README.txt @ d60db93b (all lines from commit 93fc8356 by Leonidas Poulopoulos)

===========
1. Tool requirements

* python-django
* python-django-extensions
* python-mysqldb
* mysql-client-5.1
* python-gevent
* python-django-south
* python-django-celery
* python-yaml
* python-paramiko (>= 1.7.7.1)
* python-memcache
* python-django-registration
* python-ncclient
* python-nxpy
* python-lxml
* python-ipaddr
* apache2
* apache2-mod-proxy
* apache2-mod-rewrite
* apache2-shibboleth: the server should be set up as a Shibboleth SP
* The tool requires a web server that can hold long-lived event connections (gevent-based). gunicorn is the suggested choice.
* If you wish to link your own db tables (peers, networks, etc.) with the tool, prefer the MySQL MyISAM engine and expose them as views.

===========
2. Tool architecture

Firewall on Demand applies flow rules to a network device via Netconf. These rules are then propagated via eBGP (as BGP flow specification routes) to the peering routers.
Each user is authenticated against Shibboleth. Authorization is performed via a combination of a Shibboleth attribute (the entitlement) and the peer network address range that the user originates from.
Component roles:
- web server (gunicorn): serves the tool on localhost:port (proxied by apache) and allows for events
- memcached: caches device information and aids in syncing
- celery/beanstalk: job queue that applies firewall rules serially, so that concurrent commits do not contend for the device configuration lock
36 | 93fc8356 | Leonidas Poulopoulos | |
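The Netconf step described above, as an added example (Python 3; this is not FoD's own code, which uses nxpy for the same job). It builds the Junos "routing-options flow route" configuration for one rule and shows how it would be pushed with ncclient, which is in the requirements list. The subset of match conditions and actions, the route-name character set and the assumption that ncclient's edit_config is used against the candidate datastore are this example's own choices; check the Junos flow-route grammar of your release before adding other conditions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed subset of Junos flow-route actions and protocol keywords that this example emits.
ACTIONS = ("discard", "accept")
PROTOCOLS = ("tcp", "udp", "icmp")


def build_flow_route(name, destination, source=None, protocol=None,
                     destination_port=None, action="discard"):
    """Return the <config> document (bytes) for one Junos 'routing-options
    flow route'. Every field is validated before it is placed in the XML, so
    free-form user input never reaches the device configuration."""
    if not name or not all(c.isalnum() or c in "-_" for c in name):
        raise ValueError("route name must be [A-Za-z0-9_-]: %r" % name)
    if action not in ACTIONS:
        raise ValueError("unsupported action %r" % action)
    # strict=True rejects prefixes with host bits set (e.g. 203.0.113.5/24) and junk.
    dst = ipaddress.ip_network(destination, strict=True)

    config = ET.Element("config")  # root element ncclient's edit_config expects
    route = ET.SubElement(
        ET.SubElement(ET.SubElement(ET.SubElement(config, "configuration"),
                                    "routing-options"), "flow"), "route")
    ET.SubElement(route, "name").text = name
    match = ET.SubElement(route, "match")
    ET.SubElement(match, "destination").text = str(dst)
    if source is not None:
        src = ipaddress.ip_network(source, strict=True)
        if src.version != dst.version:
            raise ValueError("source and destination must be the same IP version")
        ET.SubElement(match, "source").text = str(src)
    if protocol is not None:
        if protocol not in PROTOCOLS:
            raise ValueError("unsupported protocol %r" % protocol)
        ET.SubElement(match, "protocol").text = protocol
    if destination_port is not None:
        port = int(destination_port)
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        ET.SubElement(match, "destination-port").text = str(port)
    ET.SubElement(ET.SubElement(route, "then"), action)
    return ET.tostring(config)


def push_flow_route(xml_config, host, username, password):
    """Apply the configuration over Netconf (TCP 830) with ncclient. Host-key
    verification is left on so the device cannot be impersonated, and the
    candidate datastore is locked for the duration of the edit so that two
    jobs cannot interleave their commits. Needs a reachable device; not run here."""
    from ncclient import manager  # python-ncclient from the requirements list
    with manager.connect(host=host, port=830, username=username, password=password,
                         hostkey_verify=True, device_params={"name": "junos"}) as conn:
        conn.lock(target="candidate")
        try:
            conn.edit_config(target="candidate", config=xml_config.decode())
            conn.commit()
        finally:
            conn.unlock(target="candidate")


if __name__ == "__main__":
    # Constructed rule: drop TCP/80 from 198.51.100.0/24 towards one host.
    print(build_flow_route("drop-tcp80", "203.0.113.5/32", source="198.51.100.0/24",
                           protocol="tcp", destination_port=80).decode())
```

The validation in build_flow_route is the security-relevant part: the device account configured as NETCONF_USER can write configuration, so any string a user controls (route name, prefixes, ports) must be checked against a fixed grammar before it is serialised into the payload.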
===========
3. Operational requirements

* Shibboleth authentication
  - Required Shibboleth attributes (as exported by the SP into the request environment):
    - HTTP_EPPN
    - HTTP_SHIB_HOMEORGANIZATION
    - HTTP_SHIB_INETORGPERSON_MAIL
    - an appropriate HTTP_SHIB_EP_ENTITLEMENT (it must carry the value configured as SHIB_AUTH_ENTITLEMENT)
  - Optional attributes:
    - HTTP_SHIB_INETORGPERSON_GIVENNAME
    - HTTP_SHIB_PERSON_SURNAME
* A valid domain name in the peer table, matching the value passed through HTTP_SHIB_HOMEORGANIZATION

===========
4. Installation Procedure

4.1 Pre-installation
Configure and set up celeryd, memcached, beanstalkd, the web server (gunicorn in django mode) and apache.
Copy settings.py.dist to settings.py and urls.py.dist to urls.py.
In settings.py set the following according to your configuration:
* DATABASES (to point to your local database). You can use views instead of tables for the models peer, peercontacts and peernetworks; for this to work we suggest MySQL with the MyISAM engine.
* STATIC_URL (static media directory)
* TEMPLATE_DIRS
* CACHE_BACKEND
* NETCONF_DEVICE (tested with a Juniper EX4200, but any BGP-enabled Juniper device should work)
* NETCONF_USER (enable ssh and netconf on the device; use a dedicated account whose login class is limited to the configuration statements the tool needs)
* NETCONF_PASS (kept in clear text in settings.py, so restrict the file's permissions to the service user)
* BROKER_HOST (beanstalk host)
* BROKER_PORT (beanstalk port)
* SERVER_EMAIL
* EMAIL_SUBJECT_PREFIX
* BROKER_URL (beanstalk url)
* SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication)
* NOTIFY_ADMIN_MAILS (bcc mail addresses)
* PROTECTED_SUBNETS (subnets for which a source or destination address will prevent rule creation and trigger a notification to NOTIFY_ADMIN_MAILS)
* PRIMARY_WHOIS
* ALTERNATE_WHOIS
75 | 93fc8356 | Leonidas Poulopoulos | |
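How the pieces above fit together, as an added example (Python 3; not FoD's own code): the Shibboleth attribute checks from section 3, the entitlement/peer authorization from section 2, and the PROTECTED_SUBNETS refusal. The attribute names are the ones listed in this README. The values of SHIB_AUTH_ENTITLEMENT, PROTECTED_SUBNETS and the PEER_NETWORKS table are constructed, the treatment of a /0 prefix as "any address" is this example's design choice, and the rule that a peer may only target destinations inside its own networks is an assumption about the authorization policy, not something the README states.

```python
import ipaddress

# Constructed stand-ins for the settings.py values (assumed values).
SHIB_AUTH_ENTITLEMENT = "urn:mace:example.org:fod:operator"
PROTECTED_SUBNETS = ["10.0.0.0/8", "192.0.2.0/24", "2001:db8:ffff::/48"]

# Constructed stand-in for the peer / peernetworks tables: home organization
# (as delivered in HTTP_SHIB_HOMEORGANIZATION) -> networks that peer owns.
PEER_NETWORKS = {
    "example.org": ["203.0.113.0/24", "2001:db8:1::/48"],
    "other.example": ["198.51.100.0/24"],
}

REQUIRED_ATTRIBUTES = (
    "HTTP_EPPN",
    "HTTP_SHIB_HOMEORGANIZATION",
    "HTTP_SHIB_INETORGPERSON_MAIL",
    "HTTP_SHIB_EP_ENTITLEMENT",
)


class AuthorizationError(Exception):
    """Raised when a request must not reach the rule-creation views."""


def authorize_user(meta):
    """Check the Shibboleth attributes the SP exported into the request
    environment (request.META in Django) and return the peer domain the user
    belongs to. Raises AuthorizationError otherwise."""
    missing = [name for name in REQUIRED_ATTRIBUTES if not meta.get(name)]
    if missing:
        raise AuthorizationError("missing Shibboleth attributes: " + ", ".join(missing))
    # The Shibboleth SP joins multi-valued attributes with ';'.
    entitlements = meta["HTTP_SHIB_EP_ENTITLEMENT"].split(";")
    if SHIB_AUTH_ENTITLEMENT not in entitlements:
        raise AuthorizationError("required entitlement not present")
    domain = meta["HTTP_SHIB_HOMEORGANIZATION"]
    if domain not in PEER_NETWORKS:
        raise AuthorizationError("home organization %r is not in the peer table" % domain)
    return domain


def check_rule(domain, source, destination):
    """Network-level checks for a proposed rule. Returns the list of reasons
    the rule must be refused; an empty list means it may be created."""
    reasons = []
    try:
        # strict=True rejects prefixes with host bits set (e.g. 203.0.113.5/24).
        src = ipaddress.ip_network(source, strict=True)
        dst = ipaddress.ip_network(destination, strict=True)
    except ValueError as exc:
        return ["malformed prefix: %s" % exc]

    # PROTECTED_SUBNETS: a source or destination touching protected space
    # blocks the rule (the caller then mails NOTIFY_ADMIN_MAILS). A /0 means
    # "any address" and is not treated as touching anything (design choice here).
    for text in PROTECTED_SUBNETS:
        protected = ipaddress.ip_network(text)
        for label, net in (("source", src), ("destination", dst)):
            # overlaps() returns False for mixed IPv4/IPv6 operands.
            if net.prefixlen and net.overlaps(protected):
                reasons.append("%s %s overlaps protected subnet %s" % (label, net, protected))

    # Assumption: a peer may only create rules whose destination lies inside
    # its own address space, so one peer cannot blackhole another's traffic.
    owned = [ipaddress.ip_network(text) for text in PEER_NETWORKS[domain]]
    if not any(dst.version == net.version and dst.subnet_of(net) for net in owned):
        reasons.append("destination %s is outside the networks of peer %s" % (dst, domain))
    return reasons


if __name__ == "__main__":
    # Constructed request environment as the Shibboleth SP would populate it.
    meta = {
        "HTTP_EPPN": "alice@example.org",
        "HTTP_SHIB_HOMEORGANIZATION": "example.org",
        "HTTP_SHIB_INETORGPERSON_MAIL": "alice@example.org",
        "HTTP_SHIB_EP_ENTITLEMENT": "urn:mace:example.org:staff;" + SHIB_AUTH_ENTITLEMENT,
    }
    peer = authorize_user(meta)
    print(peer, check_rule(peer, "0.0.0.0/0", "203.0.113.5/32"))
    print(peer, check_rule(peer, "10.1.2.0/24", "203.0.113.5/32"))
```

Note that the entitlement value is compared as an exact string after splitting on ';', not with a substring match; a substring check would let "urn:mace:example.org:fod:operator-trainee" satisfy the "operator" entitlement.
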
4.2 Installation

* Run:
./manage.py syncdb
to create all the necessary tables in the database. Create the admin (superuser) account when prompted, so that you can insert the initial data for peers and their contact info.
* Then, to bring the schema under South migration control, run:
./manage.py migrate
* If you have properly set the primary and alternate whois servers you can run:
./manage.py fetch_networks
to fill in the network info automatically.
Alternatively you can fill in that info manually via the admin interface.
* Via the admin interface, modify the existing (example.com) Site instance as required.
* Modify the flatpages to suit your needs.
* Once Apache proxying and the Shibboleth modules are properly set up, log in to the tool. If the Shibboleth SP is properly set up you should see a "user pending activation" message, and an activation email should arrive at the NOTIFY_ADMIN_MAILS accounts.