From 9933b40cca28f9675f397e2d4e42c9fdb496a237 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 10:43:52 +0200 Subject: [PATCH 01/15] Use native user module to get user and group IDs --- ansible/roles/plpsql/tasks/main.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/ansible/roles/plpsql/tasks/main.yml b/ansible/roles/plpsql/tasks/main.yml index bbdfa7dd..874f725d 100644 --- a/ansible/roles/plpsql/tasks/main.yml +++ b/ansible/roles/plpsql/tasks/main.yml @@ -8,12 +8,7 @@ group: "plpsql" comment: "plpsql for Postgres" state: present - -- name: get the user ids - shell: > - egrep "^plpsql:" /etc/passwd | awk -F: '{ print $3":"$4 }' - changed_when: false - register: user_group_id + register: plpsql_user - name: pipeline postgres PGDATA directory file: dest=/srv/pl-psql state=directory owner=plpsql group=plpsql mode=0700 @@ -86,7 +81,7 @@ PUSHGATEWAY_CERT: "/srv/pl-psql_ssl/pusher/{{ inventory_hostname }}.cert" PUSHGATEWAY_KEY: "/srv/pl-psql_ssl/pusher/{{ inventory_hostname }}.key" stop_signal: SIGINT # Fast shutdown. Default SIGTERM waits for all the sessions to terminate. - user: "{{ user_group_id.stdout }}" + user: "{{ plpsql_user.uid }}:{{ plpsql_user.group }}" stop_timeout: 60 # default is 10 restart_policy: unless-stopped ... From ff27117613d147c61f1128428e73d1fc489d0193 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 10:49:45 +0200 Subject: [PATCH 02/15] use role based tag to indicate active or standby hosts --- ansible/inventory | 18 ++++++++++++------ ansible/roles/plpsql/tasks/main.yml | 15 ++++----------- ansible/roles/plpsql/templates/pg_hba.conf | 2 +- .../plpsql/templates/postgresql.active.conf | 3 --- .../plpsql/templates/postgresql.standby.conf | 8 +++----- 5 files changed, 20 insertions(+), 26 deletions(-) diff --git a/ansible/inventory b/ansible/inventory index a61147f1..42fc048a 100644 --- a/ansible/inventory +++ b/ansible/inventory 
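Review bot: The new `user:` value relies on `plpsql_user.group` being the numeric GID that the `user` module returns (the key name reads like a group name), so a comment on that line would save the next reader a docs lookup: `user: "{{ plpsql_user.uid }}:{{ plpsql_user.group }}"  # user module returns group as a numeric gid`. The `user` module only returns `uid`/`group` once the account exists, so on a fresh host a `--check` run presumably fails at this template rather than at the task that creates the account; worth confirming. The `user` task whose result is registered begins above the first hunk, so its full definition is not visible here.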
@@ -48,12 +48,6 @@ ams-jupyter.ooni.nu ams-wcth2.ooni.nu ams-wcth3.ooni.nu -[probe_services] -mia-ps2.ooni.nu -hkg-ps.ooni.nu -ams-ps.ooni.nu -ams-ps2.ooni.nu - ######################################################################## # PSK (pre-shared key) tags @@ -173,9 +167,21 @@ mia-ps2.ooni.nu ams-ps2.ooni.nu mia-ps2.ooni.nu +[db_active] +hkgmetadb.infra.ooni.io + +[db_standby] +amsmetadb.ooni.nu + [have_netdata] fastpath.ooni.nu +[probe_services] +mia-ps2.ooni.nu +hkg-ps.ooni.nu +ams-ps.ooni.nu +ams-ps2.ooni.nu + ######################################################################## # TO DELETE. # Stopped VMs that should be deleted from GH and DNS after some grace period: diff --git a/ansible/roles/plpsql/tasks/main.yml b/ansible/roles/plpsql/tasks/main.yml index 874f725d..72312dd8 100644 --- a/ansible/roles/plpsql/tasks/main.yml +++ b/ansible/roles/plpsql/tasks/main.yml 
@@ -17,32 +17,25 @@ template: src=pg_hba.conf dest=/srv/pl-psql/pg_hba.conf owner=plpsql group=plpsql mode=0444 notify: reload pl-psql -# Warning: hkgmetadb.infra.ooni.io is hardcoded here to identify the active and standby DBs -# TODO: use a flag in inventory instead - -# active host - - name: place config in PGDATA for active DB template: src=postgresql.active.conf dest=/srv/pl-psql/postgresql.conf owner=plpsql group=plpsql mode=0444 notify: reload pl-psql - when: inventory_hostname == 'hkgmetadb.infra.ooni.io' + when: "'db_active' in group_names" - name: drop recovery.conf from PGDATA on active DB file: name=/srv/pl-psql/recovery.conf state=absent notify: reload pl-psql - when: inventory_hostname == 'hkgmetadb.infra.ooni.io' - -# standby hosts + when: "'db_active' in group_names" - name: place config in PGDATA for standby DB template: src=postgresql.standby.conf dest=/srv/pl-psql/postgresql.conf owner=plpsql group=plpsql mode=0444 notify: reload pl-psql - when: inventory_hostname != 'hkgmetadb.infra.ooni.io' + when: "'db_standby' in group_names" - name: place recovery.conf to PGDATA on standby DB template: src=recovery.conf dest=/srv/pl-psql/recovery.conf owner=plpsql group=plpsql mode=0444 notify: reload pl-psql - when: inventory_hostname != 'hkgmetadb.infra.ooni.io' + when: "'db_standby' in group_names" # if `initdb` fails read `Arbitrary --user Notes` at https://hub.docker.com/_/postgres/ - name: docker run pipeline postgres diff --git a/ansible/roles/plpsql/templates/pg_hba.conf b/ansible/roles/plpsql/templates/pg_hba.conf index 33d2eb6b..6a855223 100644 --- a/ansible/roles/plpsql/templates/pg_hba.conf +++ b/ansible/roles/plpsql/templates/pg_hba.conf 
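Review bot: Switching from the hostname comparison to group membership changes the failure mode: a host in neither `db_active` nor `db_standby` (previously treated as standby) now silently gets no `postgresql.conf` and keeps whatever `recovery.conf` is on disk, and a host in both groups has the active config overwritten by the standby one without any error. Two hosts in `db_active` would both run with `archive_mode = on` against the same archive, so the cardinality should be asserted before these tasks: `- assert:` / `    that: "groups['db_active'] | length == 1 and ('db_active' in group_names) != ('db_standby' in group_names)"`. I would also keep the `# active host` / `# standby hosts` section comments the hunk drops, rephrased in terms of the two groups.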
@@ -93,7 +93,7 @@ host all all ::1/128 trust #host replication postgres ::1/128 trust # NB: `ssl` is neither supported nor enforced. -{% if inventory_hostname == 'hkgmetadb.infra.ooni.io' %} +{% if 'db_active' in group_names %} host replication amsrepl {{ lookup('dig', 'amsmetadb.ooni.nu/A') }}/32 md5 {% endif %} diff --git a/ansible/roles/plpsql/templates/postgresql.active.conf b/ansible/roles/plpsql/templates/postgresql.active.conf index c0eec75d..5bbbce88 100644 --- a/ansible/roles/plpsql/templates/postgresql.active.conf +++ b/ansible/roles/plpsql/templates/postgresql.active.conf @@ -208,13 +208,10 @@ wal_level = replica # minimal, replica, or logical. (change requires restart) #checkpoint_warning = 30s # 0 disables # - Archiving - - -{% if inventory_hostname == 'hkgmetadb.infra.ooni.io' %} archive_mode = on archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"' # placeholders: %p = path of file to archive # %f = file name only -{% endif %} #archive_timeout = 0 # force a logfile segment switch after this # number of seconds; 0 disables diff --git a/ansible/roles/plpsql/templates/postgresql.standby.conf b/ansible/roles/plpsql/templates/postgresql.standby.conf index 37ef0861..9cca2a59 100644 --- a/ansible/roles/plpsql/templates/postgresql.standby.conf +++ b/ansible/roles/plpsql/templates/postgresql.standby.conf @@ -208,13 +208,11 @@ wal_level = replica # minimal, replica, or logical. (change requires restart) #checkpoint_warning = 30s # 0 disables # - Archiving - - -{% if inventory_hostname == 'hkgmetadb.infra.ooni.io' %} -archive_mode = on -archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"' +# Disable archiving because standby +#archive_mode = on +#archive_command = '/usr/local/bin/metadb_s3_archive "%p" "%f"' # placeholders: %p = path of file to archive # %f = file name only -{% endif %} #archive_timeout = 0 # force a logfile segment switch after this # number of seconds; 0 disables 
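Review bot: The replication entry still hardcodes a single standby (`amsmetadb.ooni.nu`) even though membership now lives in the `db_standby` inventory group, so adding a standby means editing this template; iterate instead: `{% for h in groups['db_standby'] %}` / `host replication amsrepl {{ lookup('dig', h + '/A') }}/32 md5` / `{% endfor %}`. The `dig` lookup resolves on the controller at template time, so the rendered rule goes stale if the standby's address changes until the play is re-run. The `# NB: ssl is neither supported nor enforced` comment above means the WAL stream and the md5 handshake cross the public network in cleartext between the two sites; either switch this line to `hostssl`, or once the tunnel added later in this series carries replication, restrict it to the tunnel peer address rather than the public one.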
From fac39f016d73d4c4f12e8a141945923944f42ef2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 16:11:55 +0200 Subject: [PATCH 03/15] Flesh out basic openvpn based proxy --- ansible/roles/plpsql/handlers/main.yml | 4 ++++ ansible/roles/plpsql/meta/main.yml | 4 ++++ ansible/roles/plpsql/tasks/main.yml | 18 ++++++++++++++++++ .../roles/plpsql/templates/openvpn.active.conf | 17 +++++++++++++++++ .../plpsql/templates/openvpn.standby.conf | 13 +++++++++++++ .../iptables.filter.part/mia-ps-test.ooni.nu | 7 +++++++ 6 files changed, 63 insertions(+) create mode 100644 ansible/roles/plpsql/meta/main.yml create mode 100644 ansible/roles/plpsql/templates/openvpn.active.conf create mode 100644 ansible/roles/plpsql/templates/openvpn.standby.conf diff --git a/ansible/roles/plpsql/handlers/main.yml b/ansible/roles/plpsql/handlers/main.yml index 7e1c15b0..5550c915 100644 --- a/ansible/roles/plpsql/handlers/main.yml +++ b/ansible/roles/plpsql/handlers/main.yml @@ -3,4 +3,8 @@ command: docker restart pl-psql # XXX: is `stop_timeout` respected? - name: reload pl-psql command: docker exec -it pl-psql pg_ctl reload -D /srv/pl-psql +- name: restart openvpn + service: + name: openvpn + state: restarted ... diff --git a/ansible/roles/plpsql/meta/main.yml b/ansible/roles/plpsql/meta/main.yml new file mode 100644 index 00000000..655239f5 --- /dev/null +++ b/ansible/roles/plpsql/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - libhandlers +... diff --git a/ansible/roles/plpsql/tasks/main.yml b/ansible/roles/plpsql/tasks/main.yml index 72312dd8..4c7343ef 100644 --- a/ansible/roles/plpsql/tasks/main.yml +++ b/ansible/roles/plpsql/tasks/main.yml 
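Review bot: The new `restart openvpn` handler restarts a unit named `openvpn`, but the config the role writes is `/etc/openvpn/oonidbvpn.conf`, which systemd-based Debian/Ubuntu runs as the instance unit `openvpn@oonidbvpn`; restarting the bare `openvpn` service presumably leaves that instance untouched (on Debian it is little more than a placeholder unit). Use `name: openvpn@oonidbvpn` and add `enabled: true` somewhere in the role so the tunnel also comes back after a reboot. The handler file now depends on `libhandlers` (new meta file) for the `systemctl daemon-reload` handler the tasks notify; that role is not shown here, so confirm it defines that exact handler name.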
@@ -37,6 +37,24 @@ notify: reload pl-psql when: "'db_standby' in group_names" +- name: install openvpn + apt: + name: openvpn + +- name: configure openvpn on standby node + template: src=openvpn.standby.conf dest=/etc/openvpn/oonidbvpn.conf + notify: systemctl daemon-reload + when: "'db_standby' in group_names" + +- name: configure openvpn on active node + template: src=openvpn.active.conf dest=/etc/openvpn/oonidbvpn.conf + notify: systemctl daemon-reload + when: "'db_active' in group_names" + +# TODO add support for copying the secret file over +# - name: copy secret openvpn file +# notify: restart openvpn + # if `initdb` fails read `Arbitrary --user Notes` at https://hub.docker.com/_/postgres/ - name: docker run pipeline postgres docker_container: diff --git a/ansible/roles/plpsql/templates/openvpn.active.conf b/ansible/roles/plpsql/templates/openvpn.active.conf new file mode 100644 index 00000000..e8d95c56 --- /dev/null +++ b/ansible/roles/plpsql/templates/openvpn.active.conf @@ -0,0 +1,17 @@ +# OONI DB VPN - managed by ansible +# /etc/openvpn/oonidbvpn.conf +# HKG -> mia-ps-test.ooni.nu -> AMS + +dev tun +remote $BOUNCER +# fallback to direct connection HKG -> AMS +remote $AMS +ifconfig 10.1.0.2 10.1.0.1 +secret oonipgvpn.key +cipher AES-256-CBC +comp-lzo +verb 3 +keepalive 10 60 +ping-timer-rem +persist-tun +persist-key diff --git a/ansible/roles/plpsql/templates/openvpn.standby.conf b/ansible/roles/plpsql/templates/openvpn.standby.conf new file mode 100644 index 00000000..b2f41c72 --- /dev/null +++ b/ansible/roles/plpsql/templates/openvpn.standby.conf @@ -0,0 +1,13 @@ +# OONI DB VPN - managed by ansible +# /etc/openvpn/oonidbvpn.conf +# HKG -> mia-ps-test.ooni.nu -> AMS +# Configuration for AMS db +dev tun +ifconfig 10.1.0.1 10.1.0.2 +secret oonipgvpn.key +comp-lzo +cipher AES-256-CBC +keepalive 10 60 +ping-timer-rem +persist-tun +persist-key 
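Review bot: `comp-lzo` in both openvpn templates enables compression on the encrypted link, which VORACLE-class attacks exploit and which upstream OpenVPN advises against; remove it on both ends (the setting must match between peers). Neither template sets `auth`, so the HMAC defaults to SHA1; add `auth SHA256` to both files. Static-key (`secret`) mode gives no forward secrecy, which is tolerable for two fixed peers but deserves a comment next to the `secret` line such as `# static-key mode: no PFS, rotate oonipgvpn.key periodically`. Separately, the tasks hunk only notifies `systemctl daemon-reload` after writing `/etc/openvpn/oonidbvpn.conf`; nothing in the role enables or starts `openvpn@oonidbvpn`, so the tunnel presumably never comes up unless `/etc/default/openvpn` autostarts every config.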
diff --git a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu index 36984cfb..dcfbd385 100644 --- a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu +++ b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu @@ -4,4 +4,11 @@ # http & https for public endpoints -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT + +# setup forwarding rules for hkgmetadb +-t nat -I PREROUTING -i eth0 -s $CLIENT -p udp --dport $PORT -j DNAT --to-destination $SERVER +-t nat -I POSTROUTING -o eth0 -s $CLIENT -d $SERVER -p udp --dport $PORT -j SNAT --to-source $BOUNCER +-I FORWARD -i eth0 -o eth0 -s $CLIENT -d $SERVER -p udp --dport $PORT -j ACCEPT +-I FORWARD -i eth0 -o eth0 -s $SERVER -d $CLIENT -p udp --sport $PORT -j ACCEPT + {% endblock %} From f8e384fa4c3ccf21660c02460bcfec70b8eff383 Mon Sep 17 00:00:00 2001 From: Federico Ceratto Date: Tue, 31 Mar 2020 16:17:34 +0100 Subject: [PATCH 04/15] Improve OpenVPN setup --- ansible/deploy-pipeline.yml | 6 +++++ ansible/roles/plpsql/tasks/main.yml | 37 +++++++++++++++++++++++++---- 2 files changed, 38 insertions(+), 5 deletions(-) diff --git a/ansible/deploy-pipeline.yml b/ansible/deploy-pipeline.yml index 63a6d0bb..460404dc 100644 --- a/ansible/deploy-pipeline.yml +++ b/ansible/deploy-pipeline.yml @@ -23,6 +23,12 @@ - role: plpsql tags: plpsql +- hosts: [hkgmetadb.infra.ooni.io, amsmetadb.ooni.nu, mia-ps-test.ooni.nu] + roles: + - role: plpsql + tags: plpsql-ssh-tunnel + + - hosts: hkgmetadb.infra.ooni.io gather_facts: false tasks: diff --git a/ansible/roles/plpsql/tasks/main.yml b/ansible/roles/plpsql/tasks/main.yml index 4c7343ef..41946fcd 100644 --- a/ansible/roles/plpsql/tasks/main.yml +++ b/ansible/roles/plpsql/tasks/main.yml 
@@ -40,20 +40,47 @@ - name: install openvpn apt: name: openvpn + install_recommends: no + tags: dbvpn -- name: configure openvpn on standby node +- name: openvpn create conf on standby node template: src=openvpn.standby.conf dest=/etc/openvpn/oonidbvpn.conf notify: systemctl daemon-reload when: "'db_standby' in group_names" + tags: dbvpn -- name: configure openvpn on active node +- name: openvpn create conf on active node template: src=openvpn.active.conf dest=/etc/openvpn/oonidbvpn.conf notify: systemctl daemon-reload when: "'db_active' in group_names" + tags: dbvpn -# TODO add support for copying the secret file over -# - name: copy secret openvpn file -# notify: restart openvpn +- name: openvpn create shared secret on active node + command: openvpn --genkey --secret /etc/openvpn/oonipgvpn.key + when: "'db_active' in group_names" + tags: dbvpn + +- name: openvpn copy shared secret from active node + slurp: + src: /etc/openvpn/oonipgvpn.key + register: pgvpn_secret + when: "'db_active' in group_names" + tags: dbvpn + +- name: openvpn copy shared secret to standby node + copy: + content: "{{ pgvpn_secret }}" + dest: /etc/openvpn/oonipgvpn.key + when: "'db_standby' in group_names" + tags: dbvpn + +- name: openvpn update etckeeper + command: | + etckeeper vcs ignore openvpn/oonipgvpn.key + etckeeper vcs add openvpn/oonidbvpn.conf + etckeeper commit "ansible openvpn" + when: "'db_active' in group_names or 'db_standby' in group_names" + tags: dbvpn # if `initdb` fails read `Arbitrary --user Notes` at https://hub.docker.com/_/postgres/ - name: docker run pipeline postgres From a3808eac08f54091503367ab72e1c3f089b36545 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 17:25:03 +0200 Subject: [PATCH 05/15] Use default interpreter --- ansible/deploy-pipeline.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/ansible/deploy-pipeline.yml b/ansible/deploy-pipeline.yml index 460404dc..7b47979c 100644 --- a/ansible/deploy-pipeline.yml 
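Review bot: The standby `copy` task writes `{{ pgvpn_secret }}`, but that variable was registered on the active host (the `slurp` is skipped on the standby, so there `pgvpn_secret` is the skipped-task result), and even on the right host `slurp` returns the file base64-encoded in `.content`; the standby therefore ends up with a dict dump instead of the key and the tunnel can never authenticate. `copy` is also given no `mode`, so the key lands world-readable by default, whereas `openvpn --genkey` creates it 0600, and neither the `slurp` nor the `copy` is `no_log`, so the key is printed in the play output. The fix below reads the active host's result through `hostvars`, decodes it, pins ownership and mode, and suppresses logging. Note that the `etckeeper vcs ignore` in the last task is the only thing keeping the key out of /etc's VCS history where etckeeper is in use; PATCH 11 removes that task, so that protection needs another home.

```yaml
# … unchanged: install openvpn, create conf on standby/active, genkey on active …

- name: openvpn copy shared secret from active node
  slurp:
    src: /etc/openvpn/oonipgvpn.key
  register: pgvpn_secret
  no_log: true
  when: "'db_active' in group_names"
  tags: dbvpn

- name: openvpn copy shared secret to standby node
  copy:
    # slurp ran on the active host only; read its result via hostvars and decode
    content: "{{ hostvars[groups['db_active'][0]].pgvpn_secret.content | b64decode }}"
    dest: /etc/openvpn/oonipgvpn.key
    owner: root
    group: root
    mode: "0600"
  no_log: true
  when: "'db_standby' in group_names"
  tags: dbvpn

# … unchanged: etckeeper task …
```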
+++ b/ansible/deploy-pipeline.yml @@ -17,8 +17,6 @@ - hosts: [hkgmetadb.infra.ooni.io, amsmetadb.ooni.nu] gather_facts: false # already gathered - vars: - ansible_python_interpreter: "/root/venv/bin/python2.7" roles: - role: plpsql tags: plpsql From 971703db0ce029934326d4ec982606d032a6640f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 17:31:08 +0200 Subject: [PATCH 06/15] Replace variables --- ansible/roles/plpsql/templates/openvpn.active.conf | 4 ++-- .../templates/iptables.filter.part/mia-ps-test.ooni.nu | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ansible/roles/plpsql/templates/openvpn.active.conf b/ansible/roles/plpsql/templates/openvpn.active.conf index e8d95c56..e8c37f46 100644 --- a/ansible/roles/plpsql/templates/openvpn.active.conf +++ b/ansible/roles/plpsql/templates/openvpn.active.conf @@ -3,9 +3,9 @@ # HKG -> mia-ps-test.ooni.nu -> AMS dev tun -remote $BOUNCER +remote {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }} # fallback to direct connection HKG -> AMS -remote $AMS +remote {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} ifconfig 10.1.0.2 10.1.0.1 secret oonipgvpn.key cipher AES-256-CBC diff --git a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu index dcfbd385..bf1623ab 100644 --- a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu +++ b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu 
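Review bot: Both `remote` lines now bake a controller-side `dig` result into the config, and as far as I recall the Ansible `dig` lookup returns the literal string `NXDOMAIN` for a non-existent name rather than failing, so a typo or a DNS outage at deploy time would render `remote NXDOMAIN` and the tunnel would silently never connect. Guard the lookups before templating, e.g. `- assert:` / `    that: "lookup('dig', 'amsmetadb.ooni.nu/A') != 'NXDOMAIN' and lookup('dig', 'mia-ps-test.ooni.nu/A') != 'NXDOMAIN'"`, or keep the hostnames in the config with `resolv-retry infinite` and let OpenVPN resolve at runtime. The `# fallback to direct connection` comment is accurate (OpenVPN tries `remote` entries in order), but a short note that the bouncer path depends on forwarding rules on mia-ps-test would help, since those rules are removed again later in this series.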
@@ -6,9 +6,9 @@ -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT # setup forwarding rules for hkgmetadb --t nat -I PREROUTING -i eth0 -s $CLIENT -p udp --dport $PORT -j DNAT --to-destination $SERVER --t nat -I POSTROUTING -o eth0 -s $CLIENT -d $SERVER -p udp --dport $PORT -j SNAT --to-source $BOUNCER --I FORWARD -i eth0 -o eth0 -s $CLIENT -d $SERVER -p udp --dport $PORT -j ACCEPT --I FORWARD -i eth0 -o eth0 -s $SERVER -d $CLIENT -p udp --sport $PORT -j ACCEPT +-t nat -I PREROUTING -i eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --dport 1194 -j DNAT --to-destination {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} +-t nat -I POSTROUTING -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j SNAT --to-source {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }} +-I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j ACCEPT +-I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -d {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --sport 1194 -j ACCEPT {% endblock %} From 3875eb7e225f98cc525c84512a8611fa9163c41d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 17:32:25 +0200 Subject: [PATCH 07/15] Remove unneeded mia-ps line --- ansible/deploy-pipeline.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ansible/deploy-pipeline.yml b/ansible/deploy-pipeline.yml index 7b47979c..ec03fbaa 100644 --- a/ansible/deploy-pipeline.yml +++ b/ansible/deploy-pipeline.yml @@ -21,12 +21,6 @@ - role: plpsql tags: plpsql -- hosts: [hkgmetadb.infra.ooni.io, amsmetadb.ooni.nu, mia-ps-test.ooni.nu] - roles: - - role: plpsql - tags: plpsql-ssh-tunnel - - - hosts: hkgmetadb.infra.ooni.io gather_facts: false tasks: From 93fbc425970f90d56905b44b2f50e26356d8a2fb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 17:37:30 +0200 Subject: [PATCH 08/15] Get rid of ugly hack for getting user id --- ansible/roles/airflow/tasks/af-redis.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/ansible/roles/airflow/tasks/af-redis.yml b/ansible/roles/airflow/tasks/af-redis.yml index be4345d7..6a4881f9 100644 --- a/ansible/roles/airflow/tasks/af-redis.yml +++ b/ansible/roles/airflow/tasks/af-redis.yml @@ -7,12 +7,7 @@ group: "afredis" comment: "afredis for Pipeline" state: present - -- name: get the user ids - shell: > - egrep "^afredis:" /etc/passwd | awk -F: '{ print $3":"$4 }' - changed_when: false - register: user_group_id + register: afredis_user - name: redis .../etc directory file: dest=/srv/etc/af-redis state=directory owner=root group=root mode=0755 @@ -31,5 +26,5 @@ - /srv/etc/af-redis:/usr/local/etc:ro - /srv/af-redis:/data:rw command: /usr/local/etc/redis.conf - user: "{{ user_group_id.stdout }}" + user: "{{ afredis_user.uid }}:{{ afredis_user.group }}" restart_policy: unless-stopped From 313e5827c0c9c01c00f0941bad4ec11d7c1eda4d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 17:41:50 +0200 Subject: [PATCH 09/15] Get rid of another ugly hack for user_group_id --- ansible/roles/airflow/tasks/af-psql.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/ansible/roles/airflow/tasks/af-psql.yml b/ansible/roles/airflow/tasks/af-psql.yml index 6f1fd2a4..ff5ce06c 100644 --- a/ansible/roles/airflow/tasks/af-psql.yml +++ b/ansible/roles/airflow/tasks/af-psql.yml 
@@ -11,11 +11,8 @@ group: "afpsql" comment: "afpsql for Pipeline" state: present -- name: get the user ids - shell: > - egrep "^afpsql:" /etc/passwd | awk -F: '{ print $3":"$4 }' - changed_when: false - register: user_group_id + register: afpsql_user + - name: airflow postgres tmp directory file: dest=/srv/tmp/af-psql state=directory owner=afpsql group=afpsql mode=0750 - name: airflow postgres /data directory @@ -34,7 +31,7 @@ PGDATA: /srv/af-psql POSTGRES_USER: airflow POSTGRES_PASSWORD: "{{ airflow_postgres_password }}" - user: "{{ user_group_id.stdout }}" + user: "{{ afpsql_user.uid }}:{{ afpsql_user.group }}" stop_signal: SIGINT # Fast shutdown. Default SIGTERM waits for all the sessions to terminate. stop_timeout: 60 # default is 10 restart_policy: unless-stopped From 501513ba0779a42411c70b352ca2a5bdfe6a8759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 18:10:43 +0200 Subject: [PATCH 10/15] allow openvpn connections --- ansible/templates/iptables.filter.part/amsmetadb.ooni.nu | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu b/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu index df76175a..52e23f0f 100644 --- a/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu +++ b/ansible/templates/iptables.filter.part/amsmetadb.ooni.nu @@ -4,4 +4,8 @@ -A INPUT -s {{ lookup('dig', 'ams-api.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT -A INPUT -s {{ lookup('dig', 'fastpath.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT -A INPUT -s {{ lookup('dig', 'ams-jupyter.ooni.nu/A') }}/32 -p tcp -m tcp --dport 5432 -j ACCEPT + +# allow openvpn connections +-A INPUT -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }}/32 -p udp --dport 1194 -j ACCEPT +-A INPUT -s {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }}/32 -p udp --dport 1194 -j ACCEPT {% endblock %} From 4503c84ab2b96978df77801402960cc555b3b901 Mon Sep 17 00:00:00 2001 
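Review bot: The second new rule opens UDP/1194 from `mia-ps-test.ooni.nu`, but the bouncer forwarding it was meant to serve is removed again by PATCH 14 in this series, so after the series lands this rule just leaves one extra host able to reach the OpenVPN listener for no purpose; drop it or gate it on a variable. Because `openvpn.standby.conf` has no `remote`, the standby accepts a handshake from whichever source the firewall admits, and static-key mode rejecting keyless peers is the only remaining check, so narrowing the source set is the cheap defence. Once the tunnel is up, replication only benefits from it if the standby's `recovery.conf` `primary_conninfo` targets the active's tunnel address (10.1.0.2 per the templates) and the active's `pg_hba.conf` replication line admits 10.1.0.1/32 instead of the standby's public address; neither file is in this diff, so confirm. The active host's own filter rules would also need to accept 5432 on the tun interface, which is not shown here either.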
From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 18:26:39 +0200 Subject: [PATCH 11/15] Remove etckeeper commands --- ansible/roles/plpsql/tasks/main.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/ansible/roles/plpsql/tasks/main.yml b/ansible/roles/plpsql/tasks/main.yml index 41946fcd..f10cdfe6 100644 --- a/ansible/roles/plpsql/tasks/main.yml +++ b/ansible/roles/plpsql/tasks/main.yml @@ -74,14 +74,6 @@ when: "'db_standby' in group_names" tags: dbvpn -- name: openvpn update etckeeper - command: | - etckeeper vcs ignore openvpn/oonipgvpn.key - etckeeper vcs add openvpn/oonidbvpn.conf - etckeeper commit "ansible openvpn" - when: "'db_active' in group_names or 'db_standby' in group_names" - tags: dbvpn - # if `initdb` fails read `Arbitrary --user Notes` at https://hub.docker.com/_/postgres/ - name: docker run pipeline postgres docker_container: From 9ad6d3238f16a459d1107dfcc64d04de70f070a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 18:36:17 +0200 Subject: [PATCH 12/15] invert order of commands --- ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu index bf1623ab..bc2a08e2 100644 --- a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu +++ b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu 
@@ -6,8 +6,8 @@ -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT # setup forwarding rules for hkgmetadb --t nat -I PREROUTING -i eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --dport 1194 -j DNAT --to-destination {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} --t nat -I POSTROUTING -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j SNAT --to-source {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }} +-I PREROUTING -t nat -i eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --dport 1194 -j DNAT --to-destination {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} +-I POSTROUTING -t nat -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j SNAT --to-source {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }} -I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j ACCEPT -I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -d {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --sport 1194 -j ACCEPT From bb808a3699b706c7c56f9a97a7097d1a775ccd14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 18:37:43 +0200 Subject: [PATCH 13/15] Remote empty space --- ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu | 2 -- 1 file changed, 2 deletions(-) diff --git a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu index bc2a08e2..8fade3d7 100644 --- a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu +++ b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu 
@@ -4,11 +4,9 @@ # http & https for public endpoints -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT - # setup forwarding rules for hkgmetadb -I PREROUTING -t nat -i eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --dport 1194 -j DNAT --to-destination {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -I POSTROUTING -t nat -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j SNAT --to-source {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }} -I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j ACCEPT -I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -d {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --sport 1194 -j ACCEPT - {% endblock %} From 2acf750725ccce04b4ecf13ef7091d6db08e2096 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 18:40:56 +0200 Subject: [PATCH 14/15] Reset iptables rules back to how they were --- ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu | 5 ----- 1 file changed, 5 deletions(-) diff --git a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu index 8fade3d7..36984cfb 100644 --- a/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu +++ b/ansible/templates/iptables.filter.part/mia-ps-test.ooni.nu 
@@ -4,9 +4,4 @@ # http & https for public endpoints -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT -# setup forwarding rules for hkgmetadb --I PREROUTING -t nat -i eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --dport 1194 -j DNAT --to-destination {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} --I POSTROUTING -t nat -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j SNAT --to-source {{ lookup('dig', 'mia-ps-test.ooni.nu/A') }} --I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -d {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -p udp --dport 1194 -j ACCEPT --I FORWARD -i eth0 -o eth0 -s {{ lookup('dig', 'amsmetadb.ooni.nu/A') }} -d {{ lookup('dig', 'hkgmetadb.infra.ooni.io/A') }} -p udp --sport 1194 -j ACCEPT {% endblock %} From d2b7e0ad32c138833a7d2e2f84e0e44b7b9ab760 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 31 Mar 2020 19:02:13 +0200 Subject: [PATCH 15/15] fix some issues with the playbook --- ansible/deploy-pipeline.yml | 2 ++ ansible/roles/plpsql/tasks/main.yml | 13 ++++++++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ansible/deploy-pipeline.yml b/ansible/deploy-pipeline.yml index ec03fbaa..63a6d0bb 100644 --- a/ansible/deploy-pipeline.yml +++ b/ansible/deploy-pipeline.yml @@ -17,6 +17,8 @@ - hosts: [hkgmetadb.infra.ooni.io, amsmetadb.ooni.nu] gather_facts: false # already gathered + vars: + ansible_python_interpreter: "/root/venv/bin/python2.7" roles: - role: plpsql tags: plpsql diff --git a/ansible/roles/plpsql/tasks/main.yml b/ansible/roles/plpsql/tasks/main.yml index f10cdfe6..15a876a1 100644 --- a/ansible/roles/plpsql/tasks/main.yml +++ b/ansible/roles/plpsql/tasks/main.yml 
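Review bot: This hunk reinstates `ansible_python_interpreter: "/root/venv/bin/python2.7"`, which PATCH 05 ("Use default interpreter") removed, so the series contradicts itself without saying why; if the venv is required (presumably for the Python `docker` bindings that the `docker_container` tasks need), a comment should record that: `# docker_container needs the docker python module, installed only in this venv`. Python 2.7 has been end-of-life since January 2020, before this commit's date, so pinning the deploy path to it also means an unpatched interpreter on both database hosts; worth tracking as a follow-up.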
@@ -37,10 +37,13 @@ notify: reload pl-psql when: "'db_standby' in group_names" +# TODO fix this with the apt module once we update to the latest debian +# apt: +# name: openvpn +# install_recommends: no + - name: install openvpn - apt: - name: openvpn - install_recommends: no + command: apt-get install --no-install-recommends -y openvpn tags: dbvpn - name: openvpn create conf on standby node @@ -57,6 +60,9 @@ - name: openvpn create shared secret on active node command: openvpn --genkey --secret /etc/openvpn/oonipgvpn.key + args: + creates: /etc/openvpn/oonipgvpn.key + notify: restart openvpn when: "'db_active' in group_names" tags: dbvpn @@ -71,6 +77,7 @@ copy: content: "{{ pgvpn_secret }}" dest: /etc/openvpn/oonipgvpn.key + notify: restart openvpn when: "'db_standby' in group_names" tags: dbvpn
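Review bot: `command: apt-get install --no-install-recommends -y openvpn` is not idempotent: it reports `changed` on every run, re-invokes apt on each deploy and is skipped in check mode. Until the `apt` module can be used again, add `args:` / `  creates: /usr/sbin/openvpn` (or register the output and set `changed_when: "'0 newly installed' not in apt_out.stdout"`) so the role converges. The `creates:` guard on the genkey task is the right fix for not regenerating the key on every run, but it also means its `notify: restart openvpn` fires only on first generation; the two config-template tasks above this hunk still notify only `systemctl daemon-reload`, so a changed `oonidbvpn.conf` will not restart the tunnel unless they notify `restart openvpn` too.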