Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2019-09-17T13:45:19Z

https://gitlab.com/sympl.io/sympl/-/issues/265
sympl-backup triggers `tar` warnings
2019-09-17T13:45:19Z
Paul Cammish

https://forum.sympl.host/t/backups-tar-warning-about-non-optional-arguments/44
## Problem Description
When doing backups, the following message is shown, with the backup succeeding:
```
Creating archive using 'DRIVER_TAR_GZ'...
tar: The following options were used after any non-optional arguments in archive create or update mode. These options are positional and affect only arguments that follow them. Please, rearrange them properly.
tar: --no-recursion has no effect
tar: Exiting with failure status due to previous errors
Checking TOC of archive file (< real file, > archive entry)...
```
This is due to changes to `tar` in Buster.

https://gitlab.com/sympl.io/sympl/-/issues/263
LetsEncrypt certificates not renewed early enough
2019-09-08T15:13:43Z
Paul Cammish

# Summary
LetsEncrypt certificates are not renewed a month before expiry (as recommended). This causes warning emails to be received from LetsEncrypt.
# Steps to reproduce
Enable LetsEncrypt certificates for a domain. Wait 60 days.
# What is the current bug behavior?
Certificates are not renewed until 2 weeks before expiry, causing a warning email to be received.
# What is the expected correct behavior?
Certificate should be removed 30 days before expiry.
See: https://letsencrypt.org/docs/integration-guide/
for more info.
/cc @kelduum

https://gitlab.com/sympl.io/sympl/-/issues/261
sympl-ssl fails in NAT64 environments with IPv4 addresses
2019-09-17T13:45:19Z
Paul Cammish

This is due to the old Ruby library being used, which defaults to IPv4.
A workaround exists for this, which adds an entry to the hosts file, but fails to detect NAT64 setups.

https://gitlab.com/sympl.io/sympl/-/issues/260
Extra content in /root/.ssh/authorized_keys is copied also
2019-08-16T12:20:27Z
Paul Cammish

In the event `/root/.ssh/authorized_keys` contains other content (such as a "command=" entry for the key [ref](https://forum.sympl.host/t/dont-login-as-root-warning/39)), then the Sympl user will be similarly restricted on first logging in.
Not necessarily a bug, but we may want to think about excluding these entries or handling them differently.

https://gitlab.com/sympl.io/sympl/-/issues/259
Running backups manually seems to cause issues
2019-08-19T07:25:08Z
Paul Cammish

It appears that running backups manually as the `sympl` user will cause the sympl-sqldump script to fail (as it's not running as root), possibly causing later backups to fail as a dump was started but not completed.
Sympl should probably check for a generic user with full mysql access rather than just root (or the root or Sympl user), and/or automatically use the `--force` flag when triggering backups.

https://gitlab.com/sympl.io/sympl/-/issues/255
sympl-web-rotate-logs doesnt work
2019-07-09T19:27:36Z
Paul Cammish

This is due to it dropping permissions which is incompatible with the new security permissions system.
As it normally only ever runs as root, this isn't needed, and also means log rotation never happens properly as it's only telling the logger processes to reload, not Apache.

https://gitlab.com/sympl.io/sympl/-/issues/254
sympl-firewall: iptables email warning (buster)
2019-08-16T17:51:06Z
Paul Cammish

It appears with the change to iptables-nft, warnings are being generated about iptables-legacy having rules (although they appear to be empty).

https://gitlab.com/sympl.io/sympl/-/issues/251
Dovecot doesn't reload after cert changes if config hasn't changed.
2019-07-07T00:28:05Z
Paul Cammish

In the situation where no new domains are created, but SSL certs update automatically, Dovecot would eventually expire the cached certs, so a reload is needed, as well as a check for when there are literally no certs (ie: first cert attempt fails).
In progress: sympl/sympl!76

https://gitlab.com/sympl.io/sympl/-/issues/250
Apache config template changes from Buster need to be backported to Stretch
2019-07-06T19:10:34Z
Paul Cammish

In progress: !77

https://gitlab.com/sympl.io/sympl/-/issues/249
sympl-ssl - IPv6 Only DNS Resolution
2021-02-12T18:08:30Z
Paul Cammish

DNS resolution times out in IPv6 Only environment when contacting Let's Encrypt.
This is due to the resolver assuming there's an IPv4 address, and binding to that for replies.
A workaround is to add the relevant host to /etc/hosts before running.

https://gitlab.com/sympl.io/sympl/-/issues/248
sympl-mail: Debian-exim user should be added to sympl group.
2019-07-02T16:36:27Z
Paul Cammish

As is, the Debian-exim user already has access to the ssl-certs and other things, so giving it access to the config directory shouldn't be a problem now things are properly partitioned and will allow users to still configure things via SFTP.
`sympl-filesystem-security` will need adjusting for this also.

https://gitlab.com/sympl.io/sympl/-/issues/246
Roundcube unable to send mail in Buster.
2019-07-02T16:38:13Z
Paul Cammish

Needs confirming if this is affecting Stretch also.

https://gitlab.com/sympl.io/sympl/-/issues/241
stretch-testing -> stretch
2019-06-25T08:36:27Z
Paul Cammish

# Testing to Stable
## Setup
* [x] Add example.com to /etc/hosts.
* [x] Start with a clean machine running the relevant version of Debian.
## Install
* [x] Run Install script as per https://wiki.sympl.host/Installation_Instructions without dpkg prompts.
* [x] User is pointed to https://wiki.sympl.host for docs, and https://forum.sympl.host for issues.
* [x] User has to set a new password for `sympl`, and is suggested to use an SSH key.
* [x] User can log in as the `sympl` user.
## Core
* [x] Banner happens on login and provides correct version/system stats.
* [x] Typical utilities such as vim, htop, etc are installed and work normally.
## Web
* [x] `mkdir -p /srv/example.com/public/htdocs`, make sure you are served a 'theres nothing here yet' page.
* [x] `echo 'Testing example.com' > /srv/example.com/public/htdocs/index.html`, check the page loads with the new content.
* [x] `echo '<?php phpinfo() ?>' > /srv/example.com/public/htdocs/index.php`, check the page loads with phpinfo.
* [x] `sudo sympl-web-configure --verbose`, check /srv/example.com/ contains public/logs, php_tmp, php_sessions.
* [x] Browse to http://example.com again, check logs are being written to `public/logs/access.log`.
* [x] Browse to https://example.com again (expect browser warning), check logs are being written to `public/logs/ssl_access.log`.
* [x] `sudo sympl-web-rotate-logs`, check logs have rotated.
* [x] `sudo sympl-web-generate-stats --verbose`, check stats have NOT been created.
* [x] `mkdir -p /srv/example.com/config ; echo selfsigned > /srv/example.com/config/ssl-provider ; sudo sympl-ssl --verbose`, check cert is generated.
* [x] `sudo sympl-web-configure --verbose`, check site now loads with self-signed certificate.
## FTP
* [x] Confirm you cannot login anonymously via FTP.
* [x] `echo some-password > /srv/example.com/config/ftp-password`, check you can log in with user `example.com` password `some-password` via FTP and are placed in public.
* [x] Confirm you can upload/download/delete files via FTP.
* [x] `echo someuser:someotherpass:htdocs:0M > /srv/example.com/config/ftp-users`, check you can log in with user `someuser@example.com` password `someotherpass` via FTP and are placed in htdocs.
* [x] Confirm you can download but not upload files via FTP.
* [x] `sudo sympl-password-test --verbose`, confirm password warning.
## Mail & WebMail
* [x] `mkdir -p /srv/example.com/mailboxes/user ; echo some-password > /srv/example.com/mailboxes/user/password ; sudo sympl-password-test --verbose`, confirm password warning.
* [x] Browse to https://example.com/webmail, log in with `user` and `password`
* [x] `echo new-password > /srv/example.com/mailboxes/user/password`, log out of webmail.
* [x] Confirm you cannot log in with old password.
* [x] Confirm you can log in with new password.
* [x] `sudo sympl-mail-encrypt-passwords --verbose`
* [x] Log out and back in again.
* [x] Send mail to a gmail address, confirm bounce/delivery.
* [x] `openssl genrsa -out /srv/example.com/config/dkim.key 2048 ; chmod 640 /srv/example.com/config/dkim.key ; chown admin:Debian-exim /srv/example.com/config/dkim.key ; touch /srv/example.com/config/dkim`
* [x] Send email again, check for DKIM record in bounce/delivery.
## Network
* [x] `ip a ; sympl-ip`, confirm IPs match.
* [x] `echo 10.111.234.56 > /srv/example.com/config/ip ; sudo sympl-configure-ips --verbose`, confirm new IP picked up.
* [x] `ip a ; sympl-ip`, confirm '10.111.234.56' now listed on both results.
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 0.
* [x] `touch /etc/sympl/firewall/incoming.d/99-1234 ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c ':1234'`, confirm result is 2.
* [x] `touch '/etc/sympl/firewall/blacklist.d/10.9.8.7|31' ; sudo sympl-firewall`
* [x] `sudo iptables -L -n | grep -c '10.9.8.6'`, confirm result is 1.
## MySQL / MariaDB & phpMyAdmin
* [x] `mysql -e 'show databases'`, confirm databases are listed.
* [x] Browse to http://example.com/phpmyadmin, confirm redirected to HTTPS.
* [x] `cat ~/mysql_password`, log in with user `sympl` and password.
* [x] Confirm no errors/warnings, database can be created.
## Monit
* [x] `sudo service apache2 stop ; sudo service apache2 status ; sudo sympl-monit ; sudo service apache2 status ;`, confirm apache is started again.

https://gitlab.com/sympl.io/sympl/-/issues/239
phpmyadmin: phpmyadmin is no longer packaged in Debian Buster
2020-09-16T16:16:37Z
Paul Cammish

Based on an [informal poll](https://twitter.com/Mythic_Beasts/status/1139540952840908800) it looks like a picture of a kitten should be a good replacement, however I'll probably rename the package, swap to [Adminer](https://www.adminer.org/), and add instructions for installing phpmyadmin yourself.

https://gitlab.com/sympl.io/sympl/-/issues/187
Symbiosis: testing sites don't get DocumentRoot set
2019-04-14T21:44:45Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/43
testing sites - e.g. example.com.testing.server.group.user.uk0.bigv.io don't have DocumentRoot set. Not being set by mod_rewrite

https://gitlab.com/sympl.io/sympl/-/issues/185
Symbiosis: symbiosis-ssl can generate SSL config for sites that have no certificate
2019-04-17T20:11:54Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/44
symbiosis-ssl can generate SSL config for sites that have no certificate returned by Lets Encrypt. This can lead to invalid configuration, and Apache being unable to re-start.
This has been observed both in terms of missing certs that were never returned successfully from Lets Encrypt, or where symbiosis-ssl didn't have permission to write the certificate, but still wrote the SSL config.

https://gitlab.com/sympl.io/sympl/-/issues/183
Symbiosis: symbiosis-httpd-configure --diff-only option
2019-04-17T20:05:54Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/48
Sometimes the configuration has been manually edited but it'd be nice to go back to the factory one, however the only way to see what would change other than checking manually, is to move the old hand-edited configuration out of the way, and then to run the symbiosis-httpd-configure (which reloads the site) and then compare the changes afterwards.
Would be nice if you could ask symbiosis-httpd-configure just to give you a diff of what would change if you asked it to take over the config for a particular site.

https://gitlab.com/sympl.io/sympl/-/issues/181
Symbiosis: symbiosis-email-encrypt-passwords --verbose command is not recognised
2020-08-22T16:07:25Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/65
Using Symbiosis Wheezy.
I need to encrypt a user's email account password. Although I remember the password file for a user usually is updated with an encrypted version of same password, this doesn't appear to be working for me at the moment.
I tried the below command from /srv as admin user
symbiosis-email-encrypt-passwords --verbose
but just get
-bash: symbiosis-email: command not found

https://gitlab.com/sympl.io/sympl/-/issues/180
Symbiosis: symbiosis-email cron.d entry points to incorrect binary
2019-04-16T22:28:40Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/72
`/usr/sbin/symbiosis-encrypt-mailpass` should be `/usr/sbin/symbiosis-email-encrypt-passwords`.
```
@hourly root [ -x /usr/sbin/symbiosis-encrypt-mailpass ] && /usr/sbin/symbiosis-encrypt-mailpass
```

https://gitlab.com/sympl.io/sympl/-/issues/179
Symbiosis: Symbiosis monit failure emails in Stretch
2019-04-14T21:37:56Z
Paul Cammish

Imported from https://www.github.com/BytemarkHosting/symbiosis/issues/129
The symbiosis-monit script will return an exit code of 75 for a few reasons: if it's been disabled, if the machine is still booting, if the load is higher than the number of CPU cores, or if dpkg is running:
<pre>root@jessie:~# grep -c processor /proc/cpuinfo
root@jessie:~# cat /proc/loadavg
4.00 4.00 3.87 5/130 5696
root@jessie:~# /usr/sbin/symbiosis-monit -t email /etc/symbiosis/monit.d -a
root@jessie:~# echo $?
75
</pre>
In Symbiosis Stretch, this will be printed to syslog:
<pre>upgrade2 systemd[1]: symbiosis-monit.service: Main process exited, code=exited, status=75/n/a
upgrade2 systemd[1]: symbiosis-monit.service: Unit entered failed state.
upgrade2 systemd[1]: symbiosis-monit.service: Failed with result 'exit-code'.
</pre>
And also as an email:
<pre>Subject: Symbiosis monitor detected service failure
root : TTY=unknown ; PWD=/ ; USER=nobody ; COMMAND=/usr/bin/tee /var/tmp/symbiosis-monit.cursor
pam_unix(sudo:session): session opened for user nobody by (uid=0)
Started Symbiosis monitor.
symbiosis-monit.service: Main process exited, code=exited, status=75/n/a
symbiosis-monit.service: Unit entered failed state.
symbiosis-monit.service: Triggering OnFailure= dependencies.
symbiosis-monit.service: Failed with result 'exit-code'.</pre>
Server load will frequently rise above the number of CPU cores on busy servers, generating a large amount of emails. Printing to syslog is useful if there are problems with the `symbiosis-monit` service itself, but we should probably only send a failure email when an individual test has failed (e.g. `apache2`), rather than the entire service.