8 Debian Wheezy (x64) - Django 1.4.x
9 ==================================
10 This guide assumes that installation is carried out in /srv/flowspy directory. If other directory is to be used, please change the corresponding configuration files. It is also assumed that the root user will perform every action.
13 Upgrading from v<1.1.x
14 ----------------------
15 If upgrading from flowspy version <1.1.x pay attention to settings.py changes. Also, do not forget to run::
19 to catch-up with latest database changes.
21 Upgrading from v<1.0.x
22 ----------------------
23 If upgrading from flowspy version <1.0.x pay attention to settings.py changes. Also, do not forget to run::
27 to catch-up with latest database changes.
29 Required system packages
30 ------------------------
31 Update and install the required packages::
35 apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim
38 Set username and password for mysql if used
41 If you wish to deploy an outgoing mail server, now it is time to do it. Otherwise you could set FoD to send out mails via a third party account
45 If you are using mysql, you should create a database::
47 mysql -u root -p -e 'create database fod'
49 Required application packages
50 -----------------------------
51 Get the required packages and their dependencies and install them::
53 apt-get install libxml2-dev libxslt-dev gcc python-dev
55 - ncclient: NETCONF python client::
58 git clone https://github.com/leopoul/ncclient.git
60 python setup.py install
62 - nxpy: Python Objects from/to XML proxy::
65 git clone https://code.grnet.gr/git/nxpy
67 python setup.py install
69 - flowspy: core application. Installation is done at /srv/flowspy::
72 git clone https://code.grnet.gr/git/flowspy
75 Application configuration
76 =========================
77 Copy settings.py.dist to settings.py::
80 cp settings.py.dist settings.py
82 Edit settings.py file and set the following according to your configuration::
84 ADMINS: set your admin name and email (assuming that your server can send notifications)
85 DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
86 SECRET_KEY : Make this unique, and don't share it with anybody
87 STATIC_ROOT: /srv/flowspy/static (or your installation directory)
88 STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
89 TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
90 CACHE_BACKEND: Enable Memcached for production or leave to DummyCache for development environments
91 Alternatively you could go for redis with the corresponding Django client lib.
92 NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
93 NETCONF_USER (enable ssh and netconf on device)
95 If beanstalk is selected the following should be left intact.
96 BROKER_HOST (beanstalk host)
97 BROKER_PORT (beanstalk port)
100 If beanstalk is selected the following should be left intact.
101 BROKER_URL (beanstalk url)
102 SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
103 NOTIFY_ADMIN_MAILS (bcc mail addresses)
104 PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
105 The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
108 If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
109 SHIB_AUTH_ENTITLEMENT = 'urn:mace'
110 SHIB_ADMIN_DOMAIN = 'example.com'
111 SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
112 SHIB_USERNAME = ['HTTP_EPPN']
113 SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
114 SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
115 SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
116 SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
118 If you have not installed an outgoing mail server you can always use your own account (either corporate or gmail, hotmail ,etc) by adding the following lines in settings.py::
120 EMAIL_USE_TLS = True #(or False)
121 EMAIL_HOST = 'smtp.example.com'
122 EMAIL_HOST_USER = 'username'
123 EMAIL_HOST_PASSWORD = 'yourpassword'
124 EMAIL_PORT = 587 #(outgoing)
126 It is strongly advised that you do not change the following to False values unless, you want to integrate FoD with you CRM or members database. This implies that you are able/have the rights to create database views between the two databases::
128 PEER_MANAGED_TABLE = True
129 PEER_RANGE_MANAGED_TABLE = True
130 PEER_TECHC_MANAGED_TABLE = True
132 By doing that the corresponding tables as defined in peers/models will not be created. As noted above, you have to create the views that the tables will rely on.
135 Soon we will release a version with django-registration as a means to add users and Shibboleth will become an alternative
137 Let's move on with some copies and dir creations::
140 chown www-data.www-data /var/log/fod
141 cp urls.py.dist urls.py
146 Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules enabled.
147 Depending on the setup the apache configuration may vary::
154 If shibboleth is to be used::
156 apt-get install libapache2-mod-shib2
159 Now it is time to configure beanstalk, gunicorn, celery and apache.
163 Enable beanstalk by editting /etc/default/beanstalkd::
165 vim /etc/default/beanstalkd
167 Uncomment the line **START=yes** to enable beanstalk
171 service beanstalkd start
175 Create and edit /etc/gunicorn.d/fod::
177 vim /etc/gunicorn.d/fod
179 FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be::
183 'working_dir': '/srv/flowspy',
185 '--bind=127.0.0.1:8081',
187 '--worker-class=egg:gunicorn#gevent',
191 '--log-file=/var/log/gunicorn/fod.log',
198 Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.
200 Create the celeryd daemon at /etc/init.d/celeryd **if it does not already exist**::
202 vim /etc/init.d/celeryd
204 The configuration should be::
207 # ============================================
208 # celeryd - Starts the Celery worker daemon.
209 # ============================================
211 # :Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status}
212 # :Configuration file: /etc/default/celeryd
214 # See http://docs.celeryq.org/en/latest/cookbook/daemonizing.html#init-script-celeryd
219 # Required-Start: $network $local_fs $remote_fs
220 # Required-Stop: $network $local_fs $remote_fs
221 # Default-Start: 2 3 4 5
222 # Default-Stop: 0 1 6
223 # Short-Description: celery task worker daemon
224 # Description: Starts the Celery worker daemon for a single project.
229 DEFAULT_PID_FILE="/var/run/celery/%n.pid"
230 DEFAULT_LOG_FILE="/var/log/celery/%n.log"
231 DEFAULT_LOG_LEVEL="INFO"
232 DEFAULT_NODES="celery"
233 DEFAULT_CELERYD="-m celery.bin.celeryd_detach"
236 [ -r "$CELERY_DEFAULTS" ] && . "$CELERY_DEFAULTS"
238 [ -r /etc/default/celeryd ] && . /etc/default/celeryd
240 if [ "$ENABLED" != "true" ]; then
241 echo "celery daemon disabled - see /etc/default/celeryd."
246 CELERYD_PID_FILE=${CELERYD_PID_FILE:-${CELERYD_PIDFILE:-$DEFAULT_PID_FILE}}
247 CELERYD_LOG_FILE=${CELERYD_LOG_FILE:-${CELERYD_LOGFILE:-$DEFAULT_LOG_FILE}}
248 CELERYD_LOG_LEVEL=${CELERYD_LOG_LEVEL:-${CELERYD_LOGLEVEL:-$DEFAULT_LOG_LEVEL}}
249 CELERYD_MULTI=${CELERYD_MULTI:-"celeryd-multi"}
250 CELERYD=${CELERYD:-$DEFAULT_CELERYD}
251 CELERYCTL=${CELERYCTL:="celeryctl"}
252 CELERYD_NODES=${CELERYD_NODES:-$DEFAULT_NODES}
257 CELERYD_OPTS="$CELERYD_OPTS $2"
260 CELERYD_LOG_DIR=`dirname $CELERYD_LOG_FILE`
261 CELERYD_PID_DIR=`dirname $CELERYD_PID_FILE`
262 if [ ! -d "$CELERYD_LOG_DIR" ]; then
263 mkdir -p $CELERYD_LOG_DIR
265 if [ ! -d "$CELERYD_PID_DIR" ]; then
266 mkdir -p $CELERYD_PID_DIR
269 # Extra start-stop-daemon options, like user/group.
270 if [ -n "$CELERYD_USER" ]; then
271 DAEMON_OPTS="$DAEMON_OPTS --uid=$CELERYD_USER"
272 chown "$CELERYD_USER" $CELERYD_LOG_DIR $CELERYD_PID_DIR
274 if [ -n "$CELERYD_GROUP" ]; then
275 DAEMON_OPTS="$DAEMON_OPTS --gid=$CELERYD_GROUP"
276 chgrp "$CELERYD_GROUP" $CELERYD_LOG_DIR $CELERYD_PID_DIR
279 if [ -n "$CELERYD_CHDIR" ]; then
280 DAEMON_OPTS="$DAEMON_OPTS --workdir=\"$CELERYD_CHDIR\""
285 if [ ! -c /dev/null ]; then
286 echo "/dev/null is not a character device!"
292 export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
296 $CELERYD_MULTI stop $CELERYD_NODES --pidfile="$CELERYD_PID_FILE"
301 $CELERYD_MULTI start $CELERYD_NODES $DAEMON_OPTS \
302 --pidfile="$CELERYD_PID_FILE" \
303 --logfile="$CELERYD_LOG_FILE" \
304 --loglevel="$CELERYD_LOG_LEVEL" \
311 $CELERYD_MULTI restart $CELERYD_NODES $DAEMON_OPTS \
312 --pidfile="$CELERYD_PID_FILE" \
313 --logfile="$CELERYD_LOG_FILE" \
314 --loglevel="$CELERYD_LOG_LEVEL" \
337 $CELERYCTL status $CELERYCTL_OPTS
351 echo "Usage: /etc/init.d/celeryd {start|stop|restart|try-restart|kill}"
358 celeryd configuration
359 ---------------------
360 celeryd requires a /etc/default/celeryd file to be in place.
361 Thus we are going to create this file (/etc/default/celeryd)::
363 vim /etc/default/celeryd
365 Again if the directory conventions have been followed the file is (pay attention to the CELERYD_USER, CELERYD_GROUP and change accordingly) ::
370 # Name of nodes to start, here we have a single node
372 # or we could have three nodes:
373 #CELERYD_NODES="w1 w2 w3"
375 # Where to chdir at start.
376 CELERYD_CHDIR="/srv/flowspy"
377 # How to call "manage.py celeryd_multi"
378 CELERYD_MULTI="python $CELERYD_CHDIR/manage.py celeryd_multi"
380 # How to call "manage.py celeryctl"
381 CELERYCTL="python $CELERYD_CHDIR/manage.py celeryctl"
383 # Extra arguments to celeryd
384 #CELERYD_OPTS="--time-limit=300 --concurrency=8"
385 CELERYD_OPTS="-E -B --schedule=/var/run/celery/celerybeat-schedule --concurrency=1 --soft-time-limit=180 --time-limit=1800"
386 # Name of the celery config module.
387 CELERY_CONFIG_MODULE="celeryconfig"
389 # %n will be replaced with the nodename.
390 CELERYD_LOG_FILE="/var/log/celery/fod_%n.log"
391 CELERYD_PID_FILE="/var/run/celery/%n.pid"
393 # Workers should run as an unprivileged user.
394 CELERYD_USER="celery"
395 CELERYD_GROUP="celery"
397 # Name of the projects settings module.
398 export DJANGO_SETTINGS_MODULE="flowspy.settings"
402 Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set <server_name> and <admin_mail> along with your certificates. If under testing environment, you can use the provided snakeoil certs. If you do not intent to use Shibboleth delete or comment the corresponding configuration parts inside **Shibboleth configuration** ::
404 vim /etc/apache2/sites-available/fod
406 Again if the directory conventions have been followed the file should be::
409 ServerAdmin webmaster@localhost
410 ServerName fod.example.com
411 DocumentRoot /var/www
413 ErrorLog ${APACHE_LOG_DIR}/fod_error.log
415 # Possible values include: debug, info, notice, warn, error, crit,
419 CustomLog ${APACHE_LOG_DIR}/fod_access.log combined
421 Alias /static /srv/flowspy/static
423 RewriteCond %{HTTPS} off
424 RewriteRule ^/(.*) https://fod.example.com/$1 [L,R]
428 ServerName fod.example.com
429 ServerAdmin webmaster@localhost
433 SSLCertificateFile /etc/ssl/certs/fod.example.com.crt
434 SSLCertificateChainFile /etc/ssl/certs/example-chain.pem
435 SSLCertificateKeyFile /etc/ssl/private/fod.example.com.key
437 AddDefaultCharset UTF-8
438 IndexOptions +Charset=UTF-8
440 ShibConfig /etc/shibboleth/shibboleth2.xml
441 Alias /shibboleth-sp /usr/share/shibboleth
446 ShibRequireSession On
448 ShibRequestSetting entityID https://idp.example.com/idp/shibboleth
452 # Shibboleth debugging CGI script
453 ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
454 <Location /shibboleth/test>
456 ShibRequireSession On
461 <Location /Shibboleth.sso>
465 # Shibboleth SP configuration
467 #SetEnv proxy-sendchunked
475 ProxyErrorOverride off
478 ProxyPass /shibboleth !
479 ProxyPass /Shibboleth.sso !
481 ProxyPass / http://localhost:8081/ retry=0
482 ProxyPassReverse / http://localhost:8081/
484 Alias /static /srv/flowspy/static
488 ErrorLog ${APACHE_LOG_DIR}/fod_error.log
489 CustomLog ${APACHE_LOG_DIR}/fod_access.log combined
493 Now, enable your site. You might want to disable the default site if fod is the only site you host on your server::
498 You are not far away from deploying FoD. When asked for a super user, create one::
501 python manage.py syncdb
502 python manage.py migrate longerusername
503 python manage.py migrate flowspec
504 python manage.py migrate djcelery
505 python manage.py migrate accounts
507 If you have not changed the values of the PEER\_\*\_TABLE variables to False and thus you are going for a default installation (that is PEER\_\*\_TABLE variables are set to True) , then run::
509 python manage.py migrate peers
511 If however you have set the PEER\_\*\_TABLE variables to False and by accident you have ran the command above, then you have to cleanup you database manually by dropping the peer\* tables plus the techc_email table. For MySQL the command is::
513 DROP TABLE `peer`, `peer_networks`, `peer_range`, `peer_techc_emails`, techc_email;
515 Restart, gunicorn and apache::
517 service gunicorn restart && service apache2 restart
520 Propagate the flatpages
521 =======================
522 Inside the initial_data/fixtures_manual.xml file we have placed 4 flatpages (2 for Greek, 2 for English) with Information and Terms of Service about the service.
523 To import the flatpages, run from root folder::
525 python manage.py loaddata initial_data/fixtures_manual.xml
531 Log in to the admin interface via https:\/\/<hostname>\/admin. Go to Peer ranges and add a new range (part of/or a complete subnet), eg. 10.20.0.0/19
532 Go to Peers and add a new peer, eg. id: 1, name: Test, AS: 16503, tag: TEST and move the network you have created from Avalable to Chosen. From the admin front, go to User, and edit your user. From the bottom of the page, select the TEST peer and save.
533 Last but not least, modify as required the existing (example.com) Site instance (admin home->Sites). You are done. As you are logged-in via the admin, there is no need to go through Shibboleth at this time. Go to https:\/\/<hostname>\/ and create a new rule. Your rule should be applied on the flowspec capable device after aprox. 10 seconds. If no Shibboleth authentication is available, a https:\/\/<hostname>\/altlogin is provided.
537 Via the admin interface you can modify flatpages to suit your needs
541 Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.
545 Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.