************
Installation
************

.. toctree::
    :maxdepth: 2

Debian Wheezy (x64) - Django 1.4.x
==================================
This guide assumes that installation is carried out in the /srv/flowspy directory. If another directory is to be used, please change the corresponding configuration files. It is also assumed that the root user will perform every action.


Upgrading from v<1.1.x
----------------------

.. note::
    If PEER\_\*\_TABLE tables are set to FALSE in settings.py, you need to perform the South migrations per application::

        ./manage.py migrate longerusername
        ./manage.py migrate flowspec
        ./manage.py migrate accounts

If upgrading from flowspy version <1.1.x, pay attention to settings.py changes. Also, if the PEER\_\*\_TABLE tables are set to TRUE in settings.py, do not forget to run::

    ./manage.py migrate

to catch up with the latest database changes.

Upgrading from v<1.0.x
----------------------
If upgrading from flowspy version <1.0.x, pay attention to settings.py changes. Also, do not forget to run::

    ./manage.py migrate

to catch up with the latest database changes.

Required system packages
------------------------
Update and install the required packages::

    apt-get update
    apt-get upgrade
    apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim

.. note::
    Set username and password for mysql if used

.. note::
    If you wish to deploy an outgoing mail server, now is the time to do it. Otherwise you could set FoD to send out mails via a third party account.

Create a database
-----------------
If you are using mysql, you should create a database::

    mysql -u root -p -e 'create database fod'

Required application packages
-----------------------------
Get the required packages and their dependencies and install them::

    apt-get install libxml2-dev libxslt-dev gcc python-dev

- ncclient: NETCONF python client::

    cd ~
    git clone https://github.com/leopoul/ncclient.git
    cd ncclient
    python setup.py install

- nxpy: Python Objects from/to XML proxy::

    cd ~
    git clone https://code.grnet.gr/git/nxpy
    cd nxpy
    python setup.py install

- flowspy: core application. Installation is done at /srv/flowspy::

    cd /srv
    git clone https://code.grnet.gr/git/flowspy
    cd flowspy

Application configuration
=========================
Copy settings.py.dist to settings.py::

    cd flowspy
    cp settings.py.dist settings.py

Edit settings.py file and set the following according to your configuration::

    ADMINS: set your admin name and email (assuming that your server can send notifications)
    DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
    SECRET_KEY : Make this unique, and don't share it with anybody
    STATIC_ROOT: /srv/flowspy/static (or your installation directory)
    STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
    TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
    CACHE_BACKEND:  Enable Memcached for production or leave to DummyCache for development environments
    Alternatively you could go for redis with the corresponding Django client lib.
    NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
    NETCONF_USER (enable ssh and netconf on device)
    NETCONF_PASS
    If beanstalk is selected the following should be left intact.
    BROKER_HOST (beanstalk host)
    BROKER_PORT (beanstalk port)
    SERVER_EMAIL
    EMAIL_SUBJECT_PREFIX
    If beanstalk is selected the following should be left intact.
    BROKER_URL (beanstalk url)
    SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
    NOTIFY_ADMIN_MAILS (bcc mail addresses)
    PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
    The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
    PRIMARY_WHOIS
    ALTERNATE_WHOIS
    If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
    SHIB_AUTH_ENTITLEMENT = 'urn:mace'
    SHIB_ADMIN_DOMAIN = 'example.com'
    SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
    SHIB_USERNAME = ['HTTP_EPPN']
    SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
    SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
    SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
    SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']

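How a PROTECTED_SUBNETS guard of the kind described in the settings list can work, as an added example that is not FoD's own code: it classifies a rule's source and destination against the protected list and refuses the rule when either lies inside a protected subnet. It is written for Python 3's standard ``ipaddress`` module rather than the python-ipaddr package installed above; the sample subnets, the function names and the policy of only reporting (not blocking) a wider prefix that covers a protected subnet are assumptions of this example.

```python
import ipaddress

# Constructed sample value; a deployment sets PROTECTED_SUBNETS in settings.py.
PROTECTED_SUBNETS = ["192.0.2.0/24", "2001:db8:53::/48"]


def relation(prefix, protected):
    """Classify how a rule prefix relates to one protected subnet.

    "inside": every address of the prefix is protected.
    "covers": the prefix is wider and includes the whole protected subnet.
    None:     no overlap, or the two differ in IP version.
    """
    net = ipaddress.ip_network(prefix, strict=False)  # tolerate host bits
    guard = ipaddress.ip_network(protected, strict=False)
    if net.version != guard.version:
        return None
    if net.subnet_of(guard):
        return "inside"
    if net.supernet_of(guard):
        return "covers"
    return None


def check_rule(source, destination, protected_subnets=PROTECTED_SUBNETS):
    """Return (allowed, findings) for a proposed rule.

    Assumed policy of this example: an unparsable address, or one inside a
    protected subnet, blocks the rule. A covering prefix (for instance the
    "any" source 0.0.0.0/0) is only reported so that it can be reviewed.
    """
    findings = []
    for field, value in (("source", source), ("destination", destination)):
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((field, value, "invalid", None))
            continue
        for protected in protected_subnets:
            kind = relation(value, protected)
            if kind:
                findings.append((field, value, kind, protected))
    blocked = any(kind in ("invalid", "inside") for _, _, kind, _ in findings)
    return (not blocked), findings


def notification(findings, recipients):
    """Build the text an operator alert could carry (no mail is sent here)."""
    lines = ["To: " + ", ".join(recipients)]
    for field, value, kind, protected in findings:
        lines.append("%s=%s: %s (protected subnet: %s)"
                     % (field, value, kind, protected or "n/a"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed rule: any source, destination is a host in a protected subnet.
    allowed, findings = check_rule("0.0.0.0/0", "192.0.2.10")
    print("allowed:", allowed)
    print(notification(findings, ["noc@example.com"]))
```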
If you have not installed an outgoing mail server you can always use your own account (either corporate or gmail, hotmail, etc.) by adding the following lines in settings.py::

    EMAIL_USE_TLS = True #(or False)
    EMAIL_HOST = 'smtp.example.com'
    EMAIL_HOST_USER = 'username'
    EMAIL_HOST_PASSWORD = 'yourpassword'
    EMAIL_PORT = 587 #(outgoing)

It is strongly advised that you do not change the following to False values unless you want to integrate FoD with your CRM or members database. This implies that you are able/have the rights to create database views between the two databases::

    PEER_MANAGED_TABLE = True
    PEER_RANGE_MANAGED_TABLE = True
    PEER_TECHC_MANAGED_TABLE = True

By doing that the corresponding tables as defined in peers/models will not be created. As noted above, you have to create the views that the tables will rely on.

.. note::
    Soon we will release a version with django-registration as a means to add users and Shibboleth will become an alternative

Let's move on with some copies and dir creations::

    mkdir /var/log/fod
    chown www-data:www-data /var/log/fod
    cp urls.py.dist urls.py
    cd ..

.. note::
    LOG_FILE_LOCATION in settings.py is set to **/var/log/fod**. Adjust the chown command above to your selected dir.

System configuration
====================
Apache operates as a gunicorn proxy with WSGI and Shibboleth modules enabled.
Depending on the setup the Apache configuration may vary::

    a2enmod rewrite
    a2enmod proxy
    a2enmod ssl
    a2enmod proxy_http

If Shibboleth is to be used::

    apt-get install libapache2-mod-shib2
    a2enmod shib2

Now it is time to configure beanstalk, gunicorn, celery and apache.

beanstalkd
----------
Enable beanstalk by editing /etc/default/beanstalkd::

    vim /etc/default/beanstalkd

Uncomment the line **START=yes** to enable beanstalk.

Start beanstalkd::

    service beanstalkd start

gunicorn.d
----------
Create and edit /etc/gunicorn.d/fod::

    vim /etc/gunicorn.d/fod

FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be::

    CONFIG = {
        'mode': 'django',
        'working_dir': '/srv/flowspy',
        'args': (
            '--bind=127.0.0.1:8081',
            '--workers=1',
            '--worker-class=egg:gunicorn#gevent',
            '--timeout=30',
            '--debug',
            '--log-level=debug',
            '--log-file=/var/log/gunicorn/fod.log',
        ),
    }


celeryd
-------
Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.

Create the celeryd daemon at /etc/init.d/celeryd **if it does not already exist**::

    vim /etc/init.d/celeryd

The configuration should be::

    #!/bin/sh -e
    # ============================================
    #  celeryd - Starts the Celery worker daemon.
    # ============================================
    #
    # :Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status}
    # :Configuration file: /etc/default/celeryd
    #
    # See http://docs.celeryq.org/en/latest/cookbook/daemonizing.html#init-script-celeryd


    ### BEGIN INIT INFO
    # Provides:          celeryd
    # Required-Start:    $network $local_fs $remote_fs
    # Required-Stop:     $network $local_fs $remote_fs
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: celery task worker daemon
    # Description:       Starts the Celery worker daemon for a single project.
    ### END INIT INFO

    #set -e

    DEFAULT_PID_FILE="/var/run/celery/%n.pid"
    DEFAULT_LOG_FILE="/var/log/celery/%n.log"
    DEFAULT_LOG_LEVEL="INFO"
    DEFAULT_NODES="celery"
    DEFAULT_CELERYD="-m celery.bin.celeryd_detach"
    ENABLED="false"

    [ -r "$CELERY_DEFAULTS" ] && . "$CELERY_DEFAULTS"

    [ -r /etc/default/celeryd ] && . /etc/default/celeryd

    if [ "$ENABLED" != "true" ]; then
        echo "celery daemon disabled - see /etc/default/celeryd."
        exit 0
    fi


    CELERYD_PID_FILE=${CELERYD_PID_FILE:-${CELERYD_PIDFILE:-$DEFAULT_PID_FILE}}
    CELERYD_LOG_FILE=${CELERYD_LOG_FILE:-${CELERYD_LOGFILE:-$DEFAULT_LOG_FILE}}
    CELERYD_LOG_LEVEL=${CELERYD_LOG_LEVEL:-${CELERYD_LOGLEVEL:-$DEFAULT_LOG_LEVEL}}
    CELERYD_MULTI=${CELERYD_MULTI:-"celeryd-multi"}
    CELERYD=${CELERYD:-$DEFAULT_CELERYD}
    CELERYCTL=${CELERYCTL:="celeryctl"}
    CELERYD_NODES=${CELERYD_NODES:-$DEFAULT_NODES}

    export CELERY_LOADER

    if [ -n "$2" ]; then
        CELERYD_OPTS="$CELERYD_OPTS $2"
    fi

    CELERYD_LOG_DIR=`dirname $CELERYD_LOG_FILE`
    CELERYD_PID_DIR=`dirname $CELERYD_PID_FILE`
    if [ ! -d "$CELERYD_LOG_DIR" ]; then
        mkdir -p $CELERYD_LOG_DIR
    fi
    if [ ! -d "$CELERYD_PID_DIR" ]; then
        mkdir -p $CELERYD_PID_DIR
    fi

    # Extra start-stop-daemon options, like user/group.
    if [ -n "$CELERYD_USER" ]; then
        DAEMON_OPTS="$DAEMON_OPTS --uid=$CELERYD_USER"
        chown "$CELERYD_USER" $CELERYD_LOG_DIR $CELERYD_PID_DIR
    fi
    if [ -n "$CELERYD_GROUP" ]; then
        DAEMON_OPTS="$DAEMON_OPTS --gid=$CELERYD_GROUP"
        chgrp "$CELERYD_GROUP" $CELERYD_LOG_DIR $CELERYD_PID_DIR
    fi

    if [ -n "$CELERYD_CHDIR" ]; then
        DAEMON_OPTS="$DAEMON_OPTS --workdir=\"$CELERYD_CHDIR\""
    fi


    check_dev_null() {
        if [ ! -c /dev/null ]; then
            echo "/dev/null is not a character device!"
            exit 1
        fi
    }


    export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"


    stop_workers () {
        $CELERYD_MULTI stop $CELERYD_NODES --pidfile="$CELERYD_PID_FILE"
    }


    start_workers () {
        $CELERYD_MULTI start $CELERYD_NODES $DAEMON_OPTS \
                             --pidfile="$CELERYD_PID_FILE" \
                             --logfile="$CELERYD_LOG_FILE" \
                             --loglevel="$CELERYD_LOG_LEVEL" \
                             --cmd="$CELERYD" \
                             $CELERYD_OPTS
    }


    restart_workers () {
        $CELERYD_MULTI restart $CELERYD_NODES $DAEMON_OPTS \
                               --pidfile="$CELERYD_PID_FILE" \
                               --logfile="$CELERYD_LOG_FILE" \
                               --loglevel="$CELERYD_LOG_LEVEL" \
                               --cmd="$CELERYD" \
                               $CELERYD_OPTS
    }



    case "$1" in
        start)
            check_dev_null
            start_workers
        ;;

        stop)
            check_dev_null
            stop_workers
        ;;

        reload|force-reload)
            echo "Use restart"
        ;;

        status)
            $CELERYCTL status $CELERYCTL_OPTS
        ;;

        restart)
            check_dev_null
            restart_workers
        ;;

        try-restart)
            check_dev_null
            restart_workers
        ;;

        *)
            echo "Usage: /etc/init.d/celeryd {start|stop|restart|try-restart|kill}"
            exit 1
        ;;
    esac

    exit 0

celeryd configuration
---------------------
celeryd requires a /etc/default/celeryd file to be in place.
Thus we are going to create this file (/etc/default/celeryd)::

    vim /etc/default/celeryd

Again, if the directory conventions have been followed, the file is as follows (pay attention to CELERYD_USER and CELERYD_GROUP and change them accordingly)::

    # Default: false
    ENABLED="true"

    # Name of nodes to start, here we have a single node
    CELERYD_NODES="w1"
    # or we could have three nodes:
    #CELERYD_NODES="w1 w2 w3"

    # Where to chdir at start.
    CELERYD_CHDIR="/srv/flowspy"
    # How to call "manage.py celeryd_multi"
    CELERYD_MULTI="python $CELERYD_CHDIR/manage.py celeryd_multi"

    # How to call "manage.py celeryctl"
    CELERYCTL="python $CELERYD_CHDIR/manage.py celeryctl"

    # Extra arguments to celeryd
    #CELERYD_OPTS="--time-limit=300 --concurrency=8"
    CELERYD_OPTS="-E -B --schedule=/var/run/celery/celerybeat-schedule --concurrency=1 --soft-time-limit=180 --time-limit=1800"
    # Name of the celery config module.
    CELERY_CONFIG_MODULE="celeryconfig"

    # %n will be replaced with the nodename.
    CELERYD_LOG_FILE="/var/log/celery/fod_%n.log"
    CELERYD_PID_FILE="/var/run/celery/%n.pid"

    CELERYD_USER="root"
    CELERYD_GROUP="root"

    # Name of the projects settings module.
    export DJANGO_SETTINGS_MODULE="flowspy.settings"

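A pre-flight check for the /etc/gunicorn.d/fod and /etc/default/celeryd files shown above, as an added example that is not part of FoD: it reads both files without executing them and reports the settings worth reviewing before production use. Which settings count as findings, the helper names and the www-data account in the reviewed variant are assumptions of this example; it targets Python 3.

```python
import ast
import ipaddress
import shlex

# Constructed copies of the two files above, trimmed to the keys that are checked.
GUNICORN_AS_SHOWN = """
CONFIG = {
    'mode': 'django',
    'working_dir': '/srv/flowspy',
    'args': ('--bind=127.0.0.1:8081', '--workers=1', '--debug', '--log-level=debug'),
}
"""
CELERYD_AS_SHOWN = '''
ENABLED="true"
# Name of nodes to start, here we have a single node
CELERYD_NODES="w1"
CELERYD_USER="root"
CELERYD_GROUP="root"
export DJANGO_SETTINGS_MODULE="flowspy.settings"
'''
# Assumed production variant: no debug switches, worker under www-data.
GUNICORN_REVIEWED = GUNICORN_AS_SHOWN.replace("'--debug', ", "").replace("=debug", "=info")
CELERYD_REVIEWED = CELERYD_AS_SHOWN.replace('"root"', '"www-data"')


def gunicorn_args(text):
    """Return CONFIG['args'] from a gunicorn.d file, parsed but never executed."""
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "CONFIG" for t in node.targets):
            return list(ast.literal_eval(node.value).get("args", ()))
    raise ValueError("no CONFIG assignment found")


def is_local_bind(value):
    """True when a --bind value is a unix socket or a loopback address."""
    if value.startswith("unix:"):
        return True
    host = value.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other host names are treated as exposed


def audit_gunicorn(text):
    findings = []
    for arg in gunicorn_args(text):
        name, _, value = arg.partition("=")
        if name == "--debug":
            findings.append("gunicorn: --debug is a development switch")
        elif name == "--log-level" and value.lower() == "debug":
            findings.append("gunicorn: debug log level writes verbose logs")
        elif name in ("--bind", "-b") and not is_local_bind(value):
            # Apache authenticates users and proxies to gunicorn, so the
            # backend should only be reachable through Apache.
            findings.append("gunicorn: bind %s bypasses the Apache proxy" % value)
    return findings


def shell_defaults(text):
    """Parse KEY="value" lines of an /etc/default file; nothing is expanded."""
    values = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and tokens[0] == "export":
            tokens = tokens[1:]
        if len(tokens) == 1 and "=" in tokens[0]:
            key, _, value = tokens[0].partition("=")
            values[key] = value
    return values


def audit_celeryd(text):
    # The init script above passes --uid/--gid only when these are set, so an
    # empty value leaves the worker running as the user that started it (root).
    values = shell_defaults(text)
    findings = []
    for key in ("CELERYD_USER", "CELERYD_GROUP"):
        value = values.get(key, "")
        if value in ("", "root", "0"):
            findings.append("celeryd: %s=%r runs the worker with root privileges"
                            % (key, value))
    return findings


def audit(gunicorn_text, celeryd_text):
    return audit_gunicorn(gunicorn_text) + audit_celeryd(celeryd_text)


if __name__ == "__main__":
    for finding in audit(GUNICORN_AS_SHOWN, CELERYD_AS_SHOWN):
        print(finding)
```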
412 51ce199a Leonidas Poulopoulos
Apache
413 51ce199a Leonidas Poulopoulos
------
414 51ce199a Leonidas Poulopoulos
Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set <server_name> and <admin_mail> along with your certificates. If under testing environment, you can use the provided snakeoil certs. If you do not intent to use Shibboleth delete or comment the corresponding configuration parts inside **Shibboleth configuration** ::
415 51ce199a Leonidas Poulopoulos
416 f8938aca Leonidas Poulopoulos
    vim /etc/apache2/sites-available/fod
417 51ce199a Leonidas Poulopoulos
418 51ce199a Leonidas Poulopoulos
Again if the directory conventions have been followed the file should be::
419 51ce199a Leonidas Poulopoulos
420 f8938aca Leonidas Poulopoulos
    <VirtualHost *:80>
421 f8938aca Leonidas Poulopoulos
        ServerAdmin webmaster@localhost
422 f8938aca Leonidas Poulopoulos
        ServerName  fod.example.com
423 f8938aca Leonidas Poulopoulos
        DocumentRoot /var/www
424 f8938aca Leonidas Poulopoulos
    
425 f8938aca Leonidas Poulopoulos
        ErrorLog ${APACHE_LOG_DIR}/fod_error.log
426 f8938aca Leonidas Poulopoulos
    
427 f8938aca Leonidas Poulopoulos
        # Possible values include: debug, info, notice, warn, error, crit,
428 f8938aca Leonidas Poulopoulos
        # alert, emerg.
429 f8938aca Leonidas Poulopoulos
        LogLevel debug
430 f8938aca Leonidas Poulopoulos
        
431 f8938aca Leonidas Poulopoulos
        CustomLog ${APACHE_LOG_DIR}/fod_access.log combined
432 f8938aca Leonidas Poulopoulos
    
433 f8938aca Leonidas Poulopoulos
        Alias /static       /srv/flowspy/static
434 f8938aca Leonidas Poulopoulos
          RewriteEngine On
435 f8938aca Leonidas Poulopoulos
          RewriteCond %{HTTPS} off
436 f8938aca Leonidas Poulopoulos
          RewriteRule ^/(.*) https://fod.example.com/$1 [L,R]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName      fod.example.com
        ServerAdmin     webmaster@localhost
        ServerSignature On

        SSLEngine on
        SSLCertificateFile      /etc/ssl/certs/fod.example.com.crt
        SSLCertificateChainFile /etc/ssl/certs/example-chain.pem
        SSLCertificateKeyFile   /etc/ssl/private/fod.example.com.key

        AddDefaultCharset UTF-8
        IndexOptions      +Charset=UTF-8

        ShibConfig /etc/shibboleth/shibboleth2.xml
        Alias      /shibboleth-sp /usr/share/shibboleth

        <Location /login>
            AuthType shibboleth
            ShibRequireSession On
            ShibUseHeaders On
            ShibRequestSetting entityID https://idp.example.com/idp/shibboleth
            require valid-user
        </Location>

        # Shibboleth debugging CGI script
        ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
        <Location /shibboleth/test>
            AuthType shibboleth
            ShibRequireSession On
            ShibUseHeaders On
            require valid-user
        </Location>

        <Location /Shibboleth.sso>
            SetHandler shib
        </Location>

        # Shibboleth SP configuration

        #SetEnv proxy-sendchunked

        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>

        SSLProxyEngine     off
        ProxyErrorOverride off
        ProxyTimeout       28800
        ProxyPass          /static !
        ProxyPass          /shibboleth !
        ProxyPass          /Shibboleth.sso !

        ProxyPass          / http://localhost:8081/ retry=0
        ProxyPassReverse   / http://localhost:8081/

        Alias /static /srv/flowspy/static

        LogLevel warn

        ErrorLog  ${APACHE_LOG_DIR}/fod_error.log
        CustomLog ${APACHE_LOG_DIR}/fod_access.log combined

    </VirtualHost>

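The vhost above relies on three properties: the ``ProxyPass`` exclusions come before the catch-all rule (mod_proxy applies the first matching rule), the backend that receives the Shibboleth attributes as request headers listens on loopback only, and every Shibboleth-protected ``Location`` requires a session and a valid user. The check below is an added example, not part of the FoD documentation or code base; the function name ``audit_vhost`` and the finding strings are assumptions made for it.

```python
import re

# Directives copied from the <VirtualHost *:443> block on this page.
PAGE_VHOST = """
<Location /login>
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
    require valid-user
</Location>
ProxyPass /static !
ProxyPass /shibboleth !
ProxyPass /Shibboleth.sso !
ProxyPass / http://localhost:8081/ retry=0
"""
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def audit_vhost(conf):
    """Return findings (strings) for a vhost laid out like the one above."""
    findings, backends = [], []
    uses_headers = re.search(r"^\s*ShibUseHeaders\s+On\s*$", conf, re.I | re.M)
    for path, target in re.findall(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", conf, re.I | re.M):
        if target == "!":
            # mod_proxy applies the first matching rule, so an exclusion listed
            # after a rule that already covers its path never takes effect.
            if any(path.startswith(b) for b in backends):
                findings.append("exclusion %s is shadowed by an earlier ProxyPass" % path)
            continue
        backends.append(path)
        # With ShibUseHeaders On the identity reaches the backend as plain
        # request headers, so the backend must only be reachable via Apache.
        host = re.match(r"https?://(\[[^\]]+\]|[^:/]+)", target)
        if uses_headers and (not host or host.group(1) not in LOOPBACK):
            findings.append("backend %s is not on loopback" % target)
    blocks = re.findall(r"<Location\s+(\S+?)>(.*?)</Location>", conf, re.S | re.I)
    for path, body in blocks:
        if not re.search(r"AuthType\s+shibboleth", body, re.I):
            continue
        for need in ("ShibRequireSession On", "require valid-user"):
            if not re.search(need.replace(" ", r"\s+"), body, re.I):
                findings.append("%s lacks '%s'" % (path, need))
    return findings

if __name__ == "__main__":
    print(audit_vhost(PAGE_VHOST) or "no findings")
    # Constructed variant: the catch-all rule moved above the exclusions.
    swapped = "ProxyPass / http://localhost:8081/\nProxyPass /static !\n"
    print(audit_vhost(swapped))
```
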
Now, enable your site. You might want to disable the default site if FoD is the only site you host on your server::

    a2dissite default
    a2ensite fod

You are not far away from deploying FoD. When asked for a superuser, create one::

    cd /srv/flowspy
    python manage.py syncdb
    python manage.py migrate longerusername
    python manage.py migrate flowspec
    python manage.py migrate djcelery
    python manage.py migrate accounts

If you have not changed the values of the PEER\_\*\_TABLE variables to False, and are thus going for a default installation (that is, the PEER\_\*\_TABLE variables are set to True), then run::

    python manage.py migrate peers

If, however, you have set the PEER\_\*\_TABLE variables to False and have run the command above by accident, then you have to clean up your database manually by dropping the peer\* tables plus the techc_email table. For MySQL the command is::

    DROP TABLE `peer`, `peer_networks`, `peer_range`, `peer_techc_emails`, techc_email;

Restart gunicorn and apache::

    service gunicorn restart && service apache2 restart


Propagate the flatpages
=======================
Inside the initial_data/fixtures_manual.xml file we have placed 4 flatpages (2 for Greek, 2 for English) with Information and Terms of Service about the service.
To import the flatpages, run from the root folder::

    python manage.py loaddata initial_data/fixtures_manual.xml


Testing the platform
====================
Log in to the admin interface via https:\/\/<hostname>\/admin. Go to Peer ranges and add a new range (part of, or a complete, subnet), e.g. 10.20.0.0/19.
Go to Peers and add a new peer, e.g. id: 1, name: Test, AS: 16503, tag: TEST, and move the network you have created from Available to Chosen. From the admin front, go to User, and edit your user. From the bottom of the page, select the TEST peer and save.
Last but not least, modify as required the existing (example.com) Site instance (admin home->Sites). You are done. As you are logged in via the admin, there is no need to go through Shibboleth at this time. Go to https:\/\/<hostname>\/ and create a new rule. Your rule should be applied on the flowspec capable device after approx. 10 seconds. If no Shibboleth authentication is available, https:\/\/<hostname>\/altlogin is provided as an alternative.

Branding
========
Via the admin interface you can modify the flatpages to suit your needs.

Footer
------
Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.

Welcome Page
------------
Under the templates folder (templates), you can alter the welcome page (welcome.html) to include your own images, carousel, videos, etc.