From ae0c33b1f1ca842d153ad011ae94d6a4c95c0f77 Mon Sep 17 00:00:00 2001 From: Martin Polanka Date: Tue, 15 Nov 2016 21:52:29 +0100 Subject: [PATCH] installation now have separate page --- Installation.md | 105 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 104 insertions(+), 1 deletion(-) diff --git a/Installation.md b/Installation.md index f34d65b..62e0f3d 100644 --- a/Installation.md +++ b/Installation.md 
@@ -1 +1,104 @@ -# Installation \ No newline at end of file +# Installation + +Installation of whole ReCodEx solution is a very complex process. It is recommended to have good unix skills with basic knowledge of project architecture. + +There are a lot of different GNU/Linux distributions with different package management, naming convention and version release policies. So it is impossible to cover all of the possible variants. We picked one distribution, which is fully supported by automatic installation script, for others there are brief information about installation in every project component's own chapter. + +Distribution of our choice is CentOS, currently in version 7. It is a well known server distribution, derived from enterprise distrubution from Red Hat, so it is very stable and widely used system with long term support. There are [EPEL](https://fedoraproject.org/wiki/EPEL) additional repositories from Fedora project, which adds newer versions of some packages into CentOS, which allows us to use current environment. Also, _rpm_ packages are much easier to build (for example from Python sources) and maintain. + +The big rival of CentOS in server distributions field is Debian. We are running one instance of ReCodEx on Debian too. You need to use _testing_ repositories to use some decent package versions. It is easy to mess your system easily, so create file `/etc/apt/apt.conf` with content of `APT::Default-Release "stable";`. After you add testing repos to `/etc/apt/sources.list`, you can install packages from there like `$ sudo apt-get -t testing install gcc`. + +Some components are also capable of running in Windows environment. However setting up Windows OS is a little bit of pain and it is not supposed to run ReCodEx in this way. Only worker component may be needed to run on Windows, so we are providing clickable installer including dependencies. 
Just for info, all components should be able to run on Windows, only broker was not tested and may require small tweaks to properly work. + +## Ansible installer + +For automatic installation is used set of Ansible scripts. Ansible is one of the best known and used tools for automatic server management. It is required only to have SSH access to the server and ansible installed on the client machine. For further reading is supposed basic Ansible knowledge. For more info check their [documentation](http://docs.ansible.com/ansible/intro.html). + +All Ansible scripts are located in _utils_ repository, _installation_ [directory](https://github.com/ReCodEx/utils/tree/master/installation). Ansible files are pretty self-describing, they can be also use as template for installation to different systems. Before installation itself it is required to edit two files -- set addresses of hosts and values of some variables. + +### Hosts configuration + +First, it is needed to set ip addresses of your computers. Common practise is to have multiple files with definitions, one for development, another for production for example. Example configuration is in _development_ file. Each component of ReCodEx project can be installed on different server. Hosts can be specified as hostnames or ip addresses, optionally with port of SSH after colon. + +Shorten example of hosts config: + +``` +[workers] +127.0.0.1:22 + +[broker] +127.0.0.1:22 + +[all:children] +workers +broker +``` + +### Variables + +Configurable variables are saved in _group_vars/all.yml_ file. Syntax is basic key-value pair per line, separated by colon. Values with brief description: + +- _source_dir_ -- Directory, where to store all sources from GitHub. Defaults `/opt/recodex`. +- _mysql_root_password_ -- Password of root user of MySQL database. Will be set after installation and saved to `/root/.my.cnf` file. +- _mysql_recodex_username_ -- MySQL username for ReCodEx API access. 
+- _mysql_recodex_password_ -- Password for the user above. +- _admin_email_ -- Email of administrator. Used when configuring Apache webserver. +- _recodex_hostname -- Hostname where the API and web app will be accessible. For example "recodex.projekty.ms.mff.cuni.cz". +- _webapp_node_addr_ -- IP address of NodeJS server running web app. Defaults to "127.0.0.1" and should not be changed. +- _webapp_node_port_ -- Port to above. +- _webapp_public_addr_ -- Public address, where web server for web app will listen. Defaults to "*". +- _webapp_public_port_ -- Port to above. +- _webapp_firewall_ -- Open port for web app in firewall, values "yes" or "no". +- _webapi_public_endpoint_ -- Public URL when the API will be running, for example "https://recodex.projekty.ms.mff.cuni.cz:4000/v1". +- _webapi_public_addr_ -- Public address, where web server for API will listen. Defaults to "*". +- _webapi_public_port_ -- Port to above. +- _webapi_firewall_ -- Open port for API in firewall, values "yes" or "no". +- _database_firewall_ -- Open port for database in firewall, values "yes" or "no". +- _broker_to_webapi_addr_ -- Address, where API can reach broker. Private one is recommended. +- _broker_to_webapi_port_ -- Port to above. +- _broker_firewall_api_ -- Open above port in firewall, "yes" or "no". +- _broker_to_workers_addr_ -- Address, where workers can reach broker. Private one is recommended. +- _broker_to_workers_port_ -- Port to above. +- _broker_firewall_workers_ -- Open above port in firewall, "yes" or "no". +- _broker_notifier_address_ -- URL (on API), where broker will send notifications, for example "https://recodex.projekty.ms.mff.cuni.cz/v1/broker-reports". 
+- _broker_notifier_port_ -- Port to above, should be the same as for API itself (_webapi_public_port_) +- _broker_notifier_username_ -- Username for HTTP Authentication for reports +- _broker_notifier_password_ -- Password for HTTP Authentication for reporst +- _monitor_websocket_addr_ -- Address, where websocket connection from monitor will be available +- _monitor_websocket_port_ -- Port to above. +- _monitor_firewall_websocket_ -- Open above port in firewall, "yes" or "no". +- _monitor_zeromq_addr_ -- Address, where monitor will be available on ZeroMQ socket for broker to receive reports. +- _monitor_zeromq_port_ -- Port to above. +- _monitor_firewall_zeromq_ -- Open above port in firewall, "yes" or "no". +- _fileserver_addr_ -- Address, where fileserver will serve files. +- _fileserver_port_ -- Port to above. +- _fileserver_firewall_ -- Open above port in firewall, "yes" or "no". +- _fileserver_username_ -- Username for HTTP Authentication for access the fileserver. +- _fileserver_password_ -- Password for HTTP Authentication for access the fileserver. +- _worker_cache_dir_ -- File cache storage for workers. Defaults to "/tmp/recodex/cache". +- _worker_cache_age_ -- How long hold fetched files in worker cache, in seconds. +- _isolate_version_ -- Git tag of Isolate version worker depends on. + +### Installation itself + +With your computers installed with CentOS and configuration modified it is time to run the installation. + +``` +$ ansible-playbook -i development recodex.yml +``` + +This command installs all components of ReCodEx onto machines listed in _development_ file. It is possible to install only specified parts of project, just use component's YAML file instead of _recodex.yml_. + +Ansible expects to have password-less access to the remote machines. If you have not such setup, use options `--ask-pass` and `--ask-become-pass`. + + +## Security + +One of the most important aspects of ReCodEx instance is security. 
It is crucial to keep gathered data safe and not to allow unauthorized users modify restricted pieces of information. Here is a small list of recommendations to keep running ReCodEx instance safe. + +- Secure MySQL installation. The installation script does not do any security actions, so please run at least `mysql_secure_installation` script on database computer. +- Get HTTPS certificate and set it in Apache for web application and API. Monitor should be proxied through the web server too with valid certificate. You can get free DV certificate from [Let's Encrypt](https://letsencrypt.org/). Do not forget to set up automatic renewing! +- Hide broker, workers and fileserver behind firewall, private subnet or IPsec tunnel. They are not required to be reached from public internet, so it is better keep them isolated. +- Keep your server updated and well configured. For automatic installation of security updates on CentOS system refer to `yum-cron` package. Configure SSH and Apache to use only strong ciphers, some recommendations can be found [here](https://bettercrypto.org/static/applied-crypto-hardening.pdf). +- Do not put actually used credentials on web, for example do not commit your passwords (in Ansible variables file) on GitHub. +- Regularly check logs for anomalies. \ No newline at end of file
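Review bot: the "Variables" list and the "Security" bullet "Do not put actually used credentials on web" describe a group_vars/all.yml that holds the MySQL root password, the broker notifier and fileserver HTTP credentials and similar secrets in plaintext, but the page stops at "do not commit your passwords"; since the same hunk tells readers to treat the Ansible files as templates, it should also say how to keep that file out of the repository, e.g. add it to .gitignore and encrypt it with `ansible-vault encrypt group_vars/all.yml` (then run the playbook with `--ask-vault-pass`), so that the documented workflow does not rely on the reader remembering the warning. The firewall variables (_webapp_firewall_, _webapi_firewall_, _database_firewall_, _broker_firewall_api_, _broker_firewall_workers_, _monitor_firewall_websocket_, _monitor_firewall_zeromq_, _fileserver_firewall_) have no documented defaults, while the Security section says broker, workers and fileserver must not be reachable from the public internet; state the default for each (ideally "no") so a reader can tell whether the stock installation matches that advice, and note that `mysql_secure_installation` is deliberately not run by the playbook already in the Variables section, next to _mysql_root_password_, rather than only at the end. Smaller points: `_recodex_hostname` is missing its closing underscore so it renders differently from the other variable names; "distrubution", "reporst" and "Shorten example" should read "distribution", "reports" and "Shortened example"; and the two "Port to above." entries for _webapp_node_port_ and _monitor_websocket_port_ would be clearer if they stated the component that listens there, as the other port entries do.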