Merge pull request #261 from ooni/deploy-fastpath-prod

Deploy fastpath prod

Author: LDiazN

ansible/deploy-fastpath.yml

@@ -2,6 +2,7 @@
 - name: Deploy fastpath
   hosts:
     - fastpath.dev.ooni.io
+    - fastpath.prod.ooni.io
   become: true
   roles:
     - role: bootstrap

ansible/host_vars/fastpath.prod.ooni.io/vars.yml

@@ -0,0 +1,5 @@
+s3_ooni_open_data_access_key: "{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/s3_ooni_open_data_access_key', profile='oonidevops_user_prod') }}"
+clickhouse_url: "clickhouse://write:{{ lookup('amazon.aws.aws_ssm', '/oonidevops/secrets/clickhouse_write_password', profile='oonidevops_user_prod') }}@clickhouseproxy.prod.ooni.io/ooni"
+bucket_name: "ooni-data-eu-fra"
+collector_id: "4"
+env: "prod"

ansible/inventory

@@ -45,4 +45,4 @@ openvpn2.htz-fsn.prod.ooni.nu
 
 [aws-backend]
 fastpath.dev.ooni.io
-# fastpath.prod.ooni.io
+fastpath.prod.ooni.io

ansible/roles/fastpath/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 # For prometheus scrape requests
-- name: Flush all handlers 
+- name: Flush all handlers
   meta: flush_handlers
 
 - name: Allow traffic on port 9100
@@ -12,7 +12,7 @@
     block: |
       add rule inet filter input tcp dport 9100 counter accept comment "node exporter"
   notify:
-   - reload nftables  
+   - reload nftables
 
 # For incoming fastpath traffic
 - name: Allow traffic on port 8472
@@ -24,7 +24,7 @@
     block: |
       add rule inet filter input tcp dport 8472 counter accept comment "fastpath"
   notify:
-   - reload nftables  
+   - reload nftables
 
 # For serving jsonl files
 - name: Allow traffic on port 8475
@@ -36,28 +36,28 @@
     block: |
       add rule inet filter input tcp dport 8475 counter accept comment "serve measurement spool"
   notify:
-   - reload nftables  
+   - reload nftables
 
 # Docker seems to have problems with nftables, so this command will translate all iptables
 # commands to nftables commands
-- name: Update alternatives for iptables 
-  tags: docker
-  become: yes
-  ansible.builtin.command: "update-alternatives --set iptables /usr/sbin/iptables-nft"
-  notify: 
-   - restart docker
-
-- name: Update alternatives for iptables 
-  tags: docker
-  become: yes
-  ansible.builtin.command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
-  notify: 
-   - restart docker
-
-- name: Flush all handlers # Required to apply iptables settings before docker runs
-  meta: flush_handlers
-
-### Create fastpath user 
+# - name: Update alternatives for iptables
+#   tags: docker
+#   become: yes
+#   ansible.builtin.command: "update-alternatives --set iptables /usr/sbin/iptables-nft"
+#   notify:
+#    - restart docker
+
+# - name: Update alternatives for iptables
+#   tags: docker
+#   become: yes
+#   ansible.builtin.command: "update-alternatives --set ip6tables /usr/sbin/ip6tables-nft"
+#   notify:
+#    - restart docker
+
+# - name: Flush all handlers # Required to apply iptables settings before docker runs
+#   meta: flush_handlers
+
+### Create fastpath user
 - name: Ensure the fastpath group exists
   ansible.builtin.group:
     name: "{{ fastpath_user }}"
@@ -103,11 +103,11 @@
     owner: "{{fastpath_user}}"
   become: yes
 
-- name: Ensure ooniapi directory existence 
+- name: Ensure ooniapi directory existence
   ansible.builtin.file:
     path: /var/lib/ooniapi
     state: directory
-    mode: "0750"
+    mode: "0711"
     owner: "{{fastpath_user}}"
     group: "{{fastpath_user}}"
 
@@ -119,7 +119,7 @@
     owner: "{{fastpath_user}}"
     group: "{{fastpath_user}}"
 
-- name: Allow nginx access to the spool dir 
+- name: Allow nginx access to the spool dir
   become: true
   ansible.builtin.user:
     name: nginx
@@ -139,20 +139,22 @@
 - name: Ensure fastpath is running
   community.docker.docker_container:
     name: fastpath
-    image: ooni/fastpath:v0.87
+    image: ooni/fastpath:v0.88
     state: started
     user: "{{user_uid.stdout}}:{{user_gid.stdout}}"
-    # use network mode = host to allow traffic from fastpath to the statsd exporter without 
+    # use network mode = host to allow traffic from fastpath to the statsd exporter without
     # creating a network with redirection rules to match the ports
-    network_mode: host  
+    network_mode: host
     # published_ports: # unused on network_mode: host
     #   - "8472:8472"
     volumes:
       - /opt/{{fastpath_user}}/backend/fastpath/fastpath.conf:/etc/ooni/fastpath.conf
       - /var/lib/ooniapi:/var/lib/ooniapi
       - /var/lib/fastpath:/var/lib/fastpath
+  tags:
+    - fastpath
 
-### Serve jsonl from spool dir for oonimeasurements 
+### Serve jsonl from spool dir for oonimeasurements
 - name: Add nginx config file for serving spool dir measurements
   tags: fastpath
   template:
@@ -161,17 +163,17 @@
     mode: "0444"
     owner: nginx
   become: yes
-  notify: 
+  notify:
     - reload nginx
 
 - name: Ensure the statsd to prometheus exporter is running
   community.docker.docker_container:
     name: statsd-exporter
     image: prom/statsd-exporter:v0.28.0
     state: started
-    published_ports: 
+    published_ports:
       - "9102:9102" # for /metrics
-      - "8125:9125" # for reporting metrics 
+      - "8125:9125" # for reporting metrics
       - "8125:9125/udp"
 
 ### API Uploader set up
@@ -193,7 +195,7 @@
 - name: Install dependencies for uploader
   tags: uploader
   apt:
-    pkg: 
+    pkg:
     - python3-statsd
     - python3-boto3
     - python3-clickhouse-driver
@@ -203,7 +205,7 @@
 - name: Install uploder service
   tags: uploader
   template:
-    src: templates/ooni-api-uploader.service 
+    src: templates/ooni-api-uploader.service
     dest: /etc/systemd/system/ooni-api-uploader.service
     mode: "0644"
     owner: root
@@ -216,6 +218,15 @@
     mode: "0644"
     owner: root
 
+- name: Create spool dir
+  tags: uploader
+  ansible.builtin.file:
+    path: /var/lib/ooniapi/measurements/incoming/
+    state: directory
+    mode: '0711'
+    owner: "{{fastpath_user}}"
+    group: "{{fastpath_user}}"
+
 - name: Ensure uploader timer runs
   tags: uploader
   systemd:

tf/environments/dev/main.tf

@@ -322,20 +322,19 @@ resource "aws_iam_role_policy" "ooniprobe_role" {
   name = "${local.name}-task-role"
   role = module.ooniapi_cluster.container_host_role.name
 
-  policy = format(<<EOF
+  policy = <<EOF
 {
 	"Version": "2012-10-17",
 	"Statement": [
 		{
 			"Sid": "",
 			"Effect": "Allow",
 			"Action": "s3:PutObject",
-			"Resource": "%s/*"
+			"Resource": "${aws_s3_bucket.ooniprobe_failed_reports.arn}/*"
 		}
 	]
 }
 EOF
-  , aws_s3_bucket.ooniprobe_failed_reports.arn)
 }
 
 module "ooniapi_ooniprobe_deployer" {
@@ -379,7 +378,7 @@ module "ooniapi_ooniprobe" {
   }
 
   task_environment = {
-    FASTPATH_URL          = format("http://fastpath.%s.ooni.io:8472", local.environment)
+    FASTPATH_URL          = "http://fastpath.${local.environment}.ooni.io:8472"
     FAILED_REPORTS_BUCKET = aws_s3_bucket.ooniprobe_failed_reports.bucket
     COLLECTOR_ID          = 3 # use a different one in prod
   }
@@ -615,12 +614,12 @@ module "ooni_fastpath" {
     from_port   = 8472,
     to_port     = 8472,
     protocol    = "tcp",
-    cidr_blocks = module.network.vpc_subnet_private[*].cidr_block,
+    cidr_blocks = concat(module.network.vpc_subnet_private[*].cidr_block, module.network.vpc_subnet_public[*].cidr_block),
     }, {
     from_port   = 8475, # for serving jsonl files
     to_port     = 8475,
     protocol    = "tcp",
-    cidr_blocks = module.network.vpc_subnet_private[*].cidr_block,
+    cidr_blocks = concat(module.network.vpc_subnet_private[*].cidr_block, module.network.vpc_subnet_public[*].cidr_block),
     }, {
     from_port   = 9100,
     to_port     = 9100,
@@ -891,7 +890,7 @@ module "ooniapi_oonimeasurements" {
 
   task_environment = {
     # it has to be a json-compliant array
-    OTHER_COLLECTORS = jsonencode(["http://fastpath.${local.environment}.ooni.io:8475"]) 
+    OTHER_COLLECTORS = jsonencode(["https://backend-", "http://fastpath.${local.environment}.ooni.io:8475"]) 
     BASE_URL = "https://api.${local.environment}.ooni.io"
     S3_BUCKET_NAME = "ooni-data-eu-fra-test"
   }
@@ -943,6 +942,7 @@ locals {
     "ooniauth.${local.environment}.ooni.io" : local.dns_zone_ooni_io,
     "ooniprobe.${local.environment}.ooni.io" : local.dns_zone_ooni_io,
     "oonirun.${local.environment}.ooni.io" : local.dns_zone_ooni_io,
+    "oonimeasurements.${local.environment}.ooni.io" : local.dns_zone_ooni_io,
     "8.th.dev.ooni.io" : local.dns_zone_ooni_io,
   }
   ooniapi_frontend_main_domain_name         = "api.${local.environment}.ooni.io"
@@ -983,6 +983,10 @@ resource "aws_acm_certificate" "ooniapi_frontend" {
   tags = local.tags
 
   subject_alternative_names = keys(local.ooniapi_frontend_alternative_domains)
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "aws_route53_record" "ooniapi_frontend_cert_validation" {