From a3817066a5da25a6fc3609e3193c1c5874b72291 Mon Sep 17 00:00:00 2001 From: Yurii Kovalchuk Date: Wed, 28 Feb 2024 10:29:57 +0200 Subject: [PATCH 01/15] ATOR-173 - Bandwidth authority setup, docker support and CI --- .github/actions/build-and-push/action.yml | 34 ++++ .github/actions/deploy/action.yml | 24 +++ .github/workflows/dev-deploy.yml | 28 ++++ .github/workflows/stage-deploy.yml | 28 ++++ .gitignore | 1 + docker/destination/Dockerfile | 9 ++ docker/destination/default.conf | 16 ++ docker/destination/docker-entrypoint.sh | 5 + docker/docker-compose.yml | 16 ++ docker/scanner/.sbws.ini | 58 +++++++ docker/scanner/Dockerfile | 18 +++ docker/scanner/docker-entrypoint.sh | 6 + operations/admin-ui-ca.crt | 31 ++++ operations/deploy-dev.hcl | 183 ++++++++++++++++++++++ operations/deploy-stage.hcl | 183 ++++++++++++++++++++++ sbws/globals.py | 2 + sbws/util/config.py | 5 +- 17 files changed, 645 insertions(+), 2 deletions(-) create mode 100644 .github/actions/build-and-push/action.yml create mode 100644 .github/actions/deploy/action.yml create mode 100644 .github/workflows/dev-deploy.yml create mode 100644 .github/workflows/stage-deploy.yml create mode 100755 docker/destination/Dockerfile create mode 100644 docker/destination/default.conf create mode 100755 docker/destination/docker-entrypoint.sh create mode 100755 docker/docker-compose.yml create mode 100755 docker/scanner/.sbws.ini create mode 100755 docker/scanner/Dockerfile create mode 100755 docker/scanner/docker-entrypoint.sh create mode 100644 operations/admin-ui-ca.crt create mode 100644 operations/deploy-dev.hcl create mode 100644 operations/deploy-stage.hcl diff --git a/.github/actions/build-and-push/action.yml b/.github/actions/build-and-push/action.yml new file mode 100644 index 00000000..45c7a83f --- /dev/null +++ b/.github/actions/build-and-push/action.yml 
@@ -0,0 +1,34 @@ +name: Build and Push Docker Image +inputs: + docker-username: + required: true + docker-password: + required: true + docker-tag: + required: true + +runs: + using: "composite" + steps: + - name: Log in to Docker Hub + uses: docker/login-action@v1 + with: + username: ${{ inputs.docker-username }} + password: ${{ inputs.docker-password }} + + - name: Build and push Docker image of scanner + uses: docker/build-push-action@v2 + with: + context: . + file: ./docker/Dockerfile + push: true + tags: ${{ inputs.docker-username }}/sbws-scanner:${{ github.sha }},${{ inputs.docker-username }}/sbws-scanner:${{ inputs.docker-tag }} + + - name: Build and push Docker image of destination + uses: docker/build-push-action@v2 + with: + context: ./docker/destination + file: ./docker/destination/Dockerfile + push: true + tags: ${{ inputs.docker-username }}/sbws-destination:${{ github.sha }},${{ inputs.docker-username }}/sbws-destination:${{ inputs.docker-tag }} + diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml new file mode 100644 index 00000000..42728d8b --- /dev/null +++ b/.github/actions/deploy/action.yml @@ -0,0 +1,24 @@ +name: 'Deploy new version' +inputs: + environment: + required: true + nomad-cacert: + required: true + nomad-token: + required: true + nomad-addr: + required: true + +runs: + using: "composite" + steps: + - name: Deploy new version + shell: bash + env: + NOMAD_CACERT: ${{ inputs.nomad-cacert }} + NOMAD_TOKEN: ${{ inputs.nomad-token }} + NOMAD_ADDR: ${{ inputs.nomad-addr }} + run: | + curl -L https://releases.hashicorp.com/nomad/1.6.3/nomad_1.6.3_linux_amd64.zip -o nomad.zip + unzip nomad.zip + ./nomad job run operations/deploy-${{ inputs.environment }}.hcl diff --git a/.github/workflows/dev-deploy.yml b/.github/workflows/dev-deploy.yml new file mode 100644 index 00000000..f32a0ac3 --- /dev/null +++ b/.github/workflows/dev-deploy.yml 
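Review bot: The two Docker actions are referenced by floating major tags (`docker/login-action@v1`, `docker/build-push-action@v2`), so the code that receives the Docker Hub credentials can change underneath this workflow without any commit in this repository. Pinning each `uses:` to a full commit SHA with the version in a trailing comment (`uses: docker/login-action@<commit-sha> # vN`, placeholder) fixes what runs; those majors are also old and likely on a deprecated Node runtime, so choosing a current major at the same time avoids a second change later. The `docker-password` input is only interpolated into `with:`, which is fine; a one-line comment on the inputs saying they are consumed by the login step only would make the credential flow obvious.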
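Review bot: The Nomad binary is downloaded with `curl -L` and unzipped with no integrity check before it is executed with the cluster token in `NOMAD_TOKEN`. HashiCorp publishes a `nomad_1.6.3_SHA256SUMS` file next to the zip, so adding `curl -LO https://releases.hashicorp.com/nomad/1.6.3/nomad_1.6.3_SHA256SUMS` and `sha256sum --check --ignore-missing nomad_1.6.3_SHA256SUMS` between the download and the unzip ties the step to the published release. `${{ inputs.environment }}` is also expanded straight into the shell script text; passing it through `env:` and writing `operations/deploy-${ENVIRONMENT}.hcl` keeps the input out of the script, even though both callers in this series pass literals.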
@@ -0,0 +1,28 @@ +name: Build and Push Docker Image + +on: + pull_request: + branches: + - development + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Check out the repo + uses: actions/checkout@v4 + - name: Build and push + uses: ./.github/actions/build-and-push + with: + docker-username: ${{ secrets.DOCKER_HUB_USERNAME }} + docker-password: ${{ secrets.DOCKER_HUB_PASSWORD }} + docker-tag: latest-dev +# - name: Deploy +# uses: ./.github/actions/deploy +# with: +# environment: dev +# nomad-cacert: operations/admin-ui-ca.crt +# nomad-token: ${{ secrets.NOMAD_TOKEN_SBWS_DEPLOY }} +# nomad-addr: ${{ secrets.NOMAD_DEPLOY_ADDR }} diff --git a/.github/workflows/stage-deploy.yml b/.github/workflows/stage-deploy.yml new file mode 100644 index 00000000..8d55ade6 --- /dev/null +++ b/.github/workflows/stage-deploy.yml @@ -0,0 +1,28 @@ +name: Build and Push Docker Image + +on: + push: + branches: + - main + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Check out the repo + uses: actions/checkout@v4 + - name: Build and push + uses: ./.github/actions/build-and-push + with: + docker-username: ${{ secrets.DOCKER_HUB_USERNAME }} + docker-password: ${{ secrets.DOCKER_HUB_PASSWORD }} + docker-tag: latest + - name: Deploy + uses: ./.github/actions/deploy + with: + environment: stage + nomad-cacert: operations/admin-ui-ca.crt + nomad-token: ${{ secrets.NOMAD_TOKEN_SBWS_DEPLOY }} + nomad-addr: ${{ secrets.NOMAD_DEPLOY_ADDR }} diff --git a/.gitignore b/.gitignore index 744436b7..ea66127a 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ dist build *.lockfile chutney +.idea diff --git a/docker/destination/Dockerfile b/docker/destination/Dockerfile new file mode 100755 index 00000000..421ad176 --- /dev/null +++ b/docker/destination/Dockerfile 
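Review bot: The workflow triggers on `pull_request` against `development` and then pushes `sbws-scanner:latest-dev` and `sbws-destination:latest-dev` to Docker Hub, so an image built from not-yet-reviewed PR code replaces the `latest-dev` tag that `operations/deploy-dev.hcl` in this same patch pulls. For PRs from forks the `secrets.*` values are empty and the login step fails instead, so the trigger over-publishes for branch PRs and breaks for fork PRs. Building on `push: branches: [development]` (keeping `pull_request` only for a build without `push: true`) gives the same coverage without publishing unreviewed code.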
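Review bot: Neither this workflow nor `dev-deploy.yml` declares a `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository default scope although the steps only check out code. Adding `permissions:` with `contents: read` at the top of both workflows applies the least privilege the job actually uses; the Docker Hub and Nomad credentials come from `secrets.*` and are unaffected by it.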
@@ -0,0 +1,9 @@ +FROM nginx + +WORKDIR /app/destination + +COPY docker-entrypoint.sh /app/destination + +#COPY default.conf /etc/nginx/conf.d/default.conf + +ENTRYPOINT [ "sh", "docker-entrypoint.sh" ] diff --git a/docker/destination/default.conf b/docker/destination/default.conf new file mode 100644 index 00000000..cb9e54f3 --- /dev/null +++ b/docker/destination/default.conf @@ -0,0 +1,16 @@ +server { + + root /app/destination/data; + + autoindex on; + + listen 0.0.0.0:80; + + location / { + try_files $uri $uri/ =404; + } + + location ~/\.ht { + deny all; + } +} diff --git a/docker/destination/docker-entrypoint.sh b/docker/destination/docker-entrypoint.sh new file mode 100755 index 00000000..28d5660b --- /dev/null +++ b/docker/destination/docker-entrypoint.sh @@ -0,0 +1,5 @@ +mkdir -p data && cd data + +head -c $((1024*1024*1024)) /dev/urandom > 1GiB + +nginx -g 'daemon off;' diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml new file mode 100755 index 00000000..0f06dbd3 --- /dev/null +++ b/docker/docker-compose.yml @@ -0,0 +1,16 @@ +version: '2.2' +services: + sbws-scanner: + image: sbws-scanner + restart: always + volumes: + - ./scanner/.sbws.ini:/root/.sbws.ini + - ./scanner/data/:/app/scanner/data + sbws-destination: + image: sbws-destination + restart: always + ports: + - "8888:80" + volumes: + - ./destination/default.conf:/etc/nginx/conf.d/default.conf + - ./destination/data/:/app/destination/data diff --git a/docker/scanner/.sbws.ini b/docker/scanner/.sbws.ini new file mode 100755 index 00000000..d6225776 --- /dev/null +++ b/docker/scanner/.sbws.ini 
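Review bot: `FROM nginx` carries no tag, so every build picks whatever `nginx:latest` is at that moment and the destination image is not reproducible; `FROM nginx:<pinned-version>` (placeholder) or a digest makes the base a reviewed choice. With the `COPY default.conf` line commented out, the image serves nginx's stock configuration unless a conf is mounted at run time, which the compose file in this patch does; a comment next to the commented `COPY` saying that the config is expected to be mounted would make that dependency explicit.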
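Review bot: The entrypoint writes a fresh 1 GiB of `/dev/urandom` output to `data/1GiB` on every container start, and the compose file sets `restart: always` for this service, so each restart costs a gigabyte of random generation and disk I/O before nginx comes up. Guarding it with `[ -s 1GiB ] || head -c $((1024*1024*1024)) /dev/urandom > 1GiB` keeps the file stable across restarts. The script also has no shebang and no `set -e`, so if `mkdir -p data && cd data` fails nginx still starts with its root pointing elsewhere; opening with `#!/bin/sh` and `set -eu` turns that into a clean failure.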
@@ -0,0 +1,58 @@ +# Minimum configuration that needs to be customized +[scanner] +# ISO 3166-1 alpha-2 country code where the scanner is located. +# Default AA, to detect it was not edited. +country = DE +# A human-readable string with chars in a-zA-Z0-9 to identify the dirauth +# nickname that will publish the BandwidthFiles generated from this scanner. +# Default to a non existing dirauth_nickname to detect it was not edited. +dirauth_nickname = Anon + +[destinations] +# With several destinations, the scanner can continue even if some of them +# fail, which can be caused by a network problem on their side. +# If all of them fail, the scanner will stop, which +# will happen if there is network problem on the scanner side. + +# A destination can be disabled changing `on` by `off` +foo = on + +[destinations.foo] +# the domain and path to the 1GB file or POST URL. +url = http://host.docker.internal:8888/1GiB +# Whether to verify or not the TLS certificate. Default True +verify = False +# ISO 3166-1 alpha-2 country code where the Web server destination is located. +# Default AA, to detect it was not edited. +# Use ZZ if the location is unknown (for instance, a CDN). +country = ZZ + +## The following logging options are set by default. +## There is no need to change them unless other options are preferred. +; [logging] +; # Whether or not to log to a rotating file the directory paths.log_dname +; to_file = yes +; # Whether or not to log to stdout +; to_stdout = yes +; # Whether or not to log to syslog +; # NOTE that when sbws is launched by systemd, stdout goes to journal and +; # syslog. +; to_syslog = no + +; # Level to log at. Debug, info, warning, error, critical. +; # `level` must be set to the lower of all the handler levels. 
+; level = debug +; to_file_level = debug +; to_stdout_level = info +; to_syslog_level = info +; # Format string to use when logging +; format = %(module)s[%(process)s]: <%(levelname)s> %(message)s +; # verbose formatter useful for debugging +; to_file_format = %(asctime)s %(levelname)s %(threadName)s %(filename)s:%(lineno)s - %(funcName)s - %(message)s +; # Not adding %(asctime)s to to stdout since it'll go to syslog when using +; # systemd, and it'll have already the date. +; to_stdout_format = ${format} +; to_syslog_format = ${format} + +# To disable certificate validation, uncomment the following +# verify = False diff --git a/docker/scanner/Dockerfile b/docker/scanner/Dockerfile new file mode 100755 index 00000000..f0452cc5 --- /dev/null +++ b/docker/scanner/Dockerfile @@ -0,0 +1,18 @@ +FROM debian:bookworm + +RUN apt update && \ + DEBIAN_FRONTEND=noninteractive apt install -y \ + python3-dateutil python3-stem pip cron +# pip install requests + +WORKDIR /app/scanner + +ADD ../.. /app/scanner/temp + +RUN cd temp && ls -la && \ + pip install . --break-system-packages && \ + cp docker/scanner/docker-entrypoint.sh .. && \ + cd .. && \ + rm -rf temp + +ENTRYPOINT [ "sh", "docker-entrypoint.sh" ] diff --git a/docker/scanner/docker-entrypoint.sh b/docker/scanner/docker-entrypoint.sh new file mode 100755 index 00000000..35fc4751 --- /dev/null +++ b/docker/scanner/docker-entrypoint.sh @@ -0,0 +1,6 @@ +mkdir -p /app/scanner/data/logs + +crontab -l | { cat; echo "*/5 * * * * sbws generate >> /app/scanner/data/logs/generate.log 2>&1"; } | crontab - +crontab -l | { cat; echo "30 0 * * * sbws cleanup >> /app/scanner/data/logs/cleanup.log 2>&1"; } | crontab - + +cron -f diff --git a/operations/admin-ui-ca.crt b/operations/admin-ui-ca.crt new file mode 100644 index 00000000..939344fb --- /dev/null +++ b/operations/admin-ui-ca.crt 
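Review bot: `ADD ../.. /app/scanner/temp` names a path above the build context; whether the builder rejects it or clamps it to the context root depends on the builder, and since the workflow passes `context: .`, `COPY . /app/scanner/temp` states the intent directly and avoids ADD's tar-extraction and URL semantics. The `ls -la` in the install `RUN` is debug output left in the build, and the apt step never removes `/var/lib/apt/lists/*`, so the layer keeps the package index. `pip install . --break-system-packages` deliberately installs into the system Python; a one-line comment saying why a virtualenv is not used would save the next reader the question.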
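Review bot: Nothing in this entrypoint starts `sbws scanner`; only the `generate` and `cleanup` cron lines are installed, so unless the scanner runs somewhere else the `generate` job has no measurements to work from, and the patch 06 version of this file leaves `#sbws scanner` commented as well. The `crontab -l | { cat; echo ...; } | crontab -` lines append on every run, and with `restart: always` the same container filesystem survives a restart, so duplicate `generate`/`cleanup` entries accumulate; writing both lines with one `printf '%s\n' ... | crontab -` replaces the crontab instead of appending. As with the destination script, a `#!/bin/sh` and `set -eu` first line is missing.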
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFVzCCAz+gAwIBAgIUdUo5LO+M2vEiSyfvDSOhKxVBko0wDQYJKoZIhvcNAQEL +BQAwOzELMAkGA1UEBhMCTk8xETAPBgNVBAoMCEF0b3IgTExDMRkwFwYDVQQDDBBB +dG9yIEFkbWluIFVJIENBMB4XDTIzMDUxMDE0NTk0M1oXDTQzMDIyNDE0NTk0M1ow +OzELMAkGA1UEBhMCTk8xETAPBgNVBAoMCEF0b3IgTExDMRkwFwYDVQQDDBBBdG9y +IEFkbWluIFVJIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA1gcK +cqC81T4YHcu3DfoSA2ghART6ImQSStXhuJfWqJPjJG0PtT58t3OJ6jS84zxTWPoZ +e2gfcA4VunW5+gTTQVra8gBdNthT4jOZJ9TYS54kSRJ9st7ZPctOYzD97NXeMeWp +TCgtkoGhaVLBeFE2z8xI2V+coIs00WG+GyC1St4DlmbezKUrpODWdfiRZfYa3lNy +uamPLY3nsDq8APVq4BKrauAxfnVmeItIdjC82KhCykeWyVVOrj7PeXbfWus79YON +KuXsLbFnSR1xO5QEtaYk3A3XXN81Xe0i5qNoWJAczYIrPLAsjIo+fDw/8ENoC9+j +SfS6gNdgd0A2Le31J5Bd76QZipDBa9+5EhZNGK/19qfypTzayRT4JpErAa8zKGIy +V9csdacobuQ+0UuU+li8EavWl8vFUSb1Uh1cnhudhr2NbAiuqjwwffOmgcTnOESg +cbAXPUhGWSQU2DyrFiDebo/HbiFZGzKxL7FcoK1j08gqcMzc+3gIF4uCKkMM+rk0 +5GWNsp3VoQv9E5ytYYbN8Lk1yxRY3KWhISiDmK/cS3FW4LRrcS2H+Se+hWLNyHDN +P0yQXQh068DdCjZAQYOeXcQWKBAI1kcwu6KyidOpZKwhCZKbMGHsoURhKsfL9NEh +HDjQXrPXJ7d++Akmek2Eu9tXz7sVFJE7mB3SE0cCAwEAAaNTMFEwHQYDVR0OBBYE +FJAGJ5Vj7nX/cRLIKorIuudZoHcbMB8GA1UdIwQYMBaAFJAGJ5Vj7nX/cRLIKorI +uudZoHcbMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFk8SYO0 +w0RHpCfrytF/rFTZUtIPNnol3/PRMq6WYT/fmTLhpt8S8+Yuz6YykRzVf4JI4LT8 +Y5nbZV/5fynbCfOP3pBWl/C7npdQtVsGVGVX7Hh1M+8Q9RKl+NA8gyHxKYfXJtEr +c6sSewBJ62eARP4dztbO8T/ydvfI6VJyKbJhGeO7vU+p13qbYAVMYeQ3sUjpazKZ +haqtTRp2lNDKK4SJ2mxW+pnac8S8E88+LP1O8U0hZphddfRgmwjuzeu+remwjkF8 +obreQRk2BR58v+tGTxfxHT0XJSK9b+G7QRmEKy+V4hXZPcynF5Xbdqu8fT7cVF6s +TfL9dCDMQoBsiWElFllSmBruWvp5gv086fwObFeQfw94Y3qvFawLMPUdI76uYPlR +3VuAs5MFncohOL12+/2o4nST2v4WKDLoWxcze49r6iCFMe2UEhhuydEXnQHp7el9 +w1NMfXxH6PzOAvMG1WtlkyT45agAIETW76/SSJH8e9j21m6cXcaaK6kJvhPga1X7 +Cd3XaiTg1r39S7Nxm/g8xDmVV738lguuj3TN5RwbNfR/rNcVUG5VUNDGea/bzQLl +eyjkXk1rFn5mYTf8tCcFfvu7pcH0Ds902zZvdysvaMGCxQu3bVpdkSn+3/6dUNCA +FFWzsbx0wrWxCyFPedz8OWgtdYu1TMtvXrWE +-----END CERTIFICATE----- 
diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl new file mode 100644 index 00000000..5808851f --- /dev/null +++ b/operations/deploy-dev.hcl 
@@ -0,0 +1,183 @@ +job "sbws-dev" { + datacenters = ["ator-fin"] + type = "service" + namespace = "ator-network" + + group "sbws-dev-group" { + count = 1 + +# volume "sbws-data" { +# type = "host" +# read_only = false +# source = "sbws-dev" +# } + + network { +# mode = "bridge" + port "http-port" { + static = 9000 + to = 80 +# host_network = "wireguard" + } + } + + ephemeral_disk { + migrate = true + sticky = true + } + + task "sbws-scanner-dev-task" { + driver = "docker" + +# env { +# LOGBASE = "data/logs" +# } + +# volume_mount { +# volume = "sbws-data" +# destination = "/srv/sbws/data" +# read_only = false +# } + + config { + image = "svforte/sbws-scanner:latest-dev" + volumes = [ + "local/.sbws.ini:/root/.sbws.ini:ro", + "local/data:/app/scanner/data" + ] + } + + resources { + cpu = 256 + memory = 1024 + } + + template { + change_mode = "noop" + data = < %(message)s +; # verbose formatter useful for debugging +; to_file_format = %(asctime)s %(levelname)s %(threadName)s %(filename)s:%(lineno)s - %(funcName)s - %(message)s +; # Not adding %(asctime)s to to stdout since it'll go to syslog when using +; # systemd, and it'll have already the date. 
+; to_stdout_format = ${format} +; to_syslog_format = ${format} + +# To disable certificate validation, uncomment the following +# verify = False + EOH + destination = "local/.sbws.ini" + } + } + + task "sbws-destination-dev-task" { + driver = "docker" + +# volume_mount { +# volume = "sbws-data" +# destination = "/var/www/sbws-destination/data" +# read_only = true +# } + + config { + image = "svforte/sbws-destination:latest-dev" + volumes = [ + "local/nginx-sbws:/etc/nginx/conf.d/default.conf:ro" + ] + ports = ["http-port"] + } + + resources { + cpu = 256 + memory = 256 + } + + service { + name = "sbws-destination-dev" + provider = "nomad" + tags = ["sbws"] + port = "http-port" + check { + name = "sbws destination nginx http server alive" + type = "tcp" + interval = "10s" + timeout = "10s" + check_restart { + limit = 10 + grace = "30s" + } + } + } + + template { + change_mode = "noop" + data = < %(message)s +; # verbose formatter useful for debugging +; to_file_format = %(asctime)s %(levelname)s %(threadName)s %(filename)s:%(lineno)s - %(funcName)s - %(message)s +; # Not adding %(asctime)s to to stdout since it'll go to syslog when using +; # systemd, and it'll have already the date. 
+; to_stdout_format = ${format} +; to_syslog_format = ${format} + +# To disable certificate validation, uncomment the following +# verify = False + EOH + destination = "local/.sbws.ini" + } + } + + task "sbws-destination-stage-task" { + driver = "docker" + + # volume_mount { + # volume = "sbws-data" + # destination = "/var/www/sbws-destination/data" + # read_only = true + # } + + config { + image = "svforte/sbws-destination:latest" + volumes = [ + "local/nginx-sbws:/etc/nginx/conf.d/default.conf:ro" + ] + ports = ["http-port"] + } + + resources { + cpu = 256 + memory = 256 + } + + service { + name = "sbws-destination-stage" + provider = "nomad" + tags = ["sbws"] + port = "http-port" + check { + name = "sbws destination nginx http server alive" + type = "tcp" + interval = "10s" + timeout = "10s" + check_restart { + limit = 10 + grace = "30s" + } + } + } + + template { + change_mode = "noop" + data = < Date: Wed, 28 Feb 2024 10:32:05 +0200 Subject: [PATCH 02/15] ATOR-173 - Fix scanner Dockerfile's path --- .github/actions/build-and-push/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-and-push/action.yml b/.github/actions/build-and-push/action.yml index 45c7a83f..4bfa14dd 100644 --- a/.github/actions/build-and-push/action.yml +++ b/.github/actions/build-and-push/action.yml @@ -20,7 +20,7 @@ runs: uses: docker/build-push-action@v2 with: context: . - file: ./docker/Dockerfile + file: ./docker/scanner/Dockerfile push: true tags: ${{ inputs.docker-username }}/sbws-scanner:${{ github.sha }},${{ inputs.docker-username }}/sbws-scanner:${{ inputs.docker-tag }} From 5d9d5381485041909d1849c52676c91ddd20af68 Mon Sep 17 00:00:00 2001 
From: Yurii Kovalchuk Date: Wed, 28 Feb 2024 23:20:47 +0200 Subject: [PATCH 03/15] ATOR-173 - Add anon client and control socket --- docker/destination/Dockerfile | 2 -- docker/docker-compose.yml | 3 +-- docker/scanner/.sbws.ini | 5 +++++ docker/scanner/Dockerfile | 8 ++++++++ docker/scanner/anonrc | 5 +++++ docker/scanner/docker-entrypoint.sh | 12 +++++++----- operations/deploy-dev.hcl | 19 ++++++++++++++++--- sbws/util/stem.py | 17 +++++++++-------- 8 files changed, 51 insertions(+), 20 deletions(-) create mode 100644 docker/scanner/anonrc diff --git a/docker/destination/Dockerfile b/docker/destination/Dockerfile index 421ad176..7fba28c3 100755 --- a/docker/destination/Dockerfile +++ b/docker/destination/Dockerfile @@ -4,6 +4,4 @@ WORKDIR /app/destination COPY docker-entrypoint.sh /app/destination -#COPY default.conf /etc/nginx/conf.d/default.conf - ENTRYPOINT [ "sh", "docker-entrypoint.sh" ] diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 0f06dbd3..bd9d6bca 100755 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -5,7 +5,7 @@ services: restart: always volumes: - ./scanner/.sbws.ini:/root/.sbws.ini - - ./scanner/data/:/app/scanner/data + - ./scanner/anonrc:/etc/anon/anonrc sbws-destination: image: sbws-destination restart: always @@ -13,4 +13,3 @@ services: - "8888:80" volumes: - ./destination/default.conf:/etc/nginx/conf.d/default.conf - - ./destination/data/:/app/destination/data diff --git a/docker/scanner/.sbws.ini b/docker/scanner/.sbws.ini index d6225776..8cfc0be5 100755 --- a/docker/scanner/.sbws.ini +++ b/docker/scanner/.sbws.ini @@ -56,3 +56,8 @@ country = ZZ # To disable certificate validation, uncomment the following # verify = False + +[tor] +control_socket = /var/lib/anon/control +;external_control_host = 127.0.0.1 +;external_control_port = 9051 diff --git a/docker/scanner/Dockerfile b/docker/scanner/Dockerfile index f0452cc5..3fc2a14a 100755 --- a/docker/scanner/Dockerfile +++ b/docker/scanner/Dockerfile 
@@ -15,4 +15,12 @@ RUN cd temp && ls -la && \ cd .. && \ rm -rf temp +RUN apt-get -y update && \ + apt-get -y install wget apt-transport-https && \ + . /etc/os-release && \ + wget -qO- https://deb.dmz.ator.dev/anon.asc | tee /etc/apt/trusted.gpg.d/anon.asc && \ + echo "deb [signed-by=/etc/apt/trusted.gpg.d/anon.asc] https://deb.dmz.ator.dev anon-dev-$VERSION_CODENAME main" > /etc/apt/sources.list.d/anon.list && \ + apt-get -y update && \ + apt-get -y install anon + ENTRYPOINT [ "sh", "docker-entrypoint.sh" ] diff --git a/docker/scanner/anonrc b/docker/scanner/anonrc new file mode 100644 index 00000000..525f8914 --- /dev/null +++ b/docker/scanner/anonrc @@ -0,0 +1,5 @@ +User debian-anon +DataDirectory /var/lib/anon +ControlSocket /var/lib/anon/control +Nickname AnonSBWS +FetchUselessDescriptors 1 diff --git a/docker/scanner/docker-entrypoint.sh b/docker/scanner/docker-entrypoint.sh index 35fc4751..407f5b47 100755 --- a/docker/scanner/docker-entrypoint.sh +++ b/docker/scanner/docker-entrypoint.sh @@ -1,6 +1,8 @@ -mkdir -p /app/scanner/data/logs +anon -crontab -l | { cat; echo "*/5 * * * * sbws generate >> /app/scanner/data/logs/generate.log 2>&1"; } | crontab - -crontab -l | { cat; echo "30 0 * * * sbws cleanup >> /app/scanner/data/logs/cleanup.log 2>&1"; } | crontab - - -cron -f +#mkdir -p /app/scanner/data/logs +# +#crontab -l | { cat; echo "*/5 * * * * sbws generate >> /app/scanner/data/logs/generate.log 2>&1"; } | crontab - +#crontab -l | { cat; echo "30 0 * * * sbws cleanup >> /app/scanner/data/logs/cleanup.log 2>&1"; } | crontab - +# +#cron -f diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl index 5808851f..97d9aaed 100644 --- a/operations/deploy-dev.hcl +++ b/operations/deploy-dev.hcl @@ -15,7 +15,7 @@ job "sbws-dev" { network { # mode = "bridge" port "http-port" { - static = 9000 + static = 8888 to = 80 # host_network = "wireguard" } 
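Review bot: The repository signing key fetched with `wget -qO- https://deb.dmz.ator.dev/anon.asc` is written straight into `/etc/apt/trusted.gpg.d/`, which makes it a trusted signer for every apt source on the image, so the `[signed-by=...]` in the sources line scopes nothing. Saving it under `/usr/share/keyrings/anon.asc` and pointing `signed-by=` there limits the key to this repository. The key and the packages also arrive from the same host over the same channel with no fingerprint check, so recording the expected fingerprint in the Dockerfile (`<expected-fingerprint>`, placeholder) and comparing it against `gpg --show-keys --with-fingerprint` output after the download is the only step that would notice a substituted key.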
@@ -43,7 +43,7 @@ job "sbws-dev" { image = "svforte/sbws-scanner:latest-dev" volumes = [ "local/.sbws.ini:/root/.sbws.ini:ro", - "local/data:/app/scanner/data" + "local/anonrc:/etc/anon/anonrc:ro" ] } @@ -76,7 +76,7 @@ foo = on [destinations.foo] # the domain and path to the 1GB file or POST URL. -url = http://host.docker.internal:8888/1GiB +url = http://5.78.90.106:8888/1GiB # Whether to verify or not the TLS certificate. Default True verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. @@ -118,6 +118,19 @@ country = ZZ } } + template { + change_mode = "noop" + data = < Date: Thu, 29 Feb 2024 22:05:36 +0200 Subject: [PATCH 04/15] ATOR-173 - Fix docker and mount sbws data locally --- docker/scanner/Dockerfile | 1 - operations/deploy-dev.hcl | 102 +++++++++++++----------------------- operations/deploy-stage.hcl | 61 ++++++++------------- 3 files changed, 58 insertions(+), 106 deletions(-) diff --git a/docker/scanner/Dockerfile b/docker/scanner/Dockerfile index 3fc2a14a..39c77955 100755 --- a/docker/scanner/Dockerfile +++ b/docker/scanner/Dockerfile @@ -3,7 +3,6 @@ FROM debian:bookworm RUN apt update && \ DEBIAN_FRONTEND=noninteractive apt install -y \ python3-dateutil python3-stem pip cron -# pip install requests WORKDIR /app/scanner diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl index 97d9aaed..fff85060 100644 --- a/operations/deploy-dev.hcl +++ b/operations/deploy-dev.hcl @@ -6,18 +6,18 @@ job "sbws-dev" { group "sbws-dev-group" { count = 1 -# volume "sbws-data" { -# type = "host" -# read_only = false -# source = "sbws-dev" -# } + # volume "sbws-data" { + # type = "host" + # read_only = false + # source = "sbws-dev" + # } network { -# mode = "bridge" + # mode = "bridge" port "http-port" { static = 8888 to = 80 -# host_network = "wireguard" + # host_network = "wireguard" } } 
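Review bot: The destination URL becomes the literal `http://5.78.90.106:8888/1GiB` inside the committed job spec, so the dev scanner's target is an address that can drift from the destination task defined in this same job; the same literal is written again in patch 05 (`@@ -73,7` in `deploy-dev.hcl` with port 8888 and in `deploy-stage.hcl` with port 9888) and in patch 06's `docker/scanner/.sbws.ini`. The destination task registers the Nomad service `sbws-destination-dev` on `http-port`, so a template lookup of that service, or a job variable holding the address, would keep a single definition. If the address is intentionally a host other than this job's own destination, a comment on the `url =` line saying so would stop the next reader from "fixing" it.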
@@ -29,21 +29,23 @@ job "sbws-dev" { task "sbws-scanner-dev-task" { driver = "docker" -# env { -# LOGBASE = "data/logs" -# } + # env { + # LOGBASE = "data/logs" + # } -# volume_mount { -# volume = "sbws-data" -# destination = "/srv/sbws/data" -# read_only = false -# } + # volume_mount { + # volume = "sbws-data" + # destination = "/srv/sbws/data" + # read_only = false + # } config { image = "svforte/sbws-scanner:latest-dev" + force_pull = true volumes = [ "local/.sbws.ini:/root/.sbws.ini:ro", - "local/anonrc:/etc/anon/anonrc:ro" + "local/anonrc:/etc/anon/anonrc:ro", + "local/data:/root/.sbws" ] } 
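Review bot: `force_pull = true` combined with the mutable tag `svforte/sbws-scanner:latest-dev` means every task restart may pull a different image than the one last reviewed, and that tag is rewritten by the `pull_request`-triggered dev workflow. The build action already tags each image with `${{ github.sha }}`, so referencing that tag (or the image digest) here ties the allocation to a specific commit, and `force_pull` becomes unnecessary. If a rolling dev environment is the intent, a comment on the `force_pull` line stating that trade-off would document it.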
@@ -66,82 +68,50 @@ country = DE dirauth_nickname = Anon [destinations] -# With several destinations, the scanner can continue even if some of them -# fail, which can be caused by a network problem on their side. -# If all of them fail, the scanner will stop, which -# will happen if there is network problem on the scanner side. - # A destination can be disabled changing `on` by `off` -foo = on +dest = on -[destinations.foo] -# the domain and path to the 1GB file or POST URL. -url = http://5.78.90.106:8888/1GiB -# Whether to verify or not the TLS certificate. Default True +[destinations.dest] +# the domain and path to the 1GB file. +url = http://host.docker.internal:8888/1GiB +# Whether to verify or not the TLS certificate. Default True. verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. # Default AA, to detect it was not edited. # Use ZZ if the location is unknown (for instance, a CDN). country = ZZ -## The following logging options are set by default. -## There is no need to change them unless other options are preferred. -; [logging] -; # Whether or not to log to a rotating file the directory paths.log_dname -; to_file = yes -; # Whether or not to log to stdout -; to_stdout = yes -; # Whether or not to log to syslog -; # NOTE that when sbws is launched by systemd, stdout goes to journal and -; # syslog. -; to_syslog = no - -; # Level to log at. Debug, info, warning, error, critical. -; # `level` must be set to the lower of all the handler levels. -; level = debug -; to_file_level = debug -; to_stdout_level = info -; to_syslog_level = info -; # Format string to use when logging -; format = %(module)s[%(process)s]: <%(levelname)s> %(message)s -; # verbose formatter useful for debugging -; to_file_format = %(asctime)s %(levelname)s %(threadName)s %(filename)s:%(lineno)s - %(funcName)s - %(message)s -; # Not adding %(asctime)s to to stdout since it'll go to syslog when using -; # systemd, and it'll have already the date. 
-; to_stdout_format = ${format} -; to_syslog_format = ${format} - -# To disable certificate validation, uncomment the following -# verify = False +[tor] +control_socket = /var/lib/anon/control EOH destination = "local/.sbws.ini" } - } - template { - change_mode = "noop" - data = < %(message)s -; # verbose formatter useful for debugging -; to_file_format = %(asctime)s %(levelname)s %(threadName)s %(filename)s:%(lineno)s - %(funcName)s - %(message)s -; # Not adding %(asctime)s to to stdout since it'll go to syslog when using -; # systemd, and it'll have already the date. -; to_stdout_format = ${format} -; to_syslog_format = ${format} - -# To disable certificate validation, uncomment the following -# verify = False +[tor] +control_socket = /var/lib/anon/control EOH destination = "local/.sbws.ini" } + + template { + change_mode = "noop" + data = < Date: Thu, 29 Feb 2024 22:16:24 +0200 Subject: [PATCH 05/15] ATOR-173 - Fix docker and mount sbws data locally --- operations/deploy-dev.hcl | 2 +- operations/deploy-stage.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl index fff85060..d0cbc4d8 100644 --- a/operations/deploy-dev.hcl +++ b/operations/deploy-dev.hcl @@ -73,7 +73,7 @@ dest = on [destinations.dest] # the domain and path to the 1GB file. -url = http://host.docker.internal:8888/1GiB +url = http://5.78.90.106:8888/1GiB # Whether to verify or not the TLS certificate. Default True. verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. diff --git a/operations/deploy-stage.hcl b/operations/deploy-stage.hcl index 120e7de9..250ba492 100644 --- a/operations/deploy-stage.hcl +++ b/operations/deploy-stage.hcl 
@@ -73,7 +73,7 @@ dest = on [destinations.dest] # the domain and path to the 1GB file. -url = http://host.docker.internal:8888/1GiB +url = http://5.78.90.106:9888/1GiB # Whether to verify or not the TLS certificate. Default True. verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. From 299ff4a4ee2d23d4dbe72bbf6dd6d7deffe9d6eb Mon Sep 17 00:00:00 2001 From: Yurii Kovalchuk Date: Sun, 3 Mar 2024 22:14:22 +0200 Subject: [PATCH 06/15] ATOR-173 - Extract relay to separate container and connect through control port --- .gitignore | 1 + docker/docker-compose.yml | 29 ++++++++++- docker/relay/anonrc | 10 ++++ docker/scanner/.sbws.ini | 39 ++------------- docker/scanner/Dockerfile | 8 ---- docker/scanner/anonrc | 5 -- docker/scanner/docker-entrypoint.sh | 14 +++--- operations/deploy-dev.hcl | 69 ++++++++++++++++++--------- sbws/globals.py | 2 +- sbws/util/stem.py | 22 ++++----- scripts/tools/get-per-relay-budget.py | 2 +- 11 files changed, 110 insertions(+), 91 deletions(-) create mode 100644 docker/relay/anonrc delete mode 100644 docker/scanner/anonrc diff --git a/.gitignore b/.gitignore index ea66127a..ec4cd4ec 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ build *.lockfile chutney .idea +docker/data diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index bd9d6bca..f421f529 100755 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -1,11 +1,27 @@ version: '2.2' services: + sbws-relay: + image: svforte/anon-dev + restart: always + expose: + - "9051" + volumes: + - ./data/:/var/lib/anon + - ./relay/anonrc:/etc/anon/anonrc + networks: + local: + ipv4_address: 172.18.0.2 sbws-scanner: image: sbws-scanner restart: always + depends_on: + - sbws-relay volumes: - ./scanner/.sbws.ini:/root/.sbws.ini - - ./scanner/anonrc:/etc/anon/anonrc + - ./data:/root/.sbws + networks: + local: + ipv4_address: 172.18.0.3 sbws-destination: image: sbws-destination restart: always 
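Review bot: `./data/` is mounted into the relay as `/var/lib/anon`, its `DataDirectory`, and the same `./data` into the scanner as `/root/.sbws`, so the relay's identity keys under `keys/` and the scanner's state and results share one directory, and the scanner (root, given `/root/.sbws`) can read and overwrite the relay's key material. Two separate host paths, for example `./data/relay` and `./data/scanner`, keep the relay's secrets out of the scanner's working tree. The relay is also given a fixed `ipv4_address` rather than being addressed by service name; if the fixed address exists only so `external_control_ip` in `.sbws.ini` can be a literal, a comment there saying so would help.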
@@ -13,3 +29,14 @@ services: - "8888:80" volumes: - ./destination/default.conf:/etc/nginx/conf.d/default.conf + networks: + local: + ipv4_address: 172.18.0.4 + +networks: + local: + ipam: + driver: default + config: + - subnet: "172.18.0.0/24" + gateway: "172.18.0.1" diff --git a/docker/relay/anonrc b/docker/relay/anonrc new file mode 100644 index 00000000..99f25156 --- /dev/null +++ b/docker/relay/anonrc @@ -0,0 +1,10 @@ +User anond + +Nickname AnonSBWS + +DataDirectory /var/lib/anon + +ControlPort 0.0.0.0:9051 +HashedControlPassword 16:3ACE689A3BC1B7D06025EA6BC9CB1C9B99EB21FE4877ECD803E6EAD9BE + +FetchUselessDescriptors 1 diff --git a/docker/scanner/.sbws.ini b/docker/scanner/.sbws.ini index 8cfc0be5..375995a7 100755 --- a/docker/scanner/.sbws.ini +++ b/docker/scanner/.sbws.ini @@ -2,7 +2,7 @@ [scanner] # ISO 3166-1 alpha-2 country code where the scanner is located. # Default AA, to detect it was not edited. -country = DE +country = ZZ # A human-readable string with chars in a-zA-Z0-9 to identify the dirauth # nickname that will publish the BandwidthFiles generated from this scanner. # Default to a non existing dirauth_nickname to detect it was not edited. @@ -19,7 +19,7 @@ foo = on [destinations.foo] # the domain and path to the 1GB file or POST URL. -url = http://host.docker.internal:8888/1GiB +url = http://5.78.90.106:8888/1GiB # Whether to verify or not the TLS certificate. Default True verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. 
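Review bot: `ControlPort 0.0.0.0:9051` binds the control port on every interface of the relay container, and the `HashedControlPassword` that gates it is committed to the repository, so any container on the `local` network can reach the control port and the credential's hash is public. Binding to the container's own address (`ControlPort 172.18.0.2:9051`, matching the compose file) and generating the hash at deploy time from a secret with the daemon's `--hash-password` helper, rather than storing it in git, keeps the credential out of the repo. Where the scanner obtains the plaintext password is not visible in this series (the `sbws/util/stem.py` hunks are not in this view), so that path should be checked as well.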
@@ -27,37 +27,6 @@ verify = False # Use ZZ if the location is unknown (for instance, a CDN). country = ZZ -## The following logging options are set by default. -## There is no need to change them unless other options are preferred. -; [logging] -; # Whether or not to log to a rotating file the directory paths.log_dname -; to_file = yes -; # Whether or not to log to stdout -; to_stdout = yes -; # Whether or not to log to syslog -; # NOTE that when sbws is launched by systemd, stdout goes to journal and -; # syslog. -; to_syslog = no - -; # Level to log at. Debug, info, warning, error, critical. -; # `level` must be set to the lower of all the handler levels. -; level = debug -; to_file_level = debug -; to_stdout_level = info -; to_syslog_level = info -; # Format string to use when logging -; format = %(module)s[%(process)s]: <%(levelname)s> %(message)s -; # verbose formatter useful for debugging -; to_file_format = %(asctime)s %(levelname)s %(threadName)s %(filename)s:%(lineno)s - %(funcName)s - %(message)s -; # Not adding %(asctime)s to to stdout since it'll go to syslog when using -; # systemd, and it'll have already the date. -; to_stdout_format = ${format} -; to_syslog_format = ${format} - -# To disable certificate validation, uncomment the following -# verify = False - [tor] -control_socket = /var/lib/anon/control -;external_control_host = 127.0.0.1 -;external_control_port = 9051 +external_control_ip = 172.18.0.2 +external_control_port = 9051 diff --git a/docker/scanner/Dockerfile b/docker/scanner/Dockerfile index 39c77955..51cc9360 100755 --- a/docker/scanner/Dockerfile +++ b/docker/scanner/Dockerfile 
@@ -14,12 +14,4 @@ RUN cd temp && ls -la && \ cd .. && \ rm -rf temp -RUN apt-get -y update && \ - apt-get -y install wget apt-transport-https && \ - . /etc/os-release && \ - wget -qO- https://deb.dmz.ator.dev/anon.asc | tee /etc/apt/trusted.gpg.d/anon.asc && \ - echo "deb [signed-by=/etc/apt/trusted.gpg.d/anon.asc] https://deb.dmz.ator.dev anon-dev-$VERSION_CODENAME main" > /etc/apt/sources.list.d/anon.list && \ - apt-get -y update && \ - apt-get -y install anon - ENTRYPOINT [ "sh", "docker-entrypoint.sh" ] diff --git a/docker/scanner/anonrc b/docker/scanner/anonrc deleted file mode 100644 index 525f8914..00000000 --- a/docker/scanner/anonrc +++ /dev/null @@ -1,5 +0,0 @@ -User debian-anon -DataDirectory /var/lib/anon -ControlSocket /var/lib/anon/control -Nickname AnonSBWS -FetchUselessDescriptors 1 diff --git a/docker/scanner/docker-entrypoint.sh b/docker/scanner/docker-entrypoint.sh index 407f5b47..d2ed7db3 100755 --- a/docker/scanner/docker-entrypoint.sh +++ b/docker/scanner/docker-entrypoint.sh @@ -1,8 +1,8 @@ -anon +mkdir -p /app/scanner/data/logs -#mkdir -p /app/scanner/data/logs -# -#crontab -l | { cat; echo "*/5 * * * * sbws generate >> /app/scanner/data/logs/generate.log 2>&1"; } | crontab - -#crontab -l | { cat; echo "30 0 * * * sbws cleanup >> /app/scanner/data/logs/cleanup.log 2>&1"; } | crontab - -# -#cron -f +crontab -l | { cat; echo "*/5 * * * * sbws generate >> /app/scanner/data/logs/generate.log 2>&1"; } | crontab - +crontab -l | { cat; echo "30 0 * * * sbws cleanup >> /app/scanner/data/logs/cleanup.log 2>&1"; } | crontab - + +cron -f + +#sbws scanner diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl index d0cbc4d8..77645e63 100644 --- a/operations/deploy-dev.hcl +++ b/operations/deploy-dev.hcl 
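Review bot: `#sbws scanner` stays commented out, so the container only runs `cron -f` with the `generate` and `cleanup` jobs and never starts the measurement loop that produces the data those jobs consume. If that is intentional for now, say so in the script, e.g. `# scanner is started separately for now; only generate/cleanup run here`; otherwise start `sbws scanner` alongside cron. The script also has no `set -e`, which with the `sh docker-entrypoint.sh` ENTRYPOINT in the Dockerfile hunk means a failing `crontab` pipeline is silently ignored and cron runs with an empty table.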
@@ -6,11 +6,11 @@ job "sbws-dev" { group "sbws-dev-group" { count = 1 - # volume "sbws-data" { - # type = "host" - # read_only = false - # source = "sbws-dev" - # } +# volume "dir-auth-dev" { +# type = "host" +# read_only = false +# source = "dir-auth-dev" +# } network { # mode = "bridge" @@ -26,12 +26,48 @@ job "sbws-dev" { sticky = true } - task "sbws-scanner-dev-task" { + task "sbws-relay-dev-task" { driver = "docker" - # env { - # LOGBASE = "data/logs" - # } +# volume_mount { +# volume = "anon-check-data" +# destination = "/var/lib/anon" +# read_only = false +# } + + config { + image = "svforte/anon-dev" + force_pull = true + volumes = [ + "local/anonrc:/etc/anon/anonrc" + ] + } + + resources { + cpu = 256 + memory = 256 + } + + template { + change_mode = "noop" + data = < Date: Sun, 3 Mar 2024 23:05:33 +0200 Subject: [PATCH 07/15] ATOR-173 - Add missed external control ip support --- sbws/config.default.ini | 1 + sbws/util/config.py | 1 + 2 files changed, 2 insertions(+) diff --git a/sbws/config.default.ini b/sbws/config.default.ini index 142c8954..df49eee9 100644 --- a/sbws/config.default.ini +++ b/sbws/config.default.ini @@ -70,6 +70,7 @@ control_socket = ${tor:run_dpath}/control pid = ${tor:run_dpath}/tor.pid # note this is a directory log = ${tor:datadir}/log +external_control_ip = external_control_port = extra_lines = diff --git a/sbws/util/config.py b/sbws/util/config.py index cb105244..d63f4d05 100644 --- a/sbws/util/config.py +++ b/sbws/util/config.py @@ -396,6 +396,7 @@ def _validate_tor(conf): "control_socket", "pid", "log", + "external_control_ip", "external_control_port", "extra_lines", ] From b9991c8c6ba3c2daa568e2f5f56b7804331abeef Mon Sep 17 00:00:00 2001 
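Review bot: `"external_control_ip"` is only added to the allow-list of `[tor]` keys, and nothing in this hunk checks the value's form before it is used to open the controller connection, so a malformed value surfaces only as a connection failure at runtime. If `_validate_tor` has a per-key validator elsewhere, `ipaddress.ip_address(value)` from the standard library is the natural check, with its `ValueError` reported as a configuration error. The empty `external_control_ip =` default added to config.default.ini mirrors `external_control_port`, which is consistent. `_validate_tor` starts outside the hunk.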
From: Yurii Kovalchuk Date: Mon, 4 Mar 2024 14:26:52 +0200 Subject: [PATCH 08/15] ATOR-173 - Add volume and network --- docker/relay/anonrc | 9 +++ docker/scanner/.sbws.ini | 2 +- operations/deploy-dev.hcl | 88 +++++++++++++++--------- operations/deploy-stage.hcl | 131 ++++++++++++++++++++++++------------ 4 files changed, 154 insertions(+), 76 deletions(-) diff --git a/docker/relay/anonrc b/docker/relay/anonrc index 99f25156..f46a3528 100644 --- a/docker/relay/anonrc +++ b/docker/relay/anonrc @@ -7,4 +7,13 @@ DataDirectory /var/lib/anon ControlPort 0.0.0.0:9051 HashedControlPassword 16:3ACE689A3BC1B7D06025EA6BC9CB1C9B99EB21FE4877ECD803E6EAD9BE +SocksPort auto +SafeLogging 1 +UseEntryGuards 0 +ProtocolWarnings 1 +FetchDirInfoEarly 1 +LogTimeGranularity 1 +UseMicrodescriptors 0 +FetchDirInfoExtraEarly 1 FetchUselessDescriptors 1 +LearnCircuitBuildTimeout 0 diff --git a/docker/scanner/.sbws.ini b/docker/scanner/.sbws.ini index 375995a7..670bb4fb 100755 --- a/docker/scanner/.sbws.ini +++ b/docker/scanner/.sbws.ini @@ -19,7 +19,7 @@ foo = on [destinations.foo] # the domain and path to the 1GB file or POST URL. -url = http://5.78.90.106:8888/1GiB +url = http://5.78.90.106:9077/1GiB # Whether to verify or not the TLS certificate. Default True verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl index 77645e63..87019d9b 100644 --- a/operations/deploy-dev.hcl +++ b/operations/deploy-dev.hcl 
@@ -4,21 +4,41 @@ job "sbws-dev" { namespace = "ator-network" group "sbws-dev-group" { - count = 1 + count = 3 -# volume "dir-auth-dev" { -# type = "host" -# read_only = false -# source = "dir-auth-dev" -# } + spread { + attribute = "${node.unique.id}" + weight = 100 + target "067a42a8-d8fe-8b19-5851-43079e0eabb4" { + percent = 34 + } + target "16be0723-edc1-83c4-6c02-193d96ec308a" { + percent = 33 + } + target "e6e0baed-8402-fd5c-7a15-8dd49e7b60d9" { + percent = 33 + } + } + + volume "dir-auth-dev" { + type = "host" + read_only = false + source = "dir-auth-dev" + } network { - # mode = "bridge" + mode = "bridge" + port "http-port" { - static = 8888 + static = 9077 to = 80 # host_network = "wireguard" } + + port "control-port" { + static = 9051 + host_network = "wireguard" + } } ephemeral_disk { @@ -29,12 +49,6 @@ job "sbws-dev" { task "sbws-relay-dev-task" { driver = "docker" -# volume_mount { -# volume = "anon-check-data" -# destination = "/var/lib/anon" -# read_only = false -# } - config { image = "svforte/anon-dev" force_pull = true 
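Review bot: `port "control-port" { static = 9051 host_network = "wireguard" }` publishes the relay's control port on the wireguard host network, yet its only consumer is the scanner task in the same group, which under `mode = "bridge"` shares the allocation's network namespace and could reach the relay on loopback. A Tor control port reachable beyond the allocation lets anything on that network attempt controller commands, so the mapping widens exposure for no functional gain. Unless another node needs it, drop the `static`/`host_network` mapping and point the scanner at `127.0.0.1` with the relay's port. The deploy-stage.hcl hunk of this patch carries the same mapping with the same `static = 9051` and the same three spread targets, so dev and stage would also contend for one host port on a shared node.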
@@ -57,30 +71,44 @@ Nickname AnonSBWS DataDirectory /var/lib/anon -ControlPort 0.0.0.0:9051 -HashedControlPassword 16:3ACE689A3BC1B7D06025EA6BC9CB1C9B99EB21FE4877ECD803E6EAD9BE +ControlPort {{ env `NOMAD_PORT_control_port` }} +SocksPort auto +SafeLogging 1 +UseEntryGuards 0 +ProtocolWarnings 1 +FetchDirInfoEarly 1 +LogTimeGranularity 1 +UseMicrodescriptors 0 +FetchDirInfoExtraEarly 1 FetchUselessDescriptors 1 +LearnCircuitBuildTimeout 0 EOH destination = "local/anonrc" } + + service { + name = "sbws-relay-dev" + provider = "nomad" + tags = ["sbws"] + port = "control-port" + } } task "sbws-scanner-dev-task" { driver = "docker" - # volume_mount { - # volume = "sbws-data" - # destination = "/srv/sbws/data" - # read_only = false - # } + volume_mount { + volume = "dir-auth-dev" + destination = "/root/.sbws" + read_only = false + } config { image = "svforte/sbws-scanner:latest-dev" force_pull = true volumes = [ - "local/.sbws.ini:/root/.sbws.ini:ro", - "local/data:/root/.sbws" + "local/.sbws.ini:/root/.sbws.ini:ro" ] } @@ -96,7 +124,7 @@ FetchUselessDescriptors 1 [scanner] # ISO 3166-1 alpha-2 country code where the scanner is located. # Default AA, to detect it was not edited. -country = DE +country = ZZ # A human-readable string with chars in a-zA-Z0-9 to identify the dirauth # nickname that will publish the BandwidthFiles generated from this scanner. # Default to a non existing dirauth_nickname to detect it was not edited. @@ -108,7 +136,7 @@ dest = on [destinations.dest] # the domain and path to the 1GB file. -url = http://5.78.90.106:8888/1GiB +url = http://{{ env `NOMAD_HOST_ADDR_http-port` }}/1GiB # Whether to verify or not the TLS certificate. Default True. verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. 
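Review bot: The `HashedControlPassword` line is removed from the rendered anonrc without a replacement, so unless the `svforte/anon-dev` image ships its own control authentication, the relay's control port accepts any controller that can connect and the password the scanner sends becomes irrelevant. This is the same port the network block maps onto the wireguard host network, so the exposure is not confined to the allocation. The docker/relay/anonrc hunk of this patch still carries the hash, so the two relay configurations now disagree; keep an authentication method in the template, rendered from a Nomad variable rather than a committed literal, and note it next to `ControlPort`, e.g. `# control auth is required: the scanner authenticates with a password`.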
@@ -117,8 +145,8 @@ verify = False country = ZZ [tor] -external_control_ip = 127.0.0.1 -external_control_port = 9051 +external_control_ip = {{ env `NOMAD_IP_control_port` }} +external_control_port = {{ env `NOMAD_PORT_control_port` }} EOH destination = "local/.sbws.ini" } @@ -128,12 +156,6 @@ external_control_port = 9051 task "sbws-destination-dev-task" { driver = "docker" - # volume_mount { - # volume = "sbws-data" - # destination = "/var/www/sbws-destination/data" - # read_only = true - # } - config { image = "svforte/sbws-destination:latest-dev" force_pull = true diff --git a/operations/deploy-stage.hcl b/operations/deploy-stage.hcl index 250ba492..0045f8b2 100644 --- a/operations/deploy-stage.hcl +++ b/operations/deploy-stage.hcl @@ -4,21 +4,41 @@ job "sbws-stage" { namespace = "ator-network" group "sbws-stage-group" { - count = 1 + count = 3 - # volume "sbws-data" { - # type = "host" - # read_only = false - # source = "sbws-stage" - # } + spread { + attribute = "${node.unique.id}" + weight = 100 + target "067a42a8-d8fe-8b19-5851-43079e0eabb4" { + percent = 34 + } + target "16be0723-edc1-83c4-6c02-193d96ec308a" { + percent = 33 + } + target "e6e0baed-8402-fd5c-7a15-8dd49e7b60d9" { + percent = 33 + } + } + + volume "dir-auth-stage" { + type = "host" + read_only = false + source = "dir-auth-stage" + } network { - # mode = "bridge" + mode = "bridge" + port "http-port" { - static = 9888 + static = 9177 to = 80 # host_network = "wireguard" } + + port "control-port" { + static = 9051 + host_network = "wireguard" + } } ephemeral_disk { 
@@ -26,26 +46,69 @@ job "sbws-stage" { sticky = true } - task "sbws-scanner-stage-task" { + task "sbws-relay-stage-task" { driver = "docker" - # env { - # LOGBASE = "data/logs" - # } + config { + image = "svforte/anon-stage" + force_pull = true + volumes = [ + "local/anonrc:/etc/anon/anonrc" + ] + } + + resources { + cpu = 256 + memory = 256 + } + + template { + change_mode = "noop" + data = < Date: Mon, 4 Mar 2024 19:23:19 +0200 Subject: [PATCH 09/15] ATOR-173 - Fix after review --- .github/workflows/dev-deploy.yml | 14 +++++++------- .github/workflows/stage-deploy.yml | 4 ++++ docker/scanner/docker-entrypoint.sh | 10 ++++------ operations/deploy-dev.hcl | 11 +++-------- operations/deploy-stage.hcl | 5 ----- 5 files changed, 18 insertions(+), 26 deletions(-) diff --git a/.github/workflows/dev-deploy.yml b/.github/workflows/dev-deploy.yml index f32a0ac3..09821d6f 100644 --- a/.github/workflows/dev-deploy.yml +++ b/.github/workflows/dev-deploy.yml @@ -19,10 +19,10 @@ jobs: docker-username: ${{ secrets.DOCKER_HUB_USERNAME }} docker-password: ${{ secrets.DOCKER_HUB_PASSWORD }} docker-tag: latest-dev -# - name: Deploy -# uses: ./.github/actions/deploy -# with: -# environment: dev -# nomad-cacert: operations/admin-ui-ca.crt -# nomad-token: ${{ secrets.NOMAD_TOKEN_SBWS_DEPLOY }} -# nomad-addr: ${{ secrets.NOMAD_DEPLOY_ADDR }} + - name: Deploy + uses: ./.github/actions/deploy + with: + environment: dev + nomad-cacert: operations/admin-ui-ca.crt + nomad-token: ${{ secrets.NOMAD_TOKEN_SBWS_DEPLOY }} + nomad-addr: ${{ secrets.NOMAD_DEPLOY_ADDR }} diff --git a/.github/workflows/stage-deploy.yml b/.github/workflows/stage-deploy.yml index 8d55ade6..22cb97c9 100644 --- a/.github/workflows/stage-deploy.yml +++ b/.github/workflows/stage-deploy.yml @@ -1,6 +1,10 @@ name: Build and Push Docker Image on: + # temporary + pull_request: + branches: + - development push: branches: - main 
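Review bot: Adding `pull_request:` on `development` to stage-deploy.yml makes the stage deployment, presumably with the same Nomad token the dev workflow passes via `nomad-token`, run for every pull request opened against `development` rather than only after a merge to `main`. The `# temporary` comment acknowledges it, but triggers like this tend to outlive their purpose. For a one-off verification, `workflow_dispatch:` (already used in dev-deploy.yml) gives the same ability without firing on every PR; if it must stay, spell out the removal condition, e.g. `# temporary: remove once the ATOR-173 stage rollout is verified`.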
diff --git a/docker/scanner/docker-entrypoint.sh b/docker/scanner/docker-entrypoint.sh index d2ed7db3..62ef8f66 100755 --- a/docker/scanner/docker-entrypoint.sh +++ b/docker/scanner/docker-entrypoint.sh @@ -1,8 +1,6 @@ -mkdir -p /app/scanner/data/logs +mkdir -p /root/.sbws/logs -crontab -l | { cat; echo "*/5 * * * * sbws generate >> /app/scanner/data/logs/generate.log 2>&1"; } | crontab - -crontab -l | { cat; echo "30 0 * * * sbws cleanup >> /app/scanner/data/logs/cleanup.log 2>&1"; } | crontab - +crontab -l | { cat; echo "*/5 * * * * /usr/local/bin/sbws -c /root/.sbws.ini generate >> /root/.sbws/logs/generate.log 2>&1"; } | crontab - +crontab -l | { cat; echo "30 0 * * * /usr/local/bin/sbws -c /root/.sbws.ini cleanup >> /root/.sbws/logs/cleanup.log 2>&1"; } | crontab - -cron -f - -#sbws scanner +sbws scanner diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl index 87019d9b..90d067ce 100644 --- a/operations/deploy-dev.hcl +++ b/operations/deploy-dev.hcl @@ -20,10 +20,10 @@ job "sbws-dev" { } } - volume "dir-auth-dev" { + volume "sbws-dev" { type = "host" read_only = false - source = "dir-auth-dev" + source = "sbws-dev" } network { @@ -41,11 +41,6 @@ job "sbws-dev" { } } - ephemeral_disk { - migrate = true - sticky = true - } - task "sbws-relay-dev-task" { driver = "docker" @@ -99,7 +94,7 @@ LearnCircuitBuildTimeout 0 driver = "docker" volume_mount { - volume = "dir-auth-dev" + volume = "sbws-dev" destination = "/root/.sbws" read_only = false } diff --git a/operations/deploy-stage.hcl b/operations/deploy-stage.hcl index 0045f8b2..fd05d96b 100644 --- a/operations/deploy-stage.hcl +++ b/operations/deploy-stage.hcl @@ -41,11 +41,6 @@ job "sbws-stage" { } } - ephemeral_disk { - migrate = true - sticky = true - } - task "sbws-relay-stage-task" { driver = "docker" From 83cbf3fcad9ef1ba84f6158ecf104f49044ccfa5 Mon Sep 17 00:00:00 2001 
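Review bot: The two `crontab` lines install the `generate` and `cleanup` jobs, but with `cron -f` removed nothing starts the cron daemon before `sbws scanner` takes the foreground, so the jobs never fire. Start the daemon first, e.g. `service cron start` before `sbws scanner`. `sbws scanner` is also invoked without the `-c /root/.sbws.ini` the cron jobs pass explicitly; if sbws does not resolve that path by default for root, the scanner and the cron jobs read different configs, so either confirm the default or pass `-c` uniformly.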
From: Yurii Kovalchuk Date: Mon, 4 Mar 2024 23:04:30 +0200 Subject: [PATCH 10/15] ATOR-173 - Add stage deployment --- operations/deploy-stage.hcl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/operations/deploy-stage.hcl b/operations/deploy-stage.hcl index fd05d96b..e987a5b0 100644 --- a/operations/deploy-stage.hcl +++ b/operations/deploy-stage.hcl @@ -20,17 +20,17 @@ job "sbws-stage" { } } - volume "dir-auth-stage" { + volume "sbws-stage" { type = "host" read_only = false - source = "dir-auth-stage" + source = "sbws-stage" } network { mode = "bridge" port "http-port" { - static = 9177 + static = 9077 to = 80 # host_network = "wireguard" } @@ -94,7 +94,7 @@ LearnCircuitBuildTimeout 0 driver = "docker" volume_mount { - volume = "dir-auth-stage" + volume = "sbws-stage" destination = "/root/.sbws" read_only = false } From 70a2d92919ab503cbbc6793cf90116c3528549dc Mon Sep 17 00:00:00 2001 From: Yurii Kovalchuk Date: Tue, 5 Mar 2024 09:20:09 +0200 Subject: [PATCH 11/15] ATOR-173 - Fix cron and add todos for later improvements --- docker/scanner/docker-entrypoint.sh | 8 +++++--- docs/source/config_tor.rst | 3 ++- sbws/util/stem.py | 3 ++- scripts/tools/get-per-relay-budget.py | 1 + 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/docker/scanner/docker-entrypoint.sh b/docker/scanner/docker-entrypoint.sh index 62ef8f66..be656771 100755 --- a/docker/scanner/docker-entrypoint.sh +++ b/docker/scanner/docker-entrypoint.sh 
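Review bot: `static = 9077` for stage's `http-port` is the same static host port the dev job uses for its `http-port` (deploy-dev.hcl in patch 08), and both groups spread over the same three node IDs, so a node that receives both allocations cannot bind the port twice and a scanner configured for one environment may reach the other's destination. Keep distinct static ports per environment, as the previous `9177` did, or move to dynamic ports and resolve the destination through the job's own service.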
@@ -1,6 +1,8 @@ -mkdir -p /root/.sbws/logs +mkdir -p /root/.sbws/log -crontab -l | { cat; echo "*/5 * * * * /usr/local/bin/sbws -c /root/.sbws.ini generate >> /root/.sbws/logs/generate.log 2>&1"; } | crontab - -crontab -l | { cat; echo "30 0 * * * /usr/local/bin/sbws -c /root/.sbws.ini cleanup >> /root/.sbws/logs/cleanup.log 2>&1"; } | crontab - +crontab -l | { cat; echo "*/5 * * * * /usr/local/bin/sbws -c /root/.sbws.ini generate >> /root/.sbws/log/generate.log 2>&1"; } | crontab - +crontab -l | { cat; echo "30 0 * * * /usr/local/bin/sbws -c /root/.sbws.ini cleanup >> /root/.sbws/log/cleanup.log 2>&1"; } | crontab - + +service cron start sbws scanner diff --git a/docs/source/config_tor.rst b/docs/source/config_tor.rst index e6094687..35bd9add 100644 --- a/docs/source/config_tor.rst +++ b/docs/source/config_tor.rst @@ -10,7 +10,8 @@ connection to an existing Tor daemon. Default configuration: - ``SocksPort auto``: To proxy requests over Tor. -- ``CookieAuthentication 1``: The easiest way to authenticate to Tor. +- ``CookieAuthentication 0``: The easiest way to authenticate to Tor. +- ``HashedControlPassword``: The how to authenticate using password - ``UseEntryGuards 0``: To avoid path bias warnings. - ``UseMicrodescriptors 0``: Because full server descriptors are needed. - ``SafeLogging 0``: Useful for logging, since there's no need for anonymity. diff --git a/sbws/util/stem.py b/sbws/util/stem.py index 608de2e6..c54ff04b 100644 --- a/sbws/util/stem.py +++ b/sbws/util/stem.py @@ -166,6 +166,7 @@ def is_bootstrapped(c): def _init_controller_port(port): try: c = Controller.from_port(port=port) + # todo - extract password to config c.authenticate(password="password") except (IncorrectSocketType, SocketError): fail_hard("Unable to connect to control port %s.", port) 
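Review bot: The added TODO is the right call, but the hard-coded `c.authenticate(password="password")` it annotates is the control-port credential for every deployment built from this tree, and the same literal appears again in `_init_controller_socket` and in scripts/tools/get-per-relay-budget.py in the following hunks. Read it from the `[tor]` config section, which this series already extends with `external_control_ip`/`external_control_port`, or from an environment variable, and fail hard when it is absent. Worth noting in the comment as well: if the relay has no authentication method configured, stem's `authenticate()` succeeds regardless of the password, so a working connection is not evidence the relay's control port is protected. `_init_controller_port` continues below the hunk.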
@@ -177,6 +178,7 @@ def _init_controller_port(port): def _init_controller_socket(socket): try: c = Controller.from_socket_file(path=socket) + # todo - extract password to config c.authenticate(password="password") except (IncorrectSocketType, SocketError): log.debug("Error initting controller socket: socket error.") @@ -305,7 +307,6 @@ def launch_tor(conf): torrc = parse_user_torrc_config(torrc, conf["tor"]["extra_lines"]) # Finally launch Tor - log.info(torrc) try: # If there is already a tor process running with the same control # socket, this will exit here. diff --git a/scripts/tools/get-per-relay-budget.py b/scripts/tools/get-per-relay-budget.py index 96cf08fc..8529aecc 100755 --- a/scripts/tools/get-per-relay-budget.py +++ b/scripts/tools/get-per-relay-budget.py @@ -37,6 +37,7 @@ def print_regular(bws): def main(args): cont = get_controller(args) + # todo - extract password to config cont.authenticate(password="password") bws = [ns.bandwidth for ns in cont.get_network_statuses()] if args.quiet: From 36229d601e8f8f863f7b28baae71f3554b88f4bc Mon Sep 17 00:00:00 2001 From: Yurii Kovalchuk Date: Tue, 5 Mar 2024 12:00:05 +0200 Subject: [PATCH 12/15] ATOR-173 - Fix cron and add todos for later improvements --- operations/deploy-stage.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deploy-stage.hcl b/operations/deploy-stage.hcl index e987a5b0..d0d8332c 100644 --- a/operations/deploy-stage.hcl +++ b/operations/deploy-stage.hcl @@ -30,7 +30,7 @@ job "sbws-stage" { mode = "bridge" port "http-port" { - static = 9077 + static = 9177 to = 80 # host_network = "wireguard" } From 3a914b794ebb4be18347e09f177e6464aa6a7a84 Mon Sep 17 00:00:00 2001 From: Yurii Kovalchuk Date: Tue, 5 Mar 2024 12:05:31 +0200 Subject: [PATCH 13/15] ATOR-173 - Fix stage ports --- operations/deploy-stage.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/operations/deploy-stage.hcl b/operations/deploy-stage.hcl index d0d8332c..745e8896 100644 
--- a/operations/deploy-stage.hcl +++ b/operations/deploy-stage.hcl @@ -36,7 +36,7 @@ job "sbws-stage" { } port "control-port" { - static = 9051 + static = 9151 host_network = "wireguard" } } From 37ecd220f9ec3033642a1288455b741f94c7d7bd Mon Sep 17 00:00:00 2001 From: Yurii Kovalchuk Date: Wed, 6 Mar 2024 09:36:39 +0200 Subject: [PATCH 14/15] ATOR-173 - Add mount for cached consensus --- docker/scanner/.sbws.ini | 3 ++- operations/deploy-dev.hcl | 15 +++++++++++++-- operations/deploy-stage.hcl | 15 +++++++++++++-- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/docker/scanner/.sbws.ini b/docker/scanner/.sbws.ini index 670bb4fb..fbf5b75c 100755 --- a/docker/scanner/.sbws.ini +++ b/docker/scanner/.sbws.ini @@ -19,7 +19,7 @@ foo = on [destinations.foo] # the domain and path to the 1GB file or POST URL. -url = http://5.78.90.106:9077/1GiB +url = http://5.161.108.187:9177/1GiB # Whether to verify or not the TLS certificate. Default True verify = False # ISO 3166-1 alpha-2 country code where the Web server destination is located. @@ -28,5 +28,6 @@ verify = False country = ZZ [tor] +datadir = docker/data external_control_ip = 172.18.0.2 external_control_port = 9051 diff --git a/operations/deploy-dev.hcl b/operations/deploy-dev.hcl index 90d067ce..aaa723ba 100644 --- a/operations/deploy-dev.hcl +++ b/operations/deploy-dev.hcl @@ -44,6 +44,16 @@ job "sbws-dev" { task "sbws-relay-dev-task" { driver = "docker" + env { + ANON_USER = "root" + } + + volume_mount { + volume = "sbws-dev" + destination = "/var/lib/anon" + read_only = false + } + config { image = "svforte/anon-dev" force_pull = true @@ -60,11 +70,11 @@ job "sbws-dev" { template { change_mode = "noop" data = < Date: Wed, 6 Mar 2024 12:22:07 +0200 Subject: [PATCH 15/15] ATOR-173 - Replace PR with push --- .github/workflows/dev-deploy.yml | 2 +- .github/workflows/stage-deploy.yml | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) 
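Review bot: `ANON_USER = "root"` together with mounting the scanner's `sbws-dev` volume at `/var/lib/anon` runs the relay as root (assuming the image entrypoint honours that variable) and places the relay's DataDirectory, keys and state included, in the same writable volume the scanner mounts at `/root/.sbws`. The commit message says the aim is a shared cached consensus, which needs read access to the consensus files only, not one writable tree for both processes. Consider a dedicated volume mounted into the scanner with `read_only = true` under its own path, and keep the relay under the `User anond` account that docker/relay/anonrc specifies; the deploy-stage.hcl hunk of this patch lies in the truncated tail and probably carries the same change.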
diff --git a/.github/workflows/dev-deploy.yml b/.github/workflows/dev-deploy.yml index 09821d6f..978cade6 100644 --- a/.github/workflows/dev-deploy.yml +++ b/.github/workflows/dev-deploy.yml @@ -1,7 +1,7 @@ name: Build and Push Docker Image on: - pull_request: + push: branches: - development workflow_dispatch: diff --git a/.github/workflows/stage-deploy.yml b/.github/workflows/stage-deploy.yml index 22cb97c9..8d55ade6 100644 --- a/.github/workflows/stage-deploy.yml +++ b/.github/workflows/stage-deploy.yml @@ -1,10 +1,6 @@ name: Build and Push Docker Image on: - # temporary - pull_request: - branches: - - development push: branches: - main