README.txt @ c491c6f8

===========
1. Tool requirements

* python-django
* python-django-extensions
* python-mysqldb
* mysql-client-5.1
* python-gevent
* python-django-south
* python-django-celery
* python-yaml
* python-paramiko (>= 1.7.7.1)
* python-memcache
* python-django-registration
* python-ncclient
* python-nxpy
* python-lxml
* python-ipaddr
* python-django-tinymce
* apache2
* apache2-mod-proxy
* apache2-mod-rewrite
* apache2-shibboleth : the server should be set up as a Shibboleth SP
* The tool requires an event-capable web server; gunicorn is the suggested deployment.
* If you wish to link your own db tables (peers, networks, etc.) with the tool, prefer the MySQL MyISAM db engine and use views.

===========
2. Tool architecture

Firewall on Demand applies flow rules to a network device via Netconf. These rules are then propagated via eBGP to the peering routers.
Each user is authenticated against Shibboleth. Authorization is performed via a combination of a Shibboleth attribute and the peer network
address range that the user originates from.
Component roles:
- web server (gunicorn): serves the tool on localhost:port and allows for events
- memcached: caches device information and aids in syncing
- gunicorn/beanstalk: job queue that applies firewall rules serially to avoid locks

===========
3. Operational requirements

* Shibboleth authentication
  - Required Shibboleth attributes:
    - HTTP_EPPN
    - HTTP_SHIB_INETORGPERSON_MAIL
    - An appropriate HTTP_SHIB_EP_ENTITLEMENT
  - Optional attributes:
    - HTTP_SHIB_INETORGPERSON_GIVENNAME
    - HTTP_SHIB_PERSON_SURNAME
* A valid domain name in the peer table (passed through HTTP_SHIB_HOMEORGANIZATION)

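The authorization rule described in sections 2 and 3 (a required entitlement attribute, plus the requesting address having to fall inside the networks of the peer named by HTTP_SHIB_HOMEORGANIZATION), written out as an added example. This is not code from the FoD project: the peer table, the entitlement value and the function name are constructed stand-ins, and `meta` mimics Django's request.META as populated behind a Shibboleth-protected Apache proxy.

```python
# Added example, not part of the FoD README or code base. It assumes the
# request has already passed through the Shibboleth SP, so every HTTP_*
# attribute below was set by the SP and not by the client.
import ipaddress

# Constructed sample peer table (hypothetical shape; FoD's peer and
# peernetworks models are not reproduced here).
PEERS = {
    "example.org": {
        "networks": ["192.0.2.0/24", "2001:db8:1::/48"],
    },
}

# Hypothetical value standing in for the SHIB_AUTH_ENTITLEMENT setting.
REQUIRED_ENTITLEMENT = "urn:mace:example.org:fod"

REQUIRED_ATTRS = (
    "HTTP_EPPN",
    "HTTP_SHIB_INETORGPERSON_MAIL",
    "HTTP_SHIB_EP_ENTITLEMENT",
    "HTTP_SHIB_HOMEORGANIZATION",
)


def authorize(meta, remote_addr, peers=PEERS, entitlement=REQUIRED_ENTITLEMENT):
    """Return (allowed, reason) for a request with Shibboleth attributes in `meta`.

    Every check fails closed: a missing attribute, an unknown home
    organization or an address outside the peer's networks all deny.
    """
    missing = [a for a in REQUIRED_ATTRS if not meta.get(a)]
    if missing:
        return False, "missing attributes: " + ", ".join(missing)

    # The Shibboleth SP joins multi-valued attributes with ';'.
    entitlements = meta["HTTP_SHIB_EP_ENTITLEMENT"].split(";")
    if entitlement not in entitlements:
        return False, "entitlement not present"

    org = meta["HTTP_SHIB_HOMEORGANIZATION"]
    peer = peers.get(org)
    if peer is None:
        return False, "home organization %s not in peer table" % org

    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable remote address"

    # Both address families are accepted; membership is checked per network.
    for net in peer["networks"]:
        if addr in ipaddress.ip_network(net):
            return True, "ok"
    return False, "source address outside peer networks"
```

The check only holds if the client cannot inject its own `Shib-*` headers, which is why the tool must be reached through the Apache/Shibboleth SP proxy rather than directly on the gunicorn port; `remote_addr` likewise has to be the address Apache saw, not a client-supplied forwarding header.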
===========
4. Installation Procedure

4.1 Pre-installation
Configure and set up celeryd, memcached, beanstalkd, the web server (gunicorn mode: django) and apache.
Copy settings.py.dist to settings.py and urls.py.dist to urls.py.
In settings.py set the following according to your configuration:
* DATABASES (to point to your local database). You could use views instead of tables for the models peer, peercontacts and peernetworks. For this to work we suggest MySQL with the MyISAM db engine.
* STATIC_URL (static media directory)
* TEMPLATE_DIRS
* CACHE_BACKEND
* NETCONF_DEVICE (tested with a Juniper EX4200, but any BGP-enabled Juniper should work)
* NETCONF_USER (enable ssh and netconf on the device)
* NETCONF_PASS
* BROKER_HOST (beanstalk host)
* BROKER_PORT (beanstalk port)
* SERVER_EMAIL
* EMAIL_SUBJECT_PREFIX
* BROKER_URL (beanstalk url)
* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
* NOTIFY_ADMIN_MAILS (bcc mail addresses)
* PROTECTED_SUBNETS (subnets for which a matching source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS addresses)
* PRIMARY_WHOIS
* ALTERNATE_WHOIS

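The PROTECTED_SUBNETS behaviour listed above (a rule whose source or destination touches a protected subnet is refused and the NOTIFY_ADMIN_MAILS addresses are told), as an added example that is not FoD's own code. The settings values are constructed for the example, and it goes one step beyond the one-line description by treating the rule's prefixes as networks and testing for overlap, so a rule written with a shorter prefix than the protected subnet is caught as well as a single host inside it. Sending the mail itself is left to Django's mail machinery and is not shown.

```python
# Added example, not part of the FoD code base. Settings values below are
# constructed stand-ins for the entries in settings.py.
import ipaddress

PROTECTED_SUBNETS = ["192.0.2.0/24", "2001:db8::/32"]   # constructed
NOTIFY_ADMIN_MAILS = ["noc@example.net"]               # constructed
EMAIL_SUBJECT_PREFIX = "[FoD] "                        # constructed


def protected_hits(source, destination, protected=PROTECTED_SUBNETS):
    """Return [(protected_subnet, rule_prefix), ...] for every overlap.

    overlaps() rather than containment, so 192.0.0.0/8 against a
    protected 192.0.2.0/24 is a hit, as is the single host 192.0.2.77.
    A bare address is treated as a /32 or /128.
    """
    hits = []
    nets = [ipaddress.ip_network(p, strict=False) for p in (source, destination)]
    for prot in protected:
        prot_net = ipaddress.ip_network(prot)
        for net in nets:
            # Skip mixed-family comparisons; v4 and v6 never overlap.
            if net.version == prot_net.version and net.overlaps(prot_net):
                hits.append((prot, str(net)))
    return hits


def validate_rule(source, destination):
    """Return (allowed, message).

    allowed is False when the rule touches a protected subnet; message is
    then the notification that would be bcc'd to NOTIFY_ADMIN_MAILS.
    """
    hits = protected_hits(source, destination)
    if not hits:
        return True, None
    body = "\n".join(
        "rule prefix %s overlaps protected subnet %s" % (net, prot)
        for prot, net in hits
    )
    message = {
        "subject": EMAIL_SUBJECT_PREFIX + "rule rejected: protected subnet",
        "bcc": list(NOTIFY_ADMIN_MAILS),
        "body": body,
    }
    return False, message
```

Because the rule is rejected before anything reaches the Netconf device, a mis-typed prefix from an authorized peer cannot black-hole infrastructure listed in PROTECTED_SUBNETS; the notification gives the operators the rejected prefixes so they can follow up with the peer.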
4.2 Branding

4.2.1 Logos

Inside the static folder you will find two empty png files: logo.dist.png (172x80) and shib_login.dist.png (98x80).
Edit those two with your favourite image processing software and save them as logo.png and shib_login.png in the same folder. The image sizes are chosen so that no
other code changes are needed. If you want to use images of different sizes you have to fine-tune the css and/or html as well.

4.2.2 Footer

Under the templates folder (templates), you can alter the footer.html file to include your own footer messages, badges, etc.

4.3 Installation

* Run:
    ./manage.py syncdb
  to create all the necessary tables in the database. Enable the admin account to insert the initial data for peers and their contact info.
* Then, to allow for South migrations:
    ./manage.py migrate
* If you have properly set the primary and alternate whois servers you can run:
    ./manage.py fetch_networks
  to fill in the network info automatically.
  Alternatively you can fill in that information manually via the admin interface.
* Via the admin interface, modify the existing (example.com) Site instance as required.
* Modify the flatpages to suit your needs.
* Once Apache proxying and the Shibboleth modules are properly set up, log in to the tool. If the Shibboleth SP is properly set up you should see a "user pending activation" message, and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts.

5. UPDATING:
* from 0.9.1 to 0.9.2:
  - Check the diff between your urls.py and the shipped urls.py.dist
  - run ./manage.py migrate accounts (data migration for perms)