8 Debian Wheezy (x64) - Django 1.4.x
9 ==================================
11 This guide assumes that installation is carried out in /srv/flowspy directory. If other directory is to be used, please change the corresponding configuration files. It is also assumed that the root user will perform every action.
13 Required system packages
14 ------------------------
16 Update and install the required packages::
20 apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim
23 Set username and password for mysql if used
26 If you wish to deploy an outgoing mail server, now it is time to do it. Otherwise you could set FoD to send out mails via a third party account
30 If you are using mysql, you should create a database::
32 mysql -u root -p -e 'create database fod'
35 Required application packages
36 -----------------------------
37 Get the required packages and install them
39 - ncclient: NETCONF python client::
42 git clone https://github.com/leopoul/ncclient.git
44 python setup.py install
46 - nxpy: Python Objects from/to XML proxy::
49 git clone https://code.grnet.gr/git/nxpy
51 python setup.py install
53 - flowspy: core application. Installation is done at /srv/flowspy::
56 git clone https://code.grnet.gr/git/flowspy
59 Application configuration
60 =========================
62 Copy settings.py.dist to settings.py::
65 cp settings.py.dist settings.py
67 Edit settings.py file and set the following according to your configuration::
69 ADMINS: set your admin name and email (assuming that your server can send notifications)
70 DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
71 SECRET_KEY : Make this unique, and don't share it with anybody
72 STATIC_ROOT: /srv/flowspy/static (or your installation directory)
73 STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
74 TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
75 CACHE_BACKEND: Enable Memcached for production or leave to DummyCache for development environments
76 Alternatively you could go for redis with the corresponding Django client lib.
77 NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
78 NETCONF_USER (enable ssh and netconf on device)
80 If beanstalk is selected the following should be left intact.
81 BROKER_HOST (beanstalk host)
82 BROKER_PORT (beanstalk port)
85 If beanstalk is selected the following should be left intact.
86 BROKER_URL (beanstalk url)
87 SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
88 NOTIFY_ADMIN_MAILS (bcc mail addresses)
89 PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
90 The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
93 If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
94 SHIB_AUTH_ENTITLEMENT = 'urn:mace'
95 SHIB_ADMIN_DOMAIN = 'example.com'
96 SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
97 SHIB_USERNAME = ['HTTP_EPPN']
98 SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
99 SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
100 SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
101 SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
103 If you have not installed an outgoing mail server you can always use your own account (either corporate or gmail, hotmail ,etc) by adding the following lines in settings.py::
105 EMAIL_USE_TLS = True #(or False)
106 EMAIL_HOST = 'smtp.example.com'
107 EMAIL_HOST_USER = 'username'
108 EMAIL_HOST_PASSWORD = 'yourpassword'
109 EMAIL_PORT = 587 #(outgoing)
113 Soon we will release a version with django-registration as a means to add users and Shibboleth will become an alternative
115 Let's move on with some copies and dir creations::
117 cp urls.py.dist urls.py
120 chown -R root:www-data log/
125 Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules enabled.
126 Depending on the setup the apache configuration may vary::
133 If shibboleth is to be used::
135 apt-get install libapache2-mod-shib2
138 Now it is time to configure beanstalk, gunicorn, celery and apache.
143 Enable beanstalk by editting /etc/default/beanstalkd::
145 vim /etc/default/beanstalkd
147 Uncomment the line **START=yes** to enable beanstalk
151 service beanstalkd start
156 create and edit /etc/gunicorn.d/fod::
158 vim /etc/gunicorn.d/fod
160 FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be::
164 'working_dir': '/srv/flowspy',
166 '--bind=127.0.0.1:8081',
168 '--worker-class=egg:gunicorn#gevent',
171 '--log-file=/tmp/fod.log',
179 Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.
181 celeryd requires a /etc/default/celeryd file to be in place.
182 Thus we are going to create this file (/etc/default/celeryd)::
184 vim /etc/default/celeryd
186 Again if the directory conventions have been followed the file is (pay attention to the CELERYD_USER, CELERYD_GROUP and change accordingly) ::
191 # Name of nodes to start, here we have a single node
193 # or we could have three nodes:
194 #CELERYD_NODES="w1 w2 w3"
196 # Where to chdir at start.
197 CELERYD_CHDIR="/srv/flowspy"
198 # How to call "manage.py celeryd_multi"
199 CELERYD_MULTI="python $CELERYD_CHDIR/manage.py celeryd_multi"
201 # How to call "manage.py celeryctl"
202 CELERYCTL="python $CELERYD_CHDIR/manage.py celeryctl"
204 # Extra arguments to celeryd
205 #CELERYD_OPTS="--time-limit=300 --concurrency=8"
207 # Name of the celery config module.
208 CELERY_CONFIG_MODULE="celeryconfig"
210 # %n will be replaced with the nodename.
211 CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
212 CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"
214 # Workers should run as an unprivileged user.
216 CELERYD_GROUP="users"
218 # Name of the projects settings module.
219 export DJANGO_SETTINGS_MODULE="flowspy.settings"
224 Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set <server_name> and <admin_mail> along with your certificates. If under testing environment, you can use the provided snakeoil certs. If you do not intent to use Shibboleth delete or comment the corresponding configuration parts inside **Shibboleth configuration** ::
226 vim /etc/apache2/sites-available/fod
228 Again if the directory conventions have been followed the file should be::
231 ServerAdmin webmaster@localhost
232 ServerName fod.example.com
233 DocumentRoot /var/www
235 ErrorLog ${APACHE_LOG_DIR}/fod_error.log
237 # Possible values include: debug, info, notice, warn, error, crit,
241 CustomLog ${APACHE_LOG_DIR}/fod_access.log combined
243 Alias /static /srv/flowspy/static
245 RewriteCond %{HTTPS} off
246 RewriteRule ^/(.*) https://fod.example.com/$1 [L,R]
250 ServerName fod.example.com
251 ServerAdmin webmaster@localhost
255 SSLCertificateFile /etc/ssl/certs/fod.example.com.crt
256 SSLCertificateChainFile /etc/ssl/certs/example-chain.pem
257 SSLCertificateKeyFile /etc/ssl/private/fod.example.com.key
259 AddDefaultCharset UTF-8
260 IndexOptions +Charset=UTF-8
262 ShibConfig /etc/shibboleth/shibboleth2.xml
263 Alias /shibboleth-sp /usr/share/shibboleth
268 ShibRequireSession On
270 ShibRequestSetting entityID https://idp.example.com/idp/shibboleth
274 # Shibboleth debugging CGI script
275 ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
276 <Location /shibboleth/test>
278 ShibRequireSession On
283 <Location /Shibboleth.sso>
287 # Shibboleth SP configuration
289 #SetEnv proxy-sendchunked
297 ProxyErrorOverride off
300 ProxyPass /shibboleth !
301 ProxyPass /Shibboleth.sso !
303 ProxyPass / http://localhost:8081/ retry=0
304 ProxyPassReverse / http://localhost:8081/
306 Alias /static /srv/flowspy/static
310 ErrorLog ${APACHE_LOG_DIR}/fod_error.log
311 CustomLog ${APACHE_LOG_DIR}/fod_access.log combined
315 Now, enable your site. You might want to disable the default site if fod is the only site you host on your server::
320 You are not far away from deploying FoD. When asked for a super user, create one::
323 python manage.py syncdb
324 python manage.py migrate
326 Restart, gunicorn and apache::
328 service gunicorn restart && service apache2 restart
332 Log in to the admin interface via https://<hostname>/admin. Go to Peer ranges and add a new range (part of/or a complete subnet), eg. 10.20.0.0/19
333 Go to Peers and add a new peer, eg. id: 1, name: Test, AS: 16503, tag: TEST and move the network you have crteated from Avalable to Chosen. From the admin front, go to User, and edit your user. From the bottom of the page, select the TEST peer and save.
334 Last but not least, modify as required the existing (example.com) Site instance (admin home->Sites). You are done. As you are logged-in via the admin, there is no need for Shibboleth. Go to https://<hostname>/ and create a new rule. Your rule should be applied on the flowspec capable device after aprox. 10 seconds.
338 Via the admin interface you can modify flatpages to suit your needs
342 Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.
346 Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.
projects / flowspy / blob