Merge pull request 'Fix IPFS node connectivity from the outside as well as the private network' (#442) from bugfix/ipfs_connectivity into master

Reviewed-on: #442
2022-11-02 18:32:44 +00:00 · 2022-11-02 18:32:44 +00:00 · 08bcdcc395
parent b8d6ba4c89 90b62e3fc1
commit 08bcdcc395
3 changed files with 64 additions and 7 deletions
--- a/nodes/ipfs-1.json
+++ b/nodes/ipfs-1.json
@ -37,13 +37,13 @@
      "hostname::default",
      "ipfs::default",
      "ipfs::_user",
+      "firewall::default",
+      "chef-sugar::default",
      "kosmos-ipfs::kredits_pinner",
      "kosmos-nodejs::default",
      "nodejs::nodejs_from_package",
      "nodejs::repo",
      "kosmos-ipfs::firewall_swarm",
-      "firewall::default",
-      "chef-sugar::default",
      "kosmos-nginx::default",
      "nginx::default",
      "nginx::package",
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@ -1,20 +1,55 @@
 node.normal['ipfs']['version'] = "0.15.0"
 node.normal['ipfs']['checksum'] = "5830ce226956c5e2a2de3a3440704402dd3501c43ec16eeec2d61491317005f2"

+node.default['kosmos-ipfs']['api']['port'] = 5001
 node.default['kosmos-ipfs']['ipfs']['config'] = {
  # The default gateway is already used by kosmos' hubot (8080)
  "Addresses.Gateway" => "/ip4/127.0.0.1/tcp/9090",
-  # Do not keep track of bandwidth metrics. Disabling bandwidth metrics can
-  # lead to a slight performance improvement, as well as a reduction in memory
-  # usage.
-  'Swarm.DisableBandwidthMetrics' => true,
+  # API with Web UI
+  "Addresses.API" => "/ip4/0.0.0.0/tcp/5001",
+  # Enable bandwith metrics
+  'Swarm.DisableBandwidthMetrics' => false,
  # Disable the p2p-circuit relay transport
  'Swarm.Transports.Network.Relay' => false,
  # Number of connections that, when exceeded, will trigger a connection GC
  # operation
  'Swarm.ConnMgr.HighWater' => 40,
  # Minimum number of connections to maintain
-  'Swarm.ConnMgr.LowWater' => 20
+  'Swarm.ConnMgr.LowWater' => 20,
+  # Do not dial out to these IP ranges
+  # We go a bit nuts on the 10.0 range definitions to allow dialouts on our own
+  # private network
+  'Swarm.AddrFilters' => [
+                          '/ip4/10.128.0.0/ipcidr/9',
+                          '/ip4/10.64.0.0/ipcidr/10',
+                          '/ip4/10.32.0.0/ipcidr/11',
+                          '/ip4/10.16.0.0/ipcidr/12',
+                          '/ip4/10.8.0.0/ipcidr/13',
+                          '/ip4/10.4.0.0/ipcidr/14',
+                          '/ip4/10.2.0.0/ipcidr/15',
+                          '/ip4/10.0.0.0/ipcidr/16',
+                          '/ip4/10.1.128.0/ipcidr/17',
+                          '/ip4/10.1.64.0/ipcidr/18',
+                          '/ip4/10.1.32.0/ipcidr/19',
+                          '/ip4/10.1.16.0/ipcidr/20',
+                          '/ip4/10.1.8.0/ipcidr/21',
+                          '/ip4/10.1.4.0/ipcidr/22',
+                          '/ip4/10.1.2.0/ipcidr/23',
+                          '/ip4/10.1.0.0/ipcidr/24',
+                          '/ip4/100.64.0.0/ipcidr/10',
+                          '/ip4/169.254.0.0/ipcidr/16',
+                          '/ip4/172.16.0.0/ipcidr/12',
+                          '/ip4/192.0.0.0/ipcidr/24',
+                          '/ip4/192.0.0.0/ipcidr/29',
+                          '/ip4/192.0.0.8/ipcidr/32',
+                          '/ip4/192.0.0.170/ipcidr/32',
+                          '/ip4/192.0.0.171/ipcidr/32',
+                          '/ip4/192.0.2.0/ipcidr/24',
+                          '/ip4/192.168.0.0/ipcidr/16',
+                          '/ip4/198.18.0.0/ipcidr/15',
+                          '/ip4/198.51.100.0/ipcidr/24',
+                          '/ip4/203.0.113.0/ipcidr/24',
+                          '/ip4/240.0.0.0/ipcidr/4'],
 }

 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@ -4,6 +4,7 @@
 #

 include_recipe "ipfs"
+include_recipe 'firewall'
 include_recipe "kosmos-ipfs::kredits_pinner"

 node['kosmos-ipfs']['ipfs']['config'].each do |k, v|
@ -15,3 +16,24 @@ end
 unless node.chef_environment == "development"
  include_recipe "kosmos-ipfs::firewall_swarm"
 end
+
+firewall_rule 'ipfs_api' do
+  port     node['kosmos-ipfs']['api']['port']
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ipfs_local_p2p_allow_out' do
+  destination "10.1.1.0/24"
+  direction   :out
+  protocol    :none
+  command     :allow
+end
+
+firewall_rule 'ipfs_local_p2p_deny_out' do
+  destination "10.0.0.0/8"
+  direction   :out
+  protocol    :none
+  command     :deny
+end