This repository has been archived by the owner on May 2, 2019. It is now read-only.

Create an ansible script for deploying a CENOBridge #257

Open
8 tasks
misaakidis opened this issue Jan 20, 2016 · 6 comments

Comments

@misaakidis
Contributor

We need an ansible playbook to use for deploying CENO Bridges.

The user will have to place a CENOBox.zip file in a specific place ( https://docs.ansible.com/ansible/playbooks_best_practices.html#id9 ). She should be able to choose whether the bridge will be an RSS inserter bridge (isMasterBridge in .CENO/bridge.properties), a signal receiver bridge (isSignalBridge), or both.
Users should also be able to specify the insertion key the bridge will be using (insertURI and requestURI in bridge.properties).

The playbook will go through the following steps:

  • Install dependencies (for debian stable: default-jre, nodejs, nodejs-legacy, npm)
  • Create a "ceno" user on the remote machine
  • Extract/copy CENOBridge files under /home/ceno/CENOBridge
  • chmod 600 /home/ceno/CENOBridge/.CENO/bridge.properties /home/ceno/CENOBridge/.CENO/bridge.db
  • Execute npm install in /home/ceno/CENOBridge/bundle-server/
  • Add cronjobs (you will find them at the end of the list)
  • Start the node and the other agents: /home/ceno/CENOBridge/CENOBridge.sh
  • Harden the bridge, by following nccgroup's recommendations (Appendix C) - open for discussion on what can be done

* * * * *  if ! /usr/bin/pgrep node >/dev/null; then /home/ceno/CENOBridge/bundle-server/node /home/ceno/CENOBridge/bundle-server/bundle-server.js; fi
0 * * * *  cat /home/ceno/CENOBridge/logs/freenet-previous.log | grep CENO | grep -v RGA | grep -v re-running >> /home/ceno/CENOBridge/logs/CENO.log

Make sure that cronjob does start bundle-server (it might take a couple of minutes).

A role should be added to deploy a CENO client node, using the existing playbook.
The scripts will be placed in either a new directory (e.g. ceno-deploy), or under ceno-box.
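
The steps listed in the issue above, sketched as one Ansible playbook. This is an added example, not the project's playbook or the one later written in this thread; the variable names, the `bridges` host group, the `files/` location of CENOBox.zip and the archive's top-level `CENOBridge/` directory are assumptions, and the hardening step, which the issue leaves open, is not covered.

```yaml
# Added example, not the project's playbook. Variable names, the files/ path
# and the archive's top-level CENOBridge/ directory are assumptions.
- hosts: bridges
  become: true
  vars:
    bridge_home: /home/ceno/CENOBridge
    props:                       # written to .CENO/bridge.properties
      isMasterBridge: "true"     # RSS inserter bridge
      isSignalBridge: "false"    # signal receiver bridge
      insertURI: "INSERT-URI-PLACEHOLDER"
      requestURI: "REQUEST-URI-PLACEHOLDER"
  tasks:
    - name: Install dependencies (unzip is needed by unarchive)
      apt:
        name: [default-jre, nodejs, nodejs-legacy, npm, unzip]
        update_cache: true
    - name: Create the ceno user
      user: { name: ceno }
    - name: Extract the bundle
      unarchive:
        src: files/CENOBox.zip
        dest: /home/ceno
        owner: ceno
        creates: "{{ bridge_home }}/CENOBridge.sh"
    - name: Set bridge role and keys, keeping the file private
      lineinfile:
        path: "{{ bridge_home }}/.CENO/bridge.properties"
        regexp: "^{{ item.key }}="
        line: "{{ item.key }}={{ item.value }}"
        owner: ceno
        mode: "0600"
      loop: "{{ props | dict2items }}"
      no_log: true               # keep insertURI out of Ansible output
    - name: Restrict the bridge database (assumed to ship in the bundle)
      file: { path: "{{ bridge_home }}/.CENO/bridge.db", owner: ceno, mode: "0600" }
    - name: Install bundle-server dependencies
      npm: { path: "{{ bridge_home }}/bundle-server" }
      become_user: ceno
    - name: Restart bundle-server every minute if it is not running
      cron:
        name: ceno-bundle-server
        user: ceno
        job: "if ! /usr/bin/pgrep node >/dev/null; then {{ bridge_home }}/bundle-server/node {{ bridge_home }}/bundle-server/bundle-server.js; fi"
    - name: Collect CENO log lines hourly
      cron:
        name: ceno-log
        user: ceno
        minute: "0"
        job: "cat {{ bridge_home }}/logs/freenet-previous.log | grep CENO | grep -v RGA | grep -v re-running >> {{ bridge_home }}/logs/CENO.log"
    - name: Start the node and the other agents (script assumed to return)
      command: "{{ bridge_home }}/CENOBridge.sh"
      become_user: ceno
```

Writing the keys through `lineinfile` with `mode: "0600"` and `no_log` covers the chmod step for bridge.properties and keeps the insertion key out of task output and logs.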

@ivilata
Collaborator

ivilata commented Aug 9, 2016

I'd like to take a chance on this one. Shall I take any particular playbook under ceno-box/ceno-provisioner as a reference, or may I do better by starting one anew? Thanks!

ivilata added a commit to ivilata/ceno that referenced this issue Aug 17, 2016
It just ensures that the CENO user is present.
@ivilata
Collaborator

ivilata commented Aug 17, 2016

I've started this under https://github.com/ivilata/ceno/tree/ansible-for-bridge. I will probably use Supervisor to run and monitor the bridge, bundle server and reader daemons.

@ivilata
Collaborator

ivilata commented Aug 26, 2016

The current playbook (playbook_bridge.yaml, with the bridge role) is able to deploy and run the Bundle Server and the Freenet node with the Bridge plugin. Next week I'll have a look at the RSS reader.

@ivilata
Collaborator

ivilata commented Aug 30, 2016

Ok, I think the Ansible config files under ceno-box/ceno-provisioner (playbook_bridge.yaml and role bridge) in https://github.com/ivilata/ceno/tree/ansible-for-bridge are complete, or at least they do as much as the CENOBridge.sh script. The user running the playbook must provide a CENOBridge.jar and reader binary (and optionally a seednodes.fref file) and the playbook creates/uses a particular user in the target host to deploy and run Freenet, the Bundler and the Reader.

The main difference from @misaakidis' proposal is that daemons are run by Supervisor instead of Cron, so they can be properly restarted when they die. The Freenet installation is a very raw one just using the jars, with Supervisor invoking Java straight away (without a wrapper) so as to keep track of subprocesses. Stdout and stderr logs go to the standard /var/log/supervisor directory without any processing.

Some pending issues that I'd like to check:

  • whether redirecting logs to syslog gives more useful data (i.e. line timestamps)
  • whether using the wrapper plays well with Supervisor (but it requires installing more files)
  • whether registering friend connections in Freenet creates a seednodes.fref file so it makes sense to provide your own (someone who knows Freenet better may know)

Also, only ports 3094 (Bundler), 3095 (Bridge plugin) and 3096 (Reader) are open, while bridge install instructions mention that the plugin should also open port 3093, but maybe the docs are obsolete here.

@ivilata
Collaborator

ivilata commented Sep 1, 2016

Sending the output of daemons started by Supervisor to syslog seems to work and adds proper timestamps to lines, so I've enabled this.

Regarding seednodes.fref, by looking at the code it seems that it's either read or downloaded from Freenet, so it never saves current friends, but I guess one may still manually build such a file from friend contacts. However, since node.updater.updateSeednodes=true by default, once the node reaches Freenet it may download opennet seeds and later connect to them, revealing its IP address. Maybe node.updater.updateSeednodes=false should be added to ceno-bridge/freenet.ini. Or maybe I just got the role of opennet seed nodes wrong and we may as well just download the seednodes.fref file during bridge setup. ;)

@ivilata
Collaborator

ivilata commented Sep 2, 2016

I decided to just download seednodes.fref along with the Freenet jars; it looks pretty safe to me.

Since adding the wrapper looks like a pointless complication (Supervisor takes care of the Java process), I think the playbook is now complete. Maybe checking downloaded Freenet files with GPG would be desirable…
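
One way to do the GPG check mentioned in the last comment, as added Ansible tasks that are not part of the bridge role in this thread: download each file with a detached signature into a staging directory, verify it with `gpgv` against a keyring pinned in the playbook, and only then copy it into place. The URL, file names, paths, keyring file and the existence of `.sig` files beside each download are assumptions or placeholders.

```yaml
# Added example, not part of the project's bridge role. URL, file names,
# paths, the keyring and the detached .sig files are assumptions.
- hosts: bridges
  become: true
  vars:
    dl_dir: /home/ceno/freenet-dl                 # staging area, not the install dir
    install_dir: /home/ceno/freenet               # placeholder
    keyring: /home/ceno/freenet-release.gpg       # placeholder: exported release key(s)
    base_url: "https://example.invalid/freenet"   # placeholder
    artifacts: [freenet.jar, freenet-ext.jar, seednodes.fref]   # sample names
  tasks:
    - name: Install gpgv
      apt: { name: gpgv }
    - name: Create directories
      file: { path: "{{ item }}", state: directory, owner: ceno, mode: "0700" }
      loop: ["{{ dl_dir }}", "{{ install_dir }}"]
    - name: Install the pinned release keyring shipped with the playbook
      copy: { src: files/freenet-release.gpg, dest: "{{ keyring }}", mode: "0644" }
    - name: Download each artifact and its detached signature
      get_url:
        url: "{{ base_url }}/{{ item }}"
        dest: "{{ dl_dir }}/{{ item }}"
      loop: "{{ artifacts | product(['', '.sig']) | map('join') | list }}"
    - name: Verify signatures (a bad or unknown signature fails the play)
      command: >
        gpgv --keyring {{ keyring }}
        {{ dl_dir }}/{{ item }}.sig {{ dl_dir }}/{{ item }}
      loop: "{{ artifacts }}"
      changed_when: false
    - name: Install only the files that verified
      copy:
        remote_src: true
        src: "{{ dl_dir }}/{{ item }}"
        dest: "{{ install_dir }}/{{ item }}"
        owner: ceno
        mode: "0644"
      loop: "{{ artifacts }}"
```

Because `gpgv` trusts only the keys in the given keyring and exits non-zero otherwise, a key fetched from the same server as the download adds nothing; the keyring has to come from the playbook repository or another independent channel.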

ivilata unassigned vmon May 1, 2019