.. root / doc / source / install.rst @ 7aa06e71

************
Installation
************

.. toctree::
   :maxdepth: 2

Ubuntu 12.04.3 (64) - Django 1.3.x
==================================

This guide assumes that the installation is carried out in the /srv/flowspy directory. If another directory is used, change the corresponding configuration files accordingly. It is also assumed that the root user performs every action.

Required system packages
------------------------

Update and install the required packages::

	apt-get update
	apt-get upgrade
	apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-extensions python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim

.. note::
	Set a username and password for MySQL if it is used.

.. note::
	If you wish to deploy an outgoing mail server, now is the time to do it. Otherwise you can configure FoD to send mail via a third-party account.

Create a database
-----------------
If you are using MySQL, you should create a database::

	mysql -u root -p -e 'create database fod'

Required application packages
-----------------------------
Get the required packages and install them:

- ncclient: NETCONF python client::

	cd ~
	git clone https://github.com/leopoul/ncclient.git
	cd ncclient
	python setup.py install

- nxpy: Python Objects from/to XML proxy::

	cd ~
	git clone https://code.grnet.gr/git/nxpy
	cd nxpy
	python setup.py install

- flowspy: core application. Installation is done at /srv/flowspy::

	cd /srv
	git clone https://code.grnet.gr/git/flowspy
	cd flowspy

Application configuration
=========================

Copy settings.py.dist to settings.py::

	cp settings.py.dist settings.py

Edit the settings.py file and set the following according to your configuration::

	ADMINS: set your admin name and email (assuming that your server can send notifications)
	DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
	SECRET_KEY: Make this unique, and don't share it with anybody
	STATIC_URL (static media directory). If you have followed the above this should be: /srv/flowspy/static
	TEMPLATE_DIRS: If you have followed the above this should be: /srv/flowspy/templates
	CACHE_BACKEND: If you have followed the above this should be: memcached://127.0.0.1:11211/?timeout=3600
	Alternatively you could go for redis with the corresponding Django client lib.
	NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
	NETCONF_USER (enable ssh and netconf on device)
	NETCONF_PASS
	If beanstalk is selected the following should be left intact.
	BROKER_HOST (beanstalk host)
	BROKER_PORT (beanstalk port)
	SERVER_EMAIL
	EMAIL_SUBJECT_PREFIX
	If beanstalk is selected the following should be left intact.
	BROKER_URL (beanstalk url)
	SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
	NOTIFY_ADMIN_MAILS (bcc mail addresses)
	PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
	The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
	PRIMARY_WHOIS
	ALTERNATE_WHOIS
	If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
	SHIB_AUTH_ENTITLEMENT = 'urn:mace'
	SHIB_ADMIN_DOMAIN = 'example.com'
	SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
	SHIB_USERNAME = ['HTTP_EPPN']
	SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
	SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
	SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
	SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']

If you have not installed an outgoing mail server you can always use your own account (corporate, Gmail, Hotmail, etc.) by adding the following lines in settings.py::

	EMAIL_USE_TLS = True #(or False)
	EMAIL_HOST = 'smtp.example.com'
	EMAIL_HOST_USER = 'username'
	EMAIL_HOST_PASSWORD = 'yourpassword'
	EMAIL_PORT = 587 #(outgoing)

.. note::
	Soon we will release a version with django-registration as a means to add users and Shibboleth as an alternative.

Let's move on with some file copies and directory creation::

	cp urls.py.dist urls.py
	mkdir log
	chown -R root:www-data log/
	chmod -R g+w log

System configuration
====================
Apache operates as a gunicorn proxy with the WSGI and Shibboleth modules enabled.
Depending on the setup the apache configuration may vary::

	a2enmod rewrite
	a2enmod proxy
	a2enmod ssl
	a2enmod proxy_http

If Shibboleth is to be used::

	apt-get install libapache2-mod-shib2
	a2enmod shib2

Now it is time to configure beanstalk, gunicorn, celery and apache.

beanstalkd
----------

Enable beanstalk by editing /etc/default/beanstalkd::

	vim /etc/default/beanstalkd

Uncomment the line **START=yes** to enable beanstalk.

Start beanstalkd::

	service beanstalkd start

gunicorn.d
----------

Create and edit /etc/gunicorn.d/fod::

	vim /etc/gunicorn.d/fod

FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be::

	CONFIG = {
	    'mode': 'django',
	    'working_dir': '/srv/flowspy',
	    'args': (
	        '--bind=127.0.0.1:8081',
	        '--workers=1',
	        '--timeout=360',
	        '--worker-class=egg:gunicorn#gevent',
	        '--log-level=debug',
	        'settings.py',
	    ),
	}

celery.d
--------

Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.

Create the celeryd daemon at /etc/init.d/celeryd::

	vim /etc/init.d/celeryd

The configuration should be::

	#!/bin/sh -e
	# ============================================
	#  celeryd - Starts the Celery worker daemon.
	# ============================================
	#
	# :Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status}
	# :Configuration file: /etc/default/celeryd
	#
	# See http://docs.celeryq.org/en/latest/cookbook/daemonizing.html#init-script-celeryd


	### BEGIN INIT INFO
	# Provides:          celeryd
	# Required-Start:    $network $local_fs $remote_fs
	# Required-Stop:     $network $local_fs $remote_fs
	# Default-Start:     2 3 4 5
	# Default-Stop:      0 1 6
	# Short-Description: celery task worker daemon
	### END INIT INFO

	#set -e

	DEFAULT_PID_FILE="/var/run/celeryd@%n.pid"
	DEFAULT_LOG_FILE="/var/log/celeryd@%n.log"
	DEFAULT_LOG_LEVEL="INFO"
	DEFAULT_NODES="celery"
	DEFAULT_CELERYD="-m celery.bin.celeryd_detach"

	# /etc/init.d/celeryd: start and stop the celery task worker daemon.

	CELERY_DEFAULTS=${CELERY_DEFAULTS:-"/etc/default/celeryd"}

	test -f "$CELERY_DEFAULTS" && . "$CELERY_DEFAULTS"
	if [ -f "/etc/default/celeryd" ]; then
	    . /etc/default/celeryd
	fi

	CELERYD_PID_FILE=${CELERYD_PID_FILE:-${CELERYD_PIDFILE:-$DEFAULT_PID_FILE}}
	CELERYD_LOG_FILE=${CELERYD_LOG_FILE:-${CELERYD_LOGFILE:-$DEFAULT_LOG_FILE}}
	CELERYD_LOG_LEVEL=${CELERYD_LOG_LEVEL:-${CELERYD_LOGLEVEL:-$DEFAULT_LOG_LEVEL}}
	CELERYD_MULTI=${CELERYD_MULTI:-"celeryd-multi"}
	CELERYD=${CELERYD:-$DEFAULT_CELERYD}
	CELERYCTL=${CELERYCTL:="celeryctl"}
	CELERYD_NODES=${CELERYD_NODES:-$DEFAULT_NODES}

	export CELERY_LOADER

	if [ -n "$2" ]; then
	    CELERYD_OPTS="$CELERYD_OPTS $2"
	fi

	# Quote the paths so that directories containing spaces are handled.
	CELERYD_LOG_DIR=`dirname "$CELERYD_LOG_FILE"`
	CELERYD_PID_DIR=`dirname "$CELERYD_PID_FILE"`
	if [ ! -d "$CELERYD_LOG_DIR" ]; then
	    mkdir -p "$CELERYD_LOG_DIR"
	fi
	if [ ! -d "$CELERYD_PID_DIR" ]; then
	    mkdir -p "$CELERYD_PID_DIR"
	fi

	# Extra start-stop-daemon options, like user/group.
	if [ -n "$CELERYD_USER" ]; then
	    DAEMON_OPTS="$DAEMON_OPTS --uid=$CELERYD_USER"
	    chown "$CELERYD_USER" "$CELERYD_LOG_DIR" "$CELERYD_PID_DIR"
	fi
	if [ -n "$CELERYD_GROUP" ]; then
	    DAEMON_OPTS="$DAEMON_OPTS --gid=$CELERYD_GROUP"
	    chgrp "$CELERYD_GROUP" "$CELERYD_LOG_DIR" "$CELERYD_PID_DIR"
	fi

	if [ -n "$CELERYD_CHDIR" ]; then
	    DAEMON_OPTS="$DAEMON_OPTS --workdir=\"$CELERYD_CHDIR\""
	fi

	check_dev_null() {
	    if [ ! -c /dev/null ]; then
		echo "/dev/null is not a character device!"
		exit 1
	    fi
	}

	export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"

	stop_workers () {
	    $CELERYD_MULTI stop $CELERYD_NODES --pidfile="$CELERYD_PID_FILE"
	}

	start_workers () {
	    $CELERYD_MULTI start $CELERYD_NODES $DAEMON_OPTS        \
		                 --pidfile="$CELERYD_PID_FILE"      \
		                 --logfile="$CELERYD_LOG_FILE"      \
		                 --loglevel="$CELERYD_LOG_LEVEL"    \
		                 --cmd="$CELERYD"                   \
		                 $CELERYD_OPTS
	}

	restart_workers () {
	    $CELERYD_MULTI restart $CELERYD_NODES $DAEMON_OPTS      \
		                   --pidfile="$CELERYD_PID_FILE"    \
		                   --logfile="$CELERYD_LOG_FILE"    \
		                   --loglevel="$CELERYD_LOG_LEVEL"  \
		                   --cmd="$CELERYD"                 \
		                   $CELERYD_OPTS
	}

	case "$1" in
	    start)
		check_dev_null
		start_workers
	    ;;

	    stop)
		check_dev_null
		stop_workers
	    ;;

	    reload|force-reload)
		echo "Use restart"
	    ;;

	    status)
		$CELERYCTL status $CELERYCTL_OPTS
	    ;;

	    restart)
		check_dev_null
		restart_workers
	    ;;

	    try-restart)
		check_dev_null
		restart_workers
	    ;;

	    *)
		# List the actions this script actually handles.
		echo "Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status}"
		exit 1
	    ;;
	esac

	exit 0


and make it executable::

	chmod +x /etc/init.d/celeryd

celeryd requires a /etc/default/celeryd file to be in place.
Thus we are going to create this file (/etc/default/celeryd)::

	vim /etc/default/celeryd

Again, if the directory conventions have been followed, the file should be::

	# Name of nodes to start, here we have a single node
	CELERYD_NODES="w1"
	# or we could have three nodes:
	#CELERYD_NODES="w1 w2 w3"

	# Where to chdir at start.
	CELERYD_CHDIR="/srv/flowspy/"
	# How to call "manage.py celeryd_multi"
	CELERYD_MULTI="$CELERYD_CHDIR/manage.py celeryd_multi"

	# How to call "manage.py celeryctl"
	CELERYCTL="$CELERYD_CHDIR/manage.py celeryctl"

	# Extra arguments to celeryd
	#CELERYD_OPTS="--time-limit=300 --concurrency=8"
	CELERYD_OPTS="-E -B"
	# Name of the celery config module.
	CELERY_CONFIG_MODULE="celeryconfig"

	# %n will be replaced with the nodename.
	CELERYD_LOG_FILE="$CELERYD_CHDIR/celery_var/log/celery/%n.log"
	CELERYD_PID_FILE="$CELERYD_CHDIR/celery_var/run/celery/%n.pid"

	# Workers should run as an unprivileged user; root is used here only
	# because this guide performs every action as root.
	CELERYD_USER="root"
	CELERYD_GROUP="root"

	# Name of the projects settings module.
	export DJANGO_SETTINGS_MODULE="settings"

Apache
------
Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set <server_name> and <admin_mail> along with your certificates. In a testing environment, you can use the provided snakeoil certs. If you do not intend to use Shibboleth, delete or comment out the corresponding configuration parts inside **Shibboleth configuration**::

	vim /etc/apache2/sites-available/fod

Again, if the directory conventions have been followed, the file should be::

	<VirtualHost *:80>
		ServerAdmin webmaster@localhost
		ServerName <server_name>
		DocumentRoot /var/www
		<Directory />
			Options FollowSymLinks
			AllowOverride None
		</Directory>
		<Directory /var/www/>
			Options Indexes FollowSymLinks MultiViews
			AllowOverride None
			Order allow,deny
			allow from all
		</Directory>

		ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
		<Directory "/usr/lib/cgi-bin">
			AllowOverride None
			Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
			Order allow,deny
			Allow from all
		</Directory>

		ErrorLog ${APACHE_LOG_DIR}/error.log

		# Possible values include: debug, info, notice, warn, error, crit,
		# alert, emerg.
		LogLevel warn

		CustomLog ${APACHE_LOG_DIR}/access.log combined

		Alias /doc/ "/usr/share/doc/"
		<Directory "/usr/share/doc/">
			Options Indexes MultiViews FollowSymLinks
			AllowOverride None
			Order deny,allow
			Deny from all
			Allow from 127.0.0.0/255.0.0.0 ::1/128
		</Directory>

		RewriteEngine On
		RewriteCond %{HTTPS} off
		RewriteRule ^/(.*) https://<server_name>/$1 [L,R]

	</VirtualHost>
	<VirtualHost *:443>
		ServerName <server_name>
		ServerAdmin <admin_mail>
		ServerSignature On

		SSLEngine on
		SSLCertificateFile /etc/ssl/certs/example.com.crt
		SSLCertificateChainFile /etc/ssl/certs/example.com.crt
		SSLCertificateKeyFile /etc/ssl/private/example.com.key

		AddDefaultCharset UTF-8
		IndexOptions +Charset=UTF-8

		# Shibboleth configuration
		ShibConfig /etc/shibboleth/shibboleth2.xml
		Alias /shibboleth-sp /usr/share/shibboleth

		<Location /fod/login>
			AuthType shibboleth
			ShibRequireSession On
			ShibUseHeaders On
			require valid-user
		</Location>

		# Shibboleth debugging CGI script
		ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
		<Location /shibboleth/test>
			AuthType shibboleth
			ShibRequireSession On
			ShibUseHeaders On
			require valid-user
		</Location>

		<Location /Shibboleth.sso>
			SetHandler shib
		</Location>

		# End of Shibboleth configuration

		<Location /admin/media/>
			SetHandler None
		</Location>

		Alias /admin/media /usr/share/pyshared/django/contrib/admin/media
		Alias /media /usr/share/pyshared/django/contrib/admin/media
		DocumentRoot /var/www
		<Directory /var/www/>
			Options Indexes FollowSymLinks MultiViews
			AllowOverride None
			Order allow,deny
			allow from all
		</Directory>

		<Proxy *>
			Order allow,deny
			Allow from all
		</Proxy>

		SSLProxyEngine off
		ProxyErrorOverride off
		ProxyTimeout 28800
		ProxyPass /fod http://localhost:8081/fod retry=0
		ProxyPassReverse /fod http://localhost:8081/fod

		LogLevel warn
		ErrorLog /var/log/apache2/ssl-error.log
		CustomLog /var/log/apache2/ssl-access.log combined

		Alias /fodstatic /srv/flowspy/static

	</VirtualHost>


Now, enable your site. You might want to disable the default site if fod is the only site you host on your server::

	a2dissite default
	a2ensite fod

You are not far away from deploying FoD. When asked for a super user, create one::

	cd /srv/flowspy
	python manage.py syncdb
	python manage.py migrate

Restart gunicorn and apache::

	service gunicorn restart && service apache2 restart

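
A post-install check for the files configured above, as an added example that is not part of FoD or of the original guide: a POSIX shell function that inspects settings.py, /etc/gunicorn.d/fod, /etc/default/celeryd and the Apache virtual host for the sample values that suit a test setup better than a production one. The function names and the optional path-prefix argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not part of FoD): audit the files this guide creates.
# audit_fod [ROOT] prints one "WARN:" line per finding and returns 1 if it
# printed any. ROOT is a hypothetical path prefix (default: the live system)
# so that a copy of the configuration can be checked as well.

# Print the non-comment lines of a file; print nothing if it is missing.
active_lines() {
    if [ -f "$1" ]; then
        grep -v '^[[:space:]]*#' "$1" || true
    fi
}

# Report one finding and count it.
warn() {
    echo "WARN: $*"
    findings=$((findings + 1))
}

audit_fod() {
    root="${1:-}"
    settings="$root/srv/flowspy/settings.py"
    gunicorn="$root/etc/gunicorn.d/fod"
    celery="$root/etc/default/celeryd"
    vhost="$root/etc/apache2/sites-available/fod"
    findings=0

    # settings.py holds SECRET_KEY, NETCONF_PASS and EMAIL_HOST_PASSWORD.
    if [ -f "$settings" ] && [ -n "$(find "$settings" -perm -004)" ]; then
        warn "$settings is world-readable but stores SECRET_KEY and NETCONF_PASS"
    fi

    # gunicorn should be reachable only through the Apache proxy.
    bind=$(active_lines "$gunicorn" |
        sed -n "s/.*--bind=\([^'\"]*\).*/\1/p" | head -n 1)
    case "$bind" in
        "" | 127.* | localhost:* | "[::1]:"* | unix:*) ;;
        *) warn "gunicorn binds to $bind instead of a loopback address" ;;
    esac
    if active_lines "$gunicorn" | grep -q -e '--log-level=debug'; then
        warn "gunicorn runs with --log-level=debug"
    fi

    # The sample /etc/default/celeryd runs the workers as root.
    if active_lines "$celery" |
        grep -Eq '^[[:space:]]*CELERYD_USER="?root"?[[:space:]]*$'; then
        warn "celery workers run as root (CELERYD_USER)"
    fi

    # Test-only pieces of the sample virtual host.
    if active_lines "$vhost" | grep -q 'ScriptAlias[[:space:]]*/shibboleth/test'; then
        warn "Shibboleth debugging CGI /shibboleth/test is enabled"
    fi
    if active_lines "$vhost" | grep -Eiq 'ServerSignature[[:space:]]+On'; then
        warn "ServerSignature On adds the server version to error pages"
    fi
    if active_lines "$vhost" | grep -iq 'SSLCertificate.*snakeoil'; then
        warn "virtual host uses the snakeoil test certificate"
    fi

    [ "$findings" -eq 0 ]
}
```

Source the file and run ``audit_fod`` as root on the installed host; each ``WARN:`` line names the setting to revisit before the service is exposed.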

Testing the platform
====================
Log in to the admin interface via https://<your ip>/fod/admin. Go to Peer ranges and add a new range (part of a subnet or a complete subnet), e.g. 83.212.0.0/19.
Go to Peers and add a new peer, e.g. id: 1, name: Test, AS: 16503, tag: TEST, and move the network you have created from Available to Chosen. From the admin front, go to User, and edit your user. From the bottom of the page, select the TEST peer and save.
Last but not least, modify the existing (example.com) Site instance as required (admin home->Sites). You are done. As you are logged in via the admin, there is no need for Shibboleth. Go to https://<your ip>/fod/ and create a new rule. Your rule should be applied on the flowspec capable device after approx. 10 seconds.

Branding
========
Via the admin interface you can modify flatpages to suit your needs.

Logos
-----
Inside the static folder you will find two empty image files: fod_logo.xcf (Gimp file) and shib_login.dist.png. Edit those two with your favourite image processing software and save them as fod_logo.png (under static/img/) and shib_login.png (under static/). Image sizes are optimized to operate without any other code changes. In case you want to incorporate images of different sizes you have to fine-tune the css and/or html as well.

Footer
------
Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.

Welcome Page
------------
Under the templates folder (templates), you can alter the welcome page - welcome.html with your own images, carousel, videos, etc.