Changes between Version 4 and Version 5 of schleuder-setup

Timestamp:

Feb 11, 2017, 8:09:57 PM (7 years ago)

Author:

JaimeV

Comment:

--

schleuder-setup

@@ -30 +30 @@
 
 {{{
-0 herman:~# apt purge rsyslog logrotate cron tasksel installation-report wamerican console-setup keyboard-configuration kbd isc-dhcp-client isc-dhcp-common discover laptop-detect ifupdown dmidecode eject netcat-traditional traceroute usbutils iptables pciutils reportbug os-prober gcc-5-base linux-image-4.8.0-2-amd64
+0 herman:~# apt purge rsyslog logrotate cron tasksel installation-report wamerican console-setup keyboard-configuration kbd isc-dhcp-client isc-dhcp-common discover laptop-detect ifupdown dmidecode eject netcat-traditional traceroute usbutils iptables pciutils reportbug os-prober gcc-5-base
+}}}
+
+''The following step is subject to change in the future.''
+
+{{{
+0 herman:~# apt purge linux-image-4.8.0-2-amd64
 }}}
 
@@ -42 +48 @@
 
 === Install packages from unstable repository ===
+
+''The use of these packages from the unstable repository is subject to change in the future.''
 
 Add the unstable repository.
@@ -88 +96 @@
 At this point the server should be accessible over ssh.
 
-== No logs ==
+== No logging to disk ==
 
 When both journald and rsyslog are installed, the default is that journald spits out all its messages to syslog and syslog writes them to disk. Without syslog, journald is responsible for writing whatever needs to be written. See configuration choices for {{{/etc/systemd/journald.conf}}} with {{{man journald.conf}}}
@@ -95 +103 @@
 note that /run is a tmpfs, meaning it's ephemeral, and disappears when the machine loses power so since we've avoided placing a permanent journal everything is being logged in /run
 
+
+Some services implement their own mechanisms for writing logs, we need to deal with these individually.
 The following command will show any processes still holding open files in /var/log
 
@@ -114 +124 @@
 }}}
 
+''The tor daemon should log to syslog by default in [https://bugs.debian.org/852716 | future versions] so the above fix is temporary.''
+  
 == tmpfs for /tmp ==
 
 Setup the /tmp directory with temporary file storage facility so that all writes to /tmp are written to volatile memory and not to disk.
+This has the following benefits:
+* Having globally-writable directories in filesystems opens up a few different classes of vulnerabilities and bugs based on hardlinks and undeleted data. Separating the /tmp filesystem from the root filesystem avoids those classes. 
+* /tmp is expected to be cleared automatically at boot.  Using memory as the backing store does that automatically.
+* using memory reduces the amount of disk I/O 
+
 
 Add the following line to the end of {{{/etc/fstab}}}
@@ -124 +141 @@
 }}}
 
-Why? Maybe this? https://0xacab.org/schleuder/schleuder/issues/154
 
 == Postfix ==
@@ -179 +195 @@
 }}}
 
+''The above schleuder/postfix sqlite integration is now [https://0xacab.org/schleuder/schleuder/merge_requests/38 | shipping upstream]:'' 
+
 In the master.cf this line {{{schleuder_destination_recipient_limit = 1}}} means, "if a message comes in headed for the schleuder transport and it is headed for multiple recipients, feed it to each of them separately, one at a time." {{{compatibility_level = 2}}} just disables backwards compatibility. 
 
@@ -244 +262 @@
 }}}
 
-''The api_key and tls fingerprint have been removed in this example and should not be public. Always use secure channels to transport this information.''
+''The api_key has been removed in this example and should not be public. Always use secure and authenticated channels to transport this information to ensure both the confidentiality of the api_key and the integrity of the tls_fingerprint''
 
 Check that the schleuder-cli client is able to establish a connection to the api.