[ooni-dev] Fwd: Ooni / M-Lab Deployment Automation Script
Nathan Wilcox
nathan at leastauthority.com
Wed Jul 16 21:44:55 UTC 2014
Hi ooni-dev. For your viewing pleasure, here is a forward about
tickets related to deploying M-Lab on Ooni (without integration into
mlab-ns). We'll send these announcements directly to ooni-dev
henceforth. Enjoy.
---------- Forwarded message ----------
From: Taylor Hornby <taylor at leastauthority.com>
Date: Wed, Jul 16, 2014 at 2:42 PM
Subject: Ooni / M-Lab Deployment Automation Script
To: Liz Pruszko Steininger <steiningerl at rfa.org>, Dan Meredith
<meredithd at rfa.org>, lynna at rfa.org, Roger Dingledine <arma at mit.edu>,
Arturo Filastò <art at torproject.org>, Meredith Whittaker
<meredithrachel at google.com>, Will Hawkins
<hawkinsw at opentechinstitute.org>, Jordan McCarthy
<mccarthy at opentechinstitute.org>, critzo at opentechinstitute.org
Cc: "consultancy at leastauthority.com" <consultancy at leastauthority.com>,
taylor at leastauthority.com, Zooko Wilcox-OHearn
<zooko at leastauthority.com>, Jessica Augustus
<jessica at leastauthority.com>, Nathan Wilcox
<nathan at leastauthority.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear OTF, Ooni, and M-Lab,

We've finished our work for Milestone C. This milestone is about writing
a script for automating the process of deploying Ooni to M-Lab slices.
Since such a script had already been written before we arrived, we
shifted our goals for this milestone as follows:

1. Usability and reliability testing of the existing deployment
   automation scripts.
2. Fix any issues that we identified during that process.

Also part of Milestone C is the credential rotation deliverable, which
is no longer relevant because the mechanism for distributing .ooni
addresses has changed since the contract was negotiated. This is
documented in the following ticket:

    https://github.com/m-lab-tools/ooni-support/issues/32

As part of the first (new) goal, we ran through a deployment several
times using the scripts, which is documented in this ticket:

    https://github.com/m-lab-tools/ooni-support/issues/17

The issues we encountered are summarized in this umbrella ticket:

    https://github.com/m-lab-tools/ooni-support/issues/21

Each issue was split out into separate tickets:

#23: Fix or document deployment gotcha of deleting $HOME
    https://github.com/m-lab-tools/ooni-support/issues/23
#24: Specify dependency on yum-cron for installation.
    https://github.com/m-lab-tools/ooni-support/issues/24
#25: Missing ``/etc/mlab/slice-functions``
    https://github.com/m-lab-tools/ooni-support/issues/25
#26: Add root uid documentation and check in initialize.sh ...
    https://github.com/m-lab-tools/ooni-support/issues/26
#27: Fix initialize.sh to create ``/var/spool/mlab_ooni``
    https://github.com/m-lab-tools/ooni-support/issues/27
#29: Ensure test_helpers can be reached from the public internet
    https://github.com/m-lab-tools/ooni-support/issues/29
#28: ``stop.sh`` failed to stop multiple processes.
    https://github.com/m-lab-tools/ooni-support/issues/28
#40: Make openssl an explicit dependency of the Ooni RPM
    https://github.com/m-lab-tools/ooni-support/issues/40
#12641: IStreamClientEndpointStringParser is Deprecated
    https://trac.torproject.org/projects/tor/ticket/12641#ticket
#41: Install service_identity
    https://github.com/m-lab-tools/ooni-support/issues/41
#42: prepare.sh violates ooni-backend's README instructions
    https://github.com/m-lab-tools/ooni-support/issues/42
#44: Is dependency installation vulnerable to MITM attacks?
    https://github.com/m-lab-tools/ooni-support/issues/44

All of these tickets, with the exception of #40, #12641, #41, #42, and
#44 are now closed. Ticket #40 is a minor issue, but would involve
significant design decisions on M-Lab's part, so we left it open for
M-Lab to close. Ticket #12641 is about the use of a deprecated function
in Ooni, to be fixed by the Ooni team. Ticket #42 is about a missing
dependency in Ooni for the Ooni team to fix. Ticket #44 is about
a security vulnerability that requires Ooni collaboration to resolve
(see below).

We also found a new security vulnerability in Ooni:

#12642: Can Network Attacker Downgrade Dependency Install Security?
    https://trac.torproject.org/projects/tor/ticket/12642#ticket

Our fixes to the issues are contained in three pull requests:

#36: Improvements to the README.md.
    https://github.com/m-lab-tools/ooni-support/pull/36
#37: Improvements to the initialize.sh script.
    https://github.com/m-lab-tools/ooni-support/pull/37
#43: Install dependencies according to ooni-backend README
    https://github.com/m-lab-tools/ooni-support/pull/43

Note that pull request #36 contains work from Milestone B as well.

Please let us know if you have any suggestions, questions, or concerns.

- --
Taylor Hornby
Least Authoritarian
Email: taylor at leastauthority.com
PGP: CE3 F8ED D999 F066 C2E2 9124 F6D4 D32C E31C 99FE
Twitter: @DefuseSec
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
--
Nathan Wilcox
Least Authoritarian
email: nathan at leastauthority.com
twitter: @least_nathan
PGP: 11169993 / AAAC 5675 E3F7 514C 67ED E9C9 3BFE 5263 1116 9993