--- /dev/null
+===========
+1. Tool requirements
+
+* python-django
+* python-django-extensions
+* python-mysqldb
+* mysql-client-5.1
+* python-gevent
+* python-django-south
+* python-django-celery
+* python-yaml
+* python-paramiko (>= 1.7.7.1)
+* python-memcache
+* python-django-registration
+* python-ncclient
+* python-nxpy
+* python-lxml
+* python-ipaddr
+* apache2
+* apache2-mod-proxy
+* apache2-mod-rewrite
+* apache2-shibboleth : The server should be setup as a Shibboleth SP
+* The tool requires an event supporting web server. It is suggested to deploy gunicorn
+* If you wish to link your own db tables (peers, networks, etc) with the tool, prefer MySQL MyISAM db engine and use views.
+
+===========
+2. Tool architecture
+
+Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers.
+Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network
+address range that the user originates from.
+Components roles:
+ - web server (gunicorn): server the tool to localhost:port and allows for events
+ - memcached: Caches devices information and aids in syncing
+ - gunicorn/beanstalk: Job queue that applies firewall rules in a serial manner to avoid locks
+
+===========
+3. Operational requirements
+
+* Shibboleth authentication
+ - Required shibboleth attributes:
+ - HTTP_EPPN
+ - HTTP_SHIB_HOMEORGANIZATION
+ - HTTP_SHIB_INETORGPERSON_MAIL
+ - An appropriate HTTP_SHIB_EP_ENTITLEMENT
+ - Optional Attributes:
+ - HTTP_SHIB_INETORGPERSON_GIVENNAME
+ - HTTP_SHIB_PERSON_SURNAME
+* A valid domain name in peer table (passed through HTTP_SHIB_HOMEORGANIZATION)
+
+===========
+4. Installation Procedure
+
+4.1 Pre-installation
+Configure and setup celeryd, memcached, beanstalkd, web server (gunicorn mode: django), apache
+Copy settings.py.dist to settings.py and urls.py.dist to urls.py.
+In settings.py set the following according to your configuration:
+* DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
+* STATIC_URL (static media directory)
+* TEMPLATE_DIRS
+* CACHE_BACKEND
+* NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work)
+* NETCONF_USER (enable ssh and netconf on device)
+* NETCONF_PASS
+* BROKER_HOST (beanstalk host)
+* BROKER_PORT (beanstalk port)
+* SERVER_EMAIL
+* EMAIL_SUBJECT_PREFIX
+* BROKER_URL (beanstalk url)
+* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
+* NOTIFY_ADMIN_MAILS (bcc mail addresses)
+* PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
+* PRIMARY_WHOIS
+* ALTERNATE_WHOIS
+
+4.2 Installation
+
+* Run:
+ ./manage.py syncdb
+ to create all the necessary tables in the database. Enable the admin account to insert initial data for peers and their contact info.
+* Then to allow for south migrations:
+ ./manage.py migration
+* If you have properly set the primary and alternate whois servers you could go for:
+ ./manage.py fetch_networks
+ to automatically fill network info.
+ Alternatively you could fill those info manually via the admin interface.
+* Via the admin interface, modify as required the existing (example.com) Site instance
+* Modify flatpages to suit your needs
+* Once Apache proxying and shibboleth modules are properly setup, login to the tool. If shibboleth SP is properly setup you should see a user pending activation message and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts.
+
projects / flowspy / blobdiff