Installation - Advanced Options
===============================

Running conductor-api Under apache2 httpd and mod\_wsgi
-------------------------------------------------------

``conductor-api`` may be run as-is for development and test purposes.
When used in a production environment, it is recommended that
``conductor-api`` run under a multithreaded httpd service supporting
`WSGI <https://www.wikipedia.org/wiki/Web_Server_Gateway_Interface>`__,
tuned as appropriate.

Configuration instructions for **apache2 httpd** and **nginx** are
included herein. Respective package requirements are:

-  `apache2 <http://packages.ubuntu.com/focal/apache2>`__ and
   `libapache2-mod-wsgi <http://packages.ubuntu.com/focal/libapache2-mod-wsgi>`__
-  `nginx <http://packages.ubuntu.com/focal/nginx>`__ and
   `uwsgi <http://packages.ubuntu.com/focal/uwsgi>`__


Sample configuration files have been provided in the repository.

These instructions presume a ``conductor`` user exists. See the
**Service Scripts** section for details.

First, set up a few directories:

.. code:: bash

    $ sudo mkdir -p /var/www/conductor
    $ sudo mkdir /var/log/apache2/conductor

To install, place the Conductor `WSGI application
file </conductor/api/app.wsgi>`__ in ``/var/www/conductor``.

Set the owner/group of both directories/files to ``conductor``:

.. code:: bash

    $ sudo chown -R conductor:conductor /var/log/apache2/conductor /var/www/conductor

Next, place the Conductor `apache2 httpd site config
file </examples/apache2/conductor.conf>`__ in
``/etc/apache2/sites-available``.

Set the owner/group to ``root``:

.. code:: bash

    $ sudo chown -R root:root /etc/apache2/sites-available/conductor.conf

If Conductor was installed in a python virtual environment, append
``python-home=VENV`` to ``WSGIDaemonProcess``, where ``VENV`` is the
python virtual environment root directory.

**IMPORTANT**: Before proceeding, disable the ``conductor-api`` sysvinit
and upstart services, as the REST API will now be handled by apache2
httpd. Otherwise there will be a port conflict, and you will be sad.

Enable the Conductor site, ensure the configuration syntax is valid, and
gracefully restart apache2 httpd.

.. code:: bash

    $ sudo a2ensite conductor
    $ sudo apachectl -t
    Syntax OK
    $ sudo apachectl graceful

To disable the Conductor site, run ``sudo a2dissite conductor``, then
gracefully restart once again. Optionally, re-enable the
``conductor-api`` sysvinit and upstart services.
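
A post-install check for the steps above, added here as an example and not taken from the Conductor repository: it confirms that the WSGI and log directories belong to ``conductor``, that the site config belongs to ``root``, and that none of them is writable by group or other. The function names and the optional root-prefix argument are assumptions made for this example; ``stat -c`` is the GNU coreutils form found on Ubuntu.

```bash
#!/usr/bin/env bash
# Added example (not from the Conductor repository): audit the ownership the
# Apache steps set up. The ROOT prefix argument is an assumption for testing.

# check_path PATH OWNER: fail when PATH is missing, owned by someone other
# than OWNER, or writable by group/other.
check_path() {
    local path="$1" want="$2" owner mode
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"; return 1
    fi
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want" ]; then
        echo "OWNER    $path is owned by $owner, expected $want"; return 1
    fi
    # 022 = group-write (020) | other-write (002); mode is read as octal
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITABLE $path has mode $mode (group/other can write)"; return 1
    fi
    echo "OK       $path ($owner, $mode)"
}

# audit_apache_layout [ROOT] [SERVICE_USER] [CONFIG_OWNER]
audit_apache_layout() {
    local root="${1:-}" svc="${2:-conductor}" admin="${3:-root}" rc=0 f
    local www="$root/var/www/conductor"
    # An unmatched *.wsgi glob stays literal and is reported as MISSING,
    # which flags a directory with no WSGI application file in it.
    for f in "$www" "$www"/*.wsgi "$root/var/log/apache2/conductor"; do
        check_path "$f" "$svc" || rc=1
    done
    check_path "$root/etc/apache2/sites-available/conductor.conf" "$admin" || rc=1
    return "$rc"
}

# Run against the live system only when asked: AUDIT=1 bash audit.sh
if [ "${AUDIT:-0}" = 1 ]; then audit_apache_layout; fi
```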

Running conductor-api Under nginx and uWSGI
-------------------------------------------

Sample configuration files have been provided in the repository.

These instructions presume a ``conductor`` user exists. See the
**Service Scripts** section for details.

To install, place the Conductor `nginx config
files </examples/nginx/>`__ and `WSGI application
file </conductor/api/app.wsgi>`__ in ``/etc/nginx`` (taking care to
back up any prior configuration files). It may be desirable to
incorporate Conductor's ``nginx.conf`` into the existing config.

Rename ``app.wsgi`` to ``conductor.wsgi``:

.. code:: bash

    $ cd /etc/nginx
    $ sudo mv app.wsgi conductor.wsgi

In ``nginx.conf``, set ``CONDUCTOR_API_FQDN`` to the server name.

**IMPORTANT**: Before proceeding, disable the ``conductor-api`` sysvinit
and upstart services, as the REST API will now be handled by nginx.
Otherwise there will be a port conflict, and you will be sad.

Restart nginx:

.. code:: bash

    $ sudo service nginx restart

Then, run ``conductor-api`` under nginx using uWSGI:

.. code:: bash

    $ sudo uwsgi -s /tmp/uwsgi.sock --chmod-socket=777 --wsgi-file /etc/nginx/conductor.wsgi --callable application --set port=8091

To use a python virtual environment, add ``--venv VENV`` to the
``uwsgi`` command, where ``VENV`` is the python virtual environment root
directory.
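
The command above puts the socket in ``/tmp`` with mode ``777``, so it is reachable by every local account, not only nginx. The following check, added here as an example and not part of the Conductor repository, lints a ``uwsgi`` argument list for both settings and compares the page's invocation with a tightened one; the function names, the ``/run/conductor`` path and the ``www-data`` group are assumptions, while ``--chown-socket`` is a standard uWSGI option.

```bash
#!/usr/bin/env bash
# Added example (not from the Conductor repository): lint a uwsgi argument
# list for the two socket settings in the command above.

# lint_uwsgi_args ARGS...: print one finding per line; return 1 if any.
lint_uwsgi_args() {
    local sock="" mode="" rc=0
    while [ $# -gt 0 ]; do
        case $1 in
            -s|--socket)      if [ $# -ge 2 ]; then sock=$2; shift; fi ;;
            --socket=*)       sock=${1#*=} ;;
            --chmod-socket=*) mode=${1#*=} ;;
        esac
        shift
    done
    case $mode in
        ""|*[!0-7]*) ;;   # absent or not octal: nothing to judge
        *)  if [ $(( 0$mode & 002 )) -ne 0 ]; then
                echo "chmod-socket=$mode: every local account can connect to the socket"
                rc=1
            fi ;;
    esac
    case $sock in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "socket $sock: parent directory is shared by all local users"
            rc=1 ;;
    esac
    return "$rc"
}

# The invocation from this page.
page_args() {
    lint_uwsgi_args -s /tmp/uwsgi.sock --chmod-socket=777 \
        --wsgi-file /etc/nginx/conductor.wsgi --callable application --set port=8091
}

# A tightened variant. Assumptions: /run/conductor exists and is owned by
# conductor; nginx workers run in the www-data group (the Ubuntu default).
tightened_args() {
    lint_uwsgi_args -s /run/conductor/uwsgi.sock --chmod-socket=660 \
        --chown-socket=conductor:www-data \
        --wsgi-file /etc/nginx/conductor.wsgi --callable application --set port=8091
}

page_args || true    # two findings
tightened_args && echo "tightened invocation: no findings"
```

If the socket path is changed, the socket path nginx is configured to pass requests to must be changed to match.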

Networking
----------

All conductor services require line-of-sight access to all Music/ETCD
servers/ports.

The ``conductor-api`` service uses TCP port 8091.

Security
--------

``conductor-api`` is accessed via HTTP. SSL/TLS certificates and
AuthN/AuthZ (e.g., AAF) are supported at this time in a Kubernetes
environment.

Conductor makes use of plugins that act as gateways to *inventory
providers* and *service controllers*. At present, two plugins are
supported out-of-the-box: **A&AI** and **SDN-C**, respectively.

A&AI requires two-way SSL/TLS. Certificates must be registered and
whitelisted with A&AI. SDN-C uses HTTP Basic Authentication. Consult
with each respective service for official information on how to obtain
access.

Storage
-------

For a cloud environment in particular, it may be desirable to use a
separate block storage device (e.g., an OpenStack Cinder volume) for
logs, configuration, and other data persistence. In this way, it becomes
a trivial matter to replace the entire VM if necessary, followed by
reinstallation of the app and any supplemental configuration. Take this
into consideration when setting various Conductor config options.