diff --git a/ansible/deploy-fastpath.yml b/ansible/deploy-fastpath.yml
new file mode 100644
index 00000000..29029966
--- /dev/null
+++ b/ansible/deploy-fastpath.yml
@@ -0,0 +1,26 @@
+---
+- name: Deploy fastpath
+ hosts:
+ - fastpath.dev.ooni.io
+ become: true
+ roles:
+ - role: bootstrap
+ - role: dehydrated
+ vars:
+ ssl_domains:
+ - "{{ inventory_hostname }}"
+ tls_cert_dir: /var/lib/dehydrated/certs
+ - role: prometheus_node_exporter
+ vars:
+ node_exporter_port: 9100
+ node_exporter_host: "0.0.0.0"
+ prometheus_nginx_proxy_config:
+ - location: /metrics/node_exporter
+ proxy_pass: http://127.0.0.1:9100/metrics
+ - role: geerlingguy.docker
+ docker_install_compose: true
+ docker_users:
+ - fastpath
+ - ubuntu
+ docker_package_state: latest
+ - role: fastpath
diff --git a/ansible/inventory b/ansible/inventory
index 839b11a8..cc4a2d78 100644
--- a/ansible/inventory
+++ b/ansible/inventory
@@ -42,3 +42,7 @@ monitoringproxy.prod.ooni.io
 [openvpn]
 openvpn1.htz-fsn.prod.ooni.nu
 openvpn2.htz-fsn.prod.ooni.nu
+
+[aws-backend]
+fastpath.dev.ooni.io
+# fastpath.prod.ooni.io
\ No newline at end of file
diff --git a/ansible/requirements/ansible-galaxy.yml b/ansible/requirements/ansible-galaxy.yml
index 3b29d9ba..eba94f51 100644
--- a/ansible/requirements/ansible-galaxy.yml
+++ b/ansible/requirements/ansible-galaxy.yml
@@ -12,4 +12,6 @@
 name: idealista.clickhouse_role
 - src: https://github.com/ooni/airflow-role.git
 scm: git
- name: ooni.airflow_role
\ No newline at end of file
+ name: ooni.airflow_role
+- src: geerlingguy.docker
+ version: 7.4.7
\ No newline at end of file
diff --git a/ansible/roles/fastpath/defaults/main.yml b/ansible/roles/fastpath/defaults/main.yml
new file mode 100644
index 00000000..af88ea5d
--- /dev/null
+++ b/ansible/roles/fastpath/defaults/main.yml
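Review bot: `docker_users` puts both `fastpath` and `ubuntu` into the docker group, which is generally root-equivalent on the host, while the play already runs with `become: true`, so starting the container in the fastpath role needs neither account in that group; dropping `ubuntu` at least, or a comment explaining which interactive use needs it, would keep the privilege grant deliberate. `docker_package_state: latest` upgrades Docker whenever a newer package is published, restarting the daemon outside any planned change; `docker_package_state: present` with a pinned package version is the predictable form. `node_exporter_host: "0.0.0.0"` binds the exporter on every interface and the nftables rule added by the fastpath role accepts port 9100 from any source, so the security group in `tf/environments/dev/main.tf` is the only thing limiting who can scrape it.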
@@ -0,0 +1,9 @@
+tls_cert_dir: /var/lib/dehydrated/certs
+
+# Fastpath user
+fastpath_user: fastpath
+fastpath_home: "/opt/{{ fastpath_user }}"
+
+# Fastpath settings
+# TODO Update this to the actual clickhouse host when we have migrated it
+clickhouse_url: "clickhouse://default:default@clickhouse-server:9000"
\ No newline at end of file
diff --git a/ansible/roles/fastpath/handlers/main.yml b/ansible/roles/fastpath/handlers/main.yml
new file mode 100644
index 00000000..594ebfe9
--- /dev/null
+++ b/ansible/roles/fastpath/handlers/main.yml
@@ -0,0 +1,27 @@
+- name: test nginx config
+ command: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf
+ listen:
+ - restart nginx
+ - reload nginx
+
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
+
+- name: reload nginx
+ service:
+ name: nginx
+ state: reloaded
+
+- name: reload nftables
+ tags: nftables
+ ansible.builtin.systemd_service:
+ name: nftables
+ state: reloaded
+
+- name: restart docker
+ tags: docker
+ ansible.builtin.systemd_service:
+ name: docker
+ state: restarted
\ No newline at end of file
diff --git a/ansible/roles/fastpath/tasks/main.yml b/ansible/roles/fastpath/tasks/main.yml
new file mode 100644
index 00000000..c11e3ba5
--- /dev/null
+++ b/ansible/roles/fastpath/tasks/main.yml
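Review bot: `clickhouse_url` carries a username and password (`default:default@clickhouse-server:9000`) in a committed role default, and the `fastpath.conf` template writes it verbatim, so when the TODO is resolved the real DSN would end up in this file unless the value is moved first. Default it to a credential-free placeholder and supply the real DSN from host/group vars or an encrypted vars file, e.g. `clickhouse_url: ""  # set per host; do not commit credentials here`. `tls_cert_dir` is also set in the dehydrated role vars of `ansible/deploy-fastpath.yml`; if both are meant to be the same path, keeping it in one place avoids the two drifting.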
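Review bot: The nginx handlers use the short `service` and `command` names while the nftables and docker handlers use `ansible.builtin.systemd_service`; a new file reads more consistently with one form, e.g. `ansible.builtin.service:` and `ansible.builtin.command:`. `test nginx config` runs before `restart nginx`/`reload nginx` only because it is defined first, since handlers execute in definition order; a comment such as `# Must stay above the nginx restart/reload handlers: handlers run in definition order` would make that dependency explicit.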
@@ -0,0 +1,106 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers
+ meta: flush_handlers
+
+- name: Allow traffic on port 9100
+ become: true
+ tags: prometheus-proxy
+ blockinfile:
+ path: /etc/ooni/nftables/tcp/9100.nft
+ create: yes
+ block: |
+ add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+ notify:
+ - reload nftables
+
+# For incoming fastpath traffic
+- name: Allow traffic on port 8472
+ become: true
+ tags: fastpath
+ blockinfile:
+ path: /etc/ooni/nftables/tcp/8472.nft
+ create: yes
+ block: |
+ add rule inet filter input tcp dport 8472 counter accept comment "fastpath"
+ notify:
+ - reload nftables
+
+# Docker seems to have problems with nftables, so this command will translate all iptables
+# commands to nftables commands
+- name: Update alternatives for iptables
+ tags: docker
+ become: yes
+ ansible.builtin.command: "update-alternatives --set iptables /usr/sbin/iptables-nft"
+ notify:
+ - restart docker
+
+- name: Update alternatives for iptables
+ tags: docker
+ become: yes
+ ansible.builtin.command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
+ notify:
+ - restart docker
+
+- name: Flush all handlers # Required to apply iptables settings before docker runs
+ meta: flush_handlers
+
+### Install make to build fastpath
+- name: Install make
+ ansible.builtin.apt:
+ name: make
+ state: present
+ update_cache: yes
+ become: yes
+
+### Create fastpath user
+- name: Ensure the fastpath group exists
+ ansible.builtin.group:
+ name: "{{ fastpath_user }}"
+ state: present
+ become: yes
+- name: Create the fastpath user
+ ansible.builtin.user:
+ name: "{{ fastpath_user }}"
+ home: "{{ fastpath_home }}"
+ shell: "/bin/bash"
+ group: "{{ fastpath_user }}"
+ create_home: yes
+ system: yes
+ become: yes
+- name: Set ownership of the fastpath directory
+ ansible.builtin.file:
+ path: "{{ fastpath_home }}"
+ owner: "{{ fastpath_user }}"
+ group: "{{ fastpath_user }}"
+ state: directory
+ mode: '0755'
+ become: yes
+
+
+ # We could also create an ECR docker image and use that, but this is a bit simpler
+ # Install fastpath
+- name: Clone backend repo
+ become: yes
+ ansible.builtin.git:
+ repo: 'https://github.com/ooni/backend'
+ dest: "/opt/{{fastpath_user}}/backend"
+ # TODO Change to `master` when https://github.com/ooni/backend/pull/935 is merged
+ version: support-deploying-fastpath-as-docker-container
+ force: yes
+
+- name: Create configuration file
+ tags: fastpath
+ template:
+ src: templates/fastpath.conf
+ dest: "/opt/{{fastpath_user}}/backend/fastpath/fastpath.conf"
+ mode: 0444
+ owner: "{{fastpath_user}}"
+ become: yes
+
+- name: Run docker container
+ tags: fastpath
+ ansible.builtin.command: "make docker-all" # TODO Change to `make docker` when clickhouse is migrated
+ args:
+ chdir: "/opt/{{fastpath_user}}/backend/fastpath"
+
diff --git a/ansible/roles/fastpath/templates/fastpath.conf b/ansible/roles/fastpath/templates/fastpath.conf
new file mode 100644
index 00000000..54ec9d7e
--- /dev/null
+++ b/ansible/roles/fastpath/templates/fastpath.conf
@@ -0,0 +1,19 @@
+[DEFAULT]
+# Collector hostnames, comma separated
+collectors = localhost
+
+
+{% if psql_uri is defined %}
+# The password is already made public
+db_uri = {{ psql_uri }}
+{% else %}
+db_uri =
+{% endif %}
+
+# S3 access credentials
+# Currently unused
+s3_access_key =
+s3_secret_key =
+
+
+clickhouse_url = {{clickhouse_url}}
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 16d7e059..ae646ce6 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
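Review bot: Both `update-alternatives` tasks are `ansible.builtin.command` calls with no `changed_when`, so every run reports them changed and notifies `restart docker`, restarting the daemon (and typically the container started later in this file) on each play; the second task also repeats the first one's name although it switches ip6tables. `community.general.alternatives` with `name: iptables` and `path: /usr/sbin/iptables-nft` is idempotent; if the command is kept, name the second task `Update alternatives for ip6tables` and gate both with a `changed_when` derived from the current alternative. `make docker-all` is likewise a bare command with no `changed_when` or `creates`, so the role can never report a converged host. `mode: 0444` on the template task is an unquoted leading-zero literal while the directory task writes `'0755'`; `mode: '0444'` keeps the style uniform and avoids the YAML octal ambiguity. The nftables rules for 9100 and 8472 accept from any source; restricting 9100 to the monitoring proxy address would match the intent of the security group rule in `tf/environments/dev/main.tf`.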
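Review bot: `clickhouse_url = {{clickhouse_url}}` writes the full DSN, password included, into a file the role installs with `mode: 0444`, so every local account on the host can read it; `mode: '0440'` with `group: "{{ fastpath_user }}"` on the template task, or handing the DSN to the container through its environment, limits it to the service account, provided the uid inside the container can still read the file. The `# The password is already made public` comment applies to the PostgreSQL `db_uri` above it and should not be read as covering `clickhouse_url`; a comment such as `# Contains credentials; keep this file unreadable to other local users` above the last line would record that. Style: the other expression is written `{{ psql_uri }}`, so `{{ clickhouse_url }}` keeps the two alike.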
@@ -559,6 +559,71 @@ resource "aws_route53_record" "monitoring_proxy_alias" {
 ]
 }
 
+
+### Fastpath
+module "ooni_fastpath" {
+ source = "../../modules/ec2"
+
+ stage = local.environment
+
+ vpc_id = module.network.vpc_id
+ subnet_id = module.network.vpc_subnet_public[0].id
+ private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block
+ dns_zone_ooni_io = local.dns_zone_ooni_io
+
+ key_name = module.adm_iam_roles.oonidevops_key_name
+ instance_type = "t3a.small"
+
+ name = "oonifastpath"
+ ingress_rules = [{
+ from_port = 22,
+ to_port = 22,
+ protocol = "tcp",
+ cidr_blocks = ["0.0.0.0/0"],
+ }, {
+ from_port = 80,
+ to_port = 80,
+ protocol = "tcp",
+ cidr_blocks = ["0.0.0.0/0"],
+ }, {
+ from_port = 9100,
+ to_port = 9100,
+ protocol = "tcp"
+ cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"]
+ }]
+
+ egress_rules = [{
+ from_port = 0,
+ to_port = 0,
+ protocol = "-1",
+ cidr_blocks = ["0.0.0.0/0"],
+ }, {
+ from_port = 0,
+ to_port = 0,
+ protocol = "-1",
+ ipv6_cidr_blocks = ["::/0"],
+ }]
+
+ sg_prefix = "oonifastpath"
+ tg_prefix = "fstp"
+
+ tags = merge(
+ local.tags,
+ { Name = "ooni-tier0-fastpath" }
+ )
+}
+
+resource "aws_route53_record" "fastpath_alias" {
+ zone_id = local.dns_zone_ooni_io
+ name = "fastpath.${local.environment}.ooni.io"
+ type = "CNAME"
+ ttl = 300
+
+ records = [
+ module.ooni_fastpath.aws_instance_public_dns
+ ]
+}
+
 
 #### OONI Run service
 module "ooniapi_oonirun_deployer" {
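Review bot: `ingress_rules` opens 22, 80 and 9100 but not 8472, which the fastpath role's nftables task opens for incoming fastpath traffic, so either an 8472 entry with the intended source range is missing here or that nftables rule is unneeded — the two should agree. Port 22 from `0.0.0.0/0` exposes SSH to the whole internet; if administration goes through the openvpn hosts listed in `ansible/inventory`, a rule limited to their addresses is the tighter form, and the 9100 entry already shows the pattern with `cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"]`. Minor: that 9100 block drops the trailing commas the other entries use (`protocol = "tcp"`); HCL accepts both, but a uniform style keeps future diffs small.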