diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2021-09-02 21:20:44 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-09-02 21:20:44 +0200 |
commit | 70818f93b4acd86bd27000f85fc76ab1ffa1b38f (patch) | |
tree | 792e6b1bc2f6e63e28061cd446a0597097d92318 /doc/setup.txt | |
parent | 75319dc393c3f1a46b74de1efc42b386a46653fc (diff) |
Make setup notes independent named from host
But retain a symlink to it for now.
Signed-off-by: Salvatore Bonaccorso <carnil@debian.org>
Diffstat (limited to 'doc/setup.txt')
-rw-r--r-- | doc/setup.txt | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/doc/setup.txt b/doc/setup.txt new file mode 100644 index 0000000000..c278198be5 --- /dev/null +++ b/doc/setup.txt @@ -0,0 +1,109 @@ +Tracker setup on soriano.debian.org +=================================== + +(This is internal documentation, in case things need to be fixed. +It is not relevant to day-to-day editing tasks.) + +The code and data is organized via +https://salsa.debian.org/security-tracker-team/ + +Required packages for running the security-tracker are pulled in via the +debian.org-security-tracker.debian.org . A mirror for to the packaging +repository is at https://salsa.debian.org/dsa-team/mirror/debian.org, +which creates the debian.org-security-tracker.debian.org binary package. + +Relevant files and directories +------------------------------ + +The tracker runs under the user ID "sectracker". Most of its files +are stored in the directory /srv/security-tracker.debian.org/website: + + bin/cron invoked by cron once every minute + bin/cron-hourly invoked by cron once every hour + bin/cron-daily invoked by cron once every day + bin/read-and-touch invoked by ~/.procmailrc + bin/start-daemon invoked by cron at reboot + + security-tracker Git checkout + security-tracker/bin/* main entry points, called bin bin/cron + security-tracker/stamps/* files which trigger processing by bin/cron + +~sectracker/.procmailrc invokes bin/read-and-touch to create stamp +files, which are then picked up by bin/cron. This is done to serialize +change events in batches (e.g., commits originated from git). +<sectracker@soriano.debian.org> is subscribed to these mailing lists to +be notified of changes: + + <debian-security-announce@lists.debian.org> + <debian-lts-announce@lists.debian.org> + <debian-security-tracker-commits.alioth-lists.debian.net> + +The crontab of the "sectracker" user is set up such that the scripts +are invoked as specified above. + +~sectracker/.wgetrc contains the path to the bundle of certificate +authorities to verify peers for the data fetched via wget: + +ca-certificate=/etc/ssl/ca-global/ca-certificates.crt + +~sectracker/.curlrc contains a similar setting: + +capath=/etc/ssl/ca-global + +Web server +---------- + +80/TCP is handled by Apache. The Apache configuration is here: + + /srv/security-tracker.debian.org/etc/apache.conf + +mod_proxy is used to forward requests to the actual server which +listens on 127.0.0.1:25648 and is started by a user systemd unit +/srv/security-tracker.debian.org/website/systemd/tracker_service.service + +The user systemd unit needs to be activated and started once at initial +setup of the host (including requesting DSA to activate lingering for +the sectracker user): + +As the sectracker running user: + +systemctl --user enable /srv/security-tracker.debian.org/website/systemd/tracker_service.service + +To restart the security tracker service, restart the user systemd unit. + +Logging +------- + +Apache logs are stored in: + + /var/log/apache2/security-tracker.debian.org.access.log + /var/log/apache2/security-tracker.debian.org.error.log + +The Python daemon writes logs to a separate file, too: + + /srv/security-tracker.debian.org/website/log/daemon.log + +This also contains the exception traces. + +debsecan metadata +----------------- + +/srv/security-tracker.debian.org/website/bin/cron contains code which +pushes updates to secure-testing-master, using rsync. + +PTS interface +------------- + +The PTS fetches bug counts from this URL: + + https://security-tracker.debian.org/tracker/data/pts/1 + +Code updates +------------ + +Updates to the Git checkout only affect the directory +/srv/security-tracker.debian.org/website/security-tracker/data. Code +changes need to be applied manually by inspecting the changes done in +the security-tracker.git. + +After that a service restart is needed (see above) |