tldr:

• Ansible is a best in class tool used to configure servers and applications
• This proposal aims to build a official Ansible role to be used to deploy nodes in different linux distributions, network topologies, DDoS protections, metrics exporters, and logging agents.
• The role aims to encourage heterogeneity of the network with multiple supported and tested configurations while also making it easy for node operators to adopt operational and security best practices
• The features of the module can be used extend functionality from the other proposed projects like the [status page], [monitoring & alarms], and [secrets management projects].

Status: Already started

Timeline: January 2020 - 2021+

Background

To run a node on the ICON network, the application needs to be setup on the node with the proper prerequisites. This can be done by running either a series of commands or some kind of script to automate the process. While shell scripts can configure a node automatically, they are often fragile, difficult to maintain, and generally lead to lots of repetitious code or terse logic that is difficult to maintain. For these reasons and others, professional node operators will use a configuration management solution with Ansible being the most popular option. This project aims to build an official Ansible collection of roles based on best class development principles and security standards.

Supported Configurations

Linux Distributions

• [ ] Ubuntu
  • [x] 18.04
  • [ ] 20.04 - (April 23, 2020)
• [ ] Debian
  • [x] 9
  • [x] 10
• [ ] Centos
  • [ ] 7
  • [ ] 8

Reverse Proxies

• [ ] Nginx
  • [x] Block42 configuration
  • [ ] Official ICON configuration
• [ ] Envoy
• [ ] HA Proxy
  • [ ] Rhizome configuration

Secrets Management

• [ ] Vault sidecar container
• [ ] SGX enclave plugin

Network configurations

• [x] Single host
• [ ] HA with pacemaker

Prometheus Exporters

• [x] Node - system metrics
• [x] Blackbox - http endpoints
• [x] Cadvisor - docker
• [x] Nginx - network
• [x] SSH - intrusion detection
• [ ] Fluentd - logs
• [ ] Custom
  • [ ] Block finality
  • [ ] Ping time to leader
  • [ ] Cumulative errors

Log Collectors

• [ ] Fluentd
• [ ] OSSEC / Wazuh HIDS agent

Add-ons

• [ ] Blockmove Autostaker
• [ ] Daedric Price Oracle
• [ ] Double signing protector

Execution Plan

This project is being developed by Insight engineers during their fellowships. The projects are tied to the following Insight project seeds.

Fellow Project Seeds DB

Many of the components are built from aggregating best practices developed by the community. The following teams have contributed tools that this tool has or will incorporate into the stack: