Changes between Version 4 and Version 5 of schleuder-setup


Ignore:
Timestamp:
Feb 11, 2017, 3:09:57 PM (3 years ago)
Author:
JaimeV
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • schleuder-setup

    v4 v5  
    3030
    3131{{{
    32 0 herman:~# apt purge rsyslog logrotate cron tasksel installation-report wamerican console-setup keyboard-configuration kbd isc-dhcp-client isc-dhcp-common discover laptop-detect ifupdown dmidecode eject netcat-traditional traceroute usbutils iptables pciutils reportbug os-prober gcc-5-base linux-image-4.8.0-2-amd64
     320 herman:~# apt purge rsyslog logrotate cron tasksel installation-report wamerican console-setup keyboard-configuration kbd isc-dhcp-client isc-dhcp-common discover laptop-detect ifupdown dmidecode eject netcat-traditional traceroute usbutils iptables pciutils reportbug os-prober gcc-5-base
     33}}}
     34
     35''The following step is subject to change in the future.''
     36
     37{{{
     380 herman:~# apt purge linux-image-4.8.0-2-amd64
    3339}}}
    3440
     
    4248
    4349=== Install packages from unstable repository ===
     50
     51''The use of these packages from the unstable repository is subject to change in the future.''
    4452
    4553Add the unstable repository.
     
    8896At this point the server should be accessible over ssh.
    8997
    90 == No logs ==
     98== No logging to disk ==
    9199
    92100When both journald and rsyslog are installed, the default is that journald spits out all its messages to syslog and syslog writes them to disk. Without syslog, journald is responsible for writing whatever needs to be written. See configuration choices for {{{/etc/systemd/journald.conf}}} with {{{man journald.conf}}}
     
    95103note that /run is a tmpfs, meaning it's ephemeral, and disappears when the machine loses power so since we've avoided placing a permanent journal everything is being logged in /run
    96104
     105
     106Some services implement their own mechanisms for writing logs, we need to deal with these individually.
    97107The following command will show any processes still holding open files in /var/log
    98108
     
    114124}}}
    115125
     126''The tor daemon should log to syslog by default in [https://bugs.debian.org/852716 | future versions] so the above fix is temporary.''
     127 
    116128== tmpfs for /tmp ==
    117129
    118130Setup the /tmp directory with temporary file storage facility so that all writes to /tmp are written to volatile memory and not to disk.
     131This has the following benefits:
     132* Having globally-writable directories in filesystems opens up a few different classes of vulnerabilities and bugs based on hardlinks and undeleted data. Separating the /tmp filesystem from the root filesystem avoids those classes.
     133* /tmp is expected to be cleared automatically at boot.  Using memory as the backing store does that automatically.
     134* using memory reduces the amount of disk I/O
     135
    119136
    120137Add the following line to the end of {{{/etc/fstab}}}
     
    124141}}}
    125142
    126 Why? Maybe this? https://0xacab.org/schleuder/schleuder/issues/154
    127143
    128144== Postfix ==
     
    179195}}}
    180196
     197''The above schleuder/postfix sqlite integration is now [https://0xacab.org/schleuder/schleuder/merge_requests/38 | shipping upstream]:''
     198
    181199In the master.cf this line {{{schleuder_destination_recipient_limit = 1}}} means, "if a message comes in headed for the schleuder transport and it is headed for multiple recipients, feed it to each of them separately, one at a time." {{{compatibility_level = 2}}} just disables backwards compatibility.
    182200
     
    244262}}}
    245263
    246 ''The api_key and tls fingerprint have been removed in this example and should not be public. Always use secure channels to transport this information.''
     264''The api_key has been removed in this example and should not be public. Always use secure and authenticated channels to transport this information to ensure both the confidentiality of the api_key and the integrity of the tls_fingerprint''
    247265
    248266Check that the schleuder-cli client is able to establish a connection to the api.