Okupy/Installation
From Gentoo Wiki
< Okupy
Warning
This article has been flagged as dirty for not conforming to the wiki guidelines. It is now grouped in the list of articles that need formatting improvements.
This article has been flagged as dirty for not conforming to the wiki guidelines. It is now grouped in the list of articles that need formatting improvements.
Development environment
Repositories
- Clone somewhere the gentoo-identity-bootstrap repository:
user $git clone git://github.com/dastergon/gentoo-identity-bootstrap- Clone (in a different directory) the identity.gentoo.org repository:
user $git clone git://github.com/gentoo/identity.gentoo.orgDependencies
Get the dependencies (choose one of the followings):
With pip
- Optional: setup virtualenv
- Install the dependencies:
user $pip install -r requirements/base.txt --use-mirrorsWith setup.py
- Optional: setup virtualenv
- Install the dependencies:
user $./setup.py installWith emerge (Gentoo-specific)
- Add the okupy overlay:
root #eselect repository add okupy git https://github.com/tampakrap/okupy-overlay.git
root #emerge --sync okupy- Install the dependencies:
root #ACCEPT_KEYWORDS="**" emerge --onlydeps okupyConfiguration
- Copy the sample settings files:
user $cd identity.gentoo.org
user $cp okupy/settings/development.py.sample okupy/settings/development.py
user $cp okupy/settings/local_settings.py.sample okupy/settings/local_settings.py
- Edit development.py:
- In STATICFILES_DIRS, replace /path/to/gentoo-identity-bootstrap with the absolute path that you cloned the gentoo-identity-bootstrap repository earlier
- Edit local_settings.py
- Add sqlite3 db (sufficient for testing)
- Add LDAP configuration (if applicable)
- Configure Memcached
- Sync the database:
user $python manage.py syncdbProduction environment
- Create the dedicated user that will run okupy
root #useradd -m okupy- Perform the same setup as for Development environment (using the okupy user)
uWSGI setup
- Install www-servers/uwsgi with USE=python
- Copy /etc/conf.d/uwsgi to /etc/conf.d/uwsgi.okupy
- Put the following options in /etc/conf.d/uwsgi.okupy
FILE
/etc/conf.d/uwsgi.okupyUWSGI_SOCKET=/home/okupy/okupy.wsgi UWSGI_LOG_FILE=/home/okupy/uwsgi.okupy.log UWSGI_DIR=/home/okupy/identity.gentoo.org UWSGI_USER=okupy UWSGI_GROUP=okupy # buffer-size is necessary to pass SSL certificates UWSGI_EXTRA_OPTIONS='--buffer-size 65536 --plugins python27 --wsgi okupy.wsgi'
- Symlink to /etc/init.d/uwsgi from /etc/init.d/uwsgi.okupy, and start it:
root #ln -s /etc/init.d/uwsgi /etc/init.d/uwsgi.okupy
root #/etc/init.d/uwsgi.okupy startNGINX setup
- Install www-servers/nginx
root #emerge --ask --verbose www-servers/nginx- Copy the server certificates and private keys to /etc/ssl/nginx/
- Concatenate all the allowed CA certificates for client auth:
root #cat /etc/ssl/* > /etc/ssl/nginx/all_certs.pem- Add the following options in /etc/nginx/nginx.conf
FILE
/etc/nginx/nginx.conf http {
ssl_session_cache shared:SSL:10m;
upstream okupy {
# connect to uWSGI
server unix:///home/okupy/okupy.wsgi;
}
server {
listen 0.0.0.0;
server_name identity.tampakrap.gr;
access_log /var/log/nginx/localhost.access_log main;
error_log /var/log/nginx/localhost.error_log info;
root /var/www/localhost/htdocs;
# redirect all http traffic to https://
location / {
rewrite ^ https://$http_HOST$request_uri permanent;
}
}
server {
listen 0.0.0.0:443;
server_name identity.tampakrap.gr;
ssl on;
# certificates for the main domain
ssl_certificate /etc/ssl/nginx/identity_tampakrap_gr_cacert.crt;
ssl_certificate_key /etc/ssl/nginx/identity_tampakrap_gr.key;
ssl_session_timeout 10m;
access_log /var/log/nginx/localhost.ssl_access_log main;
error_log /var/log/nginx/localhost.ssl_error_log info;
root /var/www/localhost/htdocs;
location /static {
alias /home/identity/identity.gentoo.org/static;
}
location / {
uwsgi_pass okupy;
include /etc/nginx/uwsgi_params;
}
}
server {
listen 0.0.0.0:443;
server_name auth.identity.tampakrap.gr;
ssl on;
# certificates for auth. subdomain
ssl_certificate /etc/ssl/nginx/auth_identity_tampakrap_gr_cacert.crt;
ssl_certificate_key /etc/ssl/nginx/auth_identity_tampakrap_gr.key;
ssl_client_certificate /etc/ssl/nginx/all_certs.pem;
# verify_client == ask for user certificate
ssl_session_timeout 30s;
ssl_verify_client optional;
access_log /var/log/nginx/localhost.ssl_access_log main;
error_log /var/log/nginx/localhost.ssl_error_log info;
root /var/www/localhost/htdocs;
location /static {
alias /home/identity/identity.gentoo.org/static;
}
location / {
uwsgi_pass okupy;
include /etc/nginx/uwsgi_params;
# pass certificate verification result
# and the certificate (so we could extract e-mails)
uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;
}
}
}
Additional
virtualenv
- Install virtualenv (replace the following command with an equivalent in case you are working in a non-Gentoo distro)
root #emerge -av dev-python/virtualenv
root #virtualenv .virtualenv
root #source .virtualenv/bin/activate- The .virtualenv directory is already in .gitignore, so please prefer this name
- The deactivate command will exit the virtual environment
memcached
- Copy /etc/conf.d/memcached to /etc/conf.d/memcached.okupy
root #cp /etc/conf.d/memcached /etc/conf.d/memcached.okupy- Symlink /etc/init.d/memcached.okupy to /etc/init.d/memcached
root #ln -s /etc/init.d/memcached /etc/init.d/memcached.okupy- Put the following data in /etc/conf.d/memcached.okupy:
FILE
/etc/conf.d/memcached.okupy# The user that will be running okupy MEMCACHED_RUNAS="okupy" # disable TCP/IP LISTENON="" PORT="" # enable UNIX socket (put correct path here as well) MISC_OPTS="-s /home/okupy/memcached.sock"
- edit okupy/settings/local.py and put the same path in CACHES:
FILE
okupy/settings/local.pyCACHES = { 'default': { 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', 'LOCATION': 'unix://home/okupy/memcached.sock', } }
- Start memcached
root #/etc/init.d/memcached.okupy startOpenLDAP
OpenLDAP Server
- (TODO)
OpenLDAP client only
- We have a testing instance on ldap://evidence.tampakrap.gr
- Contact tampakrap to get the certificates and the rootDN credentials
- Install OpenLDAP package:
- In Gentoo:
root #echo net-nds/openldap minimal >> /etc/portage/package.use/okupy
root #emerge --ask --verbose openldap- Put the certificates in /etc/openldap/ssl
- Put the following content in /etc/openldap/ldap.conf:
FILE
/etc/openldap/ldap.confBASE dc=tampakrap, dc=gr SIZELIMIT 0 TIMELIMIT 10 TLS_REQCERT demand TLS_CACERT /etc/openldap/ssl/cacert.pem TLS_CERT /etc/openldap/ssl/evidence.tampakrap.gr.crt TLS_KEY /etc/openldap/ssl/evidence.tampakrap.gr.key URI ldap://evidence.tampakrap.gr
- In settings/local.py:
FILE
settings/local.pyAUTH_LDAP_SERVER_URI = 'ldap://evidence.tampakrap.gr' AUTH_LDAP_CONNECTION_OPTIONS = { ldap.OPT_X_TLS_DEMAND: False, } AUTH_LDAP_BIND_DN = '' AUTH_LDAP_BIND_PASSWORD = '' AUTH_LDAP_ADMIN_BIND_DN = '(the rootDN you got from tampakrap)' AUTH_LDAP_ADMIN_BIND_PASSWORD = '(the rootpw you got from tampakrap)' AUTH_LDAP_USER_ATTR = 'uid' AUTH_LDAP_USER_BASE_DN = 'ou=users,dc=tampakrap,dc=gr' AUTH_LDAP_PERMIT_EMPTY_PASSWORD = False AUTH_LDAP_START_TLS = True # objectClasses that are used by any user AUTH_LDAP_USER_OBJECTCLASS = ['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'shadowAccount', 'ldapPublicKey', 'gentooGroup'] # additional objectClasses that are used by developers AUTH_LDAP_DEV_OBJECTCLASS = ['gentooDevGroup']