DC-Users

dc-users@lists.duckcorp.org

79 discussions

This is not an idle threat! Planned outage: Orfeo 2016-02-26

by DuckCorp Admin Team

Youhou, === Planned outage === Our most important machine, Orfeo, is gonna be kicked out of its cosy sponsored place: Orfeo will be moved on 2016-02-26 in the afternoon to a new short term hosting. Big thanks to Hivane for the short term hosting. A few services will be unavailable: - mail (mx1.duckcorp.org) - websites (webmail, lists, webdesk, web IRC) - DNS (but Toushirou should handle) - IRC (but Jinta should handle), - Jabber (but Thorfinn should handle), - PostgreSQL - IRC2IM gateway - LDAP (but other nodes should handle in read-only mode), - NTP, sorry for the inconvenience. Orfeo === Still Looking for Sponsoring === The new accommodation is temporarily, Orfeo will be moved again before this summer. If you have any knowledge about generous people who may be willing to host this small (1U) machine, please tell us. バイバイ。 -- Pilou

7 years, 1 month

This is not an idle threat! Planned outage: Orfeo 2016-02-26

by DuckCorp Admin Team

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Youhou, === Planned outage === Our most important machine, Orfeo, is gonna be kicked out of its cosy sponsored place: Orfeo will be moved on 2016-02-26 in the afternoon to a new short term hosting. Big thanks to Hivane for the short term hosting. A few services will be unavailable: - - mail (mx1.duckcorp.org) - - websites (webmail, lists, webdesk, web IRC) - - DNS (but Toushirou should handle) - - IRC (but Jinta should handle), - - Jabber (but Thorfinn should handle), - - PostgreSQL - - IRC2IM gateway - - LDAP (but other nodes should handle in read-only mode), - - NTP, sorry for the inconvenience. Orfeo === Still Looking for Sponsoring === The new accommodation is temporarily, Orfeo will be moved again before this summer. If you have any knowledge about generous people who may be willing to host this small (1U) machine, please tell us. バイバイ。 - -- Pilou -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGcBAEBCgAGBQJWzmJfAAoJEFmb43K6MKeM/pAL/jxfjYyAWc4F6Y34EAESEV2I GzXSgTo6qjFzzFVh0jLVClY1EtwVzAt9U70wtNXIR8250/nuTHEq3PnkYp5BCzN5 P7ROCmscNYjNgtvy8HZfYDUdsYHu3SwB8153cP6zTEqAP/qj5pCDASPs26fyMuhT kXOd0uH3cioYkaTzkh8rnhzu7y5N6ffXAj2X77F36FN/RWk8+5i9YgSQ0Zs3bs11 mtR7l9wM9O/I+AUYstES2af0VISnIfIYoRU6PkC9xXWr4qUKVTkP8jpA/n3yz7RF 83f3xFhBV9EPOiUs6kN8le9uzfEujKnupkIR5w0lWBZtCGqEDnYfCLbGcTcHyMaq RnrLL8aesIXvRF935/yjYU6SaIOPptjYRonkOjp0s8A3m818TyJUzKfv9odjmPjD NuC/8kIu5e2Brf7Q4FIVG1P3KpuotOOFpHYmbEYyaat5bO0IlNFaxhGLjBB+ulpb pqBe8mnSUF5dD8fN+6zZ6M/uUGZZNwaXukzMR6TnJw== =u5wI -----END PGP SIGNATURE-----

7 years, 1 month

Silent but still around

by DuckCorp Admin Team

Coin, Long time no quack, but even if there was some work and maintenance done, not much was really visible and needed advertisement. === Still Looking for Sponsoring === Our most important machine, Orfeo, is gonna be kicked out of its cosy sponsored place. Currently the costly but possible plan is probably a few months far but we have no certainty about the exact date of availability and we may be forced to remove the machine very soon. So if you have any knowledge about generous people who may be willing to host this small (1U) machine, please tell us. === Upcoming Maintenance === The PostgreSQL database is gonna be upgraded, which means a few things will be on hold until it finishes (mostly incoming mail and webmails). This would probably take a few hours, so please be patient. We'll been upgrading servers under the hood, but it is now time to remove obsolete feature: the old Apache ACLs will be deactivated in a matter of hours/days. Moreover, to finish these upgrades, we need to reboot Orfeo and Toushirou, which is gonna take place on the next we (2015-07-18/19). === Security Updates === With all the bad bugs and protocol problems discovered, the insecure SSH DSA keys were removed. On all services the accepted ciphers and algorithms were, again, tightened, so you should upgrade your systems too if you don't want to be out one day. === Security Certificated === As we are using a self-signed CA, this is a recurring topic when people try to access our services. The way to solve this problem in a secure fashion has been summarized here: http://ca.duckcorp.org/ We also had time to implement a security alternative: DANE/TLSA[1]. If you are using secure DNS[2] (DNSSEC validation) on your systems, then you may have another way to access our services securely. Currently the software support is not very widespread and requires additional software. Plugins for major browsers have been implemented here and seems to be working well: https://www.dnssec-validator.cz/ On Chromium nevertheless the plugin is a bit ugly to install. The browser may still complain about the certificate, but if you proceed to the page the DNSSEC+TLSA indicators should help recognize you're connected to the right site. [1] https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities [2] https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions === Quick News === * [2015-07-08] Throfinn was rebooted due to an hypervisor problem in the Hivane architecture * [2015-07-11] Jinta was rebooted * [???] stuff.duckcorp.org improvements: new SMS (not MMS!) app, experimenting a new Notes app (old notes are in your Files), raised quota from 1GB to 5GB \o/ Have a pleasant summer! -- Marc Dequènes (Duck)

7 years, 8 months

Maintenance: Thorfinn rebooted Saturday

by DuckCorp Admin Team

8 years, 1 month

DuckCorp CA rollover -- update your config *NOW*

by DuckCorp Admin Team

Coin, All our encrypted services are based on our self-signed CA which in turn generates SSL/TLS certificates for all secure services. Our current CA is now 10 years old and using older encryption algorithms, so it's time to rollover. Thus, you need to add the new 'duckcorp.crt' file on your systems _before_ 2014-10-04. The switch may occur a tad later but i plan to swiftly get this over with. If you don't know to install the file, you should have a look in the wiki: https://users.duckcorp.org/index.php/Services/Security#TLS.2FSSL-based_Serv… Beware you need to leave the previous file around until the switch is done (simply rename it). As for the new file itself, 'duckcorp.crt', it is attached in this mail (and updated in the wiki too). Nevertheless, if you have keysigned (GPG) with one of the admin, you should verify and extract it using the following command: gpg --output duckcorp.crt <pilou_duckcorp.crt.asc (replace 'pilou' by 'arnau' or 'duck' accordingly to your web of trust) Have a Lot of FUN ! -- Marc Dequènes (Duck)

8 years, 4 months

Beach reading

by DuckCorp Admin Team

Coin, === Team changes === Pilou is a new fallback admin in charge of hardware/breakage rescue. Arnau being in Japan and as i'm willing to fly away sometime in the future, it was necessary to get help to handle things that can only be done live. === Services Secuuuuuuuuuure Certificates === If you upgraded Firefox to version 31 you may have had difficulties reaching our websites. Firefox has upgraded his certificate validation methods[1] leading to our certificates being rejected. We did not change our certificates configuration during the last decade and a few things needed to be updated. We fixed and regenerated all certificated (for all services). By the way, our custom CA (master certificate) has been there for almost a decade and is gonna die soon. We will prepublish the new one soon to have some time before we break the world. [1] https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificat… === Thorfinn OoO on 2014-07-13 === Probably due to scripts/bots the resources on this machine went down to a nasty point. Unfortunately we were on "admin vacation" and the Jabber notifications broke on our supervision software, so we had to reboot the machine because to was too late for a medic. You're welcome to have long-running scripts on this machine but please check it does not go mad or consume too much resources. If you know anything about TLS/SASL we'll welcome your help debugging this (Zabbix) bug. === Quick News === * new TT-RSS plugin (openinbgtab) to open articles in background tab (Chrome/Opera only) * new Tasks app in owncloud, see our users' wiki for more info * the PHP accelerator (Xcache) is still broken, it was disabled everywher; no hope of fixes at the moment * our Webdesk was painfully slow since the PHP accelerator problem but it's now ok * Nob (IRC bot) has been retired (Rbot is not working well with recent Ruby and is being removed from Debian) * the secondary IRC node will need an upgrade (first one was upgraded recently), so we'll announce the restart on IRC Have a pleasant summer. -- Marc Dequènes (Duck)

8 years, 8 months

Hey! We'll sleep when we're dead. C'mon!

by DuckCorp Admin Team

Coin, === Plans for the Futur\WPresent === Toushirou is a bit overloaded. After some care it is stable again, but it really needs some help. Besides, Thorfinn is a VDS gained/included in my ADSL offer, and I need to be free to move in the future. I wish we could have been able to rack a machine Finger kindly obtained for us, but we failed on this (we asked a lot of people for sponsoring but to no avail). Thus I've asked Hivane to provide us two VDS in order to handle this situation fast. One of them may still be transferred to a real machine one day. Hivane kindly accepted and created them lightning fast. Thus, several services will move to Jinta (revival), with almost no consequences: - our dico will still be accessible from http://dico.duckcorp.org/ but the DICT server will move to dict.dc.o - same for the streaming service https://radio.duckcorp.org/ and stream.dc.o Later, user shells and bots will move to Thorfinn (NG); we'll send further instructions and schedule soon. === Future Maintenance === Orfeo will be rebooted on 2014-04-05/06 on a new kernel (security…). === Blogs are not for Sissies === Seems several of you still like writing. We had an old blog engine used for HurdFr which was crumbling into pieces, so we resurrected this service with a maintained software and opened it to all DC users. It is not well tested yet but should work fine. Ask if you need an account. === XMPP is dead, long live XMPP! === We've had a hard time keeping the XMPP service working properly and we decided such workload was not acceptable anymore. We found another software to take the place and it seems to work nicely ever since. We lost the cluster functionality, which means there is only one single node and point of failure, but better than multiple failing nodes. Please note the obsolete MSN gateway was removed in the process. === Quick News === * News fetch frequency was too high (5min) and was changed to 30min (helping cooling down Toushirou) * Mail indexing has been much improved, and should be more accurate and faster than before * stuff.dc.o was improved: - new Firefox Sync application (please note it is incompatible with the bookmark application because FFS data are encrypted in your browser and then unusable for any app) - interface was adapted to better work on touchpads even though moving files is still not user-friendly on such devices - interface is now Japanese-friendly * web: - mod_fcgi has been removed, as previously announced - xcache (PHP accelerator) was disabled because it breaks badly (see Debian#739789), sorry if you're using its API; we hope to reenable it soon (and regain some speed in the process) * filesystem migration to ext4 is done now That's all for now. Have a pleasant time. -- Marc Dequènes (Duck)

9 years

Happy New Year Ducklings!

by DuckCorp Admin Team

Coin, After the big bunch of upgrades during feast time, we plan a bit of cleanup and a few other improvements ; fasten your seat belt :-). === Recent IRC problems === Our primary IRC server needed a restart in order to load the new SSL certificates, unfortunately it was hit by a bug (Debian#714219) and is OoS until then. Our IRC services got problems too, probably for the same reason. Keep in mind that irc.milkypond.org is the IRC entry point. It contains several hosts in order to have a backup when one fail. You should not use another address unless you know what you are doing (seems several users did not). Unfortunately, SSL access on our secondary server was unusable due to a misconfiguration, sorry, we found it out the hard way when the first one went down === Upcoming Server's FS Layout Changes and Consequences === In order to cleanup and follow the FHS a bit more, we're planning to move a few data in better places. This will mostly affect shell and VCS users. Mostly users data outside your own home directory will be relocated in /srv, so you need not look around weird top directories anymore. For web users: /www will be relocated into /srv/www /sites will be kept as a symlink ~1 month before being removed For VCS users: /rcs will be relocated into /src/vcs => all rcs-* websites will be renamed accordingly, with a redirection until it seems unnecessary For FTP Users with shell access: /ftp will be relocated into /srv/ftp For project members having data in /private on Toushirou: /private/{projects,duckcorp,hurdfr} will be relocated into /srv/projects. We're also trying to finish the ext3->ext4 migration, which is not fully possible yet, but at least we'd like all data partitions to switch. So we're gonna disconnect /home on Toushirou one day for just a few minutes, which means no SSH access and user scripts (bots?) will have to be shutdown as well. We will announce it on IRC, but if you have such scripts, do not hesitate to contact us so we can coordinate so you can restart them very fast. Other changes should not have any consequences. We plan to do this really soon. === Recent Web Hosting Upgrades === As previously said, and with a lot a delay, mod_ruby was removed. By the way, mod_wsgi was removed too. We are now using Passenger to provide a cleaner and less resource intensive way of hosting webapps. The following languages are now handled: - Ruby - Python (WSGI apps are very easy to adapt) - NodeJS (new!) You can still use CGI for very simple scripts, but beware FCGI (with spawning processes) support will be removed soon. As previously not announced, sorry, Ruby 1.8 support was removed and Passenger now spawn Ruby apps using version 1.9 of the interpreter now. Also, Apache moved to 2.4, which should not be a big deal for you except for ACLs. There is a compatibility module to ensure everything continues to work as before but we add surprises so… be sure to learn the new way and adapt your .htaccess files using the following documentation: http://httpd.apache.org/docs/2.4/howto/auth.html The compatibility module is to stay at least a few month but do not wait until we announce the end of support. ACLs also are tighter now, which means almost no global access to files by default. === Recent SSH Security Upgrades === We recently enabled EDCSA host keys on all SSH servers, with updates in the SSHFP DNS records. === Supervision is back === Daneel has been rebuilt, not fully yet, but it is able to monitor our machines again. The configuration is quite not finished but the basics are working. It was really difficult to run blindly so we're eager to have again a good view of our service availability. As the software is by the way upgraded, we should be able to monitor in deeper details. Well, that is all for now. Assimilate these news well :-). Have a pleasant year! -- Marc Dequènes (Duck)

9 years, 2 months

Happy New Year Ducklings!

by DuckCorp Admin Team

Coin, After the big bunch of upgrades during feast time, we plan a bit of cleanup and a few other improvements ; fasten your seat belt :-). === Recent IRC problems === Our primary IRC server needed a restart in order to load the new SSL certificates, unfortunately it was hit by a bug (Debian#714219) and is OoS until then. Our IRC services got problems too, probably for the same reason. Keep in mind that irc.milkypond.org is the IRC entry point. It contains several hosts in order to have a backup when one fail. You should not use another address unless you know what you are doing (seems several users did not). Unfortunately, SSL access on our secondary server was unusable due to a misconfiguration, sorry, we found it out the hard way when the first one went down === Upcoming Server's FS Layout Changes and Consequences === In order to cleanup and follow the FHS a bit more, we're planning to move a few data in better places. This will mostly affect shell and VCS users. Mostly users data outside your own home directory will be relocated in /srv, so you need not look around weird top directories anymore. For web users: /www will be relocated into /srv/www /sites will be kept as a symlink ~1 month before being removed For VCS users: /rcs will be relocated into /src/vcs => all rcs-* websites will be renamed accordingly, with a redirection until it seems unnecessary For FTP Users with shell access: /ftp will be relocated into /srv/ftp For project members having data in /private on Toushirou: /private/{projects,duckcorp,hurdfr} will be relocated into /srv/projects. Other changes should not have any consequences. We plan to do this really soon. === Recent Web Hosting Upgrades === As previously said, and with a lot a delay, mod_ruby was removed. By the way, mod_wsgi was removed too. We are now using Passenger to provide a cleaner and less resource intensive way of hosting webapps. The following languages are now handled: - Ruby - Python (WSGI apps are very easy to adapt) - NodeJS (new!) You can still use CGI for very simple scripts, but beware FCGI (with spawning processes) support will be removed soon. As previously not announced, sorry, Ruby 1.8 support was removed and Passenger now spawn Ruby apps using version 1.9 of the interpreter now. Also, Apache moved to 2.4, which should not be a big deal for you except for ACLs. There is a compatibility module to ensure everything continues to work as before but we add surprises so… be sure to learn the new way and adapt your .htaccess files using the following documentation: http://httpd.apache.org/docs/2.4/howto/auth.html The compatibility module is to stay at least a few month but do not wait until we announce the end of support. ACLs also are tighter now, which means almost no global access to files by default. === Recent SSH Security Upgrades === We recently enabled EDCSA host keys on all SSH servers, with updates in the SSHFP DNS records. === Supervision is back === Daneel has been rebuilt, not fully yet, but it is able to monitor our machines again. The configuration is quite not finished but the basics are working. It was really difficult to run blindly so we're eager to have again a good view of our service availability. As the software is by the way upgraded, we should be able to monitor in deeper details. Well, that is all for now. Assimilate these news well :-). Have a pleasant year! -- Marc Dequènes (Duck)

9 years, 2 months

Yec'h mat minna !

by DuckCorp Admin Team

Coin, Sorry for the disturbance in the force last saturday, a database migration took far longer than expected affecting incoming mails and 2/3 webmails mostly. The end of the year being hot, it was totally unplanned and, except for this part, should have been unnoticed from a user point of view. The final bunch of major maintenance is coming soon (probably between both feast times) and should not be too noisy (a short disturbance in the web hosting is to be expected though). If you have wishes to express for X-mas (landing to be planned sometime next year), tell us. If you feel you have some energy to spare, tell us too. Merry X-mas folks. So say we all! -- Marc Dequènes (Duck)

9 years, 3 months

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

DC-Users