fititnt / ap-application-load-balancer

AP Application Load Balancer (AP-ALB). Sophisticated monolithic Ansible role to manage standalone and clustered cross-platform and multicloud load balancers. Abstracts HAProxy + OpenResty + on-the-fly automatic HTTPS. Dedicated to the Public Domain.

Home Page: https://ap-application-load-balancer.etica.ai/

License: The Unlicense

Shell 32.59% Lua 48.12% Python 19.29%
application-load-balancer ansible-role load-balancer letsencrypt

ap-application-load-balancer's Introduction

AP Application Load Balancer - v0.9.0-beta

GitHub: fititnt/ap-application-load-balancer Website: ap-application-load-balancer.etica.ai

AP-ALB is not a single piece of software, but Infrastructure as Code via an Ansible Role to automate the creation and maintenance of load balancers with features common on the expensive Application Load Balancers of some cloud providers (e.g. Alibaba, AWS, Azure, GCloud, IBM, etc). It can be used both to create your own ALB on cheaper hardware on these same cloud providers or to have your own ALB on any other provider of VPSs or bare metal servers. And yes, it handles automatic HTTPS for you on-the-fly, even for clusters of ALBs, like the enterprise versions of Traefik or Caddyserver.

AP-ALB is flexible: you can either use dedicated very small VPSs with the role of load balancing to other services, or replace your Apache/NGinx/HAProxy on each server with AP-ALB. Consider around 64MB of RAM per node as a baseline. (So, if you are deploying on a dedicated 1GB VPS, consider at least reusing the same node by putting a Varnish-Cache behind the AP-ALB!)

New on v0.8: in addition to the single-node setup, you can now deploy a 3-node Highly Available AP-ALB Cluster using Consul instead of the local filesystem. We recommend using the Ansible Role brianshumate.consul for setup and management of the Consul component. Examples can be found at fititnt/ansible-linux-ha-cluster.

(asciicast demo recording; see the link below)

The source code for this demo is at https://github.com/fititnt/ansible-linux-ha-cluster/releases/tag/demo-003-ap-alb-v0.8.7-beta. The roles brianshumate.consul (v2.5.3, 2019-11-14) and githubixx.ansible_role_wireguard (v4.1.1, 2019-11-11) are not part of AP-ALB; they are used to demonstrate a cross-platform cluster.



The Solution Stack of AP-ALB

One line emoji explanation:

☺️ 🤖 🔚 UFW (:1-65535) 🔚 HAProxy (:80, :443) 🔚 OpenResty (:8080, :4443 🔒) 🔚 App

See Advanced usage.

AP-ALB Goals

Content moved to docs/goals/index.md.

AP-ALB Non-Goals

Content moved to docs/goals/index.md.

Quickstart Guide

The minimum you should already know to use AP-ALB

Note: this guide assumes that you at least

  1. Have Ansible installed on some computer
    1. https://docs.ansible.com: Installation Guide
    2. Tip: if it is your first time with Ansible, this computer is likely to be your own computer and NOT the server where you want to install the ALB
  2. Have at least one VPS or bare metal server that can be controlled by your Ansible installation
  3. Have basic knowledge of how to use Ansible Playbooks
    1. https://docs.ansible.com: Working With Playbooks
    2. Hint: ap-application-load-balancer can be imported as an Ansible Role, but it is not released on Ansible Galaxy (this means you can copy some version of AP-ALB and place it in the sub-folder roles/ap-application-load-balancer)

Complete examples using AP-ALB

Quickstart on how to hotfix/debug production servers

See debugging-quickstart.md.

ALB components

Content moved to docs/component/index.md.

Advanced usage

Lua

Lua is a fantastic language! It is actually easier to learn Lua and implement some advanced rules than to push Apache/NGinx configurations too far.

Tip: you will very likely use Lua 5.1, because it is the version implemented by LuaJIT, which OpenResty is built on (meaning it is faster and has more library support).

ALB Internals

See ALB Internals (working draft).

Risk mitigation

"Layered security, also known as layered defense, describes the practice of combining multiple mitigating security controls to protect resources and data." — Layered security on Wikipedia

AP-ALB, as one Infrastructure as Code way to implement a single server or a cluster of servers working as Application Load Balancers, is designed to work with acceptable risks without relying on features that are not available on very cheap VPSs without enterprise features (like private networking, extra disks, snapshots), while still being relatively sysadmin (user) friendly for what it is really doing. By extension, this also means it will work with mixed setups (e.g. some VPSs could be on expensive AWS, while others are on other cloud providers, like Azure, or cheaper but very good ones, like Contabo).

Still use passwords for intra-cluster communications (We're looking at you, Redis, MongoDB...)

TL;DR: if a software component supports authentication, with AP-ALB you SHOULD implement this layer of defence even if 80% of the guides on the internet teach how to use it without. This is not a strong requirement if you are using AP-ALB inside the same region of a cloud provider with support for private networking, or if you implement IPSec/OpenVPN, but even in these cases it is still better to already have your services ready to expand and to avoid human error with future misconfigurations.

Some software in particular (like Redis and MongoDB) tends to have friendly guides that will work securely (securely as in "from outside attacks, not from errors inside your network") without any need for authentication. An unauthenticated Redis or MongoDB that becomes reachable from outside your trust boundary gives anyone who finds it full read/write access to its data. There are so many things that can go wrong that the performance overhead of authentication and the extra steps in your scripts are not plausible excuses.

Even if AP-ALB does not manage your service on another VPS, you may eventually want to use HAProxy to load balance a service that is not on localhost, but on that VPS. And the easiest ways to do this are likely to go charlie-foxtrot.

Should you use private networking from your cloud provider? Should you implement IPSec/OpenVPN?

TL;DR: not required, but it is a good idea if you can.

If some of your hosts are on a cloud provider where you already have the option of extra firewalls or private networking between the VPSs in that region, yes, that's a good idea. You already paid, use it.

About implementing IPSec/OpenVPN or equivalent to do Software-Defined Networking, it's up to you, but since it can be non-trivial to implement, we try not to depend on this. As of ALB v0.8.0-alpha we do not have Components to automate the creation of a private network, but you could still use the Shared options or do the initial setup without Ansible automation.

Prefer guides that assume security requirements for geo-distributed applications

TL;DR: This last topic under Risk mitigation is about where you can find relevant information.

Do not assume the same level of security as private networking in the same datacenter: the average guide on the internet (in particular the ones from cloud providers) will assume both, and sometimes they are so reliant on this feature that they will suggest no authentication at all for intra-cluster communication, even when the underlying software allows and strongly encourages its use.

One generic protip here: when in doubt about guides, check the same guides but for "geo-distributed applications/replication" or "multicloud". Even if you do not implement IPSec or OpenVPN, the average guide on how to configure the applications in that scenario will very likely still rely on authentication for the apps that need to talk with each other.

FAQ

  • Which version of AP-ALB should you use?
    • Choose at ap-application-load-balancer/releases. You can use the master branch, but we recommend reviewing new updates. ALB is meant to be used non-stop on production servers, so you can stick with some version or maintain your own private changes.
  • How much overhead of RAM and CPU does a server with AP-ALB have compared with alternative NameOfAlternative?
    • The overhead of HAProxy and OpenResty is low (see the 64MB per node baseline above). Trust me.
  • Is AP-ALB meant to be installed only on frontend servers that are exposed on public IPs and then access internal servers?
    • This use is just one of the cases (and the most intuitive compared to cloud ALBs)
    • BUT you can also have, for example, both
      • all-in-one (both Application/Network Load Balancer and some PHP/Python/Java/Etc servers) on a single machine or
      • AP-ALB servers behind AP-ALB servers.
  • If AP-ALB can be installed "on everything", does that mean even on database servers?
    • If both your application server and database server are on the same host, yes
    • But if you have to choose between putting a network load balancer (the HAProxy) on the database server(s) or on the application server(s) (the ones running PHP/Python/NodeJS/Java/Etc), put it on your application servers.

License

Public Domain

To the extent possible under law, Etica.AI has waived all copyright and related or neighboring rights to this work to Public Domain.


ap-application-load-balancer's Issues

MVP of AP-ALB inside Alpine Linux

This issue is related to making the minimum changes to allow AP-ALB to run, even with limited functionality, on Alpine Linux

Dedicated ALB component `SanityCheck`

This issue is for creating, in the v0.7.x series, an MVP of a component dedicated to doing sanity checks. These checks should be

  • based on what is enabled or not on that host (so it will not check UFW if it is not enabled for that host)
  • must try to follow the same folder patterns if they are not for multiple components
    • tasks/sanitycheck/ufw tests component tasks/ufw/
  • Must be enabled by default and be the very first ALB component to run.

On some of my private tests with ALB v0.7.0-alpha (this time using several hosts at once) it is so impressive to be able to configure several machines using only some Ansible inventories that I think this module could really be the place where I could put some extra checks, because it is too easy to eventually put a full ALB (the HAProxy+OpenResty) on the wrong node.

Maybe in addition to these sanity checks we could even enable some sort of way for a person to create a lock file on hosts, so that even if months or years later the same person or someone else tries to run it, they will at least have to manually go on that host and delete the lock file.

MVP of AP-ALB demo with at least one way to share configurations created on run time across cluster

Required by ALB v0.8.x and clustering related options #17

In the drafts on fititnt/ap-alb-cluster-demo I'm already testing Redis (that is why Configurable HAProxy Advanced Redis Health Check #19), and one of the main reasons was to share Let's Encrypt secrets (and the fact that GUI/lua-resty-autossl supports Redis as just point-click use).

But there is a catch here: not that Redis for our type of usage would not work, but it both could be used for real services on the same hosts (and then disincentivize usage of AP-ALB) and also something I knew from the start was that solutions like Etcd/Consul would be much more aligned with such needs.

So, this issue is for testing any solution that could at least work for one v0.8 demo. It also means that #17 is likely to be a release that maybe will take more time than the last ones, and maybe not even achieve a beta state before v0.9.


Review to follow the Filesystem Hierarchy Standard 3.0


TODO: take time and review the full latest Filesystem Hierarchy Standard
and, if needed, make some small adaptations to the AP-ALB structure. See
https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard and
https://refspecs.linuxfoundation.org/FHS_3.0/fhs-3.0.pdf
(fititnt, 2019-12-05 21:41 BRT)

Things that we could implement from https://refspecs.linuxfoundation.org/FHS_3.0/fhs-3.0.pdf
that are not implemented yet on Directory structures.

  • /opt/alb/
  • /var/opt
    • 5.12. /var/opt : Variable data for /opt
      • "Variable data of the packages in /opt must be installed in /var/opt/< subdir >, where < subdir >
        is the name of the subtree in /opt where the static data from an add-on software package is stored, except
        where superseded by another file in /etc. No structure is imposed on the internal arrangement of /var/
        opt/"
      • "Rationale Refer to the rationale for /opt"
  • /var/cache/alb/?
    • FHS 3.0 5.5. /var/cache : Application cache data
      • "/var/cache is intended for cached data from applications. Such data is locally generated as a result of
        time-consuming I/O or calculation. The application must be able to regenerate or restore the data. Unlike
        /var/spool, the cached files can be deleted without data loss. The data must remain valid between
        invocations of the application and rebooting the system."
      • "Files located under /var/cache may be expired in an application specific manner, by the system
        administrator, or both. The application must always be able to recover from manual deletion of these files
        (generally because of a disk space shortage). No other requirements are made on the data format of the
        cache "

ALB v0.8.x and clustering related options

The ALB v0.7.4-beta was just released and I will give a try to dedicate the ALB v0.8.x to implementing clustering related options with the following limitations:

  1. The implementation should not require floating IPs
    1. Most of the well-known and very efficient HA setups actually require this (like keepalived). The type of audience and VPS prices we're targeting does not
      1. To put in perspective, it can be cheaper to spin up FOUR 8GB RAM VPSs on some providers than just pay for one ALB on AWS to route to the VPSs (not included in the price)
  2. The implementation should not require additional disks or complex, hard to automate, disk formatting on the main disk
    1. DRBD requires this, so we will have to look for alternatives.

To avoid too much overthinking, these are allowed:

  1. The implementation could require a minimum number of targets bigger than 2
    1. Some providers where users pay for floating IPs could in theory allow just 2 in some specific cases
  2. The implementation could (at first) require a very specific number of hosts
    1. 3 is a good number.
  3. The implementation is free to decide what strategy to use if it means being easier to set up and maintain in the long term and with less human intervention.
    1. So it is free to choose Active/Active, Master/slaves, Active/Standby
    2. For data that could be recreated on demand (like Let's Encrypt secrets) the implementation does not need to be ACID compliant.
      1. In the worst case scenario a split-brain should not put down the cluster of Load Balancers.

Maybe I will not be able to even make an MVP of this in a way that could be automated and released in ALB working out of the box, but this issue is about giving it a try.

Create a `DevTools`-like group of tasks

This issue is for creating a group of tasks, for sure disabled by default, that could have tools not really essential to run a server, but that I very often need when debugging or inspecting the servers.

MVP of AP-ALB demo with wireguard for private networking

We will use Wireguard as the VPN implementation for the first clustered demo. And the external Ansible role very likely will be https://github.com/mawalu/wireguard-private-networking.

Note: the Wireguard role (like the Consul external role) is not part of AP-ALB, and is used in the demo just as an example. Wireguard is not considered as production-ready / enterprise-friendly as other VPN solutions, and merging Wireguard inside AP-ALB would make the full AP-ALB not production-ready (considering high standards). AP-ALB just should work very fine with private networking, and since I really want to make working demos, we will do it with this one.

MVP of ALB Hooks (Custom tasks)

The concept of running an optional task list when events are triggered was mostly inspired by the way ansistrano works. I obviously knew the general idea before (but more on the programming side), but not when used to automate deployments. And this actually is very powerful, since it helps to, for example

  • Reduce the need to add too much functionality to the AP-ALB core
    • And, for example, if a user could actually turn off some features that tend to be less flexible across different OSs (check my comment here), like with alb_manange_haproxy_repository: no, a hook that could be triggered before the ALB/HAProxy runs could allow the user to specify his own tasks to install the repository
  • Reduce the need to create other roles for simpler things
    • By simple, I mean not deploying a full Galera Cluster in HA mode
    • A good example would be one-file installs of, for example, PHP-FPM, maybe creating folders if they do not already exist, etc
    • Most

This issue to remember to later eventually add (and document, this is important) how one user could inform tasks that would run before or after some events.

At Application/Sysapplication level

At this moment, we just have basic (but somewhat functional) hooks at app level, see #app_hook_after and #app_hook_before.

Actually, this implementation was easier to do than I expected. I should have started doing this type of hook before.

At AP-ALB level

Some hooks that seem to be more ideal in the short term would be at least 2 for each subcomponent (one to run before, and another to run after).


About Accidental vs Essential Complexity on Hooks

Implementing hooks can actually get more complex than needed. This is one of the reasons (and another note to self) to maybe start with the documentation and only then implement.

For example we could put hooks triggered by nearly any type of event in the life cycle, but if it is getting too complex to explain, it is likely to get too complex to maintain and be reused (and then be something that would stop working in the long run and get deprecated)

App option: `X-Robots-Tag` + robots.txt with `noindex,nofollow` value


Issue about implementing a way to, via app configuration, allow enforcing a hint for search engines to not index nor follow the content of all pages of the app.

As for sysapps, this should be enabled by default (maybe not even allow disabling it).

Security information: note that this does not mean that AP-ALB would block non-humans; also this feature should not be considered as safe as password protection or 2FA

AP-ALB demo with MariaDB Galera Cluster (using external Ansible Roles)


While MariaDB clustering is not a core feature of AP-ALB, its load balancing may become a need for our HAProxy. Another important point here (and the reason not to take time to create this feature from scratch) is that any role that implements such a feature should be well tested, so there is a reason to take special care on how to use this role.

From the last days, we already have some MVP of the role openstack/openstack-ansible-galera_server. It's a 3 Node Ubuntu 18.04 LTS, so it's not as complex as the current demo of ansible-linux-ha-cluster. The first impression using this role was: it's not on Ansible Galaxy, but it seems very well tested. On the initial tests, I tried to force the requirements.yml to enforce one specific released version, but for some reason it failed. For now I'm using just master at:
https://github.com/fititnt/ansible-linux-ha-cluster/blob/af3e0fc4266ffd97859d632995e8146b78962d9d/requirements.yml

Expose `lua-resty-auto-ssl` allow_domain functionality to end user (Let's Encrypt auto HTTPS)

The AP-ALB v0.4-beta still does not expose to the user ways to customize the allow_domain, not even as a function. This issue is for improving this.

This is our current rule that is hardcoded (not even customizable with Ansible).

    # Initial setup tasks.
    init_by_lua_block {
      auto_ssl = (require "resty.auto-ssl").new()

      -- Define a function to determine which SNI domains to automatically handle
      -- and register new certificates for. Defaults to not allowing any domains,
      -- so this must be configured.
      auto_ssl:set("allow_domain", function(domain)
        return true
      end)

      auto_ssl:init()
    }

It's ok for testing (it whitelists everything), and in fact it was in the documentation of GUI/lua-resty-auto-ssl, but it can hit Let's Encrypt limits fast for invalid domains pointing to the IP of the server.
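As an added example (not code from this issue, from AP-ALB or from lua-resty-auto-ssl), the following Lua module shows what a customizable rule could look like once it is exposed: an explicit allowlist of hostnames, normalised before lookup, with an optional one-label wildcard. The hostnames, the module name alb_allow_domain and the wildcard convention are assumptions for illustration. It is plain Lua 5.1, so it can be exercised outside OpenResty.

```lua
-- alb_allow_domain.lua: added example, not AP-ALB or lua-resty-auto-ssl code.
-- Replaces the "return true" rule above with an explicit allowlist, so random
-- SNI names pointed at this IP cannot trigger Let's Encrypt requests.
-- Plain Lua 5.1 (the version LuaJIT/OpenResty implement); no network calls,
-- because allow_domain runs inside the TLS handshake and must stay cheap.

local M = {}

-- Hypothetical allowlist; AP-ALB would template this from Ansible variables.
-- Exact hostnames map to true. A "*." entry allows exactly one extra label
-- (foo.apps.example.org, but not a.b.apps.example.org) and still issues a
-- normal per-hostname certificate, not a wildcard one.
M.allowed = {
  ["example.org"]        = true,
  ["www.example.org"]    = true,
  ["*.apps.example.org"] = true,
}

-- Lowercase, strip one trailing dot, reject anything that is not a string.
function M.normalize(domain)
  if type(domain) ~= "string" then return nil end
  local name = domain:lower():gsub("%.$", "")
  return name
end

-- Syntactic sanity check: 1..253 chars, labels of 1..63 chars made of
-- letters, digits and hyphens, no label starting or ending with a hyphen.
function M.is_hostname(name)
  if type(name) ~= "string" or #name == 0 or #name > 253 then return false end
  for label in (name .. "."):gmatch("([^.]*)%.") do
    if #label == 0 or #label > 63 then return false end
    if not label:match("^[%w%-]+$") or label:match("^%-") or label:match("%-$") then
      return false
    end
  end
  return true
end

-- The function to hand to auto_ssl:set("allow_domain", ...).
-- lua-resty-auto-ssl passes extra arguments; they are intentionally ignored.
function M.allow_domain(domain)
  local name = M.normalize(domain)
  if not name or not M.is_hostname(name) then return false end
  if M.allowed[name] then return true end
  local parent = name:match("^[^.]+%.(.+)$")   -- drop the first label
  return (parent ~= nil) and (M.allowed["*." .. parent] == true)
end

return M
```

Wiring it in means replacing the `function(domain) return true end` above with `require("alb_allow_domain").allow_domain`. Because allow_domain is called during the TLS handshake, keep it to table lookups as here (no DNS or HTTP calls). With a real allowlist, an unknown SNI name no longer triggers a certificate request; nginx serves the statically configured fallback certificate instead, which is exactly what keeps the Let's Encrypt quota intact.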

MVP of Consul storage adapter to lua-resty-auto-ssl


I will try to do some MVP of a storage adapter for https://github.com/GUI/lua-resty-auto-ssl using https://github.com/hamishforbes/lua-resty-consul as the library to talk with Consul.

GUI/lua-resty-auto-ssl does not have formal documentation on how to implement an adapter, but looking at redis.lua (134 lines) and file.lua (92 lines) it is likely to be easier to learn the bare minimum of Lua to make a Consul adapter than the not-very-efficient way of creating some way to synchronize Consul both ways with files in some folder.

If it takes too much time or hits some hard issues I will prioritize other tasks. But this open issue here is to try to do some Minimal Viable Product that could just work.

Rewrite/document standard folders for ALB and variables names

At this moment the only custom directory that needs documentation is /var/log/application_load_balancer/ for logs. But the short name "alb" seems not to have issues with other software (at least not for Debian distros) and also is shorter.

OpenResty stores all data on /usr/local/openresty/; even for configuration files from the original NGinx it uses /usr/local/openresty/nginx/ to avoid conflict. I guess that we should do the same.

For now, we need at least places for logs. But we will really need soon some places to put at least some debugging files (or hello world pages). And also to allow some shorter configuration options (and avoid users specifying everything) we would need, in addition to logging files, also a default place to, for example, put files for static content based on app_uid.

Also, this structure has to somewhat work fine with the ap-application-load-balancer-extras

MVP of configurable HAProxy redirecting for non-localhosts OpenResty

Our /templates/nlb-strategy/haproxy-minimal.cfg.j2 pre v0.8.x is really too minimal. We don't even have some way to, via variables, define the redirection of ports 80->8080 and 443->4443 for a host different from localhost, so a user would need to use a custom haproxy.cfg.

This issue is for us to make it more friendly. It does not need to be perfect (and maybe the fallback without extra user configuration could still redirect to localhost) but we should allow some customization here.

RHEL/CentOS 8 and missing lua/luarocks base repositories for OpenResty

RHEL/CentOS 8 is so new that some base repositories that are strong requisites, like luarocks for GUI/lua-resty-auto-ssl, are not available for immediate use. This may need some work that very likely would need to be disabled later.

As for OpenResty itself, from https://openresty.org/en/linux-packages.html we're setting as base the RHEL 8.x x86_64 (instead of the hardcoded CentOS 7.x x86_64).

MVP of standard health checks that works across different datacenters with acceptable security

Most big cloud load balancers assume health checks do not require any validation at all. They do not even have an option for basic auth. They assume the path between the health checker and the destination is already on a private network, and if that is not the case, I think very likely the end user would eventually just create a semi-secret public URL that will be reused for years

At templates/alb/strategy/partials/alb_health_check.conf.j2 at this moment we have a draft that allows the user to customize the prefixes (so, this somewhat would be equivalent to what other cloud LBs would give to the user).

The big issue on AP-ALB is that what is somewhat an exception on cloud LBs is very likely to be common for our users. So our defaults should assume this context of either heterogeneous datacenters or allowing work without VPN.

This actually is a very, very complicated topic to make it work both with low overhead (a strong requirement for health checks) and acceptably secure, even if the MVP implementation maybe does not require much more code than what already exists.


Security considerations
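As an added example (not AP-ALB code, and not the draft in alb_health_check.conf.j2), here is one way to make a health-check location acceptably secure without a VPN while keeping the per-request cost to a couple of table lookups and one string compare: require a shared token header and restrict the source to an allowlist of IPv4 ranges. The token value, the header name X-ALB-Health-Token, the RFC 5737 documentation ranges and the module name are assumptions. Everything except M.access() is plain Lua 5.1 and runs outside OpenResty.

```lua
-- alb_health_guard.lua: added example, not part of AP-ALB.
-- Guards a health-check URL with (1) a source-IP allowlist and (2) a shared
-- token header, so the check can cross untrusted networks without becoming
-- a "semi-secret public URL". Plain Lua 5.1; only M.access() needs OpenResty.

local M = {}

-- Constructed settings for illustration; AP-ALB would template these from
-- Ansible variables. Ranges are RFC 5737 documentation prefixes.
M.token = "x7Q2m9v4Lk0PzRt8Wc1NbY6Hs3Ja5Ue2"   -- hypothetical random secret
M.header = "x-alb-health-token"                -- hypothetical header; lowercase,
                                               -- as ngx.req.get_headers() keys it
M.allowed_sources = { "198.51.100.0/24", "203.0.113.7/32" }

-- Parse a dotted-quad IPv4 into an integer (no bit library needed on 5.1).
local function ipv4_to_int(s)
  local a, b, c, d = tostring(s):match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not a then return nil end
  a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
  if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
  return ((a * 256 + b) * 256 + c) * 256 + d
end

-- True if ip (dotted quad) is inside cidr ("a.b.c.d/n").
function M.in_cidr(ip, cidr)
  local net, bits = cidr:match("^([%d%.]+)/(%d+)$")
  bits = tonumber(bits)
  local ipn, netn = ipv4_to_int(ip), ipv4_to_int(net or "")
  if not ipn or not netn or not bits or bits > 32 then return false end
  local block = 2 ^ (32 - bits)        -- size of the network block
  return math.floor(ipn / block) == math.floor(netn / block)
end

-- Compare without returning early on the first mismatching byte.
-- (Length is still observable; acceptable for a fixed-size token.)
function M.const_eq(a, b)
  if type(a) ~= "string" or type(b) ~= "string" then return false end
  local diff = (#a == #b) and 0 or 1
  for i = 1, math.max(#a, #b) do
    if (a:byte(i) or 0) ~= (b:byte(i) or 0) then diff = diff + 1 end
  end
  return diff == 0
end

-- Core decision, pure and testable: returns true, or false plus a reason.
function M.check(remote_addr, headers)
  local from_allowed = false
  for _, cidr in ipairs(M.allowed_sources) do
    if M.in_cidr(remote_addr, cidr) then from_allowed = true; break end
  end
  if not from_allowed then return false, "source not allowed" end
  if not M.const_eq(headers and headers[M.header], M.token) then
    return false, "missing or wrong token"
  end
  return true
end

-- OpenResty glue for the health-check location's access_by_lua_block.
-- Rejects with 404 rather than 401/403 so the endpoint is not advertised.
function M.access()
  local ok, reason = M.check(ngx.var.remote_addr, ngx.req.get_headers())
  if not ok then
    ngx.log(ngx.WARN, "health check rejected from ", ngx.var.remote_addr, ": ", reason)
    return ngx.exit(ngx.HTTP_NOT_FOUND)
  end
end

return M
```

Mount it in the health-check location with `access_by_lua_block { require("alb_health_guard").access() }`. One caveat specific to the AP-ALB stack: HAProxy sits in front of OpenResty, so ngx.var.remote_addr is the HAProxy node unless the real client address is passed through (PROXY protocol, or an X-Forwarded-For header that only HAProxy is trusted to set). Without that, the source allowlist only proves the request came via HAProxy, and the token is the control that actually matters.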

ALB on BSD Systems

This issue started with AP-ALB v0.8.x adaptations to support RHEL/CentOS 8 family and design changes to allow flexibility even for non-tested OSs #34. This issue is most likely to be a place to mention things on ALB that are different from the other systems and/or a place to mention what is not implemented.

Note: I do not use BSD systems in production, but this does not mean that, when viable, I will not at least make the base ALB have some bare minimum compatibility. Initially the ALB is tested on FreeBSD 12.


About BSDs & Ansible

Ansible Packages related to BSD

Ansible System modules related to BSD

BSD service management


Update 1:

  • Created BSD service management section

More tests with ALB + Consul for scenarios with total reconstruction of a node from scratch


Bootstrapping an MVP of a Consul cluster using an external role, brianshumate.consul (https://github.com/brianshumate/ansible-consul), was initially less complicated than I imagined.

I accidentally discovered that rejoining a cluster after total destruction of a node (I erased the old one, and recreated it from scratch) may not be 100% automatic. Instead of going too deep now, I'm just marking this issue here to recheck later with more attention.

Potentially related to

One thing that I suspect could be related to quorum.

Improved HAProxy Stats Page with v0.7.x new options

Previous #7 pre v0.5.0-alpha.


This is our round on trying to make the stats page integrated with the v0.7.x new options.

The #7 worked fine, but was not integrated with alb_dmz vars, for example, and needed dedicated IPs. This issue could make it more intuitive.

ALB on Arch Linux


This issue, like ALB on BSD Systems #37 and ALB on Debian distribution #41, may have specific comments related to this OS.

The initial state of Arch Linux on AP-ALB since release v0.8.x is similar to OpenSUSE and FreeBSD. Actually, Arch Linux may be one of the easier ones that require compiling OpenResty to add full support.

MVP of implementation of proxy protocol awareness on AP-ALB

AP-ALB v0.8.x documentation migration to dedicated place

The README.md has a lot of content [1536 lines (1262 sloc)] and we're running out of heading levels that HTML/Markdown can support.

This issue is about improving this situation. And also starting to care about being findable in search results outside GitHub (something that starts to make sense when eventually we get out of alpha and beta releases).

Convert AP-ALB tests to testinfra


It is a fact that well written idempotent Ansible Roles/Playbooks are already good for testing the actual state of the infrastructure. For just testing without applying, there is even the Check Mode ("Dry Run").

But here with AP-ALB it is more complex than the average individual Ansible Role, even when running on a single node. One of the implications of this is that even just checking what ports are used by what service becomes important. We already have some drafts on files/alb-cli-tools but writing more complex shell scripts to do some quick testing may be less portable.

Because of the Implementation of Ansible Molecule on AP-ALB & travis-ci integration #2, we ideally would already need to create some tests to check if all is ok, so I will take the opportunity to already use Testinfra on more than just the continuous integration testing.

MVP of Sysapps

On AP-ALB we have the concept of 'App', somewhat like an "OpenResty conf proxy rule related to one end user application". But there are some applications where we could use the very own AP-ALB App rules to proxy for internal administrative functions.

The idea with this MVP is for now to somewhat copy the structure of what is done with Apps, but use different paths, folders, etc and eventually even allow implementing some ACLs more specific to all sysapps than having to change each app item to specify itself as system.

MVP of Consul in High Availability (HA) for AP-ALB


What is Consul?

Consul is a service mesh solution providing a full featured control plane with service discovery, configuration, and segmentation functionality.
(...)
KV Store: Applications can make use of Consul's hierarchical key/value store for any number of purposes, including dynamic configuration, feature flagging, coordination, leader election, and more. The simple HTTP API makes it easy to use.
(...)
Multi Datacenter: Consul supports multiple datacenters out of the box. This means users of Consul do not have to worry about building additional layers of abstraction to grow to multiple regions.
From https://www.consul.io/intro/index.html


Since AP-ALB v0.8.x needs some way to share information to work as a cluster, it means the underlying solution should be reliable and is critical for High Availability.

Consul already implements features out of the box for High Availability both in a single datacenter and in multiple datacenters. This is more than we want for the initial MVP of the demo.

Also, by using Consul (or Etcd) AP-ALB is much more aligned with the clustering trends common for example on Kubernetes Clusters. One advantage over the initial MVP using just Redis is that both Consul and Etcd do not require HAProxy.

AP-ALB v0.8.x adaptations to support RHEL/CentOS 8 family and design changes to allow flexibility even for non-tested OSs

Refs #17 (comment).

AP-ALB, since 3 August (~125 days), was only tested on Ubuntu/Debian systems. The Ansible roles used on the demo fititnt/ansible-linux-ha-cluster, with the exception of AP-ALB itself, are already compatible with RHEL/CentOS.

At least for Roles related to MariaDB/MySQL clusters, it is easier to find well maintained ones that work on RHEL/CentOS than recent ones for Debian/Ubuntu. So this is already a good reason to make AP-ALB compatible with RHEL/CentOS in the very short term.

ALB `bootstrap` group of tasks (similar to `common`)

Instead of the optional common, since with more OSs things can get complicated, a new, this time strongly recommended, group of tasks could be responsible for tasks that are really, really needed at the very start of a node, and may not be required to run so often.

One example would be a user, with gather_facts: no, being able to install at least python on the remote host, or get basic info about what could go wrong.

After this, maybe the idea would be to make sure that, for the packages one node is interested in setting up, all repositories that would need to be prepared already exist.

And then, maybe, the tasks related to creating directories, that today are on non-subfolders like tasks/alb-init.yml, could be moved to this group.

MVP of some internal Network Load Balancer

The main reason for this repository is to be an Application Load Balancer (since most people would likely not use a full project like this for something that could maybe be done directly with HAProxy).

But some things (even if fast enough) could be more complex to do with the NGinx server blocks that we use for our L7 LB, and also put too much pressure on logging.

This issue is for us to consider testing or adding some way to redirect ports. But, as my initial idea on #1, maybe this could be the main reason to use AP-ALB.

ALB on Debian distribution

Issue related to AP-ALB v0.8.x adaptations to support RHEL/CentOS 8 family and design changes to allow flexibility even for non-tested OSs #34

This is also a topic similar to ALB on BSD Systems #37. So it is likely to stay open forever.


This issue contains quick references about ALB on the very specific Debian distribution. This does not include operating systems based on the Debian OS Family (like Ubuntu).

DontBreakDebian

About APT and repositories


Edit: added references about apt configuration

MVP of PHP bootstrapping (only for most common cases; and as extra feature)

In the most idealistic scenario, any Application Load Balancer would only proxy requests. Since it is fairly easy to proxy local files, we already do this, to avoid too much custom NGINX scripting for some common cases of ALBs for simpler setups.

This issue is to consider adding, as an extra feature, also templating out PHP-FPM files if one or more services actually run on the same server where AP-ALB is running. Since we're already doing this, and to avoid recommending that someone use an extra repository just for this, it could make sense to also allow installation of PHP-FPM and some modules here.

Maybe this will also later require adding the equivalent to run Java or Tomcat. But for now I'm just avoiding adding more Ansible roles to another repository that is mostly meant to handle data warehousing IaC, and creating a full PHP installation, full Java/Tomcat etc. for each submodule would need some refactoring later.

Configurable HAProxy Advanced Redis Health Check


This issue is not about creating a role to install Redis without external dependencies (...not yet) but about allowing some way, via specifications under some `alb_*` variables, to make changes to the HAProxy component of AP-ALB to deploy the already well-tested HAProxy Advanced Redis Health Check.

At https://github.com/fititnt/ap-alb-cluster-demo we're testing the role davidwittman.redis, and we could just make ALB play very nicely with it and document it well.
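For reference, this is the pattern the "Advanced Redis Health Check" name refers to, written out as an added example rather than as the role's template: HAProxy speaks the Redis protocol in its `tcp-check` sequence and only marks UP the node whose `INFO replication` reports `role:master`, so a promoted replica takes traffic and a demoted master stops receiving writes. Addresses and the `REDIS_PASSWORD` placeholder are illustrative.

```haproxy
# Added example of the tcp-check based Redis master check; not an AP-ALB template.
frontend ft_redis
    bind 127.0.0.1:6379 name redis
    mode tcp
    default_backend bk_redis

backend bk_redis
    mode tcp
    option tcp-check
    # If requirepass is set on Redis, authenticate first (the escaped space is
    # HAProxy syntax); remove these two lines when no password is configured.
    tcp-check send AUTH\ REDIS_PASSWORD\r\n
    tcp-check expect string +OK
    tcp-check send PING\r\n
    tcp-check expect string +PONG
    # Only the instance currently acting as master passes the check
    tcp-check send info\ replication\r\n
    tcp-check expect string role:master
    tcp-check send QUIT\r\n
    tcp-check expect string +OK
    server redis1 10.0.1.21:6379 check inter 1s
    server redis2 10.0.1.22:6379 check inter 1s
    server redis3 10.0.1.23:6379 check inter 1s
```

Two things to check before exposing this through the role: the `AUTH` line puts the Redis password into `haproxy.cfg`, so that file needs restrictive permissions and the value should come from vaulted `alb_*` variables rather than plain inventory; and a frontend bound to anything other than loopback or the cluster's private network hands raw Redis access to whoever can reach it, since HAProxy adds no authentication of its own in `mode tcp`.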

MVP of AP-ALB inside docker containers

For production environments the general (or at least initial and current, for AP-ALB v0.8.x) idea is to run on VPSs and bare metal. Actually, one of the main ideas behind AP-ALB was to be a frontend load balancer for non-container apps and (via Ansible playbooks) container backends, like Kubernetes [*], but also to help with software that already implements high availability and might better not run inside containers either (think MySQL/MariaDB, for example).

However, it is possible to run ALB nodes inside containers. And since this actually is a requirement for Implementation of Ansible Molecule on AP-ALB & travis-ci integration #2, this is an issue to document non-production usage of AP-ALB inside Docker containers.


*: One of the reasons to explicitly not want to optimize AP-ALB for containers was that a production-grade ALB would also require production-grade containers, and the extra moving parts due to the underlying infrastructure (the containers, not AP-ALB itself) could in practice have fewer 9's of availability than fewer nodes (or just one standby backup node) of AP-ALB directly on VPSs or bare metal. Another reason is that load balancers specialized in containers already exist that would do a similar job to what AP-ALB would do (like Traefik, even if the non-enterprise version does not offer high availability out of the box).

MVP of optional backup strategies for apps/sysapps that cannot be recreated from scratch with Ansible

About the draft of backup-alb-full.yml / uninstall-alb-purge.yml

At /ad-hoc-alb/backup-alb-full.yml we already have one way to do a simple backup of the main configuration files created by AP-ALB.

At this moment it does not have an option to not discard application logs, but as an MVP it somewhat works. It also does not implement a script that could do the reverse.

That script was made mainly because of ad-hoc-alb/uninstall-alb-purge.yml, which tries to nearly uninstall all of AP-ALB from a host and delete everything; by default that purge will first call ad-hoc-alb/backup-alb-full.yml if the user did not explicitly disable backup before uninstall.

About this issue

On this issue, maybe it is just some MVP about documenting in YAML whether one app, on a specific host, contains some directory that could hold data worth saving from time to time, or that in a worst-case scenario would be the one used to "move" apps from one node to another after total reconstruction of a node.

Note that this issue may not implement the full logistics (for example, there may exist some external roles that could already synchronize encrypted backups from one directory to some remote source). But this MVP maybe could at least add new options to the Apps and Sysapps and then either create a symlink, or copy the files to another directory, and that one is the one that should be handled by the backup strategy.

Default backup strategy

Since it could be simpler, maybe the default backup could be simply a copy of the full directory without external dependencies.

Non-goals

For the sake of simplicity, we will assume backup of files only. So if eventually there are databases or some other storage, we could at best allow some hooks to be called before and after the actions, but the underlying result should be a file or a directory of files, preferably files that could be optimized by common backup strategies to use less bandwidth and remote space.
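The default strategy plus the before/after hooks from the two sections above, as an added shell example that is not the project's ad-hoc-alb/backup-alb-full.yml: the only output is a tarball of one directory, a database dump can be produced by a pre hook so that it lands inside that directory, and a post hook can clean it up again. The hook file names `.alb-backup-pre` and `.alb-backup-post` and the calling convention are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the AP-ALB project's own backup playbook: file-only backup
# of one app directory with optional pre/post hooks. Hook names are assumed.
set -eu

# alb_backup_dir SRC_DIR DEST_DIR -> prints the archive path it created
# - runs SRC_DIR/.alb-backup-pre if present and executable (e.g. a DB dump into SRC_DIR)
# - archives SRC_DIR into DEST_DIR as a tarball readable by the owner only
# - runs SRC_DIR/.alb-backup-post afterwards (e.g. removing the dump)
alb_backup_dir() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "alb_backup_dir: not a directory: $src" >&2; return 1; }
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"

    if [ -x "$src/.alb-backup-pre" ]; then
        "$src/.alb-backup-pre" "$src" "$dest"
    fi

    # umask 077 keeps the archive private: app directories often hold secrets.
    # -C with '.' stores relative paths, which is what a restore with
    # "tar -xzf ARCHIVE -C TARGET" expects.
    (umask 077 && tar -czf "$archive" -C "$src" .)

    # A failing post hook is not swallowed: set -e aborts and the caller sees it.
    if [ -x "$src/.alb-backup-post" ]; then
        "$src/.alb-backup-post" "$src" "$dest" "$archive"
    fi

    echo "$archive"
}

# alb_backup_verify ARCHIVE FILE -> exit 0 when FILE (relative to the app dir) is in ARCHIVE
alb_backup_verify() {
    tar -tzf "$1" | grep -qx "./$2"
}
```

Hooks run with the privileges of whoever runs the backup, and they live inside the directory being backed up, so a writable app directory lets its owner execute code at backup time; run this as the app's own user, or keep the hooks outside the app directory and root-owned, depending on the trust model of the node.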

MVP of AP-ALB demo with at least one Virtual Private Network

This issue is strongly related to ALB v0.8.x and clustering related options #17.

While I was working on the clustered AP-ALB demo, unlike the version where nodes do not need to talk with each other beyond the internal routing, the clustered version would either require lots of documentation related to security OR at least give some option to implement any VPN. Both decisions would require time (and the second one maybe not really much, even in the short term), so this issue is about delivering one demo with this option.

I stopped for a few hours yesterday and was looking at what to use to implement it:

Some alternatives (at time of writing)

OpenVPN

No. Not for this. It's not designed for "mesh networks" (it would somewhat require star networks, which means a SPoF) and is not even easy enough to implement to be worth the time.

IPSec++ (++ = with extensions)

This would be the most industry-standard to implement. It's not trivial to get right, but it is one of the most efficient. Even if not done for now, it is something to consider, or at least to leave room in the configurations to implement later.

Tinc

I actually liked Tinc. By design it does something near what we want. Not as hard to implement as OpenVPN and IPSec++ (there are even some playbooks for this). It also allows features like, if the direct route from one node to another is blocked, deciding on the fly to use other nodes until it gets to the destination.

Wireguard

WireGuard is fast, has a very clean code base, is a VPN at kernel level (like IPSec) and (this is very, very impressive) even Linus Torvalds made a comparison saying this code base was much better than IPSec and OpenVPN and was interested in getting it merged into the Linux kernel. I even read the discussion thread, and the code was not merged yet both because some code refactoring was needed (and the authors of WireGuard are working hard on it) and also because of complaints that it was "not audited like the others". The main author of WireGuard complained that even the others were not audited (and maybe WireGuard was getting more pressure to refactor than any other in the past).

Also, some of the complaints about why WireGuard was not merged were because he was re-implementing some functions already done by other parts of the kernel. Some he is already fixing, but for others, on the Linux mailing list, he literally got references from the authors of other VPNs or algorithms admitting errors or having issues for years and nothing getting done. Not that WireGuard seems to be bullied in particular, no, I'm not saying this, but the standard way of the people who approve code to be merged into the kernel is very perfectionist. This also maybe explains why the website of WireGuard, at this exact moment, makes a serious disclaimer that even if it has been used for years it still cannot be called safe to use. Not that it is worse than the alternatives, but for sure Jason Donenfeld is trying from the start to be better and more responsible than others.

Here are some links. Note that there are a lot, even more than for Tinc.

MVP of using folders on ALB servers to store constants and variables

  • References on Linux directory structure https://linuxhandbook.com/linux-directory-structure/
  • Potential places for us to use on ALB
    • /opt/alb/
      • Maybe ideal for ALB variables that (ideally) tend to be managed by Ansible playbooks and are less likely to change at runtime.
      • Some of these values could override similar equivalents in other places.
    • /var/alb/
      • Maybe we use it for data that could be changed at runtime but is not guaranteed to be regenerable by an Ansible playbook
      • Could be a good place to use for features that we would be likely to store on a Redis server, but some specific installation of ALB is not running Redis or will not require updates
        • If ALB could somewhat work with some data storage like Redis/Consul/etc., we could still use this directory as a fallback in case those stores do not exist
      • One or more folders on this path could be used to store backups

There are several reasons to store some variables on target servers. To start, one could be a way for other programs to be aware of IPs, ports, etc. that have some special meaning to ALB. This could be useful for knowing what domains could have SSL issued, what IPs can do some actions (like logging in, or being on a blacklist).

Use `acme` instead of `letsencrypt` for variable conventions


We already have some variables with `letsencrypt` in their names, but in fact we're dealing with a standard protocol that more vendors could implement (and actually, there is at least one other alternative to Let's Encrypt, Buypass).

This issue is mostly about renaming (or not creating new variables) using the hardcoded naming of letsencrypt.

ALB `status` group of tasks

I'm testing way too many operating systems at the same time. Even if I could take notes and document each operating system's way to detect open ports, disk, permissions, etc., I would very likely not remember months or years later.

This issue is about creating one minimum viable product of a group of tasks that could run to check the status of a node (maybe a cluster of nodes and their connections) that is aware of #34 (aka takes cross-platform into account).
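A starting point for such a `status` group, as an added example and not code from the AP-ALB role: it leans on modules that only need Python on the node (`wait_for`, `stat`, gathered facts) instead of per-OS tools like `ss` or `netstat`, so the same tasks run on the Debian and RedHat families. The group name `alb_nodes`, the port list and the config path are assumptions for illustration.

```yaml
# Added example (not from the AP-ALB role): a minimal cross-platform "status" play.
# Ports and paths below are assumptions; adjust them to the node's real layout.
- name: ALB status checks
  hosts: alb_nodes          # assumed inventory group
  become: true
  gather_facts: true
  vars:
    alb_status_ports:
      - 80
      - 443
    alb_status_paths:
      Debian: /etc/haproxy/haproxy.cfg
      RedHat: /etc/haproxy/haproxy.cfg
  tasks:
    - name: Report what this node is (one line per OS, useful when testing many of them)
      debug:
        msg: "{{ ansible_facts['os_family'] }} {{ ansible_facts['distribution'] }} {{ ansible_facts['distribution_version'] }}"

    - name: Check that the ALB listeners accept TCP connections (Python only, no ss/netstat)
      wait_for:
        host: 127.0.0.1
        port: "{{ item }}"
        state: started
        timeout: 3
      loop: "{{ alb_status_ports }}"

    - name: Look at the main config file
      stat:
        path: "{{ alb_status_paths[ansible_facts['os_family']] }}"
      register: alb_status_cfg

    - name: Fail with a clear message if the config is missing, not root-owned or world-writable
      assert:
        that:
          - alb_status_cfg.stat.exists
          - alb_status_cfg.stat.pw_name == 'root'
          - not alb_status_cfg.stat.woth
        fail_msg: "Config problem at {{ alb_status_paths[ansible_facts['os_family']] }}"

    - name: Warn when a mounted filesystem has less than 10% free
      debug:
        msg: "{{ item.mount }} is {{ (100 - 100 * item.size_available / item.size_total) | round(1) }}% full"
      loop: "{{ ansible_facts['mounts'] }}"
      when: item.size_total > 0 and (item.size_available / item.size_total) < 0.1
```

The permission assertion is deliberately about ownership and world-writability rather than readability: a default package install leaves `haproxy.cfg` at 0644, so a "not world-readable" check would fail everywhere until the role itself tightens the mode, which is worth doing once the file starts carrying credentials.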
