From 69334dab64f9099e80023f58ca97dc74e9ef9c7d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Fri, 22 Aug 2025 16:18:15 +0200 Subject: [PATCH 01/18] Add role to deploy test helpers repo --- ansible/deploy-test-helpers.yml | 17 +++ ansible/inventory | 3 +- ansible/roles/test_helpers/defaults/main.yml | 1 + ansible/roles/test_helpers/tasks/main.yml | 108 ++++++++++++++++++ .../test_helpers/templates/jsonth.service | 20 ++++ tf/environments/dev/main.tf | 101 ++++++++++++++++ 6 files changed, 249 insertions(+), 1 deletion(-) create mode 100644 ansible/deploy-test-helpers.yml create mode 100644 ansible/roles/test_helpers/defaults/main.yml create mode 100644 ansible/roles/test_helpers/tasks/main.yml create mode 100644 ansible/roles/test_helpers/templates/jsonth.service diff --git a/ansible/deploy-test-helpers.yml b/ansible/deploy-test-helpers.yml new file mode 100644 index 00000000..bccfddf2 --- /dev/null +++ b/ansible/deploy-test-helpers.yml @@ -0,0 +1,17 @@ +--- +- name: Deploy test helpers + hosts: + - test-helpers.dev.ooni.io + - test-helpers.prod.ooni.io + become: true + roles: + - role: bootstrap + - role: nginx + - role: prometheus_node_exporter + vars: + node_exporter_port: 9100 + node_exporter_host: "0.0.0.0" + prometheus_nginx_proxy_config: + - location: /metrics/node_exporter + proxy_pass: http://127.0.0.1:9100/metrics + - role: test_helpers \ No newline at end of file diff --git a/ansible/inventory b/ansible/inventory index 3a23e524..eede599b 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -45,4 +45,5 @@ openvpn2.htz-fsn.prod.ooni.nu [aws-backend] fastpath.dev.ooni.io -# fastpath.prod.ooni.io \ No newline at end of file +# fastpath.prod.ooni.io +test-helpers.dev.ooni.io \ No newline at end of file diff --git a/ansible/roles/test_helpers/defaults/main.yml b/ansible/roles/test_helpers/defaults/main.yml new file mode 100644 index 00000000..5b636ac5 --- /dev/null +++ b/ansible/roles/test_helpers/defaults/main.yml 
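Review bot: `node_exporter_host: "0.0.0.0"` binds the exporter on every interface, and the nft rule the test_helpers role adds for 9100 (`add rule inet filter input tcp dport 9100 counter accept`, in the tasks/main.yml hunk of this same commit) accepts any source, so the only thing keeping node metrics private is the `9100` security-group rule in main.tf that is scoped to the monitoring proxy. Consider binding to the instance's private address, or adding `ip saddr <MONITORING_PROXY_IP>` (placeholder) to the nft rule, so a later security-group edit does not silently expose the metrics endpoint. Separately, the play also targets `test-helpers.prod.ooni.io`, which the inventory hunk in this commit does not add, so that host is skipped with a warning until someone remembers to add it.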
@@ -0,0 +1 @@ +test_helpers_url: https://github.com/ooni/ooniprobe-rs/releases/download/0.1.0-dfe5/ooniprobe-helpers@0.1.0-dfe5.tar.gz diff --git a/ansible/roles/test_helpers/tasks/main.yml b/ansible/roles/test_helpers/tasks/main.yml new file mode 100644 index 00000000..47dc176b --- /dev/null +++ b/ansible/roles/test_helpers/tasks/main.yml 
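Review bot: The only default is the download URL; nothing pins the artifact's contents, and the `Donwload binaries for test helpers` task in tasks/main.yml (next hunk) calls `get_url` without a `checksum`, so a replaced release asset or a redirected fetch would be installed into `/usr/local/bin/` and run as a system service unchanged. Add a companion default such as `test_helpers_checksum: "sha256:<CHECKSUM_FROM_RELEASE>"` (placeholder) and pass `checksum: "{{ test_helpers_checksum }}"` to `get_url`; the later URL bump to `0.1.0-dbca` would then have to update the pin as well, which is the point. The file also lacks the leading `---` the other playbooks in this series use.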
@@ -0,0 +1,108 @@ +--- + +# For prometheus scrape requests +- name: Allow traffic on port 9100 + become: true + tags: prometheus-proxy + blockinfile: + path: /etc/ooni/nftables/tcp/9100.nft + create: yes + block: | + add rule inet filter input tcp dport 9100 counter accept comment "node exporter" + notify: + - reload nftables + + +# For incoming test helper traffic +- name: Allow traffic on port 8000 (echo) + become: true + tags: test-helpers + blockinfile: + path: /etc/ooni/nftables/tcp/8000.nft + create: yes + block: | + add rule inet filter input tcp dport 8000 counter accept comment "echo" + notify: + - reload nftables + +- name: Allow traffic on port 8001 (json) + become: true + tags: test-helpers + blockinfile: + path: /etc/ooni/nftables/tcp/8001.nft + create: yes + block: | + add rule inet filter input tcp dport 8001 counter accept comment "json" + notify: + - reload nftables + +# Create test helpers user +- name: Create the testhelpers user + ansible.builtin.user: + name: "testhelpers" + shell: "/bin/bash" + create_home: no + system: yes + become: yes + +# Install test helpers +- name: Donwload binaries for test helpers + ansible.builtin.get_url: + url: "{{test_helpers_url}}" + dest: "/tmp/test-helpers.tar.gz" + mode: '0600' + become: true + +- name: Extract tar content + ansible.builtin.unarchive: + src: "/tmp/test-helpers.tar.gz" + dest: "/tmp/test-helpers" + remote_src: yes + become: yes + +- name: Make jsonth accessible system wide + ansible.builtin.copy: + src: "/tmp/test-helpers/jsonth" + dest: "/usr/local/bin/" + mode: '0755' + become: yes + +- name: Make echo accessible system wide + ansible.builtin.copy: + src: "/tmp/test-helpers/echo" + dest: "/usr/local/bin/" + mode: '0755' + become: yes + +- name: Clean up temporary files + ansible.builtin.file: + path: "/tmp/test-helpers" + state: absent + become: yes + +- name: Remove downloaded tarball + ansible.builtin.file: + path: "/tmp/test-helpers.tar.gz" + state: absent + become: yes + +# Create systemd 
units +- name: Create jsonth.service file + tags: test-helpers + ansible.builtin.template: + src: templates/jsonth.service + dest: /etc/systemd/system/jsonth.service + mode: '0755' + owner: root + +- name: reload systemd + tags: test-helpers + shell: systemctl daemon-reload + +- name: Start jupyter + tags: test-helpers + systemd: + name: jsonth.service + state: started + enabled: yes + \ No newline at end of file diff --git a/ansible/roles/test_helpers/templates/jsonth.service b/ansible/roles/test_helpers/templates/jsonth.service new file mode 100644 index 00000000..ebd3c660 --- /dev/null +++ b/ansible/roles/test_helpers/templates/jsonth.service @@ -0,0 +1,20 @@ +[Unit] +Description=Test helper that will respond with a json showing the headers it received +After=network.target +StartLimitIntervalSec=60 +StartLimitBurst=3 + +[Service] +Type=simple +ExecStart=/usr/local/bin/jsonth +Restart=on-failure +RestartSec=5 +User=testhelpers +Group=testhelpers +ProtectSystem=full +ProtectHome=yes +NoNewPrivileges=yes +PrivateTmp=yes + +[Install] +WantedBy=multi-user.target diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 03fbd04b..c41670c2 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf 
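Review bot: The `Create jsonth.service file` task installs the unit with `mode: '0755'`; unit files are read by systemd, never executed, and should be `mode: '0644'` with `owner: root` and `group: root` (the same 0755 is reused for echo.service in later commits of this series). `Make echo accessible system wide` also copies a binary literally named `echo` into `/usr/local/bin/`, which on most distributions precedes `/usr/bin` in PATH, so any program that looks `echo` up through PATH (`xargs echo`, `find -exec echo`) would run the test helper instead of coreutils; shipping it as `/usr/local/bin/echo-th` or under a dedicated directory such as `/opt/ooni/test-helpers/` (constructed name) avoids the clash. `reload systemd` shells out to `systemctl daemon-reload` on every run with no `changed_when`, so the play is never idempotent there; `daemon_reload: true` on the `systemd` task below does the same declaratively. That task is still named `Start jupyter`, which looks like a copy-paste leftover.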
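Review bot: The unit already drops privileges (`User=testhelpers`, `NoNewPrivileges=yes`, `PrivateTmp=yes`), which is the right shape for an internet-facing helper, but `ProtectSystem=full` only makes `/usr`, `/boot` and `/etc` read-only. For a process that, as far as this series shows, needs nothing but a listening socket, `ProtectSystem=strict`, `ProtectKernelTunables=yes`, `ProtectControlGroups=yes` and `RestrictAddressFamilies=AF_INET AF_INET6` would close the rest of the sandbox; this assumes the helper writes nothing to disk, which should be confirmed against the binary before tightening. The same applies to the echo unit added two commits later.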
@@ -683,6 +683,107 @@ module "fastpath_builder" { ecs_cluster_name = module.ooniapi_cluster.cluster_name } + +#### Test Helpers Machine + +module "ooni_test_helpers" { + source = "../../modules/ec2" + + stage = local.environment + + vpc_id = module.network.vpc_id + subnet_id = module.network.vpc_subnet_public[0].id + private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block + dns_zone_ooni_io = local.dns_zone_ooni_io + + key_name = module.adm_iam_roles.oonidevops_key_name + instance_type = "t3a.small" + + name = "oonitesthelpers" + ingress_rules = [{ + from_port = 22, + to_port = 22, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 80, # Echo test helper + to_port = 80, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 8000, # Echo test helper + to_port = 8000, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 8001, # Json test helper + to_port = 8001, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 9100, # Prometheus monitoring + to_port = 9100, + protocol = "tcp" + cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"] + }] + + egress_rules = [{ + from_port = 0, + to_port = 0, + protocol = "-1", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 0, + to_port = 0, + protocol = "-1", + ipv6_cidr_blocks = ["::/0"], + }] + + sg_prefix = "oonitesthelpers" + tg_prefix = "tshp" + + disk_size = 20 + + tags = merge( + local.tags, + { Name = "ooni-tier0-testhelpers" } + ) +} + +resource "aws_route53_record" "testhelpers_alias" { + zone_id = local.dns_zone_ooni_io + name = "test-helpers.${local.environment}.ooni.io" + type = "CNAME" + ttl = 300 + + records = [ + module.ooni_test_helpers.aws_instance_public_dns + ] +} + +resource "aws_route53_record" "testhelpers_echo_alias" { + zone_id = local.dns_zone_ooni_io + name = "echo-th.${local.environment}.ooni.io" + type = "CNAME" + ttl = 300 + + records = [ + 
module.ooni_test_helpers.aws_instance_public_dns + ] +} + +resource "aws_route53_record" "testhelpers_json_alias" { + zone_id = local.dns_zone_ooni_io + name = "json-th.${local.environment}.ooni.io" + type = "CNAME" + ttl = 300 + + records = [ + module.ooni_test_helpers.aws_instance_public_dns + ] +} + + #### OONI Run service module "ooniapi_oonirun_deployer" { From cc15c5ecb3219ac0fda00b0f334682cf0b33edd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Mon, 25 Aug 2025 11:56:26 +0200 Subject: [PATCH 02/18] Change test helpers url --- ansible/roles/test_helpers/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/test_helpers/defaults/main.yml b/ansible/roles/test_helpers/defaults/main.yml index 5b636ac5..2cef1999 100644 --- a/ansible/roles/test_helpers/defaults/main.yml +++ b/ansible/roles/test_helpers/defaults/main.yml @@ -1 +1 @@ -test_helpers_url: https://github.com/ooni/ooniprobe-rs/releases/download/0.1.0-dfe5/ooniprobe-helpers@0.1.0-dfe5.tar.gz +test_helpers_url: https://github.com/ooni/test-helpers/releases/download/0.1.0-dbca/test-helpers@0.1.0-dbca.tar.gz From 0904feae8d5c6a34cb8eece536befdabf24f5ae1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Mon, 25 Aug 2025 13:41:53 +0200 Subject: [PATCH 03/18] Set up echo and jsonth services --- ansible/roles/test_helpers/handlers/main.yml | 17 ++++++++++ ansible/roles/test_helpers/tasks/main.yml | 31 ++++++++++++++++++- .../roles/test_helpers/templates/echo.service | 20 ++++++++++++ .../test_helpers/templates/jsonth.service | 2 +- 4 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 ansible/roles/test_helpers/handlers/main.yml create mode 100644 ansible/roles/test_helpers/templates/echo.service diff --git a/ansible/roles/test_helpers/handlers/main.yml b/ansible/roles/test_helpers/handlers/main.yml new file mode 100644 index 00000000..c9efe5d9 --- /dev/null +++ b/ansible/roles/test_helpers/handlers/main.yml 
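Review bot: The `ingress_rules` for `ooni_test_helpers` open port 22 to `0.0.0.0/0`, and the `ooni_test_helpers_echo` module added in the later "Creating echo machine" commit copies the same rule. SSH on these hosts is only needed for Ansible from an operator network, so the `cidr_blocks` for 22 should be the admin/VPN ranges or a bastion address, the way the 9100 rule already scopes itself with `module.ooni_monitoring_proxy.aws_instance_private_ip`, leaving only the helper ports world-reachable. If other modules in this file repeat the open-SSH literal, a shared local such as `local.ssh_ingress_cidrs` (constructed name) would keep them in step.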
@@ -0,0 +1,17 @@ +- name: restart echo + tags: test-helpers + ansible.builtin.systemd_service: + name: echo + state: restarted + +- name: restart jsonth + tags: test-helpers + ansible.builtin.systemd_service: + name: jsonth + state: restarted + +- name: reload nftables + tags: nftables + ansible.builtin.systemd_service: + name: nftables + state: reloaded \ No newline at end of file diff --git a/ansible/roles/test_helpers/tasks/main.yml b/ansible/roles/test_helpers/tasks/main.yml index 47dc176b..e646144e 100644 --- a/ansible/roles/test_helpers/tasks/main.yml +++ b/ansible/roles/test_helpers/tasks/main.yml @@ -53,6 +53,13 @@ mode: '0600' become: true +- name: Create test helpers temp dir + ansible.builtin.file: + path: "/tmp/test-helpers" + state: directory + mode: "0700" + become: yes + - name: Extract tar content ansible.builtin.unarchive: src: "/tmp/test-helpers.tar.gz" @@ -65,6 +72,7 @@ src: "/tmp/test-helpers/jsonth" dest: "/usr/local/bin/" mode: '0755' + remote_src: yes become: yes - name: Make echo accessible system wide @@ -72,6 +80,7 @@ src: "/tmp/test-helpers/echo" dest: "/usr/local/bin/" mode: '0755' + remote_src: yes become: yes - name: Clean up temporary files @@ -87,6 +96,7 @@ become: yes # Create systemd units + - name: Create jsonth.service file tags: test-helpers ansible.builtin.template: @@ -94,15 +104,34 @@ dest: /etc/systemd/system/jsonth.service mode: '0755' owner: root + notify: + - restart jsonth + +- name: Create echo.service file + tags: test-helpers + ansible.builtin.template: + src: templates/echo.service + dest: /etc/systemd/system/echo.service + mode: '0755' + owner: root + notify: + - restart echo - name: reload systemd tags: test-helpers shell: systemctl daemon-reload -- name: Start jupyter +- name: Start json tags: test-helpers systemd: name: jsonth.service state: started enabled: yes + +- name: Start echo + tags: test-helpers + systemd: + name: echo.service + state: started + enabled: yes \ No newline at end of file 
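Review bot: The `restart echo` and `restart jsonth` handlers only restart the unit, so whether an edited unit file is actually picked up depends on the separate `shell: systemctl daemon-reload` task having run earlier in the play. Adding `daemon_reload: true` to both `ansible.builtin.systemd_service` handlers makes them self-contained and removes that ordering dependency. The file also lacks a `---` document start and ends without a trailing newline.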
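Review bot: `Create test helpers temp dir` creates the fixed path `/tmp/test-helpers` (as root, mode 0700) inside world-writable `/tmp`, and the download, the `unarchive` and the two copies into `/usr/local/bin/` all go through that predictable name; `ansible.builtin.file` with `state: directory` accepts a directory that already exists at that path (and, with its default `follow: yes`, appears to accept a symlink to one — worth confirming), so a local user could pre-create it before the play runs. Use `ansible.builtin.tempfile` with `state: directory`, register it and use its `path` for the download and extraction, or stage under a root-owned directory such as `/var/lib/ooni/` (constructed name), and keep `/tmp` out of the pipeline. The new `mode: "0700"` also uses double quotes while the rest of the file writes `'0600'`/`'0755'`; pick one style.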
diff --git a/ansible/roles/test_helpers/templates/echo.service b/ansible/roles/test_helpers/templates/echo.service new file mode 100644 index 00000000..13388f7b --- /dev/null +++ b/ansible/roles/test_helpers/templates/echo.service @@ -0,0 +1,20 @@ +[Unit] +Description=Test helper that will start an echo session on request +After=network.target +StartLimitIntervalSec=60 +StartLimitBurst=3 + +[Service] +Type=simple +ExecStart=/usr/local/bin/echo --port 8000 +Restart=on-failure +RestartSec=5 +User=testhelpers +Group=testhelpers +ProtectSystem=full +ProtectHome=yes +NoNewPrivileges=yes +PrivateTmp=yes + +[Install] +WantedBy=multi-user.target diff --git a/ansible/roles/test_helpers/templates/jsonth.service b/ansible/roles/test_helpers/templates/jsonth.service index ebd3c660..fb908501 100644 --- a/ansible/roles/test_helpers/templates/jsonth.service +++ b/ansible/roles/test_helpers/templates/jsonth.service @@ -6,7 +6,7 @@ StartLimitBurst=3 [Service] Type=simple -ExecStart=/usr/local/bin/jsonth +ExecStart=/usr/local/bin/jsonth --port 8001 Restart=on-failure RestartSec=5 User=testhelpers From 620d5a1c94584ede7334140965ff3c9f7642fff1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Mon, 25 Aug 2025 13:42:35 +0200 Subject: [PATCH 04/18] Fix bad comment --- tf/environments/dev/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index c41670c2..239ec335 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -706,7 +706,7 @@ module "ooni_test_helpers" { protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], }, { - from_port = 80, # Echo test helper + from_port = 80, # dehydrated to_port = 80, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], From b1ee5cc9eb5be1657571baa2c85426554708816a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 28 Aug 2025 12:19:56 +0200 Subject: [PATCH 05/18] fix certificate deadlock issue --- tf/environments/dev/main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 239ec335..189fa7f6 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -1084,6 +1084,10 @@ resource "aws_acm_certificate" "ooniapi_frontend" { tags = local.tags subject_alternative_names = keys(local.ooniapi_frontend_alternative_domains) + + lifecycle { + create_before_destroy = true + } } resource "aws_route53_record" "ooniapi_frontend_cert_validation" { From 3beab5dfc3127384352cf364231d32777e4c2f9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 28 Aug 2025 13:01:52 +0200 Subject: [PATCH 06/18] Routing test helper traffic with nginx --- ansible/roles/test_helpers/handlers/main.yml | 7 ++++- ansible/roles/test_helpers/tasks/main.yml | 28 +++++++++++++------- tf/environments/dev/main.tf | 4 +-- 3 files changed, 27 insertions(+), 12 deletions(-) diff --git a/ansible/roles/test_helpers/handlers/main.yml b/ansible/roles/test_helpers/handlers/main.yml index c9efe5d9..30593401 100644 --- a/ansible/roles/test_helpers/handlers/main.yml +++ b/ansible/roles/test_helpers/handlers/main.yml @@ -14,4 +14,9 @@ tags: nftables ansible.builtin.systemd_service: name: nftables - state: reloaded \ No newline at end of file + state: reloaded + +- name: reload nginx + service: + name: nginx + state: reloaded diff --git a/ansible/roles/test_helpers/tasks/main.yml b/ansible/roles/test_helpers/tasks/main.yml index e646144e..636bd65a 100644 --- a/ansible/roles/test_helpers/tasks/main.yml +++ b/ansible/roles/test_helpers/tasks/main.yml @@ -10,7 +10,7 @@ block: | add rule inet filter input tcp dport 9100 counter accept comment "node exporter" notify: - - reload nftables + - reload nftables # For incoming test helper traffic 
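Review bot: `reload nginx` uses the legacy `service` module and carries no `tags`, while the three handlers above it in this file use `ansible.builtin.systemd_service` with tags. Writing it as `ansible.builtin.systemd_service` with `name: nginx` and `state: reloaded` keeps the file uniform and behaves the same on a systemd host.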
@@ -23,7 +23,7 @@ block: | add rule inet filter input tcp dport 8000 counter accept comment "echo" notify: - - reload nftables + - reload nftables - name: Allow traffic on port 8001 (json) become: true @@ -34,7 +34,7 @@ block: | add rule inet filter input tcp dport 8001 counter accept comment "json" notify: - - reload nftables + - reload nftables # Create test helpers user - name: Create the testhelpers user @@ -99,22 +99,22 @@ - name: Create jsonth.service file tags: test-helpers - ansible.builtin.template: + ansible.builtin.template: src: templates/jsonth.service dest: /etc/systemd/system/jsonth.service mode: '0755' owner: root - notify: + notify: - restart jsonth - + - name: Create echo.service file tags: test-helpers - ansible.builtin.template: + ansible.builtin.template: src: templates/echo.service dest: /etc/systemd/system/echo.service mode: '0755' owner: root - notify: + notify: - restart echo - name: reload systemd @@ -134,4 +134,14 @@ name: echo.service state: started enabled: yes - \ No newline at end of file + +# Nginx routing +- name: Copy nginx config + tags: test-helpers + ansible.builtin.template: + src: templates/test-helpers.conf + dest: /etc/nginx/sites-enabled/02-test-helpers.conf + mode: '744' + owner: nginx + notify: + - reload nginx \ No newline at end of file diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 189fa7f6..d4584f89 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -763,7 +763,7 @@ resource "aws_route53_record" "testhelpers_alias" { resource "aws_route53_record" "testhelpers_echo_alias" { zone_id = local.dns_zone_ooni_io - name = "echo-th.${local.environment}.ooni.io" + name = "42.th.${local.environment}.ooni.io" type = "CNAME" ttl = 300 
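Review bot: `Copy nginx config` installs `/etc/nginx/sites-enabled/02-test-helpers.conf` with `owner: nginx` and `mode: '744'`: a config file does not need the execute bit, and making it owned by the service's own account means a compromised worker could rewrite its routing. `owner: root`, `group: root`, `mode: '0644'` is the usual shape and matches how the unit files in this role are owned. Whether a user named `nginx` exists on these hosts is not visible here (the nginx role may run workers as a different account), so the task could also fail outright; confirm against the nginx role. The `'744'` spelling also differs from the `'0755'` used elsewhere in the file.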
@@ -774,7 +774,7 @@ resource "aws_route53_record" "testhelpers_echo_alias" { resource "aws_route53_record" "testhelpers_json_alias" { zone_id = local.dns_zone_ooni_io - name = "json-th.${local.environment}.ooni.io" + name = "43.th.${local.environment}.ooni.io" type = "CNAME" ttl = 300 From d0a9298a9ebbf2592c5be4b212a67323176547b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 28 Aug 2025 13:08:55 +0200 Subject: [PATCH 07/18] nginx config for test helpers --- .../test_helpers/templates/test-helpers.conf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 ansible/roles/test_helpers/templates/test-helpers.conf diff --git a/ansible/roles/test_helpers/templates/test-helpers.conf b/ansible/roles/test_helpers/templates/test-helpers.conf new file mode 100644 index 00000000..a8199377 --- /dev/null +++ b/ansible/roles/test_helpers/templates/test-helpers.conf @@ -0,0 +1,17 @@ +# nginx configuration for routing test helpers depending on their host name + +server { + listen 80; + server_name 42.th.dev.ooni.io; # echo + location / { + proxy_pass http://127.0.0.1:8001; + } +} + +server { + listen 80; + server_name 43.th.dev.ooni.io; # jsonth + location / { + proxy_pass http://127.0.0.1:8000; + } +} From 4c5fcc6ad7b3a9b3e97e223d94aeaca43edd00af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 28 Aug 2025 14:11:38 +0200 Subject: [PATCH 08/18] Creating echo machine --- ...elpers.yml => deploy-echo-test-helper.yml} | 7 +- ansible/deploy-json-test-helper.yml | 20 +++++ ansible/roles/test_helpers/tasks/main.yml | 23 +---- ansible/roles/test_helpers/vars/main.yml | 3 + tf/environments/dev/main.tf | 87 +++++++++++++++---- 5 files changed, 103 insertions(+), 37 deletions(-) rename ansible/{deploy-test-helpers.yml => deploy-echo-test-helper.yml} (77%) create mode 100644 ansible/deploy-json-test-helper.yml create mode 100644 ansible/roles/test_helpers/vars/main.yml 
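Review bot: The two `server` blocks look cross-wired: `42.th.dev.ooni.io` is commented `# echo` but proxies to `127.0.0.1:8001`, the port `jsonth.service` binds (`--port 8001`), while `43.th.dev.ooni.io` (`# jsonth`) proxies to `8000`, where `echo.service` listens; either the comments or the `proxy_pass` ports are swapped. The hostnames are also hard-coded to `dev`, whereas the Terraform records are built from `${local.environment}`, so a prod deploy would match neither `server_name`; `{{ inventory_hostname }}` or a role variable would keep them in sync. Separately, the echo helper is described later in this series as a TCP server rather than an HTTP one, so an HTTP `proxy_pass` in front of it will not carry its traffic.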
diff --git a/ansible/deploy-test-helpers.yml b/ansible/deploy-echo-test-helper.yml similarity index 77% rename from ansible/deploy-test-helpers.yml rename to ansible/deploy-echo-test-helper.yml index bccfddf2..d325b3dc 100644 --- a/ansible/deploy-test-helpers.yml +++ b/ansible/deploy-echo-test-helper.yml @@ -11,7 +11,10 @@ vars: node_exporter_port: 9100 node_exporter_host: "0.0.0.0" - prometheus_nginx_proxy_config: + prometheus_nginx_proxy_config: - location: /metrics/node_exporter proxy_pass: http://127.0.0.1:9100/metrics - - role: test_helpers \ No newline at end of file + - role: test_helpers + vars: + services: + - jsonth diff --git a/ansible/deploy-json-test-helper.yml b/ansible/deploy-json-test-helper.yml new file mode 100644 index 00000000..d325b3dc --- /dev/null +++ b/ansible/deploy-json-test-helper.yml @@ -0,0 +1,20 @@ +--- +- name: Deploy test helpers + hosts: + - test-helpers.dev.ooni.io + - test-helpers.prod.ooni.io + become: true + roles: + - role: bootstrap + - role: nginx + - role: prometheus_node_exporter + vars: + node_exporter_port: 9100 + node_exporter_host: "0.0.0.0" + prometheus_nginx_proxy_config: + - location: /metrics/node_exporter + proxy_pass: http://127.0.0.1:9100/metrics + - role: test_helpers + vars: + services: + - jsonth diff --git a/ansible/roles/test_helpers/tasks/main.yml b/ansible/roles/test_helpers/tasks/main.yml index 636bd65a..1b9be3fa 100644 --- a/ansible/roles/test_helpers/tasks/main.yml +++ b/ansible/roles/test_helpers/tasks/main.yml 
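Review bot: Both playbooks pass `services: [jsonth]` to the role, but nothing in the role reads `services`; the tasks hunk in this commit loops over `{{helpers}}`, and `vars/main.yml` defines `helpers: "jsonth"` as a plain string, which `loop:` rejects with an "it requires a list" error, so the echo playbook would at best start jsonth rather than echo. `deploy-json-test-helper.yml` is also a byte-identical copy of the renamed echo playbook (same blob `d325b3dc`, same `test-helpers.*` hosts), so the two plays cannot be told apart yet. Settle on one variable (`helpers`, a list) defined in defaults/main.yml, have each playbook override it with its own helper, and give each play its own hosts.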
@@ -121,27 +121,10 @@ tags: test-helpers shell: systemctl daemon-reload -- name: Start json +- name: Start service tags: test-helpers systemd: - name: jsonth.service + name: "{{item}}.service" state: started enabled: yes - -- name: Start echo - tags: test-helpers - systemd: - name: echo.service - state: started - enabled: yes - -# Nginx routing -- name: Copy nginx config - tags: test-helpers - ansible.builtin.template: - src: templates/test-helpers.conf - dest: /etc/nginx/sites-enabled/02-test-helpers.conf - mode: '744' - owner: nginx - notify: - - reload nginx \ No newline at end of file + loop: "{{helpers}}" diff --git a/ansible/roles/test_helpers/vars/main.yml b/ansible/roles/test_helpers/vars/main.yml new file mode 100644 index 00000000..bb106ad6 --- /dev/null +++ b/ansible/roles/test_helpers/vars/main.yml @@ -0,0 +1,3 @@ + +# choices: jsonth, echo +helpers: "jsonth" \ No newline at end of file diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index d4584f89..b1d3e3a8 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -591,7 +591,7 @@ resource "aws_route53_record" "monitoring_proxy_alias" { } -### Fastpath +### Fastpath module "ooni_fastpath" { source = "../../modules/ec2" @@ -684,8 +684,9 @@ module "fastpath_builder" { } -#### Test Helpers Machine +#### Test Helpers Machines +# jsonth and other http helpers module "ooni_test_helpers" { source = "../../modules/ec2" @@ -697,7 +698,7 @@ module "ooni_test_helpers" { dns_zone_ooni_io = local.dns_zone_ooni_io key_name = module.adm_iam_roles.oonidevops_key_name - instance_type = "t3a.small" + instance_type = "t3.micro" name = "oonitesthelpers" ingress_rules = [{ 
@@ -707,17 +708,12 @@ module "ooni_test_helpers" { cidr_blocks = ["0.0.0.0/0"], }, { from_port = 80, # dehydrated - to_port = 80, - protocol = "tcp", - cidr_blocks = ["0.0.0.0/0"], - }, { - from_port = 8000, # Echo test helper - to_port = 8000, + to_port = 80, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], }, { - from_port = 8001, # Json test helper - to_port = 8001, + from_port = 8000, # Json test helper + to_port = 8000, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], }, { 
@@ -750,6 +746,67 @@ module "ooni_test_helpers" { ) } +# Echo test helper, requires a dedicated machine bc it's a tcp server, +# not an HTTP server, so it's harder to reroute using nginx +module "ooni_test_helpers_echo" { + source = "../../modules/ec2" + + stage = local.environment + + vpc_id = module.network.vpc_id + subnet_id = module.network.vpc_subnet_public[0].id + private_subnet_cidr = module.network.vpc_subnet_private[*].cidr_block + dns_zone_ooni_io = local.dns_zone_ooni_io + + key_name = module.adm_iam_roles.oonidevops_key_name + instance_type = "t3.micro" + + name = "ooniechoth" + ingress_rules = [{ + from_port = 22, + to_port = 22, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 80, # dehydrated + to_port = 80, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 8000, # Echo test helper + to_port = 8000, + protocol = "tcp", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 9100, # Prometheus monitoring + to_port = 9100, + protocol = "tcp" + cidr_blocks = ["${module.ooni_monitoring_proxy.aws_instance_private_ip}/32"] + }] + + egress_rules = [{ + from_port = 0, + to_port = 0, + protocol = "-1", + cidr_blocks = ["0.0.0.0/0"], + }, { + from_port = 0, + to_port = 0, + protocol = "-1", + ipv6_cidr_blocks = ["::/0"], + }] + + sg_prefix = "ooniechoth" + tg_prefix = "echo" + + disk_size = 20 + + tags = merge( + local.tags, + { Name = "ooni-tier0-echoth" } + ) +} + resource "aws_route53_record" "testhelpers_alias" { zone_id = local.dns_zone_ooni_io name = "test-helpers.${local.environment}.ooni.io" @@ -763,7 +820,7 @@ resource "aws_route53_record" "testhelpers_alias" { resource "aws_route53_record" "testhelpers_echo_alias" { zone_id = local.dns_zone_ooni_io - name = "42.th.${local.environment}.ooni.io" + name = "42.th.${local.environment}.ooni.io" # json and others type = "CNAME" ttl = 300 
@@ -774,12 +831,12 @@ resource "aws_route53_record" "testhelpers_echo_alias" { resource "aws_route53_record" "testhelpers_json_alias" { zone_id = local.dns_zone_ooni_io - name = "43.th.${local.environment}.ooni.io" + name = "43.th.${local.environment}.ooni.io" # echo type = "CNAME" ttl = 300 records = [ - module.ooni_test_helpers.aws_instance_public_dns + module.ooni_test_helpers_echo.aws_instance_public_dns ] } @@ -992,7 +1049,7 @@ module "ooniapi_oonimeasurements" { task_environment = { # it has to be a json-compliant array - OTHER_COLLECTORS = jsonencode(["http://fastpath.${local.environment}.ooni.io:8475"]) + OTHER_COLLECTORS = jsonencode(["http://fastpath.${local.environment}.ooni.io:8475"]) BASE_URL = "https://api.${local.environment}.ooni.io" S3_BUCKET_NAME = "ooni-data-eu-fra-test" } From 61d705eb3b54e48d3c1d7b270491a0fb840ea47e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 28 Aug 2025 16:10:33 +0200 Subject: [PATCH 09/18] Creating host for each th --- ansible/roles/test_helpers/tasks/main.yml | 23 ++++-------- .../roles/test_helpers/templates/echo.service | 2 +- .../test_helpers/templates/jsonth.service | 2 +- .../test_helpers/templates/test-helpers.conf | 17 --------- ansible/roles/test_helpers/vars/main.yml | 3 +- tf/environments/dev/main.tf | 35 ++++--------------- 6 files changed, 17 insertions(+), 65 deletions(-) delete mode 100644 ansible/roles/test_helpers/templates/test-helpers.conf diff --git a/ansible/roles/test_helpers/tasks/main.yml b/ansible/roles/test_helpers/tasks/main.yml index 1b9be3fa..252a51f6 100644 --- a/ansible/roles/test_helpers/tasks/main.yml +++ b/ansible/roles/test_helpers/tasks/main.yml 
@@ -97,34 +97,23 @@ # Create systemd units -- name: Create jsonth.service file +- name: Create .service file tags: test-helpers ansible.builtin.template: - src: templates/jsonth.service - dest: /etc/systemd/system/jsonth.service + src: templates/{{helper}}.service + dest: /etc/systemd/system/{{helper}}.service mode: '0755' owner: root notify: - - restart jsonth - -- name: Create echo.service file - tags: test-helpers - ansible.builtin.template: - src: templates/echo.service - dest: /etc/systemd/system/echo.service - mode: '0755' - owner: root - notify: - - restart echo + - "restart {{helper}}" - name: reload systemd tags: test-helpers shell: systemctl daemon-reload -- name: Start service +- name: Start helper tags: test-helpers systemd: - name: "{{item}}.service" + name: "{{helper}}.service" state: started enabled: yes - loop: "{{helpers}}" diff --git a/ansible/roles/test_helpers/templates/echo.service b/ansible/roles/test_helpers/templates/echo.service index 13388f7b..cffdf252 100644 --- a/ansible/roles/test_helpers/templates/echo.service +++ b/ansible/roles/test_helpers/templates/echo.service @@ -6,7 +6,7 @@ StartLimitBurst=3 [Service] Type=simple -ExecStart=/usr/local/bin/echo --port 8000 +ExecStart=/usr/local/bin/echo --port {{port}} Restart=on-failure RestartSec=5 User=testhelpers diff --git a/ansible/roles/test_helpers/templates/jsonth.service b/ansible/roles/test_helpers/templates/jsonth.service index fb908501..eb4b4bf7 100644 --- a/ansible/roles/test_helpers/templates/jsonth.service +++ b/ansible/roles/test_helpers/templates/jsonth.service @@ -6,7 +6,7 @@ StartLimitBurst=3 [Service] Type=simple -ExecStart=/usr/local/bin/jsonth --port 8001 +ExecStart=/usr/local/bin/jsonth --port {{port}} Restart=on-failure RestartSec=5 User=testhelpers diff --git a/ansible/roles/test_helpers/templates/test-helpers.conf b/ansible/roles/test_helpers/templates/test-helpers.conf deleted file mode 100644 index a8199377..00000000 
--- a/ansible/roles/test_helpers/templates/test-helpers.conf +++ /dev/null @@ -1,17 +0,0 @@ -# nginx configuration for routing test helpers depending on their host name - -server { - listen 80; - server_name 42.th.dev.ooni.io; # echo - location / { - proxy_pass http://127.0.0.1:8001; - } -} - -server { - listen 80; - server_name 43.th.dev.ooni.io; # jsonth - location / { - proxy_pass http://127.0.0.1:8000; - } -} diff --git a/ansible/roles/test_helpers/vars/main.yml b/ansible/roles/test_helpers/vars/main.yml index bb106ad6..671bb91e 100644 --- a/ansible/roles/test_helpers/vars/main.yml +++ b/ansible/roles/test_helpers/vars/main.yml @@ -1,3 +1,4 @@ # choices: jsonth, echo -helpers: "jsonth" \ No newline at end of file +helper: "jsonth" +port: "80" \ No newline at end of file diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index b1d3e3a8..623b813c 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -687,7 +687,7 @@ module "fastpath_builder" { #### Test Helpers Machines # jsonth and other http helpers -module "ooni_test_helpers" { +module "ooni_test_helpers_json" { source = "../../modules/ec2" stage = local.environment @@ -700,23 +700,18 @@ module "ooni_test_helpers" { key_name = module.adm_iam_roles.oonidevops_key_name instance_type = "t3.micro" - name = "oonitesthelpers" + name = "oonijsonth" ingress_rules = [{ from_port = 22, to_port = 22, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], }, { - from_port = 80, # dehydrated + from_port = 80, # jsonth to_port = 80, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], }, { - from_port = 8000, # Json test helper - to_port = 8000, - protocol = "tcp", - cidr_blocks = ["0.0.0.0/0"], - }, { from_port = 9100, # Prometheus monitoring to_port = 9100, protocol = "tcp" 
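Review bot: `helper` and `port` are per-deployment choices that every playbook overrides, yet they live in `vars/main.yml`, which is meant for role-internal constants; `defaults/main.yml` already exists (holding `test_helpers_url`) and is where overridable settings belong so normal precedence rules apply. `port: "80"` is a string here while the playbooks in the next commit pass `port: 80` as an integer, which is harmless for the `--port {{port}}` templates but worth keeping consistent. The file still lacks `---` and a trailing newline.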
@@ -768,16 +763,11 @@ module "ooni_test_helpers_echo" { protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], }, { - from_port = 80, # dehydrated + from_port = 80, # echo to_port = 80, protocol = "tcp", cidr_blocks = ["0.0.0.0/0"], }, { - from_port = 8000, # Echo test helper - to_port = 8000, - protocol = "tcp", - cidr_blocks = ["0.0.0.0/0"], - }, { from_port = 9100, # Prometheus monitoring to_port = 9100, protocol = "tcp" @@ -807,9 +797,9 @@ module "ooni_test_helpers_echo" { ) } -resource "aws_route53_record" "testhelpers_alias" { +resource "aws_route53_record" "testhelpers_json_alias" { zone_id = local.dns_zone_ooni_io - name = "test-helpers.${local.environment}.ooni.io" + name = "json.th.${local.environment}.ooni.io" # json type = "CNAME" ttl = 300 @@ -820,18 +810,7 @@ resource "aws_route53_record" "testhelpers_alias" { resource "aws_route53_record" "testhelpers_echo_alias" { zone_id = local.dns_zone_ooni_io - name = "42.th.${local.environment}.ooni.io" # json and others - type = "CNAME" - ttl = 300 - - records = [ - module.ooni_test_helpers.aws_instance_public_dns - ] -} - -resource "aws_route53_record" "testhelpers_json_alias" { - zone_id = local.dns_zone_ooni_io - name = "43.th.${local.environment}.ooni.io" # echo + name = "echo.th.${local.environment}.ooni.io" # echo type = "CNAME" ttl = 300 From 91bfe43d409be839ff52ac4c75d5c2c576f07739 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 28 Aug 2025 16:12:43 +0200 Subject: [PATCH 10/18] Fix bad module name --- tf/environments/dev/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 623b813c..0ee6ff45 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf 
@@ -799,18 +799,18 @@ module "ooni_test_helpers_echo" { resource "aws_route53_record" "testhelpers_json_alias" { zone_id = local.dns_zone_ooni_io - name = "json.th.${local.environment}.ooni.io" # json + name = "json.th.${local.environment}.ooni.io" type = "CNAME" ttl = 300 records = [ - module.ooni_test_helpers.aws_instance_public_dns + module.ooni_test_helpers_json.aws_instance_public_dns ] } resource "aws_route53_record" "testhelpers_echo_alias" { zone_id = local.dns_zone_ooni_io - name = "echo.th.${local.environment}.ooni.io" # echo + name = "echo.th.${local.environment}.ooni.io" type = "CNAME" ttl = 300 From 1f08b62062faeb51e556838d9e7909d1482ef226 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 28 Aug 2025 16:46:38 +0200 Subject: [PATCH 11/18] Set up ansible for each test helper --- ansible/deploy-echo-test-helper.yml | 10 +++++----- ansible/deploy-json-test-helper.yml | 9 ++++----- ansible/inventory | 3 ++- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/ansible/deploy-echo-test-helper.yml b/ansible/deploy-echo-test-helper.yml index d325b3dc..101c2980 100644 --- a/ansible/deploy-echo-test-helper.yml +++ b/ansible/deploy-echo-test-helper.yml @@ -1,12 +1,11 @@ --- - name: Deploy test helpers hosts: - - test-helpers.dev.ooni.io - - test-helpers.prod.ooni.io + - echo.th.dev.ooni.io + - echo.th.prod.ooni.io become: true roles: - role: bootstrap - - role: nginx - role: prometheus_node_exporter vars: node_exporter_port: 9100 @@ -16,5 +15,6 @@ proxy_pass: http://127.0.0.1:9100/metrics - role: test_helpers vars: - services: - - jsonth + helper: echo + port: 80 + diff --git a/ansible/deploy-json-test-helper.yml b/ansible/deploy-json-test-helper.yml index d325b3dc..48dfcefa 100644 --- a/ansible/deploy-json-test-helper.yml +++ b/ansible/deploy-json-test-helper.yml 
@@ -1,12 +1,11 @@ --- - name: Deploy test helpers hosts: - - test-helpers.dev.ooni.io - - test-helpers.prod.ooni.io + - json.th.dev.ooni.io + - json.th.prod.ooni.io become: true roles: - role: bootstrap - - role: nginx - role: prometheus_node_exporter vars: node_exporter_port: 9100 @@ -16,5 +15,5 @@ proxy_pass: http://127.0.0.1:9100/metrics - role: test_helpers vars: - services: - - jsonth + helper: jsonth + port: 80 diff --git a/ansible/inventory b/ansible/inventory index eede599b..5b39bd18 100644 --- a/ansible/inventory +++ b/ansible/inventory @@ -46,4 +46,5 @@ openvpn2.htz-fsn.prod.ooni.nu [aws-backend] fastpath.dev.ooni.io # fastpath.prod.ooni.io -test-helpers.dev.ooni.io \ No newline at end of file +json.th.dev.ooni.io +echo.th.dev.ooni.io \ No newline at end of file From b77339300bed4d4aa1ca40129d912d9ee2095d61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Fri, 29 Aug 2025 10:19:37 +0200 Subject: [PATCH 12/18] Run prometheus without dehydrated when no https is required --- ansible/deploy-json-test-helper.yml | 1 + ansible/roles/prometheus_node_exporter/tasks/main.yml | 1 + tf/environments/dev/main.tf | 4 ++-- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/deploy-json-test-helper.yml b/ansible/deploy-json-test-helper.yml index 48dfcefa..ea35bd98 100644 --- a/ansible/deploy-json-test-helper.yml +++ b/ansible/deploy-json-test-helper.yml @@ -13,6 +13,7 @@ prometheus_nginx_proxy_config: - location: /metrics/node_exporter proxy_pass: http://127.0.0.1:9100/metrics + use_https: false - role: test_helpers vars: helper: jsonth diff --git a/ansible/roles/prometheus_node_exporter/tasks/main.yml b/ansible/roles/prometheus_node_exporter/tasks/main.yml index c79a618e..9a4510b7 100644 --- a/ansible/roles/prometheus_node_exporter/tasks/main.yml +++ b/ansible/roles/prometheus_node_exporter/tasks/main.yml @@ -12,6 +12,7 @@ vars: ssl_domains: - "{{ inventory_hostname }}" + when: use_https - include_tasks: install.yml 
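Review bot: Setting `use_https: false` on the prometheus_node_exporter role makes the `/metrics/node_exporter` proxy a plain, unauthenticated HTTP listener that reports host-level metrics; that is acceptable only if the port nginx ends up binding is reachable solely from the Prometheus scraper. The security-group rules that decide this live in tf/environments/dev/main.tf, not in this hunk, so confirm them and record the outcome next to the flag, e.g. `use_https: false  # plain HTTP on purpose: no cert on this host, SG limits the port to the scraper`.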
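Review bot: `when: use_https` treats any non-empty string as true, so `-e use_https=false` on the command line or a quoted value in inventory would still run the dehydrated include and try to issue a certificate; write `when: use_https | bool` so string and boolean inputs behave the same. The task this condition is attached to begins outside the hunk.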
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 0ee6ff45..9cd05cc7 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -730,14 +730,14 @@ module "ooni_test_helpers_json" { ipv6_cidr_blocks = ["::/0"], }] - sg_prefix = "oonitesthelpers" + sg_prefix = "oonijsonth" tg_prefix = "tshp" disk_size = 20 tags = merge( local.tags, - { Name = "ooni-tier0-testhelpers" } + { Name = "ooni-tier0-jsonth" } ) } From ed6f3a204a72f8504bf6c9301efd98b63fcac6f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Fri, 29 Aug 2025 10:57:31 +0200 Subject: [PATCH 13/18] removing unused listen 80 entry in prometheus config --- .../prometheus_node_exporter/templates/nginx-prometheus.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 b/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 index 6e7de3d5..5d9c6471 100644 --- a/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 +++ b/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 @@ -10,10 +10,6 @@ server { ssl_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/{{ inventory_hostname }}/privkey.pem; ssl_trusted_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/chain.pem; - {% else %} - listen 80; - - server_name {{ inventory_hostname }}; {% endif %} {% for config in prometheus_nginx_proxy_config %} From 94b24cd12b1b87e036bc0930689e0f79566f9225 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Fri, 29 Aug 2025 11:22:49 +0200 Subject: [PATCH 14/18] Allow services to run on port 80 --- ansible/roles/test_helpers/templates/echo.service | 2 ++ ansible/roles/test_helpers/templates/jsonth.service | 2 ++ 2 files changed, 4 insertions(+) 
diff --git a/ansible/roles/test_helpers/templates/echo.service b/ansible/roles/test_helpers/templates/echo.service index cffdf252..996e6aa1 100644 --- a/ansible/roles/test_helpers/templates/echo.service +++ b/ansible/roles/test_helpers/templates/echo.service @@ -15,6 +15,8 @@ ProtectSystem=full ProtectHome=yes NoNewPrivileges=yes PrivateTmp=yes +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target diff --git a/ansible/roles/test_helpers/templates/jsonth.service b/ansible/roles/test_helpers/templates/jsonth.service index eb4b4bf7..54392c17 100644 --- a/ansible/roles/test_helpers/templates/jsonth.service +++ b/ansible/roles/test_helpers/templates/jsonth.service @@ -15,6 +15,8 @@ ProtectSystem=full ProtectHome=yes NoNewPrivileges=yes PrivateTmp=yes +AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target From 393803e2ee6cb27ccebcf6cd0248371c36b6e692 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Fri, 29 Aug 2025 12:10:45 +0200 Subject: [PATCH 15/18] Add port parameters to use a different port for test helpers metrics --- ansible/deploy-echo-test-helper.yml | 3 ++- ansible/deploy-json-test-helper.yml | 1 + .../prometheus_node_exporter/templates/nginx-prometheus.j2 | 6 +++++- ansible/roles/prometheus_node_exporter/vars/main.yml | 4 +++- 4 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ansible/deploy-echo-test-helper.yml b/ansible/deploy-echo-test-helper.yml index 101c2980..fe6434a1 100644 --- a/ansible/deploy-echo-test-helper.yml +++ b/ansible/deploy-echo-test-helper.yml @@ -13,8 +13,9 @@ prometheus_nginx_proxy_config: - location: /metrics/node_exporter proxy_pass: http://127.0.0.1:9100/metrics + use_https: false + http_port: 8080 # if we leave port 80, it's taken by nginx - role: test_helpers vars: helper: echo port: 80 - 
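Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` only does something when the unit runs under a non-root `User=`, and that line is above this hunk; confirm it names the unprivileged `testhelpers` user the role creates, because if the service still runs as root the added `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` would instead strip every other capability from it. The pairing with the existing `NoNewPrivileges=yes` is correct, since ambient capabilities survive execve without file capabilities, and that is worth stating: `# bind port 80 as an unprivileged user; ambient caps work under NoNewPrivileges=yes`. The jsonth.service hunk in this commit has the same two lines and needs the same check.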
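Review bot: The comment on `http_port: 8080` reads backwards: port 80 is taken by the echo helper (`port: 80` under the test_helpers role, two lines below), and the point of 8080 is to keep nginx off it. Suggest `http_port: 8080  # nginx must not bind 80: the echo helper listens there (see port: 80 below)`. The deploy-json hunk in this commit carries the same comment and wants the same rewording.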
diff --git a/ansible/deploy-json-test-helper.yml b/ansible/deploy-json-test-helper.yml index ea35bd98..ba08b1fc 100644 --- a/ansible/deploy-json-test-helper.yml +++ b/ansible/deploy-json-test-helper.yml @@ -14,6 +14,7 @@ - location: /metrics/node_exporter proxy_pass: http://127.0.0.1:9100/metrics use_https: false + http_port: 8080 # if we leave port 80, it's taken by nginx - role: test_helpers vars: helper: jsonth diff --git a/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 b/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 index 5d9c6471..a0019f86 100644 --- a/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 +++ b/ansible/roles/prometheus_node_exporter/templates/nginx-prometheus.j2 @@ -2,7 +2,7 @@ server { {% if use_https %} - listen 443 ssl http2; + listen {{https_port}} ssl http2; server_name {{ inventory_hostname }}; include /etc/nginx/ssl_intermediate.conf; @@ -10,6 +10,10 @@ server { ssl_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem; ssl_certificate_key /var/lib/dehydrated/certs/{{ inventory_hostname }}/privkey.pem; ssl_trusted_certificate /var/lib/dehydrated/certs/{{ inventory_hostname }}/chain.pem; + {% else %} + listen {{http_port}}; + + server_name {{inventory_hostname}}; {% endif %} {% for config in prometheus_nginx_proxy_config %} diff --git a/ansible/roles/prometheus_node_exporter/vars/main.yml b/ansible/roles/prometheus_node_exporter/vars/main.yml index 1cf0521e..567f660b 100644 --- a/ansible/roles/prometheus_node_exporter/vars/main.yml +++ b/ansible/roles/prometheus_node_exporter/vars/main.yml @@ -1 +1,3 @@ -use_https: true \ No newline at end of file +use_https: true +http_port: 80 +https_port: 443 \ No newline at end of file From f5f5819bd9e14a1f55673facd2ca1b3c764855d3 Mon Sep 17 00:00:00 2001 
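Review bot: `http_port` and `https_port` are added to the role's `vars/main.yml`, which outranks inventory, host_vars and group_vars in Ansible precedence, so operators cannot override them per host; they currently work only because the playbooks pass role params, which rank higher still. Unless these values are meant to be fixed, move them together with `use_https` to `defaults/main.yml`. The file also still ends without a newline and has no `---` document start, and the template hunk above mixes `{{https_port}}`/`{{http_port}}` with the existing `{{ inventory_hostname }}` — write `{{ https_port }}` and `{{ http_port }}` for consistency.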
From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Mon, 1 Sep 2025 11:01:14 +0200 Subject: [PATCH 16/18] Remove unused firewall rules --- ansible/roles/test_helpers/tasks/main.yml | 24 ----------------------- 1 file changed, 24 deletions(-) diff --git a/ansible/roles/test_helpers/tasks/main.yml b/ansible/roles/test_helpers/tasks/main.yml index 252a51f6..bd728c14 100644 --- a/ansible/roles/test_helpers/tasks/main.yml +++ b/ansible/roles/test_helpers/tasks/main.yml @@ -12,30 +12,6 @@ notify: - reload nftables - -# For incoming test helper traffic -- name: Allow traffic on port 8000 (echo) - become: true - tags: test-helpers - blockinfile: - path: /etc/ooni/nftables/tcp/8000.nft - create: yes - block: | - add rule inet filter input tcp dport 8000 counter accept comment "echo" - notify: - - reload nftables - -- name: Allow traffic on port 8001 (json) - become: true - tags: test-helpers - blockinfile: - path: /etc/ooni/nftables/tcp/8001.nft - create: yes - block: | - add rule inet filter input tcp dport 8001 counter accept comment "json" - notify: - - reload nftables - # Create test helpers user - name: Create the testhelpers user ansible.builtin.user: From 901639d95700528b6aaa2c852dc4dee0921bd2fd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Mon, 1 Sep 2025 11:07:20 +0200 Subject: [PATCH 17/18] Updated comment --- tf/environments/dev/main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index 9cd05cc7..9815be3c 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -686,7 +686,6 @@ module "fastpath_builder" { #### Test Helpers Machines -# jsonth and other http helpers module "ooni_test_helpers_json" { source = "../../modules/ec2" 
@@ -742,7 +741,7 @@ module "ooni_test_helpers_json" { } # Echo test helper, requires a dedicated machine bc it's a tcp server, -# not an HTTP server, so it's harder to reroute using nginx +# not an HTTP server. It's impossible to reroute using nginx module "ooni_test_helpers_echo" { source = "../../modules/ec2" From e45f17300c35ba72c0eb044a60647ba5d4806602 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luis=20D=C3=ADaz?= Date: Thu, 4 Sep 2025 11:12:59 +0200 Subject: [PATCH 18/18] Add checksum for test helpers tar download --- ansible/roles/test_helpers/defaults/main.yml | 4 +++- ansible/roles/test_helpers/tasks/main.yml | 11 +++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ansible/roles/test_helpers/defaults/main.yml b/ansible/roles/test_helpers/defaults/main.yml index 2cef1999..a431bc19 100644 --- a/ansible/roles/test_helpers/defaults/main.yml +++ b/ansible/roles/test_helpers/defaults/main.yml @@ -1 +1,3 @@ -test_helpers_url: https://github.com/ooni/test-helpers/releases/download/0.1.0-dbca/test-helpers@0.1.0-dbca.tar.gz +test_helpers_url: https://github.com/ooni/test-helpers/releases/download/0.1.0-1ac1/test-helpers@0.1.0-1ac1.tar.gz +# remember to remove the "sha256:" prefix from github +checksum: 9a7387050412d747df8d0479c004357edfc4cd7825ce7e1c83141e1e0838715c diff --git a/ansible/roles/test_helpers/tasks/main.yml b/ansible/roles/test_helpers/tasks/main.yml index bd728c14..f35613cc 100644 --- a/ansible/roles/test_helpers/tasks/main.yml +++ b/ansible/roles/test_helpers/tasks/main.yml @@ -29,6 +29,17 @@ mode: '0600' become: true +- name: Get checksum of downloaded file + ansible.builtin.stat: + path: "/tmp/test-helpers.tar.gz" + checksum_algorithm: sha256 + register: file_stat + +- name: Verify checksum + ansible.builtin.fail: + msg: "Checksum failed! Expected: {{checksum}} but got: {{file_stat.stat.checksum}}" + when: file_stat.stat.checksum != checksum + - name: Create test helpers temp dir ansible.builtin.file: path: "/tmp/test-helpers"
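Review bot: `checksum` is an unprefixed name in role defaults, the lowest-precedence source, so a `checksum` variable set anywhere else (inventory, group_vars, extra-vars, another role in the play) silently replaces it and the verify step compares against the wrong digest; name it `test_helpers_checksum` to match `test_helpers_url`. Quote the digest as well, `test_helpers_checksum: "9a7387050412d747df8d0479c004357edfc4cd7825ce7e1c83141e1e0838715c"`, since a hex digest that happens to contain only decimal digits would be parsed as an integer and never compare equal to the string that stat returns.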
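Review bot: The stat/fail pair checks the archive only after the download task (which begins outside the hunk) has written it to `/tmp/test-helpers.tar.gz`; `get_url` can verify the digest itself and fail the task on mismatch with `checksum: "sha256:{{ checksum }}"` on that task, which removes both added tasks and the "remove the sha256: prefix" instruction in defaults. The stat task also has no `become:` of its own while the download task does, yet it reads a root-owned `0600` file, so it only works because the playbooks set `become: true` at play level; add `become: true` here or say in a comment that play-level become is assumed. If the separate check stays, `file_stat.stat.checksum` is undefined when the file is absent, so test `file_stat.stat.exists` first, and space the expressions `{{ checksum }}` / `{{ file_stat.stat.checksum }}` like the rest of the role.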