
Sitch demo environment

Makes things a little bit easier

Join the chat at https://gitter.im/sitch-io/demo

This docker-compose configuration will make setting up a test environment for SITCH a little easier.

Important Note

If you've already set up the SITCH demo environment and only want the updated app components for the ELK stack, use the release tagged v0.9 from this repo: it updates the ELK stack and leaves InfluxDB alone. Updating InfluxDB as well requires changing the back-end ports in the sitch-io/web component, so if you're not looking to update InfluxDB, stay with v0.9.

Here's the process for setting up the service side of SITCH:

Pre-requisites

  • A Resin.io account
  • A Slack account (alerts are posted to a Slack channel)
  • One provisioned instance (CoreOS or Ubuntu 16.04 preferred)
    • At least 20GB of storage mounted at /opt
    • 4GB RAM
  • Public DNS-resolving hostname assigned to the instance

Doing the thing

  1. SSH into the instance and set up your certificates. The certbot container answers the Let's Encrypt challenge itself, so ports 80 and 443 must be reachable from the internet for the duration of this step. Fill in SERVER_DNS_NAME_HERE with your server's DNS name:

     docker run -it --rm \
     -p 443:443 -p 80:80 \
     --name certbot \
     -v "/etc/letsencrypt:/etc/letsencrypt" \
     -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
     quay.io/letsencrypt/letsencrypt:latest \
     certonly --standalone -d SERVER_DNS_NAME_HERE
    
  2. Start Vault (replace SERVER_DNS_NAME_HERE as in the prior step). Nothing in this command maps Vault's file backend (/vault/file) to a host path, so if you ever remove and recreate the container (a second docker run with the same --name fails with a name conflict until you docker rm sitch_vault) the new container starts out uninitialised; mount a host directory such as /opt/vault at /vault/file if you want the data to survive that:

     docker run -d  \
     --cap-add=IPC_LOCK \
     -p 8200:8200  \
     -v /etc/letsencrypt/:/etc/letsencrypt/ \
     -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_cert_file": "/etc/letsencrypt/live/SERVER_DNS_NAME_HERE/fullchain.pem","tls_key_file":"/etc/letsencrypt/live/SERVER_DNS_NAME_HERE/privkey.pem"}},"default_lease_ttl": "7200h", "max_lease_ttl": "7200h"}' \
     --name sitch_vault \
     vault:v0.6.0 server
    
  3. Initialise and unseal the vault. (The --tls-skip-verify flag is needed because the CLI inside the container connects to https://127.0.0.1:8200 by default, which does not match the DNS name on your certificate; it does not weaken the listener itself.)

    1. docker exec sitch_vault vault init --tls-skip-verify
    2. You'll notice that it returns five unseal keys and an initial root token. Any three of the keys are needed to unseal the Vault, and the root token is needed in the next step. Record all of them in a password manager!
    3. Run this: docker exec -it sitch_vault vault unseal --tls-skip-verify and you'll be prompted to enter a key. Use one of the keys from the prior step. Do this three times total, with a different key each time, and the vault will unseal.
  4. Generate the Logstash certificates. Four variables go into this command:
    • VAULT_URL is https://YOUR_SERVER_NAME:8200.
    • VAULT_TOKEN is the root token printed by vault init, just before you went through the process of unsealing the vault.
    • LS_CLIENTNAME is just a valid hostname; it does not need to resolve.
    • LS_SERVERNAME is the same name you used in generating your certs with the certbot docker container, above.
    The seeder reaches Vault through the public name, so 8200/TCP must be open to wherever you run it (here, the instance itself):

     docker run -it \
     -e VAULT_URL=$VAULT_URL \
     -e VAULT_TOKEN=$VAULT_TOKEN \
     -e LS_CLIENTNAME=$LS_CLIENTNAME \
     -e LS_SERVERNAME=$LS_SERVERNAME \
     docker.io/sitch/self_signed_seeder
    
  5. Clone this repo to the instance and descend into the root directory of the repository (git names the directory after the repo, so it is demo, not sitch-demo): git clone https://github.com/sitch-io/demo &&
    cd demo

  6. Use your favorite editor (which is vi, right?? :trollface:) to complete the environment variables in the .env file. Retain the information in the file securely (password manager, etc) and delete it when you're done. Note that docker-compose re-reads .env on every run, so you will need to restore it before any later docker-compose up.

  7. Use docker-compose to complete the setup of your environment: docker-compose up
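Steps 2 to 4 are easy to get wrong interactively (entering the same unseal key three times, or losing the root token in scrollback). The script below is an added example, not part of the sitch-io/demo repository, that drives vault init and the threshold unseal from a shell on the instance. It assumes the output format of vault init in the 0.6.0 image (lines of the form `Unseal Key N: <key>` and `Initial Root Token: <token>`) and that vault unseal accepts the key as a positional argument; the container name and the 3-of-5 threshold are the page's own.

```shell
#!/bin/sh
# Added example (not part of sitch-io/demo): non-interactive init + threshold
# unseal for the sitch_vault container from step 2.
# Assumptions not stated on the page:
#   - `vault init` (0.6.0 image) prints "Unseal Key N: <key>" and
#     "Initial Root Token: <token>" lines
#   - `vault unseal` accepts the key as a positional argument
# VAULT_EXEC is how the vault CLI is reached; override for another container name.
: "${VAULT_EXEC:=docker exec -i sitch_vault vault}"
KEY_THRESHOLD=3             # vault init's default: 3 of 5 keys
KEY_DIR=${KEY_DIR:-/root}   # where init output lands (root-only, see umask below)

# parse_unseal_keys: `vault init` output on stdin -> one unseal key per line
parse_unseal_keys() {
    awk '/^Unseal Key [0-9]+:/ { print $4 }'
}

# parse_root_token: `vault init` output on stdin -> the initial root token
parse_root_token() {
    awk '/^Initial Root Token:/ { print $4 }'
}

# unseal_with_threshold KEYFILE: submit KEY_THRESHOLD *distinct* keys from
# KEYFILE, one `vault unseal` call each. Prints the number submitted; fails if
# the file holds too few distinct keys (the same key three times never unseals).
unseal_with_threshold() {
    keyfile=$1
    used=0
    for key in $(sort -u "$keyfile" | head -n "$KEY_THRESHOLD"); do
        $VAULT_EXEC unseal --tls-skip-verify "$key" >/dev/null || return 1
        used=$((used + 1))
    done
    if [ "$used" -ne "$KEY_THRESHOLD" ]; then
        echo "need $KEY_THRESHOLD distinct keys, found $used in $keyfile" >&2
        return 1
    fi
    echo "$used"
}

# init_and_unseal: the whole of step 3. Init output goes to a root-only file
# rather than the terminal; copy keys and token to a password manager, then shred.
init_and_unseal() {
    umask 077
    init_out="$KEY_DIR/sitch_vault_init.txt"
    keys="$KEY_DIR/sitch_unseal_keys.txt"
    $VAULT_EXEC init --tls-skip-verify > "$init_out" || return 1
    parse_unseal_keys < "$init_out" > "$keys"
    unseal_with_threshold "$keys" > /dev/null || return 1
    echo "vault unsealed; VAULT_TOKEN for step 4: $(parse_root_token < "$init_out")"
}

if [ "${1:-}" = "run" ]; then
    init_and_unseal
fi
```

Run it on the instance as `sh unseal.sh run` after step 2; the printed root token is the VAULT_TOKEN for step 4. Shred the two files under /root once the keys and token are in your password manager.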

Wrapping up

If you've not been opening ports as you go along, let's have a look at your firewall to ascertain that you've only got the necessary ports open, and only to the IPs where they're needed. Specifically, we're talking about outside access to the CoreOS instance. If you're awesome, you'll implement this in CoreOS as well as at your IaaS provider (security groups or the equivalent), so that a mistake in one layer is caught by the other.
Look at the table below for guidance.

Port/Protocol   Purpose
80/TCP          Only necessary while using certbot to obtain certs.
443/TCP         Certbot only. We used to serve the feed on this port, but the feed is in Github now.
1000/TCP        HTTPS access to Chronograf. Only needed for admins.
5001/TCP        Logstash port. Needs to be open to each sensor.
8200/TCP        Vault. Needed for step 4 above (the seeder) and for anything else that fetches credentials from Vault; restrict it to those sources.
8443/TCP        HTTPS access to Kibana. Only needed for admins.
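For the host-side half of that, here is an added example, not from the sitch-io/demo repository, that turns the table into iptables rules. One thing the table does not say: the SITCH services are Docker-published ports, and Docker delivers those through a nat-table DNAT and the FORWARD chain, so ACCEPT/DROP rules in INPUT never see them. Since Docker 17.06 the supported place to filter them is the DOCKER-USER chain, which this script assumes; SSH is a host service and is filtered in INPUT as usual. The external interface name and the admin and sensor address ranges are placeholders to replace.

```shell
#!/bin/sh
# Added example, not part of sitch-io/demo: emit iptables rules implementing the
# port table above on the service host.
# Docker-published ports traverse FORWARD (after DNAT), not INPUT, so they are
# filtered in DOCKER-USER (Docker >= 17.06, assumed). Host services use INPUT.
# Placeholders (not from the page): EXT_IF, ADMIN_CIDRS, SENSOR_CIDRS.
: "${EXT_IF:=eth0}"
: "${ADMIN_CIDRS:=203.0.113.10/32}"     # TEST-NET-3 placeholder: admin/VPN addresses
: "${SENSOR_CIDRS:=198.51.100.0/24}"    # TEST-NET-2 placeholder: sensor egress addresses
: "${LE_ENABLED:=0}"                    # 1 only while certbot is running (80/443)

# allow_published "CIDR list" PORT: let listed sources reach a Docker-published
# port. --ctorigdstport matches the port as the client sent it, before DNAT.
allow_published() {
    for src in $1; do
        echo "-A DOCKER-USER -i $EXT_IF -s $src -p tcp -m conntrack --ctorigdstport $2 --ctdir ORIGINAL -j RETURN"
    done
}

# allow_host "CIDR list" PORT: the same for a service on the host itself.
allow_host() {
    for src in $1; do
        echo "-A INPUT -i $EXT_IF -s $src -p tcp --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# sitch_rules: print the complete rule list, one `iptables -A` argument string per line.
sitch_rules() {
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    allow_host "$ADMIN_CIDRS" 22
    echo "-A INPUT -i $EXT_IF -j DROP"          # host services: default deny

    echo "-A DOCKER-USER -i $EXT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    allow_published "$ADMIN_CIDRS" 1000         # Chronograf, admins only
    allow_published "$ADMIN_CIDRS" 8443         # Kibana, admins only
    allow_published "$SENSOR_CIDRS" 5001        # Logstash, each sensor
    allow_published "$SENSOR_CIDRS" 8200        # Vault, whoever fetches credentials from it
    if [ "$LE_ENABLED" = 1 ]; then
        # Let's Encrypt validators can come from anywhere, so 80/443 are world-open only while certbot runs
        allow_published "0.0.0.0/0" 80
        allow_published "0.0.0.0/0" 443
    fi
    echo "-A DOCKER-USER -i $EXT_IF -j DROP"    # anything else Docker publishes: default deny
    echo "-A DOCKER-USER -j RETURN"             # container-originated traffic falls through to Docker's own rules
}

# apply_rules: load the rules; flushing the two chains first makes re-runs idempotent.
apply_rules() {
    iptables -F DOCKER-USER
    iptables -F INPUT
    sitch_rules | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        iptables $rule
    done
}

# open_ports: distinct TCP ports the ruleset admits, a sanity check before apply_rules
open_ports() {
    sitch_rules | grep -oE -- '--(ctorigdstport|dport) [0-9]+' | awk '{print $2}' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}
```

Check the result of open_ports against the table before calling apply_rules, and keep the IaaS-level rules in place as well; the one thing this script does not cover is the time window when certbot runs, for which LE_ENABLED=1 must be set and then reverted.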

Once events are flowing in, you'll need to tell Elasticsearch how to parse SITCH geolocation info. Open the Dev Tools console in Kibana (the Elasticsearch query console) and run this request. Note that an index template only shapes indices created after it is stored: any logstash-* index that already existed when events started flowing keeps its old mapping, so delete or reindex it, or wait for the next daily index, before building geo visualisations:

PUT _template/logstash
{
  "template": "logstash-*",
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "string_fields": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "text"
            }
          }
        }
      ],
      "properties": {
        "gps_location": {
          "type": "geo_point"
        }
      }
    }
  }
}
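To apply that template without the browser, and to catch the stale-index case just described, here is an added example in shell (not from the sitch-io/demo repository). It assumes Elasticsearch answers on http://127.0.0.1:9200 from the service host (the compose file may publish it elsewhere; set ES_URL accordingly) and that the template above has been saved to a file.

```shell
#!/bin/sh
# Added example, not part of sitch-io/demo: store the logstash index template
# over HTTP and verify that gps_location really is mapped as geo_point.
# Assumptions (not on the page): Elasticsearch at $ES_URL, and the template JSON
# from the README saved to $TEMPLATE_FILE.
: "${ES_URL:=http://127.0.0.1:9200}"
: "${TEMPLATE_FILE:=./logstash-template.json}"

# put_template: the same request as PUT _template/logstash in the console
put_template() {
    curl -sS -f -X PUT "$ES_URL/_template/logstash" \
        -H 'Content-Type: application/json' \
        --data-binary "@$TEMPLATE_FILE"
}

# has_geo_point: read a _mapping response on stdin; succeed only if gps_location
# is a geo_point. Whitespace is stripped first so ?pretty and compact output both match.
has_geo_point() {
    tr -d ' \n\t' | grep -qF '"gps_location":{"type":"geo_point"}'
}

# latest_index: newest logstash-* index by name (daily indices sort chronologically)
latest_index() {
    curl -sS -f "$ES_URL/_cat/indices/logstash-*?h=index" | sort | tail -n 1
}

# check_index INDEX: a template only shapes indices created after it was stored.
# An index that already existed when events started flowing keeps its original
# mapping for gps_location (a string field); that is the case this catches.
check_index() {
    if curl -sS -f "$ES_URL/$1/_mapping" | has_geo_point; then
        echo "$1: gps_location is geo_point"
    else
        echo "$1: gps_location is NOT geo_point; delete/reindex it or wait for the next daily index" >&2
        return 1
    fi
}

# Typical use on the service host:  put_template && check_index "$(latest_index)"
```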

What's next??

Access control! Make sure that 1000 and 8443 are only accessible to the right people by implementing OpenVPN and IP address restrictions, or some other method. There are no authentication mechanisms implemented in the browser-accessible part of the application, yet.

Finally: Set up your sensors (https://github.com/sitch-io/sensor) and watch your Slack channel for alerts. Bonus points for creating a nice dashboard in Kibana and/or Chronograf.

Contributors

ashmastaflash, eenblam, gitter-badger


Issues

Problem Starting Vault.

COMMAND RUN

    docker run -d \
    --cap-add=IPC_LOCK \
    -p 8200:8200 \
    -v /etc/letsencrypt/:/etc/letsencrypt/ \
    -e 'VAULT_LOCAL_CONFIG={"backend": {"file": {"path": "/vault/file"}},"listener":{"tcp":{"address":"0.0.0.0:8200","tls_cert_file": "/etc/letsencrypt/live/SERVER_DNS_NAME_HERE/fullchain.pem","tls_key_file":"/etc/letsencrypt/live/SERVER_DNS_NAME_HERE/privkey.pem"}},"default_lease_ttl": "7200h", "max_lease_ttl": "7200h"}' \
    --name sitch_vault \
    vault:v0.6.0 server

I have put my server DNS name in the command

ERROR
docker: Error response from daemon: Conflict. The container name "/sitch_vault" is already in use by container "a13662498a1ac251c3cd1d6c2af669b27c7aacad79b9b6089e9b044b89797719". You have to remove (or rename) that container to be able to reuse that name.
See 'docker run --help'.
