Kickball / ooniprobe

Container image for the OONI Probe
GNU General Public License v3.0

Add parameter for persistent or one-off run of ooniprobe #5

Open Kickball opened 1 year ago

Kickball commented 1 year ago

Currently the container will run ooniprobe run unattended, which performs a one-off run of all the ooniprobe tests.

This would work well if the use case for the container is configured as a one-off (e.g. Nomad periodics, Kubernetes jobs), but would not be suitable if the container is desired to be run in a persistent way (e.g. Nomad services, Kubernetes pods).

The container should be rewritten to be configurable for either of these use-cases at run time.

Kickball commented 1 year ago

The automated execution of ooniprobe on Linux is managed by systemd files:

# cat /lib/systemd/system/ooniprobe-cli.service
[Unit]
Description=OONI Probe CLI
Documentation=man:ooniprobe-cli
Documentation=https://ooni.org/
After=network.target tor.target
Wants=network-online.target
ConditionPathExists=/etc/ooniprobe/ooniprobe.conf

[Service]
Type=simple
ExecStart=/usr/bin/ooniprobe --config=/etc/ooniprobe/ooniprobe.conf run automated
TimeoutStopSec=5
KillMode=mixed

Environment="OONI_HOME=/var/lib/ooniprobe"
User=ooniprobe
PermissionsStartOnly=true
Restart=on-abnormal
RestartSec=2s
LimitNOFILE=65536
WorkingDirectory=/var/lib/ooniprobe
RuntimeDirectory=ooniprobe
StateDirectory=ooniprobe
LogsDirectory=ooniprobe
ConfigurationDirectory=ooniprobe

# Sandboxing
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/log/ooniprobe
ReadWriteDirectories=-/var/lib/ooniprobe
ReadWriteDirectories=-/var/run
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target

# cat /lib/systemd/system/ooniprobe-cli.timer
[Unit]
Description=OONI Probe CLI
Requires=ooniprobe-cli.service

[Timer]
Unit=ooniprobe-cli.service
OnCalendar=daily
RandomizedDelaySec=12h

[Install]
WantedBy=timers.target
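As an added example (not the repository's own entrypoint), a POSIX sh entrypoint that implements the run-time parameter this issue asks for: OONIPROBE_MODE=oneoff runs the tests once and exits, while OONIPROBE_MODE=persistent loops with a sleep that approximates the daily timer plus RandomizedDelaySec=12h from the units above, instead of depending on systemd inside the container. The variable names, the default paths and the sleep-based scheduling are assumptions; the command run is the `run unattended` the container already uses.

```shell
#!/bin/sh
# Added example, not the repository's own entrypoint: OONIPROBE_MODE (assumed name)
# selects a one-off run or a persistent loop mimicking the systemd timer above.
set -eu
OONIPROBE_BIN="${OONIPROBE_BIN:-/usr/bin/ooniprobe}"
OONIPROBE_CONFIG="${OONIPROBE_CONFIG:-/etc/ooniprobe/ooniprobe.conf}"
OONIPROBE_MODE="${OONIPROBE_MODE:-oneoff}"
# Defaults mirror OnCalendar=daily and RandomizedDelaySec=12h from the timer unit.
OONIPROBE_INTERVAL_SEC="${OONIPROBE_INTERVAL_SEC:-86400}"
OONIPROBE_MAX_JITTER_SEC="${OONIPROBE_MAX_JITTER_SEC:-43200}"
# Fail fast on a mistyped mode instead of silently falling back to a default.
validate_mode() {
    case "$1" in
        oneoff|persistent) printf '%s\n' "$1" ;;
        *) printf 'unknown OONIPROBE_MODE: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Uniform random delay in [0, max) seconds; POSIX sh has no $RANDOM, so use awk.
random_delay() {
    awk -v max="$1" 'BEGIN { srand(); print int(rand() * max) }'
}

# Seconds until the next run: interval plus a random delay, like daily + RandomizedDelaySec.
next_sleep() {
    echo $(( $1 + $(random_delay "$2") ))
}

# One unattended run, the same command the container executes today.
run_once() {
    "$OONIPROBE_BIN" --config="$OONIPROBE_CONFIG" run unattended
}

# Persistent mode: a failed run is logged, not fatal (cf. Restart=on-abnormal).
run_forever() {
    while :; do
        run_once || printf 'ooniprobe exited with status %s\n' "$?" >&2
        sleep "$(next_sleep "$OONIPROBE_INTERVAL_SEC" "$OONIPROBE_MAX_JITTER_SEC")"
    done
}
main() {
    mode=$(validate_mode "$OONIPROBE_MODE")
    case "$mode" in
        oneoff)     run_once ;;
        persistent) run_forever ;;
    esac
}
# Dispatch only when executed as the entrypoint, so the functions can be sourced.
case "$0" in */entrypoint.sh|entrypoint.sh) main "$@" ;; esac
```

Running as a non-root user and the read-only filesystem protections from the service unit still have to come from the image (USER) and the orchestrator's security context, since this script only replaces the timer.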