mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-09 21:44:13 +02:00
c495307027
* Fix DigitalOcean cloud-init compatibility issue causing SSH timeout on port 4160 This commit addresses the issue described in GitHub issue #14800 where DigitalOcean deployments fail during the "Wait until SSH becomes ready..." step due to cloud-init not processing the write_files directive correctly. ## Problem - DigitalOcean's cloud-init shows "Unhandled non-multipart (text/x-not-multipart) userdata" warning - write_files module gets skipped, leaving SSH on default port 22 instead of port 4160 - Algo deployment times out when trying to connect to port 4160 ## Solution Added proactive detection and remediation to the DigitalOcean role: 1. Check if SSH is listening on the expected port (4160) after droplet creation 2. If not, automatically apply the SSH configuration manually via SSH on port 22 3. Verify SSH is now listening on the correct port before proceeding ## Changes - Added SSH port check with 30-second timeout - Added fallback remediation block that: - Connects via SSH on port 22 to apply Algo's SSH configuration - Backs up the original sshd_config - Applies the correct SSH settings (port 4160, security hardening) - Restarts the SSH service - Verifies the fix worked This ensures DigitalOcean deployments succeed even when cloud-init fails to process the user_data correctly, maintaining backward compatibility and reliability. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Implement cleaner fix for DigitalOcean cloud-init encoding issue This replaces the previous workaround with two targeted fixes that address the root cause of the "Unhandled non-multipart (text/x-not-multipart) userdata" issue that prevents write_files from being processed. ## Root Cause Cloud-init receives user_data as binary/bytes instead of UTF-8 string, causing it to fail parsing and skip the write_files directive that configures SSH on port 4160. ## Cleaner Solutions Implemented ### Fix 1: String Encoding (user_data | string) - Added explicit string conversion to user_data template lookup - Ensures DigitalOcean API receives proper UTF-8 string, not bytes - Minimal change with maximum compatibility ### Fix 2: Use runcmd Instead of write_files - Replaced write_files approach with runcmd shell commands - Bypasses the cloud-init parsing issue entirely - More reliable as it executes direct shell commands - Includes automatic SSH config backup for safety ## Changes Made - `roles/cloud-digitalocean/tasks/main.yml`: Added | string filter to user_data - `files/cloud-init/base.yml`: Replaced write_files with runcmd approach - Removed complex SSH detection/remediation workaround (no longer needed) ## Benefits - ✅ Fixes root cause instead of working around symptoms - ✅ Much simpler and more maintainable code - ✅ Backward compatible - no API changes required - ✅ Handles both potential failure modes (encoding + parsing) - ✅ All tests pass, linters clean This should resolve DigitalOcean SSH timeout issues while being much cleaner than the previous workaround approach. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix cloud-init header format for DigitalOcean compatibility The space in '# cloud-config' (introduced in PR #14775) breaks cloud-init YAML parsing on DigitalOcean, causing SSH configuration to be skipped. Cloud-init documentation requires '#cloud-config' without a space. Fixes #14800 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Revert to write_files approach for SSH configuration Using write_files is more maintainable and Ansible-native than runcmd. The root cause was the cloud-config header format, not write_files itself. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Ansible deprecation and variable warnings - Replace deprecated network filters with ansible.utils equivalents: - ipaddr → ansible.utils.ipaddr - ipmath → ansible.utils.ipmath - ipv4 → ansible.utils.ipv4 - ipv6 → ansible.utils.ipv6 - next_nth_usable → ansible.utils.next_nth_usable - Fix reserved variable name: no_log → algo_no_log - Fix SSH user groups warning by explicitly specifying groups parameter Addresses deprecation warnings that would become errors after 2024-01-01. All linter checks pass with only cosmetic warnings remaining. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add comprehensive protection for cloud-config header format - Add inline documentation explaining critical #cloud-config format requirement - Exclude files/cloud-init/ from yamllint and ansible-lint to prevent automatic 'fixes' - Create detailed README.md documenting the issue and protection measures - Reference GitHub issue #14800 for future maintainers This prevents regression of the critical cloud-init header format that causes deployment failures when changed from '#cloud-config' to '# cloud-config'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add test for cloud-init header format to prevent regression This test ensures the cloud-init header remains exactly ''#cloud-config'' without a space. The regression in PR #14775 that added a space broke DigitalOcean deployments by causing cloud-init YAML parsing to fail, resulting in SSH timeouts on port 4160. Co-authored-by: Dan Guido <dguido@users.noreply.github.com> * Refactor SSH config template and fix MOTD task permissions - Use dedicated sshd_config template instead of inline content - Add explicit become: true to MOTD task to fix permissions warning 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix no_log variable references after renaming to algo_no_log Update all remaining references from old 'no_log' variable to 'algo_no_log' in WireGuard, SSH tunneling, and StrongSwan roles. This fixes deployment failures caused by undefined variable references. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: Correct YAML indentation in cloud-init template for DigitalOcean The indent filter was not indenting the first line of the sshd_config content, causing invalid YAML structure that cloud-init couldn't parse. This resulted in SSH timeouts during deployment as the port was never changed from 22 to 4160. - Add first=True parameter to indent filter to ensure all lines are indented - Remove extra indentation in base template to prevent double-indentation - Add comprehensive test suite to validate template rendering and prevent regressions Fixes deployment failures where cloud-init would show: "Invalid format at line X: expected <block end>, but found '<scalar>'" 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Dan Guido <dguido@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| fixtures | ||
| legacy-lxd | ||
| unit | ||
| README.md | ||
| test-local-config.sh | ||
| test_cloud_init_template.py | ||
Algo VPN Test Suite
Current Test Coverage
What We Test Now
-
Basic Sanity (
test_basic_sanity.py)- Python version >= 3.10
- requirements.txt exists
- config.cfg is valid YAML
- Ansible playbook syntax
- Shell scripts pass shellcheck
- Dockerfile exists and is valid
-
Docker Build (
test_docker_build.py)- Docker image builds successfully
- Container can start
- Ansible is available in container
-
Configuration Generation (
test-local-config.sh)- Ansible templates render without errors
- Basic configuration can be generated
-
Config Validation (
test_config_validation.py)- WireGuard config format validation
- Base64 key format checking
- IP address and CIDR notation
- Mobile config XML validation
- Port range validation
-
Certificate Validation (
test_certificate_validation.py)- OpenSSL availability
- Certificate subject formats
- Key file permissions (600)
- Password complexity
- IPsec cipher suite security
-
User Management (
test_user_management.py) - Addresses #14745, #14746, #14738, #14726- User list parsing from config
- Server selection string parsing
- SSH key preservation
- CA password handling
- User config path generation
- Duplicate user detection
-
OpenSSL Compatibility (
test_openssl_compatibility.py) - Addresses #14755, #14718- OpenSSL version detection
- Legacy flag support detection
- Apple device key format compatibility
- Certificate generation compatibility
- PKCS#12 export for mobile devices
-
Cloud Provider Configs (
test_cloud_provider_configs.py) - Addresses #14752, #14730, #14762- Cloud provider configuration validation
- Hetzner server type updates (cx11 → cx22)
- Azure dependency compatibility
- Region format validation
- Server size naming conventions
- OS image naming validation
What We DON'T Test Yet
1. VPN Functionality
- WireGuard configuration validation
- Private/public key generation
- Client config file format
- QR code generation
- Mobile config profiles
- IPsec configuration validation
- Certificate generation and validation
- StrongSwan config format
- Apple profile generation
- SSH tunnel configuration
- Key generation
- SSH config file format
2. Cloud Provider Integrations
- DigitalOcean API interactions
- AWS EC2/Lightsail deployments
- Azure deployments
- Google Cloud deployments
- Other providers (Vultr, Hetzner, etc.)
3. User Management
- Adding new users
- Removing users
- Updating user configurations
4. Advanced Features
- DNS ad-blocking configuration
- On-demand VPN settings
- MTU calculations
- IPv6 configuration
5. Security Validations
- Certificate constraints
- Key permissions
- Password generation
- Firewall rules
Potential Improvements
Short Term (Easy Wins)
-
Add job names to fix zizmor warnings
-
Test configuration file generation without deployment:
def test_wireguard_config_format(): # Generate a test config # Validate it has required sections # Check key format with regex -
Test user management scripts in isolation:
# Test that update-users generates valid YAML ./algo update-users --dry-run -
Add XML validation for mobile configs:
xmllint --noout generated_configs/*.mobileconfig
Medium Term
- Mock cloud provider APIs to test deployment logic
- Container-based integration tests using Docker Compose
- Test certificate generation without full deployment
- Validate generated configs against schemas
Long Term
- End-to-end tests with actual VPN connections (using network namespaces)
- Performance testing for large user counts
- Upgrade path testing (old configs → new configs)
- Multi-platform client testing
Security Improvements (from zizmor)
Current status: ✅ No security issues found
Recommendations:
- Add explicit job names for better workflow clarity
- Consider pinning Ubuntu runner versions to specific releases
- Add GITHUB_TOKEN with minimal permissions when needed for API checks
Test Philosophy
Our approach focuses on:
- Fast feedback - Tests run in < 3 minutes
- No flaky tests - Avoid complex networking setups
- Test what matters - Config generation, not VPN protocols
- Progressive enhancement - Start simple, add coverage gradually