Aws fastpath deploy

ansible/deploy-fastpath.yml

@@ -0,0 +1,25 @@
+---
+- name: Deploy fastpath
+  hosts:
+    - fastpath.dev.ooni.io
+  become: true
+  roles:
+    - role: bootstrap
+    - role: dehydrated
+      vars: 
+        ssl_domains: 
+          - "{{ inventory_hostname }}"
+        tls_cert_dir: /var/lib/dehydrated/certs
+    - role: prometheus_node_exporter
+      vars:
+        node_exporter_port: 9100
+        node_exporter_host: "0.0.0.0"
+        prometheus_nginx_proxy_config: 
+          - location: /metrics/node_exporter
+            proxy_pass: http://127.0.0.1:9100/metrics
+    - role: geerlingguy.docker
+      docker_users:
+        - fastpath
+        - ubuntu
+      docker_package_state: latest
+    - role: fastpath

ansible/host_vars/fastpath.dev.ooni.io/vars.yml

@@ -0,0 +1,4 @@
+s3_ooni_open_data_access_key: "{{ vault_s3_ooni_open_data_access_key }}"
+clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.dev.ooni.io/oonitest"
+bucket_name: "ooni-data-eu-fra-test"
+collector_id: "3"

ansible/host_vars/fastpath.dev.ooni.io/vault

@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+30333638353938613934613439396236613334333437623332653266353065616332323461343537
+6363393434393664626432373738393239346366336236630a653764373339663739393434666162
+37666566306164643738356138363232623461316233396233653030633031303634356233666631
+3863336634343932330a356232343735313033396365383161666666646335333033656639623135
+64366564306163343738316538663539326631653435343232383464666330333765643132363264
+61386432316330383366363665323237663634656630393933303430633034313634633937633337
+36373164353238326265643232626536303165613135396137656566653131393033643062656435
+38303563333835313965

ansible/inventory

@@ -42,3 +42,7 @@ monitoringproxy.prod.ooni.io
 [openvpn]
 openvpn1.htz-fsn.prod.ooni.nu
 openvpn2.htz-fsn.prod.ooni.nu
+
+[aws-backend]
+fastpath.dev.ooni.io
+# fastpath.prod.ooni.io

ansible/requirements/ansible-galaxy.yml

@@ -1,15 +1,21 @@
-- src: willshersystems.sshd
-  version: v0.25.0
-- src: nginxinc.nginx
-  version: 0.24.3
-- src: geerlingguy.certbot
-  version: 5.2.0
-- src: artis3n.tailscale
-  version: v4.5.0
-- src: https://github.com/idealista/clickhouse_role
-  scm: git
-  version: 3.5.1
-  name: idealista.clickhouse_role
-- src: https://github.com/ooni/airflow-role.git
-  scm: git
-  name: ooni.airflow_role
+roles: 
+  - src: willshersystems.sshd
+    version: v0.25.0
+  - src: nginxinc.nginx
+    version: 0.24.3
+  - src: geerlingguy.certbot
+    version: 5.2.0
+  - src: artis3n.tailscale
+    version: v4.5.0
+  - src: https://github.com/idealista/clickhouse_role
+    scm: git
+    version: 3.5.1
+    name: idealista.clickhouse_role
+  - src: https://github.com/ooni/airflow-role.git
+    scm: git
+    name: ooni.airflow_role
+  - src: geerlingguy.docker # installs docker
+    version: 7.4.7
+collections: 
+  - name: community.docker # manages containers
+    version: 4.6.1

ansible/roles/fastpath/defaults/main.yml

@@ -0,0 +1,9 @@
+tls_cert_dir: /var/lib/dehydrated/certs
+
+# Fastpath user
+fastpath_user: fastpath
+fastpath_home: "/opt/{{ fastpath_user }}"
+
+# Fastpath settings
+# TODO Update this to the actual clickhouse host when we have migrated it 
+clickhouse_url: "clickhouse://default:default@clickhouse-server:9000"

ansible/roles/fastpath/handlers/main.yml

@@ -0,0 +1,27 @@
+- name: test nginx config
+  command: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf
+  listen:
+    - restart nginx
+    - reload nginx
+
+- name: restart nginx
+  service:
+    name: nginx
+    state: restarted
+
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
+
+- name: reload nftables
+  tags: nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: reloaded
+
+- name: restart docker
+  tags: docker
+  ansible.builtin.systemd_service:
+    name: docker
+    state: restarted

ansible/roles/fastpath/tasks/main.yml

@@ -0,0 +1,183 @@
+---
+# For prometheus scrape requests
+- name: Flush all handlers 
+  meta: flush_handlers
+
+- name: Allow traffic on port 9100
+  become: true
+  tags: prometheus-proxy
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/9100.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
+  notify:
+   - reload nftables  
+
+# For incoming fastpath traffic
+- name: Allow traffic on port 8472
+  become: true
+  tags: fastpath
+  blockinfile:
+    path: /etc/ooni/nftables/tcp/8472.nft
+    create: yes
+    block: |
+      add rule inet filter input tcp dport 8472 counter accept comment "fastpath"
+  notify:
+   - reload nftables  
+
+# Docker seems to have problems with nftables, so this command will translate all iptables
+# commands to nftables commands
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set iptables /usr/sbin/iptables-nft"
+  notify: 
+   - restart docker
+
+- name: Update alternatives for iptables 
+  tags: docker
+  become: yes
+  ansible.builtin.command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
+  notify: 
+   - restart docker
+
+- name: Flush all handlers # Required to apply iptables settings before docker runs
+  meta: flush_handlers
+
+### Create fastpath user 
+- name: Ensure the fastpath group exists
+  ansible.builtin.group:
+    name: "{{ fastpath_user }}"
+    state: present
+  become: yes
+- name: Create the fastpath user
+  ansible.builtin.user:
+    name: "{{ fastpath_user }}"
+    home: "{{ fastpath_home }}"
+    shell: "/bin/bash"
+    group: "{{ fastpath_user }}"
+    create_home: yes
+    system: yes
+  become: yes
+- name: Set ownership of the fastpath directory
+  ansible.builtin.file:
+    path: "{{ fastpath_home }}"
+    owner: "{{ fastpath_user }}"
+    group: "{{ fastpath_user }}"
+    state: directory
+    mode: '0755'
+  become: yes
+
+### Run fastpath
+- name: Make sure that the fastpath configuration directory exists
+  ansible.builtin.file:
+    path: /opt/{{fastpath_user}}/backend/fastpath/
+    state: directory
+    mode: '0700'
+    owner: "{{fastpath_user}}"
+    group: "{{fastpath_user}}"
+
+- name: Create configuration file
+  tags: fastpath
+  template:
+    src: templates/fastpath.conf
+    dest: "/opt/{{fastpath_user}}/backend/fastpath/fastpath.conf"
+    mode: 0444
+    owner: "{{fastpath_user}}"
+  become: yes
+
+- name: Ensure ooniapi directory existence 
+  ansible.builtin.file:
+    path: /var/lib/ooniapi
+    state: directory
+    mode: '0700'
+    owner: "{{fastpath_user}}"
+    group: "{{fastpath_user}}"
+
+- name: Ensure fastpath is running
+  community.docker.docker_container:
+    name: fastpath
+    image: ooni/fastpath:latest
+    state: started
+    published_ports: 
+      - "8472:8472"
+    volumes:
+      - /opt/{{fastpath_user}}/backend/fastpath/fastpath.conf:/etc/ooni/fastpath.conf
+      - /var/lib/ooniapi:/var/lib/ooniapi
+
+### API Uploader set up
+- name: configure api uploader using s3 bucket
+  tags: uploader
+  template:
+    src: templates/api-uploader.conf
+    dest: /etc/ooni/api-uploader.conf
+
+- name: Install measurement uploader script
+  tags: uploader
+  template:
+    src: templates/ooni_api_uploader.py
+    dest: /usr/bin/ooni_api_uploader.py
+    owner: "{{fastpath_user}}"
+    group: "{{fastpath_user}}"
+    mode: "0755"
+
+- name: Install clickhouse driver (uploader dep)
+  tags: uploader
+  become: true
+  apt: 
+    name: python3-clickhouse-driver
+    state: present
+    update_cache: true
+
+- name: Install ujson (uploader dep)
+  tags: uploader
+  become: true
+  apt: 
+    name: python3-ujson
+    state: present
+    update_cache: true
+
+- name: Install Systemd 
+  tags: uploader
+  apt:
+    name: python3-systemd
+    state: present
+    update_cache: true
+
+- name: Install boto3
+  tags: uploader
+  apt:
+    name: python3-boto3
+    state: present
+    update_cache: true
+
+- name: Install Statsd
+  tags: uploader
+  apt:
+    name: python3-statsd
+    state: present
+    update_cache: true
+
+- name: Install uploder service
+  tags: uploader
+  template:
+    src: templates/ooni-api-uploader.service 
+    dest: /etc/systemd/system/ooni-api-uploader.service
+    mode: 0644
+    owner: root
+
+- name: Install uploader timer
+  tags: uploader
+  template:
+    src: templates/ooni-api-uploader.timer
+    dest: /etc/systemd/system/ooni-api-uploader.timer
+    mode: 0644
+    owner: root
+
+- name: Ensure uploader timer runs
+  tags: uploader
+  systemd:
+    name: ooni-api-uploader.timer
+    state: started
+    enabled: yes

ansible/roles/fastpath/templates/api-uploader.conf

@@ -0,0 +1,10 @@
+# OONI API measurement uploader - Python ini format
+# Deployed by ansible, see roles/ooni-backend/templates/api-uploader.conf
+[DEFAULT]
+# arn:aws:iam::676739448697:user/ooni-pipeline, AWS: OONI Open Data
+aws_access_key_id = AKIAJURD7T4DTN5JMJ5Q
+aws_secret_access_key = {{ s3_ooni_open_data_access_key }}
+bucket_name = {{ bucket_name }}
+msmt_spool_dir = /var/lib/ooniapi/measurements
+collector_id = {{ collector_id }}
+db_uri = {{ clickhouse_url }}

ansible/roles/fastpath/templates/fastpath.conf

@@ -0,0 +1,19 @@
+[DEFAULT]
+# Collector hostnames, comma separated
+collectors = localhost
+
+
+{% if psql_uri is defined %}
+# The password is already made public
+db_uri = {{ psql_uri }}
+{% else %}
+db_uri =
+{% endif %}
+
+# S3 access credentials
+# Currently unused
+s3_access_key =
+s3_secret_key =
+
+
+clickhouse_url = {{clickhouse_url}}

ansible/roles/fastpath/templates/ooni-api-uploader.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Upload raw OONI measurements to S3
+Wants=ooni-api-uploader.timer
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/ooni_api_uploader.py
+
+[Install]
+WantedBy=multi-user.target
+

ansible/roles/fastpath/templates/ooni-api-uploader.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Upload raw OONI measurements to S3
+Requires=ooni-api-uploader.service
+
+[Timer]
+Unit=ooni-api-uploader.service
+# run every hour at 10 minutes past the hour
+OnCalendar=*-*-* *:10
+#OnCalendar=*-*-* *:00/5
+
+[Install]
+WantedBy=timers.target