From f7ff1248fe074cd07ab4c526c582712c76e3d8f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 2 Nov 2022 14:05:43 +0100
Subject: [PATCH 1/3] Enable Web UI on private network

---
 nodes/ipfs-1.json | 4 ++--
 site-cookbooks/kosmos-ipfs/attributes/default.rb | 5 +++++
 site-cookbooks/kosmos-ipfs/recipes/default.rb | 9 +++++++++
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/nodes/ipfs-1.json b/nodes/ipfs-1.json
index 2252a37..637f7f2 100644
--- a/nodes/ipfs-1.json
+++ b/nodes/ipfs-1.json
@@ -37,13 +37,13 @@
 "hostname::default",
 "ipfs::default",
 "ipfs::_user",
+ "firewall::default",
+ "chef-sugar::default",
 "kosmos-ipfs::kredits_pinner",
 "kosmos-nodejs::default",
 "nodejs::nodejs_from_package",
 "nodejs::repo",
 "kosmos-ipfs::firewall_swarm",
- "firewall::default",
- "chef-sugar::default",
 "kosmos-nginx::default",
 "nginx::default",
 "nginx::package",
diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb
index e86b20f..466342c 100644
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@@ -1,6 +1,7 @@
 node.normal['ipfs']['version'] = "0.15.0"
 node.normal['ipfs']['checksum'] = "5830ce226956c5e2a2de3a3440704402dd3501c43ec16eeec2d61491317005f2"
+node.default['kosmos-ipfs']['api']['port'] = 5001
 node.default['kosmos-ipfs']['ipfs']['config'] = {
 # The default gateway is already used by kosmos' hubot (8080)
 "Addresses.Gateway" => "/ip4/127.0.0.1/tcp/9090",
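Review bot: `node.default['kosmos-ipfs']['api']['port'] = 5001` adds a second attribute for the same port that `node.default['kosmos-ipfs']['nginx']['api_port'] = 5001`, visible as context further down this file in patch 2/3, already holds, so the two values can drift apart on a later edit. Derive one from the other, e.g. `node.default['kosmos-ipfs']['nginx']['api_port'] = node['kosmos-ipfs']['api']['port']`, or keep a single attribute. The same literal `5001` is repeated in the `Addresses.API` multiaddr added in the next hunk and in the `ipfs_api` firewall rule (hard-coded here, switched to the attribute in patch 3/3); interpolating `node['kosmos-ipfs']['api']['port']` into the multiaddr as well keeps listener, nginx upstream and firewall rule in agreement.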
@@ -8,6 +9,10 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 # lead to a slight performance improvement, as well as a reduction in memory
 # usage.
 'Swarm.DisableBandwidthMetrics' => true,
+ # API with Web UI
+ "Addresses.API" => "/ip4/0.0.0.0/tcp/5001",
+ # Enable bandwith metrics
+ 'Swarm.DisableBandwidthMetrics' => false,
 # Disable the p2p-circuit relay transport
 'Swarm.Transports.Network.Relay' => false,
 # Number of connections that, when exceeded, will trigger a connection GC
diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb
index 30391bc..c4f867a 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@@ -4,6 +4,7 @@
 #
 include_recipe "ipfs"
+include_recipe 'firewall'
 include_recipe "kosmos-ipfs::kredits_pinner"
 node['kosmos-ipfs']['ipfs']['config'].each do |k, v|
@@ -15,3 +16,11 @@ end
 unless node.chef_environment == "development"
 include_recipe "kosmos-ipfs::firewall_swarm"
 end
+
+firewall_rule 'ipfs_api' do
+ port 5001
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+ logging :connections
+end

From b1922d26f61e3d9a5fc2ca7049af8ba59cddf8be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 2 Nov 2022 14:06:07 +0100
Subject: [PATCH 2/3] Allow IPFS connections on private network

(HAProxy is now also using the private network.)

This fixes IPFS connections to Kosmos nodes from outside the network, as well as in between nodes on the private network.

---
 .../kosmos-ipfs/attributes/default.rb | 40 ++++++++++++++++---
 site-cookbooks/kosmos-ipfs/recipes/default.rb | 16 ++++++++
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb
index 466342c..ee892d9 100644
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
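Review bot: The added `'Swarm.DisableBandwidthMetrics' => false` duplicates a key that is still present three lines above with the value `true`; Ruby accepts this with a "key is duplicated and overwritten" warning and the last entry wins, so the hash only has the intended value by accident until the earlier entry is removed — patch 2/3 removes it, but that deletion belongs in this patch. `"Addresses.API" => "/ip4/0.0.0.0/tcp/5001"` binds the RPC API, which does not authenticate callers by itself, on every interface, so reachability is governed solely by the ufw rule added in the recipe; binding to the private-network address, or to `127.0.0.1` with nginx in front as the `nginx.api_port` attribute below hints is already done, would make that independent of firewall state. Whichever is chosen, a comment next to the entry stating where the access control lives, e.g. `# Reachable from the private network only; access is limited by the ufw rule in recipes/default.rb`, would help the next reader. Also `bandwith` in the new comment should read `bandwidth`.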
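Review bot: `include_recipe 'firewall'` uses single quotes while the neighbouring `include_recipe "ipfs"` and `include_recipe "kosmos-ipfs::kredits_pinner"` use double quotes; keep one style in the file, `include_recipe "firewall"`. The `firewall_rule` resources added below mix both styles as well (`'ipfs_api'` next to `"10.1.1.0/24"`).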
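Review bot: `firewall_rule 'ipfs_api'` hard-codes `port 5001` although this patch introduces `node['kosmos-ipfs']['api']['port']` for exactly this value; `port node['kosmos-ipfs']['api']['port']` (which patch 3/3 ends up doing) keeps the rule from diverging from the attribute. The rule also sits outside the `unless node.chef_environment == "development"` guard that wraps `firewall_swarm` directly above it — if that is deliberate because development machines have no private network, a comment saying so, e.g. `# API is bound on all interfaces; this rule is the only thing restricting access to the private network`, would stop a later reader from "fixing" it. `source "10.1.1.0/24"` is the first of several places where this subnet appears as a literal (patch 2/3 repeats it in the outbound rules and derives sixteen AddrFilters from it), so an attribute for the private network would keep them in step.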
@@ -5,10 +5,6 @@ node.default['kosmos-ipfs']['api']['port'] = 5001
 node.default['kosmos-ipfs']['ipfs']['config'] = {
 # The default gateway is already used by kosmos' hubot (8080)
 "Addresses.Gateway" => "/ip4/127.0.0.1/tcp/9090",
- # Do not keep track of bandwidth metrics. Disabling bandwidth metrics can
- # lead to a slight performance improvement, as well as a reduction in memory
- # usage.
- 'Swarm.DisableBandwidthMetrics' => true,
 # API with Web UI
 "Addresses.API" => "/ip4/0.0.0.0/tcp/5001",
 # Enable bandwith metrics
@@ -19,7 +15,41 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 # operation
 'Swarm.ConnMgr.HighWater' => 40,
 # Minimum number of connections to maintain
- 'Swarm.ConnMgr.LowWater' => 20
+ 'Swarm.ConnMgr.LowWater' => 20,
+ # Do not dial out to these IP ranges
+ # We go a bit nuts on the 10.0 range definitions to allow dialouts on our own
+ # private network
+ 'Swarm.AddrFilters' => [
+ '/ip4/10.128.0.0/ipcidr/9',
+ '/ip4/10.64.0.0/ipcidr/10',
+ '/ip4/10.32.0.0/ipcidr/11',
+ '/ip4/10.16.0.0/ipcidr/12',
+ '/ip4/10.8.0.0/ipcidr/13',
+ '/ip4/10.4.0.0/ipcidr/14',
+ '/ip4/10.2.0.0/ipcidr/15',
+ '/ip4/10.0.0.0/ipcidr/16',
+ '/ip4/10.1.128.0/ipcidr/17',
+ '/ip4/10.1.64.0/ipcidr/18',
+ '/ip4/10.1.32.0/ipcidr/19',
+ '/ip4/10.1.16.0/ipcidr/20',
+ '/ip4/10.1.8.0/ipcidr/21',
+ '/ip4/10.1.4.0/ipcidr/22',
+ '/ip4/10.1.2.0/ipcidr/23',
+ '/ip4/10.1.0.0/ipcidr/24',
+ '/ip4/100.64.0.0/ipcidr/10',
+ '/ip4/169.254.0.0/ipcidr/16',
+ '/ip4/172.16.0.0/ipcidr/12',
+ '/ip4/192.0.0.0/ipcidr/24',
+ '/ip4/192.0.0.0/ipcidr/29',
+ '/ip4/192.0.0.8/ipcidr/32',
+ '/ip4/192.0.0.170/ipcidr/32',
+ '/ip4/192.0.0.171/ipcidr/32',
+ '/ip4/192.0.2.0/ipcidr/24',
+ '/ip4/192.168.0.0/ipcidr/16',
+ '/ip4/198.18.0.0/ipcidr/15',
+ '/ip4/198.51.100.0/ipcidr/24',
+ '/ip4/203.0.113.0/ipcidr/24',
+ '/ip4/240.0.0.0/ipcidr/4'],
 }
 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
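Review bot: The sixteen `/ip4/10.…` entries are `10.0.0.0/8` with `10.1.1.0/24` carved out, but the comment `# We go a bit nuts on the 10.0 range definitions…` never names the subnet being left open, so nobody can verify the list or regenerate it when the private network changes; replace it with `# 10.0.0.0/8 minus our private network 10.1.1.0/24, expressed as CIDR blocks` and keep that subnet in a single attribute shared with the firewall rules in the recipe. The list contains only `/ip4/` entries, so if the host has IPv6 connectivity the equivalent private and link-local ranges (`fc00::/7`, `fe80::/10`) are not filtered — worth confirming against the upstream default filter set before treating this as the complete dial-out policy. Closing the array with `'/ip4/240.0.0.0/ipcidr/4'],` on the last element's line is a small style nit; putting `],` on its own line matches the rest of the hash.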
diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb
index c4f867a..3adb0ae 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@@ -24,3 +24,19 @@ firewall_rule 'ipfs_api' do
 command :allow
 logging :connections
 end
+
+firewall_rule 'ipfs_local_p2p_allow_out' do
+ destination "10.1.1.0/24"
+ direction :out
+ protocol :none
+ command :allow
+ logging :connections
+end
+
+firewall_rule 'ipfs_local_p2p_deny_out' do
+ destination "10.0.0.0/8"
+ direction :out
+ protocol :none
+ command :deny
+ logging :connections
+end

From 90b62e3fc102d12e896b6c2b0d3a3b751474f892 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 2 Nov 2022 19:27:09 +0100
Subject: [PATCH 3/3] Remove ufw logging for ipfs

---
 site-cookbooks/kosmos-ipfs/recipes/default.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb
index 3adb0ae..66ef62a 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@@ -18,11 +18,10 @@ unless node.chef_environment == "development"
 end
 firewall_rule 'ipfs_api' do
- port 5001
+ port node['kosmos-ipfs']['api']['port']
 source "10.1.1.0/24"
 protocol :tcp
 command :allow
- logging :connections
 end
 firewall_rule 'ipfs_local_p2p_allow_out' do
@@ -30,7 +29,6 @@ firewall_rule 'ipfs_local_p2p_allow_out' do
 direction :out
 protocol :none
 command :allow
- logging :connections
 end
 firewall_rule 'ipfs_local_p2p_deny_out' do
@@ -38,5 +36,4 @@ firewall_rule 'ipfs_local_p2p_deny_out' do
 direction :out
 protocol :none
 command :deny
- logging :connections
 end
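Review bot: `ipfs_local_p2p_allow_out` and `ipfs_local_p2p_deny_out` only behave as intended if the allow for `10.1.1.0/24` is evaluated before the deny for `10.0.0.0/8`, yet neither sets a `position`, so the ordering rests on how the firewall cookbook orders rules that share the default position; give the allow an explicit lower `position` than the deny (check the resource documentation for the cookbook version in use) instead of relying on declaration order. Both rules use `protocol :none` and no port, so they constrain every outbound connection from the host to 10/8, not only the IPFS daemon the names suggest; any other service on this node that reaches 10/8 outside `10.1.1.0/24` is cut off, which a comment above the rules should state. The `Swarm.AddrFilters` entries in the attributes file already stop IPFS from dialing those ranges, so if these rules are meant as a second layer a comment saying so, e.g. `# Host-level backstop for Swarm.AddrFilters in attributes/default.rb`, prevents a later cleanup from removing one layer believing it is redundant.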
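Review bot: Dropping `logging :connections` from the inbound `ipfs_api` allow rule removes the only record of which hosts reach the API, which does not authenticate callers by itself, while the noisy entries are presumably produced by the outbound rules whose logging is removed in the hunks at `-30` and `-38`. If log volume is the motivation, keeping logging on this inbound allow and on `ipfs_local_p2p_deny_out`, whose hits indicate a misconfigured peer or service rather than normal traffic, and dropping it only from `ipfs_local_p2p_allow_out` preserves the useful signal at little cost. A one-line comment on the rule recording why logging was removed would also stop it from being re-added by the next person who wonders where the API access log went.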