[ooni-dev] Fwd: Ooni / M-Lab Deployment Automation Script

Nathan Wilcox nathan at leastauthority.com
Wed Jul 16 21:44:55 UTC 2014


Hi ooni-dev.  For your viewing pleasure, here is a forward about
tickets related to deploying M-Lab on Ooni (without integration into
mlab-ns).  We'll send these announcements directly to ooni-dev
henceforth.  Enjoy.

---------- Forwarded message ----------
From: Taylor Hornby <taylor at leastauthority.com>
Date: Wed, Jul 16, 2014 at 2:42 PM
Subject: Ooni / M-Lab Deployment Automation Script
To: Liz Pruszko Steininger <steiningerl at rfa.org>, Dan Meredith
<meredithd at rfa.org>, lynna at rfa.org, Roger Dingledine <arma at mit.edu>,
Arturo Filastò <art at torproject.org>, Meredith Whittaker
<meredithrachel at google.com>, Will Hawkins
<hawkinsw at opentechinstitute.org>, Jordan McCarthy
<mccarthy at opentechinstitute.org>, critzo at opentechinstitute.org
Cc: "consultancy at leastauthority.com" <consultancy at leastauthority.com>,
taylor at leastauthority.com, Zooko Wilcox-OHearn
<zooko at leastauthority.com>, Jessica Augustus
<jessica at leastauthority.com>, Nathan Wilcox
<nathan at leastauthority.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear OTF, Ooni, and M-Lab,

We've finished our work for Milestone C. This milestone is about writing
a script for automating the process of deploying Ooni to M-Lab slices.
Since such a script had already been written before we arrived, we
shifted our goals for this milestone as follows:

1. Usability and reliability testing of the existing deployment
   automation scripts.
2. Fix any issues that we identified during that process.

Also part of Milestone C is the credential rotation deliverable, which
is no longer relevant because the mechanism for distributing .ooni
addresses has changed since the contract was negotiated. This is
documented in the following ticket:

    https://github.com/m-lab-tools/ooni-support/issues/32

As part of the first (new) goal, we ran through a deployment several
times using the scripts, which is documented in this ticket:

    https://github.com/m-lab-tools/ooni-support/issues/17

The issues we encountered are summarized in this umbrella ticket:

    https://github.com/m-lab-tools/ooni-support/issues/21

Each issue was split out into separate tickets:

    #23: Fix or document deployment gotcha of deleting $HOME
    https://github.com/m-lab-tools/ooni-support/issues/23

    #24: Specify dependency on yum-cron for installation.
    https://github.com/m-lab-tools/ooni-support/issues/24

    #25: Missing ``/etc/mlab/slice-functions``
    https://github.com/m-lab-tools/ooni-support/issues/25

    #26: Add root uid documentation and check in initialize.sh ...
    https://github.com/m-lab-tools/ooni-support/issues/26

    #27: Fix initialize.sh to create ``/var/spool/mlab_ooni``
    https://github.com/m-lab-tools/ooni-support/issues/27

    #29: Ensure test_helpers can be reached from the public internet
    https://github.com/m-lab-tools/ooni-support/issues/29

    #28: ``stop.sh`` failed to stop multiple processes.
    https://github.com/m-lab-tools/ooni-support/issues/28

    #40: Make openssl an explicit dependency of the Ooni RPM
    https://github.com/m-lab-tools/ooni-support/issues/40

    #12641: IStreamClientEndpointStringParser is Deprecated
    https://trac.torproject.org/projects/tor/ticket/12641#ticket

    #41: Install service_identity
    https://github.com/m-lab-tools/ooni-support/issues/41

    #42: prepare.sh violates ooni-backend's README instructions
    https://github.com/m-lab-tools/ooni-support/issues/42

    #44: Is dependency installation vulnerable to MITM attacks?
    https://github.com/m-lab-tools/ooni-support/issues/44

All of these tickets, with the exception of #40, #12641, #41, #42, and
#44 are now closed. Ticket #40 is a minor issue, but would involve
significant design decisions on M-Lab's part, so we left it open for
M-Lab to close. Ticket #12641 is about the use of a deprecated function
in Ooni, to be fixed by the Ooni team.  Ticket #42 is about a missing
dependency in Ooni for the Ooni team to fix.  Ticket #44 is about
a security vulnerability that requires Ooni collaboration to resolve
(see below).

We also found a new security vulnerability in Ooni:

    #12642: Can Network Attacker Downgrade Dependency Install Security?
    https://trac.torproject.org/projects/tor/ticket/12642#ticket

Our fixes to the issues are contained in three pull requests:

    #36: Improvements to the README.md.
    https://github.com/m-lab-tools/ooni-support/pull/36

    #37: Improvements to the initialize.sh script.
    https://github.com/m-lab-tools/ooni-support/pull/37

    #43: Install dependencies according to ooni-backend README
    https://github.com/m-lab-tools/ooni-support/pull/43

Note that pull request #36 contains work from Milestone B as well.

Please let us know if you have any suggestions, questions, or concerns.


- --
Taylor Hornby
Least Authoritarian

Email:      taylor at leastauthority.com
PGP:        CE3 F8ED D999 F066 C2E2  9124 F6D4 D32C E31C 99FE
Twitter:    @DefuseSec
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----


-- 
Nathan Wilcox
Least Authoritarian

email: nathan at leastauthority.com
twitter: @least_nathan
PGP: 11169993 / AAAC 5675 E3F7 514C 67ED  E9C9 3BFE 5263 1116 9993

