Changed "transactions.md" to correct typos. #1782

Open
wants to merge 51 commits into base: main
Changes from 6 commits
Commits
51 commits
bae657d
updated dev setup for ubuntu 16 and setup-dev.md
pSchlarb Aug 19, 2021
953cace
fix uploading of deb files with the same name but different distribution
udosson Sep 13, 2021
1b22499
Merge pull request #1695 from udosson/restructure-debs-upload
WadeBarnes Sep 13, 2021
b78c1e6
Merge pull request #1688 from pSchlarb/devSetup
WadeBarnes Sep 13, 2021
75c1351
Update version of Indy SDK
udosson Sep 13, 2021
b5183ac
Merge pull request #1696 from udosson/udosson-patch-update-sdk
WadeBarnes Sep 14, 2021
2a19753
added tag to pull of lint image
udosson Oct 14, 2021
8b49410
Merge pull request #1701 from udosson/fix-linting-image-pull
WadeBarnes Oct 14, 2021
0aff581
LF Endings
pSchlarb Oct 28, 2021
5ff852b
pinned dependencies because of missing support for python 3.5
udosson Nov 2, 2021
5d2cafc
Merge pull request #1706 from udosson/fix-gha-jenkins
WadeBarnes Nov 3, 2021
3c015ca
re-added the adjustment of packages for the canonical archive
udosson Nov 3, 2021
70dc76c
Merge pull request #1707 from udosson/cannonical-archive
WadeBarnes Nov 3, 2021
5994b3f
updated version of setup-jfrog-cli to v2
udosson Nov 4, 2021
9b8ee78
Merge pull request #1704 from pSchlarb/master
WadeBarnes Nov 4, 2021
fe113e3
Merge pull request #1708 from udosson/cannonical-archive
WadeBarnes Nov 4, 2021
d785d0a
bump indy-plenum to version 1.13.0.dev169
udosson Nov 8, 2021
ac25186
Merge pull request #1710 from udosson/master
WadeBarnes Nov 9, 2021
6bd7f20
prepares indy-plenum package version of debian version dependency
udosson Nov 9, 2021
1eca095
Merge pull request #1711 from udosson/master
WadeBarnes Nov 9, 2021
9c3d0e4
Baseimage changes as discussed in #1684
pSchlarb Nov 4, 2021
305adee
Merge pull request #1705 from pSchlarb/baseimage-0.0.4
udosson Nov 25, 2021
1da2405
FIX wrong Slicing and SLICE_TOTAL_SLICES
pSchlarb Nov 29, 2021
d38f463
Merge pull request #1716 from pSchlarb/gha_slice_fix
WadeBarnes Nov 29, 2021
d73baf1
Added documentation for creating a new network from scratch
pSchlarb Aug 27, 2021
36c3f88
Indy-Test-Automation workflow
udosson Jan 13, 2022
fe1632e
Merge pull request #1689 from pSchlarb/newNetworkDoc
WadeBarnes Jan 13, 2022
fd9ae51
Merge pull request #1725 from udosson/master
WadeBarnes Jan 13, 2022
25f2814
fixed typo in uploading detailed test failure results
udosson Jan 14, 2022
aa073e6
Merge pull request #1727 from udosson/master
WadeBarnes Jan 14, 2022
2afb24a
Removed pip imports
pSchlarb Nov 29, 2021
0a1b2f8
Moved some steps into the correct order in the Hand on Walkthrough an…
lynnbendixsen Feb 10, 2022
3194c1f
Corrected initial checkin with consistency and typo and line feeds.
lynnbendixsen Feb 10, 2022
5ab942a
Merge pull request #1734 from lynnbendixsen/newnetdocrepair
WadeBarnes Feb 10, 2022
4947fc7
Merge pull request #1684 from pSchlarb/Remove-pip-imports
udosson Mar 25, 2022
7229c7a
Update setup_iptables script
WadeBarnes May 27, 2022
656b797
Update setup_iptables
WadeBarnes Jun 13, 2022
69374ee
Update setup_iptables script
WadeBarnes Aug 3, 2022
b894cc0
Update settings.yml
ryjones Aug 4, 2022
572162f
Update setup_iptables script
WadeBarnes Aug 18, 2022
07a7f3f
Refactor pool upgrade handler
WadeBarnes May 6, 2022
94b984b
Additional updates to upgrade txn handling
WadeBarnes May 30, 2022
6c11c53
Switch string formatting to python 3.5 supported syntax.
WadeBarnes Jul 21, 2022
9603118
Fix apt update issues affecting NodeControlUtil.update_package_cache
WadeBarnes Aug 16, 2022
6215b99
Fix exception type in update_package_cache
WadeBarnes Aug 18, 2022
fe50747
Merge pull request from GHSA-r6v9-p59m-gj2p
WadeBarnes Sep 2, 2022
7559c4e
Fix linting errors
WadeBarnes Sep 2, 2022
6a06237
Merge pull request #1772 from WadeBarnes/main
WadeBarnes Sep 2, 2022
300be0b
Update the setup-iptables documentation.
WadeBarnes Sep 9, 2022
53a2a1b
Merge pull request from GHSA-x996-7qh9-7ff7
WadeBarnes Sep 9, 2022
030f87e
Update transactions.md
oMFDOo Sep 22, 2022
95 changes: 48 additions & 47 deletions docs/source/setup-iptables.md
@@ -1,70 +1,71 @@
# Setup iptables rules (recommended)

It is strongly recommended to add iptables (or some other firewall) rule that limits the number of simultaneous clients
connections for client port.
There are at least two important reasons for this:
- preventing the indy-node process from reaching of open file descriptors limit caused by clients connections
- preventing the indy-node process from large memory usage as ZeroMQ creates the separate queue for each TCP connection.
It is strongly recommended to add iptables (or some other firewall) rules to limit the number of simultaneous clients
connections to your node's client port.

NOTE: limitation of the number of *simultaneous clients connections* does not mean that we limit the
number of *simultaneous clients* the indy-node works with in any time. The IndySDK client does not keep
connection infinitely, it uses the same connection for request-response session with some optimisations,
so it's just about **connections**, **not** about **clients**.
There are at least two important reasons for this:
- preventing the indy-node process from exceeding the limit of open file descriptors due to an excessive number of clients connections.
- controlling the indy-node process's memory use, as ZeroMQ creates a separate queue for each TCP connection.

Also iptables can be used to deal with various DoS attacks (e.g. syn flood) but rules' parameters are not estimated yet.
NOTE: The limitation of the number of *simultaneous clients connections* does not mean that we limit the
number of *simultaneous clients* indy-node works with in any time. Connections are not left open infinitely. The same connection is used for a request-response session with some optimisations and then closed, therefore it's just about **connections**, **not** about **clients**.

NOTE: you should be a root to operate with iptables.
NOTE: You will need to have sudo privileges to work with iptables.

## Using indy scripts

## Setting up clients connections limit
For ease of use and for people that are not familiar with iptables we've added two scripts:
- [`setup_iptables`](https://github.com/hyperledger/indy-node/blob/main/scripts/setup_iptables):
- By default this scripts adds rules to iptables to limit the number of simultaneous clients connections for a specified port.
- To get a full list of options run `./setup_iptables -h` from the scripts directory.

#### Using raw iptables command or iptables front-end
- [`setup_indy_node_iptables`](https://github.com/hyperledger/indy-node/blob/main/scripts/setup_indy_node_iptables):
- A wrapper around `setup_iptables` which gets client port and connection limit settings from the `/etc/indy/indy.env` that is created by the `init_indy_node` script.

In case of deb installation the indy-node environment file /etc/indy/indy.env is created by `init_indy_node` script.
This environment file contains client port (NODE_CLIENT_PORT) and recommended clients connections limit (CLIENT_CONNECTIONS_LIMIT).
This parameters can be used to add the iptables rule for chain INPUT:
Which one you use depends on how you installed indy-node on your server. Refer to the [For deb package based installations](#for-deb-package-based-installations), and [For pip based installations](#for-pip-based-installations) sections below.

```
# iptables -I INPUT -p tcp --syn --dport 9702 -m connlimit --connlimit-above 500 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
```
Some key options:
- --dport - a port for which limit is set
- --connlimit-above - connections limit, exceeding new connections will be rejected using TCP reset
- --connlimit-mask - group hosts using the prefix length, 0 means "all subnets"
### Updating the scripts and configuration

Corresponding fields should be set in case of some iptables front-end usage.
Before you run the scripts you should ensure you are using the latest scripts and recommended settings by following these steps while logged into your node:

1. Make a backup copy of the existing `setup_iptables` script by executing the command:
```
sudo cp /usr/local/bin/setup_iptables /usr/local/bin/setup_iptables_$(date "+%Y%m%d-%H%M%S")
```

#### Using indy scripts
1. Update the default client connection limit to 15000 in `/etc/indy/indy.env`.
- NOTE:
- `/etc/indy/indy.env` only exists for deb package based installations.
- `\1` is an excape sequence `\115000` is not a typo.
```
sudo sed -i -re "s/(^CLIENT_CONNECTIONS_LIMIT=).*$/\115000/" /etc/indy/indy.env
```

For ease of use and for people that are not familiar with iptables we've
added two scripts:
- setup_iptables: adds a rule to iptables to limit the number of simultaneous
clients connections for specified port;
- setup_indy_node_iptables: a wrapper for setup_iptables script which gets client
port and recommended connections limit from indy-node environment file that is created by init_indy_node script.
1. Download the latest version of the script.
```
sudo curl -o /usr/local/bin/setup_iptables https://raw.githubusercontent.com/hyperledger/indy-node/main/scripts/setup_iptables
```
The sha256 checksum for the current version of the script is `a0e4451cc49897dc38946091b245368c1f1360201f374a3ad121925f9aa80664`

Links to these scripts:

- https://github.com/hyperledger/indy-node/blob/master/scripts/setup_iptables
- https://github.com/hyperledger/indy-node/blob/master/scripts/setup_indy_node_iptables

NOTE: for now the iptables chain for which the rule is added is not parameterized,
the rule is always added for INPUT chain, we can parameterize it in future if needed.
### For deb package based installations

###### For deb installation
To setup the limit of the number of simultaneous clients connections it is enough to run the following script without parameters
Run:
```
# setup_indy_node_iptables
setup_indy_node_iptables
```
This script gets client port and recommended connections limit from the indy-node environment file.
NOTE:
- This script should only be called *after* your node has been initialized using `init_indy_node`, to ensure `/etc/indy/indy.env` has been created.

NOTE: this script should be called *after* `init_indy_node` script.
### For pip based installations

###### For pip installation
The `setup_indy_node_iptables` script can not be used in case of pip installation as indy-node environment file does not exist,
use the `setup_iptables` script instead (9702 is a client port, 500 is recommended limit for now)
For pip based installations `/etc/indy/indy.env` does not exist, therefore `setup_indy_node_iptables` cannot be used. Instead you run `setup_iptables` directly.

For example, if your client port is 9702, you would run:
```
# setup_iptables 9702 500
setup_iptables 9702 15000
```
In fact, the `setup_indy_node_iptables` script is just a wrapper for the `setup_iptables` script.

## Using raw iptables command or iptables front-end

If you are confident with using iptables, you may add additional rules as you see fit using iptables directly.
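Review bot: the download step (`sudo curl -o /usr/local/bin/setup_iptables https://raw.githubusercontent.com/hyperledger/indy-node/main/scripts/setup_iptables`) publishes a sha256 checksum for the script but never instructs the reader to check it, and because the URL fetches from `main` the documented value `a0e4451cc49897dc38946091b245368c1f1360201f374a3ad121925f9aa80664` will silently stop matching the next time the script changes. Suggest adding an explicit verification line directly after the download, e.g. `echo "a0e4451cc49897dc38946091b245368c1f1360201f374a3ad121925f9aa80664  /usr/local/bin/setup_iptables" | sha256sum -c`, and pointing the URL at a tagged release or a fixed commit rather than `main` so the checksum stays meaningful; as written, a reader who follows the steps in order has installed an unverified executable into `/usr/local/bin` with root privileges. Minor points in the same region: `excape` in the `\115000` note should read `escape`, and the rewritten "Using raw iptables command or iptables front-end" section drops the `--dport` / `--connlimit-above` / `--connlimit-mask` explanation of the example rule that the old text had, which was the only place the meaning of the connection limit was spelled out for readers who manage iptables themselves.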