Setting up NOCLook
NOCLook is the main GUI component, a django webapp that allows users to access the data stored in NI, it is also often what people refer to when they say NI.
This guide is written for Ubuntu 16.04.
NEO4J database
The official neo4j installation guide for version 3.2 is the reference for this part.
Install Java8
$ sudo add-apt-repository ppa:webupd8team/java $ sudo apt-get update $ sudo apt-get install oracle-java8-installer $ java -version java version "1.8.x"
NEO4J
$ wget -O - https://debian.neo4j.org/neotechnology.gpg.key | sudo apt-key add - $ echo 'deb http://debian.neo4j.org/repo stable/' | sudo tee -a /etc/apt/sources.list.d/neo4j.list $ sudo apt-get update $ sudo apt-get install neo4j=3.2.2
Configuration
$ sudo vim /etc/neo4j/neo4j.conf Add the following: # Autoindexing # Enable auto-indexing for nodes, default is false node_auto_indexing=true # The node property keys to be auto-indexed, if enabled node_keys_indexable=name, description, ip_address, ip_addresses, as_number, hostname, hostnames, telenor_tn1_number, nordunet_id, version # Enable auto-indexing for relationships, default is false relationship_auto_indexing=true # The relationship property keys to be auto-indexed, if enabled relationship_keys_indexable=ip_address
$ sudo rm /var/lib/neo4j/data/dbms/auth # Note the extra space before the command to avoid saving password in bash history $ sudo -u neo4j neo4j-admin set-initial-password your_awesome_password $ sudo service neo4j restart
Postgres database
Set password for database user and create a new database
$ sudo apt-get install postgresql $ sudo -u postgres psql postgres template1=# CREATE USER ni with PASSWORD 'secret'; template1=# CREATE DATABASE norduni; template1=# GRANT ALL PRIVILEGES ON DATABASE norduni to ni; template1=# ALTER DATABASE norduni OWNER TO ni; # Allow user ni to drop and create for restoring template1=# ALTER USER ni CREATEDB; # and development purposes template1=# \q
NOCLook
Before installing NOCLook you need to install the required system libraries
$ sudo apt-get install git python-pip libpq-dev $ sudo pip install -U pip $ sudo pip install virtualenv $ sudo adduser --disabled-password --home /var/opt/norduni ni
Now you are ready to install NOCLook, start by changing to the ni user.
$ sudo -u ni -i $ pwd /var/opt/norduni $ git clone git://git.nordu.net/norduni.git # Create virtual env $ virtualenv norduni_environment # Activate virtual env $ . norduni_environment/bin/activate # Install python dependencies $ pip install -r norduni/requirements/prod.txt
Configure NOCLook
$ cd norduni/src/niweb/ $ cp dotenv .env $ vi .env
You need to setup the following settings:
NEO4J_USERNAME=neo4j NEO4J_PASSWORD= REPORTS_TO= SECURITY_REPORTS_TO= DB_PASSWORD= ALLOWED_HOSTS=ni.yourdomain.tld localhost DEFAULT_FROM_EMAIL= EMAIL_HOST= SECRET_KEY=
The secret key should be at least 50 chars long consisting of the following characters: 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
You can use the following snippit to gennerate such a string locally:
# Missing ! since bash is sad when you use ! in anything, and pyton thinks \! is to be read as both \ and ! $ python -c "import random; print(''.join([random.SystemRandom().choice('abcdefghijklmnopqrstuvwxyz0123456789@#$%^&*(-_=+)') for i in range(50)]))"
Migrate databases and check config
# To make it easier for yourself set DJANGO_SETTINGS_MODULE=niweb.settings.prod in your bashprofile/bashrc $ cd norduni/src/niweb $ python manage.py migrate $ python manage.py collectstatic $ python manage.py runserver
Create local superuser
$ python manage.py createsuperuser
Deploying NOCLook
Start by installing uwsgi and nginx.
$ sudo apt-get install nginx-full uwsgi uwsgi-plugin-python
UWSGI
$ sudo vi /etc/uwsgi/apps-available/noclook.ini The following configuration should be a good start. [uwsgi] # Django-related settings plugins = python protocol = uwsgi # the base directory (full path) chdir = /var/opt/norduni/norduni/src/niweb/ # Django's wsgi file wsgi-file = /var/opt/norduni/norduni/src/niweb/niweb/wsgi.py env = DJANGO_SETTINGS_MODULE=niweb.settings.prod # the virtualenv (full path) home = /var/opt/norduni/norduni_environment # logging daemonize = /var/log/uwsgi/app/noclook.log # process-related settings # master master = true # maximum number of worker processes processes = 5 #threads = 2 max-requests = 5000 # the socket (use the full path to be safe socket = 127.0.0.1:8001 # clear environment on exit vacuum = true
Link the configuration in to the correct directory.
$ sudo ln -s /etc/uwsgi/apps-available/noclook.ini /etc/uwsgi/apps-enabled/noclook.ini
Make temp dir and log dir writable by the uwsgi user (www-data on ubuntu)
sudo mkdir -p /tmp/django_cache sudo chown -R ni:www-data /tmp/django_cache sudo chmod -R g+w /tmp/django_cache sudo chown -R ni:www-data /var/opt/norduni/norduni/src/niweb/logs/ sudo chmod -R g+w /var/opt/norduni/norduni/src/niweb/logs/
Finally restart uwsgi
$ sudo service uwsgi restart
NGINX
Setup new dhparam file 2048 should suffice, but if you like you can go with 4096 instead:
$ sudo openssl dhparam -out /etc/ssl/dhparams.pem 2048
Configure nginx.
$ sudo vi /etc/nginx/sites-available/default # The following configuration should be a good start. # Remember certificates or # sudo openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ni_nordu_net.key -out /etc/ssl/certs/ni_nordu_net.crt upstream django { server 127.0.0.1:8001; # for a web port socket } server { listen 80; listen [::]:80; server_name ni.nordu.net; return 301 https://$server_name$request_uri; } server { listen 443; listen [::]:443 default ipv6only=on; ## listen for ipv6 ssl on; ssl_certificate /etc/ssl/certs/ni_nordu_net.crt; ssl_certificate_key /etc/ssl/private/ni_nordu_net.key; # https://cipherli.st ssl_prefer_server_ciphers on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_session_cache shared:SSL:10m; ssl_ecdh_curve secp384r1; ssl_dhparam /etc/ssl/dhparams.pem; server_name ni.nordu.net; location /static/ { alias /var/opt/norduni/norduni/src/niweb/niweb/static/; autoindex on; access_log off; expires 30d; } location / { include /etc/nginx/uwsgi_params; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; uwsgi_pass django; } }
Then restart nginx (still remember to setup ssl certificates)
$ sudo service nginx restart
SAML SP
If you want to set up NOCLook as a SAML SP you need to install the following packages and Python modules.
$ sudo apt-get install libffi-dev xmlsec1 $ sudo -u ni -i $ . norduni_environment/bin/activate $ pip install djangosaml2
You then need to uncomment the lines in settings.py that imports and sets up djangosaml2. You also have to create a pysaml2 configuration.
All this is best described in the documentation at https://pypi.python.org/pypi/djangosaml2.
Local saml metadata
To speed up login you can use local metadata. This metadata still needs to be updated and verified, and for that you can use https://github.com/NORDUnet/metadata-updater
You need to configure djangosaml2 to use local metadata, and you will have to add the meta-dataupdater to cron, preferably by running crontab -e as the ni user. Once an hour is reasonable, once a day can be ok, once a week might be tiresome when the cert expires.