-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
6a1966f
commit b47b01f
Showing
81 changed files
with
15,999 additions
and
0 deletions.
There are no files selected for viewing
77 changes: 77 additions & 0 deletions
77
docs/server/_sources/administration_guide/access_token.md.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,77 @@ | ||
# Access token | ||
|
||
---- | ||
|
||
The Anweddol server implementation can restrict its utilization by using the `tools` [Access token feature](https://anweddol-server.readthedocs.io/en/latest/technical_specifications/tools/access_token.html) for client authentication. | ||
|
||
An access token is a url-safe 124 characters long used on the implementation to restrict access. | ||
These tokens are stored in a SQLite database file on the system. | ||
|
||
**NOTE** : There is one token for one client, since a client cannot store 2 tokens for one same server (see the [Client usage guide](https://anweddol-client.readthedocs.io/en/latest/usage_guide/index.html) to learn more). | ||
|
||
## Prerequisites | ||
|
||
This feature can be enabled or disabled. | ||
Being disabled by default, you can enable it by changing the `enabled` field value for `True` : | ||
|
||
``` | ||
[...] | ||
# List of allowed / denied IPs | ||
# Specify any IPs with 'any' | ||
allowed_ip_list: | ||
- any | ||
denied_ip_list: [] | ||
|
||
# --- | ||
# Access token parameters | ||
token_authentication: | ||
|
||
# Enable this feature or not | ||
# If this value is set to 'false', all parameters below will be ignored | ||
enabled: True # <----- Here | ||
|
||
[...] | ||
``` | ||
|
||
Then restart the server. | ||
|
||
**NOTE** : If this feature is enabled but no tokens are added, no clients will be able to use the server. | ||
|
||
## Add / delete a token | ||
|
||
To add a token to the database, execute : | ||
|
||
``` | ||
$ anwdlserver access-tk -a | ||
``` | ||
|
||
It will result with the created token and its entry ID on the standard output. | ||
|
||
On the client-side, you need to record this token in order to be able to authenticate. | ||
See the [Client usage guide](https://anweddol-client.readthedocs.io/en/latest/usage_guide/index.html) to learn more. | ||
|
||
**NOTE** : Since the access tokens are hashed in the database (see the technical specifications [Access token](https://anweddol-server.readthedocs.io/en/latest/technical_specifications/tools/access_token.html) section to learn more), there's no way to see them again in plain text : Store this plain token somewhere safe in order to use it for further operations. | ||
|
||
If you want to delete a token, execute : | ||
|
||
``` | ||
$ anwdlserver access-tk -r <entry_id> | ||
``` | ||
|
||
## Enable / Disable a token | ||
|
||
You have the possibility to enable or disable recorded tokens to temporarily disable its usage. | ||
|
||
To disable a token, execute : | ||
|
||
``` | ||
$ anwdlserver access-tk -d <entry_id> | ||
``` | ||
|
||
**NOTE** : A created token is automatically enabled. Use the `--disabled` option with the `-a` parameter to disable it. | ||
|
||
And to re-enable it : | ||
|
||
``` | ||
$ anwdlserver access-tk -e <entry_id> | ||
``` |
7 changes: 7 additions & 0 deletions
7
docs/server/_sources/administration_guide/configuration_file.md.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
# Configuration file | ||
|
||
---- | ||
|
||
The Anweddol server implementation is using a YAML file for configuration. | ||
|
||
It is stored in `/etc/anweddol/config.yaml` after installation, read its header to learn about it. |
15 changes: 15 additions & 0 deletions
15
docs/server/_sources/administration_guide/container_iso.md.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# Container ISO | ||
|
||
---- | ||
|
||
In order to provice a valid service, containers domains needs to run with a specific ISO image. | ||
|
||
## Download the ISO image | ||
|
||
This ISO image is actually a custom live Debian image that you can retrieve on the [official mirror](https://mega.nz/folder/BTFyVCLB#DNC2K8Lmhgbk6QWrVpeznw). | ||
|
||
You'll need to copy the downloaded `anweddol_container.iso` file on the `/etc/anweddol/iso/` folder by default, or you can specify the ISO path in the configuration file, in the `container_iso_path` key. | ||
|
||
> This ISO image is meant to be replaced at each update announced | ||
|
||
Learn more about the container ISO on the technical specifications [Container OS section](https://anweddol-server.readthedocs.io/en/latest/technical_specifications/core/virtualization.html#container-os). |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
# Administration guide | ||
|
||
---- | ||
|
||
Hello and welcome to the Anweddol server administration guide. | ||
|
||
The following sections will explain how to administrate and configure the Anweddol server implementation in an optimal way. | ||
|
||
```{toctree} | ||
--- | ||
maxdepth: 3 | ||
includehidden: | ||
--- | ||
|
||
installation | ||
``` | ||
|
||
```{toctree} | ||
--- | ||
maxdepth: 3 | ||
includehidden: | ||
--- | ||
|
||
server_usage | ||
``` | ||
|
||
```{toctree} | ||
--- | ||
maxdepth: 3 | ||
includehidden: | ||
--- | ||
|
||
access_token | ||
``` | ||
|
||
```{toctree} | ||
--- | ||
maxdepth: 3 | ||
includehidden: | ||
--- | ||
|
||
configuration_file | ||
``` | ||
|
||
```{toctree} | ||
--- | ||
maxdepth: 3 | ||
includehidden: | ||
--- | ||
|
||
container_iso | ||
``` | ||
|
||
```{toctree} | ||
--- | ||
maxdepth: 3 | ||
includehidden: | ||
--- | ||
|
||
logging | ||
``` | ||
|
||
```{toctree} | ||
--- | ||
maxdepth: 3 | ||
includehidden: | ||
--- | ||
|
||
troubleshooting | ||
``` |
212 changes: 212 additions & 0 deletions
212
docs/server/_sources/administration_guide/installation.md.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,212 @@ | ||
# Installation | ||
|
||
---- | ||
|
||
This section covers the prerequisites needed for the system before the Anweddol server installation. | ||
|
||
## Anweddol server installation | ||
|
||
Install the Anweddol server by the sources : | ||
|
||
``` | ||
$ git clone https://github.com/the-anweddol-project/Anweddol-server.git | ||
$ cd Anweddol-server | ||
$ sudo pip install . | ||
``` | ||
|
||
The nessessary files and users will be created during the installation. | ||
|
||
**NOTE** : If the pip installation is launched with non-root permissions, only the `anwdlserver` package will be installed : the full setup will be skipped. | ||
|
||
## Environment setup | ||
|
||
### Libvirt | ||
|
||
[Libvirt](https://libvirt.org/) is a toolkit to manage virtualization platforms that the server is using to manage container domains. | ||
|
||
#### Installation | ||
|
||
Libvirt must be installed via your package manager : | ||
|
||
Apt : | ||
|
||
``` | ||
$ sudo apt-get update | ||
$ sudo apt-get install python-libvirt | ||
``` | ||
|
||
DNF : | ||
|
||
``` | ||
$ sudo dnf install python-libvirt | ||
``` | ||
|
||
Yum : | ||
|
||
``` | ||
$ sudo yum install python-libvirt | ||
``` | ||
|
||
**NOTE** : You can also install it from pip by executing : | ||
|
||
``` | ||
$ pip install libvirt-python | ||
``` | ||
|
||
But you need to install build dependencies manually, and this topic is not covered in this documentation. | ||
|
||
#### Setup | ||
|
||
You need to modify the `/etc/libvirt/qemu.conf` file to give libvirt appropriate rights. | ||
|
||
Edit the `/etc/libvirt/qemu.conf` file : | ||
|
||
``` | ||
$ sudo nano /etc/libvirt/qemu.conf | ||
``` | ||
|
||
Find the `user` and `group` directives. By default, both are set to `root` : | ||
|
||
``` | ||
[...] | ||
Some examples of valid values are: | ||
# | ||
user = "qemu" # A user named "qemu" | ||
user = "+0" # Super user (uid=0) | ||
user = "100" # A user named "100" or a user with uid=100 | ||
# | ||
#user = "root" | ||
The group for QEMU processes run by the system instance. It can be | ||
specified in a similar way to user. | ||
#group = "root" | ||
[...] | ||
``` | ||
|
||
Uncomment both lines and replace `root` with `anweddol` and the group with `libvirt` as shown below: | ||
|
||
``` | ||
[...] | ||
Some examples of valid values are: | ||
# | ||
user = "qemu" # A user named "qemu" | ||
user = "+0" # Super user (uid=0) | ||
user = "100" # A user named "100" or a user with uid=100 | ||
# | ||
user = "anweddol" | ||
The group for QEMU processes run by the system instance. It can be | ||
specified in a similar way to user. | ||
group = "libvirt" | ||
[...] | ||
``` | ||
|
||
Then restart the libvirtd daemon : | ||
|
||
``` | ||
$ sudo systemctl restart libvirtd.service | ||
``` | ||
|
||
(source : [ostechnix](https://ostechnix.com/solved-cannot-access-storage-file-permission-denied-error-in-kvm-libvirt/)) | ||
|
||
### Networking | ||
|
||
For the containers to be able to communicate with the outside, the host system must have a bridge interface linking the main network interface to the container domain's interface. | ||
|
||
It consists of a bridge interface with the main network interface set as a slave to the bridge : | ||
the container domain's interface will connect to it on the runtime via TAP link. | ||
|
||
> If the server is using a WI-FI interface as the main network interface, a more specific setup must be done before continuing (see the [debian documentation](https://wiki.debian.org/BridgeNetworkConnections#Bridging_with_a_wireless_NIC) for more). | ||
|
||
Follow the steps below according to your system : | ||
|
||
#### Debian-based systems | ||
|
||
First, you need to stop the networking service : | ||
|
||
``` | ||
$ service network stop | ||
``` | ||
|
||
Then you can create the `anwdlbr0` bridge interface, replacing `MASTER_INTERFACE_NAME` by your actual master interface name : | ||
|
||
``` | ||
$ brctl addbr anwdlbr0 | ||
$ brctl addif anwdlbr0 MASTER_INTERFACE_NAME | ||
``` | ||
|
||
Create persistent configuration files for your interfaces : | ||
|
||
``` | ||
$ printf "iface MASTER_INTERFACE_NAME inet manual" >> /etc/network/interfaces | ||
$ printf "iface anwdlbr0 inet dhcp\n\tbridge_ports MASTER_INTERFACE_NAME" >> /etc/network/interfaces | ||
``` | ||
|
||
Enable the `anwdlbr0` interface, and restart the networking service : | ||
|
||
``` | ||
$ ifup anwdlbr0 | ||
$ service network start | ||
``` | ||
|
||
|
||
#### Redhat-based systems | ||
|
||
Disable NetworkManager : | ||
|
||
``` | ||
$ sudo chkconfig NetworkManager off | ||
$ sudo chkconfig network on | ||
$ sudo service NetworkManager stop | ||
$ sudo service network start | ||
``` | ||
|
||
Define the main network interface in networks-script, replacing `MASTER_INTERFACE_NAME` by your actual master interface name : | ||
|
||
``` | ||
$ sudo printf "DEVICE=MASTER_INTERFACE_NAME\nHWADDR=$(ifconfig MASTER_INTERFACE_NAME | grep -o -E ..:..:..:..:..:..)\nONBOOT=yes\nBRIDGE=anwdlbr0\nNM_CONTROLLED=no" /etc/sysconfig/networks-script/MASTER_INTERFACE_NAME | ||
``` | ||
|
||
Create the `anwdlbr0` bridge interface in networks-script : | ||
|
||
``` | ||
$ sudo printf "DEVICE=anwdlbr0\nTYPE=Bridge\nBOOTPROTO=dhcp\nONBOOT=yes\nDELAY=0\nNM_CONTROLLED=no" /etc/sysconfig/networks-script/ifcfg-anwdlbr0 | ||
``` | ||
|
||
Add sysctl rules to enable packet forwarding : | ||
|
||
``` | ||
$ sudo printf "net.bridge.bridge-nf-call-ip6tables = 0\nnet.bridge.bridge-nf-call-iptables = 0\nnet.bridge.bridge-nf-call-arptables = 0" >> /etc/sysctl.conf | ||
$ sudo sysctl -p /etc/sysctl.conf | ||
``` | ||
|
||
Add iptables rules to accept packet forwarding from bridged interfaces : | ||
|
||
``` | ||
$ sudo printf "-I FORWARD -m physdev --physdev-is-bridged -j ACCEPT" /etc/sysconfig/anweddol-iptables-forward-rules | ||
$ sudo lokkit --custom-rules=ipv4:filter:/etc/sysconfig/anweddol-iptables-forward-rules | ||
``` | ||
|
||
Restart the network service : | ||
|
||
``` | ||
$ sudo service network restart | ||
``` | ||
|
||
### Container ISO | ||
|
||
Before using the server, you need to download a specific ISO image for the container domains in order to provide a functional service. | ||
|
||
See the [Container ISO](container_iso.md) section to learn more. | ||
|
||
## Getting started | ||
|
||
At this point, you should be able to start the server. See the [Server usage section](server_usage.md) to do so. | ||
|
||
## Anweddol server uninstallation | ||
|
||
To uninstall the Anweddol server, execute : | ||
|
||
``` | ||
$ sudo anwdlserver-uninstall | ||
``` | ||
|
||
The script will delete any files and everything associated with the Anweddol server. |
Oops, something went wrong.