Changes

Page history
expand donate service docs authored by anarcat's avatar anarcat 
Missing bits documented in tpo/web/donate-neo#79 as well.
Show whitespace changes
Inline Side-by-side
service/donate.md
View page @ d3adde67
Donate-review is a GitLab runner and Review App deployment target for
[donate-neo](gitlab.torproject.org/tpo/web/donate-neo).
Donate-neo is the new Django-based donation site that is the frontend
for <https://donate.torproject.org>.
[[_TOC_]]
......@@ -22,37 +22,101 @@ branch is deleted.
## Pager playbook
TODO: how do we deal with high latency and exceptions?
TODO: card testing playbook. see [service/crm](service/crm) for now.
## Disaster recovery
In the event that the box is compromised, it should be rebuilt from scratch.
See [Installation](#installation) below.
A disaster, for the donation site, can take two major forms:
- complete hardware failure or data loss
- security intrusion or leak
In the event that the production donation server (currently
`donate-01`) server or the "review server" (`donate-review-01`) fail,
they must be rebuilt from scratch and restored from backups. See
[Installation](#installation) below.
If there's an intrusion on the server, that is a much more severe
situation. The machine should immediately be cut off from the network,
and a full secrets rotation (Stripe, Paypal) should be started. An
audit of the backend CiviCRM server should also be started.
# Reference
## Installation
1. bootstrap a new vm, and set up puppet
1. add the `role: donate_review` parameter to the new machine in hiera-enc
1. run puppet
### main donation server
To build a new donation server:
1. bootstrap a new virtual machine (see [new-machine](howto/new-machine) up to Puppet
2. add the `role: donate` parameter to the new machine in `hiera-enc`
on `tor-puppet.git`
3. run Puppet on the machine
TODO: anything not in Puppet?
### donate review server
To setup a new donate-review server
1. bootstrap a new virtual machine (see [new-machine](howto/new-machine) up to Puppet
1. add the `role: donate_review` parameter to the new machine in
`hiera-enc` on `tor-puppet.git`
1. run puppet on the machine
This should register a new runner in GitLab and start processing jobs.
## Upgrades
Upgrades are performed automatically through Debian packages. `gitlab-runner` is
excluded from unattended-upgrades and must be upgraded manually.
Most upgrades are performed automatically through Debian packages.
On the staging servers (currently `donate-review-01`), `gitlab-runner`
is excluded from unattended-upgrades and must be upgraded manually.
The review apps are not upgraded unless new commits appear in their branch to
trigger a rebuild.
TODO: The `renovate-cron` project should be enabled here to ensure timely
upgrades to the staging and production deployments.
## SLA
<!-- this describes an acceptable level of service for this service -->
There is not formal SLA for this service, but it's one of the most
critical services in our fleet, and outages should probably be
prioritized over any other task.
## Design and architecture
There are three major pieces to donate-review:
The donation site is built of two main parts:
- a django frontend AKA [donate-neo][]
- a CiviCRM backend
[donate-neo]: https://gitlab.torproject.org/tpo/web/donate-neo
Those two are interconnected with a Redis server protected by an
[IPsec](howto/ipsec) tunnel.
The documentation here covers only the frontend, and barely the Redis
tunnel.
The frontend is a Django site that's also been called "donate-neo" in
the past. Inversely, the *old* site has been called "donate paleo" as
well, to disambiguate the "donate site" name.
The site is deployed with containers ran by podman and built in
GitLab.
The main donate site is running on a production server (`donate-01`),
where the containers and podman are deployed by Puppet.
There is a staging server and development "review apps"
(`donate-review-01`) that is managed by a `gitlab-runner` and driven
by GitLab CI.
### Review apps
Those are made of three parts:
- the donate-neo [.gitlab-ci.yml file][]
- the `review-app.conf` apache2 configuration file
......@@ -74,31 +138,41 @@ listening.
[.gitlab-ci.yml file]: <https://gitlab.torproject.org/tpo/web/donate-neo/-/blob/main/.gitlab-ci.yml>
### Subdomains and TLS Certs
A wildcard certificate for `*.donate-review.torproject.net` is used for all
review apps virtual host configurations.
## Services
- gitlab-runner
- apache
- podman containers (one per review app)
- apache acts as a reverse proxy for TLS termination and basic
authentication
- podman containers deploy the code, one container per review app
- `gitlab-runner` deploys review apps
## Storage
<!-- databases? plain text file? the frigging blockchain? memory? -->
Django stores data in SQLite database, in
`/home/tordonate/app/db.sqlite3` inside the container. In typical
Django fashion, it stores information about user sessions, users,
logs, and CAPTCHA tokens.
## Queues
<!-- email queues, job queues, schedulers -->
Redis is used as a queue.
TODO: describe better the resque stuff.
## Interfaces
<!-- e.g. web APIs, commandline clients, etc -->
Most of the interactions with donate happen over HTTP. Payment
providers ping back the site with webhook endpoints which have to
bypass CSRF protections.
## Authentication
TODO: do we have users in django, is the admin interface visible?
### review apps
The donate-review *runner* uses token authentication to pick up jobs from
GitLab. To access the review apps, HTTP basic authentication is required to
prevent passers-by from stumbling onto the review apps and to keep indexing
......@@ -116,16 +190,21 @@ do this is:
## Implementation
<!-- programming languages, frameworks, versions, license -->
Donate is implemented using Django, version 4.2.13 at the time of
writing (2024-08-22). A relatively small number of dependencies are
documented in the [pyproject.toml](https://gitlab.torproject.org/tpo/web/donate-neo/-/blob/465041dfd92e0ec09613c897f32e54a76f7e4f80/pyproject.toml#L8-21) file and the [latest
poetry.lock](https://gitlab.torproject.org/tpo/web/donate-neo/-/blob/main/poetry.lock?ref_type=heads) file contains actual versions currently deployed.
Poetry is used to manage dependencies and builds. The frontend CSS /
JS code is managed with NVM. The [README file](https://gitlab.torproject.org/tpo/web/donate-neo/-/tree/main?ref_type=heads) has more information
about the development setup.
## Related services
<!-- dependent services (e.g. authenticates against LDAP, or requires -->
<!-- git pushes) -->
See mainly the [CiviCRM server](service/crm).
## Issues
There is no issue tracker specifically for this the donate-review runner.
[File][] or [search][] for issues in the donate-neo repository.
[File]: https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/new
......@@ -133,19 +212,29 @@ There is no issue tracker specifically for this the donate-review runner.
## Maintainer
[TPA](https://gitlab.torproject.org/tpo/tpa/team)
Mostly [TPA](https://gitlab.torproject.org/tpo/tpa/team) (especially for the review apps and production
server), the django site was built by a consultant.
## Users
Anyone contributing to [tpo/web/donate-neo][].
[tpo/web/donate-neo]: https://gitlab.torproject.org/tpo/web/donate-neo
Anyone doing donations to the Tor Project over the main website is
bound to use the donate site.
## Upstream
<!-- who the upstreams are, if they are still active, -->
<!-- collaborative, how do we keep up to date, support channels, see -->
<!-- also the "Issues" section above -->
Django should probably be considered the upstream here. [According to
Wikipedia](https://en.wikipedia.org/wiki/Django_(web_framework)), "is a free and open-source, Python-based web framework
that runs on a web server. It follows the model–template–views (MTV)
architectural pattern. It is maintained by the Django Software
Foundation (DSF), an independent organization established in the US as
a 501(c)(3) non-profit. Some well-known sites that use Django include
Instagram, Mozilla, Disqus, Bitbucket, Nextdoor and Clubhouse."
LTS releases are supported for "typically 3 years", see [their release
process](https://docs.djangoproject.com/en/5.1/internals/release-process/) for more background.
Support mostly happens over the [communnity section](https://www.djangoproject.com/community/) of the main
website, and through Discord, a forum, and GitHub issues.
## Monitoring and metrics
......@@ -157,45 +246,55 @@ Anyone contributing to [tpo/web/donate-neo][].
<!-- how the service can be tested, for example after major changes -->
<!-- like IP address changes or upgrades. describe CI, test suites, linting -->
TODO: how do we run the test suite or test that things are still working after an upgrade? (@stephen) also cross-ref with @mattlav's checklist
## Logs
The review app logs may be accessed using the `podman logs <container>` command
as the `gitlab-runner` user.
The logs may be accessed using the `podman logs <container>` command,
as the `gitlab-runner` user for review apps.
## Backups
This service has no special backup needs. All the donate-neo instances are
ephemeral, and a new system can be bootstrapped solely from puppet.
This service has no special backup needs. In particular, all of the
donate-review instances are ephemeral, and a new system can be
bootstrapped solely from puppet.
## Other documentation
<!-- references to upstream documentation, if relevant -->
* [Django documentation](https://docs.djangoproject.com/), [direct link to 4.1](https://docs.djangoproject.com/en/4.1/)
* [CiviCRM internal docs](service/crm)
# Discussion
<!-- the "discussion" section is where you put any longer conversation -->
<!-- about the project that you will not need in a casual -->
<!-- review. history of the project, why it was done the way it was -->
<!-- (as opposed to how), alternatives, and other proposals are -->
<!-- relevant here. -->
<!-- this at least partly overlaps with the TPA-RFC process (see -->
<!-- policy.md), but in general should defer to proposals when -->
<!-- available -->
## Overview
donate-review was created as part of tpo/web/donate-neo#6,
tpo/tpa/team#41108 and refactored as part of tpo/web/donate-neo#21.
donate-review was created as part of [tpo/web/donate-neo#6,](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/6,)
[tpo/tpa/team#41108](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41108) and refactored as part of [tpo/web/donate-neo#21.](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/21.)
Donate-review's purpose is to provide a review app deploy target for
tpo/web/donate-neo. Most of the other tpo/web sites are static lektor sites,
and can be easily deployed to a review app target as simple static sites
fronted by Apache. But because donate-neo is a django application, it needs a
specially-created deploy target for review apps.
[donate-neo][]. Most of the other tpo/web sites are static lektor
sites, and can be easily deployed to a review app target as simple
static sites fronted by Apache. But because donate-neo is a Django
application, it needs a specially-created deploy target for review
apps.
## Security and risk assessment
### django
Django has a relatively good security record and a good security
team. Our challenge will be mainly to keep it up to date.
### production site
The production server is separate from the review apps to isolate it
from the GitLab attack surface. It was felt that doing full
"continuous deployment" was dangerous, and we require manual
deployments and reviews before GitLab-generated code can be deployed
in that sensitive environment.
### donate-review
donate-review is a shell executor, which means each CI job is executed with no
real sandboxing or containerization. There was an attempt to set up the runner
using systemd-nspawn, but it was taking too long and we
......@@ -211,14 +310,30 @@ ensure no untrusted party is allowed to gain this privilege.
## Technical debt and next steps
### Dependencies chase
The `renovate-cron` project should be used on the donate-neo codebase
to ensure timely upgrades to the staging and production
deployments. See [tpo/web/donate-neo#46](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/46). The [upgrades](#upgrades) section
should be fixed when that is done.
### Django upgrades
We are running Django 4, released in April 2023, an LTS release
supported until April 2026. The upgrade to Django 5 will carefully
require reviewing release notes for deprecations and removals, see
[how to upgrade](https://docs.djangoproject.com/en/5.1/howto/upgrade-version/) for details.
### donate-review
The next step here is to make the donate-review service fully generic to allow
other web projects with special runtime requirements to deploy review apps in
the same manner.
## Proposed Solution
<!-- Link to RFC -->
No formal proposal was established to build this service.
## Other alternatives
<!-- include benchmarks and procedure if relevant -->
None discussed so far, but see [tpo/web/donate-neo#20](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/20).