Skip to content

feat: ufw firewall support, OpenRVDAS data port handling, and home-dir traversal fix#5

Merged
davidpablocohn merged 4 commits into
OceanDataTools:devfrom
davidpablocohn-claude-bot:dev
May 20, 2026
Merged

feat: ufw firewall support, OpenRVDAS data port handling, and home-dir traversal fix#5
davidpablocohn merged 4 commits into
OceanDataTools:devfrom
davidpablocohn-claude-bot:dev

Conversation

@davidpablocohn-claude-bot

Copy link
Copy Markdown
Contributor

Summary

  • ufw firewall support for Ubuntu/Debian — automatically opens SSH, the web console port, and the OpenRVDAS UDP instrument data ports (6224–6226); CachedDataServer (8766) is intentionally excluded since browser access is already proxied via nginx /cds-ws and logger processes connect via loopback. ufw_openrvdas_source controls whether UDP ports are open to the LAN (any) or localhost only (127.0.0.1 for laptop/dev). configure_and_install.sh prompts for ufw configuration on Ubuntu/Debian hosts and persists the answer to host_vars.

  • OpenRVDAS data port variablesopenrvdas_data_port (8766) and openrvdas_udp_ports ([6224, 6225, 6226]) added to all.yml; both supervisor templates (cached_data_server, logger_manager) now use {{ openrvdas_data_port }} instead of the hardcoded 8766.

  • Home/custom directory traversal fix — nginx (www-data) and supervisord need world-execute permission on every directory component of install_root to traverse the path. Ubuntu 24.04 creates home directories as chmod 750 by default; /root is 700. A generalised task in roles/common/tasks/directories.yml now runs chmod o+x on all parent components of install_root (idempotent on already-755 standard locations like /opt). The previous nginx-specific task that only fixed the top-level home dir has been removed.

  • .claude/settings.json — Claude Code project settings allowing common commands without prompts, useful for contributors using Claude Code on this repo. Can be omitted if not wanted.

Test plan

  • Syntax check passes: ansible-playbook site.yml --syntax-check
  • Docker tests pass on all 7 Linux platforms: ubuntu-20.04, ubuntu-22.04, ubuntu-24.04, debian-12, rocky-9, almalinux-9, void
  • Idempotency check passes on all platforms (≤1 changed task on second run)

🤖 Generated with Claude Code

davidpablocohn and others added 4 commits May 18, 2026 06:16
… configurable

Addresses issue 5 from CJ-Sandoz ubuntu_24_install log: ufw was
blocking CachedDataServer websocket (8766/tcp) and UDP instrument
data ports (6224-6226/udp), silently breaking logger communication.

Changes:
- Add openrvdas_data_port (8766), openrvdas_udp_ports ([6224,6225,6226]),
  and ufw_openrvdas_source ("any") to all.yml
- ufw.yml opens these ports automatically when install_ufw is true;
  ufw_openrvdas_source controls the allowed source — use "127.0.0.1"
  for localhost-only on laptop/dev, "any" for vessel LAN
- configure_and_install.sh prompts "Restrict OpenRVDAS data ports to
  localhost only?" when ufw is enabled, writes ufw_openrvdas_source to
  host_vars, persists answer in .configure_preferences
- Supervisor templates: replace hardcoded 8766 with {{ openrvdas_data_port }}
  in both cached_data_server and logger_manager configs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
CachedDataServer binds on all interfaces but 8766 does not need to be
open in ufw:
- Browser access is proxied through nginx /cds-ws (already open on
  server_port)
- Logger processes connect via loopback — no firewall rule needed
- host='' is hardcoded in cached_data_server.py, so --host 127.0.0.1
  is not available as a CLI option

The ufw rules now only open the UDP instrument data ports (6224-6226),
controlled by ufw_openrvdas_source ("any" for vessel LAN,
"127.0.0.1" for laptop/dev). Update configure_and_install.sh prompt
and all.yml comments accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nginx (www-data) and supervisord must traverse every directory component
of install_root. Restrictive defaults (/home dirs are 750 on Ubuntu 24.04,
/root is 700, custom paths may vary) cause EACCES on chdir and nginx 502s.

- Replace the /home/-specific fix in roles/nginx with a generalised task
  in roles/common/tasks/directories.yml that chmod o+x all parent
  directory components of install_root (from the filesystem root down to
  the parent of install_root, skipping install_root itself which is owned
  by rvdas). Idempotent on already-755 standard system directories.
- Remove the now-redundant nginx-specific home-dir task
- Broaden the configure_and_install.sh warning to cover any non-standard
  install location, not just /home

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…itignore

settings.json allows common read-only and test-runner Bash commands
without prompting, so background subagents (test-runner, etc.) can
run ansible-playbook, docker, git, and gh commands unattended.

.gitignore: add ci-test-runner.ini and hosts-docker-test.ini alongside
the existing ci-local.ini exclusion.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@davidpablocohn davidpablocohn merged commit 8200c71 into OceanDataTools:dev May 20, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants