-17T20:30:58Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/50
`/etc/pure-ftpd/conf/TLS` currently appears to be set to 1 which means "Accept both normal sessions and SSL/TLS ones." - my opinion would be that for the next release, we should change this to 2, or even 3. Options are below.
```
-Y tls behavior
-Y 0 (default) disables SSL/TLS security mechanisms.
-Y 1 Accept both normal sessions and SSL/TLS ones.
-Y 2 refuses connections that aren't using SSL/TLS security
mechanisms, including anonymous ones.
-Y 3 refuses connections that aren't using SSL/TLS security
mechanisms, and refuse cleartext data channels as well.
The server must have been compiled with SSL/TLS support and a
valid certificate must be in place to accept encrypted sessions.
```
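
For the CAA issue above (issues/165), an added example that is not part of the original issue or of Symbiosis: it parses CAA records in the presentation format quoted there and applies the issuance check a CA performs under RFC 8659 (the successor to RFC 6844), including the critical flag (128) and `issuewild`. The zone data and CA names are constructed, and real DNS lookups are left out.

```ruby
# Added example (not Symbiosis code): decide whether a CA may issue for a name,
# following the CAA processing rules of RFC 8659. CAA is DNS RR type 257.

CaaRecord = Struct.new(:owner, :flags, :tag, :value)

KNOWN_TAGS = %w[issue issuewild iodef].freeze
CRITICAL   = 128 # "issuer critical" flag bit, as in the record quoted in the issue

# Constructed sample zone data; names and CA identifiers are illustrative.
SAMPLE_ZONE = <<~ZONE
  ; owner               type flags tag value
  example.org.          CAA 128 issue "letsencrypt.org"
  shop.example.org.     CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
  shop.example.org.     CAA 0 issuewild ";"
  locked.example.org.   CAA 0 issue "letsencrypt.org"
  locked.example.org.   CAA 128 futuretag "anything"
ZONE

# owner [ttl] [IN] CAA flags tag "value"
CAA_LINE = /\A(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\z/

def parse_caa(zone_text)
  lines = zone_text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?(';') }
  lines.map do |line|
    m = CAA_LINE.match(line)
    raise ArgumentError, "not a CAA record: #{line}" unless m
    CaaRecord.new(m[1].downcase.chomp('.'), m[2].to_i, m[3].downcase, m[4])
  end
end

# Climb from the requested name towards the root and return the first
# non-empty CAA set; a set on a subdomain replaces the parent's set entirely.
def relevant_set(records, fqdn)
  labels = fqdn.downcase.chomp('.').sub(/\A\*\./, '').split('.')
  until labels.empty?
    set = records.select { |r| r.owner == labels.join('.') }
    return set unless set.empty?
    labels.shift
  end
  []
end

# The issuer domain name is the part of the value before any ";parameters".
# A value of ";" yields an empty issuer, which matches no CA.
def issuer_of(value)
  value.split(';', 2).first.to_s.strip.downcase
end

def ca_may_issue?(records, fqdn, ca_domain)
  set = relevant_set(records, fqdn)
  return true if set.empty? # no CAA anywhere up the tree: unrestricted

  # An unrecognised tag with the critical bit set forbids issuance outright.
  return false if set.any? { |r| (r.flags & CRITICAL) != 0 && !KNOWN_TAGS.include?(r.tag) }

  # Wildcard requests use issuewild when present, otherwise fall back to issue.
  wildcard = fqdn.start_with?('*.')
  rules = wildcard ? set.select { |r| r.tag == 'issuewild' } : []
  rules = set.select { |r| r.tag == 'issue' } if rules.empty?
  return true if rules.empty? # set holds no issue/issuewild property

  rules.any? { |r| issuer_of(r.value) == ca_domain.downcase }
end

if __FILE__ == $PROGRAM_NAME
  records = parse_caa(SAMPLE_ZONE)
  [
    ['www.example.org',    'letsencrypt.org'],
    ['www.example.org',    'otherca.example'],
    ['*.shop.example.org', 'letsencrypt.org'],
    ['locked.example.org', 'letsencrypt.org'],
    ['example.net',        'otherca.example']
  ].each do |name, ca|
    verdict = ca_may_issue?(records, name, ca) ? 'may issue' : 'must refuse'
    puts format('%-20s %-16s %s', name, ca, verdict)
  end
end
```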