root / README.txt @ 0f03076d
History | View | Annotate | Download (3.6 kB)
1 |
=========== |
---|---|
2 |
1. Tool requirements |
3 |
|
4 |
* python-django |
5 |
* python-django-extensions |
6 |
* python-mysqldb |
7 |
* mysql-client-5.1 |
8 |
* python-gevent |
9 |
* python-django-south |
10 |
* python-django-celery |
11 |
* python-yaml |
12 |
* python-paramiko (>= 1.7.7.1) |
13 |
* python-memcache |
14 |
* python-django-registration |
15 |
* python-ncclient |
16 |
* python-nxpy |
17 |
* python-lxml |
18 |
* python-ipaddr |
19 |
* apache2 |
20 |
* apache2-mod-proxy |
21 |
* apache2-mod-rewrite |
22 |
* apache2-shibboleth : The server should be setup as a Shibboleth SP |
23 |
* The tool requires an event supporting web server. It is suggested to deploy gunicorn |
24 |
* If you wish to link your own db tables (peers, networks, etc) with the tool, prefer MySQL MyISAM db engine and use views. |
25 |
|
26 |
=========== |
27 |
2. Tool architecture |
28 |
|
29 |
Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers. |
30 |
Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network |
31 |
address range that the user originates from. |
32 |
Components roles: |
33 |
- web server (gunicorn): server the tool to localhost:port and allows for events |
34 |
- memcached: Caches devices information and aids in syncing |
35 |
- gunicorn/beanstalk: Job queue that applies firewall rules in a serial manner to avoid locks |
36 |
|
37 |
=========== |
38 |
3. Operational requirements |
39 |
|
40 |
* Shibboleth authentication |
41 |
- Required shibboleth attributes: |
42 |
- HTTP_EPPN |
43 |
- HTTP_SHIB_HOMEORGANIZATION |
44 |
- HTTP_SHIB_INETORGPERSON_MAIL |
45 |
- An appropriate HTTP_SHIB_EP_ENTITLEMENT |
46 |
- Optional Attributes: |
47 |
- HTTP_SHIB_INETORGPERSON_GIVENNAME |
48 |
- HTTP_SHIB_PERSON_SURNAME |
49 |
* A valid domain name in peer table (passed through HTTP_SHIB_HOMEORGANIZATION) |
50 |
|
51 |
=========== |
52 |
4. Installation Procedure |
53 |
|
54 |
4.1 Pre-installation |
55 |
Configure and setup celeryd, memcached, beanstalkd, web server (gunicorn mode: django), apache |
56 |
Copy settings.py.dist to settings.py and urls.py.dist to urls.py. |
57 |
In settings.py set the following according to your configuration: |
58 |
* DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine |
59 |
* STATIC_URL (static media directory) |
60 |
* TEMPLATE_DIRS |
61 |
* CACHE_BACKEND |
62 |
* NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work) |
63 |
* NETCONF_USER (enable ssh and netconf on device) |
64 |
* NETCONF_PASS |
65 |
* BROKER_HOST (beanstalk host) |
66 |
* BROKER_PORT (beanstalk port) |
67 |
* SERVER_EMAIL |
68 |
* EMAIL_SUBJECT_PREFIX |
69 |
* BROKER_URL (beanstalk url) |
70 |
* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication) |
71 |
* NOTIFY_ADMIN_MAILS (bcc mail addresses) |
72 |
* PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS) |
73 |
* PRIMARY_WHOIS |
74 |
* ALTERNATE_WHOIS |
75 |
|
76 |
4.2 Installation |
77 |
|
78 |
* Run: |
79 |
./manage.py syncdb |
80 |
to create all the necessary tables in the database. Enable the admin account to insert initial data for peers and their contact info. |
81 |
* Then to allow for south migrations: |
82 |
./manage.py migration |
83 |
* If you have properly set the primary and alternate whois servers you could go for: |
84 |
./manage.py fetch_networks |
85 |
to automatically fill network info. |
86 |
Alternatively you could fill those info manually via the admin interface. |
87 |
* Via the admin interface, modify as required the existing (example.com) Site instance |
88 |
* Modify flatpages to suit your needs |
89 |
* Once Apache proxying and shibboleth modules are properly setup, login to the tool. If shibboleth SP is properly setup you should see a user pending activation message and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts. |
90 |
|