
[secaudit-blocking] No installation documentation

Open puiterwijk opened this issue 4 years ago • 23 comments

Part of secaudit #316, blocking.

The Installation documentation is absent, and doesn't contain any useful information on how to set up a production-grade setup of noggin.

puiterwijk avatar Aug 11 '20 11:08 puiterwijk

@puiterwijk we will get working on this ASAP.

Note too, (while not documentation, i know), there is the vagrant setup that sets up a freeipa server, installs the freeipa-fas plugin to freeipa, then installs noggin.

Note too there is an in-review PR here (https://github.com/fedora-infra/noggin/pull/326) that makes the noggin flask app behave a little better.

ryanlerch avatar Aug 12 '20 09:08 ryanlerch

@ryanlerch Right. But note that if you decide the Vagrant setup is the official way of deploying, I'll have many complaints about insecure deployment practices 😀. That's why I want to see how you tell people to actually deploy it.

puiterwijk avatar Aug 12 '20 10:08 puiterwijk

@puiterwijk I don't think we'll document using Vagrant to deploy in production, with or without your comment 😉. Off the top of your head, are there any other gotchas? If we can avoid embarrassing ourselves upfront, I'm all for it.

nphilipp avatar Aug 13 '20 08:08 nphilipp

Some of the things you really want to point out:

  • Don't use flask run, but instead use a serious HTTP server, and explain how to do so (apache/nginx with possible gunicorn behind it)
  • Do not use the global admin user: instead, I'd strongly recommend a separate noggin user for auditing/permission purposes (as part of the docs would then be "What are the minimum required permissions to grant")
  • Make very sure to change SECRET and FERNET_SECRET (#334)

And other things like those

puiterwijk avatar Aug 13 '20 11:08 puiterwijk

@nphilipp @puiterwijk Probably a good starting point for installation documentation would be the haphazard one I wrote for getting the system up and running for openSUSE infrastructure on COPR: https://copr.fedorainfracloud.org/coprs/ngompa/fedora-aaa/

Conan-Kudo avatar Aug 17 '20 03:08 Conan-Kudo

Any updates on this?

Cliftonz avatar Jun 04 '21 06:06 Cliftonz

Yeah there is still no proper installation documentation, sadly. But all the steps and files we use in our Openshift deployment are publicly accessible (playbook, template). I know it's not ideal but it's there.

Noggin is deployed in Openshift using the python s2i container, which runs gunicorn. It connects to IPA with a specific user that only has the necessary permissions (setup by this playbook). The SECRET and FERNET_SECRET variables are long randomly generated strings (that are, obviously, not public).

abompard avatar Jun 04 '21 10:06 abompard
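The two comments above both insist on SECRET and FERNET_SECRET being long, randomly generated values. The following is an added example (not noggin's own code) of generating such values from the OS CSPRNG and sanity-checking a config dict before it is deployed; it assumes the key names SECRET and FERNET_SECRET as written in this thread, and the placeholder list is constructed, not noggin's actual defaults.

```python
import base64
import re
import secrets
from typing import Dict, List

# Values a fresh or copy-pasted deployment is likely to carry.
# Constructed list for this example, not noggin's real defaults.
PLACEHOLDERS = {"", "changeme", "secret", "change_me", "insecure"}
MIN_SECRET_LEN = 32                                   # characters of SECRET
FERNET_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{43}=$")   # 32 bytes, URL-safe b64


def generate_secret() -> str:
    """256 bits from the OS CSPRNG, rendered as URL-safe text (43 chars)."""
    return secrets.token_urlsafe(32)


def generate_fernet_secret() -> str:
    """Fernet key format: exactly 32 random bytes in URL-safe base64 (44 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).decode("ascii")


def check_config(config: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the secrets look sane."""
    problems: List[str] = []
    secret = config.get("SECRET", "")
    fernet = config.get("FERNET_SECRET", "")

    if secret.lower() in PLACEHOLDERS:
        problems.append("SECRET is unset or a placeholder value")
    elif len(secret) < MIN_SECRET_LEN:
        problems.append("SECRET is shorter than %d characters" % MIN_SECRET_LEN)

    if fernet.lower() in PLACEHOLDERS:
        problems.append("FERNET_SECRET is unset or a placeholder value")
    elif not FERNET_KEY_RE.match(fernet):
        # Fernet rejects anything that is not 32 bytes of URL-safe base64.
        problems.append("FERNET_SECRET is not a 32-byte URL-safe base64 key")

    if secret and secret == fernet:
        problems.append("SECRET and FERNET_SECRET must not be the same value")
    return problems


if __name__ == "__main__":
    fresh = {"SECRET": generate_secret(), "FERNET_SECRET": generate_fernet_secret()}
    print("fresh config problems:", check_config(fresh))
    print("placeholder config problems:",
          check_config({"SECRET": "changeme", "FERNET_SECRET": "secret"}))
```

Run the check against the rendered config file in CI or a pre-deploy hook so a placeholder never reaches the gunicorn host.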

We'll probably have classical setup information available soon too, it just takes some time to run through a setup and make it a thing.

Conan-Kudo avatar Jun 04 '21 10:06 Conan-Kudo

That's understandable. I do want to ask what is the recommended setup for this. For example, if I have 4 IPA servers internally, do I want to install it on each of them? Just one of the IPA servers? etc.

Cliftonz avatar Jun 04 '21 15:06 Cliftonz

If it's an IPA cluster, then you only need one instance of Noggin.

abompard avatar Jun 04 '21 16:06 abompard

This issue has been sitting out for over a year. Is there any way someone could upload a rudimentary list of steps to install this product?

We do not use Openshift and want to install this manually for our ipa cluster.

Cliftonz avatar Nov 27 '21 16:11 Cliftonz

I guess I could write up a guide for installing it the traditional way with the RPMs I made of this. The main reason I haven't done it yet is that I need to finish the work to update it to the latest stable version in Fedora.

Conan-Kudo avatar Nov 27 '21 16:11 Conan-Kudo

@Conan-Kudo That would be much appreciated. I do think you should include how to install it with the playbooks and templates too. Do you have an estimate on how long this may take?

Cliftonz avatar Nov 27 '21 17:11 Cliftonz

As I don't use Ansible much, I'm not sure I could help there, but at least I can document the manual setup process and someone can contribute Ansible stuff. As for an estimate, my priorities at the moment do not leave me a lot of time for this right now, but I'm hoping to come back to this in mid-December.

Conan-Kudo avatar Nov 27 '21 17:11 Conan-Kudo

Mid-December would be great. In terms of the Ansible installation, I would say just leave a Todo in the documentation.

Cliftonz avatar Nov 27 '21 19:11 Cliftonz

@Conan-Kudo Any updates?

Cliftonz avatar May 29 '22 19:05 Cliftonz

Life happened the past few months, but I'm coming back to this.

Conan-Kudo avatar May 29 '22 23:05 Conan-Kudo

@Conan-Kudo Did life get in the way again?

Cliftonz avatar Jan 13 '23 18:01 Cliftonz

@Cliftonz actually, in the process of testing it, I discovered that the deployment was broken and I'm trying to figure out why... 😕

Conan-Kudo avatar Jan 17 '23 11:01 Conan-Kudo

Awesome!

Cliftonz avatar Jan 17 '23 13:01 Cliftonz

I've made some progress on this, I'm having @jonathanspw test out my draft before submitting it upstream.

Conan-Kudo avatar Feb 18 '23 19:02 Conan-Kudo

@Conan-Kudo updates?

Cliftonz avatar Oct 02 '23 13:10 Cliftonz

@abompard @Conan-Kudo I think this can be closed now, correct?

Cliftonz avatar Apr 15 '24 20:04 Cliftonz