/ - Diff - Firewall on Demand - Greek Research and Technology Network's projects

Revision 51ce199a

     flowspyver = $(shell git describe --abbrev=0 | egrep -o '([0-9]+\.){1,10}[0-9]+' | sed -e 's/\./_/g')
     name   	   = $(shell basename $(shell pwd))
     .PHONY: dist distclean
     # You can set these variables from the command line.
     SPHINXOPTS    =
     SPHINXBUILD   = sphinx-build
     PAPER         =
     BUILDDIR      = doc/build
     # Internal variables.
     PAPEROPT_a4     = -D latex_paper_size=a4
     PAPEROPT_letter = -D latex_paper_size=letter
     ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) doc/source
     .PHONY: help dist distclean docclean html latex text
     help:
     	@echo "Please use \`make <target>' where <target> is one of"
     	@echo "  html      to make standalone HTML files"
     	@echo "  latex     to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
     	@echo "  text      to make standalone txt files"
     dist:
     	git archive --format tar --prefix $(name)-$(flowspyver)/ -o $(name)-$(flowspyver).tar $(flowspytag)
     	gzip -f $(name)-$(flowspyver).tar
     distclean:
     	@rm -f *tar.gz
     docclean:
     	-rm -rf $(BUILDDIR)/*
     html:
     	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
     	@echo
     	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
     latex:
     	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
     	@echo
     	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
     	@echo "Run \`make all-pdf' or \`make all-ps' in that directory to" \
     	      "run these through (pdf)latex."
     text:
     	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
     	@echo
     	@echo "Done"

     ===========
 . Tool requirements
     Note: Depending on your setup each of the following
     may depend on other packages
     * python-django
     * python-django-extensions
     * python-mysqldb
     * mysql-client-5.1
     * python-gevent
     * python-django-south
     * python-django-celery
     * python-yaml
     * python-paramiko (>= 1.7.7.1)
     * python-memcache
     * python-django-registration
     * ncclient (http://ncclient.grnet.gr/,  http://github.com/leopoul/ncclient)
     * nxpy (https://code.grnet.gr/projects/nxpy)
     * python-lxml
     * python-ipaddr
     * python-django-tinymce
     * apache2
     * apache2-mod-proxy
     * apache2-mod-rewrite
     * apache2-shibboleth : The server should be setup as a Shibboleth SP
     * The tool requires an event supporting web server. It is suggested to deploy gunicorn
     * If you wish to link your own db tables (peers, networks, etc) with the tool, prefer MySQL MyISAM db engine and use views.
     ===========
 . Tool architecture
     Firewall on Demand
     ******************
     Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers.
     Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network
     address range that the user originates from.
     Components roles:
     	- web server (gunicorn): server the tool to localhost:port and allows for events
     	- memcached: Caches devices information and aids in syncing
     	- gunicorn/beanstalk: Job queue that applies firewall rules in a serial manner to avoid locks
     ===========
 . Operational requirements
     * Shibboleth authentication
         - Shibboleth attributes:
             - eduPersonPrincipalName: Provides a string that uniquely identifies an administrator in the management application.
     		- eduPersonEntitlement: A specific URN value must be provided to authorize an administrator: urn:mace:grnet.gr:fod:admin
     		- mail: The e-mail address (one or more) of the administrator. It is used for notifications from the management application. It may also be used for further communication, with prior consent.
     		- givenName (optional): The person's first name.
     		- sn (optional): The person's last name.
     Description
     ===========
 . Installation Procedure
 .1 Pre-installation
     Configure and setup celeryd, memcached, beanstalkd, web server (gunicorn mode: django), apache
     Copy settings.py.dist to settings.py and urls.py.dist to urls.py.
     In settings.py set the following according to your configuration:
     * DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
     * STATIC_URL (static media directory)
     * TEMPLATE_DIRS
     * CACHE_BACKEND
     * NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work)
     * NETCONF_USER (enable ssh and netconf on device)
     * NETCONF_PASS
     * BROKER_HOST (beanstalk host)
     * BROKER_PORT (beanstalk port)
     * SERVER_EMAIL
     * EMAIL_SUBJECT_PREFIX
     * BROKER_URL (beanstalk url)
     * SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
     * NOTIFY_ADMIN_MAILS (bcc mail addresses)
     * PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
     * PRIMARY_WHOIS
     * ALTERNATE_WHOIS
 .2 Branding
 .2.1 Logos
     Inside the static folder you will find two empty png files: fod_logo.xcf (Gimp file) and shib_login.dist.png.
     Edit those two with your favourite image processing software and save them as fod_logo.png (under static/img/) and shib_login.png (under static/). Image sizes are optimized to operate without any
     other code changes. In case you want to incorporate images of different sizes you have to fine tune css and/or html as well.
 .2.2 Footer
     Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.
 .2.3 Welcome Page
     Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.
 .3 Configuration Examples
     * Gunicorn configuration
     	/etc/gunicorn.d/project:
     	CONFIG = {
         'mode': 'django',
         'working_dir': '/path/to/flowspy',
        #'python': '/usr/bin/python',
         'args': (
             '--bind=localhost:port',
             '--workers=1',
             '--timeout=360',
             #'--keepalive=90',
             '--worker-class=egg:gunicorn#gevent',
             '--log-level=debug',
             '--log-file=/path/to/fod.log',
             'settings.py',
         ),
+    }
     * Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules enabled.
     Depending on the setup the apache configuration may vary.
     * Celeryd example configuration:
     	/etc/default/celeryd:
     	# Name of nodes to start, here we have a single node
     	CELERYD_NODES="w1"
     	# or we could have three nodes:
     	#CELERYD_NODES="w1 w2 w3"
     	# Where to chdir at start.
     	CELERYD_CHDIR="/path/to/flowspy/"
     	# How to call "manage.py celeryd_multi"
     	CELERYD_MULTI="$CELERYD_CHDIR/manage.py celeryd_multi"
     	# How to call "manage.py celeryctl"
     	CELERYCTL="$CELERYD_CHDIR/manage.py celeryctl"
     	# Extra arguments to celeryd
     	#CELERYD_OPTS="--time-limit=300 --concurrency=8"
     	CELERYD_OPTS="-E -B"
     	# Name of the celery config module.
     	CELERY_CONFIG_MODULE="celeryconfig"
     	# %n will be replaced with the nodename.
     	CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
     	CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"
     	# Workers should run as an unprivileged user.
     	CELERYD_USER="user"
     	CELERYD_GROUP="usergroup"
     	# Name of the projects settings module.
     	export DJANGO_SETTINGS_MODULE="settings"
 .4 Installation
     * Run:
     	./manage.py syncdb
     	to create all the necessary tables in the database. Enable the admin account to insert initial data for peers and their contact info.
     * Then to allow for south migrations:
     	./manage.py migration
     * Only if you wish to obtain info for your peers from a whois server:
       If you have properly set the primary and alternate whois servers you could go for:
     	./manage.py fetch_networks
     	to automatically fill network info.
     	Alternatively you could fill those info manually via the admin interface.
     * Via the admin interface, modify as required the existing (example.com) Site instance
     * Modify flatpages to suit your needs
     * Once Apache proxying and shibboleth modules are properly setup, login to the tool. If shibboleth SP is properly setup you should see a user pending activation message and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts.
     ** To share ideas and ask questions drop an email at: leopoul-at-noc(dot)grnet{dot}gr
     Firewall on Demand applies, via Netconf, flow rules to a network
     device. These rules are then propagated via e-bgp to peering routers.
     Each user is authenticated against shibboleth. Authorization is
     performed via a combination of a Shibboleth attribute and the peer
     network address range that the user originates from. FoD is meant to
     operate over this architecture:
        +-----------+          +------------+        +------------+
        |   FoD     | NETCONF  | flowspec   | ebgp   |   router   |
        | web app   +----------> device     +-------->            |
        +-----------+          +------+-----+        +------------+
                                      | ebgp
+                                     |
                               +------v-----+
                               |   router   |
                               |            |
                               +------------+
     NETCONF is chosen as the mgmt protocol to apply rules to a single
     flowspec capable device. Rules are then propagated via igbp to all
     flowspec capable routers. Of course FoD could apply rules directly
     (via NETCONF always) to a router and then ibgp would do the rest. In
     GRNET's case the flowspec capable device is an EX4200.
     Attention: Make sure your FoD server has ssh access to your flowspec device.
     Installation Considerations
     ===========================
     You can find the installation instructions for Ubuntu 12.04.3 (64)
     with Django 1.3.x in install.txt file. FoD depends on a bunch of
     packages. Installing in Debian Squeeze proved to be really tough as
     the majority of the required packages are not provided by any repos
     and need to be installed manually. This guide presents the
     installation procedures for Ubuntu 12.04.3 (64) with Django 1.3.x.
     Really soon, we will provide a guide for Debian Wheezy. However, users
     who wish to go for Wheezy, need to read the Django 1.4 changelist. One
     of the most significant changes in Django 1.4 is that the application
     dir layout has to be restructured. Also bear in mind that Django 1.4
     introduces new aspects when it comes to application library
     inclussions.
     Soon we will post a branch of FoD tailored for Django 1.4.
     Contact
     =======
     You can find more about FoD or raise your issues at GRNET FoD
     repository: https://code.grnet.gr/fod.
     You can contactus directly at leopoul{at}noc[dot]grnet(.)gr

     # -*- coding: utf-8 -*-
+    #
     # fod documentation build configuration file, created by
     # sphinx-quickstart on Wed Oct 16 17:20:20 2013.
+    #
     # This file is execfile()d with the current directory set to its containing dir.
+    #
     # Note that not all possible configuration values are present in this
     # autogenerated file.
+    #
     # All configuration values have a default; values that are commented out
     # serve to show the default.
     import sys, os
     # If extensions (or modules to document with autodoc) are in another directory,
     # add these directories to sys.path here. If the directory is relative to the
     # documentation root, use os.path.abspath to make it absolute, like shown here.
     #sys.path.append(os.path.abspath('.'))
     # -- General configuration -----------------------------------------------------
     # Add any Sphinx extension module names here, as strings. They can be extensions
     # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
     extensions = []
     # Add any paths that contain templates here, relative to this directory.
     templates_path = ['_templates']
     # The suffix of source filenames.
     source_suffix = '.rst'
     # The encoding of source files.
     #source_encoding = 'utf-8'
     # The master toctree document.
     master_doc = 'index'
     # General information about the project.
     project = u'fod'
     copyright = u'2013, Leonidas Poulopoulos'
     # The version info for the project you're documenting, acts as replacement for
     # |version| and |release|, also used in various other places throughout the
     # built documents.
+    #
     # The short X.Y version.
     version = '0.9.9'
     # The full version, including alpha/beta/rc tags.
     release = '0.9.9'
     # The language for content autogenerated by Sphinx. Refer to documentation
     # for a list of supported languages.
     #language = None
     # There are two options for replacing |today|: either, you set today to some
     # non-false value, then it is used:
     #today = ''
     # Else, today_fmt is used as the format for a strftime call.
     #today_fmt = '%B %d, %Y'
     # List of documents that shouldn't be included in the build.
     #unused_docs = []
     # List of directories, relative to source directory, that shouldn't be searched
     # for source files.
     exclude_trees = []
     # The reST default role (used for this markup: `text`) to use for all documents.
     #default_role = None
     # If true, '()' will be appended to :func: etc. cross-reference text.
     #add_function_parentheses = True
     # If true, the current module name will be prepended to all description
     # unit titles (such as .. function::).
     #add_module_names = True
     # If true, sectionauthor and moduleauthor directives will be shown in the
     # output. They are ignored by default.
     #show_authors = False
     # The name of the Pygments (syntax highlighting) style to use.
     pygments_style = 'sphinx'
     # A list of ignored prefixes for module index sorting.
     #modindex_common_prefix = []
     # -- Options for HTML output ---------------------------------------------------
     # The theme to use for HTML and HTML Help pages.  Major themes that come with
     # Sphinx are currently 'default' and 'sphinxdoc'.
     html_theme = 'default'
     # Theme options are theme-specific and customize the look and feel of a theme
     # further.  For a list of options available for each theme, see the
     # documentation.
     #html_theme_options = {}
     # Add any paths that contain custom themes here, relative to this directory.
     #html_theme_path = []
     # The name for this set of Sphinx documents.  If None, it defaults to
     # "<project> v<release> documentation".
     #html_title = None
     # A shorter title for the navigation bar.  Default is the same as html_title.
     #html_short_title = None
     # The name of an image file (relative to this directory) to place at the top
     # of the sidebar.
     #html_logo = None
     # The name of an image file (within the static path) to use as favicon of the
     # docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
     # pixels large.
     #html_favicon = None
     # Add any paths that contain custom static files (such as style sheets) here,
     # relative to this directory. They are copied after the builtin static files,
     # so a file named "default.css" will overwrite the builtin "default.css".
     html_static_path = ['_static']
     # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
     # using the given strftime format.
     #html_last_updated_fmt = '%b %d, %Y'
     # If true, SmartyPants will be used to convert quotes and dashes to
     # typographically correct entities.
     #html_use_smartypants = True
     # Custom sidebar templates, maps document names to template names.
     #html_sidebars = {}
     # Additional templates that should be rendered to pages, maps page names to
     # template names.
     #html_additional_pages = {}
     # If false, no module index is generated.
     #html_use_modindex = True
     # If false, no index is generated.
     #html_use_index = True
     # If true, the index is split into individual pages for each letter.
     #html_split_index = False
     # If true, links to the reST sources are added to the pages.
     #html_show_sourcelink = True
     # If true, an OpenSearch description file will be output, and all pages will
     # contain a <link> tag referring to it.  The value of this option must be the
     # base URL from which the finished HTML is served.
     #html_use_opensearch = ''
     # If nonempty, this is the file name suffix for HTML files (e.g. ".xhtml").
     #html_file_suffix = ''
     # Output file base name for HTML help builder.
     htmlhelp_basename = 'foddoc'
     # -- Options for LaTeX output --------------------------------------------------
     # The paper size ('letter' or 'a4').
     #latex_paper_size = 'letter'
     # The font size ('10pt', '11pt' or '12pt').
     #latex_font_size = '10pt'
     # Grouping the document tree into LaTeX files. List of tuples
     # (source start file, target name, title, author, documentclass [howto/manual]).
     latex_documents = [
       ('index', 'fod.tex', u'fod Documentation',
        u'Leonidas Poulopoulos', 'manual'),
+    ]
     # The name of an image file (relative to this directory) to place at the top of
     # the title page.
     #latex_logo = None
     # For "manual" documents, if this is true, then toplevel headings are parts,
     # not chapters.
     #latex_use_parts = False
     # Additional stuff for the LaTeX preamble.
     #latex_preamble = ''
     # Documents to append as an appendix to all manuals.
     #latex_appendices = []
     # If false, no module index is generated.
     #latex_use_modindex = True

     .. fod documentation master file, created by
        sphinx-quickstart on Wed Oct 16 17:20:20 2013.
        You can adapt this file completely to your liking, but it should at least
        contain the root `toctree` directive.
     ******************
     Firewall on Demand
     ******************
     Description
     ===========
     Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers. Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network address range that the user originates from.
     FoD is meant to operate over this architecture::
               +-----------+          +------------+        +------------+
               |   FoD     | NETCONF  | flowspec   | ebgp   |   router   |
               | web app   +----------> device     +-------->            |
               +-----------+          +------+-----+        +------------+
                                             | ebgp
+                                            |
                                      +------v-----+
                                      |   router   |
                                      |            |
                                      +------------+
     NETCONF is chosen as the mgmt protocol to apply rules to a single flowspec capable device. Rules are then propagated via igbp to all flowspec capable routers. Of course FoD could apply rules directly (via NETCONF always) to a router and then ibgp would do the rest.
     In GRNET's case the flowspec capable device is an EX4200.
     .. attention::
     	Make sure your FoD server has ssh access to your flowspec device.
     Installation Considerations
     ===========================
     You can find the installation instructions for Ubuntu 12.04.3 (64) with Django 1.3.x here: :doc:`Install FoD <install>`.
     FoD depends on a bunch of packages. Installing in Debian Squeeze proved to be really tough as the majority of the required packages are not provided by any repos and need to be installed manually. This guide presents the installation procedures for Ubuntu 12.04.3 (64) with Django 1.3.x. Really soon, we will provide a guide for Debian Wheezy.
     However, users who wish to go for Wheezy, need to read the Django 1.4 changelist. One of the most significant changes in Django 1.4 is that the application dir layout has to be restructured.
     Also bear in mind that Django 1.4 introduces new aspects when it comes to application library inclussions.
     Soon we will post a branch of FoD tailored for Django 1.4.
     Contact
     =======
     You can find more about FoD or raise your issues at `GRNET FoD repository <https://code.grnet.gr/projects/flowspy>`_.
     You can contact us directly at leopoul{at}noc[dot]grnet(.)gr
     Install
     =======
     .. toctree::
        :maxdepth: 2
        install

     ************
     Installation
     ************
     .. toctree::
        :maxdepth: 2
     Ubuntu 12.04.3 (64) - Django 1.3.x
     ==================================
     This guide assumes that installation is carried out in /srv/flowspy directory. If other directory is to be used, please change the corresponding configuration files. It is also assumed that the root user will perform every action.
     Required system packages
     ------------------------
     Update and install the required packages::
     	apt-get update
     	apt-get upgrade
     	apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-extensions python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim
     .. note::
      Set username and password for mysql if used
     .. note::
     	If you wish to deploy an outgoing mail server, now it is time to do it. Otherwise you could set FoD to send out mails via a third party account
     Required application packages
     -----------------------------
     Get the required packages and install them
     - ncclient: NETCONF python client::
     	cd ~
     	git clone https://github.com/leopoul/ncclient.git
     	cd ncclient
     	python setup.py install
     - nxpy: Python Objects from/to XML proxy::
     	cd ~
     	git clone https://code.grnet.gr/git/nxpy
     	cd nxpy
     	python setup.py install
     - flowspy: core application. Installation is done at /srv/flowspy::
     	cd /srv
     	git clone https://code.grnet.gr/git/flowspy
     	cd flowspy
     Application configuration
     =========================
     Copy settings.py.dist to settings.py::
     	cp settings.py.dist settings.py
     Edit settings.py file and set the following according to your configuration::
     	ADMINS: set your admin name and email (assuming that your server can send notifications)
     	DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
     	SECRET_KEY : Make this unique, and don't share it with anybody
     	STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
     	TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
     	CACHE_BACKEND:  If you have followed the above this should be: memcached://127.0.0.1:11211/?timeout=3600
     	Alternatively you could go for redis with the corresponding Django client lib.
     	NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
     	NETCONF_USER (enable ssh and netconf on device)
     	NETCONF_PASS
     	If beanstalk is selected the following should be left intact.
     	BROKER_HOST (beanstalk host)
     	BROKER_PORT (beanstalk port)
     	SERVER_EMAIL
     	EMAIL_SUBJECT_PREFIX
     	If beanstalk is selected the following should be left intact.
     	BROKER_URL (beanstalk url)
     	SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
     	NOTIFY_ADMIN_MAILS (bcc mail addresses)
     	PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
     	The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
     	PRIMARY_WHOIS
     	ALTERNATE_WHOIS
     	If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
     	SHIB_AUTH_ENTITLEMENT = 'urn:mace'
     	SHIB_ADMIN_DOMAIN = 'example.com'
     	SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
     	SHIB_USERNAME = ['HTTP_EPPN']
     	SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
     	SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
     	SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
     	SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
     If you have not installed an outgoing mail server you can always use your own account (either corporate or gmail, hotmail ,etc) by adding the following lines in settings.py::
     	EMAIL_USE_TLS = True #(or False)
     	EMAIL_HOST = 'smtp.example.com'
     	EMAIL_HOST_USER = 'username'
     	EMAIL_HOST_PASSWORD = 'yourpassword'
     	EMAIL_PORT = 587 #(outgoing)
     .. note::
     	Soon we will release a version with django-registration as a means to add users and Shibboleth as an alternative
     Let's move on with some copies and dir creations::
     	cp urls.py.dist urls.py
     	mkdir log
     	chown -R root:www-data log/
     	chmod -R g+w log
     System configuration
     ====================
     Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules enabled.
     Depending on the setup the apache configuration may vary::
     	a2enmod rewrite
     	a2enmod proxy
     	a2enmod ssl
     	a2enmod proxy_http
     If shibboleth is to be used::
     	apt-get install libapache2-mod-shib2
     	a2enmod shib2
     Now it is time to configure beanstalk, gunicorn, celery and apache.
     beanstalkd
     ----------
     Enable beanstalk by editting /etc/default/beanstalkd::
     	vim /etc/default/beanstalkd
     Uncomment the line **START=yes** to enable beanstalk
     Start beanstalkd::
     	service beanstalkd start
     gunicorn.d
     ----------
     create and edit /etc/gunicorn.d/fod::
     	vim /etc/gunicorn.d/fod
     FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be::
     	CONFIG = {
     	    'mode': 'django',
     	    'working_dir': '/srv/flowspy',
     	    'args': (
     	        '--bind=127.0.0.1:8081',
     	        '--workers=1',
     	        '--timeout=360',
     	        '--worker-class=egg:gunicorn#gevent',
     	        '--log-level=debug',
     	        'settings.py',
     	    ),
+    	}
     celery.d
     --------
     Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.
     .. note::
     	Make sure that /etc/init.d/celeryd exists.
     celeryd requires a /etc/default/celeryd file to be in place.
     Thus we are going to create this file (/etc/default/celeryd)::
     	vim /etc/default/celeryd
     Again if the directory conventions have been followed the file should be::
     	# Name of nodes to start, here we have a single node
     	CELERYD_NODES="w1"
     	# or we could have three nodes:
     	#CELERYD_NODES="w1 w2 w3"
     	# Where to chdir at start.
     	CELERYD_CHDIR="/srv/flowspy/"
     	# How to call "manage.py celeryd_multi"
     	CELERYD_MULTI="$CELERYD_CHDIR/manage.py celeryd_multi"
     	# How to call "manage.py celeryctl"
     	CELERYCTL="$CELERYD_CHDIR/manage.py celeryctl"
     	# Extra arguments to celeryd
     	#CELERYD_OPTS="--time-limit=300 --concurrency=8"
     	CELERYD_OPTS="-E -B"
     	# Name of the celery config module.
     	CELERY_CONFIG_MODULE="celeryconfig"
     	# %n will be replaced with the nodename.
     	CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
     	CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"
     	# Workers should run as an unprivileged user.
     	CELERYD_USER="root"
     	CELERYD_GROUP="root"
     	# Name of the projects settings module.
     	export DJANGO_SETTINGS_MODULE="settings"
     Apache
     ------
     Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set <server_name> and <admin_mail> along with your certificates. If under testing environment, you can use the provided snakeoil certs. If you do not intent to use Shibboleth delete or comment the corresponding configuration parts inside **Shibboleth configuration** ::
     	vim /etc/apache2/sites-available/fod
     Again if the directory conventions have been followed the file should be::
     	<VirtualHost *:80>
     		ServerAdmin webmaster@localhost
     		ServerName	<server_name>
     		DocumentRoot /var/www
     		<Directory />
     			Options FollowSymLinks
     			AllowOverride None
     		</Directory>
     		<Directory /var/www/>
     			Options Indexes FollowSymLinks MultiViews
     			AllowOverride None
     			Order allow,deny
     			allow from all
     		</Directory>
     		ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
     		<Directory "/usr/lib/cgi-bin">
     			AllowOverride None
     			Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
     			Order allow,deny
     			Allow from all
     		</Directory>
     		ErrorLog ${APACHE_LOG_DIR}/error.log
     		# Possible values include: debug, info, notice, warn, error, crit,
     		# alert, emerg.
     		LogLevel warn
     		CustomLog ${APACHE_LOG_DIR}/access.log combined
     	    Alias /doc/ "/usr/share/doc/"
     	    <Directory "/usr/share/doc/">
     	        Options Indexes MultiViews FollowSymLinks
     	        AllowOverride None
     	        Order deny,allow
     	        Deny from all
     	        Allow from 127.0.0.0/255.0.0.0 ::1/128
     	    </Directory>
     		RewriteEngine On
     		RewriteCond %{HTTPS} off
     		RewriteRule ^/(.*) https://<server_name>/$1 [L,R]
     	</VirtualHost>
     	<VirtualHost *:443>
     		ServerName	 <server_name>
     		ServerAdmin		<admin_mail>
     		ServerSignature		On
     		SSLEngine on
     		SSLCertificateFile	/etc/ssl/certs/example.com.crt
     		SSLCertificateChainFile	/etc/ssl/certs/example.com.crt
     		SSLCertificateKeyFile	/etc/ssl/private/example.com.key
     		AddDefaultCharset	UTF-8
     		IndexOptions		+Charset=UTF-8
     		# Shibboleth configuration
     		ShibConfig		/etc/shibboleth/shibboleth2.xml
     		Alias			/shibboleth-sp	/usr/share/shibboleth
     		<Location /fod/login>
     	        AuthType shibboleth
     	        ShibRequireSession On
     	        ShibUseHeaders On
     	        require valid-user
     	    </Location>
     		# Shibboleth debugging CGI script
     		ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
     		<Location /shibboleth/test>
     			AuthType shibboleth
     			ShibRequireSession On
     			ShibUseHeaders On
     			require valid-user
     		</Location>
     		<Location /Shibboleth.sso>
     			SetHandler shib
     		</Location>
     		# End of Shibboleth configuration
     		<Location /admin/media/>
     			SetHandler      None
     		</Location>
     		Alias /admin/media	/usr/share/pyshared/django/contrib/admin/media
     		Alias /media  /usr/share/pyshared/django/contrib/admin/media
     			DocumentRoot /var/www
     	        <Directory /var/www/>
     	                Options Indexes FollowSymLinks MultiViews
     	                AllowOverride None
     	                Order allow,deny
     	                allow from all
     	        </Directory>
     		<Proxy *>
     	  	Order allow,deny
     		Allow from all
     		</Proxy>
     		SSLProxyEngine        off
     		ProxyErrorOverride    off
     	    ProxyTimeout    28800
     		ProxyPass        /fod http://localhost:8081/fod retry=0
     		ProxyPassReverse /fod http://localhost:8081/fod
     		LogLevel warn
     		ErrorLog /var/log/apache2/ssl-error.log
     		CustomLog /var/log/apache2/ssl-access.log combined
     		Alias /fodstatic	/srv/flowspy/static
     	</VirtualHost>
     You are not far away from deploying FoD. When asked for a super user, create one::
     	cd /srv/flowspy
     	python manage.py syncdb
     	python manage.py migrate
     Restart, gunicorn and apache::
     	service gunicorn restart && service apache2 restart
     Testing the platform
     ====================
     Log in to the admin interface via https://<your ip>/fod/admin. Go to Peer ranges and add a new range (part of/or a complete subnet), eg. 83.212.0.0/19
     Go to Peers and add a new peer, eg. id: 1, name: Test, AS: 16503, tag: TEST and move the network you have crteated from Avalable to Chosen. From the admin front, go to User, and edit your user. From the bottom of the page, select the TEST peer and save.
     Last but not least, modify as required the existing (example.com) Site instance. You are done. As you are logged-n via the admin, there is no need for Shibboleth. Go to https://<your ip>/fod/ and create a new rule. Your rule should be applied on the flowspec capable device after aprox. 10 seconds.
     Branding
     ========
     Via the admin interface you can modify flatpages to suit your needs
     Logos
     -----
     Inside the static folder you will find two empty png files: fod_logo.xcf (Gimp file) and shib_login.dist.png. Edit those two with your favourite image processing software and save them as fod_logo.png (under static/img/) and shib_login.png (under static/). Image sizes are optimized to operate without any other code changes. In case you want to incorporate images of different sizes you have to fine tune css and/or html as well.
     Footer
     ------
     Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.
     Welcome Page
     ------------
     Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.

     Installation
     ************
     Ubuntu 12.04.3 (64) - Django 1.3.x
     ==================================
     This guide assumes that installation is carried out in /srv/flowspy
     directory. If other directory is to be used, please change the
     corresponding configuration files. It is also assumed that the root
     user will perform every action.
     Required system packages
     ------------------------
     Update and install the required packages:
        apt-get update
        apt-get upgrade
        apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-extensions python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim
     Note: Set username and password for mysql if used
     Note: If you wish to deploy an outgoing mail server, now it is time to do
       it. Otherwise you could set FoD to send out mails via a third party
       account
     Required application packages
     -----------------------------
     Get the required packages and install them
     * ncclient: NETCONF python client:
          cd ~
          git clone https://github.com/leopoul/ncclient.git
          cd ncclient
          python setup.py install
     * nxpy: Python Objects from/to XML proxy:
          cd ~
          git clone https://code.grnet.gr/git/nxpy
          cd nxpy
          python setup.py install
     * flowspy: core application. Installation is done at /srv/flowspy:
          cd /srv
          git clone https://code.grnet.gr/git/flowspy
          cd flowspy
     Application configuration
     =========================
     Copy settings.py.dist to settings.py:
        cp settings.py.dist settings.py
     Edit settings.py file and set the following according to your
     configuration:
        ADMINS: set your admin name and email (assuming that your server can send notifications)
        DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
        SECRET_KEY : Make this unique, and don't share it with anybody
        STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
        TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
        CACHE_BACKEND:  If you have followed the above this should be: memcached://127.0.0.1:11211/?timeout=3600
        Alternatively you could go for redis with the corresponding Django client lib.
        NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
        NETCONF_USER (enable ssh and netconf on device)
        NETCONF_PASS
        If beanstalk is selected the following should be left intact.
        BROKER_HOST (beanstalk host)
        BROKER_PORT (beanstalk port)
        SERVER_EMAIL
        EMAIL_SUBJECT_PREFIX
        If beanstalk is selected the following should be left intact.
        BROKER_URL (beanstalk url)
        SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
        NOTIFY_ADMIN_MAILS (bcc mail addresses)
        PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
        The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
        PRIMARY_WHOIS
        ALTERNATE_WHOIS
        If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
        SHIB_AUTH_ENTITLEMENT = 'urn:mace'
        SHIB_ADMIN_DOMAIN = 'example.com'
        SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
        SHIB_USERNAME = ['HTTP_EPPN']
        SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
        SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
        SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
        SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
     If you have not installed an outgoing mail server you can always use
     your own account (either corporate or gmail, hotmail ,etc) by adding
     the following lines in settings.py:
        EMAIL_USE_TLS = True #(or False)
        EMAIL_HOST = 'smtp.example.com'
        EMAIL_HOST_USER = 'username'
        EMAIL_HOST_PASSWORD = 'yourpassword'
        EMAIL_PORT = 587 #(outgoing)
     Note: Soon we will release a version with django-registration as a means
       to add users and Shibboleth as an alternative
     Let's move on with some copies and dir creations:
        cp urls.py.dist urls.py
        mkdir log
        chown -R root:www-data log/
        chmod -R g+w log
     System configuration
     ====================
     Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules
     enabled. Depending on the setup the apache configuration may vary:
        a2enmod rewrite
        a2enmod proxy
        a2enmod ssl
        a2enmod proxy_http
     If shibboleth is to be used:
        apt-get install libapache2-mod-shib2
        a2enmod shib2
     Now it is time to configure beanstalk, gunicorn, celery and apache.
     beanstalkd
     ----------
     Enable beanstalk by editting /etc/default/beanstalkd:
        vim /etc/default/beanstalkd
     Uncomment the line **START=yes** to enable beanstalk
     Start beanstalkd:
        service beanstalkd start
     gunicorn.d
     ----------
     create and edit /etc/gunicorn.d/fod:
        vim /etc/gunicorn.d/fod
     FoD is served via gunicorn and is then proxied by Apache. If the above
     directory conventions have been followed so far, then your
     configuration should be:
        CONFIG = {
            'mode': 'django',
            'working_dir': '/srv/flowspy',
            'args': (
                '--bind=127.0.0.1:8081',
                '--workers=1',
                '--timeout=360',
                '--worker-class=egg:gunicorn#gevent',
                '--log-level=debug',
                'settings.py',
            ),
+       }
     celery.d
     --------
     Celery is used over beanstalkd to apply firewall rules in a serial
     manner so that locks are avoided on the flowspec capable device. In
     our setup celery runs via django. That is why the python-django-celery
     package was installed.
     Note: Make sure that /etc/init.d/celeryd exists.
     celeryd requires a /etc/default/celeryd file to be in place. Thus we
     are going to create this file (/etc/default/celeryd):
        vim /etc/default/celeryd
     Again if the directory conventions have been followed the file should
     be:
        # Name of nodes to start, here we have a single node
        CELERYD_NODES="w1"
        # or we could have three nodes:
        #CELERYD_NODES="w1 w2 w3"
        # Where to chdir at start.
        CELERYD_CHDIR="/srv/flowspy/"
        # How to call "manage.py celeryd_multi"
        CELERYD_MULTI="$CELERYD_CHDIR/manage.py celeryd_multi"
        # How to call "manage.py celeryctl"
        CELERYCTL="$CELERYD_CHDIR/manage.py celeryctl"
        # Extra arguments to celeryd
        #CELERYD_OPTS="--time-limit=300 --concurrency=8"
        CELERYD_OPTS="-E -B"
        # Name of the celery config module.
        CELERY_CONFIG_MODULE="celeryconfig"
        # %n will be replaced with the nodename.
        CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
        CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"
        # Workers should run as an unprivileged user.
        CELERYD_USER="root"
        CELERYD_GROUP="root"
        # Name of the projects settings module.
        export DJANGO_SETTINGS_MODULE="settings"
     Apache
     ------
     Apache proxies gunicorn. Things are more flexible here as you may
     follow your own configuration and conventions. Create and edit
     /etc/apache2/sites-available/fod. You should set <server_name> and
     <admin_mail> along with your certificates. If under testing
     environment, you can use the provided snakeoil certs. If you do not
     intent to use Shibboleth delete or comment the corresponding
     configuration parts inside **Shibboleth configuration**
        vim /etc/apache2/sites-available/fod
     Again if the directory conventions have been followed the file should
     be:
        <VirtualHost *:80>
                ServerAdmin webmaster@localhost
                ServerName      <server_name>
                DocumentRoot /var/www
                <Directory />
                        Options FollowSymLinks
                        AllowOverride None
                </Directory>
                <Directory /var/www/>
                        Options Indexes FollowSymLinks MultiViews
                        AllowOverride None
                        Order allow,deny
                        allow from all
                </Directory>
                ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
                <Directory "/usr/lib/cgi-bin">
                        AllowOverride None
                        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                        Order allow,deny
                        Allow from all
                </Directory>
                ErrorLog ${APACHE_LOG_DIR}/error.log
                # Possible values include: debug, info, notice, warn, error, crit,
                # alert, emerg.
                LogLevel warn
                CustomLog ${APACHE_LOG_DIR}/access.log combined
            Alias /doc/ "/usr/share/doc/"
            <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
            </Directory>
                RewriteEngine On
                RewriteCond %{HTTPS} off
                RewriteRule ^/(.*) https://<server_name>/$1 [L,R]
        </VirtualHost>
        <VirtualHost *:443>
                ServerName       <server_name>
                ServerAdmin             <admin_mail>
                ServerSignature         On
                SSLEngine on
                SSLCertificateFile      /etc/ssl/certs/example.com.crt
                SSLCertificateChainFile /etc/ssl/certs/example.com.crt
                SSLCertificateKeyFile   /etc/ssl/private/example.com.key
                AddDefaultCharset       UTF-8
                IndexOptions            +Charset=UTF-8
                # Shibboleth configuration
                ShibConfig              /etc/shibboleth/shibboleth2.xml
                Alias                   /shibboleth-sp  /usr/share/shibboleth
                <Location /fod/login>
                AuthType shibboleth
                ShibRequireSession On
                ShibUseHeaders On
                require valid-user
            </Location>
                # Shibboleth debugging CGI script
                ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
                <Location /shibboleth/test>
                        AuthType shibboleth
                        ShibRequireSession On
                        ShibUseHeaders On
                        require valid-user
                </Location>
                <Location /Shibboleth.sso>
                        SetHandler shib
                </Location>
                # End of Shibboleth configuration
                <Location /admin/media/>
                        SetHandler      None
                </Location>
                Alias /admin/media      /usr/share/pyshared/django/contrib/admin/media
                Alias /media  /usr/share/pyshared/django/contrib/admin/media
                        DocumentRoot /var/www
                <Directory /var/www/>
                        Options Indexes FollowSymLinks MultiViews
                        AllowOverride None
                        Order allow,deny
                        allow from all
                </Directory>
                <Proxy *>
                Order allow,deny
                Allow from all
                </Proxy>
                SSLProxyEngine        off
                ProxyErrorOverride    off
            ProxyTimeout    28800
                ProxyPass        /fod http://localhost:8081/fod retry=0
                ProxyPassReverse /fod http://localhost:8081/fod
                LogLevel warn
                ErrorLog /var/log/apache2/ssl-error.log
                CustomLog /var/log/apache2/ssl-access.log combined
                Alias /fodstatic        /srv/flowspy/static
        </VirtualHost>
     You are not far away from deploying FoD. When asked for a super user,
     create one:
        cd /srv/flowspy
        python manage.py syncdb
        python manage.py migrate
     Restart, gunicorn and apache:
        service gunicorn restart && service apache2 restart
     Testing the platform
     ====================
     Log in to the admin interface via https://<your ip>/fod/admin. Go to
     Peer ranges and add a new range (part of/or a complete subnet), eg.
 .212.0.0/19 Go to Peers and add a new peer, eg. id: 1, name: Test,
     AS: 16503, tag: TEST and move the network you have crteated from
     Avalable to Chosen. From the admin front, go to User, and edit your
     user. From the bottom of the page, select the TEST peer and save. Last
     but not least, modify as required the existing (example.com) Site
     instance. You are done. As you are logged-n via the admin, there is no
     need for Shibboleth. Go to https://<your ip>/fod/ and create a new
     rule. Your rule should be applied on the flowspec capable device after
     aprox. 10 seconds.
     Branding
     ========
     Via the admin interface you can modify flatpages to suit your needs
     Logos
     -----
     Inside the static folder you will find two empty png files:
     fod_logo.xcf (Gimp file) and shib_login.dist.png. Edit those two with
     your favourite image processing software and save them as fod_logo.png
     (under static/img/) and shib_login.png (under static/). Image sizes
     are optimized to operate without any other code changes. In case you
     want to incorporate images of different sizes you have to fine tune
     css and/or html as well.
     Footer
     ------
     Under the templates folder (templates), you can alter the footer.html
     file to include your own footer messages, badges, etc.
     Welcome Page
     ------------
     Under the templates folder (templates), you can alter the welcome page
     - welcome.html with your own images, carousel, videos, etc.

Also available in: Unified diff