Changes between Version 4 and Version 5 of schleuder-setup
- Timestamp: Feb 11, 2017, 8:09:57 PM (7 years ago)
schleuder-setup
v4 v5 30 30 31 31 {{{ 32 0 herman:~# apt purge rsyslog logrotate cron tasksel installation-report wamerican console-setup keyboard-configuration kbd isc-dhcp-client isc-dhcp-common discover laptop-detect ifupdown dmidecode eject netcat-traditional traceroute usbutils iptables pciutils reportbug os-prober gcc-5-base linux-image-4.8.0-2-amd64 32 0 herman:~# apt purge rsyslog logrotate cron tasksel installation-report wamerican console-setup keyboard-configuration kbd isc-dhcp-client isc-dhcp-common discover laptop-detect ifupdown dmidecode eject netcat-traditional traceroute usbutils iptables pciutils reportbug os-prober gcc-5-base 33 }}} 34 35 ''The following step is subject to change in the future.'' 36 37 {{{ 38 0 herman:~# apt purge linux-image-4.8.0-2-amd64 33 39 }}} 34 40 … … 42 48 43 49 === Install packages from unstable repository === 50 51 ''The use of these packages from the unstable repository is subject to change in the future.'' 44 52 45 53 Add the unstable repository. … … 88 96 At this point the server should be accessible over ssh. 89 97 90 == No log s==98 == No logging to disk == 91 99 92 100 When both journald and rsyslog are installed, the default is that journald spits out all its messages to syslog and syslog writes them to disk. Without syslog, journald is responsible for writing whatever needs to be written. See configuration choices for {{{/etc/systemd/journald.conf}}} with {{{man journald.conf}}} … … 95 103 note that /run is a tmpfs, meaning it's ephemeral, and disappears when the machine loses power so since we've avoided placing a permanent journal everything is being logged in /run 96 104 105 106 Some services implement their own mechanisms for writing logs, we need to deal with these individually. 
97 107 The following command will show any processes still holding open files in /var/log 98 108 … … 114 124 }}} 115 125 126 ''The tor daemon should log to syslog by default in [https://bugs.debian.org/852716 | future versions] so the above fix is temporary.'' 127 116 128 == tmpfs for /tmp == 117 129 118 130 Setup the /tmp directory with temporary file storage facility so that all writes to /tmp are written to volatile memory and not to disk. 131 This has the following benefits: 132 * Having globally-writable directories in filesystems opens up a few different classes of vulnerabilities and bugs based on hardlinks and undeleted data. Separating the /tmp filesystem from the root filesystem avoids those classes. 133 * /tmp is expected to be cleared automatically at boot. Using memory as the backing store does that automatically. 134 * using memory reduces the amount of disk I/O 135 119 136 120 137 Add the following line to the end of {{{/etc/fstab}}} … … 124 141 }}} 125 142 126 Why? Maybe this? https://0xacab.org/schleuder/schleuder/issues/154127 143 128 144 == Postfix == … … 179 195 }}} 180 196 197 ''The above schleuder/postfix sqlite integration is now [https://0xacab.org/schleuder/schleuder/merge_requests/38 | shipping upstream]:'' 198 181 199 In the master.cf this line {{{schleuder_destination_recipient_limit = 1}}} means, "if a message comes in headed for the schleuder transport and it is headed for multiple recipients, feed it to each of them separately, one at a time." {{{compatibility_level = 2}}} just disables backwards compatibility. 182 200 … … 244 262 }}} 245 263 246 ''The api_key and tls fingerprint have been removed in this example and should not be public. Always use secure channels to transport this information.''264 ''The api_key has been removed in this example and should not be public. 
Always use secure and authenticated channels to transport this information to ensure both the confidentiality of the api_key and the integrity of the tls_fingerprint'' 247 265 248 266 Check that the schleuder-cli client is able to establish a connection to the api.
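
Review bot: In the first hunk (v5 lines 35-38), the new standalone step `apt purge linux-image-4.8.0-2-amd64` is marked "subject to change in the future" but gives no reason for removing the kernel image and does not say which kernel the host runs afterwards. Add one sentence explaining why this image is purged, and have the reader confirm that another kernel is available before running the purge, since removing the only installed image would leave the machine unable to boot.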
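
Review bot: In the logging hunk (v5 lines 98-106), the renamed heading "No logging to disk" promises more than the added sentence delivers: "we need to deal with these individually" names no services, and the only one handled in the visible text is tor. List the services that were checked, and say that the `/var/log` open-files check that follows should be repeated after every new package install. The added sentence is also a comma splice; split it at "logs," into two sentences.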
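
Review bot: In the tor hunk (v5 line 126), the link `[https://bugs.debian.org/852716 | future versions]` puts a pipe inside single brackets. Trac's single-bracket form takes the label after a space, so the pipe is likely to render as part of the link text; write `[https://bugs.debian.org/852716 future versions]` and check the rendered page. The same pattern recurs at v5 line 197.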
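
Review bot: In the tmpfs hunk (v5 lines 130-134), the benefits list builds on the preceding claim that writes to /tmp go "to volatile memory and not to disk", which holds only when the host has no swap or the swap is encrypted, because tmpfs pages can be swapped out. State that assumption next to the list. The hunk also drops the old reference to https://0xacab.org/schleuder/schleuder/issues/154 without saying whether it was the motivation; keep the link if it was. Capitalize "using" in the third bullet and end it with a full stop to match the other two.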
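
Review bot: In the postfix hunk (v5 line 197), the note that the sqlite integration is "shipping upstream" ends in a colon with nothing after it and does not tell the reader what to do with the manual configuration shown above it. Say whether those steps should still be applied or can be skipped once the upstream change is installed, and end the sentence with a full stop.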
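
Review bot: In the final hunk (v5 line 264), "this information" now covers two values with different requirements, and the sentence has no full stop before the closing `''`. Split it so that the api_key is tied to a confidential channel and the tls_fingerprint to an authenticated one. Since the note no longer says the fingerprint was removed, state whether the example above shows a real fingerprint and that readers must substitute the one from their own server.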