[secaudit-blocking] No installation documentation

[puiterwijk]

Part of secaudit #316, blocking.

The Installation documentation is absent, and doesn't contain any useful information in how to set up a production-grade setup of noggin.

[ryanlerch]

@puiterwijk we will get working on this ASAP.

Note too, (while not documentation, i know), there is the vagrant setup that sets up a freeipa server, installs the freeipa-fas plugin to freeipa, then installs noggin.

Note too there is an in-review PR here (https://github.com/fedora-infra/noggin/pull/326) that makes the noggin flask app behave a little better.

[puiterwijk]

@ryanlerch Right. But note that if you decide the Vagrant setup is the official way of deploying, I'll have many complaints about insecure deployment practices 😀. That's why I want to see how you tell people to actually deploy it.

[nphilipp]

@puiterwijk I don't think we'll document using Vagrant to deploy in production, with or without your comment :wink:. Off the top of your head, are there any other gotchas? If we can avoid embarrassing ourselves upfront, I'm all for it.

[puiterwijk]

Some of the things you really want to point out:

• Don't use flask run, but instead use a serious HTTP server, and explain how to do so (apache/nginx with possible gunicorn behind it)
• Do not use the global admin user: instead, I'd strongly recommend a separate noggin user for auditing/permission purposes (as part of the docs would then be "What are the minimum required permissions to grant")
• Make very sure to change SECRET and FERNET_SECRET (#334)

And other things like those

[Conan-Kudo]

@nphilipp @puiterwijk Probably a good starting point for installation documentation would be the haphazard one I wrote for getting the system up and running for openSUSE infrastructure on COPR: https://copr.fedorainfracloud.org/coprs/ngompa/fedora-aaa/

[Cliftonz]

Any updates on this?

[abompard]

Yeah there is still no proper installation documentation, sadly. But all the steps and files we use in our Openshift deployment are publicly accessible (playbook, template). I know it's not ideal but it's there.

Noggin is deployed in Openshift using the python s2i container, which runs gunicorn. It connects to IPA with a specific user that only has the necessary permissions (setup by this playbook). The SECRET and FERNET_SECRET variables are long randomly generated strings (that are, obviously, not public).

[Conan-Kudo]

We'll probably have classical setup information available soon too, it just takes some time to run through a setup and make it a thing.

[Cliftonz]

That's understandable. I do want to ask what is the recommended setup for this. For example, if I have 4 IPA servers internally do I want to install it on each of them? Just of the IPA servers? etc

[abompard]

If it's an IPA cluster, then you only need one instance of Noggin.

[Cliftonz]

This issue has been sitting out for over a year. Is there any way someone could upload a rudimentary list of steps to install this product?

We do not use Openshift and want to install this manually for our ipa cluster.

[Conan-Kudo]

I guess I could write up a guide for installing it the traditional way with the RPMs I made of this. The main reason I haven't done it yet is that I need to finish the work to update it to the latest stable version in Fedora.

[Cliftonz]

@Conan-Kudo That would much be appreciated. I do think you should include how to install it with the playbooks and templates too. Do you have an estimate on how long this may take?

[Conan-Kudo]

As I don't use Ansible much, I'm not sure I could help there, but at least I can document the manual setup process and someone can contribute Ansible stuff. As for an estimate, my priorities at the moment do not leave me a lot of time for this right now, but I'm hoping to come back to this in mid-December.

[Cliftonz]

Mid-December would be great. In terms of the Ansible installation, I would say just leave a Todo in the documentation.

[Cliftonz]

@Conan-Kudo Any updates?

[Conan-Kudo]

Life happened the past few months, but I'm coming back to this.

[Cliftonz]

@Conan-Kudo Did life get in the way again?

[Conan-Kudo]

@Cliftonz actually, in the process of testing it, I discovered that the deployment was broken and I'm trying to figure out why... 😕

[Cliftonz]

Awesome!

[Conan-Kudo]

I've made some progress on this, I'm having @jonathanspw test out my draft before submitting it upstream.

[Cliftonz]

@Conan-Kudo updates?

[Cliftonz]

@abompard @Conan-Kudo I think this be closed now, correct?