Tracker setup on soriano.debian.org
===================================

(This is internal documentation, in case things need to be fixed.
It is not relevant to day-to-day editing tasks.)

Relevant files and directories
------------------------------

The tracker runs under the user ID "sectracker". Most of its files
are stored in the directory /srv/security-tracker.debian.org/website:

  bin/cron                 invoked by cron once every minute
  bin/cron-hourly          invoked by cron once every hour
  bin/cron-daily           invoked by cron once every day
  bin/read-and-touch       invoked by ~/.procmailrc
  bin/start-daemon         invoked by cron at reboot
  secure-testing           Subversion checkout
  secure-testing/bin/*     main entry points, called by bin/cron
  secure-testing/stamps/*  files which trigger processing by bin/cron

~sectracker/.procmailrc invokes bin/read-and-touch to create stamp
files, which are then picked up by bin/cron. This is done to serialize
change events in batches (e.g., commits originated from git-svn).
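
The stamp-file hand-off described above, sketched as an added example (it is
not the tracker's actual bin/read-and-touch or bin/cron). STAMP_DIR, the
function names and the "update" output line are assumptions made for the
illustration:

```shell
#!/bin/sh
# Added illustration of the stamp-file pattern; NOT the tracker's own scripts.
# STAMP_DIR, the function names and the "update" action are assumptions.
STAMP_DIR="${STAMP_DIR:-$(mktemp -d)}"

# Mail-delivery side (the role the page gives bin/read-and-touch):
# swallow the message on stdin and record that source $1 has changed.
# Any number of mails before the next cron run collapse into one stamp.
read_and_touch() {
    cat >/dev/null
    touch "$STAMP_DIR/$1"
}

# Cron side (the role the page gives bin/cron): handle each pending
# stamp once and print one "update <source>" line per stamp handled.
run_cron() {
    # mkdir is atomic, so overlapping runs cannot both take the lock.
    mkdir "$STAMP_DIR/.lock" 2>/dev/null || return 0
    for stamp in "$STAMP_DIR"/*; do
        [ -f "$stamp" ] || continue
        # Remove the stamp BEFORE doing the work: a mail that arrives while
        # the update runs recreates it and is handled by the next run.
        rm -f "$stamp"
        echo "update ${stamp##*/}"   # stand-in for the real update step
    done
    rmdir "$STAMP_DIR/.lock"
}
```

If a run dies between mkdir and rmdir, the lock directory stays behind and
has to be removed by hand before processing resumes.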

<sectracker@soriano.debian.org> is subscribed to these mailing lists to
be notified of changes:

  <debian-security-announce@lists.debian.org>
  <secure-testing-commits@lists.alioth.debian.org>

The crontab of the "sectracker" user is set up such that the scripts
are invoked as specified above.

~sectracker/.wgetrc contains the path to the bundle of certificate
authorities used to verify peers for data fetched via wget:

  ca-certificate=/etc/ssl/ca-global/ca-certificates.crt

Web server
----------

80/TCP is handled by Apache. The Apache configuration is here:

  /srv/security-tracker.debian.org/etc/apache.conf

mod_proxy is used to forward requests to the actual server which
listens on 127.0.0.1:25648 and is started by the
/srv/security-tracker.debian.org/website/bin/start-daemon script
(using a @reboot action in sectracker's crontab).

To restart the security tracker service, kill the tracker_service.py
Python process and invoke the start-daemon script as the sectracker
user.

Logging
-------

Apache logs are stored in:

  /var/log/apache2/security-tracker.debian.org.access.log
  /var/log/apache2/security-tracker.debian.org.error.log

The Python daemon writes logs to a separate file, too:

  /srv/security-tracker.debian.org/website/log/daemon.log

This also contains the exception traces.

debsecan metadata
-----------------

/srv/security-tracker.debian.org/website/bin/cron contains code which
pushes updates to secure-testing-master, using rsync.

PTS interface
-------------

The PTS fetches bug counts from this URL:

  http://security-tracker.debian.org/tracker/data/pts/1

Code updates
------------

Updates to the Subversion checkout only affect the directory
/srv/security-tracker.debian.org/website/secure-testing/data.
Code changes need to be applied manually, using "svn update",
followed by a service restart (see above).

Subversion repository mirror
----------------------------

The Subversion repository is mirrored (including history) using
svnsync, to the /srv/security-tracker.debian.org/subversion-backup
directory. The sectracker crontab contains an entry which runs
svnsync periodically.