tldr:
- Ansible is a best-in-class tool used to configure servers and applications
- This proposal aims to build an official Ansible role for deploying nodes across different Linux distributions and network topologies, with a choice of DDoS protections, metrics exporters, and logging agents.
- The role aims to encourage heterogeneity of the network with multiple supported and tested configurations while also making it easy for node operators to adopt operational and security best practices
- The features of the module can be used to extend functionality from the other proposed projects, like the [status page], [monitoring & alarms], and [secrets management projects].
Status: Already started
Timeline: January 2020 - 2021+
Background
To run a node on the ICON network, the application needs to be set up on the node with the proper prerequisites. This can be done by running either a series of commands or some kind of script to automate the process. While shell scripts can configure a node automatically, they are often fragile and difficult to maintain, and they generally lead to a lot of repetitious code or terse logic. For these reasons and others, professional node operators use a configuration management solution, with Ansible being the most popular option. This project aims to build an official Ansible collection of roles based on best-in-class development principles and security standards.
Supported Configurations
Linux Distributions
- [ ] Ubuntu
  - [x] 18.04
  - [ ] 20.04 - (April 23, 2020)
- [ ] Debian
- [ ] CentOS
Reverse Proxies
- [ ] Nginx
  - [x] Block42 configuration
  - [ ] Official ICON configuration
- [ ] Envoy
- [ ] HAProxy
- [ ] Rhizome configuration
Secrets Management
- [ ] Vault sidecar container
- [ ] SGX enclave plugin
Network configurations
- [x] Single host
- [ ] HA with Pacemaker
Prometheus Exporters
- [x] Node - system metrics
- [x] Blackbox - HTTP endpoints
- [x] cAdvisor - Docker
- [x] Nginx - network
- [x] SSH - intrusion detection
- [ ] Fluentd - logs
- [ ] Custom
  - [ ] Block finality
  - [ ] Ping time to leader
  - [ ] Cumulative errors
Log Collectors
- [ ] Fluentd
- [ ] OSSEC / Wazuh HIDS agent
Add-ons
- [ ] Blockmove Autostaker
- [ ] Daedric Price Oracle
- [ ] Double signing protector
Execution Plan
This project is being developed by Insight engineers during their fellowships. The projects are tied to the following Insight project seeds.
Fellow Project Seeds DB
Many of the components are built by aggregating best practices developed by the community. The following teams have contributed tools that this project has incorporated or will incorporate into the stack: