upgrade/ retire psychz exit node #28
Comments
jhpoelen
changed the title
|
@Juul is planning to not renew psychz subscription very soon, so it's time to retire the exitnode. IPs connected to psychz at time of posting:
|
|
@jhpoelen is there anything that should be saved/rescued from the psychz server before it goes away forever? Not sure if there are any old configurations that might be worth backing up. |
|
great to hear that the psychz exit node is getting retired - it took us quite some work to be able to do this without bringing the network down and losing the connection to our existing nodes. Some suggestions:
|
|
I think work might have been done on that in the upgrade babeld branch and has been an open PR for sometime, sudomesh/exitnode#15, which also includes the ability to redeploy the exitnode by re-running create_exitnode.sh. Also, maybe before psychz is turned off, we should test rebuilding HE by running create_exitnode.sh, just in case it goes horribly, irreparably wrong? |
|
Also, good idea about at least deploying the exitnode script on one of the backup servers. For reference, here's the potential servers that could be used, https://github.com/sudomesh/sudowrt-firmware/blob/master/files/opt/mesh/templates/etc/config/tunneldigger not sure about the configuration on any of them other than builds.sudomesh.org, which already has a ton of things running/stored on it. |
|
re: builds.sudomesh.org - I imagine that the dns would be relatively easy to point to another machine |
|
good points about builds.sudomesh.org! Committing to moving builds.sudomesh.org would encourage us to cleanup that server and make sure everything on it is update to date, documented, and re-deployable. I like that idea so much that I'm going to open a new bug to document services currently running on it. And agreed on PRs, I almost forgot that one existed, I encourage @bennlich to go ahead and merge it. |
|
So after copying the sudomesh server to a new droplet and new IP address, 107.170.221.27, I've realized that there is no way to decrease the size of the old sudomesh server, which way bigger than it needs to be for a back up exit node, and keep the old IP address, 107.170.219.5. @jhpoelen or @bennlich any ideas on how to preserve our precious IP address and downsize the droplet, I can't seem to find any way of doing this in digital ocean. |
|
Yep, I think you're right. From https://www.digitalocean.com/docs/droplets/how-to/resize/
In retrospect, we should have created a "digitalocean floating ip", which is a static ip address that you can move around between droplets, and use that IP in our tunneldigger configs. Woops. Let's do this and patch some nodes? Doesn't really make sense to leave ourselves tied to a droplet with specs we don't really want IMO. |
|
From my patching experience last year, I've learned that patching nodes is a risky, time intensive process that I wouldn't wish on anyone to have to repeat. Rather that spending time on this, I'd favor to keep the droplet around, install tunnneldigger on it, and spent the time to work on ways to either get rid of exit nodes or figure out a more dynamic approach to connect to exit nodes. Meanwhile, would it be worth trying to convince digitalocean to turn our existing ip into one of these floating IPs? |
|
I opened a ticket with DO asking them to convert the static IP to a floating IP. We'll see what they say. Here's a question, is there any reason we couldn't run all the sudomesh server and exit node services on the same droplet? I know it's not ideal, but it seems like the only solution at this point. I second @jhpoelen on exploring new ideas of how to host exit nodes, or if they are even necessary. |
Thank you!
Yeah, it's really not ideal. We want to be able to bring down the services server without negatively affecting the mesh.
Can't we just pay for two droplets--one for services, one for exitnode-ing? -- I don't see the need to patch nodes going away. Might be worth figuring out how to make this less of a headache. -- A dynamic but centralized solution would be to point tunneldigger to some kind of load balancer IP that routed to different registered exitnodes. |
|
Digital Ocean has been giving me the run around. I would like to stop using their service. We should put more energy into acquiring rack space that we have physical access to and actual control of. We can keep the old server up temporarily as a backup exit node, since it is cheaper than psychz. Ultimately, we should work more on #39 and redeploy the sudomesh server once we have a local rack space. Likewise, exploring the possibilities of an exitnode-less mesh, alternatives to tunneldigger, and an easier node patching system seem more useful than attempting to communicate with Digital Ocean. |
|
Hey, I just thought of something? Can tunneldigger take a domain name instead of an IP address? If it can't by default, it would be fairly easy to write a hook script that retrieves the IP address of say "builds.sudomesh.org" and enters it into the tunneldigger conf before attemtping to open a tunnel. This still locks us into a owning that domain, but it seems more flexible than an IP address and would be good as a backup option. |
|
in responding to #28 (comment) - @paidforby thanks for taking the initiative to try and get digital ocean to convert the static ip into a "floating" ip. I can imagine it can be frustrating to deal with (probably overworked) customer service folks. I see how a long term plan to get more agency and control over our server hardware / ip addresses as well as simplifying the architecture is in line with sudomesh's values. I also agree with @bennlich short term solution to, for the time being, run a dedicated exit node droplet behind the ip address baked into most home nodes. I imagine we first move the existing services to a second, temporary, droplet until we move them to a place that better suit our long terms goals like the rack mounted hardware you suggested. |
|
re: #28 (comment) - Nice hack! |
|
We could even get a list of IPs, 'cause you can associated more than one ip to a domain name. |
|
re: #28 (comment) |
|
re: #28 (comment) |
|
Confirmed! tunneldigger does support hostnames instead of IP addresses. Used create_exitnode.sh and tunneldigger lab to test this theory. The following commands work equally as well, |
|
right before turning 107.170.219.5 into an exitnode, @paidforby and I remembered #23 ... :-/ We'll need to decomission psychz at the same time that we bring up 107.170.219.5, and transfer psychz' mesh ip to the new exitnode. |
|
@bennlich nice catch. Do you need help turning off psychz tunnel digger? |
As discussed in #8 (comment) and related threads, the current installation of the psychz exit node has to run an older version of Debian (without security patches) in order to allow unpatched home nodes to create exit node tunnels.
At time of writing (11 April 2018) 15 home nodes are connecting to the psychz exit node. These nodes need to be upgrade before being able to upgrade or retire this exit node.
If the exit node is upgraded/ retired before that, the home nodes will be unable to create tunnels without physical access to the nodes. This means that the home nodes would not able to provide open internet access unless they mesh with neighboring nodes with a route to the internet.
The text was updated successfully, but these errors were encountered: