root / README.txt @ c491c6f8
History | View | Annotate | Download (4.2 kB)
| 1 |
=========== |
|---|---|
| 2 |
1. Tool requirements |
| 3 |
|
| 4 |
* python-django |
| 5 |
* python-django-extensions |
| 6 |
* python-mysqldb |
| 7 |
* mysql-client-5.1 |
| 8 |
* python-gevent |
| 9 |
* python-django-south |
| 10 |
* python-django-celery |
| 11 |
* python-yaml |
| 12 |
* python-paramiko (>= 1.7.7.1) |
| 13 |
* python-memcache |
| 14 |
* python-django-registration |
| 15 |
* python-ncclient |
| 16 |
* python-nxpy |
| 17 |
* python-lxml |
| 18 |
* python-ipaddr |
| 19 |
* python-django-tinymce |
| 20 |
* apache2 |
| 21 |
* apache2-mod-proxy |
| 22 |
* apache2-mod-rewrite |
| 23 |
* apache2-shibboleth : The server should be setup as a Shibboleth SP |
| 24 |
* The tool requires an event supporting web server. It is suggested to deploy gunicorn |
| 25 |
* If you wish to link your own db tables (peers, networks, etc) with the tool, prefer MySQL MyISAM db engine and use views. |
| 26 |
|
| 27 |
=========== |
| 28 |
2. Tool architecture |
| 29 |
|
| 30 |
Firewall on Demand applies, via Netconf, flow rules to a network device. These rules are then propagated via e-bgp to peering routers. |
| 31 |
Each user is authenticated against shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network |
| 32 |
address range that the user originates from. |
| 33 |
Components roles: |
| 34 |
- web server (gunicorn): server the tool to localhost:port and allows for events |
| 35 |
- memcached: Caches devices information and aids in syncing |
| 36 |
- gunicorn/beanstalk: Job queue that applies firewall rules in a serial manner to avoid locks |
| 37 |
|
| 38 |
=========== |
| 39 |
3. Operational requirements |
| 40 |
|
| 41 |
* Shibboleth authentication |
| 42 |
- Required shibboleth attributes: |
| 43 |
- HTTP_EPPN |
| 44 |
- HTTP_SHIB_INETORGPERSON_MAIL |
| 45 |
- An appropriate HTTP_SHIB_EP_ENTITLEMENT |
| 46 |
- Optional Attributes: |
| 47 |
- HTTP_SHIB_INETORGPERSON_GIVENNAME |
| 48 |
- HTTP_SHIB_PERSON_SURNAME |
| 49 |
* A valid domain name in peer table (passed through HTTP_SHIB_HOMEORGANIZATION) |
| 50 |
|
| 51 |
=========== |
| 52 |
4. Installation Procedure |
| 53 |
|
| 54 |
4.1 Pre-installation |
| 55 |
Configure and setup celeryd, memcached, beanstalkd, web server (gunicorn mode: django), apache |
| 56 |
Copy settings.py.dist to settings.py and urls.py.dist to urls.py. |
| 57 |
In settings.py set the following according to your configuration: |
| 58 |
* DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine |
| 59 |
* STATIC_URL (static media directory) |
| 60 |
* TEMPLATE_DIRS |
| 61 |
* CACHE_BACKEND |
| 62 |
* NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work) |
| 63 |
* NETCONF_USER (enable ssh and netconf on device) |
| 64 |
* NETCONF_PASS |
| 65 |
* BROKER_HOST (beanstalk host) |
| 66 |
* BROKER_PORT (beanstalk port) |
| 67 |
* SERVER_EMAIL |
| 68 |
* EMAIL_SUBJECT_PREFIX |
| 69 |
* BROKER_URL (beanstalk url) |
| 70 |
* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication) |
| 71 |
* NOTIFY_ADMIN_MAILS (bcc mail addresses) |
| 72 |
* PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS) |
| 73 |
* PRIMARY_WHOIS |
| 74 |
* ALTERNATE_WHOIS |
| 75 |
|
| 76 |
4.2 Branding |
| 77 |
|
| 78 |
4.2.1 Logos |
| 79 |
|
| 80 |
Inside the static folder you will find two empty png files: logo.dist.png (172x80) and shib_login.dist.png (98x80). |
| 81 |
Edit those two with your favourite image processing software and save them as logo.png and shib_login.png under the same folder. Image sizes are optimized to operate without any |
| 82 |
other code changes. In case you want to incorporate images of different sizes you have to fine tune css and/or html as well. |
| 83 |
|
| 84 |
4.2.2 Footer |
| 85 |
|
| 86 |
Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc. |
| 87 |
|
| 88 |
4.3 Installation |
| 89 |
|
| 90 |
* Run: |
| 91 |
./manage.py syncdb |
| 92 |
to create all the necessary tables in the database. Enable the admin account to insert initial data for peers and their contact info. |
| 93 |
* Then to allow for south migrations: |
| 94 |
./manage.py migration |
| 95 |
* If you have properly set the primary and alternate whois servers you could go for: |
| 96 |
./manage.py fetch_networks |
| 97 |
to automatically fill network info. |
| 98 |
Alternatively you could fill those info manually via the admin interface. |
| 99 |
* Via the admin interface, modify as required the existing (example.com) Site instance |
| 100 |
* Modify flatpages to suit your needs |
| 101 |
* Once Apache proxying and shibboleth modules are properly setup, login to the tool. If shibboleth SP is properly setup you should see a user pending activation message and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts. |
| 102 |
|
| 103 |
5. UPDATING: |
| 104 |
* from 0.9.1 to 0.9.2: |
| 105 |
- Check diff between urls |
| 106 |
- run ./manage.py migrate accounts (data migration for perms) |