Okupy/Installation

From Gentoo Wiki
< Okupy
Jump to: navigation, search
Warning
This article has been flagged as dirty for not conforming to the wiki guidelines. It is now grouped in the list of articles that need formatting improvements.

Development environment

Repositories

Dependencies

Get the dependencies (choose one of the followings):

With pip

  • Optional: setup virtualenv
  • Install the dependencies:
user $pip install -r requirements/base.txt --use-mirrors

With setup.py

  • Optional: setup virtualenv
  • Install the dependencies:
user $./setup.py install

With emerge (Gentoo-specific)

root #eselect repository add okupy git https://github.com/tampakrap/okupy-overlay.git
root #emerge --sync okupy
  • Install the dependencies:
root #ACCEPT_KEYWORDS="**" emerge --onlydeps okupy

Configuration

  • Copy the sample settings files:
user $cd identity.gentoo.org
user $cp okupy/settings/development.py.sample okupy/settings/development.py
user $cp okupy/settings/local_settings.py.sample okupy/settings/local_settings.py
  • Edit development.py:
    • In STATICFILES_DIRS, replace /path/to/gentoo-identity-bootstrap with the absolute path that you cloned the gentoo-identity-bootstrap repository earlier
  • Edit local_settings.py
  • Configure Memcached
  • Sync the database:
user $python manage.py syncdb

Production environment

  • Create the dedicated user that will run okupy
root #useradd -m okupy
  • Perform the same setup as for Development environment (using the okupy user)

uWSGI setup

  • Install www-servers/uwsgi with USE=python
  • Copy /etc/conf.d/uwsgi to /etc/conf.d/uwsgi.okupy
  • Put the following options in /etc/conf.d/uwsgi.okupy
FILE /etc/conf.d/uwsgi.okupy
  UWSGI_SOCKET=/home/okupy/okupy.wsgi
  UWSGI_LOG_FILE=/home/okupy/uwsgi.okupy.log
  UWSGI_DIR=/home/okupy/identity.gentoo.org
  UWSGI_USER=okupy
  UWSGI_GROUP=okupy
  # buffer-size is necessary to pass SSL certificates
  UWSGI_EXTRA_OPTIONS='--buffer-size 65536 --plugins python27 --wsgi okupy.wsgi'
  • Symlink to /etc/init.d/uwsgi from /etc/init.d/uwsgi.okupy, and start it:
root #ln -s /etc/init.d/uwsgi /etc/init.d/uwsgi.okupy
root #/etc/init.d/uwsgi.okupy start

NGINX setup

root #emerge --ask --verbose www-servers/nginx
  • Copy the server certificates and private keys to /etc/ssl/nginx/
  • Concatenate all the allowed CA certificates for client auth:
root #cat /etc/ssl/* > /etc/ssl/nginx/all_certs.pem
  • Add the following options in /etc/nginx/nginx.conf
FILE /etc/nginx/nginx.conf
 http {
     ssl_session_cache  shared:SSL:10m;
 
     upstream okupy {
       # connect to uWSGI
       server unix:///home/okupy/okupy.wsgi;
     }
 
     server {
         listen 0.0.0.0;
         server_name identity.tampakrap.gr;
 
         access_log /var/log/nginx/localhost.access_log main;
         error_log /var/log/nginx/localhost.error_log info;
 
         root /var/www/localhost/htdocs;
 
         # redirect all http traffic to https://
         location / {
             rewrite     ^ https://$http_HOST$request_uri permanent;
         }
     }
 
     server {
         listen 0.0.0.0:443;
         server_name identity.tampakrap.gr;
 
         ssl on;
         # certificates for the main domain
         ssl_certificate /etc/ssl/nginx/identity_tampakrap_gr_cacert.crt;
         ssl_certificate_key /etc/ssl/nginx/identity_tampakrap_gr.key;
         ssl_session_timeout 10m;
 
         access_log /var/log/nginx/localhost.ssl_access_log main;
         error_log /var/log/nginx/localhost.ssl_error_log info;
 
         root /var/www/localhost/htdocs;
 
         location /static {
             alias /home/identity/identity.gentoo.org/static;
         }
 
         location / {
             uwsgi_pass okupy;
             include /etc/nginx/uwsgi_params;
         }
     }
 
     server {
         listen 0.0.0.0:443;
         server_name auth.identity.tampakrap.gr;
 
         ssl on;
         # certificates for auth. subdomain
         ssl_certificate /etc/ssl/nginx/auth_identity_tampakrap_gr_cacert.crt;
         ssl_certificate_key /etc/ssl/nginx/auth_identity_tampakrap_gr.key;
         ssl_client_certificate /etc/ssl/nginx/all_certs.pem;
 
         # verify_client == ask for user certificate
         ssl_session_timeout 30s;
         ssl_verify_client optional;
 
         access_log /var/log/nginx/localhost.ssl_access_log main;
         error_log /var/log/nginx/localhost.ssl_error_log info;
 
         root /var/www/localhost/htdocs;
 
         location /static {
             alias /home/identity/identity.gentoo.org/static;
         }
 
         location / {
             uwsgi_pass okupy;
             include /etc/nginx/uwsgi_params;
 
             # pass certificate verification result
             # and the certificate (so we could extract e-mails)
             uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
             uwsgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;
         }
     }
 }

Additional

virtualenv

  • Install virtualenv (replace the following command with an equivalent in case you are working in a non-Gentoo distro)
root #emerge -av dev-python/virtualenv
root #virtualenv .virtualenv
root #source .virtualenv/bin/activate
  • The .virtualenv directory is already in .gitignore, so please prefer this name
  • The deactivate command will exit the virtual environment

memcached

  • Copy /etc/conf.d/memcached to /etc/conf.d/memcached.okupy
root #cp /etc/conf.d/memcached /etc/conf.d/memcached.okupy
  • Symlink /etc/init.d/memcached.okupy to /etc/init.d/memcached
root #ln -s /etc/init.d/memcached /etc/init.d/memcached.okupy
  • Put the following data in /etc/conf.d/memcached.okupy:
FILE /etc/conf.d/memcached.okupy
# The user that will be running okupy
MEMCACHED_RUNAS="okupy"
# disable TCP/IP
LISTENON=""
PORT=""
# enable UNIX socket (put correct path here as well)
MISC_OPTS="-s /home/okupy/memcached.sock"
  • edit okupy/settings/local.py and put the same path in CACHES:
FILE okupy/settings/local.py
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': 'unix://home/okupy/memcached.sock',
    }
}
  • Start memcached
root #/etc/init.d/memcached.okupy start

OpenLDAP

OpenLDAP Server

  • (TODO)

OpenLDAP client only

  • We have a testing instance on ldap://evidence.tampakrap.gr
  • Contact tampakrap to get the certificates and the rootDN credentials
  • Install OpenLDAP package:
    • In Gentoo:
root #echo net-nds/openldap minimal >> /etc/portage/package.use/okupy
root #emerge --ask --verbose openldap
  • Put the certificates in /etc/openldap/ssl
  • Put the following content in /etc/openldap/ldap.conf:
FILE /etc/openldap/ldap.conf
BASE        dc=tampakrap, dc=gr
SIZELIMIT   0
TIMELIMIT   10
TLS_REQCERT demand
TLS_CACERT  /etc/openldap/ssl/cacert.pem
TLS_CERT    /etc/openldap/ssl/evidence.tampakrap.gr.crt
TLS_KEY     /etc/openldap/ssl/evidence.tampakrap.gr.key
URI         ldap://evidence.tampakrap.gr
  • In settings/local.py:
FILE settings/local.py
AUTH_LDAP_SERVER_URI = 'ldap://evidence.tampakrap.gr'
 
AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_X_TLS_DEMAND: False,
}
 
AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''
 
AUTH_LDAP_ADMIN_BIND_DN = '(the rootDN you got from tampakrap)'
AUTH_LDAP_ADMIN_BIND_PASSWORD = '(the rootpw you got from tampakrap)'
 
AUTH_LDAP_USER_ATTR = 'uid'
AUTH_LDAP_USER_BASE_DN = 'ou=users,dc=tampakrap,dc=gr'
 
AUTH_LDAP_PERMIT_EMPTY_PASSWORD = False
 
AUTH_LDAP_START_TLS = True
 
# objectClasses that are used by any user
AUTH_LDAP_USER_OBJECTCLASS = ['top', 'person', 'organizationalPerson',
                               'inetOrgPerson', 'posixAccount', 'shadowAccount',
                               'ldapPublicKey', 'gentooGroup']
# additional objectClasses that are used by developers
AUTH_LDAP_DEV_OBJECTCLASS = ['gentooDevGroup']