Production TKControl¶
Installation is carried out on two hosts running Debian 10 (buster).
Salt-Master Server¶
The following steps are executed on the first host. They cover installation and configuration of salt-master, salt-api and the VNC repeater (uvncrepeater).
Installation¶
Before starting the installation, update the package list and install the required packages (python3-dev provides the headers pip3 needs if a module has to build a C extension):
sudo apt update -y
sudo apt install -y git make gcc python3-pip python3-dev python-dev
SaltStack¶
Install Salt Master and Salt Api:
sudo apt install -y salt-master salt-api
TKControl¶
Install the tkcontrol-configure module:
sudo pip3 install --prefix /usr/local \
    --index-url http://pypi.accentos.ru/ \
    --trusted-host pypi.accentos.ru \
    tkcontrol-configure
The index is reached over plain HTTP and --trusted-host tells pip not to verify the transport, so nothing authenticates the packages on the way in. Run this only from a network you trust, or point --index-url at an HTTPS mirror and drop --trusted-host.
VNC Repeater¶
Clone the uvncrepeater-ac repository (this takes the current HEAD; for a production build check out a specific commit or tag you have reviewed, so the build is reproducible):
git clone https://github.com/tenchman/uvncrepeater-ac
Build and install it:
sudo make -C uvncrepeater-ac install
Add a system user for uvncrepeater without a login shell (on Debian the shell is /usr/sbin/nologin):
sudo useradd -r -s /usr/sbin/nologin uvncrep
Configuration¶
Run the configuration for salt-master and the VNC repeater:
sudo tkcontrol-configure vnc-repeater --with-systemd && \
sudo tkcontrol-configure salt-master --with-patch
If VNC connections must require a password, replace the state file /srv/salt/states/connect-vnc.sls with the password variant (the original is kept as connect-vnc-notify.sls):
sudo cp /srv/salt/states/connect-vnc.sls /srv/salt/states/connect-vnc-notify.sls
sudo cp /srv/salt/states/connect-vnc-pass.sls /srv/salt/states/connect-vnc.sls
Generate a shared secret for the salt user:
openssl rand -base64 16
Put the generated value into the "sharedsecret" field of /etc/salt/master.d/api.conf by replacing the placeholder saltpass; generated_password below stands for the value printed by the previous command (base64 output contains neither | nor &, so it is safe inside this sed expression):
sudo sed 's|saltpass|generated_password|' -i /etc/salt/master.d/api.conf
Keep the value: the same secret has to be entered in the tkcontrol-services configuration on the TKControl server. Also confirm that saltpass no longer appears in the file, because sed exits 0 even when the pattern did not match and the default would silently stay in place.
Make salt-api reachable from other hosts (do this only together with the SSL step below, and restrict the salt-api port with a firewall so that only the TKControl server can reach it):
sudo sed 's|"host": "127.0.0.1"|"host": "0.0.0.0"|' -i /etc/salt/master.d/api.conf
Enable SSL:
sudo sed 's|"disable_ssl": True|"disable_ssl": False|' -i /etc/salt/master.d/api.conf
Add a certificate for salt-api. If there is none, generate a self-signed one; the "Common Name" must be saltstack, the name under which the TKControl server addresses this host, and the private key should stay readable by the salt user only (mode 600):
# Create the directory for the certificates
sudo mkdir /etc/salt/ssl
# Generate the certificate; enter saltstack when asked for the "Common Name"
sudo openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout /etc/salt/ssl/salt-api.key -out /etc/salt/ssl/salt-api.crt
# Make the salt user the owner of the certificate and private key
sudo chown salt:salt /etc/salt/ssl/salt-api.key /etc/salt/ssl/salt-api.crt
Add the location of the certificates to /etc/salt/master.d/api.conf:
"rest_cherrypy": {
    ...
    "ssl_crt": "/etc/salt/ssl/salt-api.crt",
    "ssl_key": "/etc/salt/ssl/salt-api.key",
    ...
}
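The salt-api steps above (shared secret, bind address, TLS, certificate) as one script, added here as an example; it is not code from the TKControl project. The paths, the placeholder strings and the name saltstack are taken from the instructions; the function names, the --apply flag, the placeholder check, the subjectAltName extension, the key permissions and storing the secret in /root/salt-api.secret are this example's own choices.

```shell
#!/bin/sh
# Added example for the salt-api configuration steps (not TKControl project code).
# Paths and the name "saltstack" come from the instructions; everything else
# (function names, --apply flag, checks, SAN, key mode, secret file) is assumed here.
set -eu

# Shared secret as in the instructions: 16 random bytes, base64 encoded. The
# base64 alphabet never contains '|' or '&', so the value is safe in sed's s|old|new|.
make_shared_secret() {
    openssl rand -base64 16
}

# Replace a placeholder, failing if it is absent. sed itself exits 0 when the
# pattern does not match, which would silently leave the default in place.
replace_once() {
    local file="$1" old="$2" new="$3"
    grep -qF -- "$old" "$file" || { echo "placeholder '$old' not found in $file" >&2; return 1; }
    sed -i "s|$old|$new|" "$file"
}

# The three api.conf edits from the instructions: secret, bind address, TLS on.
# bind_addr defaults to 0.0.0.0 as on the page; passing the address of the
# interface that faces the TKControl server avoids exposing the API everywhere.
configure_api_conf() {
    local conf="$1" secret="$2" bind_addr="${3:-0.0.0.0}"
    replace_once "$conf" 'saltpass' "$secret" || return 1
    replace_once "$conf" '"host": "127.0.0.1"' "\"host\": \"$bind_addr\"" || return 1
    replace_once "$conf" '"disable_ssl": True' '"disable_ssl": False' || return 1
}

# Self-signed certificate for the name the TKControl server resolves the Salt
# master by ("saltstack" in its /etc/hosts). Hostname-checking clients match
# the SAN, so it is set as well as the CN. -addext needs OpenSSL >= 1.1.1,
# which Debian 10 ships.
gen_api_cert() {
    local ssl_dir="$1" name="${2:-saltstack}"
    install -d -m 750 -o salt -g salt "$ssl_dir"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$ssl_dir/salt-api.key" -out "$ssl_dir/salt-api.crt"
    chown salt:salt "$ssl_dir/salt-api.key" "$ssl_dir/salt-api.crt"
    chmod 600 "$ssl_dir/salt-api.key"   # private key: salt user only
    chmod 644 "$ssl_dir/salt-api.crt"   # public; this file is copied to the TKControl server
}

# Prints "ok" (status 0) when api.conf has no default secret, TLS enabled and
# the certificate paths set; otherwise prints the problem and returns 1.
check_api_conf() {
    local conf="$1"
    if grep -qF 'saltpass' "$conf"; then echo "default secret still present"; return 1; fi
    if grep -qF '"disable_ssl": True' "$conf"; then echo "TLS still disabled"; return 1; fi
    grep -qF '"ssl_crt"' "$conf" || { echo "ssl_crt not set"; return 1; }
    grep -qF '"ssl_key"' "$conf" || { echo "ssl_key not set"; return 1; }
    echo ok
}

# Run on the Salt master as root: ./salt-api-setup.sh --apply
# The secret is kept in a root-only file because it is needed again on the
# TKControl server (tkcontrol-services config.py).
if [ "${1:-}" = "--apply" ]; then
    secret=$(make_shared_secret)
    umask 077; printf '%s\n' "$secret" > /root/salt-api.secret
    configure_api_conf /etc/salt/master.d/api.conf "$secret"
    gen_api_cert /etc/salt/ssl
    check_api_conf /etc/salt/master.d/api.conf
fi
```

Sourcing the file without --apply only defines the functions, so check_api_conf can be run on its own after a manual edit. Restart salt-api afterwards as in the Start section.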
Start¶
Restart salt-master and salt-api:
sudo systemctl restart salt-master
sudo systemctl restart salt-api
Enable and start the VNC repeater:
sudo systemctl enable tkcontrol-vnc-repeater
sudo systemctl start tkcontrol-vnc-repeater
TKControl Server¶
The following steps are executed on the second host. They cover installation and configuration of mongodb, rabbitmq, websockify, nginx, tkcontrol-auth, tkcontrol-backend, tkcontrol-services and tkcontrol-dbadapter.
Installation¶
Before starting the installation, update the package list and install the required packages (python3-dev provides the headers pip3 needs to build C extensions such as the LDAP bindings):
sudo apt update -y
sudo apt install -y git gnupg2 make gcc python3-pip python3-dev libsasl2-dev python-dev libldap2-dev libssl-dev
Mongo DB¶
Import the MongoDB public GPG key:
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
Add mongodb to the list of repositories:
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
Update the package list and install mongodb:
sudo apt update -y
sudo apt install -y mongodb-org
Enable mongodb at boot and start the service:
sudo systemctl enable mongod
sudo systemctl start mongod
Rabbit MQ¶
Install Rabbit MQ Server:
sudo apt install -y rabbitmq-server
Enable rabbitmq at boot and start the service:
sudo systemctl enable rabbitmq-server
sudo systemctl start rabbitmq-server
Websockify¶
Install websockify:
sudo apt install -y websockify
Nginx JWT Module¶
Installation from source files¶
Set the component versions as environment variables (NGINX_VERSION must be exactly the version of the Debian package installed below: the JWT module is built against this source tree and the resulting binary replaces the packaged one):
export NGINX_VERSION=1.14.2 && \
export JANSSON_VERSION=2.10 && \
export LIBJWT_VERSION=1.9.0
Install the packages required to build from source:
sudo apt install -y build-essential
sudo apt install -y wget unzip git cmake check autoconf libtool openssl libssl-dev libpcre3 libpcre3-dev zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev libgd-dev google-perftools libgoogle-perftools-dev libperl-dev
Install nginx from the pinned Debian package; it provides the systemd unit, the /etc/nginx layout and the modules-enabled directory that the source build below reuses:
sudo apt install -y nginx=$NGINX_VERSION-2+deb10u4
Stop and disable nginx. The binary installed here is overwritten by make install below, so also pin or hold the nginx packages in apt; otherwise a later package upgrade replaces the rebuilt binary with one the JWT module was not built for.
sudo systemctl stop nginx
sudo systemctl disable nginx
Build and install the JSON library:
wget https://github.com/akheron/jansson/archive/v$JANSSON_VERSION.zip && \
unzip v$JANSSON_VERSION.zip && \
rm v$JANSSON_VERSION.zip && \
cd jansson-$JANSSON_VERSION && \
cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
make && \
make check && \
sudo make install && \
cd ..
Build and install the library for working with JWT tokens:
wget https://github.com/benmcollins/libjwt/archive/v$LIBJWT_VERSION.zip && \
unzip v$LIBJWT_VERSION.zip && \
rm v$LIBJWT_VERSION.zip && \
cd libjwt-$LIBJWT_VERSION && \
autoreconf -i && \
./configure && \
make all && \
sudo make install && \
cd ..
Download the nginx module for working with JWT tokens (unpinned HEAD; for production check out a reviewed commit or tag so the build is reproducible):
git clone https://github.com/TeslaGov/ngx-http-auth-jwt-module
Build nginx with the required modules. The tarball is fetched over HTTPS; nginx.org publishes a detached signature (nginx-$NGINX_VERSION.tar.gz.asc) next to it, which should be verified before building.
wget https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
tar -xzf nginx-$NGINX_VERSION.tar.gz && \
rm nginx-$NGINX_VERSION.tar.gz && \
cd nginx-$NGINX_VERSION

# Configure nginx modules
./configure --add-dynamic-module=../ngx-http-auth-jwt-module \
    --prefix=/usr/share/nginx \
    --sbin-path=/usr/sbin/nginx \
    --modules-path=/usr/lib/nginx/modules \
    --conf-path=/etc/nginx/nginx.conf \
    --error-log-path=/var/log/nginx/error.log \
    --http-log-path=/var/log/nginx/access.log \
    --pid-path=/run/nginx.pid \
    --lock-path=/var/lock/nginx.lock \
    --user=www-data \
    --group=www-data \
    --build=Ubuntu \
    --http-client-body-temp-path=/var/lib/nginx/body \
    --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
    --http-proxy-temp-path=/var/lib/nginx/proxy \
    --http-scgi-temp-path=/var/lib/nginx/scgi \
    --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
    --with-pcre \
    --with-pcre-jit \
    --with-compat \
    --with-file-aio \
    --with-threads \
    --with-http_addition_module \
    --with-http_auth_request_module \
    --with-http_dav_module \
    --with-http_flv_module \
    --with-http_gunzip_module \
    --with-http_gzip_static_module \
    --with-http_image_filter_module=dynamic \
    --with-http_mp4_module \
    --with-http_random_index_module \
    --with-http_realip_module \
    --with-http_slice_module \
    --with-http_ssl_module \
    --with-http_sub_module \
    --with-http_stub_status_module \
    --with-http_xslt_module=dynamic \
    --with-http_v2_module \
    --with-http_secure_link_module \
    --with-mail=dynamic \
    --with-mail_ssl_module \
    --with-stream=dynamic \
    --with-stream_realip_module \
    --with-stream_ssl_module \
    --with-stream_ssl_preread_module \
    --with-debug \
    --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-mcUg8N/nginx-$NGINX_VERSION=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' \
    --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC'

# Build and install nginx (this replaces the packaged /usr/sbin/nginx)
make && \
sudo make install && \
cd ..

# Disable the distro-built modules that are not part of this build
sudo unlink /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf && \
sudo unlink /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf && \
sudo unlink /etc/nginx/modules-enabled/50-mod-http-echo.conf && \
sudo unlink /etc/nginx/modules-enabled/50-mod-http-geoip.conf && \
sudo unlink /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf && \
sudo unlink /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf

# Load the JWT module
echo "load_module modules/ngx_http_auth_jwt_module.so;" | sudo tee /etc/nginx/modules-enabled/http-auth-jwt.conf
Refresh the dynamic linker cache so that nginx finds libjansson and libjwt in /usr/local/lib:
sudo /sbin/ldconfig
TKControl¶
Install the TKControl module packages. As on the Salt master, the index is plain HTTP and --trusted-host disables pip's transport verification, so use this only from a trusted network (note that this host uses an internal development index, pypi-dev.tnxos.loc, rather than pypi.accentos.ru):
sudo pip3 install --prefix /usr/local \
    --index-url http://pypi-dev.tnxos.loc/ \
    --trusted-host pypi-dev.tnxos.loc \
    tkcontrol-auth \
    tkcontrol-backend \
    tkcontrol-dbadapter \
    tkcontrol-modules \
    tkcontrol-configure \
    tkcontrol-services
Add a symlink so that gunicorn is found on the default PATH used by the service units:
sudo ln -s /usr/local/bin/gunicorn /usr/bin/gunicorn
Configuration¶
Add the hostnames to /etc/hosts, where address_of_saltmaster is the IP address of the Salt master host:
127.0.0.1 localhost db dbadapter backend auth mq novnc-proxy
address_of_saltmaster saltstack vnc-repeater
Run the commands that configure the services:
sudo tkcontrol-auth configure --with-systemd && \
sudo tkcontrol-backend configure --with-systemd && \
sudo tkcontrol-dbadapter configure --with-systemd && \
sudo tkcontrol-services configure --with-systemd && \
sudo tkcontrol-configure websockify --with-systemd && \
sudo tkcontrol-configure proxy
Customize the tkcontrol-services configuration /etc/tkcontrol/tkcontrol-services/config.py:
# Change the salt-api protocol from http to https
sudo sed "s|'http://' + SALT_API_ADDRESS|'https://' + SALT_API_ADDRESS|" -i /etc/tkcontrol/tkcontrol-services/config.py
# Set the password for the salt user, where generated_password is the shared secret generated for salt-api on the Salt master
sudo sed "s|saltpass|generated_password|" -i /etc/tkcontrol/tkcontrol-services/config.py
# Copy the salt-api certificate (only the public certificate; the private key stays on the Salt master).
# It serves as the CA file for verifying salt-api, so its Common Name must be saltstack, the name used in /etc/hosts above.
sudo scp user@saltstack:/etc/salt/ssl/salt-api.crt /etc/tkcontrol/tkcontrol-services/ca.pem
Add a certificate for nginx. If there is none, generate a self-signed one (keep the private key /etc/ssl/tkcontrol.key readable by root only):
# Generate the certificate if it is missing
sudo openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout /etc/ssl/tkcontrol.key -out /etc/ssl/tkcontrol.crt
Add the certificate to the nginx site and change the listening port:
sudo vim /etc/nginx/sites-available/tkcontrol.conf
In the first server block, comment out the following lines:
#server_name 0.0.0.0;
#listen 80 default_server;
#listen [::]:80 default_server;
and add the 443 listener and the certificate location:
listen 443 ssl;
ssl_certificate /etc/ssl/tkcontrol.crt;
ssl_certificate_key /etc/ssl/tkcontrol.key;
Validate the result with nginx -t before starting nginx.
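The TKControl server configuration steps above (tkcontrol-services config.py, the nginx site, and the copied salt-api certificate) as one script, added here as an example; it is not code from the TKControl project. File paths, placeholder strings and the name saltstack are taken from the instructions; the function names, the --apply flag, the awk-based rewrite of the first server block, the post-edit checks and the openssl s_client verification of salt-api are this example's own.

```shell
#!/bin/sh
# Added example for the TKControl server configuration steps (not TKControl project code).
# Paths and placeholders come from the instructions; function names, --apply,
# the awk rewrite and the checks are assumptions made here.
set -eu

# Replace a placeholder in a file, failing if it is absent rather than letting
# sed exit 0 and leave the default in place.
replace_once() {
    local file="$1" old="$2" new="$3"
    grep -qF -- "$old" "$file" || { echo "placeholder '$old' not found in $file" >&2; return 1; }
    sed -i "s|$old|$new|" "$file"
}

# tkcontrol-services config.py: talk to salt-api over https and use the shared
# secret generated on the Salt master (the value that replaced "saltpass" there).
configure_services_config() {
    local conf="$1" secret="$2"
    replace_once "$conf" "'http://' + SALT_API_ADDRESS" "'https://' + SALT_API_ADDRESS" || return 1
    replace_once "$conf" 'saltpass' "$secret" || return 1
}

# nginx site: in the first server block only, comment out the plain-HTTP
# listeners and server_name, and add the TLS listener with the certificate paths.
# The file is rewritten in place (cat >) so its owner and mode are preserved.
harden_nginx_site() {
    local site="$1" crt="${2:-/etc/ssl/tkcontrol.crt}" key="${3:-/etc/ssl/tkcontrol.key}"
    awk -v crt="$crt" -v key="$key" '
        /^[ \t]*server[ \t]*[{]/ && ++nserver == 1 {
            print
            print "    listen 443 ssl;"
            print "    ssl_certificate " crt ";"
            print "    ssl_certificate_key " key ";"
            next
        }
        nserver == 1 && /^[ \t]*(server_name 0\.0\.0\.0|listen (\[::\]:)?80 default_server);/ {
            sub(/^[ \t]*/, "&#")
        }
        { print }
    ' "$site" > "$site.tmp" && cat "$site.tmp" > "$site" && rm -f "$site.tmp"
}

# Prints "ok" when the site has an active "listen 443 ssl" and no active port-80 listener.
check_nginx_site() {
    local site="$1"
    grep -Eq '^[[:space:]]*listen 443 ssl;' "$site" || { echo "no TLS listener"; return 1; }
    if grep -Eq '^[[:space:]]*listen (\[::\]:)?80( |;)' "$site"; then echo "plain-HTTP listener still active"; return 1; fi
    echo ok
}

# After copying salt-api.crt to ca.pem: confirm this host can validate the Salt
# master's certificate with it, including the hostname. Succeeds only when
# OpenSSL reports a clean verification. Needs network access to the Salt master.
check_salt_api_tls() {
    local host="${1:-saltstack}" port="${2:-8000}" ca="${3:-/etc/tkcontrol/tkcontrol-services/ca.pem}"
    openssl s_client -connect "$host:$port" -CAfile "$ca" -verify_hostname "$host" \
        -verify_return_error </dev/null 2>&1 | grep -q 'Verify return code: 0 (ok)'
}

# Run as root after the scp of the certificate: ./tkcontrol-server-setup.sh --apply <shared secret>
if [ "${1:-}" = "--apply" ]; then
    configure_services_config /etc/tkcontrol/tkcontrol-services/config.py "${2:?shared secret required}"
    harden_nginx_site /etc/nginx/sites-available/tkcontrol.conf
    check_nginx_site /etc/nginx/sites-available/tkcontrol.conf && nginx -t
    check_salt_api_tls && echo "salt-api TLS verification ok"
fi
```

check_salt_api_tls is the test to run before enabling tkcontrol-services: if it fails, the service will either refuse to connect or the operator will be tempted to disable verification, and a mismatch between the Common Name on the Salt master's certificate and the name saltstack in /etc/hosts is the usual cause.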
Start¶
Enable and start novnc-proxy (websockify):
sudo systemctl enable tkcontrol-websockify
sudo systemctl start tkcontrol-websockify
Enable and start tkcontrol-auth:
sudo systemctl enable tkcontrol-auth
sudo systemctl start tkcontrol-auth
Enable and start tkcontrol-dbadapter:
sudo systemctl enable tkcontrol-dbadapter
sudo systemctl start tkcontrol-dbadapter
Enable and start tkcontrol-backend:
sudo systemctl enable tkcontrol-backend
sudo systemctl start tkcontrol-backend
Enable and start tkcontrol-services:
sudo systemctl enable tkcontrol-services
sudo systemctl start tkcontrol-services
Enable and start nginx:
sudo systemctl enable nginx
sudo systemctl start nginx