Clinton Ebadi [Sat, 13 Jul 2013 06:50:04 +0000 (02:50 -0400)]
Check user exists before opening incoming ports
* Although we can't limit who actually listens on the port, better to
not open any ports for members who might be gone
Clinton Ebadi [Sat, 13 Jul 2013 06:18:45 +0000 (02:18 -0400)]
Overhaul fwtool
* Parse into structured representation, and then convert later
* Printing code is still ugly, the rest is much easier to follow IMHO
* Fix ProxiedServer rule generation ("www-data" on web nodes needs the
port opened too)
* Fix LocalServer rule generation (allow user to connect to their own
server)
* Probably secretly sucks in some way
* UNTESTED
Clinton Ebadi [Tue, 19 Feb 2013 19:29:44 +0000 (14:29 -0500)]
Fix ProxiedServer firewall rule generation for web node
Clinton Ebadi [Fri, 15 Feb 2013 18:54:39 +0000 (13:54 -0500)]
Switch default web node from mire to navajos
Bombs away!
Clinton Ebadi [Thu, 31 Jan 2013 17:22:49 +0000 (12:22 -0500)]
Hide .svn and .git dirs on wordpress sites
Clinton Ebadi [Thu, 31 Jan 2013 17:18:19 +0000 (12:18 -0500)]
Remove php4 support
Good riddance
Clinton Ebadi [Tue, 22 Jan 2013 22:23:46 +0000 (17:23 -0500)]
SSLCertificateChainFile support
Like kerberos auth, this works around non-SSL vhosts by printing a
warning and ignoring the directive.
Clinton Ebadi [Tue, 22 Jan 2013 18:57:30 +0000 (13:57 -0500)]
bare fwtool regen
Regenerate all nodes at once
Clinton Ebadi [Fri, 18 Jan 2013 18:49:46 +0000 (13:49 -0500)]
Support MultiViews
Closes https://bugzilla.hcoop.net/show_bug.cgi?id=845
Clinton Ebadi [Fri, 18 Jan 2013 18:46:06 +0000 (13:46 -0500)]
Update lib
Clinton Ebadi [Tue, 15 Jan 2013 20:14:58 +0000 (15:14 -0500)]
Remove fritz from webNodes, remove mire from slave dns
Kill all of the old machines, I say.
Clinton Ebadi [Sun, 6 Jan 2013 11:18:52 +0000 (06:18 -0500)]
Change package-exists to return section/description
Kind of ugly, will break in wheezy (fields are localized and names
change), but we need this information for the portal. Possible evil
use of MsgNo without MsgYes.
Clinton Ebadi [Sun, 6 Jan 2013 08:47:38 +0000 (03:47 -0500)]
Add missed signature change
Clinton Ebadi [Sun, 6 Jan 2013 08:33:08 +0000 (03:33 -0500)]
Move Acl.read from start of slave loop to firewall handling case
Reading it before blocking waiting for a message could result in stale
permissions being used for a single request.
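The ordering problem this commit describes, as an added illustration (not domtool's code; the ACL store, the message type and the "firewall" capability name are constructed stand-ins). A slave that reads its permissions and then blocks on the socket authorizes the next request against whatever the ACL said before the wait began; reading after the message arrives uses the current ACL.

```python
"""Order of ACL read vs. blocking receive in a request loop (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


class AclFile:
    """Stand-in for the on-disk ACL that an Acl.read-style call loads.

    Assumption: permissions are a map user -> set of granted capability names.
    """

    def __init__(self, grants: Dict[str, Set[str]]):
        self._grants = {user: set(caps) for user, caps in grants.items()}

    def read(self) -> Dict[str, Set[str]]:
        # Snapshot, like re-reading the file: later edits do not leak into it.
        return {user: set(caps) for user, caps in self._grants.items()}

    def revoke(self, user: str, cap: str) -> None:
        self._grants.get(user, set()).discard(cap)


@dataclass
class Request:
    user: str
    capability: str  # e.g. "firewall"


class Mailbox:
    """Blocking receive.  `while_blocked` models whatever an admin does
    (here: a revocation) while the slave sits in recv()."""

    def __init__(self, messages: List[Request],
                 while_blocked: Optional[Callable[[], None]] = None):
        self._messages = list(messages)
        self._hook = while_blocked

    def recv(self) -> Request:
        if self._hook is not None:
            self._hook()          # the ACL changes while we are blocked
        return self._messages.pop(0)


def authorize(acl: Dict[str, Set[str]], req: Request) -> bool:
    return req.capability in acl.get(req.user, set())


def handle_read_before_recv(acl_file: AclFile, mailbox: Mailbox) -> bool:
    acl = acl_file.read()         # permissions read first ...
    req = mailbox.recv()          # ... then block; ACL may change meanwhile
    return authorize(acl, req)    # decision uses the stale snapshot


def handle_read_after_recv(acl_file: AclFile, mailbox: Mailbox) -> bool:
    req = mailbox.recv()          # block first ...
    acl = acl_file.read()         # ... then read permissions for this request
    return authorize(acl, req)


def demo() -> Dict[str, bool]:
    """Same scenario under both orderings: alice's firewall permission is
    revoked while the slave waits, then her request arrives."""
    results = {}
    for name, handler in (("read_before_recv", handle_read_before_recv),
                          ("read_after_recv", handle_read_after_recv)):
        acl_file = AclFile({"alice": {"firewall"}})
        mailbox = Mailbox([Request("alice", "firewall")],
                          while_blocked=lambda f=acl_file: f.revoke("alice", "firewall"))
        results[name] = handler(acl_file, mailbox)
    return results


if __name__ == "__main__":
    print(demo())
```

Run it and the read-before-receive loop still grants the revoked permission for that one request, while the read-after-receive loop denies it.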
Clinton Ebadi [Sun, 6 Jan 2013 08:31:52 +0000 (03:31 -0500)]
Add query for existence of package
Used by the portal to determine if a package exists, rather than
querying the local apt. The implementation is copied from the portal
mostly, and is probably less than ideal: I think the return value of
apt-cache could be used, but the man page is unclear and this works
so...
Clinton Ebadi [Fri, 4 Jan 2013 08:36:01 +0000 (03:36 -0500)]
Do not generate zone files on bind slaves
* bind slaves perform domain transfers from the master server, so
there is no need to generate and push zone files to them. In theory.
Clinton Ebadi [Fri, 4 Jan 2013 08:34:08 +0000 (03:34 -0500)]
Remove `bind_config' group chowning from domtool-publish
* This was added so that jsl and others could administer the bind
config without full root. No one is doing that now, no reason to
require a non-standard group for the time being.
Clinton Ebadi [Fri, 4 Jan 2013 08:33:10 +0000 (03:33 -0500)]
Add new outpost as domtool-slave and dns slave
Clinton Ebadi [Thu, 3 Jan 2013 06:36:38 +0000 (01:36 -0500)]
Remove outpost
It disappeared on us :(
Clinton Ebadi [Sun, 30 Dec 2012 21:04:42 +0000 (16:04 -0500)]
Add bog as domtool-slave
* firewall and proxy target for user servers
Clinton Ebadi [Sat, 22 Dec 2012 19:37:47 +0000 (14:37 -0500)]
Drop default TTL to one hour
* We're transitioning to a new node, and dyndns says an hour is
reasonable on the modern Internet anyway.
Clinton Ebadi [Tue, 18 Dec 2012 07:34:54 +0000 (02:34 -0500)]
Add new moinmoin static files prefix to world readable files
Clinton Ebadi [Tue, 11 Dec 2012 08:13:53 +0000 (03:13 -0500)]
Use sh instead of pagsh for init scripts
pagsh provides no benefit since domtool is started using k5start, and
should have been removed ages ago. Slipped through the cracks until it
broke something.
Clinton Ebadi [Tue, 11 Dec 2012 07:51:06 +0000 (02:51 -0500)]
Fix domtool-postgres script
Export PGPORT is not enough, because sudo clears the environment. Whoops.
Clinton Ebadi [Mon, 10 Dec 2012 01:44:38 +0000 (20:44 -0500)]
Clean postgres driver variables and add postgres-9.1 support
* Like with mysql, remove magic spaces at the end of the config
settings
* Curry the definitions of the postgres dbms functions for
multi-version support
* Register new postgres-9.1 dbms backend
Clinton Ebadi [Mon, 10 Dec 2012 01:42:18 +0000 (20:42 -0500)]
Remove spaces from dbtool mysql driver config
This was used to avoid an extra " " in the shell command in SML. I
think that's just asking for subtle bugs.
Clinton Ebadi [Mon, 10 Dec 2012 01:41:07 +0000 (20:41 -0500)]
Update Easy_Domain to support trivial configuration of default node
Clinton Ebadi [Mon, 10 Dec 2012 01:40:32 +0000 (20:40 -0500)]
Force php in wordpress locations to version 5
Clinton Ebadi [Mon, 10 Dec 2012 01:40:09 +0000 (20:40 -0500)]
Add navajos to library
Clinton Ebadi [Sun, 9 Dec 2012 06:18:33 +0000 (01:18 -0500)]
EVar -> EString in default for DefaultWebNode
Even sml lets you do stupid things!
Clinton Ebadi [Sun, 9 Dec 2012 02:02:22 +0000 (21:02 -0500)]
Register default value for DefaultWebNode environment variable
This will allow users to change the value used for the defaultA and vhost
Clinton Ebadi [Fri, 7 Dec 2012 20:49:40 +0000 (15:49 -0500)]
Remove automatic insserv in Makefile
It was a bad idea. Added a --bootstrap option to the deploy script instead
Clinton Ebadi [Fri, 7 Dec 2012 20:25:04 +0000 (15:25 -0500)]
Firewall: Concat $WEBNODES list using space instead of comma
Clinton Ebadi [Fri, 7 Dec 2012 20:19:48 +0000 (15:19 -0500)]
Use jump instead of goto in firewall
They do the same thing, but ferm renamed the keyword to reflect what
it does better.
Clinton Ebadi [Fri, 7 Dec 2012 20:19:04 +0000 (15:19 -0500)]
bourne shell vs bashism fix
Clinton Ebadi [Fri, 7 Dec 2012 19:20:19 +0000 (14:20 -0500)]
Correct location of firewall rules
Helps to use the right pathname, usually.
Clinton Ebadi [Fri, 7 Dec 2012 16:42:32 +0000 (11:42 -0500)]
Read ACL in slave service loop
At least the firewall needs to query permissions. Acl.read has the
handy attribute of clearing the current ACL. I think the main service
function should also be re-reading the permissions on each loop, or
perhaps not because it may call setupUser instead? Investigate.
Clinton Ebadi [Fri, 7 Dec 2012 16:22:29 +0000 (11:22 -0500)]
Better error message for fwtool
Clinton Ebadi [Fri, 7 Dec 2012 15:28:08 +0000 (10:28 -0500)]
Generate config into domtool work directory and copy later
Also update paths in the config to where the live files are
Clinton Ebadi [Fri, 7 Dec 2012 15:27:02 +0000 (10:27 -0500)]
Open outgoing ports on web nodes for firewall ProxiedServer directive
Opens outgoing ports for user on all user-accessible web nodes, but
right now that's just one machine.
Clinton Ebadi [Thu, 6 Dec 2012 08:29:27 +0000 (03:29 -0500)]
For install_{server,slave}, insserv so domtool starts on boot
Brave GNU dependency based boot future
Clinton Ebadi [Fri, 14 Sep 2012 05:33:47 +0000 (01:33 -0400)]
Expand valid proxyHosts
* Instead of matching `localhost', match from a list of possible hosts
Clinton Ebadi [Fri, 14 Sep 2012 05:27:07 +0000 (01:27 -0400)]
Fix firewall input rules, add ProxiedServer directive
* mod uid-owner only works for output connections, hack it for now and
just open the ports for everyone
* ProxiedServer allows connections from all webNodes, but does not
open up output ports from them
Clinton Ebadi [Fri, 14 Sep 2012 05:21:10 +0000 (01:21 -0400)]
Add navajos to domtool reset global
* Should clean this up in general
Clinton Ebadi [Fri, 14 Sep 2012 05:20:38 +0000 (01:20 -0400)]
Fix chown group in publish script
Clinton Ebadi [Sun, 2 Sep 2012 22:17:09 +0000 (18:17 -0400)]
Add navajos as domtool slave and user web node
* A brave new future awaits us
Clinton Ebadi [Tue, 31 Jul 2012 08:07:59 +0000 (04:07 -0400)]
Merge branch 'master' of /afs/hcoop.net/user/h/hc/hcoop/.hcoop-git/domtool2
Clinton Ebadi [Tue, 31 Jul 2012 07:37:41 +0000 (03:37 -0400)]
Fix all domtool scripts for modern Debian and HCoop practices
* There is no longer any local `domtool' group, use `nogroup' instead and
chmod files user readable only
* The init scripts assumed `/usr/local/[s]bin' were in `$PATH', which
is not true on a default Debian install. Rather than require
customization of system defaults, just use long paths. It would be
nice if the Makefile supported relocatable installs, but I also want
a pony for xmas.
* `domtool-admin-sudo' never worked properly. It seems to rely on the
mistaken assumption that starting a `pagsh' gives you a new
PAG... when `pagsh' has the unintuitive behavior of adopting the
current PAG instead of creating a new one if one should
exist. Things appeared to work since there was always a local
domtool user, and some interaction between the init scripts
acquiring tokens outside of a PAG and sudo led to use of the uid
ticket cache. The solution is just to use `k5start' instead of
`kinit && aklog'
Clinton Ebadi [Sat, 14 Jul 2012 23:45:38 +0000 (19:45 -0400)]
Fix unintentional punning of masterNode and dispatcherName
* masterNode is the DNS master, not the domtool dispatcher, but it was
overloaded
* Luckily, there is a dispatcherName and a simple substitution fixes it
Clinton Ebadi [Tue, 27 Mar 2012 03:06:39 +0000 (23:06 -0400)]
Per-host firewall rules
* The implementation is ugly (terribleness with tuples, filtering at
generation time, etc.), but my SML-fu is too weak to do this
properly in a time efficient manner
* Needs to check if user has some domtool permission to that node, ideally
Clinton Ebadi [Sat, 7 Jan 2012 19:42:49 +0000 (14:42 -0500)]
`fwtool' main
* Basic driver
Clinton Ebadi [Thu, 29 Dec 2011 20:06:50 +0000 (15:06 -0500)]
Firewall Regen Support
* Clean up code slightly (still ugly, I'm no good with SML)
* Accept `MsgFirewallRegen' to regenerate firewall on slave
* Not tested much, should also generate the firewall elsewhere and
copy to `/etc'
Clinton Ebadi [Tue, 29 Nov 2011 07:08:16 +0000 (02:08 -0500)]
Port firewall generation from Domtool1/fwtool
* fwtool was a bit of a hack -- try to clean things up...
* Parsing and generating the config are split (somewhat)
* Only one set of rules for all nodes with a firewall
Clinton Ebadi [Sat, 19 Mar 2011 23:11:22 +0000 (19:11 -0400)]
vmailpasswd: actually call domtool-publish
Clinton Ebadi [Tue, 8 Mar 2011 16:35:23 +0000 (11:35 -0500)]
Merge branch 'release'
Clinton Ebadi [Tue, 8 Mar 2011 16:33:32 +0000 (11:33 -0500)]
Remove hopper from domtool email configuration
clinton_admin [Mon, 31 Jan 2011 19:00:03 +0000 (14:00 -0500)]
Force use of actual echo instead of shell builtin
* The default echo builtin used by make doesn't support -e any more!
Clinton Ebadi [Mon, 31 Jan 2011 18:52:00 +0000 (13:52 -0500)]
Enable fritz as an admin web node
root [Sun, 5 Dec 2010 21:38:54 +0000 (21:38 +0000)]
Configure outpost as a dns slave
* And remove hopper as it is not in dnsNodes_all and does not have
bind installed
clinton_admin [Wed, 1 Dec 2010 07:13:20 +0000 (02:13 -0500)]
Merge branch 'dbms-in-slave'
Clinton Ebadi [Wed, 1 Dec 2010 06:49:36 +0000 (01:49 -0500)]
Move Mysql-fixperms into slave
* Occurs on dbmsNode as with other database operations
clinton_admin [Wed, 1 Dec 2010 06:02:53 +0000 (01:02 -0500)]
Add fritz as a slave node
* Not used for anything yet, ensuring that the slave is setup correctly
clinton_admin [Wed, 1 Dec 2010 03:12:42 +0000 (22:12 -0500)]
Readd outpost_ip to hcoop base library
Clinton Ebadi [Thu, 25 Nov 2010 06:10:17 +0000 (01:10 -0500)]
Update domtool-mysql script for local filesystem tablespaces
* /afs/hcoop.net/common/databases -> /srv/databases
* ACL -> give group mysql rw permissions on all files
Clinton Ebadi [Thu, 25 Nov 2010 06:03:40 +0000 (01:03 -0500)]
Attempt to move Dbms handling into slave
* It typechecks and compiles... and looks like it ought to work
* `requestDbFoo' functions make an ad-hoc connection to a slave. There
is much room for cleanup here.
* /Factored/ doIt function from `service' so that the Dbms message
handling could be cut and pasted into the slave function
* Added Dbms.dbmsNode configuration option
* Note that dbms operations *always* occur on a slave now--if the
machine is also the dispatcher node it will now need to run a slave
instance as well
Clinton Ebadi [Tue, 2 Nov 2010 23:09:46 +0000 (19:09 -0400)]
Remove outpost from domtool control
* The domtool config for hcoop.net needs to be updated
clinton_admin [Mon, 4 Oct 2010 04:21:30 +0000 (00:21 -0400)]
Temporary workaround to `domtool-postgres' script
* Explicitly connect to `postgres' host until fritz has a slave
installed and databases can be managed by slaves
Davor Ocelic [Tue, 16 Feb 2010 17:39:13 +0000 (17:39 +0000)]
Fix pcre_sml.so paths
Davor Ocelic [Wed, 6 Jan 2010 11:28:02 +0000 (11:28 +0000)]
Add fritz_ip 69.90.123.75
Adam Chlipala [Tue, 5 Jan 2010 19:13:55 +0000 (19:13 +0000)]
Change deleuze back to default Mailman node
Adam Chlipala [Tue, 29 Sep 2009 14:32:23 +0000 (14:32 +0000)]
Don't send DNS info to servers that don't run DNS daemons
Adam Chlipala [Tue, 29 Sep 2009 14:09:49 +0000 (14:09 +0000)]
Fixing Courier userdb rsync commands
Adam Chlipala [Sun, 27 Sep 2009 19:07:34 +0000 (19:07 +0000)]
Changes to support IMAP on hopper all compile but are not tested yet
Adam Chlipala [Sun, 27 Sep 2009 17:02:49 +0000 (17:02 +0000)]
Make dynamic linking smarter, so this stuff works before running 'make install'
Adam Chlipala [Sun, 26 Jul 2009 17:05:26 +0000 (17:05 +0000)]
bpt's domtool-mode auto-mode suggestion
Adam Chlipala [Sun, 17 May 2009 13:01:15 +0000 (13:01 +0000)]
DefaultA parameter to dom
Adam Chlipala [Tue, 14 Apr 2009 14:07:25 +0000 (14:07 +0000)]
Some mod_expires support
Adam Chlipala [Thu, 19 Feb 2009 14:19:56 +0000 (14:19 +0000)]
Catch OpenSSL exceptions on slave connection acceptance
Adam Chlipala [Tue, 17 Feb 2009 16:46:03 +0000 (16:46 +0000)]
ACL check on reusers requests
Adam Chlipala [Tue, 17 Feb 2009 16:30:21 +0000 (16:30 +0000)]
Generation of slash-tilde waklog directives for each user
Adam Chlipala [Mon, 24 Nov 2008 14:08:35 +0000 (14:08 +0000)]
Print on start of mysql-fixperms in domtool-server
Adam Chlipala [Mon, 22 Sep 2008 15:05:13 +0000 (15:05 +0000)]
Add Apache icons to readable paths
Adam Chlipala [Thu, 14 Aug 2008 13:58:32 +0000 (13:58 +0000)]
Stop warning about silly DNS directives
Adam Chlipala [Thu, 14 Aug 2008 13:07:24 +0000 (13:07 +0000)]
Change some node filenames to avoid clashes with subdomains
Adam Chlipala [Sat, 26 Jul 2008 14:20:37 +0000 (14:20 +0000)]
Output suPHP_UserGroup
Adam Chlipala [Wed, 16 Jul 2008 00:06:43 +0000 (00:06 +0000)]
domtool-addcert handles inability to set an ACL entry
Adam Chlipala [Tue, 15 Jul 2008 20:11:28 +0000 (20:11 +0000)]
domtool-readdcerts
Adam Chlipala [Tue, 15 Jul 2008 19:47:14 +0000 (19:47 +0000)]
Make domtool-tail actually work
Adam Chlipala [Tue, 15 Jul 2008 19:39:28 +0000 (19:39 +0000)]
domtool-tail
Adam Chlipala [Tue, 15 Jul 2008 15:45:36 +0000 (15:45 +0000)]
FilesMatch directive
Adam Chlipala [Tue, 15 Jul 2008 14:58:54 +0000 (14:58 +0000)]
Reduce set of ACL categories to which '-fake' applies
Adam Chlipala [Tue, 15 Jul 2008 14:55:19 +0000 (14:55 +0000)]
'-fake' flag added to 'domtool'
Adam Chlipala [Tue, 15 Jul 2008 14:31:13 +0000 (14:31 +0000)]
Changing handling of Apache log rename/delete
Adam Chlipala [Thu, 10 Jul 2008 23:38:53 +0000 (23:38 +0000)]
More loading of lib.dtl
Adam Chlipala [Sat, 28 Jun 2008 14:40:10 +0000 (14:40 +0000)]
Remove silly special-case servercert stuff
Adam Chlipala [Fri, 20 Jun 2008 18:34:35 +0000 (18:34 +0000)]
Change default nameservers
Adam Chlipala [Fri, 23 May 2008 15:19:26 +0000 (15:19 +0000)]
Expand allowed set of proxy_targets
Adam Chlipala [Mon, 12 May 2008 20:26:51 +0000 (20:26 +0000)]
Allow rmdom on subdomains of those on the user's ACL
Adam Chlipala [Wed, 9 Apr 2008 14:33:42 +0000 (14:33 +0000)]
Fix postgres DB creation
Adam Chlipala [Wed, 9 Apr 2008 14:23:57 +0000 (14:23 +0000)]
Specifying encoding on database creation