Sympl issues
https://gitlab.com/sympl.io/sympl/-/issues
2020-09-09T17:23:53Z

https://gitlab.com/sympl.io/sympl/-/issues/295
sympl-cli: running some commands as root doesn't ensure result has the right owner
2020-09-09T17:23:53Z
Paul Cammish

Example: `sudo sympl web create example.com` creates the directory in /srv with the owner as root.
https://forum.sympl.host/t/sympl-cli-feature-discussion/30/8

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/294
sympl-web: php-zip package is not installed by default
2020-09-09T17:23:53Z
Paul Cammish

It probably should be included in typical installs, as windows-centric stuff is likely to expect it to be there.

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/298
sympl-filesystem-security: public-group doesn't work
2020-09-09T17:23:53Z
Paul Cammish

# Summary
When putting a group into `<domain>/config/public-group`, running `sympl-filesystem-security` produces the output `id: ‘<group>’: no such user`. Found on sympl-core/stretch 9.0.200510.0.
# Steps to reproduce
Place the name of a group that isn't `www-data` in `<domain>/config/public-group` and run `sympl-filesystem-security`.
# Possible fixes
https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/buster/core/sbin/sympl-filesystem-security#L50 (and 51) use `id -g $gid`, which seems like it should find the GID of a group, but actually finds the GID of the primary group of user $gid. If no user of the same name as the requested group exists, this fails. The script seems like it will need to use `getent group` and `cut` or `awk` to get the right fields.
/cc @kelduum

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/299
sympl-core: sympl-filesystem-security reset permissions on public/cgi-bin
2020-09-09T17:23:53Z
Paul Cammish

This causes cgi-bin scripts to fail, and various headaches for anyone with older stuff.

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/300
sympl-web: Support for Apache Includes
2020-09-10T08:28:06Z
Paul Cammish

A great idea in https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3?u=kelduum is to add an IncludeOptional directive to load extra configuration files from the config directory.

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/270
sympl-web: Allow apache includes in config/
2020-09-10T08:28:06Z
Paul Cammish

As per https://forum.sympl.host/t/auto-updating-ssl-certs-with-custom-apache-site-config/69/3
> One of the ways around this under symbiosis was to add an `IncludeOptional` directive to the master templates (`ssl.template.erb` & `non_ssl.template.erb`) with customisations kept in, say, config…
>
> `IncludeOptional /srv/<% domain %>/config/apache-*.conf`
Thanks to alphacabbage1 for the suggestion.
This will need checking for security, as we don't want any random user writing stuff to there, and breaking the security model or stopping Apache from starting.

https://gitlab.com/sympl.io/sympl/-/issues/239
phpmyadmin: phpmyadmin is no longer packaged in Debian Buster
2020-09-16T16:16:37Z
Paul Cammish

Based on an [informal poll](https://twitter.com/Mythic_Beasts/status/1139540952840908800) it looks like a picture of a kitten should be a good replacement, however I'll probably rename the package, swap to [Adminer](https://www.adminer.org/), and add instructions for installing phpmyadmin yourself.

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/249
sympl-ssl - IPv6 Only DNS Resolution
2021-02-12T18:08:30Z
Paul Cammish

DNS resolution times out in IPv6 Only environment when contacting Let's Encrypt.
This is due to the resolver assuming there's an IPv4 address, and binding to that for replies.
A workaround is to add the relevant host to /etc/hosts before running.

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/307
Sympl 11: sympl-mail - Update exim configurations (historic)
2021-02-12T18:21:16Z
Paul Cammish

Changes to the Exim configuration were needed to pass the existing test suite.
These were done in 7dc9c294 15c8c20f 5a1b47ae 33d97665 6b4fbe1c
See also #304 which is related as it involved a workaround.

Sympl 11 for Debian Bullseye

https://gitlab.com/sympl.io/sympl/-/issues/306
Sympl 11: Installing sympl-mysql doesn't write the password to /home/sympl
2021-02-15T11:33:44Z
Paul Cammish

This is currently causing the testing to fail, and will need looking into.

Sympl 11 for Debian Bullseye
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/309
sympl11 - Re-enable stable CI
2021-08-13T16:08:34Z
Paul Cammish

No stable branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the stable branch has been publicly built.

Sympl 11 for Debian Bullseye
Paul Cammish
2021-06-01

https://gitlab.com/sympl.io/sympl/-/issues/308
sympl11 - Re-enable testing CI
2021-08-13T16:12:17Z
Paul Cammish

No testing branch at present with public packages to test against, so CI was disabled temporarily in 05713c43.
Will need re-enabling once the testing branch has been publicly built.

Sympl 11 for Debian Bullseye
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/315
sympl-mail: sympl-mail-poppassd fails to start in Bullseye IPv6-only
2021-08-23T07:35:18Z
Paul Cammish

It seems that an IPv6-only instance running Bullseye falls foul of a change in Ruby which prevents it from binding to 127.0.0.1, but adding an IPv4 address on loopback means it's okay, and this is fine with prior Debian versions.
As a short-term work-around, adjusting https://gitlab.mythic-beasts.com/sympl/sympl/-/blob/bullseye/mail/sbin/sympl-mail-poppassd and changing:
```ruby
EventMachine.run do
  begin
    EventMachine.start_server "127.0.0.1", port, Symbiosis::Email::PoppassHandler
  rescue StandardError => err
    syslog.info "Caught #{err.to_s} "
    EM.stop
  end
end
```
to:
```ruby
EventMachine.run do
  begin
    EventMachine.start_server "127.0.0.1", port, Symbiosis::Email::PoppassHandler
  rescue StandardError => err
    begin
      EventMachine.start_server "::", port, Symbiosis::Email::PoppassHandler
    rescue StandardError => err
      syslog.info "Caught #{err.to_s} "
      EM.stop
    end
  end
end
```
Will have it fall back and still bind to 127.0.0.1. This also binds to other addresses, but it's firewalled so shouldn't be an issue.

Sympl 11 for Debian Bullseye
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/316
install: fails on Debian 11 without gnupg if debconf-set-selections already installed
2021-08-23T07:37:11Z
Paul Cammish

# Summary
Using a fresh Debian 11 image on Linode, the install script exits at the following line due to lack of gnupg
```
root@localhost:~# wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
```
# Steps to reproduce
Using a fresh Debian 11 image on Linode, the install script exits at the following line due to lack of gnupg
- create linode with Debian 11 image
- follow documentation to install (https://wiki.sympl.host/view/Installing_Sympl)
  - a) `wget https://gitlab.mythic-beasts.com/sympl/install/raw/master/install.sh`
  - b) `bash install.sh`
- watch installer die at `Adding repository key...`
  - specifically, `apt-key` fails to add the gpg public key due to missing dependency, see logs below
EDIT: It appears that `gnupg` is already listed as a dependency in the install script, but never installed since `debconf-set-selections` is already installed on the Linode image
# Example Project
Follow documentation (https://wiki.sympl.host/view/Installing_Sympl) on Debian 11 image which doesn't contain a gnupg package, such as Linode's Debian 11 image
# What is the current bug behavior?
Installer dies part way through, as above
# What is the expected correct behavior?
Installer completes successfully! :sunglasses:
# Relevant logs and/or screenshots
Before running script
```
root@localhost:~# which debconf-set-selections
/usr/bin/debconf-set-selections
```
Installer failing:
```
-----------------------------------------------------------------------
Sympl Installer v20210818
-----------------------------------------------------------------------
This script will help you install Sympl on a Debian Linux or Raspberry
Pi OS server with minimal hassle, and give you some intial pointers.
Installing initial dependencies...
All packages are up to date.
Installing Sympl from 'bullseye' repository.
Setting defaults...
Adding repository key...root@localhost:~#
```
Failing line ran separately:
```
root@localhost:~# wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
```
# Possible fixes
Lines causing issues:
- `if [ "x$(which debconf-set-selections)" = "x" ]; then`
- `wget -qO- https://mirror.mythic-beasts.com/mythic/support@mythic-beasts.com.gpg.key | apt-key add -`
Either remove the check around dependency `debconf-set-selections` installation, or separate `gnupg` into a separate dependency installation block
/cc @kelduum

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/317
sympl-mail: /srv/example.com/mailboxes is required to accept mail
2021-09-23T21:15:58Z
Paul Cammish

Due to the changes in Exim in Debian 11, the config now expects the /srv/example.com/mailboxes directory to exist for incoming mail, and fails if it doesn't (ie: there's aliases or default forward, etc).
Reported in https://forum.sympl.host/t/mail-aliases-in-config-aliases/234

Paul Cammish
2021-09-24

https://gitlab.com/sympl.io/sympl/-/issues/318
sympl-core: Cross signed Let's Encrypt bundle flags all LE certs as expired
2021-10-04T10:11:53Z
Paul Cammish

This is caused by the current Ruby codebase which uses the OpenSSL library to build a certificate store, used to validate certificates.
The bundle now includes an extra cert with a copy of the normal intermediate signed by the now-expired DST X3 Root certificate (used as a workaround for old devices which don't have the new X1 root cert), meaning the bundle is effectively signed twice.
This is fine in the vast majority of cases, but in this instance, the presence of an intermediate signed by an expired root raises an error, which then means sympl-ssl.rb considers the whole chain invalid, leading to it retrieving new certs on every run.
A workaround has been put together in sympl-ssl to remove the expired intermediate from the ssl.bundle and ssl.combined when preceded by the normal cert in !243 !244 !245.
Longer-term, the existing sympl-ssl will be replaced by the new version in development.

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/232
Sympl determines host name incorrectly during install
2022-04-26T09:50:34Z
Paul Cammish

During the install, sympl creates a 'default' directory based on the hostname of the machine. However, it incorrectly uses the domain 'localdomain' when creating this directory.
On a clean debian machine, the /etc/hostname file contains a bare hostname. Code in core/debian/postinst uses this file as the hostname, and if it sees a 'bare' hostname, appends 'localdomain' to the hostname read from the file.
The debian installation had a full hostname specified, and typing
hostname -f
retrieves this full host name correctly.
The postinst script will also fall back to using hostname -f if /etc/hostname exists.

Sympl v9.0 (for Debian Stretch)
Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/328
sympl-mail: Emailing mailbox quota functionality prevents mail delivery on Bullseye
2022-10-05T08:22:43Z
Paul Cammish

Identified in an install migrated from Sympl 10, Exim considers the `mailboxes/example/quota`, `config/mailbox-quota` and `/etc/sympl/exim4/mailbox-quota` files tainted.
Mail is received and waits in the local spool, but cannot be delivered to user mailboxes until the quota is disabled.
Relevant variables will need de-tainting before they can be used.
Relevant file is `mail/exim4/sympl.d/30-transports/30-address-directory`

Paul Cammish

https://gitlab.com/sympl.io/sympl/-/issues/335
Failures: Dovecot
2023-05-02T12:02:04Z
Paul Cammish

Looks like some breaking changes to the dovecot config in Bookworm, notably mentions of:
```
configuration error - unknown item 'NONEXISTENT' (notify administrator)
configuration error - unknown item 'PREVENT_NO_AUTH' (notify administrator)
```
...in the logs when installing.

Sympl 12 (bookworm)

https://gitlab.com/sympl.io/sympl/-/issues/337
Build: docker build image not based on bookworm
2023-05-02T12:02:32Z
Paul Cammish

The docker build image is currently a clone of the buster image, so is building things slightly wrong, which may account for errors in `sympl-firewall`.
This should be fixed up ASAP.

Sympl 12 (bookworm)