************
Installation
************

.. toctree::
    :maxdepth: 2

Debian Wheezy (x64) - Django 1.4.x
==================================
This guide assumes that the installation is carried out in the /srv/flowspy directory. If another directory is used, change the corresponding configuration files accordingly. It is also assumed that the root user performs every action.

Upgrading from v<1.1.x
----------------------
If upgrading from a flowspy version <1.1.x, pay attention to the settings.py changes. Also, do not forget to run::

    ./manage.py migrate

to catch up with the latest database changes.

Upgrading from v<1.0.x
----------------------
If upgrading from a flowspy version <1.0.x, pay attention to the settings.py changes. Also, do not forget to run::

    ./manage.py migrate

to catch up with the latest database changes.

Required system packages
------------------------
Update and install the required packages::

    apt-get update
    apt-get upgrade
    apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim

.. note::
    Set a username and password for MySQL if it is used.

.. note::
    If you wish to deploy an outgoing mail server, now is the time to do it. Otherwise, you can set FoD to send out mail via a third-party account.

Create a database
-----------------
If you are using mysql, you should create a database::

    mysql -u root -p -e 'create database fod'

Required application packages
-----------------------------
Get the required packages and their dependencies and install them::

    apt-get install libxml2-dev libxslt-dev gcc python-dev

- ncclient: NETCONF python client::

    cd ~
    git clone https://github.com/leopoul/ncclient.git
    cd ncclient
    python setup.py install

- nxpy: Python Objects from/to XML proxy::

    cd ~
    git clone https://code.grnet.gr/git/nxpy
    cd nxpy
    python setup.py install

- flowspy: core application. Installation is done at /srv/flowspy::

    cd /srv
    git clone https://code.grnet.gr/git/flowspy
    cd flowspy

Application configuration
=========================
Copy settings.py.dist to settings.py::

    cd flowspy
    cp settings.py.dist settings.py

Edit settings.py file and set the following according to your configuration::

    ADMINS: set your admin name and email (assuming that your server can send notifications)
    DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine
    SECRET_KEY : Make this unique, and don't share it with anybody
    STATIC_ROOT: /srv/flowspy/static (or your installation directory)
    STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static
    TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates
    CACHE_BACKEND:  Enable Memcached for production or leave to DummyCache for development environments
    Alternatively you could go for redis with the corresponding Django client lib.
    NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device
    NETCONF_USER (enable ssh and netconf on device)
    NETCONF_PASS
    If beanstalk is selected the following should be left intact.
    BROKER_HOST (beanstalk host)
    BROKER_PORT (beanstalk port)
    SERVER_EMAIL
    EMAIL_SUBJECT_PREFIX
    If beanstalk is selected the following should be left intact.
    BROKER_URL (beanstalk url)
    SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
    NOTIFY_ADMIN_MAILS (bcc mail addresses)
    PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS)
    The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner.
    PRIMARY_WHOIS
    ALTERNATE_WHOIS
    If you wish to deploy FoD with Shibboleth change the following attributes according to your setup:
    SHIB_AUTH_ENTITLEMENT = 'urn:mace'
    SHIB_ADMIN_DOMAIN = 'example.com'
    SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout'
    SHIB_USERNAME = ['HTTP_EPPN']
    SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL']
    SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME']
    SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME']
    SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT']
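
How a PROTECTED_SUBNETS-style guard can decide whether a proposed rule touches a protected range, as an added example that is not FoD's own code. It uses the Python 3 standard library ``ipaddress`` module rather than python-ipaddr; the function names and the sample subnets (documentation ranges) are assumptions.

```python
import ipaddress

# Constructed sample value for the PROTECTED_SUBNETS setting (documentation ranges).
PROTECTED_SUBNETS = ["192.0.2.0/25", "2001:db8:ffff::/48"]


def overlapping_protected(prefix, protected=PROTECTED_SUBNETS):
    """Return the protected subnets that a rule prefix overlaps.

    Overlap, not equality, is what matters: a rule for a covering
    supernet and a rule for a single host inside a protected subnet
    both affect protected addresses.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    hits = []
    for entry in protected:
        guard = ipaddress.ip_network(entry, strict=False)
        # Only compare prefixes of the same address family.
        if guard.version == net.version and guard.overlaps(net):
            hits.append(str(guard))
    return hits


def check_rule(source, destination, protected=PROTECTED_SUBNETS):
    """Hypothetical pre-save check: returns (allowed, reasons) for one rule."""
    reasons = []
    for role, prefix in (("source", source), ("destination", destination)):
        try:
            hits = overlapping_protected(prefix, protected)
        except ValueError as exc:
            # An unparsable prefix is rejected rather than silently allowed.
            reasons.append("%s %r is not a valid prefix: %s" % (role, prefix, exc))
            continue
        for hit in hits:
            reasons.append("%s %s overlaps protected subnet %s" % (role, prefix, hit))
    return (not reasons, reasons)


if __name__ == "__main__":
    print(check_rule("198.51.100.7/32", "203.0.113.0/24"))
    print(check_rule("0.0.0.0/0", "192.0.2.1/32"))
```

The reasons list is what a notification to NOTIFY_ADMIN_MAILS would carry in such a design.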

If you have not installed an outgoing mail server, you can always use your own account (either corporate or Gmail, Hotmail, etc.) by adding the following lines to settings.py::

    EMAIL_USE_TLS = True #(or False)
    EMAIL_HOST = 'smtp.example.com'
    EMAIL_HOST_USER = 'username'
    EMAIL_HOST_PASSWORD = 'yourpassword'
    EMAIL_PORT = 587 #(outgoing)

It is strongly advised that you do not change the following to False unless you want to integrate FoD with your CRM or members database. This implies that you are able to, and have the rights to, create database views between the two databases::

    PEER_MANAGED_TABLE = True
    PEER_RANGE_MANAGED_TABLE = True
    PEER_TECHC_MANAGED_TABLE = True

By doing that, the corresponding tables as defined in peers/models will not be created. As noted above, you have to create the views that the tables will rely on.

.. note::
    Soon we will release a version with django-registration as a means to add users, and Shibboleth will become an alternative.

Let's move on with some copies and directory creation::

    mkdir /var/log/fod
    chown www-data:www-data /var/log/fod
    cp urls.py.dist urls.py
    cd ..

System configuration
====================
Apache operates as a gunicorn proxy with the WSGI and Shibboleth modules enabled.
Depending on the setup, the Apache configuration may vary::

    a2enmod rewrite
    a2enmod proxy
    a2enmod ssl
    a2enmod proxy_http

If Shibboleth is to be used::

    apt-get install libapache2-mod-shib2
    a2enmod shib2

Now it is time to configure beanstalk, gunicorn, celery and apache.

beanstalkd
----------
Enable beanstalk by editing /etc/default/beanstalkd::

    vim /etc/default/beanstalkd

Uncomment the line **START=yes** to enable beanstalk.

Start beanstalkd::

    service beanstalkd start

gunicorn.d
----------
Create and edit /etc/gunicorn.d/fod::

    vim /etc/gunicorn.d/fod

FoD is served via gunicorn and is then proxied by Apache. If the above directory conventions have been followed so far, then your configuration should be::

    CONFIG = {
        'mode': 'django',
        'working_dir': '/srv/flowspy',
        'args': (
            '--bind=127.0.0.1:8081',
            '--workers=1',
            '--worker-class=egg:gunicorn#gevent',
            '--timeout=30',
            '--debug',
            '--log-level=debug',
            '--log-file=/var/log/gunicorn/fod.log',
        ),
    }

celeryd
-------
Celery is used over beanstalkd to apply firewall rules in a serial manner so that locks are avoided on the flowspec capable device. In our setup celery runs via django. That is why the python-django-celery package was installed.

Create the celeryd daemon at /etc/init.d/celeryd **if it does not already exist**::

    vim /etc/init.d/celeryd

The configuration should be::

    #!/bin/sh -e
    # ============================================
    #  celeryd - Starts the Celery worker daemon.
    # ============================================
    #
    # :Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status}
    # :Configuration file: /etc/default/celeryd
    #
    # See http://docs.celeryq.org/en/latest/cookbook/daemonizing.html#init-script-celeryd


    ### BEGIN INIT INFO
    # Provides:          celeryd
    # Required-Start:    $network $local_fs $remote_fs
    # Required-Stop:     $network $local_fs $remote_fs
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: celery task worker daemon
    # Description:       Starts the Celery worker daemon for a single project.
    ### END INIT INFO

    #set -e

    DEFAULT_PID_FILE="/var/run/celery/%n.pid"
    DEFAULT_LOG_FILE="/var/log/celery/%n.log"
    DEFAULT_LOG_LEVEL="INFO"
    DEFAULT_NODES="celery"
    DEFAULT_CELERYD="-m celery.bin.celeryd_detach"
    ENABLED="false"

    [ -r "$CELERY_DEFAULTS" ] && . "$CELERY_DEFAULTS"

    [ -r /etc/default/celeryd ] && . /etc/default/celeryd

    if [ "$ENABLED" != "true" ]; then
        echo "celery daemon disabled - see /etc/default/celeryd."
        exit 0
    fi


    CELERYD_PID_FILE=${CELERYD_PID_FILE:-${CELERYD_PIDFILE:-$DEFAULT_PID_FILE}}
    CELERYD_LOG_FILE=${CELERYD_LOG_FILE:-${CELERYD_LOGFILE:-$DEFAULT_LOG_FILE}}
    CELERYD_LOG_LEVEL=${CELERYD_LOG_LEVEL:-${CELERYD_LOGLEVEL:-$DEFAULT_LOG_LEVEL}}
    CELERYD_MULTI=${CELERYD_MULTI:-"celeryd-multi"}
    CELERYD=${CELERYD:-$DEFAULT_CELERYD}
    CELERYCTL=${CELERYCTL:="celeryctl"}
    CELERYD_NODES=${CELERYD_NODES:-$DEFAULT_NODES}

    export CELERY_LOADER

    if [ -n "$2" ]; then
        CELERYD_OPTS="$CELERYD_OPTS $2"
    fi

    # Quote the paths so that a value containing spaces is not split.
    CELERYD_LOG_DIR=$(dirname "$CELERYD_LOG_FILE")
    CELERYD_PID_DIR=$(dirname "$CELERYD_PID_FILE")
    if [ ! -d "$CELERYD_LOG_DIR" ]; then
        mkdir -p "$CELERYD_LOG_DIR"
    fi
    if [ ! -d "$CELERYD_PID_DIR" ]; then
        mkdir -p "$CELERYD_PID_DIR"
    fi

    # Extra start-stop-daemon options, like user/group.
    if [ -n "$CELERYD_USER" ]; then
        DAEMON_OPTS="$DAEMON_OPTS --uid=$CELERYD_USER"
        chown "$CELERYD_USER" "$CELERYD_LOG_DIR" "$CELERYD_PID_DIR"
    fi
    if [ -n "$CELERYD_GROUP" ]; then
        DAEMON_OPTS="$DAEMON_OPTS --gid=$CELERYD_GROUP"
        chgrp "$CELERYD_GROUP" "$CELERYD_LOG_DIR" "$CELERYD_PID_DIR"
    fi

    if [ -n "$CELERYD_CHDIR" ]; then
        DAEMON_OPTS="$DAEMON_OPTS --workdir=\"$CELERYD_CHDIR\""
    fi


    check_dev_null() {
        if [ ! -c /dev/null ]; then
            echo "/dev/null is not a character device!"
            exit 1
        fi
    }


    export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"


    stop_workers () {
        $CELERYD_MULTI stop $CELERYD_NODES --pidfile="$CELERYD_PID_FILE"
    }


    start_workers () {
        $CELERYD_MULTI start $CELERYD_NODES $DAEMON_OPTS \
                             --pidfile="$CELERYD_PID_FILE" \
                             --logfile="$CELERYD_LOG_FILE" \
                             --loglevel="$CELERYD_LOG_LEVEL" \
                             --cmd="$CELERYD" \
                             $CELERYD_OPTS
    }


    restart_workers () {
        $CELERYD_MULTI restart $CELERYD_NODES $DAEMON_OPTS \
                               --pidfile="$CELERYD_PID_FILE" \
                               --logfile="$CELERYD_LOG_FILE" \
                               --loglevel="$CELERYD_LOG_LEVEL" \
                               --cmd="$CELERYD" \
                               $CELERYD_OPTS
    }



    case "$1" in
        start)
            check_dev_null
            start_workers
        ;;

        stop)
            check_dev_null
            stop_workers
        ;;

        reload|force-reload)
            echo "Use restart"
        ;;

        status)
            $CELERYCTL status $CELERYCTL_OPTS
        ;;

        restart)
            check_dev_null
            restart_workers
        ;;

        try-restart)
            check_dev_null
            restart_workers
        ;;

        *)
            # Lists only the actions this script implements.
            echo "Usage: /etc/init.d/celeryd {start|stop|restart|try-restart|status}"
            exit 1
        ;;
    esac

    exit 0

celeryd configuration
---------------------
celeryd requires a /etc/default/celeryd file to be in place.
Thus we are going to create this file (/etc/default/celeryd)::

    vim /etc/default/celeryd

Again, if the directory conventions have been followed, the file is as follows (pay attention to CELERYD_USER and CELERYD_GROUP and change them accordingly)::

    # Default: false
    ENABLED="true"

    # Name of nodes to start, here we have a single node
    CELERYD_NODES="w1"
    # or we could have three nodes:
    #CELERYD_NODES="w1 w2 w3"

    # Where to chdir at start.
    CELERYD_CHDIR="/srv/flowspy"
    # How to call "manage.py celeryd_multi"
    CELERYD_MULTI="python $CELERYD_CHDIR/manage.py celeryd_multi"

    # How to call "manage.py celeryctl"
    CELERYCTL="python $CELERYD_CHDIR/manage.py celeryctl"

    # Extra arguments to celeryd
    #CELERYD_OPTS="--time-limit=300 --concurrency=8"
    CELERYD_OPTS="-E -B --schedule=/var/run/celery/celerybeat-schedule --concurrency=1 --soft-time-limit=180 --time-limit=1800"
    # Name of the celery config module.
    CELERY_CONFIG_MODULE="celeryconfig"

    # %n will be replaced with the nodename.
    CELERYD_LOG_FILE="/var/log/celery/fod_%n.log"
    CELERYD_PID_FILE="/var/run/celery/%n.pid"

    # Workers should run as an unprivileged user.
    CELERYD_USER="celery"
    CELERYD_GROUP="celery"

    # Name of the project's settings module.
    export DJANGO_SETTINGS_MODULE="flowspy.settings"

Apache
------
402 51ce199a Leonidas Poulopoulos
Apache proxies gunicorn. Things are more flexible here as you may follow your own configuration and conventions. Create and edit /etc/apache2/sites-available/fod. You should set <server_name> and <admin_mail> along with your certificates. If under testing environment, you can use the provided snakeoil certs. If you do not intent to use Shibboleth delete or comment the corresponding configuration parts inside **Shibboleth configuration** ::
403 51ce199a Leonidas Poulopoulos
404 f8938aca Leonidas Poulopoulos
    vim /etc/apache2/sites-available/fod
405 51ce199a Leonidas Poulopoulos
406 51ce199a Leonidas Poulopoulos
Again if the directory conventions have been followed the file should be::
407 51ce199a Leonidas Poulopoulos
408 f8938aca Leonidas Poulopoulos
    <VirtualHost *:80>
409 f8938aca Leonidas Poulopoulos
        ServerAdmin webmaster@localhost
410 f8938aca Leonidas Poulopoulos
        ServerName  fod.example.com
411 f8938aca Leonidas Poulopoulos
        DocumentRoot /var/www
412 f8938aca Leonidas Poulopoulos
    
413 f8938aca Leonidas Poulopoulos
        ErrorLog ${APACHE_LOG_DIR}/fod_error.log
414 f8938aca Leonidas Poulopoulos
    
415 f8938aca Leonidas Poulopoulos
        # Possible values include: debug, info, notice, warn, error, crit,
416 f8938aca Leonidas Poulopoulos
        # alert, emerg.
417 f8938aca Leonidas Poulopoulos
        LogLevel debug
418 f8938aca Leonidas Poulopoulos
        
419 f8938aca Leonidas Poulopoulos
        CustomLog ${APACHE_LOG_DIR}/fod_access.log combined
420 f8938aca Leonidas Poulopoulos
    
421 f8938aca Leonidas Poulopoulos
        Alias /static       /srv/flowspy/static
422 f8938aca Leonidas Poulopoulos
          RewriteEngine On
423 f8938aca Leonidas Poulopoulos
          RewriteCond %{HTTPS} off
424 f8938aca Leonidas Poulopoulos
          RewriteRule ^/(.*) https://fod.example.com/$1 [L,R]
425 f8938aca Leonidas Poulopoulos
    </VirtualHost>
426 f8938aca Leonidas Poulopoulos
    
427 f8938aca Leonidas Poulopoulos
    <VirtualHost *:443>
428 f8938aca Leonidas Poulopoulos
        ServerName    fod.example.com
429 f8938aca Leonidas Poulopoulos
        ServerAdmin     webmaster@localhost
430 f8938aca Leonidas Poulopoulos
        ServerSignature        On
431 f8938aca Leonidas Poulopoulos
        
432 f8938aca Leonidas Poulopoulos
        SSLEngine on
433 f8938aca Leonidas Poulopoulos
        SSLCertificateFile    /etc/ssl/certs/fod.example.com.crt
434 f8938aca Leonidas Poulopoulos
        SSLCertificateChainFile /etc/ssl/certs/example-chain.pem
435 f8938aca Leonidas Poulopoulos
        SSLCertificateKeyFile    /etc/ssl/private/fod.example.com.key

        AddDefaultCharset UTF-8
        IndexOptions +Charset=UTF-8

        ShibConfig /etc/shibboleth/shibboleth2.xml
        Alias /shibboleth-sp /usr/share/shibboleth


        <Location /login>
            AuthType shibboleth
            ShibRequireSession On
            ShibUseHeaders On
            ShibRequestSetting entityID https://idp.example.com/idp/shibboleth
            require valid-user
        </Location>

        # Shibboleth debugging CGI script
        ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi
        <Location /shibboleth/test>
            AuthType shibboleth
            ShibRequireSession On
            ShibUseHeaders On
            require valid-user
        </Location>

        <Location /Shibboleth.sso>
            SetHandler shib
        </Location>

        # Shibboleth SP configuration

        #SetEnv proxy-sendchunked

        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>

        SSLProxyEngine off
        ProxyErrorOverride off
        ProxyTimeout 28800
        ProxyPass /static !
        ProxyPass /shibboleth !
        ProxyPass /Shibboleth.sso !

        ProxyPass / http://localhost:8081/ retry=0
        ProxyPassReverse / http://localhost:8081/

        Alias /static /srv/flowspy/static

        LogLevel warn

        ErrorLog ${APACHE_LOG_DIR}/fod_error.log
        CustomLog ${APACHE_LOG_DIR}/fod_access.log combined

    </VirtualHost>
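
The virtual host above enables mod_shib only on /login and /shibboleth/test, while every path outside the three excluded prefixes is proxied to gunicorn on localhost:8081. Because mod_shib manages the attribute headers set by ShibUseHeaders only on locations where it is enabled, the application should read Shibboleth attributes only on /login. The following is an added example, not part of FoD: ``VHOST`` is a constructed excerpt of the routing directives and all function names are hypothetical.

```python
import re

# Constructed excerpt: only the routing directives of the virtual host above.
VHOST = """
<Location /login>
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
</Location>
<Location /shibboleth/test>
    AuthType shibboleth
    ShibRequireSession On
    ShibUseHeaders On
</Location>
ProxyPass /static !
ProxyPass /shibboleth !
ProxyPass /Shibboleth.sso !
ProxyPass / http://localhost:8081/ retry=0
"""

def parse(conf):
    """Return (shib_locations, proxy_rules); proxy_rules keep file order."""
    shib, rules, current = [], [], None
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r"<Location\s+(\S+)>$", line, re.I)
        if opened:
            current = opened.group(1)
        elif line.lower() == "</location>":
            current = None
        elif current and re.match(r"ShibRequireSession\s+On$", line, re.I):
            shib.append(current)
        elif re.match(r"ProxyPass\s", line, re.I):
            prefix, target = line.split()[1:3]
            rules.append((prefix, None if target == "!" else target))
    return shib, rules

def under(path, prefix):
    """Segment-aware prefix match, as <Location> and ProxyPass apply it."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def route(path, conf=VHOST):
    """Return (backend or None, session_required); first ProxyPass match wins."""
    shib, rules = parse(conf)
    backend = next((t for p, t in rules if under(path, p)), None)
    return backend, any(under(path, loc) for loc in shib)

def backend_without_shib(paths, conf=VHOST):
    """Paths that reach the backend with no mod_shib processing."""
    return [p for p in paths if route(p, conf)[0] and not route(p, conf)[1]]
```

For the paths this page mentions, ``backend_without_shib(["/", "/login", "/admin", "/altlogin"])`` returns ``["/", "/admin", "/altlogin"]``, which is the set of URLs where the backend must ignore Shibboleth attribute headers.
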

Now, enable your site. You might want to disable the default site if FoD is the only site you host on your server::

    a2dissite default
    a2ensite fod

You are not far from deploying FoD. When asked for a superuser, create one::

    cd /srv/flowspy
    python manage.py syncdb
    python manage.py migrate longerusername
    python manage.py migrate flowspec
    python manage.py migrate djcelery
    python manage.py migrate accounts

If you have not changed the values of the PEER\_\*\_TABLE variables to False and are thus going for a default installation (that is, the PEER\_\*\_TABLE variables are set to True), then run::

    python manage.py migrate peers

If, however, you have set the PEER\_\*\_TABLE variables to False and have run the command above by accident, then you have to clean up your database manually by dropping the peer\* tables plus the techc_email table. For MySQL the command is::

    DROP TABLE `peer`, `peer_networks`, `peer_range`, `peer_techc_emails`, techc_email;

Restart gunicorn and Apache::

    service gunicorn restart && service apache2 restart


Propagate the flatpages
=======================
Inside the initial_data/fixtures_manual.xml file we have placed 4 flatpages (2 for Greek, 2 for English) with Information and Terms of Service about the service.
To import the flatpages, run from the root folder::

    python manage.py loaddata initial_data/fixtures_manual.xml



Testing the platform
====================
Log in to the admin interface via https:\/\/<hostname>\/admin. Go to Peer ranges and add a new range (part of a subnet or a complete subnet), e.g. 10.20.0.0/19.
Go to Peers and add a new peer, e.g. id: 1, name: Test, AS: 16503, tag: TEST, and move the network you have created from Available to Chosen. From the admin front page, go to User and edit your user. At the bottom of the page, select the TEST peer and save.
Last but not least, modify the existing (example.com) Site instance as required (admin home->Sites). You are done. As you are logged in via the admin, there is no need to go through Shibboleth at this time. Go to https:\/\/<hostname>\/ and create a new rule. Your rule should be applied on the flowspec-capable device after approx. 10 seconds. If no Shibboleth authentication is available, an alternative login is provided at https:\/\/<hostname>\/altlogin.

Branding
========
Via the admin interface you can modify the flatpages to suit your needs.

Footer
------
Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.

Welcome Page
------------
Under the templates folder (templates), you can alter the welcome page (welcome.html) to include your own images, carousel, videos, etc.