Production TKControl

Installation is carried out on two hosts running Debian 10.

Salt-Master Server

The following steps are executed on the first host. They cover installation and configuration of salt-master, salt-api and the VNC repeater (uvncrepeater).

Installation

  1. Before starting the installation, update the package list and install the required libraries:

    sudo apt update -y
    sudo apt install -y git make gcc python3-pip python3-dev
    

SaltStack

  1. Install Salt Master and Salt Api:

    sudo apt install -y salt-master salt-api
    

TKControl

  1. Install the tkcontrol-configure module. Note that the index is fetched over plain HTTP and --trusted-host switches off certificate verification for it, so anyone on the network path could substitute packages; run this only from a network you control, or point pip at an HTTPS index:

    sudo pip3 install --prefix /usr/local \
        --index-url http://pypi.accentos.ru/ \
        --trusted-host pypi.accentos.ru \
        tkcontrol-configure
    

VNC Repeater

  1. Clone the repository uvncrepeater-ac:

    git clone https://github.com/tenchman/uvncrepeater-ac
    
  2. Build and install it:

    sudo make -C uvncrepeater-ac install
    
  3. Create a dedicated, unprivileged account for the repeater (on Debian the nologin shell is /usr/sbin/nologin, not /sbin/nologin):

    sudo useradd --system -s /usr/sbin/nologin uvncrep
    

Configuration

  1. Run configuration for salt-master and vnc-repeater:

    sudo tkcontrol-configure vnc-repeater --with-systemd && \
    sudo tkcontrol-configure salt-master --with-patch
    
  2. If VNC sessions must require a password, swap in the password-enabled state (the original connect-vnc.sls is kept as connect-vnc-notify.sls):

    sudo cp /srv/salt/states/connect-vnc.sls /srv/salt/states/connect-vnc-notify.sls
    sudo cp /srv/salt/states/connect-vnc-pass.sls /srv/salt/states/connect-vnc.sls
    
  3. Generate a shared secret for the salt-api user:

    openssl rand -base64 16
    
  4. Replace the default sharedsecret value (saltpass) in /etc/salt/master.d/api.conf with the generated secret, substituting it for generated_password below. Do not leave the default in place: the same value is configured on the TKControl server in the next section, and anyone who knows it can authenticate to the API:

    sudo sed 's|saltpass|generated_password|' -i /etc/salt/master.d/api.conf
    
  5. Make salt-api listen on all interfaces, since the TKControl server runs on a separate host. With this setting the API is reachable from every network the Salt-Master is attached to, so restrict the port with a firewall to the TKControl server:

    sudo sed 's|"host": "127.0.0.1"|"host": "0.0.0.0"|' -i /etc/salt/master.d/api.conf
    
  6. Enable TLS:

    sudo sed 's|"disable_ssl": True|"disable_ssl": False|' -i /etc/salt/master.d/api.conf
    
  7. Provide a certificate for salt-api. If you do not have one, generate a self-signed certificate; when prompted, set the Common Name to saltstack, the name under which the TKControl server reaches salt-api (see its /etc/hosts entry). The TKControl server later copies this .crt as its trust anchor, so keep the private key readable by the salt user only:

    # Create directory for certificates
    sudo mkdir /etc/salt/ssl
    
    # Generate the certificate; when prompted, enter saltstack as the "Common Name"
    sudo openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout /etc/salt/ssl/salt-api.key -out /etc/salt/ssl/salt-api.crt
    
    # Change the owner of the certificate and private key
    sudo chown salt:salt /etc/salt/ssl/salt-api.key /etc/salt/ssl/salt-api.crt
    
  8. Add location of certificates to /etc/salt/master.d/api.conf:

    "rest_cherrypy": {
        ...
        "ssl_crt": "/etc/salt/ssl/salt-api.crt",
        "ssl_key": "/etc/salt/ssl/salt-api.key",
        ...
    }
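
Steps 3 to 8 leave several places where a default or a typo silently undoes the hardening: the default shared secret saltpass left in place, TLS still disabled while the API listens on every interface, or ssl_crt/ssl_key pointing at files that do not exist. The script below is an added example, not part of TKControl or of this guide: it generates the shared secret, splices it into api.conf and audits the finished file. The "key": value layout it matches is assumed from the sed patterns above, and the sample api.conf it writes for --demo is constructed here, not produced by tkcontrol-configure.

```shell
#!/bin/sh
# Added example (not TKControl code): generate the salt-api shared secret, apply it to
# /etc/salt/master.d/api.conf and audit the result of the configuration steps above.
# The '"key": value' layout matched below is assumed from this guide's sed patterns.

# gen_secret: 24 random bytes as base64 (32 chars). The base64 alphabet contains
# neither '|' nor '&', so the value is safe inside a '|'-delimited sed replacement.
gen_secret() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# set_shared_secret FILE SECRET: replace the default secret "saltpass" (step 4).
set_shared_secret() {
    sed -i "s|\"sharedsecret\": \"saltpass\"|\"sharedsecret\": \"$2\"|" "$1"
}

# conf_value FILE KEY: print the quoted string value of KEY, empty if absent.
conf_value() {
    sed -n "s|.*\"$2\": \"\([^\"]*\)\".*|\1|p" "$1"
}

# audit_api_conf FILE: report every unsafe setting; return 1 if any were found.
audit_api_conf() {
    conf=$1 rc=0
    if grep -q '"sharedsecret": "saltpass"' "$conf"; then
        echo "FAIL: default shared secret 'saltpass' still set"; rc=1
    fi
    if grep -q '"disable_ssl": True' "$conf"; then
        echo "FAIL: TLS is disabled (disable_ssl: True)"; rc=1
    fi
    for k in ssl_crt ssl_key; do
        path=$(conf_value "$conf" "$k")
        if [ -z "$path" ]; then
            echo "FAIL: $k not set (step 8)"; rc=1
        elif [ ! -f "$path" ]; then
            echo "FAIL: $k points to missing file $path"; rc=1
        fi
    done
    if grep -q '"host": "0.0.0.0"' "$conf" && [ "$rc" -ne 0 ]; then
        echo "NOTE: the API listens on all interfaces; fix the above before restarting salt-api"
    fi
    return "$rc"
}

# write_sample_conf FILE SECRET DISABLE_SSL [CRT KEY]: constructed sample api.conf
# in the layout assumed above; used only for --demo and testing.
write_sample_conf() {
    {
        echo '{'
        echo '    "rest_cherrypy": {'
        echo '        "port": 8000,'
        echo '        "host": "0.0.0.0",'
        echo "        \"disable_ssl\": $3,"
        [ -n "${4:-}" ] && echo "        \"ssl_crt\": \"$4\","
        [ -n "${5:-}" ] && echo "        \"ssl_key\": \"$5\","
        echo "        \"sharedsecret\": \"$2\""
        echo '    }'
        echo '}'
    } > "$1"
}

# Demo on a constructed file:  sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    touch "$tmp/salt-api.crt" "$tmp/salt-api.key"
    write_sample_conf "$tmp/api.conf" saltpass True "$tmp/salt-api.crt" "$tmp/salt-api.key"
    audit_api_conf "$tmp/api.conf" || echo "-- applying fixes --"
    set_shared_secret "$tmp/api.conf" "$(gen_secret)"
    sed -i 's|"disable_ssl": True|"disable_ssl": False|' "$tmp/api.conf"
    audit_api_conf "$tmp/api.conf" && echo "OK: $tmp/api.conf passes"
    rm -rf "$tmp"
fi
```

On the Salt-Master host, as root: `secret=$(gen_secret); set_shared_secret /etc/salt/master.d/api.conf "$secret"`, then `audit_api_conf /etc/salt/master.d/api.conf` before restarting salt-api. Keep the value of $secret for the tkcontrol-services configuration on the second host.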
    

Start

  1. Restart the salt-master and salt-api services:

    sudo systemctl restart salt-master
    sudo systemctl restart salt-api
    
  2. Start vnc-repeater:

    sudo systemctl enable tkcontrol-vnc-repeater
    sudo systemctl start tkcontrol-vnc-repeater
    

TKControl Server

The following steps are executed on the second host. They cover installation and configuration of MongoDB, RabbitMQ, websockify, nginx, tkcontrol-auth, tkcontrol-backend, tkcontrol-services and tkcontrol-dbadapter.

Installation

  1. Before starting the installation, update the package list and install the required libraries:

    sudo apt update -y
    sudo apt install -y git gnupg2 make gcc python3-pip libsasl2-dev python3-dev libldap2-dev libssl-dev
    

Mongo DB

  1. Import the MongoDB package signing key:

    wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
    
  2. Add mongodb to the list of repositories:

    echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
    
  3. Update package list and install mongodb:

    sudo apt update -y
    sudo apt install -y mongodb-org
    
  4. Enable mongod at boot and start it:

    sudo systemctl enable mongod
    sudo systemctl start mongod
    

Rabbit MQ

  1. Install Rabbit MQ Server:

    sudo apt install -y rabbitmq-server
    
  2. Enable rabbitmq-server at boot and start it:

    sudo systemctl enable rabbitmq-server
    sudo systemctl start rabbitmq-server
    

Websockify

  1. Install websockify:

    sudo apt install -y websockify
    

Nginx JWT Module

Installation from source files
  1. Set module versions to environment variables:

    export NGINX_VERSION=1.14.2 && \
    export JANSSON_VERSION=2.10 && \
    export LIBJWT_VERSION=1.9.0
    
  2. Install required libraries to build source files:

    sudo apt install -y build-essential
    sudo apt install -y wget unzip git cmake check autoconf libtool openssl libssl-dev libpcre3 libpcre3-dev zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev libgd-dev google-perftools libgoogle-perftools-dev libperl-dev
    
  3. Install the packaged nginx (it provides the configuration layout and the systemd unit; the binary itself is replaced by the build below):

    sudo apt install -y nginx=$NGINX_VERSION-2+deb10u4
    
  4. Stop and disable nginx while it is rebuilt:

    sudo systemctl stop nginx
    sudo systemctl disable nginx
    
  5. Install jansson, the JSON library libjwt depends on:

    wget https://github.com/akheron/jansson/archive/v$JANSSON_VERSION.zip && \
    unzip v$JANSSON_VERSION.zip && \
    rm v$JANSSON_VERSION.zip && \
    cd jansson-$JANSSON_VERSION && \
    cmake . -DJANSSON_BUILD_SHARED_LIBS=1 -DJANSSON_BUILD_DOCS=OFF && \
    make && \
    make check && \
    sudo make install && \
    cd ..
    
  6. Install libjwt, the library that parses and verifies JWT tokens:

    wget https://github.com/benmcollins/libjwt/archive/v$LIBJWT_VERSION.zip && \
    unzip v$LIBJWT_VERSION.zip && \
    rm v$LIBJWT_VERSION.zip && \
    cd libjwt-$LIBJWT_VERSION && \
    autoreconf -i && \
    ./configure && \
    make all && \
    sudo make install && \
    cd ..
    
  7. Download the nginx module for working with JWT tokens:

    git clone https://github.com/TeslaGov/ngx-http-auth-jwt-module
    
  8. Build nginx with required modules:

    wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz && \
    tar -xzf nginx-$NGINX_VERSION.tar.gz && \
    rm nginx-$NGINX_VERSION.tar.gz && \
    cd nginx-$NGINX_VERSION
    
    # Configuring nginx modules
    ./configure --add-dynamic-module=../ngx-http-auth-jwt-module \
                --prefix=/usr/share/nginx \
                --sbin-path=/usr/sbin/nginx \
                --modules-path=/usr/lib/nginx/modules \
                --conf-path=/etc/nginx/nginx.conf \
                --error-log-path=/var/log/nginx/error.log \
                --http-log-path=/var/log/nginx/access.log \
                --pid-path=/run/nginx.pid \
                --lock-path=/var/lock/nginx.lock \
                --user=www-data \
                --group=www-data \
                --build=Ubuntu \
                --http-client-body-temp-path=/var/lib/nginx/body \
                --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
                --http-proxy-temp-path=/var/lib/nginx/proxy \
                --http-scgi-temp-path=/var/lib/nginx/scgi \
                --http-uwsgi-temp-path=/var/lib/nginx/uwsgi \
                --with-pcre \
                --with-pcre-jit \
                --with-compat \
                --with-file-aio \
                --with-threads \
                --with-http_addition_module \
                --with-http_auth_request_module \
                --with-http_dav_module \
                --with-http_flv_module \
                --with-http_gunzip_module \
                --with-http_gzip_static_module \
                --with-http_image_filter_module=dynamic \
                --with-http_mp4_module \
                --with-http_random_index_module \
                --with-http_realip_module \
                --with-http_slice_module \
                --with-http_ssl_module \
                --with-http_sub_module \
                --with-http_stub_status_module \
                --with-http_xslt_module=dynamic \
                --with-http_v2_module \
                --with-http_secure_link_module \
                --with-mail=dynamic \
                --with-mail_ssl_module \
                --with-stream=dynamic \
                --with-stream_realip_module \
                --with-stream_ssl_module \
                --with-stream_ssl_preread_module \
                --with-debug \
                --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-mcUg8N/nginx-$NGINX_VERSION=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2'\
                --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC'
    
    # Build nginx
    make && \
    sudo make install && \
    cd ..
    
    # Remove module configs shipped by the Debian package: the custom build does not include these modules and nginx would fail to load them
    sudo unlink /etc/nginx/modules-enabled/50-mod-http-auth-pam.conf && \
    sudo unlink /etc/nginx/modules-enabled/50-mod-http-dav-ext.conf && \
    sudo unlink /etc/nginx/modules-enabled/50-mod-http-echo.conf && \
    sudo unlink /etc/nginx/modules-enabled/50-mod-http-geoip.conf && \
    sudo unlink /etc/nginx/modules-enabled/50-mod-http-subs-filter.conf && \
    sudo unlink /etc/nginx/modules-enabled/50-mod-http-upstream-fair.conf
    
    # Add configuration for jwt module
    echo "load_module modules/ngx_http_auth_jwt_module.so;" | sudo tee /etc/nginx/modules-enabled/http-auth-jwt.conf
    
  9. Update dynamic libraries:

    sudo /sbin/ldconfig
    

TKControl

  1. Install the TKControl packages. As on the Salt-Master host, the index is plain HTTP with --trusted-host, so run this from a trusted network or use an HTTPS index:

    sudo pip3 install --prefix /usr/local \
        --index-url http://pypi-dev.tnxos.loc/ \
        --trusted-host pypi-dev.tnxos.loc \
        tkcontrol-auth \
        tkcontrol-backend \
        tkcontrol-dbadapter \
        tkcontrol-modules \
        tkcontrol-configure \
        tkcontrol-services
    
  2. Symlink gunicorn into /usr/bin so it is found on the default PATH:

    sudo ln -s /usr/local/bin/gunicorn /usr/bin/gunicorn
    

Configuration

  1. Add host names to /etc/hosts. address_of_saltmaster is the IP address of the Salt-Master host; the name saltstack must match the Common Name of the salt-api certificate, otherwise the TLS verification configured below fails:

    127.0.0.1 localhost db dbadapter backend auth mq novnc-proxy
    address_of_saltmaster saltstack vnc-repeater
    
  2. Run commands to configure services:

    sudo tkcontrol-auth configure --with-systemd && \
    sudo tkcontrol-backend configure --with-systemd && \
    sudo tkcontrol-dbadapter configure --with-systemd && \
    sudo tkcontrol-services configure --with-systemd && \
    sudo tkcontrol-configure websockify --with-systemd && \
    sudo tkcontrol-configure proxy
    
  3. Adjust the tkcontrol-services configuration in /etc/tkcontrol/tkcontrol-services/config.py:

    # Change protocol from http to https
    sudo sed "s|'http://' + SALT_API_ADDRESS|'https://' + SALT_API_ADDRESS|" -i /etc/tkcontrol/tkcontrol-services/config.py
    
    # Set the salt user's password: generated_password is the sharedsecret configured for salt-api on the Salt-Master host
    sudo sed "s|saltpass|generated_password|" -i /etc/tkcontrol/tkcontrol-services/config.py
    
    # Copy the salt-api certificate; it serves as the trust anchor (ca.pem) for the HTTPS connection to salt-api
    sudo scp user@saltstack:/etc/salt/ssl/salt-api.crt /etc/tkcontrol/tkcontrol-services/ca.pem
    
  4. Provide a certificate for nginx. If you do not have one, generate a self-signed certificate; when prompted, enter the host name users will type into their browsers as the Common Name. Keep /etc/ssl/tkcontrol.key readable by root only (nginx reads it as root before dropping privileges):

    # Generate certificate if it is missing
    sudo openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout /etc/ssl/tkcontrol.key -out /etc/ssl/tkcontrol.crt
    
  5. Edit /etc/nginx/sites-available/tkcontrol.conf (for example with sudo vim) to switch the first server block from plain HTTP on port 80 to TLS on port 443:

    # Comment out following lines in the first block server
    #server_name 0.0.0.0;
    #listen 80 default_server;
    #listen [::]:80 default_server;
    
    # Add 443 port listening and certificate location
    listen 443 ssl;
    ssl_certificate /etc/ssl/tkcontrol.crt;
    ssl_certificate_key /etc/ssl/tkcontrol.key;
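
Both self-signed certificates in this guide (salt-api in step 7 on the Salt-Master host, and nginx in step 4 here) are generated interactively with only a Common Name, and neither step locks down the private key. Hostname-verifying clients check the subjectAltName, and a key left world-readable defeats the point of TLS. The script below is an added example, not TKControl code and not part of the generated tkcontrol.conf: gen_selfsigned creates a certificate whose Common Name and DNS subjectAltName agree and restricts the key to root, and write_tls_snippet / write_redirect_server produce nginx fragments that complement the edit above (TLS 1.2 and 1.3 only, a commented HSTS line, and a port-80 redirect instead of a closed port). It assumes OpenSSL 1.1.1 or later (for -addext) and GNU stat; the snippet paths and the host name tkcontrol.example.org in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not TKControl code. Covers the two self-signed certificates in this
# guide (salt-api on the Salt-Master host, nginx on this host) and the TLS side of the
# tkcontrol.conf edit above. Assumes OpenSSL >= 1.1.1 (for -addext) and GNU stat.

# gen_selfsigned NAME DIR [BASENAME]: non-interactive replacement for the `openssl req`
# steps. NAME becomes both the Common Name and a DNS subjectAltName, which is what
# hostname-verifying clients check; files are DIR/BASENAME.{key,crt} (BASENAME
# defaults to NAME) and the key is made readable by its owner only.
gen_selfsigned() {
    name=$1 dir=$2 base=${3:-$1}
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$dir/$base.key" -out "$dir/$base.crt" 2>/dev/null
    chmod 600 "$dir/$base.key"
    chmod 644 "$dir/$base.crt"
}

# has_san CRT NAME: succeed if the certificate lists DNS:NAME in subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private KEY: succeed if the key file is not group- or world-readable.
key_is_private() {
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# write_tls_snippet FILE: TLS settings to `include` inside the tkcontrol.conf server
# block, next to the ssl_certificate lines added above.
write_tls_snippet() {
    cat > "$1" <<'EOF'
# Included from the TKControl server block (path is a suggestion):
#   include /etc/nginx/snippets/tkcontrol-tls.conf;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
# HSTS pins browsers to HTTPS. Enable it only once a CA-issued certificate is in
# place: with a self-signed certificate it turns the browser warning into a hard block.
# add_header Strict-Transport-Security "max-age=63072000" always;
EOF
}

# write_redirect_server FILE: instead of leaving port 80 closed (the commented-out
# listen lines above), answer plain HTTP with a redirect to HTTPS.
write_redirect_server() {
    cat > "$1" <<'EOF'
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}
EOF
}

# Usage (as root; host names are placeholders, use your own):
#   Salt-Master host:  gen_selfsigned saltstack /etc/salt/ssl salt-api
#                      chown salt:salt /etc/salt/ssl/salt-api.key /etc/salt/ssl/salt-api.crt
#   TKControl host:    gen_selfsigned tkcontrol.example.org /etc/ssl tkcontrol
#                      write_tls_snippet /etc/nginx/snippets/tkcontrol-tls.conf
#                      write_redirect_server /etc/nginx/conf.d/tkcontrol-redirect.conf
#                      nginx -t
```

The file names in the usage comments match the paths used earlier in this guide (/etc/salt/ssl/salt-api.{key,crt} and /etc/ssl/tkcontrol.{key,crt}), so the api.conf and tkcontrol.conf entries above need no change. Run `nginx -t` after adding the fragments, and check `has_san /etc/salt/ssl/salt-api.crt saltstack` on the Salt-Master before copying the certificate to the TKControl server as ca.pem.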
    

Start

  1. Start the noVNC proxy (websockify):

    sudo systemctl enable tkcontrol-websockify
    sudo systemctl start tkcontrol-websockify
    
  2. Start tkcontrol-auth:

    sudo systemctl enable tkcontrol-auth
    sudo systemctl start tkcontrol-auth
    
  3. Start tkcontrol-dbadapter:

    sudo systemctl enable tkcontrol-dbadapter
    sudo systemctl start tkcontrol-dbadapter
    
  4. Start tkcontrol-backend:

    sudo systemctl enable tkcontrol-backend
    sudo systemctl start tkcontrol-backend
    
  5. Start tkcontrol-services:

    sudo systemctl enable tkcontrol-services
    sudo systemctl start tkcontrol-services
    
  6. Start nginx:

    sudo systemctl enable nginx
    sudo systemctl start nginx