Errors template now render as base extension

[flowspy] / README.txt

===========
1. Tool requirements

* python-django
* python-django-extensions
* python-mysqldb
* mysql-client-5.1
* python-gevent
* python-django-south
* python-django-celery
* python-yaml
* python-paramiko (>= 1.7.7.1)
* python-memcache
* python-django-registration
* python-ncclient
* python-nxpy
* python-lxml
* python-ipaddr
* apache2
* apache2-mod-proxy
* apache2-mod-rewrite
* apache2-shibboleth : The server should be setup as a Shibboleth SP
* The tool requires an event supporting web server. It is suggested to deploy gunicorn
* If you wish to link your own db tables (peers, networks, etc) with the tool, prefer MySQL MyISAM db engine and use views.

===========
2. Tool architecture

Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers.
Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network
address range that the user originates from.
Components roles:
        - web server (gunicorn): server the tool to localhost:port and allows for events
        - memcached: Caches devices information and aids in syncing
        - gunicorn/beanstalk: Job queue that applies firewall rules in a serial manner to avoid locks

===========
3. Operational requirements

* Shibboleth authentication
    - Required shibboleth attributes:
        - HTTP_EPPN
        - HTTP_SHIB_HOMEORGANIZATION
        - HTTP_SHIB_INETORGPERSON_MAIL
        - An appropriate HTTP_SHIB_EP_ENTITLEMENT
    - Optional Attributes:
        - HTTP_SHIB_INETORGPERSON_GIVENNAME
        - HTTP_SHIB_PERSON_SURNAME
* A valid domain name in peer table (passed through HTTP_SHIB_HOMEORGANIZATION)

===========
4. Installation Procedure

4.1 Pre-installation
Configure and setup celeryd, memcached, beanstalkd, web server (gunicorn mode: django), apache
Copy settings.py.dist to settings.py and urls.py.dist to urls.py.
In settings.py set the following according to your configuration:
* DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
* STATIC_URL (static media directory) 
* TEMPLATE_DIRS
* CACHE_BACKEND
* NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work)
* NETCONF_USER (enable ssh and netconf on device)
* NETCONF_PASS
* BROKER_HOST (beanstalk host)
* BROKER_PORT (beanstalk port)
* SERVER_EMAIL
* EMAIL_SUBJECT_PREFIX
* BROKER_URL (beanstalk url)
* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
* NOTIFY_ADMIN_MAILS (bcc mail addresses)
* PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
* PRIMARY_WHOIS
* ALTERNATE_WHOIS

4.2 Installation

* Run:
        ./manage.py syncdb
        to create all the necessary tables in the database. Enable the admin account to insert initial data for peers and their contact info.
* Then to allow for south migrations:
        ./manage.py migration
* If you have properly set the primary and alternate whois servers you could go for:
        ./manage.py fetch_networks
        to automatically fill network info.
        Alternatively you could fill those info manually via the admin interface.
* Via the admin interface, modify as required the existing (example.com) Site instance
* Modify flatpages to suit your needs 
* Once Apache proxying and shibboleth modules are properly setup, login to the tool. If shibboleth SP is properly setup you should see a user pending activation message and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts.