README.txt @ 0f03076d
===========
1. Tool requirements

* python-django
* python-django-extensions
* python-mysqldb
* mysql-client-5.1
* python-gevent
* python-django-south
* python-django-celery
* python-yaml
* python-paramiko (>= 1.7.7.1)
* python-memcache
* python-django-registration
* python-ncclient
* python-nxpy
* python-lxml
* python-ipaddr
* apache2
* apache2-mod-proxy
* apache2-mod-rewrite
* apache2-shibboleth : The server should be set up as a Shibboleth SP
* The tool requires an event-supporting web server. It is suggested to deploy gunicorn.
* If you wish to link your own db tables (peers, networks, etc.) with the tool, prefer the MySQL MyISAM db engine and use views.

===========
2. Tool architecture

Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers.
Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network address range that the user originates from.
Component roles:
	- web server (gunicorn): serves the tool on localhost:port and supports events
	- memcached: caches device information and aids in syncing
	- gunicorn/beanstalk: job queue that applies firewall rules in a serial manner to avoid locks

===========
3. Operational requirements

* Shibboleth authentication
    - Required shibboleth attributes:
        - HTTP_EPPN
        - HTTP_SHIB_HOMEORGANIZATION
        - HTTP_SHIB_INETORGPERSON_MAIL
        - An appropriate HTTP_SHIB_EP_ENTITLEMENT
    - Optional attributes:
        - HTTP_SHIB_INETORGPERSON_GIVENNAME
        - HTTP_SHIB_PERSON_SURNAME
* A valid domain name in the peer table (passed through HTTP_SHIB_HOMEORGANIZATION)

===========
4. Installation Procedure

4.1 Pre-installation
Configure and set up celeryd, memcached, beanstalkd, the web server (gunicorn mode: django) and apache.
Copy settings.py.dist to settings.py and urls.py.dist to urls.py.
In settings.py set the following according to your configuration:
* DATABASES (to point to your local database). You could use views instead of tables for the models peer, peercontacts and peernetworks. For this to work we suggest MySQL with the MyISAM db engine.
* STATIC_URL (static media directory)
* TEMPLATE_DIRS
* CACHE_BACKEND
* NETCONF_DEVICE (tested with Juniper EX4200 but any BGP-enabled Juniper should work)
* NETCONF_USER (enable ssh and netconf on the device)
* NETCONF_PASS
* BROKER_HOST (beanstalk host)
* BROKER_PORT (beanstalk port)
* SERVER_EMAIL
* EMAIL_SUBJECT_PREFIX
* BROKER_URL (beanstalk url)
* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
* NOTIFY_ADMIN_MAILS (bcc mail addresses)
* PROTECTED_SUBNETS (subnets for which a source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS addresses)
* PRIMARY_WHOIS
* ALTERNATE_WHOIS

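The authorization rule from section 2 (entitlement attribute plus originating peer network) and the PROTECTED_SUBNETS check from the settings above, written out as an added Python example; this is not the tool's own code. It uses the standard-library ipaddress module instead of python-ipaddr, and the entitlement value, protected subnets, peer network table and attribute values are constructed samples.

```python
"""Added illustration, not Firewall on Demand's own code: the two checks the
README describes, using the standard-library ipaddress module instead of
python-ipaddr. All values below are constructed samples."""
import ipaddress

# Constructed stand-ins for the settings.py values listed in 4.1.
SHIB_AUTH_ENTITLEMENT = "urn:mace:example.org:fod:user"   # hypothetical value
PROTECTED_SUBNETS = ["10.0.0.0/24", "192.0.2.0/24"]         # constructed sample

# Constructed stand-in for the peer / peernetworks tables, keyed by the
# domain that arrives in HTTP_SHIB_HOMEORGANIZATION.
PEER_NETWORKS = {
    "example.org": ["198.51.100.0/24", "203.0.113.0/25"],
}

def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def authorize_user(shib_attrs, remote_addr):
    """Authorization as section 2 states it: the entitlement attribute must
    carry the configured value AND the request must originate from a network
    of the peer matching the user's home organization.
    Shibboleth joins multi-valued attributes with ';'.
    Returns (allowed, reason)."""
    entitlements = shib_attrs.get("HTTP_SHIB_EP_ENTITLEMENT", "").split(";")
    if SHIB_AUTH_ENTITLEMENT not in entitlements:
        return False, "missing entitlement"
    org = shib_attrs.get("HTTP_SHIB_HOMEORGANIZATION", "")
    if org not in PEER_NETWORKS:
        return False, "home organization not in peer table"
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in _nets(PEER_NETWORKS[org])):
        return False, "request not from a peer network of " + org
    return True, "ok"

def protected_hit(src_cidr, dst_cidr):
    """PROTECTED_SUBNETS check: return the protected subnet that the proposed
    rule's source or destination overlaps (the caller must then refuse the
    rule and mail NOTIFY_ADMIN_MAILS), or None if the rule may be created."""
    src = ipaddress.ip_network(src_cidr, strict=False)
    dst = ipaddress.ip_network(dst_cidr, strict=False)
    for prot in _nets(PROTECTED_SUBNETS):
        if src.overlaps(prot) or dst.overlaps(prot):
            return str(prot)
    return None
```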

4.2 Installation

* Run:
	./manage.py syncdb
	to create all the necessary tables in the database. Enable the admin account to insert initial data for peers and their contact info.
* Then, to allow for south migrations:
	./manage.py migrate
* If you have properly set the primary and alternate whois servers you could go for:
	./manage.py fetch_networks
	to automatically fill in network info.
	Alternatively you could fill in that info manually via the admin interface.
* Via the admin interface, modify as required the existing (example.com) Site instance
* Modify flatpages to suit your needs
* Once Apache proxying and the shibboleth modules are properly set up, log in to the tool. If the shibboleth SP is properly set up you should see a user pending activation message and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts.