root / doc / index.md @ f6015c0e
History | View | Annotate | Download (21.2 kB)
1 | f6015c0e | Stauros Kroustouris | Firewall on Demand |
---|---|---|---|
2 | f6015c0e | Stauros Kroustouris | ================== |
3 | f6015c0e | Stauros Kroustouris | |
4 | f6015c0e | Stauros Kroustouris | Description |
5 | f6015c0e | Stauros Kroustouris | ----------- |
6 | f6015c0e | Stauros Kroustouris | |
7 | f6015c0e | Stauros Kroustouris | Firewall on Demand applies, via Netconf, flow rules to a network device. |
8 | f6015c0e | Stauros Kroustouris | These rules are then propagated via e-bgp to peering routers. Each user |
9 | f6015c0e | Stauros Kroustouris | is authenticated against shibboleth. Authorization is performed via a |
10 | f6015c0e | Stauros Kroustouris | combination of a Shibboleth attribute and the peer network address range |
11 | f6015c0e | Stauros Kroustouris | that the user originates from. FoD is meant to operate over this |
12 | f6015c0e | Stauros Kroustouris | architecture: |
13 | f6015c0e | Stauros Kroustouris | |
14 | f6015c0e | Stauros Kroustouris | +-----------+ +------------+ +------------+ |
15 | f6015c0e | Stauros Kroustouris | | FoD | NETCONF | flowspec | ebgp | router | |
16 | f6015c0e | Stauros Kroustouris | | web app +----------> device +--------> | |
17 | f6015c0e | Stauros Kroustouris | +-----------+ +------+-----+ +------------+ |
18 | f6015c0e | Stauros Kroustouris | | ebgp |
19 | f6015c0e | Stauros Kroustouris | | |
20 | f6015c0e | Stauros Kroustouris | +------v-----+ |
21 | f6015c0e | Stauros Kroustouris | | router | |
22 | f6015c0e | Stauros Kroustouris | | | |
23 | f6015c0e | Stauros Kroustouris | +------------+ |
24 | f6015c0e | Stauros Kroustouris | |
25 | f6015c0e | Stauros Kroustouris | NETCONF is chosen as the mgmt protocol to apply rules to a single |
26 | f6015c0e | Stauros Kroustouris | flowspec capable device. Rules are then propagated via igbp to all |
27 | f6015c0e | Stauros Kroustouris | flowspec capable routers. Of course FoD could apply rules directly (via |
28 | f6015c0e | Stauros Kroustouris | NETCONF always) to a router and then ibgp would do the rest. In GRNET’s |
29 | f6015c0e | Stauros Kroustouris | case the flowspec capable device is an EX4200. |
30 | f6015c0e | Stauros Kroustouris | |
31 | f6015c0e | Stauros Kroustouris | > **attention** |
32 | f6015c0e | Stauros Kroustouris | > |
33 | f6015c0e | Stauros Kroustouris | > Make sure your FoD server has ssh access to your flowspec device. |
34 | f6015c0e | Stauros Kroustouris | |
35 | f6015c0e | Stauros Kroustouris | > **attention** |
36 | f6015c0e | Stauros Kroustouris | > |
37 | f6015c0e | Stauros Kroustouris | > Installation instructions assume a clean Debian Wheezy with Django 1.4 |
38 | f6015c0e | Stauros Kroustouris | |
39 | f6015c0e | Stauros Kroustouris | Contact |
40 | f6015c0e | Stauros Kroustouris | ------- |
41 | f6015c0e | Stauros Kroustouris | |
42 | f6015c0e | Stauros Kroustouris | You can find more about FoD or raise your issues at [GRNET FoD |
43 | f6015c0e | Stauros Kroustouris | repository][]. |
44 | f6015c0e | Stauros Kroustouris | |
45 | f6015c0e | Stauros Kroustouris | You can contact us directly at staurosk{at}noc[dot]grnet(.)gr |
46 | f6015c0e | Stauros Kroustouris | |
47 | f6015c0e | Stauros Kroustouris | Repositories |
48 | f6015c0e | Stauros Kroustouris | ------------ |
49 | f6015c0e | Stauros Kroustouris | |
50 | f6015c0e | Stauros Kroustouris | [GRNET FoD repository]: https://code.grnet.gr/projects/flowspy |
51 | f6015c0e | Stauros Kroustouris | [Github FoD repository]: https://github.com/grnet/flowspy |
52 | f6015c0e | Stauros Kroustouris | |
53 | f6015c0e | Stauros Kroustouris | Installation |
54 | f6015c0e | Stauros Kroustouris | ============ |
55 | f6015c0e | Stauros Kroustouris | |
56 | f6015c0e | Stauros Kroustouris | Debian Wheezy (x64) - Django 1.4.x |
57 | f6015c0e | Stauros Kroustouris | ---------------------------------- |
58 | f6015c0e | Stauros Kroustouris | |
59 | f6015c0e | Stauros Kroustouris | This guide assumes that installation is carried out in /srv/flowspy |
60 | f6015c0e | Stauros Kroustouris | directory. If other directory is to be used, please change the |
61 | f6015c0e | Stauros Kroustouris | corresponding configuration files. It is also assumed that the root user |
62 | f6015c0e | Stauros Kroustouris | will perform every action. |
63 | f6015c0e | Stauros Kroustouris | |
64 | f6015c0e | Stauros Kroustouris | ### Upgrading from v\<1.1.x |
65 | f6015c0e | Stauros Kroustouris | |
66 | f6015c0e | Stauros Kroustouris | > **note** |
67 | f6015c0e | Stauros Kroustouris | > |
68 | f6015c0e | Stauros Kroustouris | > If PEER\_\*\_TABLE tables are set to FALSE in settings.py, you need to |
69 | f6015c0e | Stauros Kroustouris | > perform the south migrations per application: |
70 | f6015c0e | Stauros Kroustouris | > |
71 | f6015c0e | Stauros Kroustouris | > ./manage.py migrate longerusername |
72 | f6015c0e | Stauros Kroustouris | > ./manage.py migrate flowspec |
73 | f6015c0e | Stauros Kroustouris | > ./manage.py migrate accounts |
74 | f6015c0e | Stauros Kroustouris | |
75 | f6015c0e | Stauros Kroustouris | If upgrading from flowspy version \<1.1.x pay attention to settings.py |
76 | f6015c0e | Stauros Kroustouris | changes. Also, do not forget to run if PEER\_\*\_TABLE tables are set to |
77 | f6015c0e | Stauros Kroustouris | TRUE in settings.py: |
78 | f6015c0e | Stauros Kroustouris | |
79 | f6015c0e | Stauros Kroustouris | ./manage.py migrate |
80 | f6015c0e | Stauros Kroustouris | |
81 | f6015c0e | Stauros Kroustouris | to catch-up with latest database changes. |
82 | f6015c0e | Stauros Kroustouris | |
83 | f6015c0e | Stauros Kroustouris | ### Upgrading from v\<1.0.x |
84 | f6015c0e | Stauros Kroustouris | |
85 | f6015c0e | Stauros Kroustouris | If upgrading from flowspy version \<1.0.x pay attention to settings.py |
86 | f6015c0e | Stauros Kroustouris | changes. Also, do not forget to run: |
87 | f6015c0e | Stauros Kroustouris | |
88 | f6015c0e | Stauros Kroustouris | ./manage.py migrate |
89 | f6015c0e | Stauros Kroustouris | |
90 | f6015c0e | Stauros Kroustouris | to catch-up with latest database changes. |
91 | f6015c0e | Stauros Kroustouris | |
92 | f6015c0e | Stauros Kroustouris | ### Required system packages |
93 | f6015c0e | Stauros Kroustouris | |
94 | f6015c0e | Stauros Kroustouris | Update and install the required packages: |
95 | f6015c0e | Stauros Kroustouris | |
96 | f6015c0e | Stauros Kroustouris | apt-get update |
97 | f6015c0e | Stauros Kroustouris | apt-get upgrade |
98 | f6015c0e | Stauros Kroustouris | apt-get install mysql-server apache2 memcached libapache2-mod-proxy-html gunicorn beanstalkd python-django python-django-south python-django-tinymce tinymce python-mysqldb python-yaml python-memcache python-django-registration python-ipaddr python-lxml mysql-client git python-django-celery python-paramiko python-gevent vim |
99 | f6015c0e | Stauros Kroustouris | |
100 | f6015c0e | Stauros Kroustouris | Also, django rest framework package is required. In debian Wheezy it is |
101 | f6015c0e | Stauros Kroustouris | not available, but one can install it via pip. |
102 | f6015c0e | Stauros Kroustouris | |
103 | f6015c0e | Stauros Kroustouris | > **note** |
104 | f6015c0e | Stauros Kroustouris | > |
105 | f6015c0e | Stauros Kroustouris | > Set username and password for mysql if used |
106 | f6015c0e | Stauros Kroustouris | |
107 | f6015c0e | Stauros Kroustouris | > **note** |
108 | f6015c0e | Stauros Kroustouris | > |
109 | f6015c0e | Stauros Kroustouris | > If you wish to deploy an outgoing mail server, now it is time to do |
110 | f6015c0e | Stauros Kroustouris | > it. Otherwise you could set FoD to send out mails via a third party |
111 | f6015c0e | Stauros Kroustouris | > account |
112 | f6015c0e | Stauros Kroustouris | |
113 | f6015c0e | Stauros Kroustouris | ### Create a database |
114 | f6015c0e | Stauros Kroustouris | |
115 | f6015c0e | Stauros Kroustouris | If you are using mysql, you should create a database: |
116 | f6015c0e | Stauros Kroustouris | |
117 | f6015c0e | Stauros Kroustouris | mysql -u root -p -e 'create database fod' |
118 | f6015c0e | Stauros Kroustouris | |
119 | f6015c0e | Stauros Kroustouris | ### Required application packages |
120 | f6015c0e | Stauros Kroustouris | |
121 | f6015c0e | Stauros Kroustouris | Get the required packages and their dependencies and install them: |
122 | f6015c0e | Stauros Kroustouris | |
123 | f6015c0e | Stauros Kroustouris | apt-get install libxml2-dev libxslt-dev gcc python-dev |
124 | f6015c0e | Stauros Kroustouris | |
125 | f6015c0e | Stauros Kroustouris | - ncclient: NETCONF python client: |
126 | f6015c0e | Stauros Kroustouris | |
127 | f6015c0e | Stauros Kroustouris | cd ~ |
128 | f6015c0e | Stauros Kroustouris | git clone https://github.com/leopoul/ncclient.git |
129 | f6015c0e | Stauros Kroustouris | cd ncclient |
130 | f6015c0e | Stauros Kroustouris | python setup.py install |
131 | f6015c0e | Stauros Kroustouris | |
132 | f6015c0e | Stauros Kroustouris | - nxpy: Python Objects from/to XML proxy: |
133 | f6015c0e | Stauros Kroustouris | |
134 | f6015c0e | Stauros Kroustouris | cd ~ |
135 | f6015c0e | Stauros Kroustouris | git clone https://code.grnet.gr/git/nxpy |
136 | f6015c0e | Stauros Kroustouris | cd nxpy |
137 | f6015c0e | Stauros Kroustouris | python setup.py install |
138 | f6015c0e | Stauros Kroustouris | |
139 | f6015c0e | Stauros Kroustouris | - flowspy: core application. Installation is done at /srv/flowspy: |
140 | f6015c0e | Stauros Kroustouris | |
141 | f6015c0e | Stauros Kroustouris | cd /srv |
142 | f6015c0e | Stauros Kroustouris | git clone https://code.grnet.gr/git/flowspy |
143 | f6015c0e | Stauros Kroustouris | cd flowspy |
144 | f6015c0e | Stauros Kroustouris | |
145 | f6015c0e | Stauros Kroustouris | Application configuration |
146 | f6015c0e | Stauros Kroustouris | ========================= |
147 | f6015c0e | Stauros Kroustouris | |
148 | f6015c0e | Stauros Kroustouris | Copy settings.py.dist to settings.py: |
149 | f6015c0e | Stauros Kroustouris | |
150 | f6015c0e | Stauros Kroustouris | cd flowspy |
151 | f6015c0e | Stauros Kroustouris | cp settings.py.dist settings.py |
152 | f6015c0e | Stauros Kroustouris | |
153 | f6015c0e | Stauros Kroustouris | Edit settings.py file and set the following according to your |
154 | f6015c0e | Stauros Kroustouris | configuration: |
155 | f6015c0e | Stauros Kroustouris | |
156 | f6015c0e | Stauros Kroustouris | ADMINS: set your admin name and email (assuming that your server can send notifications) |
157 | f6015c0e | Stauros Kroustouris | DATABASES (to point to your local database). You could use views instead of tables for models: peer, peercontacts, peernetworks. For this to work we suggest MySQL with MyISAM db engine |
158 | f6015c0e | Stauros Kroustouris | SECRET_KEY : Make this unique, and don't share it with anybody |
159 | f6015c0e | Stauros Kroustouris | STATIC_ROOT: /srv/flowspy/static (or your installation directory) |
160 | f6015c0e | Stauros Kroustouris | STATIC_URL (static media directory) . If you have followed the above this should be: /srv/flowspy/static |
161 | f6015c0e | Stauros Kroustouris | TEMPLATE_DIRS : If you have followed the above this should be: /srv/flowspy/templates |
162 | f6015c0e | Stauros Kroustouris | CACHE_BACKEND: Enable Memcached for production or leave to DummyCache for development environments |
163 | f6015c0e | Stauros Kroustouris | Alternatively you could go for redis with the corresponding Django client lib. |
164 | f6015c0e | Stauros Kroustouris | NETCONF_DEVICE (tested with Juniper EX4200 but any BGP enabled Juniper should work). This is the flowspec capable device |
165 | f6015c0e | Stauros Kroustouris | NETCONF_USER (enable ssh and netconf on device) |
166 | f6015c0e | Stauros Kroustouris | NETCONF_PASS |
167 | f6015c0e | Stauros Kroustouris | If beanstalk is selected the following should be left intact. |
168 | f6015c0e | Stauros Kroustouris | BROKER_HOST (beanstalk host) |
169 | f6015c0e | Stauros Kroustouris | BROKER_PORT (beanstalk port) |
170 | f6015c0e | Stauros Kroustouris | SERVER_EMAIL |
171 | f6015c0e | Stauros Kroustouris | EMAIL_SUBJECT_PREFIX |
172 | f6015c0e | Stauros Kroustouris | If beanstalk is selected the following should be left intact. |
173 | f6015c0e | Stauros Kroustouris | BROKER_URL (beanstalk url) |
174 | f6015c0e | Stauros Kroustouris | SHIB_AUTH_ENTITLEMENT (if you go for Shibboleth authentication) |
175 | f6015c0e | Stauros Kroustouris | NOTIFY_ADMIN_MAILS (bcc mail addresses) |
176 | f6015c0e | Stauros Kroustouris | PROTECTED_SUBNETS (subnets for which source or destination address will prevent rule creation and notify the NOTIFY_ADMIN_MAILS) |
177 | f6015c0e | Stauros Kroustouris | The whois client is meant to be used in case you have inserted peers with their ASes in the peers table and wish to get network info for each one in an automated manner. |
178 | f6015c0e | Stauros Kroustouris | PRIMARY_WHOIS |
179 | f6015c0e | Stauros Kroustouris | ALTERNATE_WHOIS |
180 | f6015c0e | Stauros Kroustouris | If you wish to deploy FoD with Shibboleth change the following attributes according to your setup: |
181 | f6015c0e | Stauros Kroustouris | SHIB_AUTH_ENTITLEMENT = 'urn:mace' |
182 | f6015c0e | Stauros Kroustouris | SHIB_ADMIN_DOMAIN = 'example.com' |
183 | f6015c0e | Stauros Kroustouris | SHIB_LOGOUT_URL = 'https://example.com/Shibboleth.sso/Logout' |
184 | f6015c0e | Stauros Kroustouris | SHIB_USERNAME = ['HTTP_EPPN'] |
185 | f6015c0e | Stauros Kroustouris | SHIB_MAIL = ['mail', 'HTTP_MAIL', 'HTTP_SHIB_INETORGPERSON_MAIL'] |
186 | f6015c0e | Stauros Kroustouris | SHIB_FIRSTNAME = ['HTTP_SHIB_INETORGPERSON_GIVENNAME'] |
187 | f6015c0e | Stauros Kroustouris | SHIB_LASTNAME = ['HTTP_SHIB_PERSON_SURNAME'] |
188 | f6015c0e | Stauros Kroustouris | SHIB_ENTITLEMENT = ['HTTP_SHIB_EP_ENTITLEMENT'] |
189 | f6015c0e | Stauros Kroustouris | |
190 | f6015c0e | Stauros Kroustouris | If you have not installed an outgoing mail server you can always use |
191 | f6015c0e | Stauros Kroustouris | your own account (either corporate or gmail, hotmail ,etc) by adding the |
192 | f6015c0e | Stauros Kroustouris | following lines in settings.py: |
193 | f6015c0e | Stauros Kroustouris | |
194 | f6015c0e | Stauros Kroustouris | EMAIL_USE_TLS = True #(or False) |
195 | f6015c0e | Stauros Kroustouris | EMAIL_HOST = 'smtp.example.com' |
196 | f6015c0e | Stauros Kroustouris | EMAIL_HOST_USER = 'username' |
197 | f6015c0e | Stauros Kroustouris | EMAIL_HOST_PASSWORD = 'yourpassword' |
198 | f6015c0e | Stauros Kroustouris | EMAIL_PORT = 587 #(outgoing) |
199 | f6015c0e | Stauros Kroustouris | |
200 | f6015c0e | Stauros Kroustouris | It is strongly advised that you do not change the following to False |
201 | f6015c0e | Stauros Kroustouris | values unless, you want to integrate FoD with you CRM or members |
202 | f6015c0e | Stauros Kroustouris | database. This implies that you are able/have the rights to create |
203 | f6015c0e | Stauros Kroustouris | database views between the two databases: |
204 | f6015c0e | Stauros Kroustouris | |
205 | f6015c0e | Stauros Kroustouris | PEER_MANAGED_TABLE = True |
206 | f6015c0e | Stauros Kroustouris | PEER_RANGE_MANAGED_TABLE = True |
207 | f6015c0e | Stauros Kroustouris | PEER_TECHC_MANAGED_TABLE = True |
208 | f6015c0e | Stauros Kroustouris | |
209 | f6015c0e | Stauros Kroustouris | By doing that the corresponding tables as defined in peers/models will |
210 | f6015c0e | Stauros Kroustouris | not be created. As noted above, you have to create the views that the |
211 | f6015c0e | Stauros Kroustouris | tables will rely on. |
212 | f6015c0e | Stauros Kroustouris | |
213 | f6015c0e | Stauros Kroustouris | > **note** |
214 | f6015c0e | Stauros Kroustouris | > |
215 | f6015c0e | Stauros Kroustouris | > Soon we will release a version with django-registration as a means to |
216 | f6015c0e | Stauros Kroustouris | > add users and Shibboleth will become an alternative |
217 | f6015c0e | Stauros Kroustouris | |
218 | f6015c0e | Stauros Kroustouris | Let’s move on with some copies and dir creations: |
219 | f6015c0e | Stauros Kroustouris | |
220 | f6015c0e | Stauros Kroustouris | mkdir /var/log/fod |
221 | f6015c0e | Stauros Kroustouris | chown www-data.www-data /var/log/fod |
222 | f6015c0e | Stauros Kroustouris | cp urls.py.dist urls.py |
223 | f6015c0e | Stauros Kroustouris | cd .. |
224 | f6015c0e | Stauros Kroustouris | |
225 | f6015c0e | Stauros Kroustouris | > **note** |
226 | f6015c0e | Stauros Kroustouris | > |
227 | f6015c0e | Stauros Kroustouris | > LOG\_FILE\_LOCATION in settings.py is set to **/var/log/fod**. Adjust |
228 | f6015c0e | Stauros Kroustouris | > the chown command above to your selected dir. |
229 | f6015c0e | Stauros Kroustouris | |
230 | f6015c0e | Stauros Kroustouris | System configuration |
231 | f6015c0e | Stauros Kroustouris | ==================== |
232 | f6015c0e | Stauros Kroustouris | |
233 | f6015c0e | Stauros Kroustouris | Apache operates as a gunicorn Proxy with WSGI and Shibboleth modules |
234 | f6015c0e | Stauros Kroustouris | enabled. Depending on the setup the apache configuration may vary: |
235 | f6015c0e | Stauros Kroustouris | |
236 | f6015c0e | Stauros Kroustouris | a2enmod rewrite |
237 | f6015c0e | Stauros Kroustouris | a2enmod proxy |
238 | f6015c0e | Stauros Kroustouris | a2enmod ssl |
239 | f6015c0e | Stauros Kroustouris | a2enmod proxy_http |
240 | f6015c0e | Stauros Kroustouris | |
241 | f6015c0e | Stauros Kroustouris | If shibboleth is to be used: |
242 | f6015c0e | Stauros Kroustouris | |
243 | f6015c0e | Stauros Kroustouris | apt-get install libapache2-mod-shib2 |
244 | f6015c0e | Stauros Kroustouris | a2enmod shib2 |
245 | f6015c0e | Stauros Kroustouris | |
246 | f6015c0e | Stauros Kroustouris | Now it is time to configure beanstalk, gunicorn, celery and apache. |
247 | f6015c0e | Stauros Kroustouris | |
248 | f6015c0e | Stauros Kroustouris | beanstalkd |
249 | f6015c0e | Stauros Kroustouris | ---------- |
250 | f6015c0e | Stauros Kroustouris | |
251 | f6015c0e | Stauros Kroustouris | Enable beanstalk by editting /etc/default/beanstalkd: |
252 | f6015c0e | Stauros Kroustouris | |
253 | f6015c0e | Stauros Kroustouris | vim /etc/default/beanstalkd |
254 | f6015c0e | Stauros Kroustouris | |
255 | f6015c0e | Stauros Kroustouris | Uncomment the line **START=yes** to enable beanstalk |
256 | f6015c0e | Stauros Kroustouris | |
257 | f6015c0e | Stauros Kroustouris | Start beanstalkd: |
258 | f6015c0e | Stauros Kroustouris | |
259 | f6015c0e | Stauros Kroustouris | service beanstalkd start |
260 | f6015c0e | Stauros Kroustouris | |
261 | f6015c0e | Stauros Kroustouris | gunicorn.d |
262 | f6015c0e | Stauros Kroustouris | ---------- |
263 | f6015c0e | Stauros Kroustouris | |
264 | f6015c0e | Stauros Kroustouris | Create and edit /etc/gunicorn.d/fod: |
265 | f6015c0e | Stauros Kroustouris | |
266 | f6015c0e | Stauros Kroustouris | vim /etc/gunicorn.d/fod |
267 | f6015c0e | Stauros Kroustouris | |
268 | f6015c0e | Stauros Kroustouris | FoD is served via gunicorn and is then proxied by Apache. If the above |
269 | f6015c0e | Stauros Kroustouris | directory conventions have been followed so far, then your configuration |
270 | f6015c0e | Stauros Kroustouris | should be: |
271 | f6015c0e | Stauros Kroustouris | |
272 | f6015c0e | Stauros Kroustouris | CONFIG = { |
273 | f6015c0e | Stauros Kroustouris | 'mode': 'django', |
274 | f6015c0e | Stauros Kroustouris | 'working_dir': '/srv/flowspy', |
275 | f6015c0e | Stauros Kroustouris | 'args': ( |
276 | f6015c0e | Stauros Kroustouris | '--bind=127.0.0.1:8081', |
277 | f6015c0e | Stauros Kroustouris | '--workers=1', |
278 | f6015c0e | Stauros Kroustouris | '--worker-class=egg:gunicorn#gevent', |
279 | f6015c0e | Stauros Kroustouris | '--timeout=30', |
280 | f6015c0e | Stauros Kroustouris | '--debug', |
281 | f6015c0e | Stauros Kroustouris | '--log-level=debug', |
282 | f6015c0e | Stauros Kroustouris | '--log-file=/var/log/gunicorn/fod.log', |
283 | f6015c0e | Stauros Kroustouris | ), |
284 | f6015c0e | Stauros Kroustouris | } |
285 | f6015c0e | Stauros Kroustouris | |
286 | f6015c0e | Stauros Kroustouris | celeryd |
287 | f6015c0e | Stauros Kroustouris | ======= |
288 | f6015c0e | Stauros Kroustouris | |
289 | f6015c0e | Stauros Kroustouris | Celery is used over beanstalkd to apply firewall rules in a serial |
290 | f6015c0e | Stauros Kroustouris | manner so that locks are avoided on the flowspec capable device. In our |
291 | f6015c0e | Stauros Kroustouris | setup celery runs via django. That is why the python-django-celery |
292 | f6015c0e | Stauros Kroustouris | package was installed. |
293 | f6015c0e | Stauros Kroustouris | |
294 | f6015c0e | Stauros Kroustouris | Create the celeryd daemon at /etc/init.d/celeryd **if it does not |
295 | f6015c0e | Stauros Kroustouris | already exist**: |
296 | f6015c0e | Stauros Kroustouris | |
297 | f6015c0e | Stauros Kroustouris | vim /etc/init.d/celeryd |
298 | f6015c0e | Stauros Kroustouris | |
299 | f6015c0e | Stauros Kroustouris | The configuration should be: |
300 | f6015c0e | Stauros Kroustouris | |
301 | f6015c0e | Stauros Kroustouris | #!/bin/sh -e |
302 | f6015c0e | Stauros Kroustouris | # ============================================ |
303 | f6015c0e | Stauros Kroustouris | # celeryd - Starts the Celery worker daemon. |
304 | f6015c0e | Stauros Kroustouris | # ============================================ |
305 | f6015c0e | Stauros Kroustouris | # |
306 | f6015c0e | Stauros Kroustouris | # :Usage: /etc/init.d/celeryd {start|stop|force-reload|restart|try-restart|status} |
307 | f6015c0e | Stauros Kroustouris | # :Configuration file: /etc/default/celeryd |
308 | f6015c0e | Stauros Kroustouris | # |
309 | f6015c0e | Stauros Kroustouris | # See http://docs.celeryq.org/en/latest/cookbook/daemonizing.html#init-script-celeryd |
310 | f6015c0e | Stauros Kroustouris | |
311 | f6015c0e | Stauros Kroustouris | |
312 | f6015c0e | Stauros Kroustouris | ### BEGIN INIT INFO |
313 | f6015c0e | Stauros Kroustouris | # Provides: celeryd |
314 | f6015c0e | Stauros Kroustouris | # Required-Start: $network $local_fs $remote_fs |
315 | f6015c0e | Stauros Kroustouris | # Required-Stop: $network $local_fs $remote_fs |
316 | f6015c0e | Stauros Kroustouris | # Default-Start: 2 3 4 5 |
317 | f6015c0e | Stauros Kroustouris | # Default-Stop: 0 1 6 |
318 | f6015c0e | Stauros Kroustouris | # Short-Description: celery task worker daemon |
319 | f6015c0e | Stauros Kroustouris | # Description: Starts the Celery worker daemon for a single project. |
320 | f6015c0e | Stauros Kroustouris | ### END INIT INFO |
321 | f6015c0e | Stauros Kroustouris | |
322 | f6015c0e | Stauros Kroustouris | #set -e |
323 | f6015c0e | Stauros Kroustouris | |
324 | f6015c0e | Stauros Kroustouris | DEFAULT_PID_FILE="/var/run/celery/%n.pid" |
325 | f6015c0e | Stauros Kroustouris | DEFAULT_LOG_FILE="/var/log/celery/%n.log" |
326 | f6015c0e | Stauros Kroustouris | DEFAULT_LOG_LEVEL="INFO" |
327 | f6015c0e | Stauros Kroustouris | DEFAULT_NODES="celery" |
328 | f6015c0e | Stauros Kroustouris | DEFAULT_CELERYD="-m celery.bin.celeryd_detach" |
329 | f6015c0e | Stauros Kroustouris | ENABLED="false" |
330 | f6015c0e | Stauros Kroustouris | |
331 | f6015c0e | Stauros Kroustouris | [ -r "$CELERY_DEFAULTS" ] && . "$CELERY_DEFAULTS" |
332 | f6015c0e | Stauros Kroustouris | |
333 | f6015c0e | Stauros Kroustouris | [ -r /etc/default/celeryd ] && . /etc/default/celeryd |
334 | f6015c0e | Stauros Kroustouris | |
335 | f6015c0e | Stauros Kroustouris | if [ "$ENABLED" != "true" ]; then |
336 | f6015c0e | Stauros Kroustouris | echo "celery daemon disabled - see /etc/default/celeryd." |
337 | f6015c0e | Stauros Kroustouris | exit 0 |
338 | f6015c0e | Stauros Kroustouris | fi |
339 | f6015c0e | Stauros Kroustouris | |
340 | f6015c0e | Stauros Kroustouris | |
341 | f6015c0e | Stauros Kroustouris | CELERYD_PID_FILE=${CELERYD_PID_FILE:-${CELERYD_PIDFILE:-$DEFAULT_PID_FILE}} |
342 | f6015c0e | Stauros Kroustouris | CELERYD_LOG_FILE=${CELERYD_LOG_FILE:-${CELERYD_LOGFILE:-$DEFAULT_LOG_FILE}} |
343 | f6015c0e | Stauros Kroustouris | CELERYD_LOG_LEVEL=${CELERYD_LOG_LEVEL:-${CELERYD_LOGLEVEL:-$DEFAULT_LOG_LEVEL}} |
344 | f6015c0e | Stauros Kroustouris | CELERYD_MULTI=${CELERYD_MULTI:-"celeryd-multi"} |
345 | f6015c0e | Stauros Kroustouris | CELERYD=${CELERYD:-$DEFAULT_CELERYD} |
346 | f6015c0e | Stauros Kroustouris | CELERYCTL=${CELERYCTL:="celeryctl"} |
347 | f6015c0e | Stauros Kroustouris | CELERYD_NODES=${CELERYD_NODES:-$DEFAULT_NODES} |
348 | f6015c0e | Stauros Kroustouris | |
349 | f6015c0e | Stauros Kroustouris | export CELERY_LOADER |
350 | f6015c0e | Stauros Kroustouris | |
351 | f6015c0e | Stauros Kroustouris | if [ -n "$2" ]; then |
352 | f6015c0e | Stauros Kroustouris | CELERYD_OPTS="$CELERYD_OPTS $2" |
353 | f6015c0e | Stauros Kroustouris | fi |
354 | f6015c0e | Stauros Kroustouris | |
355 | f6015c0e | Stauros Kroustouris | CELERYD_LOG_DIR=`dirname $CELERYD_LOG_FILE` |
356 | f6015c0e | Stauros Kroustouris | CELERYD_PID_DIR=`dirname $CELERYD_PID_FILE` |
357 | f6015c0e | Stauros Kroustouris | if [ ! -d "$CELERYD_LOG_DIR" ]; then |
358 | f6015c0e | Stauros Kroustouris | mkdir -p $CELERYD_LOG_DIR |
359 | f6015c0e | Stauros Kroustouris | fi |
360 | f6015c0e | Stauros Kroustouris | if [ ! -d "$CELERYD_PID_DIR" ]; then |
361 | f6015c0e | Stauros Kroustouris | mkdir -p $CELERYD_PID_DIR |
362 | f6015c0e | Stauros Kroustouris | fi |
363 | f6015c0e | Stauros Kroustouris | |
364 | f6015c0e | Stauros Kroustouris | # Extra start-stop-daemon options, like user/group. |
365 | f6015c0e | Stauros Kroustouris | if [ -n "$CELERYD_USER" ]; then |
366 | f6015c0e | Stauros Kroustouris | DAEMON_OPTS="$DAEMON_OPTS --uid=$CELERYD_USER" |
367 | f6015c0e | Stauros Kroustouris | chown "$CELERYD_USER" $CELERYD_LOG_DIR $CELERYD_PID_DIR |
368 | f6015c0e | Stauros Kroustouris | fi |
369 | f6015c0e | Stauros Kroustouris | if [ -n "$CELERYD_GROUP" ]; then |
370 | f6015c0e | Stauros Kroustouris | DAEMON_OPTS="$DAEMON_OPTS --gid=$CELERYD_GROUP" |
371 | f6015c0e | Stauros Kroustouris | chgrp "$CELERYD_GROUP" $CELERYD_LOG_DIR $CELERYD_PID_DIR |
372 | f6015c0e | Stauros Kroustouris | fi |
373 | f6015c0e | Stauros Kroustouris | |
374 | f6015c0e | Stauros Kroustouris | if [ -n "$CELERYD_CHDIR" ]; then |
375 | f6015c0e | Stauros Kroustouris | DAEMON_OPTS="$DAEMON_OPTS --workdir=\"$CELERYD_CHDIR\"" |
376 | f6015c0e | Stauros Kroustouris | fi |
377 | f6015c0e | Stauros Kroustouris | |
378 | f6015c0e | Stauros Kroustouris | |
379 | f6015c0e | Stauros Kroustouris | check_dev_null() { |
380 | f6015c0e | Stauros Kroustouris | if [ ! -c /dev/null ]; then |
381 | f6015c0e | Stauros Kroustouris | echo "/dev/null is not a character device!" |
382 | f6015c0e | Stauros Kroustouris | exit 1 |
383 | f6015c0e | Stauros Kroustouris | fi |
384 | f6015c0e | Stauros Kroustouris | } |
385 | f6015c0e | Stauros Kroustouris | |
386 | f6015c0e | Stauros Kroustouris | |
387 | f6015c0e | Stauros Kroustouris | export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" |
388 | f6015c0e | Stauros Kroustouris | |
389 | f6015c0e | Stauros Kroustouris | |
390 | f6015c0e | Stauros Kroustouris | stop_workers () { |
391 | f6015c0e | Stauros Kroustouris | $CELERYD_MULTI stop $CELERYD_NODES --pidfile="$CELERYD_PID_FILE" |
392 | f6015c0e | Stauros Kroustouris | } |
393 | f6015c0e | Stauros Kroustouris | |
394 | f6015c0e | Stauros Kroustouris | |
395 | f6015c0e | Stauros Kroustouris | start_workers () { |
396 | f6015c0e | Stauros Kroustouris | $CELERYD_MULTI start $CELERYD_NODES $DAEMON_OPTS \ |
397 | f6015c0e | Stauros Kroustouris | --pidfile="$CELERYD_PID_FILE" \ |
398 | f6015c0e | Stauros Kroustouris | --logfile="$CELERYD_LOG_FILE" \ |
399 | f6015c0e | Stauros Kroustouris | --loglevel="$CELERYD_LOG_LEVEL" \ |
400 | f6015c0e | Stauros Kroustouris | --cmd="$CELERYD" \ |
401 | f6015c0e | Stauros Kroustouris | $CELERYD_OPTS |
402 | f6015c0e | Stauros Kroustouris | } |
403 | f6015c0e | Stauros Kroustouris | |
404 | f6015c0e | Stauros Kroustouris | |
405 | f6015c0e | Stauros Kroustouris | restart_workers () { |
406 | f6015c0e | Stauros Kroustouris | $CELERYD_MULTI restart $CELERYD_NODES $DAEMON_OPTS \ |
407 | f6015c0e | Stauros Kroustouris | --pidfile="$CELERYD_PID_FILE" \ |
408 | f6015c0e | Stauros Kroustouris | --logfile="$CELERYD_LOG_FILE" \ |
409 | f6015c0e | Stauros Kroustouris | --loglevel="$CELERYD_LOG_LEVEL" \ |
410 | f6015c0e | Stauros Kroustouris | --cmd="$CELERYD" \ |
411 | f6015c0e | Stauros Kroustouris | $CELERYD_OPTS |
412 | f6015c0e | Stauros Kroustouris | } |
413 | f6015c0e | Stauros Kroustouris | |
414 | f6015c0e | Stauros Kroustouris | |
415 | f6015c0e | Stauros Kroustouris | |
416 | f6015c0e | Stauros Kroustouris | case "$1" in |
417 | f6015c0e | Stauros Kroustouris | start) |
418 | f6015c0e | Stauros Kroustouris | check_dev_null |
419 | f6015c0e | Stauros Kroustouris | start_workers |
420 | f6015c0e | Stauros Kroustouris | ;; |
421 | f6015c0e | Stauros Kroustouris | |
422 | f6015c0e | Stauros Kroustouris | stop) |
423 | f6015c0e | Stauros Kroustouris | check_dev_null |
424 | f6015c0e | Stauros Kroustouris | stop_workers |
425 | f6015c0e | Stauros Kroustouris | ;; |
426 | f6015c0e | Stauros Kroustouris | |
427 | f6015c0e | Stauros Kroustouris | reload|force-reload) |
428 | f6015c0e | Stauros Kroustouris | echo "Use restart" |
429 | f6015c0e | Stauros Kroustouris | ;; |
430 | f6015c0e | Stauros Kroustouris | |
431 | f6015c0e | Stauros Kroustouris | status) |
432 | f6015c0e | Stauros Kroustouris | $CELERYCTL status $CELERYCTL_OPTS |
433 | f6015c0e | Stauros Kroustouris | ;; |
434 | f6015c0e | Stauros Kroustouris | |
435 | f6015c0e | Stauros Kroustouris | restart) |
436 | f6015c0e | Stauros Kroustouris | check_dev_null |
437 | f6015c0e | Stauros Kroustouris | restart_workers |
438 | f6015c0e | Stauros Kroustouris | ;; |
439 | f6015c0e | Stauros Kroustouris | |
440 | f6015c0e | Stauros Kroustouris | try-restart) |
441 | f6015c0e | Stauros Kroustouris | check_dev_null |
442 | f6015c0e | Stauros Kroustouris | restart_workers |
443 | f6015c0e | Stauros Kroustouris | ;; |
444 | f6015c0e | Stauros Kroustouris | |
445 | f6015c0e | Stauros Kroustouris | *) |
446 | f6015c0e | Stauros Kroustouris | echo "Usage: /etc/init.d/celeryd {start|stop|restart|try-restart|kill}" |
447 | f6015c0e | Stauros Kroustouris | exit 1 |
448 | f6015c0e | Stauros Kroustouris | ;; |
449 | f6015c0e | Stauros Kroustouris | esac |
450 | f6015c0e | Stauros Kroustouris | |
451 | f6015c0e | Stauros Kroustouris | exit 0 |
452 | f6015c0e | Stauros Kroustouris | |
453 | f6015c0e | Stauros Kroustouris | celeryd configuration |
454 | f6015c0e | Stauros Kroustouris | ===================== |
455 | f6015c0e | Stauros Kroustouris | |
456 | f6015c0e | Stauros Kroustouris | celeryd requires a /etc/default/celeryd file to be in place. Thus we are |
457 | f6015c0e | Stauros Kroustouris | going to create this file (/etc/default/celeryd): |
458 | f6015c0e | Stauros Kroustouris | |
459 | f6015c0e | Stauros Kroustouris | vim /etc/default/celeryd |
460 | f6015c0e | Stauros Kroustouris | |
461 | f6015c0e | Stauros Kroustouris | Again if the directory conventions have been followed the file is (pay |
462 | f6015c0e | Stauros Kroustouris | attention to the CELERYD\_USER, CELERYD\_GROUP and change accordingly) : |
463 | f6015c0e | Stauros Kroustouris | |
464 | f6015c0e | Stauros Kroustouris | # Default: false |
465 | f6015c0e | Stauros Kroustouris | ENABLED="true" |
466 | f6015c0e | Stauros Kroustouris | |
467 | f6015c0e | Stauros Kroustouris | # Name of nodes to start, here we have a single node |
468 | f6015c0e | Stauros Kroustouris | CELERYD_NODES="w1" |
469 | f6015c0e | Stauros Kroustouris | # or we could have three nodes: |
470 | f6015c0e | Stauros Kroustouris | #CELERYD_NODES="w1 w2 w3" |
471 | f6015c0e | Stauros Kroustouris | |
472 | f6015c0e | Stauros Kroustouris | # Where to chdir at start. |
473 | f6015c0e | Stauros Kroustouris | CELERYD_CHDIR="/srv/flowspy" |
474 | f6015c0e | Stauros Kroustouris | # How to call "manage.py celeryd_multi" |
475 | f6015c0e | Stauros Kroustouris | CELERYD_MULTI="python $CELERYD_CHDIR/manage.py celeryd_multi" |
476 | f6015c0e | Stauros Kroustouris | |
477 | f6015c0e | Stauros Kroustouris | # How to call "manage.py celeryctl" |
478 | f6015c0e | Stauros Kroustouris | CELERYCTL="python $CELERYD_CHDIR/manage.py celeryctl" |
479 | f6015c0e | Stauros Kroustouris | |
480 | f6015c0e | Stauros Kroustouris | # Extra arguments to celeryd |
481 | f6015c0e | Stauros Kroustouris | #CELERYD_OPTS="--time-limit=300 --concurrency=8" |
482 | f6015c0e | Stauros Kroustouris | CELERYD_OPTS="-E -B --schedule=/var/run/celery/celerybeat-schedule --concurrency=1 --soft-time-limit=180 --time-limit=1800" |
483 | f6015c0e | Stauros Kroustouris | # Name of the celery config module. |
484 | f6015c0e | Stauros Kroustouris | CELERY_CONFIG_MODULE="celeryconfig" |
485 | f6015c0e | Stauros Kroustouris | |
486 | f6015c0e | Stauros Kroustouris | # %n will be replaced with the nodename. |
487 | f6015c0e | Stauros Kroustouris | CELERYD_LOG_FILE="/var/log/celery/fod_%n.log" |
488 | f6015c0e | Stauros Kroustouris | CELERYD_PID_FILE="/var/run/celery/%n.pid" |
489 | f6015c0e | Stauros Kroustouris | |
490 | f6015c0e | Stauros Kroustouris | CELERYD_USER="root" |
491 | f6015c0e | Stauros Kroustouris | CELERYD_GROUP="root" |
492 | f6015c0e | Stauros Kroustouris | |
493 | f6015c0e | Stauros Kroustouris | # Name of the projects settings module. |
494 | f6015c0e | Stauros Kroustouris | export DJANGO_SETTINGS_MODULE="flowspy.settings" |
495 | f6015c0e | Stauros Kroustouris | |
496 | f6015c0e | Stauros Kroustouris | Apache |
497 | f6015c0e | Stauros Kroustouris | ====== |
498 | f6015c0e | Stauros Kroustouris | |
499 | f6015c0e | Stauros Kroustouris | Apache proxies gunicorn. Things are more flexible here as you may follow |
500 | f6015c0e | Stauros Kroustouris | your own configuration and conventions. Create and edit |
501 | f6015c0e | Stauros Kroustouris | /etc/apache2/sites-available/fod. You should set \<server\_name\> and |
502 | f6015c0e | Stauros Kroustouris | \<admin\_mail\> along with your certificates. If under testing |
503 | f6015c0e | Stauros Kroustouris | environment, you can use the provided snakeoil certs. If you do not |
504 | f6015c0e | Stauros Kroustouris | intent to use Shibboleth delete or comment the corresponding |
505 | f6015c0e | Stauros Kroustouris | configuration parts inside **Shibboleth configuration** : |
506 | f6015c0e | Stauros Kroustouris | |
507 | f6015c0e | Stauros Kroustouris | vim /etc/apache2/sites-available/fod |
508 | f6015c0e | Stauros Kroustouris | |
509 | f6015c0e | Stauros Kroustouris | Again if the directory conventions have been followed the file should |
510 | f6015c0e | Stauros Kroustouris | be: |
511 | f6015c0e | Stauros Kroustouris | |
512 | f6015c0e | Stauros Kroustouris | <VirtualHost *:80> |
513 | f6015c0e | Stauros Kroustouris | ServerAdmin webmaster@localhost |
514 | f6015c0e | Stauros Kroustouris | ServerName fod.example.com |
515 | f6015c0e | Stauros Kroustouris | DocumentRoot /var/www |
516 | f6015c0e | Stauros Kroustouris | |
517 | f6015c0e | Stauros Kroustouris | ErrorLog ${APACHE_LOG_DIR}/fod_error.log |
518 | f6015c0e | Stauros Kroustouris | |
519 | f6015c0e | Stauros Kroustouris | # Possible values include: debug, info, notice, warn, error, crit, |
520 | f6015c0e | Stauros Kroustouris | # alert, emerg. |
521 | f6015c0e | Stauros Kroustouris | LogLevel debug |
522 | f6015c0e | Stauros Kroustouris | |
523 | f6015c0e | Stauros Kroustouris | CustomLog ${APACHE_LOG_DIR}/fod_access.log combined |
524 | f6015c0e | Stauros Kroustouris | |
525 | f6015c0e | Stauros Kroustouris | Alias /static /srv/flowspy/static |
526 | f6015c0e | Stauros Kroustouris | RewriteEngine On |
527 | f6015c0e | Stauros Kroustouris | RewriteCond %{HTTPS} off |
528 | f6015c0e | Stauros Kroustouris | RewriteRule ^/(.*) https://fod.example.com/$1 [L,R] |
529 | f6015c0e | Stauros Kroustouris | </VirtualHost> |
530 | f6015c0e | Stauros Kroustouris | |
531 | f6015c0e | Stauros Kroustouris | <VirtualHost *:443> |
532 | f6015c0e | Stauros Kroustouris | ServerName fod.example.com |
533 | f6015c0e | Stauros Kroustouris | ServerAdmin webmaster@localhost |
534 | f6015c0e | Stauros Kroustouris | ServerSignature On |
535 | f6015c0e | Stauros Kroustouris | |
536 | f6015c0e | Stauros Kroustouris | SSLEngine on |
537 | f6015c0e | Stauros Kroustouris | SSLCertificateFile /etc/ssl/certs/fod.example.com.crt |
538 | f6015c0e | Stauros Kroustouris | SSLCertificateChainFile /etc/ssl/certs/example-chain.pem |
539 | f6015c0e | Stauros Kroustouris | SSLCertificateKeyFile /etc/ssl/private/fod.example.com.key |
540 | f6015c0e | Stauros Kroustouris | |
541 | f6015c0e | Stauros Kroustouris | AddDefaultCharset UTF-8 |
542 | f6015c0e | Stauros Kroustouris | IndexOptions +Charset=UTF-8 |
543 | f6015c0e | Stauros Kroustouris | |
544 | f6015c0e | Stauros Kroustouris | ShibConfig /etc/shibboleth/shibboleth2.xml |
545 | f6015c0e | Stauros Kroustouris | Alias /shibboleth-sp /usr/share/shibboleth |
546 | f6015c0e | Stauros Kroustouris | |
547 | f6015c0e | Stauros Kroustouris | |
548 | f6015c0e | Stauros Kroustouris | <Location /login> |
549 | f6015c0e | Stauros Kroustouris | AuthType shibboleth |
550 | f6015c0e | Stauros Kroustouris | ShibRequireSession On |
551 | f6015c0e | Stauros Kroustouris | ShibUseHeaders On |
552 | f6015c0e | Stauros Kroustouris | ShibRequestSetting entityID https://idp.example.com/idp/shibboleth |
553 | f6015c0e | Stauros Kroustouris | require valid-user |
554 | f6015c0e | Stauros Kroustouris | </Location> |
555 | f6015c0e | Stauros Kroustouris | |
556 | f6015c0e | Stauros Kroustouris | # Shibboleth debugging CGI script |
557 | f6015c0e | Stauros Kroustouris | ScriptAlias /shibboleth/test /usr/lib/cgi-bin/shibtest.cgi |
558 | f6015c0e | Stauros Kroustouris | <Location /shibboleth/test> |
559 | f6015c0e | Stauros Kroustouris | AuthType shibboleth |
560 | f6015c0e | Stauros Kroustouris | ShibRequireSession On |
561 | f6015c0e | Stauros Kroustouris | ShibUseHeaders On |
562 | f6015c0e | Stauros Kroustouris | require valid-user |
563 | f6015c0e | Stauros Kroustouris | </Location> |
564 | f6015c0e | Stauros Kroustouris | |
565 | f6015c0e | Stauros Kroustouris | <Location /Shibboleth.sso> |
566 | f6015c0e | Stauros Kroustouris | SetHandler shib |
567 | f6015c0e | Stauros Kroustouris | </Location> |
568 | f6015c0e | Stauros Kroustouris | |
569 | f6015c0e | Stauros Kroustouris | # Shibboleth SP configuration |
570 | f6015c0e | Stauros Kroustouris | |
571 | f6015c0e | Stauros Kroustouris | #SetEnv proxy-sendchunked |
572 | f6015c0e | Stauros Kroustouris | |
573 | f6015c0e | Stauros Kroustouris | <Proxy *> |
574 | f6015c0e | Stauros Kroustouris | Order allow,deny |
575 | f6015c0e | Stauros Kroustouris | Allow from all |
576 | f6015c0e | Stauros Kroustouris | </Proxy> |
577 | f6015c0e | Stauros Kroustouris | |
578 | f6015c0e | Stauros Kroustouris | SSLProxyEngine off |
579 | f6015c0e | Stauros Kroustouris | ProxyErrorOverride off |
580 | f6015c0e | Stauros Kroustouris | ProxyTimeout 28800 |
581 | f6015c0e | Stauros Kroustouris | ProxyPass /static ! |
582 | f6015c0e | Stauros Kroustouris | ProxyPass /shibboleth ! |
583 | f6015c0e | Stauros Kroustouris | ProxyPass /Shibboleth.sso ! |
584 | f6015c0e | Stauros Kroustouris | |
585 | f6015c0e | Stauros Kroustouris | ProxyPass / http://localhost:8081/ retry=0 |
586 | f6015c0e | Stauros Kroustouris | ProxyPassReverse / http://localhost:8081/ |
587 | f6015c0e | Stauros Kroustouris | |
588 | f6015c0e | Stauros Kroustouris | Alias /static /srv/flowspy/static |
589 | f6015c0e | Stauros Kroustouris | |
590 | f6015c0e | Stauros Kroustouris | LogLevel warn |
591 | f6015c0e | Stauros Kroustouris | |
592 | f6015c0e | Stauros Kroustouris | Now, enable your site. You might want to disable the default site if fod |
593 | f6015c0e | Stauros Kroustouris | is the only site you host on your server: |
594 | f6015c0e | Stauros Kroustouris | |
595 | f6015c0e | Stauros Kroustouris | a2dissite default |
596 | f6015c0e | Stauros Kroustouris | a2ensite fod |
597 | f6015c0e | Stauros Kroustouris | |
598 | f6015c0e | Stauros Kroustouris | You are not far away from deploying FoD. When asked for a super user, |
599 | f6015c0e | Stauros Kroustouris | create one: |
600 | f6015c0e | Stauros Kroustouris | |
601 | f6015c0e | Stauros Kroustouris | cd /srv/flowspy |
602 | f6015c0e | Stauros Kroustouris | python manage.py syncdb |
603 | f6015c0e | Stauros Kroustouris | python manage.py migrate longerusername |
604 | f6015c0e | Stauros Kroustouris | python manage.py migrate flowspec |
605 | f6015c0e | Stauros Kroustouris | python manage.py migrate djcelery |
606 | f6015c0e | Stauros Kroustouris | python manage.py migrate accounts |
607 | f6015c0e | Stauros Kroustouris | python manage.py migrate |
608 | f6015c0e | Stauros Kroustouris | |
609 | f6015c0e | Stauros Kroustouris | If you have not changed the values of the PEER\_\*\_TABLE variables to |
610 | f6015c0e | Stauros Kroustouris | False and thus you are going for a default installation (that is |
611 | f6015c0e | Stauros Kroustouris | PEER\_\*\_TABLE variables are set to True) , then run: |
612 | f6015c0e | Stauros Kroustouris | |
613 | f6015c0e | Stauros Kroustouris | python manage.py migrate peers |
614 | f6015c0e | Stauros Kroustouris | |
615 | f6015c0e | Stauros Kroustouris | If however you have set the PEER\_\*\_TABLE variables to False and by |
616 | f6015c0e | Stauros Kroustouris | accident you have ran the command above, then you have to cleanup you |
617 | f6015c0e | Stauros Kroustouris | database manually by dropping the peer\* tables plus the techc\_email |
618 | f6015c0e | Stauros Kroustouris | table. For MySQL the command is: |
619 | f6015c0e | Stauros Kroustouris | |
620 | f6015c0e | Stauros Kroustouris | DROP TABLE `peer`, `peer_networks`, `peer_range`, `peer_techc_emails`, techc_email; |
621 | f6015c0e | Stauros Kroustouris | |
622 | f6015c0e | Stauros Kroustouris | Restart, gunicorn and apache: |
623 | f6015c0e | Stauros Kroustouris | |
624 | f6015c0e | Stauros Kroustouris | service gunicorn restart && service apache2 restart |
625 | f6015c0e | Stauros Kroustouris | |
626 | f6015c0e | Stauros Kroustouris | Propagate the flatpages |
627 | f6015c0e | Stauros Kroustouris | ======================= |
628 | f6015c0e | Stauros Kroustouris | |
629 | f6015c0e | Stauros Kroustouris | Inside the initial\_data/fixtures\_manual.xml file we have placed 4 |
630 | f6015c0e | Stauros Kroustouris | flatpages (2 for Greek, 2 for English) with Information and Terms of |
631 | f6015c0e | Stauros Kroustouris | Service about the service. To import the flatpages, run from root |
632 | f6015c0e | Stauros Kroustouris | folder: |
633 | f6015c0e | Stauros Kroustouris | |
634 | f6015c0e | Stauros Kroustouris | python manage.py loaddata initial_data/fixtures_manual.xml |
635 | f6015c0e | Stauros Kroustouris | |
636 | f6015c0e | Stauros Kroustouris | Testing the platform |
637 | f6015c0e | Stauros Kroustouris | ==================== |
638 | f6015c0e | Stauros Kroustouris | |
639 | f6015c0e | Stauros Kroustouris | Log in to the admin interface via [https:\\/\\/][]\<hostname\>/admin. Go |
640 | f6015c0e | Stauros Kroustouris | to Peer ranges and add a new range (part of/or a complete subnet), eg. |
641 | f6015c0e | Stauros Kroustouris | 10.20.0.0/19 Go to Peers and add a new peer, eg. id: 1, name: Test, AS: |
642 | f6015c0e | Stauros Kroustouris | 16503, tag: TEST and move the network you have created from Avalable to |
643 | f6015c0e | Stauros Kroustouris | Chosen. From the admin front, go to User, and edit your user. From the |
644 | f6015c0e | Stauros Kroustouris | bottom of the page, select the TEST peer and save. Last but not least, |
645 | f6015c0e | Stauros Kroustouris | modify as required the existing (example.com) Site instance (admin |
646 | f6015c0e | Stauros Kroustouris | home-\>Sites). You are done. As you are logged-in via the admin, there |
647 | f6015c0e | Stauros Kroustouris | is no need to go through Shibboleth at this time. Go to |
648 | f6015c0e | Stauros Kroustouris | [https:\\/\\/][]\<hostname\>/ and create a new rule. Your rule should be |
649 | f6015c0e | Stauros Kroustouris | applied on the flowspec capable device after aprox. 10 seconds. If no |
650 | f6015c0e | Stauros Kroustouris | Shibboleth authentication is available, a |
651 | f6015c0e | Stauros Kroustouris | [https:\\/\\/][]\<hostname\>/altlogin is provided. |
652 | f6015c0e | Stauros Kroustouris | |
653 | f6015c0e | Stauros Kroustouris | Branding |
654 | f6015c0e | Stauros Kroustouris | ======== |
655 | f6015c0e | Stauros Kroustouris | |
656 | f6015c0e | Stauros Kroustouris | Via the admin interface you can modify flatpages to suit your needs |
657 | f6015c0e | Stauros Kroustouris | |
658 | f6015c0e | Stauros Kroustouris | Footer |
659 | f6015c0e | Stauros Kroustouris | ------ |
660 | f6015c0e | Stauros Kroustouris | |
661 | f6015c0e | Stauros Kroustouris | Under the templates folder (templates), you can alter the footer.html |
662 | f6015c0e | Stauros Kroustouris | file to include your own footer messages, badges, etc. |
663 | f6015c0e | Stauros Kroustouris | |
664 | f6015c0e | Stauros Kroustouris | Welcome Page |
665 | f6015c0e | Stauros Kroustouris | ------------ |
666 | f6015c0e | Stauros Kroustouris | |
667 | f6015c0e | Stauros Kroustouris | Under the templates folder (templates), you can alter the welcome page - |
668 | f6015c0e | Stauros Kroustouris | welcome.html with your own images, carousel, videos, etc. |
669 | f6015c0e | Stauros Kroustouris | |
670 | f6015c0e | Stauros Kroustouris | Usage |
671 | f6015c0e | Stauros Kroustouris | ====== |
672 | f6015c0e | Stauros Kroustouris | |
673 | f6015c0e | Stauros Kroustouris | Web interface |
674 | f6015c0e | Stauros Kroustouris | ------------------------- |
675 | f6015c0e | Stauros Kroustouris | FoD comes with a web interface, in which one can edit and apply new routes. |
676 | f6015c0e | Stauros Kroustouris | |
677 | f6015c0e | Stauros Kroustouris | Rest Api |
678 | f6015c0e | Stauros Kroustouris | -------------- |
679 | f6015c0e | Stauros Kroustouris | |
680 | f6015c0e | Stauros Kroustouris | There is a rest api available in /api/v1/. One can set new rules or see the applied ones by using it. |
681 | f6015c0e | Stauros Kroustouris | |
682 | f6015c0e | Stauros Kroustouris |