feat: skeleton for remote-operator service

- README - Dockerfile - Compose service - Python requirements - FastAPI app with example endpoint
b-n-space · Nov 19, 2022 · 26977ab · 26977ab
1 parent d3a5f95
commit 26977ab
Show file tree

Hide file tree

Showing 9 changed files with 141 additions and 0 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,2 +1,5 @@
 Dockerfile
 README.md
+.env
+venv/
+__pycache__
diff --git a/.gitignore b/.gitignore
@@ -1 +1,3 @@
 .env
+venv/
+__pycache__
diff --git a/.python-version b/.python-version
@@ -0,0 +1 @@
+3.11.0
diff --git a/Taskfile.yml b/Taskfile.yml
@@ -6,6 +6,8 @@ vars:
     sh: grep -v '^#' .env | grep -e "OL_IMAGE" | sed -e 's/.*=//'
   BRANCH:
     sh: grep -v '^#' .env | grep -e "OL_BRANCH" | sed -e 's/.*=//'
+  TOOLS_IMAGE:
+    sh: grep -v '^#' .env | grep -e "OL_TOOLS_IMAGE" | sed -e 's/.*=//'
 
 tasks:
   docker:build:
@@ -25,6 +27,11 @@ tasks:
     cmds:
       - docker build --build-arg BRANCH={{.BRANCH}} --tag {{.IMAGE}}-builder --target builder .
 
+  docker:build:tools:
+    desc: "Build docker [tools] image"
+    cmds:
+      - docker build -f tools.Dockerfile --tag {{.TOOLS_IMAGE}} .
+
   docker:push:
     desc: "Push docker image"
     cmds:
@@ -40,6 +47,11 @@ tasks:
     cmds:
       - docker push {{.IMAGE}}-builder
 
+  docker:push:tools:
+    desc: "Push docker [tools] image"
+    cmds:
+      - docker push {{.TOOLS_IMAGE}}
+
   shell:
     desc: "Start a shell container"
     cmds:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -54,6 +54,15 @@ services:
     ports:
       - "3030:3030"
 
+  remote:
+    image: "${OL_TOOLS_IMAGE}"
+    container_name: 0l-remote-operator
+    restart: "on-failure"
+    ports:
+      - "3333:3333"
+    volumes:
+      - "./remote_operator:/code"
+
   ########## Utility services #############
 
   shell:

diff --git a/remote_operator/README.md b/remote_operator/README.md
@@ -0,0 +1,60 @@
+# 0L-Remote-Operator
+
+## Goal
+
+Allows 0L node operators to perform critical operations remotely.
+
+## Terms
+
+- Local operator: entity owning or running an 0L node
+- Remote operator: entity with permission to perform remote operations on an 0L node setup
+
+## Tech
+
+- Backend (Python)
+  - [FastAPI](https://fastapi.tiangolo.com/) for exposing API endpoints
+  - [pydantic](https://pydantic-docs.helpmanual.io/) for data validation and settings management
+- Frontend (Javascript)
+  - Single HTML page running [Vue](https://vuejs.org/) app
+  - Optional: [Buefy components](https://buefy.org/) based on[Bulma](http://bulma.io/)
+
+## Deployment
+
+- Extra service in 0l-operations' [docker-compose](../docker-compose.yml)
+- Based on [3.11.0-slim-bullseye](https://hub.docker.com/_/python/tags?page=1&name=3.11.0-slim-bullseye) docker image
+- Only python requirements are installed in the image
+- Source code resides in the repo and gets mounted as a host volume
+
+## Features
+
+- Restarting node and other services
+- Managing cron: start, stop
+- Updating specific values in `0L.toml`
+- Updating specific values in `validator.node.yaml`
+- else?
+
+## Security concerns and measures
+
+- Source code is always auditable by node operators
+  - Python is chosen to be clearly interpreted
+  - Docker image only provides runtime environment
+- Local operators must create firewall rules to only allow traffic from trusted sources to particular ports
+- Entire request bodies are validated not allowing any arbitrary payloads
+- All endpoints are auth protected; preferably JWT with short expiry
+  - Basic auth endpoint to acquire JWT token
+- Each operation must
+  - provide a reason
+  - creates a backup of files it has modified
+
+## Questions
+
+- How many are currently using the 0l-operations setup? in general, we want a statistic on different setups being used
+- What other security concerns do we have?
+
+## Tasks
+
+- [ ] Collect more info
+- [ ] Finalise features
+- [ ] Add basic auth
+- [ ] Publish initial version with restart feature
+- [ ] Implement logging and backups
diff --git a/remote_operator/main.py b/remote_operator/main.py
@@ -0,0 +1,33 @@
+from fastapi import FastAPI
+
+app = FastAPI()
+
+
+@app.get("/")
+def root():
+    return {"Hello": "0L Operator!"}
+
+
+@app.post("/restart")
+def restart():
+    return {"not": "implemented"}
+
+
+@app.post("/cron/on")
+def cron_on():
+    return {"not": "implemented"}
+
+
+@app.post("/cron/off")
+def cron_off():
+    return {"not": "implemented"}
+
+
+@app.patch("/ol-toml")
+def patch_ol_toml():
+    return {"not": "implemented"}
+
+
+@app.patch("/validator-yaml")
+def patch_validator_yaml():
+    return {"not": "implemented"}
diff --git a/tools.Dockerfile b/tools.Dockerfile
@@ -0,0 +1,17 @@
+FROM python:3.11-slim-bullseye
+
+ENV PYTHONUNBUFFERED 1
+
+# Install pip requirements
+COPY ./tools.requirements.txt /tmp/requirements.txt
+RUN pip install -r /tmp/requirements.txt
+
+# Define working directory
+RUN mkdir /code
+WORKDIR /code
+
+# Expose Uvicorn port
+EXPOSE 3333
+
+# Command to serve API
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "3333"]
diff --git a/tools.requirements.txt b/tools.requirements.txt
@@ -0,0 +1,4 @@
+fastapi==0.87.0
+pydantic==1.10.2
+python-dotenv==0.21.0
+uvicorn==0.19.0