@ -33,6 +33,32 @@ we are providing clickable installer including dependencies. Just for info, all
components should be able to run on Windows, only broker was not tested and may
require small tweaks to work properly.
## Security
One of the most important aspects of ReCodEx instance is security. It is crucial
to keep gathered data safe and not to allow unauthorized users modify restricted
pieces of information. Here is a small list of recommendations to keep running
ReCodEx instance safe.
- Secure MySQL installation. The installation script does not do any security
actions, so please run at least `mysql_secure_installation` script on database
computer.
- Get HTTPS certificate and set it in Apache for web application and API.
Monitor should be proxied through the web server too with valid certificate.
You can get free DV certificate from [Let's
Encrypt](https://letsencrypt.org/). Do not forget to set up automatic
renewing!
- Hide broker, workers and fileserver behind firewall, private subnet or IPsec
tunnel. They are not required to be reached from public internet, so it is
better keep them isolated.
- Keep your server updated and well configured. For automatic installation of
security updates on CentOS system refer to `yum-cron` package. Configure SSH
and Apache to use only strong ciphers, some recommendations can be found
[here](https://bettercrypto.org/static/applied-crypto-hardening.pdf).
- Do not put actually used credentials on web, for example do not commit your
passwords (in Ansible variables file) on GitHub.
- Regularly check logs for anomalies.
## Ansible installer
DEPRECATED - Ansible installer is no longer working!
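
Review bot: the two closing bullets in the added Security section are too vague to act on. "Regularly check logs for anomalies" should name which logs matter for this deployment (the Apache access and error logs in front of the web application, API and proxied monitor, the broker, worker and fileserver logs, and the MySQL log), and "Do not put actually used credentials on web" reads awkwardly; suggest something like `- Never publish live credentials: keep the Ansible variables file holding your passwords out of any public Git repository (list it in .gitignore or encrypt it with Ansible Vault).` The MySQL bullet would also benefit from one more sentence: `mysql_secure_installation` only sets the root password, drops anonymous accounts and the test database and disables remote root login; it does not restrict which interfaces the server listens on, so the database should additionally be bound to localhost or the private subnet the other components sit in. Finally, the Let's Encrypt bullet asks for automatic renewal without saying how; naming the mechanism (certbot's systemd timer or a cron entry running `certbot renew`) would make it verifiable.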
@ -152,110 +178,6 @@ just use component's YAML file instead of _recodex.yml_.
Ansible expects to have password-less access to the remote machines. If you have
not such setup, use options `--ask-pass` and `--ask-become-pass`.
## Manual installation
### Monitor
For monitor functionality there are some required packages. All of them are
listed in _requirements.txt_ file in the repository and can be installed by
`pip` package manager as
```
$ pip install -r requirements.txt
```
**Description of dependencies:**
- zmq -- binding to ZeroMQ framework
- websockets -- framework for communication over WebSockets
- asyncio -- library for fast asynchronous operations
- pyyaml -- parsing YAML configuration files
- argparse -- parsing command line arguments
Installation will provide you following files:
- `/usr/bin/recodex-monitor` -- simple startup script located in PATH
- `/etc/recodex/monitor/config.yml` -- configuration file
- `/etc/systemd/system/recodex-monitor.service` -- systemd startup script
- code files will be installed in location depending on your system settings,
mostly into `/usr/lib/python3.5/site-packages/monitor/` or similar
Systemd script runs monitor binary as specific _recodex_ user, so in `postinst`
script user and group of this name are created. Also, ownership of configuration
file will be granted to that user.
- RPM distributions can make and install binary package. This can be done like
this:
- run command
```
$ python3 setup.py bdist_rpm --post-install ./install/postints
```
to generate binary `.rpm` package or download precompiled one from releases
tab of monitor GitHub repository (it is architecture independent package)
- install package using
```
# yum install ./dist/recodex-monitor-<version>-1.noarch.rpm
```
- Other Linux distributions can install cleaner straight
```
$ python3 setup.py install --install-scripts /usr/bin
# ./install/postinst
```
#### Usage
Preferred way to start monitor as a service is via systemd as the other parts of
ReCodEx solution.
- Running monitor is fairly simple:
```
# systemctl start recodex-monitor.service
```
- Current state can be obtained by
```
# systemctl status recodex-monitor.service
```
You should see green **Active (running)**.
- Setting up monitor to be started on system startup:
```
# systemctl enable recodex-monitor.service
```
Alternatively monitor can be started directly from command line with specifying
path to configuration file. Note that this command will not start monitor as a
daemon.
```
$ recodex-monitor -c /etc/recodex/monitor/config.yml
```


## Security
One of the most important aspects of ReCodEx instance is security. It is crucial
to keep gathered data safe and not to allow unauthorized users modify restricted
pieces of information. Here is a small list of recommendations to keep running
ReCodEx instance safe.
- Secure MySQL installation. The installation script does not do any security
actions, so please run at least `mysql_secure_installation` script on database
computer.
- Get HTTPS certificate and set it in Apache for web application and API.
Monitor should be proxied through the web server too with valid certificate.
You can get free DV certificate from [Let's
Encrypt](https://letsencrypt.org/). Do not forget to set up automatic
renewing!
- Hide broker, workers and fileserver behind firewall, private subnet or IPsec
tunnel. They are not required to be reached from public internet, so it is
better keep them isolated.
- Keep your server updated and well configured. For automatic installation of
security updates on CentOS system refer to `yum-cron` package. Configure SSH
and Apache to use only strong ciphers, some recommendations can be found
[here](https://bettercrypto.org/static/applied-crypto-hardening.pdf).
- Do not put actually used credentials on web, for example do not commit your
passwords (in Ansible variables file) on GitHub.
- Regularly check logs for anomalies.


<!---
// vim: set formatoptions=tqn flp+=\\\|^\\*\\s* textwidth=80 colorcolumn=+1:
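
Review bot: the least-privilege detail in the removed Monitor section (the systemd unit runs the monitor as the dedicated _recodex_ user that `postinst` creates, and `postinst` also hands ownership of `/etc/recodex/monitor/config.yml` to that user) is not carried anywhere else in this diff, and the old Security section at the bottom goes with it, so the page now relies solely on the copy moved up in the first hunk. Make sure the dropped installation and usage steps for the monitor, including the dedicated-user setup, are kept in the monitor repository's own documentation and linked from what remains under "Manual installation", otherwise operators installing by hand will have no hint that the service should not run as root. Also confirm that the HTML comment opened at `<!---` still has its closing `-->` after the deletion; the closer is not visible in this hunk, and an unterminated comment would swallow everything that follows it in the rendered page.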