From f6d9dfbc19380166210cbc0bff0ba8fa8791b060 Mon Sep 17 00:00:00 2001 From: Beardstack Date: Fri, 4 Nov 2022 13:29:13 -0400 Subject: [PATCH 1/9] Refactoring Dockerfile to optimize build time, reduce build layers and remove bloat --- lokinet/lokinet-base.dockerfile | 38 +++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 14 deletions(-) diff --git a/lokinet/lokinet-base.dockerfile b/lokinet/lokinet-base.dockerfile index 8056118..9d11079 100644 --- a/lokinet/lokinet-base.dockerfile +++ b/lokinet/lokinet-base.dockerfile 
@@ -1,24 +1,34 @@ -FROM debian:stable AS lokinet-base +#use argument instead of lsb-release +ARG DEBIAN_RELEASE=bullseye + +FROM debian:${DEBIAN_RELEASE} AS lokinet-base ENV container docker + +ENV RELEASE=${DEBIAN_RELEASE:-bullseye} +#Add oxen public key +ADD --chmod=644 --chown=_apt https://deb.oxen.io/pub.gpg /etc/apt/trusted.gpg.d/lokinet.gpg + # set up packages -RUN /bin/bash -c 'echo "man-db man-db/auto-update boolean false" | debconf-set-selections' -RUN /bin/bash -c 'apt-get -o=Dpkg::Use-Pty=0 -q update && apt-get -o=Dpkg::Use-Pty=0 -q dist-upgrade -y && apt-get -o=Dpkg::Use-Pty=0 -q install -y --no-install-recommends ca-certificates curl iptables dnsutils lsb-release systemd systemd-sysv cron conntrack iproute2 python3-pip wget' -RUN /bin/bash -c 'curl -so /etc/apt/trusted.gpg.d/lokinet.gpg https://deb.oxen.io/pub.gpg' -RUN /bin/bash -c 'echo "deb https://deb.oxen.io $(lsb_release -sc) main" > /etc/apt/sources.list.d/lokinet.list' -RUN /bin/bash -c 'apt-get -o=Dpkg::Use-Pty=0 -q update && apt-get -o=Dpkg::Use-Pty=0 -q dist-upgrade -y && apt-get -o=Dpkg::Use-Pty=0 -q install -y --no-install-recommends lokinet' +# not sure if wget, lsb-release and curl are needed (maybe they can be removed to make a smaller image?) 
+RUN DEBIAN_FRONTEND=noninteractive \ + && echo "deb https://deb.oxen.io ${RELEASE} main" > /etc/apt/sources.list.d/lokinet.list \ + && echo "man-db man-db/auto-update boolean false" | debconf-set-selections \ + && apt update -y \ + && apt full-upgrade -y \ + && apt install -y --no-install-recommends ca-certificates curl iptables dnsutils lsb-release systemd systemd-sysv cron conntrack iproute2 python3-pip wget \ + && apt update -y \ + && apt install -y --no-install-recommends lokinet \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* \ + && mkdir -p /var/lib/lokinet/conf.d \ + && mkdir /data && chown _lokinet:_loki /data -# make config dir for lokinet -RUN /bin/bash -c 'mkdir -p /var/lib/lokinet/conf.d' -# set up private data dir for lokinet -RUN /bin/bash -c 'mkdir /data && chown _lokinet:_loki /data' # print lokinet util -COPY contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh -RUN /bin/bash -c 'chmod 700 /usr/local/bin/print-lokinet-address.sh' +COPY --chmod=700 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh # dns -COPY contrib/lokinet.resolveconf.txt /etc/resolv.conf -RUN /bin/bash -c 'chmod 644 /etc/resolv.conf' +COPY --chmod=644 contrib/lokinet.resolveconf.txt /etc/resolv.conf STOPSIGNAL SIGRTMIN+3 ENTRYPOINT ["/sbin/init", "verbose", "systemd.unified_cgroup_hierarchy=0", "systemd.legacy_systemd_cgroup_controller=0"] From 0b814dbd132afe5e266c1d8f616ed56eee4aaf9d Mon Sep 17 00:00:00 2001 From: Beardstack Date: Fri, 4 Nov 2022 13:50:14 -0400 Subject: [PATCH 2/9] Refactoring Dockerfile to optimize build time, reduce build layers and remove bloat --- lokinet/lokinet-exit-custom.dockerfile | 2 +- lokinet/lokinet-exit.dockerfile | 16 ++++++---------- lokinet/lokinet-nginx.dockerfile | 5 ++++- 3 files changed, 11 insertions(+), 12 deletions(-) diff --git a/lokinet/lokinet-exit-custom.dockerfile b/lokinet/lokinet-exit-custom.dockerfile index 7a03ec1..a478256 100644 --- a/lokinet/lokinet-exit-custom.dockerfile 
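Review bot: `ENV RELEASE=${DEBIAN_RELEASE:-bullseye}` inside the new lokinet-base stage always resolves to `bullseye`, because an `ARG` declared before `FROM` is not visible in the stage unless it is redeclared, so a build with `--build-arg DEBIAN_RELEASE=bookworm` gets a bookworm base image but a bullseye `deb https://deb.oxen.io …` line. Add `ARG DEBIAN_RELEASE` directly after the `FROM` line (and `RELEASE` can then be an `ARG` instead of an `ENV` that persists into the runtime environment). The leading `DEBIAN_FRONTEND=noninteractive \ && …` in the RUN is a bare shell assignment that is not exported to the `apt` commands after it, so it has no effect; use `export DEBIAN_FRONTEND=noninteractive && …`, and the same applies to the nginx RUN in patch 2 and to both RUNs in patch 7. The chain also writes the https oxen source before `ca-certificates` is installed, which the old two-step ordering avoided: if the base image lacks a CA bundle the first `apt update` fails, and if it does not, the second `apt update -y` is redundant since both see identical sources — either move the `echo "deb …"` after the first install or install `ca-certificates` with the first update and drop the second. The `ADD … https://deb.oxen.io/pub.gpg` line fetches the repository signing key — the trust root for every package installed from deb.oxen.io — with no integrity check, just as the removed `curl -so` did; pin it with `ADD --checksum=sha256:<expected-key-digest> …` where the Dockerfile frontend supports it, or fetch it in a RUN and compare it against a known fingerprint before placing it in `/etc/apt/trusted.gpg.d/`.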
+++ b/lokinet/lokinet-exit-custom.dockerfile @@ -1,3 +1,3 @@ FROM registry.oxen.rocks/lokinet-exit:latest -RUN /bin/bash -c 'ln -s /var/lib/lokinet/conf.d/custom.ini /data/custom.ini' +RUN ln -s /var/lib/lokinet/conf.d/custom.ini /data/custom.ini diff --git a/lokinet/lokinet-exit.dockerfile b/lokinet/lokinet-exit.dockerfile index 1600c37..04fb257 100644 --- a/lokinet/lokinet-exit.dockerfile +++ b/lokinet/lokinet-exit.dockerfile @@ -5,17 +5,13 @@ COPY contrib/lokinet-exit.ini /var/lib/lokinet/conf.d/exit.ini # set up system configs COPY contrib/lokinet-exit-sysctl.conf /etc/sysctl.d/00-lokinet-exit.conf -COPY contrib/lokinet-exit-rc.local.sh /etc/rc.local -RUN /bin/bash -c 'chmod 700 /etc/rc.local' +COPY --chmod=700 contrib/lokinet-exit-rc.local.sh /etc/rc.local -COPY contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh -RUN /bin/bash -c 'chmod 700 /usr/local/bin/print-lokinet-address.sh' +COPY --chmod=700 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh # setup cron jobs -COPY contrib/lokinet-kill-scans.sh /usr/local/bin/lokinet-kill-scans.sh -RUN /bin/bash -c 'chmod 700 /usr/local/bin/lokinet-kill-scans.sh' -COPY contrib/lokinet-update-exit-address.sh /usr/local/bin/lokinet-update-exit-address.sh -RUN /bin/bash -c 'chmod 700 /usr/local/bin/lokinet-update-exit-address.sh' +COPY --chmod=700 contrib/lokinet-kill-scans.sh /usr/local/bin/lokinet-kill-scans.sh +COPY --chmod=700 contrib/lokinet-update-exit-address.sh /usr/local/bin/lokinet-update-exit-address.sh + +COPY --chmod=644 contrib/lokinet-exit.crontab /etc/cron.d/lokinet-exit -COPY contrib/lokinet-exit.crontab /etc/cron.d/lokinet-exit -RUN /bin/bash -c 'chmod 644 /etc/cron.d/lokinet-exit' diff --git a/lokinet/lokinet-nginx.dockerfile b/lokinet/lokinet-nginx.dockerfile index 5172ae7..ff45960 100644 --- a/lokinet/lokinet-nginx.dockerfile +++ b/lokinet/lokinet-nginx.dockerfile 
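Review bot: Every line in the lokinet-exit.dockerfile hunk now relies on `COPY --chmod=…`, a BuildKit-only flag that the classic builder rejects as an unknown flag, and nothing in the file declares that requirement; the same holds for the base Dockerfile in patch 1 (`ADD --chmod`, `COPY --chmod`). Add `# syntax=docker/dockerfile:1` as the first line of each Dockerfile that uses these flags so the frontend is pinned and the requirement is explicit. The exit image's `FROM` line is above this hunk, so its parent image cannot be checked here.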
@@ -1,6 +1,9 @@ FROM registry.oxen.rocks/lokinet-base:latest -RUN /bin/bash -c 'apt-get -o=Dpkg::Use-Pty=0 -q update && apt-get -o=Dpkg::Use-Pty=0 -q dist-upgrade -y && apt-get -o=Dpkg::Use-Pty=0 -q install -y --no-install-recommends nginx' +RUN DEBIAN_FRONTEND=noninteractive \ + && apt update -y \ + && apt apt full-upgrade -y \ + && apt install -y --no-install-recommends nginx # set up configs for lokinet nginx COPY contrib/lokinet-nginx.ini /var/lib/lokinet/conf.d/nginx.ini From b55522fc9fcdf164642ae2227dc92b6e9697d8ac Mon Sep 17 00:00:00 2001 From: Beardstack Date: Fri, 4 Nov 2022 14:14:51 -0400 Subject: [PATCH 3/9] Refactoring Dockerfile to optimize build time, reduce build layers and remove bloat --- lokinet/lokinet-base.dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lokinet/lokinet-base.dockerfile b/lokinet/lokinet-base.dockerfile index 9d11079..22db418 100644 --- a/lokinet/lokinet-base.dockerfile +++ b/lokinet/lokinet-base.dockerfile @@ -1,7 +1,7 @@ #use argument instead of lsb-release ARG DEBIAN_RELEASE=bullseye -FROM debian:${DEBIAN_RELEASE} AS lokinet-base +FROM debian:${DEBIAN_RELEASE}-slim AS lokinet-base ENV container docker ENV RELEASE=${DEBIAN_RELEASE:-bullseye} @@ -15,7 +15,7 @@ RUN DEBIAN_FRONTEND=noninteractive \ && echo "man-db man-db/auto-update boolean false" | debconf-set-selections \ && apt update -y \ && apt full-upgrade -y \ - && apt install -y --no-install-recommends ca-certificates curl iptables dnsutils lsb-release systemd systemd-sysv cron conntrack iproute2 python3-pip wget \ + && apt install -y --no-install-recommends ca-certificates iptables dnsutils systemd systemd-sysv cron conntrack iproute2 python3-pip \ && apt update -y \ && apt install -y --no-install-recommends lokinet \ && apt-get clean \ From 5f755f999233c02dac74582f94ea10533722ef34 Mon Sep 17 00:00:00 2001 
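Review bot: The new nginx RUN ends after `apt install -y --no-install-recommends nginx` without the `apt-get clean && rm -rf /var/lib/apt/lists/*` that the base image's RUN performs, so the package indexes downloaded by its own `apt update` are baked into this layer — the bloat the series sets out to remove; append `&& apt-get clean && rm -rf /var/lib/apt/lists/*` to the chain, and the same gap remains in patch 7's rewrite of this RUN. The third line, `apt apt full-upgrade -y`, is a typo that aborts the build at this commit; patch 7 corrects it, so the two commits should be squashed to keep every commit in the series buildable.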
From: beardstack <33128510+beardstack@users.noreply.github.com> Date: Fri, 4 Nov 2022 18:39:53 +0000 Subject: [PATCH 4/9] Update lokinet/lokinet-exit.dockerfile These ones are privileged Co-authored-by: Jason Rhinelander --- lokinet/lokinet-exit.dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lokinet/lokinet-exit.dockerfile b/lokinet/lokinet-exit.dockerfile index 04fb257..e195028 100644 --- a/lokinet/lokinet-exit.dockerfile +++ b/lokinet/lokinet-exit.dockerfile @@ -10,8 +10,8 @@ COPY --chmod=700 contrib/lokinet-exit-rc.local.sh /etc/rc.local COPY --chmod=700 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh # setup cron jobs -COPY --chmod=700 contrib/lokinet-kill-scans.sh /usr/local/bin/lokinet-kill-scans.sh -COPY --chmod=700 contrib/lokinet-update-exit-address.sh /usr/local/bin/lokinet-update-exit-address.sh +COPY --chmod=700 contrib/lokinet-kill-scans.sh /usr/local/sbin/lokinet-kill-scans.sh +COPY --chmod=700 contrib/lokinet-update-exit-address.sh /usr/local/sbin/lokinet-update-exit-address.sh COPY --chmod=644 contrib/lokinet-exit.crontab /etc/cron.d/lokinet-exit From 7898d6efaf085699371d1213d0e26e126b97282c Mon Sep 17 00:00:00 2001 From: majestrate Date: Fri, 4 Nov 2022 16:05:59 -0400 Subject: [PATCH 5/9] use 755 for permissions Co-authored-by: Jason Rhinelander --- lokinet/lokinet-base.dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lokinet/lokinet-base.dockerfile b/lokinet/lokinet-base.dockerfile index 22db418..0fef938 100644 --- a/lokinet/lokinet-base.dockerfile +++ b/lokinet/lokinet-base.dockerfile @@ -25,7 +25,7 @@ RUN DEBIAN_FRONTEND=noninteractive \ # print lokinet util -COPY --chmod=700 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh +COPY --chmod=755 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh # dns COPY --chmod=644 contrib/lokinet.resolveconf.txt /etc/resolv.conf 
From 7b895b330298e6c496335c8a3c720f232447b89c Mon Sep 17 00:00:00 2001 From: majestrate Date: Fri, 4 Nov 2022 16:06:10 -0400 Subject: [PATCH 6/9] use 755 for permissions Co-authored-by: Jason Rhinelander --- lokinet/lokinet-exit.dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lokinet/lokinet-exit.dockerfile b/lokinet/lokinet-exit.dockerfile index e195028..39a59e7 100644 --- a/lokinet/lokinet-exit.dockerfile +++ b/lokinet/lokinet-exit.dockerfile @@ -7,7 +7,7 @@ COPY contrib/lokinet-exit.ini /var/lib/lokinet/conf.d/exit.ini COPY contrib/lokinet-exit-sysctl.conf /etc/sysctl.d/00-lokinet-exit.conf COPY --chmod=700 contrib/lokinet-exit-rc.local.sh /etc/rc.local -COPY --chmod=700 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh +COPY --chmod=755 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh # setup cron jobs COPY --chmod=700 contrib/lokinet-kill-scans.sh /usr/local/sbin/lokinet-kill-scans.sh From 6d1b71687e449cbbf314c16eaa51dbb970aebe40 Mon Sep 17 00:00:00 2001 From: Beardstack Date: Sat, 5 Nov 2022 12:14:58 -0400 Subject: [PATCH 7/9] More tweaks --- lokinet/lokinet-base.dockerfile | 11 +++++------ lokinet/lokinet-exit.dockerfile | 3 +++ lokinet/lokinet-nginx.dockerfile | 6 +++--- 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/lokinet/lokinet-base.dockerfile b/lokinet/lokinet-base.dockerfile index 0fef938..1360ff7 100644 --- a/lokinet/lokinet-base.dockerfile +++ b/lokinet/lokinet-base.dockerfile 
@@ -9,15 +9,14 @@ ENV RELEASE=${DEBIAN_RELEASE:-bullseye} ADD --chmod=644 --chown=_apt https://deb.oxen.io/pub.gpg /etc/apt/trusted.gpg.d/lokinet.gpg # set up packages -# not sure if wget, lsb-release and curl are needed (maybe they can be removed to make a smaller image?) RUN DEBIAN_FRONTEND=noninteractive \ && echo "deb https://deb.oxen.io ${RELEASE} main" > /etc/apt/sources.list.d/lokinet.list \ && echo "man-db man-db/auto-update boolean false" | debconf-set-selections \ - && apt update -y \ - && apt full-upgrade -y \ - && apt install -y --no-install-recommends ca-certificates iptables dnsutils systemd systemd-sysv cron conntrack iproute2 python3-pip \ - && apt update -y \ - && apt install -y --no-install-recommends lokinet \ + && apt-get update -y \ + && apt-get dist-upgrade -y \ + && apt-get install -y --no-install-recommends ca-certificates iptables dnsutils systemd systemd-sysv cron conntrack iproute2 \ + && apt-get update -y \ + && apt-get install -y --no-install-recommends lokinet \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* \ && mkdir -p /var/lib/lokinet/conf.d \ diff --git a/lokinet/lokinet-exit.dockerfile b/lokinet/lokinet-exit.dockerfile index 39a59e7..c12212d 100644 --- a/lokinet/lokinet-exit.dockerfile +++ b/lokinet/lokinet-exit.dockerfile @@ -7,8 +7,11 @@ COPY contrib/lokinet-exit.ini /var/lib/lokinet/conf.d/exit.ini COPY contrib/lokinet-exit-sysctl.conf /etc/sysctl.d/00-lokinet-exit.conf COPY --chmod=700 contrib/lokinet-exit-rc.local.sh /etc/rc.local +<<<<<<< HEAD COPY --chmod=755 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh +======= +>>>>>>> b13525e (More tweaks) # setup cron jobs COPY --chmod=700 contrib/lokinet-kill-scans.sh /usr/local/sbin/lokinet-kill-scans.sh COPY --chmod=700 contrib/lokinet-update-exit-address.sh /usr/local/sbin/lokinet-update-exit-address.sh diff --git a/lokinet/lokinet-nginx.dockerfile b/lokinet/lokinet-nginx.dockerfile index ff45960..90a1c98 100644 --- a/lokinet/lokinet-nginx.dockerfile 
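Review bot: The lokinet-exit.dockerfile hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> b13525e (More tweaks)`) into the Dockerfile, which makes it unparseable at this commit; patch 8 deletes them again, so the two commits should be squashed so that every commit in the series builds. The intended resolution drops `COPY --chmod=755 contrib/print-lokinet-address.sh …` from the exit image, which is only correct if the exit image's `FROM` (above this hunk, presumably lokinet-base) is rebuilt from the patch 1 base that already installs the script — worth confirming in the build order.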
+++ b/lokinet/lokinet-nginx.dockerfile @@ -1,9 +1,9 @@ FROM registry.oxen.rocks/lokinet-base:latest RUN DEBIAN_FRONTEND=noninteractive \ - && apt update -y \ - && apt apt full-upgrade -y \ - && apt install -y --no-install-recommends nginx + && apt-get update -y \ + && apt-get dist-upgrade -y \ + && apt-get install -y --no-install-recommends nginx # set up configs for lokinet nginx COPY contrib/lokinet-nginx.ini /var/lib/lokinet/conf.d/nginx.ini From 583e4dcfb4ee002e16c3846550076941a98f53a8 Mon Sep 17 00:00:00 2001 From: Beardstack Date: Sat, 5 Nov 2022 12:19:42 -0400 Subject: [PATCH 8/9] More tweaks --- lokinet/lokinet-exit.dockerfile | 5 ----- 1 file changed, 5 deletions(-) diff --git a/lokinet/lokinet-exit.dockerfile b/lokinet/lokinet-exit.dockerfile index c12212d..c189b04 100644 --- a/lokinet/lokinet-exit.dockerfile +++ b/lokinet/lokinet-exit.dockerfile @@ -7,11 +7,6 @@ COPY contrib/lokinet-exit.ini /var/lib/lokinet/conf.d/exit.ini COPY contrib/lokinet-exit-sysctl.conf /etc/sysctl.d/00-lokinet-exit.conf COPY --chmod=700 contrib/lokinet-exit-rc.local.sh /etc/rc.local -<<<<<<< HEAD -COPY --chmod=755 contrib/print-lokinet-address.sh /usr/local/bin/print-lokinet-address.sh - -======= ->>>>>>> b13525e (More tweaks) # setup cron jobs COPY --chmod=700 contrib/lokinet-kill-scans.sh /usr/local/sbin/lokinet-kill-scans.sh COPY --chmod=700 contrib/lokinet-update-exit-address.sh /usr/local/sbin/lokinet-update-exit-address.sh From 46f8af140592f569b5a280b9794fbe2431dcb066 Mon Sep 17 00:00:00 2001 
From: beardstack Date: Sun, 6 Nov 2022 10:24:51 -0500 Subject: [PATCH 9/9] Code analysis and questions --- lokinet/contrib/lokinet-auth.ini | 3 ++- lokinet/contrib/lokinet-authserv.service | 10 +++++++++- lokinet/contrib/lokinet-exit-broker.service | 5 ++++- lokinet/contrib/lokinet-exit-rc.local.sh | 3 +++ lokinet/contrib/lokinet-exit-sysctl.conf | 9 ++++++++- lokinet/contrib/lokinet-exit.crontab | 4 ++++ lokinet/contrib/lokinet-exit.ini | 6 +++++- lokinet/contrib/lokinet-firewall.crontab | 8 ++++++++ lokinet/contrib/lokinet-kill-scans.sh | 7 ++++++- lokinet/contrib/lokinet-nginx.ini | 2 ++ lokinet/contrib/lokinet-update-exit-address.sh | 3 +++ lokinet/contrib/lokinet-update-firewall.sh | 2 ++ 12 files changed, 56 insertions(+), 6 deletions(-) diff --git a/lokinet/contrib/lokinet-auth.ini b/lokinet/contrib/lokinet-auth.ini index 0db3802..b1312a2 100644 --- a/lokinet/contrib/lokinet-auth.ini +++ b/lokinet/contrib/lokinet-auth.ini @@ -1,3 +1,4 @@ +#What is this ip? [network] auth=lmq -auth-lmq=tcp://10.0.3.1:5555 \ No newline at end of file +auth-lmq=tcp://10.0.3.1:5555 diff --git a/lokinet/contrib/lokinet-authserv.service b/lokinet/contrib/lokinet-authserv.service index e21ab18..4bed9cf 100644 --- a/lokinet/contrib/lokinet-authserv.service +++ b/lokinet/contrib/lokinet-authserv.service @@ -1,3 +1,11 @@ +# where is logic.py coming from? +# /var/lib/lokinet-exit-provider/logic.py +# what is the format/options of /data/lokinet-exit-broker.env / what are it's default contents? +# I assume that it's an authentication server of some kind for the exit node +# I could be wrong but I believe that this is meant to behave as a separate authenticaton server +# if it is then when running without systemd, then maybe I'd want to run it in a separate container. + + [Unit] Description=Lokinet authserv: exit authentication server Wants=network.target 
@@ -12,4 +20,4 @@ ExecStart=/usr/bin/python3 -m lokinet.auth --cmd /var/lib/lokinet-exit-provider/ Restart=always [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target diff --git a/lokinet/contrib/lokinet-exit-broker.service b/lokinet/contrib/lokinet-exit-broker.service index c417a06..6e8806a 100644 --- a/lokinet/contrib/lokinet-exit-broker.service +++ b/lokinet/contrib/lokinet-exit-broker.service @@ -1,3 +1,6 @@ +# Need some clarification on what this does. + + [Unit] Description=Lokinet exit broker: exit broker webapp thing Wants=nginx.service @@ -12,4 +15,4 @@ ExecStart=/usr/bin/gunicorn3 exit_broker:app Restart=always [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target diff --git a/lokinet/contrib/lokinet-exit-rc.local.sh b/lokinet/contrib/lokinet-exit-rc.local.sh index 6b77fcd..2c6f75d 100644 --- a/lokinet/contrib/lokinet-exit-rc.local.sh +++ b/lokinet/contrib/lokinet-exit-rc.local.sh @@ -1,6 +1,7 @@ #!/bin/bash # wait for lokinet +# to do what? How can we tell if lokinet has done what it needs to do? sleep 10 # flush iptables @@ -18,6 +19,8 @@ if_range=$(ip addr show $if_name | grep inet\ | sed 's/inet //' | cut -d' ' -f5 # add ipv4 forward rule iptables -t nat -A POSTROUTING -s $if_range -o $exit_if -j MASQUERADE + +#I'm not sure what the loop below is supposed to do. It only runs once on port 25? # drop outbound ports for port in 25 ; do iptables -A FORWARD -p tcp --dport $port -j REJECT --reject-with tcp-reset -s $if_range diff --git a/lokinet/contrib/lokinet-exit-sysctl.conf b/lokinet/contrib/lokinet-exit-sysctl.conf index 5dc89ec..1223f33 100644 --- a/lokinet/contrib/lokinet-exit-sysctl.conf +++ b/lokinet/contrib/lokinet-exit-sysctl.conf 
@@ -1,3 +1,10 @@ +# This file can become redundant when using compose. +# sysctls: +# - net.ipv4.ip_forward=1 +# - net.ipv6.conf.all.forwarding=1 +# + + # ip forwarding allowed net.ipv4.ip_forward=1 -net.ipv6.conf.all.forwarding=1 \ No newline at end of file +net.ipv6.conf.all.forwarding=1 diff --git a/lokinet/contrib/lokinet-exit.crontab b/lokinet/contrib/lokinet-exit.crontab index e4c20e1..d9ad532 100644 --- a/lokinet/contrib/lokinet-exit.crontab +++ b/lokinet/contrib/lokinet-exit.crontab @@ -1,3 +1,7 @@ +# This file could become redundant together with the usage of cron; since it's repeating continously - why not use an infinite loop for the address update? +# +# lokinet-kill-scans.sh script seems like a bad idea .. details in the file + # lokinet exit cronjobs SHELL=/bin/bash diff --git a/lokinet/contrib/lokinet-exit.ini b/lokinet/contrib/lokinet-exit.ini index 162dd3e..967a2c4 100644 --- a/lokinet/contrib/lokinet-exit.ini +++ b/lokinet/contrib/lokinet-exit.ini @@ -1,3 +1,7 @@ +# This file could also become redundant if we have a script generate run time values based on arguments/env variables/docker secrets +# I am not sure what other options can be configured. + + [network] exit=true keyfile=/data/exit.private @@ -6,4 +10,4 @@ paths=8 [router] min-connections=18 -max-connections=20 \ No newline at end of file +max-connections=20 diff --git a/lokinet/contrib/lokinet-firewall.crontab b/lokinet/contrib/lokinet-firewall.crontab index c9e3395..35d454c 100644 --- a/lokinet/contrib/lokinet-firewall.crontab +++ b/lokinet/contrib/lokinet-firewall.crontab 
@@ -1,3 +1,11 @@ +# it seems that the purpose of this cronjob is to download/apply a block list through iptables +# This is problematic for several reasons +# 1. Some legit IPs could be blocked and would be hard to find +# 2. Running it is not optional +# 3. Rather than run in the 'container', it should run separately inside a privileged container using the host namespace, the reason being +# that the container is attached to DOCKER-USER chain instead of INPUT, the rules will be applied only to containers. +# any packets coming into the INPUT chain will bypass these rules that now reside under the FORWARD chain. + # lokinet firewall cronjobs SHELL=/bin/bash diff --git a/lokinet/contrib/lokinet-kill-scans.sh b/lokinet/contrib/lokinet-kill-scans.sh index 9865968..5e9c0f4 100644 --- a/lokinet/contrib/lokinet-kill-scans.sh +++ b/lokinet/contrib/lokinet-kill-scans.sh @@ -1,7 +1,12 @@ #!/bin/bash # # run every minute with cron -# +# If I understand correctly, this script is responsible for blocking IPs that are attempting to DDOS the server with SYN FLOOD type attacks. +# There are some issues with this script, it would be much better to implement it using fail2ban with an expiry time, ability to whitelist and notify +# I could be wrong but it could cause an issue if the SYN/ACK packets are coming from IPs masquerading as legit SNs as a way to impact the network? +# https://serverfault.com/questions/640873/how-to-ban-syn-flood-attacks-using-fail2ban +# This seems like a more elegant solution + for ip in $( conntrack -p tcp -L | grep SYN_SENT | cut -d'=' -f 2 | cut -d' ' -f 1 | sort | uniq -c | awk '$1 > 1000 { print $2 ; }' ) ; do echo "banning $ip" diff --git a/lokinet/contrib/lokinet-nginx.ini b/lokinet/contrib/lokinet-nginx.ini index 74e0308..d31a97a 100644 --- a/lokinet/contrib/lokinet-nginx.ini +++ b/lokinet/contrib/lokinet-nginx.ini @@ -1,2 +1,4 @@ +#What is the purpose of this file? + [network] keyfile=/data/nginx.private 
diff --git a/lokinet/contrib/lokinet-update-exit-address.sh b/lokinet/contrib/lokinet-update-exit-address.sh index 7f0b0c0..176fc7c 100644 --- a/lokinet/contrib/lokinet-update-exit-address.sh +++ b/lokinet/contrib/lokinet-update-exit-address.sh @@ -1,3 +1,6 @@ +# what is the purpose of the lokinet-addr.txt file? +# what process uses it? + #!/bin/bash print-lokinet-address.sh > /data/lokinet-addr.txt chmod 444 /data/lokinet-addr.txt diff --git a/lokinet/contrib/lokinet-update-firewall.sh b/lokinet/contrib/lokinet-update-firewall.sh index 1b066a5..e8e9761 100644 --- a/lokinet/contrib/lokinet-update-firewall.sh +++ b/lokinet/contrib/lokinet-update-firewall.sh @@ -1,5 +1,7 @@ #!/bin/bash +# There's definitely a better way to do this. + # get lokinet's address if_name=lokitun0 if_range=$(ip addr show $if_name | grep inet\ | sed 's/inet //' | cut -d' ' -f5)
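Review bot: The three lines added at the top of lokinet-update-exit-address.sh are placed above `#!/bin/bash`, so the shebang is no longer on line 1 and is inert; when the script is executed directly the interpreter is whatever the caller falls back to rather than bash. Keep `#!/bin/bash` as the first line and put the comment below it, as the rc.local and update-firewall hunks in this commit do.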