oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity

refactor(ports): standardize service ports to 8000-8017 range and update CORS configurations across all services

Browse Source 
- Update CORS allow_origins in blockchain-node app.py and gossip relay.py to use new port logic (8000-8016)
- Update coordinator-api config.py and config_pg.py with standardized port ranges and service labels
- Update coordinator-api health check script from port 18000 to 8000
- Update geo_load_balancer.py to use configurable host/port (default 0.0.0.0:8017)
- Update agent_security.py sandbox
This commit is contained in:
oib
2026-03-04 15:43:17 +01:00
parent 3df0a9ed62
commit 5534226895
57 changed files with 9690 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

345
docs/10_plan/firewall-clarification-summary.md Normal file
View File

@@ -0,0 +1,345 @@
# Firewall Clarification: AITBC Containers Use Firehol, Not UFW
## 🎯 Update Summary
**Action**: Clarified that AITBC servers run in incus containers on at1 host, which uses firehol for firewall management, not ufw in containers
**Date**: March 4, 2026
**Reason**: Correct documentation to reflect actual infrastructure setup
---
## ✅ Changes Made
### **1. Main Deployment Guide Updated**
**aitbc.md** - Primary deployment documentation:
```diff
### **Network Requirements**
- **Ports**: 8000-8003 (Core Services), 8010-8016 (Enhanced Services) (must be available)
- **Firewall**: Configure to allow AITBC service ports
+ **Firewall**: Managed by firehol on at1 host (container networking handled by incus)
- **SSL/TLS**: Recommended for production deployments
```
**Security Configuration Section**:
```diff
#### 4.1 Security Configuration
```bash
- # Configure firewall
- # Core Services (8000+)
- sudo ufw allow 8000/tcp # Coordinator API
- sudo ufw allow 8001/tcp # Exchange API
- sudo ufw allow 8002/tcp # Blockchain Node
- sudo ufw allow 8003/tcp # Blockchain RPC
-
- # Enhanced Services (8010+)
- sudo ufw allow 8010/tcp # Multimodal GPU
- sudo ufw allow 8011/tcp # GPU Multimodal
- sudo ufw allow 8012/tcp # Modality Optimization
- sudo ufw allow 8013/tcp # Adaptive Learning
- sudo ufw allow 8014/tcp # Marketplace Enhanced
- sudo ufw allow 8015/tcp # OpenClaw Enhanced
- sudo ufw allow 8016/tcp # Web UI
-
# Secure sensitive files
+ # Note: AITBC servers run in incus containers on at1 host
+ # Firewall is managed by firehol on at1, not ufw in containers
+ # Container networking is handled by incus with appropriate port forwarding
+
+ # Secure sensitive files
chmod 600 /opt/aitbc/apps/coordinator-api/.env
chmod 600 /opt/aitbc/apps/coordinator-api/aitbc_coordinator.db
```
### **2. Requirements Validation System Updated**
**requirements-validation-system.md** - Validation system documentation:
```diff
#### **Network Requirements**
- **Ports**: 8000-8003 (Core Services), 8010-8016 (Enhanced Services) (must be available)
- **Firewall**: Configurable for AITBC ports
+ **Firewall**: Managed by firehol on at1 host (container networking handled by incus)
- **SSL/TLS**: Required for production
- **Bandwidth**: 100Mbps+ recommended
```
**Configuration Section**:
```diff
network:
required_ports:
# Core Services (8000+)
- 8000 # Coordinator API
- 8001 # Exchange API
- 8002 # Blockchain Node
- 8003 # Blockchain RPC
# Enhanced Services (8010+)
- 8010 # Multimodal GPU
- 8011 # GPU Multimodal
- 8012 # Modality Optimization
- 8013 # Adaptive Learning
- 8014 # Marketplace Enhanced
- 8015 # OpenClaw Enhanced
- 8016 # Web UI
- firewall_required: true
+ firewall_managed_by: "firehol on at1 host"
+ container_networking: "incus"
ssl_required: true
minimum_bandwidth_mbps: 100
```
### **3. Validation Script Updated**
**validate-requirements.sh** - Requirements validation script:
```diff
if [ ${#OCCUPIED_PORTS[@]} -gt 0 ]; then
WARNINGS+=("Ports ${OCCUPIED_PORTS[*]} are already in use")
fi
- # Check firewall status
- if command -v ufw &> /dev/null; then
- UFW_STATUS=$(ufw status | head -1)
- echo "Firewall Status: $UFW_STATUS"
- fi
-
+ # Note: AITBC containers use incus networking with firehol on at1 host
+ # This validation is for development environment only
+ echo -e "${BLUE} Note: Production containers use incus networking with firehol on at1 host${NC}"
+
echo -e "${GREEN}✅ Network requirements check passed${NC}"
```
### **4. Comprehensive Summary Updated**
**requirements-updates-comprehensive-summary.md** - Complete summary:
```diff
### **🌐 Network Requirements**
- **Ports**: 8000-8003 (Core Services), 8010-8016 (Enhanced Services) (must be available)
- **Firewall**: Configurable for AITBC ports
+ **Firewall**: Managed by firehol on at1 host (container networking handled by incus)
- **SSL/TLS**: Required for production
- **Bandwidth**: 100Mbps+ recommended
```
---
## 📊 Infrastructure Architecture Clarification
### **Before Clarification**
```
Misconception:
- AITBC containers use ufw for firewall management
- Individual container firewall configuration required
- Port forwarding managed within containers
```
### **After Clarification**
```
Actual Architecture:
┌──────────────────────────────────────────────┐
│ at1 Host (Debian 13 Trixie) │
│ ┌────────────────────────────────────────┐ │
│ │ incus containers (aitbc, aitbc1) │ │
│ │ - No internal firewall (ufw) │ │
│ │ - Networking handled by incus │ │
│ │ - Firewall managed by firehol on host │ │
│ │ - Port forwarding configured on host │ │
│ └────────────────────────────────────────┘ │
│ │
│ firehol configuration: │
│ - Port forwarding: 8000, 8001, 8002, 8003 │
│ - Port forwarding: 8010-8016 │
│ - SSL termination at host level │
│ - Container network isolation │
└──────────────────────────────────────────────┘
```
---
## 🎯 Benefits Achieved
### **✅ Documentation Accuracy**
- **Correct Architecture**: Reflects actual incus container setup
- **Firewall Clarification**: No ufw in containers, firehol on host
- **Network Management**: Proper incus networking documentation
- **Security Model**: Accurate security boundaries
### **✅ Developer Understanding**
- **Clear Architecture**: Developers understand container networking
- **No Confusion**: No misleading ufw commands for containers
- **Proper Guidance**: Correct firewall management approach
- **Deployment Clarity**: Accurate deployment procedures
### **✅ Operational Excellence**
- **Correct Procedures**: Proper firewall management on host
- **Container Isolation**: Understanding of incus network boundaries
- **Port Management**: Accurate port forwarding documentation
- **Security Boundaries**: Clear security model
---
## 📋 Container Architecture Details
### **🏗️ Container Setup**
```bash
# at1 host runs incus with containers
# Containers: aitbc (10.1.223.93), aitbc1 (10.1.223.40)
# Networking: incus bridge with NAT
# Firewall: firehol on host, not ufw in containers
# Container characteristics:
- No internal firewall (ufw not used)
- Network interfaces managed by incus
- Port forwarding configured on host
- Isolated network namespaces
```
### **🔥 Firehol Configuration**
```bash
# on at1 host (not in containers)
# firehol handles port forwarding to containers
# Example configuration:
interface any world
policy drop
protection strong
server "ssh" accept
server "http" accept
server "https" accept
# Forward to aitbc container
router aitbc inface eth0 outface incus-aitbc
route to 10.1.223.93
server "8000" accept # Coordinator API
server "8001" accept # Exchange API
server "8002" accept # Blockchain Node
server "8003" accept # Blockchain RPC
server "8010" accept # Multimodal GPU
server "8011" accept # GPU Multimodal
server "8012" accept # Modality Optimization
server "8013" accept # Adaptive Learning
server "8014" accept # Marketplace Enhanced
server "8015" accept # OpenClaw Enhanced
server "8016" accept # Web UI
```
### **🐳 Incus Networking**
```bash
# Container networking handled by incus
# No need for ufw inside containers
# Port forwarding managed at host level
# Network isolation between containers
# Container network interfaces:
# eth0: incus bridge interface
# lo: loopback interface
# No direct internet access (NAT through host)
```
---
## 🔄 Impact Assessment
### **✅ Documentation Impact**
- **Accuracy**: Documentation now matches actual setup
- **Clarity**: No confusion about firewall management
- **Guidance**: Correct procedures for network configuration
- **Architecture**: Proper understanding of container networking
### **✅ Development Impact**
- **No Misleading Commands**: Removed ufw commands for containers
- **Proper Focus**: Developers focus on application, not container networking
- **Clear Boundaries**: Understanding of host vs container responsibilities
- **Correct Approach**: Proper development environment setup
### **✅ Operations Impact**
- **Firewall Management**: Clear firehol configuration on host
- **Container Management**: Understanding of incus networking
- **Port Forwarding**: Accurate port forwarding documentation
- **Security Model**: Proper security boundaries
---
## 📞 Support Information
### **✅ Container Network Verification**
```bash
# On at1 host (firehol management)
sudo firehol status # Check firehol status
sudo incus list # List containers
sudo incus exec aitbc -- ip addr show # Check container network
sudo incus exec aitbc -- netstat -tlnp # Check container ports
# Port forwarding verification
curl -s https://aitbc.bubuit.net/api/v1/health # Should work
curl -s http://127.0.0.1:8000/v1/health # Host proxy
```
### **✅ Container Internal Verification**
```bash
# Inside aitbc container (no ufw)
ssh aitbc-cascade
ufw status # Should show "inactive" or not installed
netstat -tlnp | grep -E ':(8000|8001|8002|8003|8010|8011|8012|8013|8014|8015|8016)'
# Should show services listening on all interfaces
```
### **✅ Development Environment Notes**
```bash
# Development validation script updated
./scripts/validate-requirements.sh
# Now includes note about incus networking with firehol
# No need to configure ufw in containers
# Focus on application configuration
# Network handled by incus and firehol
```
---
## 🎉 Clarification Success
**✅ Firewall Clarification Complete**:
- Removed misleading ufw commands for containers
- Added correct firehol documentation
- Clarified incus networking architecture
- Updated all relevant documentation
**✅ Benefits Achieved**:
- Accurate documentation of actual setup
- Clear understanding of container networking
- Proper firewall management guidance
- No confusion about security boundaries
**✅ Quality Assurance**:
- All documentation updated consistently
- No conflicting information
- Clear architecture explanation
- Proper verification procedures
---
## 🚀 Final Status
**🎯 Clarification Status**: ✅ **COMPLETE AND VERIFIED**
**📊 Success Metrics**:
- **Documentation Updated**: 4 files updated
- **Misleading Commands Removed**: All ufw commands for containers
- **Architecture Clarified**: incus + firehol model documented
- **Validation Updated**: Script notes container networking
**🔍 Verification Complete**:
- Documentation matches actual infrastructure
- No conflicting firewall information
- Clear container networking explanation
- Proper security boundaries documented
**🚀 Firewall clarification complete - AITBC containers use firehol on at1, not ufw!**
---
**Status**: ✅ **COMPLETE AND VERIFIED**
**Last Updated**: 2026-03-04
**Maintainer**: AITBC Development Team