0.0.0

.dockerignore

@@ -3,3 +3,4 @@ target/
 .private/
 .github/
 obsolete/
+.rclone.env

.gitignore

@@ -7,3 +7,5 @@ Cargo.lock
 log
 
 !src/target
+otel-data/
+.env

cdn_ips.txt

@@ -0,0 +1,46 @@
+# Cloudflare IPs
+173.245.48.0/20
+103.21.244.0/22
+103.22.200.0/22
+103.31.4.0/22
+141.101.64.0/18
+108.162.192.0/18
+190.93.240.0/20
+188.114.96.0/20
+197.234.240.0/22
+198.41.128.0/17
+162.158.0.0/15
+104.16.0.0/13
+104.24.0.0/14
+172.64.0.0/13
+131.0.72.0/22
+2400:cb00::/32
+2606:4700::/32
+2803:f800::/32
+2405:b500::/32
+2405:8100::/32
+2a06:98c0::/29
+2c0f:f248::/32
+
+# Fastly IPs
+23.235.32.0/20
+43.249.72.0/22
+103.244.50.0/24
+103.245.222.0/23
+103.245.224.0/24
+104.156.80.0/20
+140.248.64.0/18
+140.248.128.0/17
+146.75.0.0/17
+151.101.0.0/16
+157.52.64.0/18
+167.82.0.0/17
+167.82.128.0/20
+167.82.160.0/20
+167.82.224.0/20
+172.111.64.0/18
+185.31.16.0/22
+199.27.72.0/21
+199.232.0.0/16
+2a04:4e40::/32
+2a04:4e42::/32

docker-otel/.env.example

@@ -0,0 +1,5 @@
+ACCESS_KEY_ID=access_key_id
+SECRET_ACCESS_KEY=secret_access_key
+RCLONE_SERVER_NAME=dropbox-otel
+S3_ROOT=/
+S3_BUCKET_NAME=metrics # create bucket beforehand

docker-otel/docker-compose.yml

@@ -0,0 +1,131 @@
+services:
+  otel-collector:
+    image: otel/opentelemetry-collector-contrib:latest
+    container_name: otel-collector
+    restart: unless-stopped
+    ports:
+      - 127.0.0.1:4317:4317 # gRPC
+      - 127.0.0.1:13133:13133 # health check
+      - 127.0.0.1:1777:1777 # pprof
+      - 127.0.0.1:55679:55679 # zpages
+    expose:
+      - 4317 # OTLP gRPC
+      - 8889 # Prometheus exporter metrics
+      - 8888 # Prometheus metrics exposed by the collector
+    volumes:
+      - ./otel-config.yml:/etc/otel-config.yml
+      - /var/run/docker.sock:/var/run/docker.sock # docker env detector
+      # - ./client_crt:/client_crt:ro # Needed to deploy on the internet
+    command: ["--config=/etc/otel-config.yml"]
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    # healthcheck:
+    #   test: ["CMD-SHELL", "wget -nv -t1 otel-collector:13133 || exit 1"]
+    networks:
+      - net-otel
+
+  # Jaeger
+  jaeger:
+    image: jaegertracing/all-in-one:latest
+    container_name: jaeger
+    restart: unless-stopped
+    ports:
+      - 127.0.0.1:16686:16686 # frontend
+    expose:
+      - 4317 # OTLP
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    networks:
+      - net-otel
+
+  # Prometheus Remote Write Endpoint
+  mimir:
+    image: grafana/mimir:latest
+    container_name: mimir
+    restart: unless-stopped
+    ports:
+      - 127.0.0.1:9009:9009 # frontend
+    expose:
+      - 9009
+    command: ["--config.file=/etc/mimir.yml", "--config.expand-env=true"]
+    env_file: .env
+    volumes:
+      - ./otel-data/mimir:/data:rw
+      - ./mimir.yml:/etc/mimir.yml:ro
+      - ./mimir-alertmanager-fallback.yml:/etc/mimir-alertmanager-fallback.yml:ro
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    depends_on:
+      - rclone
+    networks:
+      - net-otel
+
+  # Prometheus Remote Write Endpoint Storage (S3)
+  rclone:
+    image: rclone/rclone:latest
+    expose:
+      - 58080
+    container_name: rclone
+    security_opt:
+      - apparmor:unconfined
+    cap_add:
+      - SYS_ADMIN
+    # devices:
+    #   - /dev/fuse
+    env_file: .env
+    entrypoint: |
+      sh -c "
+        rclone serve s3 --auth-key ${ACCESS_KEY_ID},${SECRET_ACCESS_KEY} ${RCLONE_SERVER_NAME}:${S3_ROOT} --vfs-cache-mode writes --addr 0.0.0.0:58080 & \
+        wait
+      "
+    restart: always
+    volumes:
+      - ~/.config/rclone/rclone.conf:/config/rclone/rclone.conf:ro
+      - /tmp/rclone-cache:/root/.cache/
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    networks:
+      net-otel:
+
+  # Visualize metrics
+  grafana:
+    image: grafana/grafana:latest
+    container_name: grafana
+    restart: unless-stopped
+    ports:
+      - 127.0.0.1:3000:3000 # frontend
+    volumes:
+      - ./otel-data/grafana:/var/lib/grafana
+    depends_on:
+      - mimir
+    logging:
+      options:
+        max-size: "10m"
+        max-file: "3"
+    networks:
+      - net-otel
+
+  # prometheus:
+  #   image: prom/prometheus:latest
+  #   container_name: prometheus
+  #   command: ["--config.file=/etc/prometheus/prometheus.yml"]
+  #   volumes:
+  #     # - ./data/prometheus:/prometheus
+  #     - ./prometheus.yml:/etc/prometheus/prometheus.yml
+  #   ports:
+  #     - "127.0.0.1:9090:9090" # frontend
+  #   networks:
+  #     - net-otel
+
+networks:
+  net-otel:
+    name: net-otel
+    driver: bridge

docker-otel/mimir-alertmanager-fallback.yml

@@ -0,0 +1,7 @@
+route:
+  group_wait: 0s
+  receiver: empty-receiver
+
+receivers:
+  # In this example we're not going to send any notification out of Alertmanager.
+  - name: "empty-receiver"

docker-otel/mimir.yml

@@ -0,0 +1,52 @@
+# Do not use this configuration in production.
+# It is for demonstration purposes only.
+
+# Run Mimir in single process mode, with all components running in 1 process.
+target: all,alertmanager,overrides-exporter
+
+common:
+  storage:
+    backend: s3
+    s3:
+      endpoint: rclone:58080
+      secret_access_key: "${SECRET_ACCESS_KEY}" # This is a secret injected via an environment variable
+      access_key_id: "${ACCESS_KEY_ID}" # This is a secret injected via an environment variable
+      bucket_name: "${S3_BUCKET_NAME}" # This is a secret injected via an environment variable
+      insecure: true
+
+# Blocks storage requires a prefix when using a common object storage bucket.
+blocks_storage:
+  storage_prefix: blocks
+  tsdb:
+    dir: /data/ingester
+
+# Use memberlist, a gossip-based protocol, to enable the 3 Mimir replicas to communicate
+memberlist:
+  join_members: [mimir]
+
+ruler:
+  rule_path: /data/ruler
+  alertmanager_url: http://127.0.0.1:9009/alertmanager
+  ring:
+    # Quickly detect unhealthy rulers to speed up the tutorial.
+    heartbeat_period: 2s
+    heartbeat_timeout: 10s
+
+alertmanager:
+  data_dir: /data/alertmanager
+  fallback_config_file: /etc/mimir-alertmanager-fallback.yml
+  external_url: http://localhost:9009/alertmanager
+  sharding_ring:
+    replication_factor: 1
+
+ingester:
+  ring:
+    replication_factor: 1
+
+server:
+  http_listen_port: 9009
+  log_level: info
+
+store_gateway:
+  sharding_ring:
+    replication_factor: 1

docker-otel/otel-config.yml

@@ -0,0 +1,97 @@
+receivers:
+  otlp: # the OTLP receiver the app is sending traces to
+    protocols:
+      grpc:
+        endpoint: "0.0.0.0:4317" # for docker
+  prometheus: # the Prometheus receiver the OTel Collector is sending its own metrics to
+    config:
+      scrape_configs:
+          - job_name: 'otel-collector'
+            scrape_interval: 5s
+            static_configs:
+              - targets: ['0.0.0.0:8888']
+  hostmetrics: # the hostmetrics receiver
+    collection_interval: 10s
+    scrapers:
+      cpu:
+      disk:
+      load:
+      filesystem:
+      memory:
+      network:
+      paging:
+      processes:
+      process:
+
+processors:
+  batch:
+  resourcedetection/docker: # resource detector for Docker
+    detectors: [env, docker]
+    timeout: 2s
+    override: false
+  resource/host_metadata: # resource attributes manipulator for host metadata
+    attributes:
+      - key: "deployment.environment"
+        value: "develop" # TODO: change this to your environment
+        action: upsert
+      - key: "host.name"
+        value: "example.com" # TODO: change this to your domain running the OTel Collector
+        action: upsert
+  attributes/host_metadata: # attributes manipulator for host metadata
+    actions:
+      - key: "host.name"
+        value: "example.com" # TODO: change this to your domain running the OTel Collector
+        action: upsert
+
+exporters:
+  debug:
+    verbosity: detailed
+    sampling_initial: 2 # default
+    sampling_thereafter: 500 # default
+  otlp/jaeger: # Jaeger supports OTLP directly
+    endpoint: http://jaeger:4317
+    tls:
+      insecure: true
+    # tls:  # need to connect to Jaeger deployed on the Internet with TLS
+    #   cert_file: /client_crt/otel-client.crt
+    #   key_file: /client_crt/otel-client.key
+  prometheusremotewrite:
+    endpoint: "http://mimir:9009/api/v1/push"
+    headers:
+      X-Scope-OrgID: "modoh" # TODO: change this to your org ID. This will be used to filter metrics in Mimir as tenant ID.
+    send_metadata: true
+    # tls: # need to connect to Mimir deployed on the Internet with TLS
+    #   cert_file: /client_crt/otel-client.crt
+    #   key_file: /client_crt/otel-client.key
+  # prometheus:
+  #   endpoint: 0.0.0.0:8889
+
+extensions:
+  zpages: # https://github.com/open-telemetry/opentelemetry-collector/blob/main/extension/zpagesextension
+    endpoint: 0.0.0.0:55679 # for docker
+  pprof: # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/pprofextension
+    endpoint: 0.0.0.0:1777 # for docker
+  health_check: # https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/healthcheckextension
+    endpoint: 0.0.0.0:13133 # for docker
+
+
+service:
+  pipelines:
+    traces/dev:
+      receivers: [otlp]
+      processors: [batch, resource/host_metadata] # for traces, we can see host meta in resource attributes
+      exporters: [debug, otlp/jaeger]
+    metrics/app:
+      receivers: [otlp]
+      processors: [resource/host_metadata, attributes/host_metadata, batch]
+      exporters: [debug, prometheusremotewrite]
+    metrics/host:
+      receivers: [hostmetrics]
+      processors: [resourcedetection/docker, resource/host_metadata, attributes/host_metadata, batch]
+      exporters: [debug, prometheusremotewrite]
+    metrics/otel-collector:
+      receivers: [prometheus]
+      processors: [resourcedetection/docker, resource/host_metadata, attributes/host_metadata, batch]
+      exporters: [debug, prometheusremotewrite]
+
+  extensions: [zpages, pprof, health_check]

docker-otel/prometheus.yml

@@ -0,0 +1,13 @@
+scrape_configs:
+  - job_name: 'otel-collector'
+    scrape_interval: 10s
+    static_configs:
+      - targets: ['otel-collector:8888']
+      - targets: ['otel-collector:8889']
+
+# - job_name: "prometheus"
+#     static_configs:
+#       - targets: ["localhost:9090"]
+#   - job_name: "app"
+#     static_configs:
+#       - targets: ["otel-collector:8889"]

docker/Dockerfile

@@ -17,11 +17,12 @@ ENV RUSTFLAGS "-C link-arg=-s"
 
 RUN update-ca-certificates 2> /dev/null || true
 
+# TODO: do not enable otel-evil-trace for production
 RUN apt-get update && apt-get install -qy --no-install-recommends $BUILD_DEPS && \
     curl -sSf https://sh.rustup.rs | bash -s -- -y --default-toolchain stable && \
     export PATH="$HOME/.cargo/bin:$PATH" && \
     echo "Building Mutualized Oblivious DNS relay and target from source" && \
-    cargo build --release --no-default-features --package modoh-server && \
+    cargo build --release --no-default-features --features=otel-full,otel-evil-trace --package modoh-server && \
     strip --strip-all /tmp/target/release/modoh-server
 
 ########################################