Skip to content
Snippets Groups Projects
Commit 51ce199a authored by Leonidas Poulopoulos's avatar Leonidas Poulopoulos
Browse files

Re-wrote installation documentation for Ubuntu 12.04.3

parent aa1e16e6
No related branches found
No related tags found
No related merge requests found
......@@ -2,11 +2,49 @@ flowspytag = $(shell git describe --abbrev=0)
flowspyver = $(shell git describe --abbrev=0 | egrep -o '([0-9]+\.){1,10}[0-9]+' | sed -e 's/\./_/g')
name = $(shell basename $(shell pwd))
.PHONY: dist distclean
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER =
BUILDDIR = doc/build
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) doc/source
.PHONY: help dist distclean docclean html latex text
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " text to make standalone txt files"
dist:
git archive --format tar --prefix $(name)-$(flowspyver)/ -o $(name)-$(flowspyver).tar $(flowspytag)
gzip -f $(name)-$(flowspyver).tar
distclean:
@rm -f *tar.gz
docclean:
-rm -rf $(BUILDDIR)/*
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make all-pdf' or \`make all-ps' in that directory to" \
"run these through (pdf)latex."
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Done"
===========
1. Tool requirements
Note: Depending on your setup each of the following
may depend on other packages
* python-django
* python-django-extensions
* python-mysqldb
* mysql-client-5.1
* python-gevent
* python-django-south
* python-django-celery
* python-yaml
* python-paramiko (>= 1.7.7.1)
* python-memcache
* python-django-registration
* ncclient (http://ncclient.grnet.gr/, http://github.com/leopoul/ncclient)
* nxpy (https://code.grnet.gr/projects/nxpy)
* python-lxml
* python-ipaddr
* python-django-tinymce
* apache2
* apache2-mod-proxy
* apache2-mod-rewrite
* apache2-shibboleth : The server should be setup as a Shibboleth SP
* The tool requires an event supporting web server. It is suggested to deploy gunicorn
* If you wish to link your own db tables (peers, networks, etc) with the tool, prefer MySQL MyISAM db engine and use views.
===========
2. Tool architecture
Firewall on Demand
******************
Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers.
Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network
address range that the user originates from.
Components roles:
- web server (gunicorn): server the tool to localhost:port and allows for events
- memcached: Caches devices information and aids in syncing
- gunicorn/beanstalk: Job queue that applies firewall rules in a serial manner to avoid locks
===========
3. Operational requirements
* Shibboleth authentication
- Shibboleth attributes:
- eduPersonPrincipalName: Provides a string that uniquely identifies an administrator in the management application.
- eduPersonEntitlement: A specific URN value must be provided to authorize an administrator: urn:mace:grnet.gr:fod:admin
- mail: The e-mail address (one or more) of the administrator. It is used for notifications from the management application. It may also be used for further communication, with prior consent.
- givenName (optional): The person's first name.
- sn (optional): The person's last name.
Description
===========
4. Installation Procedure
4.1 Pre-installation
Configure and setup celeryd, memcached, beanstalkd, web server (gunicorn mode: django), apache
Copy settings.py.dist to settings.py and urls.py.dist to urls.py.
In settings.py set the following according to your configuration:
* DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
* STATIC_URL (static media directory)
* TEMPLATE_DIRS
* CACHE_BACKEND
* NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work)
* NETCONF_USER (enable ssh and netconf on device)
* NETCONF_PASS
* BROKER_HOST (beanstalk host)
* BROKER_PORT (beanstalk port)
* SERVER_EMAIL
* EMAIL_SUBJECT_PREFIX
* BROKER_URL (beanstalk url)
* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
* NOTIFY_ADMIN_MAILS (bcc mail addresses)
* PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
* PRIMARY_WHOIS
* ALTERNATE_WHOIS
4.2 Branding
4.2.1 Logos
Inside the static folder you will find two empty png files: fod_logo.xcf (Gimp file) and shib_login.dist.png.
Edit those two with your favourite image processing software and save them as fod_logo.png (under static/img/) and shib_login.png (under static/). Image sizes are optimized to operate without any
other code changes. In case you want to incorporate images of different sizes you have to fine tune css and/or html as well.
4.2.2 Footer
Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.
4.2.3 Welcome Page
Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.
4.3 Configuration Examples
* Gunicorn configuration
/etc/gunicorn.d/project:
CONFIG = {
'mode': 'django',
'working_dir': '/path/to/flowspy',
#'python': '/usr/bin/python',
'args': (
'--bind=localhost:port',
'--workers=1',
'--timeout=360',
#'--keepalive=90',
'--worker-class=egg:gunicorn#gevent',
'--log-level=debug',
'--log-file=/path/to/fod.log',
'settings.py',
),
}
* Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules enabled.
Depending on the setup the apache configuration may vary.
* Celeryd example configuration:
/etc/default/celeryd:
# Name of nodes to start, here we have a single node
CELERYD_NODES="w1"
# or we could have three nodes:
#CELERYD_NODES="w1 w2 w3"
# Where to chdir at start.
CELERYD_CHDIR="/path/to/flowspy/"
# How to call "manage.py celeryd_multi"
CELERYD_MULTI="$CELERYD_CHDIR/manage.py celeryd_multi"
# How to call "manage.py celeryctl"
CELERYCTL="$CELERYD_CHDIR/manage.py celeryctl"
# Extra arguments to celeryd
#CELERYD_OPTS="--time-limit=300 --concurrency=8"
CELERYD_OPTS="-E -B"
# Name of the celery config module.
CELERY_CONFIG_MODULE="celeryconfig"
# %n will be replaced with the nodename.
CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"
# Workers should run as an unprivileged user.
CELERYD_USER="user"
CELERYD_GROUP="usergroup"
# Name of the projects settings module.
export DJANGO_SETTINGS_MODULE="settings"
4.4 Installation
* Run:
./manage.py syncdb
to create all the necessary tables in the database. Enable the admin account to insert initial data for peers and their contact info.
* Then to allow for south migrations:
./manage.py migration
* Only if you wish to obtain info for your peers from a whois server:
If you have properly set the primary and alternate whois servers you could go for:
./manage.py fetch_networks
to automatically fill network info.
Alternatively you could fill those info manually via the admin interface.
* Via the admin interface, modify as required the existing (example.com) Site instance
* Modify flatpages to suit your needs
* Once Apache proxying and shibboleth modules are properly setup, login to the tool. If shibboleth SP is properly setup you should see a user pending activation message and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts.
** To share ideas and ask questions drop an email at: leopoul-at-noc(dot)grnet{dot}gr
Firewall on Demand applies, via Netconf, flow rules to a network
device. These rules are then propagated via e-bgp to peering routers.
Each user is authenticated against shibboleth. Authorization is
performed via a combination of a Shibboleth attribute and the peer
network address range that the user originates from. FoD is meant to
operate over this architecture:
+-----------+ +------------+ +------------+
| FoD | NETCONF | flowspec | ebgp | router |
| web app +----------> device +--------> |
+-----------+ +------+-----+ +------------+
| ebgp
|
+------v-----+
| router |
| |
+------------+
NETCONF is chosen as the mgmt protocol to apply rules to a single
flowspec capable device. Rules are then propagated via igbp to all
flowspec capable routers. Of course FoD could apply rules directly
(via NETCONF always) to a router and then ibgp would do the rest. In
GRNET's case the flowspec capable device is an EX4200.
Attention: Make sure your FoD server has ssh access to your flowspec device.
Installation Considerations
===========================
You can find the installation instructions for Ubuntu 12.04.3 (64)
with Django 1.3.x in install.txt file. FoD depends on a bunch of
packages. Installing in Debian Squeeze proved to be really tough as
the majority of the required packages are not provided by any repos
and need to be installed manually. This guide presents the
installation procedures for Ubuntu 12.04.3 (64) with Django 1.3.x.
Really soon, we will provide a guide for Debian Wheezy. However, users
who wish to go for Wheezy, need to read the Django 1.4 changelist. One
of the most significant changes in Django 1.4 is that the application
dir layout has to be restructured. Also bear in mind that Django 1.4
introduces new aspects when it comes to application library
inclussions.
Soon we will post a branch of FoD tailored for Django 1.4.
Contact
=======
You can find more about FoD or raise your issues at GRNET FoD
repository: https://code.grnet.gr/fod.
You can contactus directly at leopoul{at}noc[dot]grnet(.)gr
# -*- coding: utf-8 -*-
#
# fod documentation build configuration file, created by
# sphinx-quickstart on Wed Oct 16 17:20:20 2013.
#
# This file is execfile()d with the current directory set to its containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
import sys, os
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#sys.path.append(os.path.abspath('.'))
# -- General configuration -----------------------------------------------------
# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = []
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix of source filenames.
source_suffix = '.rst'
# The encoding of source files.
#source_encoding = 'utf-8'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = u'fod'
copyright = u'2013, Leonidas Poulopoulos'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '0.9.9'
# The full version, including alpha/beta/rc tags.
release = '0.9.9'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
#today = ''
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'
# List of documents that shouldn't be included in the build.
#unused_docs = []
# List of directories, relative to source directory, that shouldn't be searched
# for source files.
exclude_trees = []
# The reST default role (used for this markup: `text`) to use for all documents.
#default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
#add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []
# -- Options for HTML output ---------------------------------------------------
# The theme to use for HTML and HTML Help pages. Major themes that come with
# Sphinx are currently 'default' and 'sphinxdoc'.
html_theme = 'default'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
#html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
#html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
#html_last_updated_fmt = '%b %d, %Y'
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
#html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
#html_additional_pages = {}
# If false, no module index is generated.
#html_use_modindex = True
# If false, no index is generated.
#html_use_index = True
# If true, the index is split into individual pages for each letter.
#html_split_index = False
# If true, links to the reST sources are added to the pages.
#html_show_sourcelink = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''
# If nonempty, this is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = ''
# Output file base name for HTML help builder.
htmlhelp_basename = 'foddoc'
# -- Options for LaTeX output --------------------------------------------------
# The paper size ('letter' or 'a4').
#latex_paper_size = 'letter'
# The font size ('10pt', '11pt' or '12pt').
#latex_font_size = '10pt'
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
('index', 'fod.tex', u'fod Documentation',
u'Leonidas Poulopoulos', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#latex_use_parts = False
# Additional stuff for the LaTeX preamble.
#latex_preamble = ''
# Documents to append as an appendix to all manuals.
#latex_appendices = []
# If false, no module index is generated.
#latex_use_modindex = True
.. fod documentation master file, created by
sphinx-quickstart on Wed Oct 16 17:20:20 2013.
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
******************
Firewall on Demand
******************
Description
===========
Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers. Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network address range that the user originates from.
FoD is meant to operate over this architecture::
+-----------+ +------------+ +------------+
| FoD | NETCONF | flowspec | ebgp | router |
| web app +----------> device +--------> |
+-----------+ +------+-----+ +------------+
| ebgp
|
+------v-----+
| router |
| |
+------------+
NETCONF is chosen as the mgmt protocol to apply rules to a single flowspec capable device. Rules are then propagated via igbp to all flowspec capable routers. Of course FoD could apply rules directly (via NETCONF always) to a router and then ibgp would do the rest.
In GRNET's case the flowspec capable device is an EX4200.
.. attention::
Make sure your FoD server has ssh access to your flowspec device.
Installation Considerations
===========================
You can find the installation instructions for Ubuntu 12.04.3 (64) with Django 1.3.x here: :doc:`Install FoD <install>`.
FoD depends on a bunch of packages. Installing in Debian Squeeze proved to be really tough as the majority of the required packages are not provided by any repos and need to be installed manually. This guide presents the installation procedures for Ubuntu 12.04.3 (64) with Django 1.3.x. Really soon, we will provide a guide for Debian Wheezy.
However, users who wish to go for Wheezy, need to read the Django 1.4 changelist. One of the most significant changes in Django 1.4 is that the application dir layout has to be restructured.
Also bear in mind that Django 1.4 introduces new aspects when it comes to application library inclussions.
Soon we will post a branch of FoD tailored for Django 1.4.
Contact
=======
You can find more about FoD or raise your issues at `GRNET FoD repository <https://code.grnet.gr/projects/flowspy>`_.
You can contact us directly at leopoul{at}noc[dot]grnet(.)gr
Install
=======
.. toctree::
:maxdepth: 2
install
************
Installation
************
.. toctree::
:maxdepth: 2
Ubuntu 12.04.3 (64) - Django 1.3.x
==================================
This guide assumes that installation is carried out in /srv/flowspy directory. If other directory is to be used, please change the corresponding configuration files. It is also assumed that the root user will perform every action.
Required system packages
------------------------
Update and install the required packages::
apt-get update
apt-get upgrade
apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-extensions python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim
.. note::
Set username and password for mysql if used
.. note::
If you wish to deploy an outgoing mail server, now it is time to do it. Otherwise you could set FoD to send out mails via a third party account
Required application packages
-----------------------------
Get the required packages and install them
- ncclient: NETCONF python client::
cd ~
git clone https://github.com/leopoul/ncclient.git
cd ncclient
python setup.py install
- nxpy: Python Objects from/to XML proxy::
cd ~
git clone https://code.grnet.gr/git/nxpy
cd nxpy
python setup.py install
- flowspy: core application. Installation is done at /srv/flowspy::
cd /srv
git clone https://code.grnet.gr/git/flowspy
cd flowspy
Application configuration
=========================
Copy settings.py.dist to settings.py::
cp settings.py.dist settings.py
Edit settings.py file and set the following according to your configuration::
ADMINS: set your admin name and email (assuming that your server can send notifications)
DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
SECRET_KEY : Make this unique, and don't share it with anybody
STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
CACHE_BACKEND: If you have followed the above this should be: memcached://127.0.0.1:11211/?timeout=3600
Alternatively you could go for redis with the corresponding Django client lib.
NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
NETCONF_USER (enable ssh and netconf on device)
NETCONF_PASS
If beanstalk is selected the following should be left intact.
BROKER_HOST (beanstalk host)
BROKER_PORT (beanstalk port)
SERVER_EMAIL
EMAIL_SUBJECT_PREFIX
If beanstalk is selected the following should be left intact.
BROKER_URL (beanstalk url)
SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
NOTIFY_ADMIN_MAILS (bcc mail addresses)
PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
PRIMARY_WHOIS
ALTERNATE_WHOIS
If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
SHIB_AUTH_ENTITLEMENT = 'urn:mace'
SHIB_ADMIN_DOMAIN = 'example.com'
SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
SHIB_USERNAME = ['HTTP_EPPN']
SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
If you have not installed an outgoing mail server you can always use your own account (either corporate or gmail, hotmail ,etc) by adding the following lines in settings.py::
EMAIL_USE_TLS = True #(or False)
EMAIL_HOST = 'smtp.example.com'
EMAIL_HOST_USER = 'username'
EMAIL_HOST_PASSWORD = 'yourpassword'
EMAIL_PORT = 587 #(outgoing)
.. note::
Soon we will release a version with django-registration as a means to add users and Shibboleth as an alternative
Let's move on with some copies and dir creations::
cp urls.py.dist urls.py
mkdir log
chown -R root:www-data log/
chmod -R g+w log
System configuration
====================
Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules enabled.
Depending on the setup the apache configuration may vary::
a2enmod rewrite
a2enmod proxy
a2enmod ssl
a2enmod proxy_http
If shibboleth is to be used::
apt-get install libapache2-mod-shib2
a2enmod shib2
Now it is time to configure beanstalk, gunicorn, celery and apache.
beanstalkd
----------
Enable beanstalk by editting /etc/default/beanstalkd::
vim /etc/default/beanstalkd
Uncomment the line **START=yes** to enable beanstalk
Start beanstalkd::
service beanstalkd start
gunicorn.d
----------
create and edit /etc/gunicorn.d/fod::
vim /etc/gunicorn.d/fod
FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be::
CONFIG = {
'mode': 'django',
'working_dir': '/srv/flowspy',
'args': (
'--bind=127.0.0.1:8081',
'--workers=1',
'--timeout=360',
'--worker-class=egg:gunicorn#gevent',
'--log-level=debug',
'settings.py',
),
}
celery.d
--------
Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.
.. note::
Make sure that /etc/init.d/celeryd exists.
celeryd requires a /etc/default/celeryd file to be in place.
Thus we are going to create this file (/etc/default/celeryd)::
vim /etc/default/celeryd
Again if the directory conventions have been followed the file should be::
# Name of nodes to start, here we have a single node
CELERYD_NODES="w1"
# or we could have three nodes:
#CELERYD_NODES="w1 w2 w3"
# Where to chdir at start.
CELERYD_CHDIR="/srv/flowspy/"
# How to call "manage.py celeryd_multi"
CELERYD_MULTI="$CELERYD_CHDIR/manage.py celeryd_multi"
# How to call "manage.py celeryctl"
CELERYCTL="$CELERYD_CHDIR/manage.py celeryctl"
# Extra arguments to celeryd
#CELERYD_OPTS="--time-limit=300 --concurrency=8"
CELERYD_OPTS="-E -B"
# Name of the celery config module.
CELERY_CONFIG_MODULE="celeryconfig"
# %n will be replaced with the nodename.
CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"
# Workers should run as an unprivileged user.
CELERYD_USER="root"
CELERYD_GROUP="root"
# Name of the projects settings module.
export DJANGO_SETTINGS_MODULE="settings"
Apache
------
Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set <server_name> and <admin_mail> along with your certificates. If under testing environment, you can use the provided snakeoil certs. If you do not intent to use Shibboleth delete or comment the corresponding configuration parts inside **Shibboleth configuration** ::
vim /etc/apache2/sites-available/fod
Again if the directory conventions have been followed the file should be::
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName <server_name>
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/(.*) https://<server_name>/$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
ServerName <server_name>
ServerAdmin <admin_mail>
ServerSignature On
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateChainFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
AddDefaultCharset UTF-8
IndexOptions +Charset=UTF-8
# Shibboleth configuration
ShibConfig /etc/shibboleth/shibboleth2.xml
Alias /shibboleth-sp /usr/share/shibboleth
<Location /fod/login>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
# Shibboleth debugging CGI script
ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
<Location /shibboleth/test>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
# End of Shibboleth configuration
<Location /admin/media/>
SetHandler None
</Location>
Alias /admin/media /usr/share/pyshared/django/contrib/admin/media
Alias /media /usr/share/pyshared/django/contrib/admin/media
DocumentRoot /var/www
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
SSLProxyEngine off
ProxyErrorOverride off
ProxyTimeout 28800
ProxyPass /fod http://localhost:8081/fod retry=0
ProxyPassReverse /fod http://localhost:8081/fod
LogLevel warn
ErrorLog /var/log/apache2/ssl-error.log
CustomLog /var/log/apache2/ssl-access.log combined
Alias /fodstatic /srv/flowspy/static
</VirtualHost>
You are not far away from deploying FoD. When asked for a super user, create one::
cd /srv/flowspy
python manage.py syncdb
python manage.py migrate
Restart, gunicorn and apache::
service gunicorn restart && service apache2 restart
Testing the platform
====================
Log in to the admin interface via https://<your ip>/fod/admin. Go to Peer ranges and add a new range (part of/or a complete subnet), eg. 83.212.0.0/19
Go to Peers and add a new peer, eg. id: 1, name: Test, AS: 16503, tag: TEST and move the network you have crteated from Avalable to Chosen. From the admin front, go to User, and edit your user. From the bottom of the page, select the TEST peer and save.
Last but not least, modify as required the existing (example.com) Site instance. You are done. As you are logged-n via the admin, there is no need for Shibboleth. Go to https://<your ip>/fod/ and create a new rule. Your rule should be applied on the flowspec capable device after aprox. 10 seconds.
Branding
========
Via the admin interface you can modify flatpages to suit your needs
Logos
-----
Inside the static folder you will find two empty png files: fod_logo.xcf (Gimp file) and shib_login.dist.png. Edit those two with your favourite image processing software and save them as fod_logo.png (under static/img/) and shib_login.png (under static/). Image sizes are optimized to operate without any other code changes. In case you want to incorporate images of different sizes you have to fine tune css and/or html as well.
Footer
------
Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.
Welcome Page
------------
Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.
Installation
************
Ubuntu 12.04.3 (64) - Django 1.3.x
==================================
This guide assumes that installation is carried out in /srv/flowspy
directory. If other directory is to be used, please change the
corresponding configuration files. It is also assumed that the root
user will perform every action.
Required system packages
------------------------
Update and install the required packages:
apt-get update
apt-get upgrade
apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-extensions python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim
Note: Set username and password for mysql if used
Note: If you wish to deploy an outgoing mail server, now it is time to do
it. Otherwise you could set FoD to send out mails via a third party
account
Required application packages
-----------------------------
Get the required packages and install them
* ncclient: NETCONF python client:
cd ~
git clone https://github.com/leopoul/ncclient.git
cd ncclient
python setup.py install
* nxpy: Python Objects from/to XML proxy:
cd ~
git clone https://code.grnet.gr/git/nxpy
cd nxpy
python setup.py install
* flowspy: core application. Installation is done at /srv/flowspy:
cd /srv
git clone https://code.grnet.gr/git/flowspy
cd flowspy
Application configuration
=========================
Copy settings.py.dist to settings.py:
cp settings.py.dist settings.py
Edit settings.py file and set the following according to your
configuration:
ADMINS: set your admin name and email (assuming that your server can send notifications)
DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
SECRET_KEY : Make this unique, and don't share it with anybody
STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
CACHE_BACKEND: If you have followed the above this should be: memcached://127.0.0.1:11211/?timeout=3600
Alternatively you could go for redis with the corresponding Django client lib.
NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
NETCONF_USER (enable ssh and netconf on device)
NETCONF_PASS
If beanstalk is selected the following should be left intact.
BROKER_HOST (beanstalk host)
BROKER_PORT (beanstalk port)
SERVER_EMAIL
EMAIL_SUBJECT_PREFIX
If beanstalk is selected the following should be left intact.
BROKER_URL (beanstalk url)
SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
NOTIFY_ADMIN_MAILS (bcc mail addresses)
PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
PRIMARY_WHOIS
ALTERNATE_WHOIS
If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
SHIB_AUTH_ENTITLEMENT = 'urn:mace'
SHIB_ADMIN_DOMAIN = 'example.com'
SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
SHIB_USERNAME = ['HTTP_EPPN']
SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
If you have not installed an outgoing mail server you can always use
your own account (either corporate or gmail, hotmail ,etc) by adding
the following lines in settings.py:
EMAIL_USE_TLS = True #(or False)
EMAIL_HOST = 'smtp.example.com'
EMAIL_HOST_USER = 'username'
EMAIL_HOST_PASSWORD = 'yourpassword'
EMAIL_PORT = 587 #(outgoing)
Note: Soon we will release a version with django-registration as a means
to add users and Shibboleth as an alternative
Let's move on with some copies and dir creations:
cp urls.py.dist urls.py
mkdir log
chown -R root:www-data log/
chmod -R g+w log
System configuration
====================
Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules
enabled. Depending on the setup the apache configuration may vary:
a2enmod rewrite
a2enmod proxy
a2enmod ssl
a2enmod proxy_http
If shibboleth is to be used:
apt-get install libapache2-mod-shib2
a2enmod shib2
Now it is time to configure beanstalk, gunicorn, celery and apache.
beanstalkd
----------
Enable beanstalk by editting /etc/default/beanstalkd:
vim /etc/default/beanstalkd
Uncomment the line **START=yes** to enable beanstalk
Start beanstalkd:
service beanstalkd start
gunicorn.d
----------
create and edit /etc/gunicorn.d/fod:
vim /etc/gunicorn.d/fod
FoD is served via gunicorn and is then proxied by Apache. If the above
directory conventions have been followed so far, then your
configuration should be:
CONFIG = {
'mode': 'django',
'working_dir': '/srv/flowspy',
'args': (
'--bind=127.0.0.1:8081',
'--workers=1',
'--timeout=360',
'--worker-class=egg:gunicorn#gevent',
'--log-level=debug',
'settings.py',
),
}
celery.d
--------
Celery is used over beanstalkd to apply firewall rules in a serial
manner so that locks are avoided on the flowspec capable device. In
our setup celery runs via django. That is why the python-django-celery
package was installed.
Note: Make sure that /etc/init.d/celeryd exists.
celeryd requires a /etc/default/celeryd file to be in place. Thus we
are going to create this file (/etc/default/celeryd):
vim /etc/default/celeryd
Again if the directory conventions have been followed the file should
be:
# Name of nodes to start, here we have a single node
CELERYD_NODES="w1"
# or we could have three nodes:
#CELERYD_NODES="w1 w2 w3"
# Where to chdir at start.
CELERYD_CHDIR="/srv/flowspy/"
# How to call "manage.py celeryd_multi"
CELERYD_MULTI="$CELERYD_CHDIR/manage.py celeryd_multi"
# How to call "manage.py celeryctl"
CELERYCTL="$CELERYD_CHDIR/manage.py celeryctl"
# Extra arguments to celeryd
#CELERYD_OPTS="--time-limit=300 --concurrency=8"
CELERYD_OPTS="-E -B"
# Name of the celery config module.
CELERY_CONFIG_MODULE="celeryconfig"
# %n will be replaced with the nodename.
CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"
# Workers should run as an unprivileged user.
CELERYD_USER="root"
CELERYD_GROUP="root"
# Name of the projects settings module.
export DJANGO_SETTINGS_MODULE="settings"
Apache
------
Apache proxies gunicorn. Things are more flexible here as you may
follow your own configuration and conventions. Create and edit
/etc/apache2/sites-available/fod. You should set <server_name> and
<admin_mail> along with your certificates. If under testing
environment, you can use the provided snakeoil certs. If you do not
intent to use Shibboleth delete or comment the corresponding
configuration parts inside **Shibboleth configuration**
vim /etc/apache2/sites-available/fod
Again if the directory conventions have been followed the file should
be:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName <server_name>
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/(.*) https://<server_name>/$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
ServerName <server_name>
ServerAdmin <admin_mail>
ServerSignature On
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateChainFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
AddDefaultCharset UTF-8
IndexOptions +Charset=UTF-8
# Shibboleth configuration
ShibConfig /etc/shibboleth/shibboleth2.xml
Alias /shibboleth-sp /usr/share/shibboleth
<Location /fod/login>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
# Shibboleth debugging CGI script
ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
<Location /shibboleth/test>
AuthType shibboleth
ShibRequireSession On
ShibUseHeaders On
require valid-user
</Location>
<Location /Shibboleth.sso>
SetHandler shib
</Location>
# End of Shibboleth configuration
<Location /admin/media/>
SetHandler None
</Location>
Alias /admin/media /usr/share/pyshared/django/contrib/admin/media
Alias /media /usr/share/pyshared/django/contrib/admin/media
DocumentRoot /var/www
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
SSLProxyEngine off
ProxyErrorOverride off
ProxyTimeout 28800
ProxyPass /fod http://localhost:8081/fod retry=0
ProxyPassReverse /fod http://localhost:8081/fod
LogLevel warn
ErrorLog /var/log/apache2/ssl-error.log
CustomLog /var/log/apache2/ssl-access.log combined
Alias /fodstatic /srv/flowspy/static
</VirtualHost>
You are not far away from deploying FoD. When asked for a super user,
create one:
cd /srv/flowspy
python manage.py syncdb
python manage.py migrate
Restart, gunicorn and apache:
service gunicorn restart && service apache2 restart
Testing the platform
====================
Log in to the admin interface via https://<your ip>/fod/admin. Go to
Peer ranges and add a new range (part of/or a complete subnet), eg.
83.212.0.0/19 Go to Peers and add a new peer, eg. id: 1, name: Test,
AS: 16503, tag: TEST and move the network you have crteated from
Avalable to Chosen. From the admin front, go to User, and edit your
user. From the bottom of the page, select the TEST peer and save. Last
but not least, modify as required the existing (example.com) Site
instance. You are done. As you are logged-n via the admin, there is no
need for Shibboleth. Go to https://<your ip>/fod/ and create a new
rule. Your rule should be applied on the flowspec capable device after
aprox. 10 seconds.
Branding
========
Via the admin interface you can modify flatpages to suit your needs
Logos
-----
Inside the static folder you will find two empty png files:
fod_logo.xcf (Gimp file) and shib_login.dist.png. Edit those two with
your favourite image processing software and save them as fod_logo.png
(under static/img/) and shib_login.png (under static/). Image sizes
are optimized to operate without any other code changes. In case you
want to incorporate images of different sizes you have to fine tune
css and/or html as well.
Footer
------
Under the templates folder (templates), you can alter the footer.html
file to include your own footer messages, badges, etc.
Welcome Page
------------
Under the templates folder (templates), you can alter the welcome page
- welcome.html with your own images, carousel, videos, etc.
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment