
Example setup RedHat 7 and Fedora x86_64


Install components and requirements

# Runtime services (database, message broker, web server with its WSGI module)
# plus the compiler and headers pip needs to build the Python dependencies.
# policycoreutils-python provides the semanage tool used in the SELinux step.
yum install -y \
  mariadb-server rabbitmq-server httpd mod_wsgi \
  gcc python python-devel python-pip \
  mariadb-devel postgresql-devel openldap-devel httpd-devel \
  policycoreutils-python

Create the user, group and directories used by Celery and httpd

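# Dedicated unprivileged service account shared by the Celery worker and the
# WSGI daemon process (see user=/group= in the httpd config below): no home
# directory, no interactive shell.
groupadd sshkm
useradd -g sshkm -M -s /sbin/nologin sshkm

# Pid and log directories referenced by CELERYD_PID_FILE / CELERYD_LOG_FILE in
# /etc/sysconfig/sshkm-celery.
mkdir -p /var/run/sshkm/celery /var/log/sshkm/celery

# "owner:group" is the portable chown form; "owner.group" is a deprecated GNU-ism.
chown -R sshkm:sshkm /var/log/sshkm /var/run/sshkm

# NOTE(review): /var/run is a tmpfs on RHEL 7, so /var/run/sshkm does not
# survive a reboot; recreate it at boot (e.g. a tmpfiles.d entry) or the worker
# cannot write its pid file after the first restart.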

Install SSHKM in virtualenv

# Isolated Python environment for the application. httpd (home=/usr/lib/sshkm)
# and the Celery unit (CELERY_BIN) both point at this path.
virtualenv /usr/lib/sshkm
. /usr/lib/sshkm/bin/activate
pip install --upgrade pip
# NOTE(review): the package version is unpinned; pin it
# (django-sshkm==<version>) for a reproducible, reviewable install.
pip install django-sshkm
deactivate

Configure httpd

Create config file /etc/httpd/conf.d/sshkm.conf with the following content:

# Serve the packaged static assets straight from the virtualenv. The URL prefix
# must match STATIC_URL in /etc/sshkm/sshkm.conf.
Alias /sshkm/static/ /usr/lib/sshkm/lib/python2.7/site-packages/sshkm/static/

<Directory /usr/lib/sshkm/lib/python2.7/site-packages/sshkm/static/>
  Require all granted
</Directory>

# Mount the Django application under /sshkm and run it in a separate daemon
# process group as the unprivileged sshkm user instead of inside the httpd
# workers. NOTE(review): the trailing "/" after wsgi.py looks unintended —
# confirm it is what mod_wsgi expects here.
WSGIScriptAlias /sshkm /usr/lib/sshkm/lib/python2.7/site-packages/sshkm/wsgi.py/
WSGIDaemonProcess sshkm user=sshkm group=sshkm python-path=/usr/lib/sshkm/lib/python2.7/site-packages home=/usr/lib/sshkm processes=4
WSGIProcessGroup sshkm

# Only the WSGI entry point is granted; everything else under site-packages
# relies on the server-wide default that denies access.
<Directory /usr/lib/sshkm/lib/python2.7/site-packages>
  <Files wsgi.py>
    Require all granted
  </Files>
</Directory>

Configure SSHKM

Create /etc/sshkm/sshkm.conf with the following content:

# '*' accepts any Host header, i.e. switches off Django's host validation.
# Fine for a throw-away test box; list the real hostname(s) otherwise.
ALLOWED_HOSTS = ['*']

# URL prefixes must match the Alias and WSGIScriptAlias in
# /etc/httpd/conf.d/sshkm.conf.
STATIC_URL = '/sshkm/static/'
LOGIN_URL = '/sshkm/login/'

# Local RabbitMQ broker (rabbitmq-server installed above); no credentials are
# given here, so the client's defaults apply.
CELERY_BROKER_URL = 'amqp://'
CELERY_RESULT_BACKEND = 'rpc'

# Must match the "create user" statement in the "Create Database" step below.
# NOTE(review): 'sshkm' is a placeholder password — generate a real one and keep
# this file readable only by root and the sshkm user, since it holds the secret.
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': 'sshkm',
        'USER': 'sshkm',
        'PASSWORD': 'sshkm',
    }
}

Configure your Firewall

# allow to connect to HTTP
# Open HTTP in the public zone: the --permanent rule survives reloads and
# reboots, the runtime rule takes effect immediately without a reload.
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --zone=public --add-service=http

Configure SELinux

# Only needed when SSHKM is configured with SQLite instead of MariaDB: let the
# WSGI process write the database file. Skip these two commands otherwise.
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/lib/sshkm/lib/python2.7/site-packages/sshkm/db.sqlite3"
restorecon -v "/usr/lib/sshkm/lib/python2.7/site-packages/sshkm/db.sqlite3"

# Make the application directory writable for httpd. As written the rule matches
# only the directory entry itself (no "(/.*)?" suffix, no restorecon -R).
# NOTE(review): granting httpd write access to the package that holds the
# application's own code lets a compromised WSGI process alter that code; if
# only specific files need to be writable, label those paths instead.
semanage fcontext -a -t httpd_sys_rw_content_t "/usr/lib/sshkm/lib/python2.7/site-packages/sshkm"
restorecon -v "/usr/lib/sshkm/lib/python2.7/site-packages/sshkm"

# Allow the WSGI process to open outbound connections (broker, database, and
# presumably LDAP and the SSH sessions to managed hosts). NOTE(review): this
# boolean is broad; check whether a narrower one such as
# httpd_can_network_connect_db is enough for your setup.
setsebool -P httpd_can_network_connect 1

Configure Celery systemd-unit

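# Write the Celery worker unit. The heredoc delimiter is QUOTED so the ${...}
# references reach the file verbatim and are expanded by systemd at start time
# from the EnvironmentFile; with an unquoted delimiter the current shell would
# expand them (to empty strings) while writing the file, yielding a unit whose
# ExecStart is "/bin/sh -c ' multi start  -A  ...'".
# NOTE(review): Type=forking without PIDFile= leaves systemd to guess the main
# PID; /var/run/sshkm must also exist at boot (see the mkdir step above).
cat >/etc/systemd/system/sshkm-celery.service <<'EOL'
[Unit]
Description=SSHKM Celery Service
After=network.target

[Service]
Type=forking
User=sshkm
Group=sshkm
EnvironmentFile=-/etc/sysconfig/sshkm-celery
WorkingDirectory=/usr/lib/sshkm/lib/python2.7/site-packages
ExecStart=/bin/sh -c '${CELERY_BIN} multi start ${CELERYD_NODES} \
  -A ${CELERY_APP} --pidfile=${CELERYD_PID_FILE} \
  --logfile=${CELERYD_LOG_FILE} --loglevel=${CELERYD_LOG_LEVEL} ${CELERYD_OPTS}'
ExecStop=/bin/sh -c '${CELERY_BIN} multi stopwait ${CELERYD_NODES} \
  --pidfile=${CELERYD_PID_FILE}'
ExecReload=/bin/sh -c '${CELERY_BIN} multi restart ${CELERYD_NODES} \
  -A ${CELERY_APP} --pidfile=${CELERYD_PID_FILE} \
  --logfile=${CELERYD_LOG_FILE} --loglevel=${CELERYD_LOG_LEVEL} ${CELERYD_OPTS}'

[Install]
WantedBy=multi-user.target
EOL

# Worker settings read by the unit above. %n and %I are expanded by
# "celery multi", not by systemd or the shell. CELERYD_MULTI is not referenced
# by the unit. Quoted delimiter again so nothing is interpreted while writing.
cat >/etc/sysconfig/sshkm-celery <<'EOL'
# Name of nodes to start
# here we have a single node
CELERYD_NODES="w1"
# or we could have three nodes:
#CELERYD_NODES="w1 w2 w3"

# Absolute or relative path to the 'celery' command:
CELERY_BIN="/usr/lib/sshkm/bin/celery"
#CELERY_BIN="/virtualenvs/def/bin/celery"

# App instance to use
# comment out this line if you don't use an app
CELERY_APP="sshkm"
# or fully qualified:
#CELERY_APP="proj.tasks:app"

# How to call manage.py
CELERYD_MULTI="multi"

# Extra command-line arguments to the worker
CELERYD_OPTS="--time-limit=300 --concurrency=8"

# - %n will be replaced with the first part of the nodename.
# - %I will be replaced with the current child process index
#   and is important when using the prefork pool to avoid race conditions.
CELERYD_PID_FILE="/var/run/sshkm/celery/%n.pid"
CELERYD_LOG_FILE="/var/log/sshkm/celery/%n%I.log"
CELERYD_LOG_LEVEL="INFO"
EOL

# Pick up the new unit file.
systemctl daemon-reload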

Enable and start services

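# Broker and database first, then the worker that uses them, then the web
# front end. The worker unit is the one written to
# /etc/systemd/system/sshkm-celery.service above — there is no plain
# celery.service on this host.
systemctl enable rabbitmq-server.service
systemctl start rabbitmq-server.service

systemctl enable mariadb.service
systemctl start mariadb.service

systemctl enable sshkm-celery.service
systemctl start sshkm-celery.service

# restart rather than start so an already-running httpd picks up sshkm.conf.
systemctl enable httpd.service
systemctl restart httpd.service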

Create Database

# Create the application database and a local-only account for it. The password
# must match DATABASES['default']['PASSWORD'] in /etc/sshkm/sshkm.conf.
# NOTE(review): 'sshkm' is a placeholder; generate a real secret and set it in
# both places. A fresh mariadb-server has no root password yet — run
# mysql_secure_installation before exposing the host.
mysql <<'EOF'
create database sshkm;
create user 'sshkm'@'localhost' identified by 'sshkm';
grant all on sshkm.* to 'sshkm'@'localhost';
EOF

Start working

Connect to http://yourhost/sshkm and log in as user admin (default password: admin).
In the settings menu you can change the password and upload the master private/public key pair, which is used later to connect to your servers and deploy all other public keys.
Now you can define hosts, groups, keys, OS users and the permissions that tie them together.
In the hosts menu you can deploy your configuration to the host(s).