Youhou,
=== Planned outage ===
Our most important machine, Orfeo, is gonna be kicked out of its cosy
sponsored place: Orfeo will be moved on 2016-02-26 in the afternoon to a
new short term hosting. Big thanks to Hivane for the short term hosting.
A few services will be unavailable:
- mail (mx1.duckcorp.org)
- websites (webmail, lists, webdesk, web IRC)
- DNS (but Toushirou should handle)
- IRC (but Jinta should handle)
- Jabber (but Thorfinn should handle)
- PostgreSQL
- IRC2IM gateway
- LDAP (but other nodes should handle in read-only mode)
- NTP
Sorry for the inconvenience.
Orfeo
=== Still Looking for Sponsoring ===
The new accommodation is temporary; Orfeo will be moved again before
this summer. If you have any knowledge about generous people who may
be willing to host this small (1U) machine, please tell us.
Bye bye.
--
Pilou
Coin,
Long time no quack, but even if there was some work and maintenance
done, not much was really visible and needed advertisement.
=== Still Looking for Sponsoring ===
Our most important machine, Orfeo, is gonna be kicked out of its cosy
sponsored place. Currently the costly but possible plan is probably a
few months away, but we have no certainty about the exact date of
availability and we may be forced to remove the machine very soon. So
if you have any knowledge about generous people who may be willing to
host this small (1U) machine, please tell us.
=== Upcoming Maintenance ===
The PostgreSQL database is gonna be upgraded, which means a few things
will be on hold until it finishes (mostly incoming mail and webmails).
This would probably take a few hours, so please be patient.
We've been upgrading servers under the hood, but it is now time to
remove obsolete features: the old Apache ACLs will be deactivated in a
matter of hours/days.
Moreover, to finish these upgrades, we need to reboot Orfeo and
Toushirou, which is gonna take place next week-end (2015-07-18/19).
=== Security Updates ===
With all the bad bugs and protocol problems discovered, the insecure
SSH DSA keys were removed.
On all services the accepted ciphers and algorithms were, again,
tightened, so you should upgrade your systems too if you don't want to
be out one day.
=== Security Certificates ===
As we are using a self-signed CA, this is a recurring topic when
people try to access our services. The way to solve this problem in a
secure fashion has been summarized here:
http://ca.duckcorp.org/
We also had time to implement a security alternative: DANE/TLSA[1]. If
you are using secure DNS[2] (DNSSEC validation) on your systems, then
you may have another way to access our services securely.
Currently the software support is not very widespread and requires
additional software. Plugins for major browsers have been implemented
here and seem to be working well:
https://www.dnssec-validator.cz/
On Chromium, nevertheless, the plugin is a bit ugly to install. The
browser may still complain about the certificate, but if you proceed
to the page the DNSSEC+TLSA indicators should help recognize you're
connected to the right site.
[1] https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
[2] https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
=== Quick News ===
* [2015-07-08] Thorfinn was rebooted due to a hypervisor problem in
the Hivane architecture
* [2015-07-11] Jinta was rebooted
* [???] stuff.duckcorp.org improvements: new SMS (not MMS!) app,
experimenting a new Notes app (old notes are in your Files), raised
quota from 1GB to 5GB \o/
Have a pleasant summer!
--
Marc Dequènes (Duck)
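A worked example of the DANE/TLSA check described in the mail above, added here and not part of the original announcement or of any DuckCorp tooling: it builds the TLSA owner name, parses a record, and matches the certificate presented by the server against it. The certificate and SPKI bytes are constructed stand-ins, and the DNSSEC validation of the record is assumed to have happened already.

```python
import hashlib

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {0: lambda d: d,
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}

def tlsa_name(host, port=443, proto="tcp"):
    """Owner name the client looks up, e.g. _443._tcp.www.duckcorp.org."""
    return f"_{port}._{proto}.{host}"

def parse_tlsa(rdata):
    """Parse presentation format 'usage selector mtype hex' into a tuple."""
    usage, selector, mtype, cad = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(cad.replace(" ", ""))

def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Build the rdata to publish in DNS for a given certificate."""
    data = cert_der if selector == 0 else spki_der
    return f"{usage} {selector} {mtype} {_DIGESTS[mtype](data).hex()}"

def tlsa_matches(rdata, cert_der, spki_der):
    """True if the certificate presented in the TLS handshake matches the record.

    cert_der is the full DER certificate (selector 0) and spki_der its
    SubjectPublicKeyInfo (selector 1); extracting the SPKI needs an ASN.1
    parser, so here the caller is assumed to supply both. The record itself
    must come from a DNSSEC-validated answer or it proves nothing."""
    usage, selector, mtype, cad = parse_tlsa(rdata)
    if usage not in (1, 3):
        # Usages 0 and 2 pin a CA and need PKIX path building; not covered here.
        raise NotImplementedError(f"certificate usage {usage} not handled")
    # Usage 3 (DANE-EE) trusts the record alone, which is what lets a site under
    # a private CA validate; usage 1 (PKIX-EE) additionally needs the normal
    # PKIX check, left to the caller.
    if selector not in (0, 1) or mtype not in _DIGESTS:
        raise ValueError(f"unsupported selector/matching type {selector}/{mtype}")
    data = cert_der if selector == 0 else spki_der
    return _DIGESTS[mtype](data) == cad

# Constructed stand-ins for the DER bytes a client takes from the handshake
# (not a real certificate or key).
SAMPLE_CERT = b"-- constructed DER certificate --"
SAMPLE_SPKI = b"-- constructed SubjectPublicKeyInfo --"
SAMPLE_RECORD = make_tlsa(3, 1, 1, SAMPLE_CERT, SAMPLE_SPKI)  # "3 1 1 <sha256>"

if __name__ == "__main__":
    print(tlsa_name("www.duckcorp.org"), "IN TLSA", SAMPLE_RECORD)
    print(tlsa_matches(SAMPLE_RECORD, SAMPLE_CERT, SAMPLE_SPKI))
```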
Coin,
All our encrypted services are based on our self-signed CA which in
turn generates SSL/TLS certificates for all secure services. Our
current CA is now 10 years old and using older encryption algorithms,
so it's time to rollover.
Thus, you need to add the new 'duckcorp.crt' file on your systems
_before_ 2014-10-04. The switch may occur a tad later but I plan to
swiftly get this over with.
If you don't know how to install the file, you should have a look in the
wiki:
https://users.duckcorp.org/index.php/Services/Security#TLS.2FSSL-based_Serv…
Beware you need to leave the previous file around until the switch is
done (simply rename it).
As for the new file itself, 'duckcorp.crt', it is attached in this
mail (and updated in the wiki too). Nevertheless, if you have
keysigned (GPG) with one of the admin, you should verify and extract
it using the following command:
gpg --output duckcorp.crt <pilou_duckcorp.crt.asc
(replace 'pilou' by 'arnau' or 'duck' according to your web of trust)
Have a Lot of FUN !
--
Marc Dequènes (Duck)
Coin,
=== Team changes ===
Pilou is a new fallback admin in charge of hardware/breakage rescue.
Arnau being in Japan and as I'm willing to fly away sometime in the
future, it was necessary to get help to handle things that can only be
done live.
=== Services Secuuuuuuuuuure Certificates ===
If you upgraded Firefox to version 31 you may have had difficulties
reaching our websites. Firefox has upgraded its certificate validation
methods[1], leading to our certificates being rejected. We did not
change our certificates configuration during the last decade and a few
things needed to be updated. We fixed and regenerated all certificates
(for all services).
By the way, our custom CA (master certificate) has been there for
almost a decade and is gonna die soon. We will prepublish the new one
soon to have some time before we break the world.
[1]
https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificat…
=== Thorfinn OoO on 2014-07-13 ===
Probably due to scripts/bots, the resources on this machine went down
to a nasty point. Unfortunately we were on "admin vacation" and the
Jabber notifications broke on our supervision software, so we had to
reboot the machine because it was too late for a medic.
You're welcome to have long-running scripts on this machine but please
check it does not go mad or consume too much resources.
If you know anything about TLS/SASL we'll welcome your help debugging
this (Zabbix) bug.
=== Quick News ===
* new TT-RSS plugin (openinbgtab) to open articles in background tab
(Chrome/Opera only)
* new Tasks app in owncloud, see our users' wiki for more info
* the PHP accelerator (Xcache) is still broken, it was disabled
everywhere; no hope of fixes at the moment
* our Webdesk was painfully slow since the PHP accelerator problem but
it's now ok
* Nob (IRC bot) has been retired (Rbot is not working well with recent
Ruby and is being removed from Debian)
* the secondary IRC node will need an upgrade (first one was upgraded
recently), so we'll announce the restart on IRC
Have a pleasant summer.
--
Marc Dequènes (Duck)
Coin,
=== Plans for the Future/Present ===
Toushirou is a bit overloaded. After some care it is stable again, but
it really needs some help.
Besides, Thorfinn is a VDS gained/included in my ADSL offer, and I
need to be free to move in the future.
I wish we could have been able to rack a machine Finger kindly
obtained for us, but we failed on this (we asked a lot of people for
sponsoring but to no avail). Thus I've asked Hivane to provide us two
VDS in order to handle this situation fast. One of them may still be
transferred to a real machine one day. Hivane kindly accepted and
created them lightning fast.
Thus, several services will move to Jinta (revival), with almost no
consequences:
- our dico will still be accessible from http://dico.duckcorp.org/
but the DICT server will move to dict.dc.o
- same for the streaming service https://radio.duckcorp.org/ and stream.dc.o
Later, user shells and bots will move to Thorfinn (NG); we'll send
further instructions and schedule soon.
=== Future Maintenance ===
Orfeo will be rebooted on 2014-04-05/06 on a new kernel (security…).
=== Blogs are not for Sissies ===
Seems several of you still like writing. We had an old blog engine
used for HurdFr which was crumbling into pieces, so we resurrected
this service with a maintained software and opened it to all DC users.
It is not well tested yet but should work fine. Ask if you need an
account.
=== XMPP is dead, long live XMPP! ===
We've had a hard time keeping the XMPP service working properly and we
decided such workload was not acceptable anymore. We found another
software to take the place and it seems to work nicely ever since. We
lost the cluster functionality, which means there is only one single
node and point of failure, but better than multiple failing nodes.
Please note the obsolete MSN gateway was removed in the process.
=== Quick News ===
* News fetch frequency was too high (5min) and was changed to 30min
(helping cooling down Toushirou)
* Mail indexing has been much improved, and should be more accurate
and faster than before
* stuff.dc.o was improved:
- new Firefox Sync application (please note it is incompatible with
the bookmark application because FFS data are encrypted in your
browser and then unusable for any app)
- interface was adapted to better work on touchpads even though
moving files is still not user-friendly on such devices
- interface is now Japanese-friendly
* web:
- mod_fcgi has been removed, as previously announced
- xcache (PHP accelerator) was disabled because it breaks badly
(see Debian#739789), sorry if you're using its API; we hope to
reenable it soon (and regain some speed in the process)
* filesystem migration to ext4 is done now
That's all for now. Have a pleasant time.
--
Marc Dequènes (Duck)
Coin,
After the big bunch of upgrades during feast time, we plan a bit of
cleanup and a few other improvements; fasten your seat belt :-).
=== Recent IRC problems ===
Our primary IRC server needed a restart in order to load the new SSL
certificates; unfortunately it was hit by a bug (Debian#714219) and is
OoS until then. Our IRC services got problems too, probably for the
same reason. Keep in mind that irc.milkypond.org is the IRC entry
point. It contains several hosts in order to have a backup when one
fails. You should not use another address unless you know what you are
doing (seems several users did not).
Unfortunately, SSL access on our secondary server was unusable due to
a misconfiguration, sorry; we found it out the hard way when the first
one went down.
=== Upcoming Server's FS Layout Changes and Consequences ===
In order to cleanup and follow the FHS a bit more, we're planning to
move a few data in better places. This will mostly affect shell and
VCS users.
Mostly, user data outside your own home directory will be relocated to
/srv, so you need not look around weird top directories anymore.
For web users:
/www will be relocated into /srv/www
/sites will be kept as a symlink ~1 month before being removed
For VCS users:
/rcs will be relocated into /src/vcs
=> all rcs-* websites will be renamed accordingly, with a redirection
until it seems unnecessary
For FTP Users with shell access:
/ftp will be relocated into /srv/ftp
For project members having data in /private on Toushirou:
/private/{projects,duckcorp,hurdfr} will be relocated into /srv/projects.
We're also trying to finish the ext3->ext4 migration, which is not
fully possible yet, but at least we'd like all data partitions to
switch. So we're gonna disconnect /home on Toushirou one day for just
a few minutes, which means no SSH access and user scripts (bots?) will
have to be shutdown as well. We will announce it on IRC, but if you
have such scripts, do not hesitate to contact us so we can coordinate
so you can restart them very fast.
Other changes should not have any consequences.
We plan to do this really soon.
=== Recent Web Hosting Upgrades ===
As previously said, and with a lot of delay, mod_ruby was removed. By
the way, mod_wsgi was removed too.
We are now using Passenger to provide a cleaner and less resource
intensive way of hosting webapps. The following languages are now
handled:
- Ruby
- Python (WSGI apps are very easy to adapt)
- NodeJS (new!)
You can still use CGI for very simple scripts, but beware FCGI (with
spawning processes) support will be removed soon.
As previously not announced, sorry, Ruby 1.8 support was removed and
Passenger now spawns Ruby apps using version 1.9 of the interpreter.
Also, Apache moved to 2.4, which should not be a big deal for you
except for ACLs. There is a compatibility module to ensure everything
continues to work as before, but we had surprises so… be sure to learn
the new way and adapt your .htaccess files using the following
documentation:
http://httpd.apache.org/docs/2.4/howto/auth.html
The compatibility module is to stay at least a few months, but do not
wait until we announce the end of support.
ACLs also are tighter now, which means almost no global access to
files by default.
=== Recent SSH Security Upgrades ===
We recently enabled ECDSA host keys on all SSH servers, with updates
in the SSHFP DNS records.
=== Supervision is back ===
Daneel has been rebuilt, not fully yet, but it is able to monitor our
machines again. The configuration is not quite finished but the basics
are working. It was really difficult to run blindly so we're eager to
have again a good view of our service availability. As the software is
by the way upgraded, we should be able to monitor in deeper details.
Well, that is all for now. Assimilate these news well :-).
Have a pleasant year!
--
Marc Dequènes (Duck)
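An added helper (not the project's own code) for the .htaccess adaptation the Apache 2.4 section of the mail above asks for: it rewrites the common 2.2 Order/Allow/Deny patterns into the 2.4 Require directives described in the linked howto, and refuses the cases (partial Deny lists, Satisfy, unusual Order values) that need a hand-written RequireAll/RequireAny block. The sample .htaccess is constructed.

```python
import re
def _require_for(source):
    """Map one 2.2 'Allow from' argument to a 2.4 Require sub-directive."""
    if ":" in source or re.fullmatch(r"\d+(\.\d+){0,3}(/[\d.]+)?", source):
        return f"Require ip {source}"       # full, partial or CIDR address
    return f"Require host {source}"        # (partial) host or domain name

def migrate_htaccess(text):
    """Rewrite a 2.2 Order/Allow/Deny block into 2.4 'Require' directives.
    Other lines are copied through. Partial Deny lists, 'Satisfy' and unusual
    Order values need RequireAll/RequireAny by hand, so they are refused."""
    out, order, allow, deny = [], None, [], []
    for line in text.splitlines():
        low = line.strip().lower()
        if low.startswith("order "):
            order = low.split(None, 1)[1].replace(" ", "")
        elif low.startswith("allow from "):
            allow += line.split()[2:]
        elif low.startswith("deny from "):
            deny += line.split()[2:]
        elif low.startswith("satisfy "):
            raise NotImplementedError("Satisfy needs a manual RequireAny/RequireAll")
        else:
            out.append(line)
    if order is None and not allow and not deny:
        return "\n".join(out)                # nothing to migrate
    if order not in (None, "allow,deny", "deny,allow"):
        raise NotImplementedError(f"Order {order} not handled")
    deny_all = [d.lower() for d in deny] == ["all"]
    if deny and not deny_all:
        raise NotImplementedError("partial Deny lists need a manual RequireAll block")
    allow_all = any(a.lower() == "all" for a in allow)
    if order == "allow,deny":
        # default is deny, and a Deny match always wins over Allow
        if deny_all or not allow:
            rule = ["Require all denied"]
        elif allow_all:
            rule = ["Require all granted"]
        else:
            rule = [_require_for(a) for a in allow]  # several Require lines OR together
    else:
        # deny,allow (the 2.2 default when Order is absent): default is allow,
        # and an Allow match overrides Deny
        if not deny_all or allow_all:
            rule = ["Require all granted"]
        elif not allow:
            rule = ["Require all denied"]
        else:
            rule = [_require_for(a) for a in allow]
    return "\n".join(out + rule)

# Constructed sample: a typical 2.2 .htaccess restricting a directory to the LAN.
SAMPLE_HTACCESS = ("Options -Indexes\nOrder deny,allow\nDeny from all\n"
                   "Allow from 192.168.1.0/24 .duckcorp.org\n")
```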
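An added example (not the project's own code) of what the SSHFP records mentioned in the SSH section above contain and how a client checks a presented host key against them; the ECDSA key blob is constructed, and the record set is assumed to come from a DNSSEC-validated answer.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255/6594/7479) keyed by the OpenSSH key type string.
SSHFP_ALGO = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
              "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

def _ssh_string(b):
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return len(b).to_bytes(4, "big") + b

def sshfp_records(pubkey_line, fptypes=(1, 2)):
    """Build SSHFP rdata ('algo fptype hex') from an OpenSSH public key line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)           # the hashed object is the raw key blob
    algo = SSHFP_ALGO[keytype]
    return [f"{algo} {t} {SSHFP_DIGEST[t](blob).hexdigest()}" for t in fptypes]

def host_key_matches(pubkey_line, dns_rrset):
    """True if the presented host key matches at least one SSHFP record.
    dns_rrset is assumed to come from a DNSSEC-validated lookup; without
    validation an SSHFP answer proves nothing (OpenSSH's VerifyHostKeyDNS
    relies on the resolver's AD bit for the same reason)."""
    ours = set(sshfp_records(pubkey_line))
    return any(r.lower() in ours for r in dns_rrset)

# Constructed sample ECDSA P-256 key blob (not a real key): the wire layout is
# string(keytype) + string(curve) + string(point); the point bytes are filler.
_blob = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
         + _ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_KEY = "ecdsa-sha2-nistp256 " + base64.b64encode(_blob).decode() + " root@orfeo"

if __name__ == "__main__":
    for rr in sshfp_records(SAMPLE_KEY):
        print("orfeo.duckcorp.org. IN SSHFP", rr)
```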
Coin,
Sorry for the disturbance in the force last Saturday; a database
migration took far longer than expected, affecting incoming mails and
2/3 webmails mostly. The end of the year being hot, it was totally
unplanned and, except for this part, should have been unnoticed from a
user point of view.
The final bunch of major maintenance is coming soon (probably between
both feast times) and should not be too noisy (a short disturbance in
the web hosting is to be expected though).
If you have wishes to express for X-mas (landing to be planned
sometime next year), tell us.
If you feel you have some energy to spare, tell us too.
Merry X-mas folks.
So say we all!
--
Marc Dequènes (Duck)