Changes

Page history
expand donate service docs authored by anarcat's avatar anarcat 
Missing bits documented in tpo/web/donate-neo#79 as well.
Show whitespace changes
Inline Side-by-side
service/donate.md
View page @ d3adde67
Donate-review is a GitLab runner and Review App deployment target for Donate-neo is the new Django-based donation site that is the frontend
[donate-neo](gitlab.torproject.org/tpo/web/donate-neo). for <https://donate.torproject.org>.
[[_TOC_]] [[_TOC_]]
...@@ -22,37 +22,101 @@ branch is deleted. ...@@ -22,37 +22,101 @@ branch is deleted.
## Pager playbook ## Pager playbook
TODO: how do we deal with high latency and exceptions?
TODO: card testing playbook. see [service/crm](service/crm) for now.
## Disaster recovery ## Disaster recovery
In the event that the box is compromised, it should be rebuilt from scratch. A disaster, for the donation site, can take two major forms:
See [Installation](#installation) below.
- complete hardware failure or data loss
- security intrusion or leak
In the event that the production donation server (currently
`donate-01`) server or the "review server" (`donate-review-01`) fail,
they must be rebuilt from scratch and restored from backups. See
[Installation](#installation) below.
If there's an intrusion on the server, that is a much more severe
situation. The machine should immediately be cut off from the network,
and a full secrets rotation (Stripe, Paypal) should be started. An
audit of the backend CiviCRM server should also be started.
# Reference # Reference
## Installation ## Installation
1. bootstrap a new vm, and set up puppet ### main donation server
1. add the `role: donate_review` parameter to the new machine in hiera-enc
1. run puppet To build a new donation server:
1. bootstrap a new virtual machine (see [new-machine](howto/new-machine) up to Puppet
2. add the `role: donate` parameter to the new machine in `hiera-enc`
on `tor-puppet.git`
3. run Puppet on the machine
TODO: anything not in Puppet?
### donate review server
To setup a new donate-review server
1. bootstrap a new virtual machine (see [new-machine](howto/new-machine) up to Puppet
1. add the `role: donate_review` parameter to the new machine in
`hiera-enc` on `tor-puppet.git`
1. run puppet on the machine
This should register a new runner in GitLab and start processing jobs.
## Upgrades ## Upgrades
Upgrades are performed automatically through Debian packages. `gitlab-runner` is Most upgrades are performed automatically through Debian packages.
excluded from unattended-upgrades and must be upgraded manually.
On the staging servers (currently `donate-review-01`), `gitlab-runner`
is excluded from unattended-upgrades and must be upgraded manually.
The review apps are not upgraded unless new commits appear in their branch to The review apps are not upgraded unless new commits appear in their branch to
trigger a rebuild. trigger a rebuild.
TODO: The `renovate-cron` project should be enabled here to ensure timely
upgrades to the staging and production deployments.
## SLA ## SLA
<!-- this describes an acceptable level of service for this service --> There is not formal SLA for this service, but it's one of the most
critical services in our fleet, and outages should probably be
prioritized over any other task.
## Design and architecture ## Design and architecture
There are three major pieces to donate-review: The donation site is built of two main parts:
- a django frontend AKA [donate-neo][]
- a CiviCRM backend
[donate-neo]: https://gitlab.torproject.org/tpo/web/donate-neo
Those two are interconnected with a Redis server protected by an
[IPsec](howto/ipsec) tunnel.
The documentation here covers only the frontend, and barely the Redis
tunnel.
The frontend is a Django site that's also been called "donate-neo" in
the past. Inversely, the *old* site has been called "donate paleo" as
well, to disambiguate the "donate site" name.
The site is deployed with containers ran by podman and built in
GitLab.
The main donate site is running on a production server (`donate-01`),
where the containers and podman are deployed by Puppet.
There is a staging server and development "review apps"
(`donate-review-01`) that is managed by a `gitlab-runner` and driven
by GitLab CI.
### Review apps
Those are made of three parts:
- the donate-neo [.gitlab-ci.yml file][] - the donate-neo [.gitlab-ci.yml file][]
- the `review-app.conf` apache2 configuration file - the `review-app.conf` apache2 configuration file
...@@ -74,31 +138,41 @@ listening. ...@@ -74,31 +138,41 @@ listening.
[.gitlab-ci.yml file]: <https://gitlab.torproject.org/tpo/web/donate-neo/-/blob/main/.gitlab-ci.yml> [.gitlab-ci.yml file]: <https://gitlab.torproject.org/tpo/web/donate-neo/-/blob/main/.gitlab-ci.yml>
### Subdomains and TLS Certs
A wildcard certificate for `*.donate-review.torproject.net` is used for all A wildcard certificate for `*.donate-review.torproject.net` is used for all
review apps virtual host configurations. review apps virtual host configurations.
## Services ## Services
- gitlab-runner - apache acts as a reverse proxy for TLS termination and basic
- apache authentication
- podman containers (one per review app) - podman containers deploy the code, one container per review app
- `gitlab-runner` deploys review apps
## Storage ## Storage
<!-- databases? plain text file? the frigging blockchain? memory? --> Django stores data in SQLite database, in
`/home/tordonate/app/db.sqlite3` inside the container. In typical
Django fashion, it stores information about user sessions, users,
logs, and CAPTCHA tokens.
## Queues ## Queues
<!-- email queues, job queues, schedulers --> Redis is used as a queue.
TODO: describe better the resque stuff.
## Interfaces ## Interfaces
<!-- e.g. web APIs, commandline clients, etc --> Most of the interactions with donate happen over HTTP. Payment
providers ping back the site with webhook endpoints which have to
bypass CSRF protections.
## Authentication ## Authentication
TODO: do we have users in django, is the admin interface visible?
### review apps
The donate-review *runner* uses token authentication to pick up jobs from The donate-review *runner* uses token authentication to pick up jobs from
GitLab. To access the review apps, HTTP basic authentication is required to GitLab. To access the review apps, HTTP basic authentication is required to
prevent passers-by from stumbling onto the review apps and to keep indexing prevent passers-by from stumbling onto the review apps and to keep indexing
...@@ -116,16 +190,21 @@ do this is: ...@@ -116,16 +190,21 @@ do this is:
## Implementation ## Implementation
<!-- programming languages, frameworks, versions, license --> Donate is implemented using Django, version 4.2.13 at the time of
writing (2024-08-22). A relatively small number of dependencies are
documented in the [pyproject.toml](https://gitlab.torproject.org/tpo/web/donate-neo/-/blob/465041dfd92e0ec09613c897f32e54a76f7e4f80/pyproject.toml#L8-21) file and the [latest
poetry.lock](https://gitlab.torproject.org/tpo/web/donate-neo/-/blob/main/poetry.lock?ref_type=heads) file contains actual versions currently deployed.
Poetry is used to manage dependencies and builds. The frontend CSS /
JS code is managed with NVM. The [README file](https://gitlab.torproject.org/tpo/web/donate-neo/-/tree/main?ref_type=heads) has more information
about the development setup.
## Related services ## Related services
<!-- dependent services (e.g. authenticates against LDAP, or requires --> See mainly the [CiviCRM server](service/crm).
<!-- git pushes) -->
## Issues ## Issues
There is no issue tracker specifically for this the donate-review runner.
[File][] or [search][] for issues in the donate-neo repository. [File][] or [search][] for issues in the donate-neo repository.
[File]: https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/new [File]: https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/new
...@@ -133,19 +212,29 @@ There is no issue tracker specifically for this the donate-review runner. ...@@ -133,19 +212,29 @@ There is no issue tracker specifically for this the donate-review runner.
## Maintainer ## Maintainer
[TPA](https://gitlab.torproject.org/tpo/tpa/team) Mostly [TPA](https://gitlab.torproject.org/tpo/tpa/team) (especially for the review apps and production
server), the django site was built by a consultant.
## Users ## Users
Anyone contributing to [tpo/web/donate-neo][]. Anyone doing donations to the Tor Project over the main website is
bound to use the donate site.
[tpo/web/donate-neo]: https://gitlab.torproject.org/tpo/web/donate-neo
## Upstream ## Upstream
<!-- who the upstreams are, if they are still active, --> Django should probably be considered the upstream here. [According to
<!-- collaborative, how do we keep up to date, support channels, see --> Wikipedia](https://en.wikipedia.org/wiki/Django_(web_framework)), "is a free and open-source, Python-based web framework
<!-- also the "Issues" section above --> that runs on a web server. It follows the model–template–views (MTV)
architectural pattern. It is maintained by the Django Software
Foundation (DSF), an independent organization established in the US as
a 501(c)(3) non-profit. Some well-known sites that use Django include
Instagram, Mozilla, Disqus, Bitbucket, Nextdoor and Clubhouse."
LTS releases are supported for "typically 3 years", see [their release
process](https://docs.djangoproject.com/en/5.1/internals/release-process/) for more background.
Support mostly happens over the [communnity section](https://www.djangoproject.com/community/) of the main
website, and through Discord, a forum, and GitHub issues.
## Monitoring and metrics ## Monitoring and metrics
...@@ -157,45 +246,55 @@ Anyone contributing to [tpo/web/donate-neo][]. ...@@ -157,45 +246,55 @@ Anyone contributing to [tpo/web/donate-neo][].
<!-- how the service can be tested, for example after major changes --> <!-- how the service can be tested, for example after major changes -->
<!-- like IP address changes or upgrades. describe CI, test suites, linting --> <!-- like IP address changes or upgrades. describe CI, test suites, linting -->
TODO: how do we run the test suite or test that things are still working after an upgrade? (@stephen) also cross-ref with @mattlav's checklist
## Logs ## Logs
The review app logs may be accessed using the `podman logs <container>` command The logs may be accessed using the `podman logs <container>` command,
as the `gitlab-runner` user. as the `gitlab-runner` user for review apps.
## Backups ## Backups
This service has no special backup needs. All the donate-neo instances are This service has no special backup needs. In particular, all of the
ephemeral, and a new system can be bootstrapped solely from puppet. donate-review instances are ephemeral, and a new system can be
bootstrapped solely from puppet.
## Other documentation ## Other documentation
<!-- references to upstream documentation, if relevant --> * [Django documentation](https://docs.djangoproject.com/), [direct link to 4.1](https://docs.djangoproject.com/en/4.1/)
* [CiviCRM internal docs](service/crm)
# Discussion # Discussion
<!-- the "discussion" section is where you put any longer conversation -->
<!-- about the project that you will not need in a casual -->
<!-- review. history of the project, why it was done the way it was -->
<!-- (as opposed to how), alternatives, and other proposals are -->
<!-- relevant here. -->
<!-- this at least partly overlaps with the TPA-RFC process (see -->
<!-- policy.md), but in general should defer to proposals when -->
<!-- available -->
## Overview ## Overview
donate-review was created as part of tpo/web/donate-neo#6, donate-review was created as part of [tpo/web/donate-neo#6,](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/6,)
tpo/tpa/team#41108 and refactored as part of tpo/web/donate-neo#21. [tpo/tpa/team#41108](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41108) and refactored as part of [tpo/web/donate-neo#21.](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/21.)
Donate-review's purpose is to provide a review app deploy target for Donate-review's purpose is to provide a review app deploy target for
tpo/web/donate-neo. Most of the other tpo/web sites are static lektor sites, [donate-neo][]. Most of the other tpo/web sites are static lektor
and can be easily deployed to a review app target as simple static sites sites, and can be easily deployed to a review app target as simple
fronted by Apache. But because donate-neo is a django application, it needs a static sites fronted by Apache. But because donate-neo is a Django
specially-created deploy target for review apps. application, it needs a specially-created deploy target for review
apps.
## Security and risk assessment ## Security and risk assessment
### django
Django has a relatively good security record and a good security
team. Our challenge will be mainly to keep it up to date.
### production site
The production server is separate from the review apps to isolate it
from the GitLab attack surface. It was felt that doing full
"continuous deployment" was dangerous, and we require manual
deployments and reviews before GitLab-generated code can be deployed
in that sensitive environment.
### donate-review
donate-review is a shell executor, which means each CI job is executed with no donate-review is a shell executor, which means each CI job is executed with no
real sandboxing or containerization. There was an attempt to set up the runner real sandboxing or containerization. There was an attempt to set up the runner
using systemd-nspawn, but it was taking too long and we using systemd-nspawn, but it was taking too long and we
...@@ -211,14 +310,30 @@ ensure no untrusted party is allowed to gain this privilege. ...@@ -211,14 +310,30 @@ ensure no untrusted party is allowed to gain this privilege.
## Technical debt and next steps ## Technical debt and next steps
### Dependencies chase
The `renovate-cron` project should be used on the donate-neo codebase
to ensure timely upgrades to the staging and production
deployments. See [tpo/web/donate-neo#46](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/46). The [upgrades](#upgrades) section
should be fixed when that is done.
### Django upgrades
We are running Django 4, released in April 2023, an LTS release
supported until April 2026. The upgrade to Django 5 will carefully
require reviewing release notes for deprecations and removals, see
[how to upgrade](https://docs.djangoproject.com/en/5.1/howto/upgrade-version/) for details.
### donate-review
The next step here is to make the donate-review service fully generic to allow The next step here is to make the donate-review service fully generic to allow
other web projects with special runtime requirements to deploy review apps in other web projects with special runtime requirements to deploy review apps in
the same manner. the same manner.
## Proposed Solution ## Proposed Solution
<!-- Link to RFC --> No formal proposal was established to build this service.
## Other alternatives ## Other alternatives
<!-- include benchmarks and procedure if relevant --> None discussed so far, but see [tpo/web/donate-neo#20](https://gitlab.torproject.org/tpo/web/donate-neo/-/issues/20).