svn commit: r245975 - in projects/portbuild: admin/conf conf
Mark Linimon
linimon at FreeBSD.org
Sun Jan 27 07:22:47 UTC 2013
Author: linimon (doc,ports committer)
Date: Sun Jan 27 07:22:46 2013
New Revision: 245975
URL: http://svnweb.freebsd.org/changeset/base/245975
Log:
Move README.dotunnel and apache.conf away from the portbuild user and
over to the admin user. This is required for security reasons.
Added:
projects/portbuild/admin/conf/README.dotunnel
- copied unchanged from r245972, projects/portbuild/conf/README.dotunnel
projects/portbuild/admin/conf/apache.conf
- copied unchanged from r245972, projects/portbuild/conf/apache.conf
Deleted:
projects/portbuild/conf/README.dotunnel
projects/portbuild/conf/apache.conf
Copied: projects/portbuild/admin/conf/README.dotunnel (from r245972, projects/portbuild/conf/README.dotunnel)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/portbuild/admin/conf/README.dotunnel Sun Jan 27 07:22:46 2013 (r245975, copy of r245972, projects/portbuild/conf/README.dotunnel)
@@ -0,0 +1,31 @@
+Various package build nodes require us to set up TCP tunnels to talk
+to them. (Some systems don't pass certain ports; some systems have
+firewalls; some systems have multiple nodes on one IP address.)
+
+These have always been hardcoded in crontab lines of the form "while true;
+do <hardcoded-tunnel-stuff>; done". Other than the magic hardcoding,
+there's a problem with this. When the tunnel command exits, such as if
+the host suddenly becoming unreachable, it doesn't send mail -- instead
+it just accumulates a huge file in /var/spool/clientmqueue which never
+gets sent. To add insult to injury, /var is on our root partition.
+
+To cure these problems, we now have
+
+ /var/portbuild/conf/<arch>/dotunnel.XXX
+
+where XXX corresponds to one line in the old crontab. Each script sets
+up one tunnel, sends mail to the user(s) in
+
+ /var/portbuild/<arch>/portbuild.conf
+
+once the command exits, and then sleeps.
+
+Why not put it in /var/portbuild/<arch> you ask? That directory is
+propogated to all nodes for that arch. This would be a security leak.
+The intention is that none of the dotunnel files will be checked into
+CVS.
+
+Final note: each script figures out which arch it is for by fiddling
+with its $0, so invoke it with its full pathname.
+
+mcl
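Review bot: the location paragraph still points at "/var/portbuild/conf/<arch>/dotunnel.XXX" and is copied unchanged, even though the commit moves this README to admin/conf for security reasons. Confirm that this path is still where the scripts live after the move, and add a line stating which user must own the dotunnel files and what permissions they need, since the text only says they must not sit in the per-arch directory that is propagated to all nodes. The closing sentence about not checking the files "into CVS" should name the current repository. The last paragraph relies on each script deriving its arch from $0, so consider noting that a script invoked by any other pathname should refuse to run rather than guess. Minor wording: "propogated" should be "propagated", and "such as if the host suddenly becoming unreachable" should read "such as when the host suddenly becomes unreachable".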
Copied: projects/portbuild/admin/conf/apache.conf (from r245972, projects/portbuild/conf/apache.conf)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/portbuild/admin/conf/apache.conf Sun Jan 27 07:22:46 2013 (r245975, copy of r245972, projects/portbuild/conf/apache.conf)
@@ -0,0 +1,50 @@
+DocumentRoot "/var/portbuild/www"
+
+# filter magic to decompress bzip2 logs - pav@
+LoadModule ext_filter_module libexec/apache22/mod_ext_filter.so
+ExtFilterDefine BUNZIP2 mode=output intype=application/x-bzip2 outtype=text/plain cmd=/usr/bin/bunzip2
+
+<Directory /var/portbuild/www>
+ Order allow,deny
+ Allow from all
+ Options FollowSymLinks
+ AllowOverride None
+ #Redirect permanent /index.html http://pointyhat.freebsd.org/errorlogs/
+</Directory>
+
+Alias /errorlogs/ /var/portbuild/errorlogs/
+
+<Directory /var/portbuild/errorlogs>
+ Order allow,deny
+ Allow from all
+ Options FollowSymLinks Indexes
+# Added kk 030222
+ Options +IncludesNoExec
+ AddHandler server-parsed .shtml
+ DirectoryIndex index.shtml index.html
+# filter magic to decompress bzip2 logs - pav@
+ Options +MultiViews
+ AddOutputFilterByType BUNZIP2 application/x-bzip2
+</Directory>
+
+Alias /ganglia/ "/usr/local/www/ganglia/"
+
+<Directory "/usr/local/www/ganglia">
+ Order allow,deny
+ Allow from all
+ Options Indexes FollowSymlinks MultiViews
+ AllowOverride None
+ AddType text/html php
+ #AddType application/x-httpd-php .php
+ #AddType application/x-httpd-php-source .phps
+ addhandler php5-script .php
+ DirectoryIndex index.php
+</Directory>
+
+# sometimes useful as a playpen
+#<Directory /var/portbuild/www/studies>
+# Order allow,deny
+# Allow from all
+# Options Indexes FollowSymlinks MultiViews
+# AllowOverride None
+#</Directory>
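Review bot: the <Directory /var/portbuild/errorlogs> block has no "AllowOverride None", unlike the /var/portbuild/www and ganglia blocks. The module path libexec/apache22 indicates Apache 2.2, where AllowOverride defaults to All, so any .htaccess file written into the errorlogs tree would be honored. Add "AllowOverride None" there to match the other blocks. In the same spirit, both /var/portbuild blocks combine "Allow from all" with "Options FollowSymLinks", so whoever can write under those trees can publish files outside them through a symlink. Because the commit's stated purpose is to take this file out of the portbuild user's hands, consider "Options SymLinksIfOwnerMatch" or dropping the option where symlinks are not needed. In the ganglia block, "AddType text/html php" next to "addhandler php5-script .php" would benefit from a comment explaining why the type is set that way.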