Server
Our RHSMD is a Python/Flask-based system: very lightweight, and designed to service thousands of systems.
We've used Flask App Builder, Dynaconf, PostgreSQL, Apache/mod_wsgi and more to deliver an enterprise system, with ongoing development and integration with other back-office systems.
Deployment
As with all of our applications, the software itself is packaged as an RPM. We use Chef to deploy all of the applications across the nodes that comprise the system.
Configuration
We use Dynaconf wherever we can, usually with YAML configuration files, which are easily managed via Chef template resources.
---
default:
  AIRFLOW:
    URI: https://airflow.last-bastion.net
    USERNAME:
    PASSWORD:
  # ALEMBIC:
  #   SCRIPT_LOCATION: migrations
  AUTHENTICATION:
    GROUPS:
      # automatically set group per owner
      AUTOMATIC: false
  CERTIFICATES:
    # the certificate authority - needs to agree with the content servers for dnf/sslverify
    AUTHORITY:
      CERT: /etc/pki/tls/certs/bastionca.pem
      KEY: /etc/pki/tls/private/bastionca.key
    # the issuer subject
    ISSUER:
      CERT: /etc/pki/tls/certs/entitlements.pem
      KEY: /etc/pki/tls/private/bastion.keydec
    # the server cert for this rhsmd (non-prod) daemon
    SERVER:
      CERT: /etc/pki/tls/certs/bastion.pem
      KEY: /etc/pki/tls/private/bastion.keydec
    STORE:
      CONSUMER: /var/lib/rhsmd/certificates
      PRODUCT: /var/lib/rhsmd/products
    KEYSIZE: 4096
    # certificates which contain the product info on the consumers
    PRODUCT:
      ORG: Last Bastion Network
      EXPIRATION: 1 year
  DEBUG: false
  # a bunch of flags to turn on/off various subscription-manager features/functionality
  FEATURES:
    # overriding dnf content configuration
    CONTENT_OVERRIDES: true
    # multi-environment
    MULTI_ENV: true
    # upload hypervisor features
    # upload package profiles
    PACKAGES: true
    # support for pools; still figuring out what/how to embed in v3 entitlements
    POOL: true
    # set $releasever in repo content
    RELEASE: true
    # set sslverifystatus in repo content
    SSL_VERIFY_STATUS: false
  FEEDBACK:
    ENABLED: true
    # the role to receive messages
    ROLE: Admin
    SUBJECT_PREFIX: '[RHSMD]'
    RESPONSE: Thank you for your feedback. We will respond shortly.
  # overall log level
  LOGLEVEL: DEBUG
  # flask-mailing for subscription redemption
  MAIL_USERNAME: entitlements@intranet.last-bastion.net
  MAIL_FROM: entitlements@intranet.last-bastion.net
  MAIL_PASSWORD: changeme
  MAIL_SERVER: disco
  MAIL_PORT: 587
  MAILINGLIST:
    USERNAME: admin
    PASSWORD: changeme
    # listmonk API uri
    URI: http://mail:9000/api
    # claimed feedback form
    CONSUMER:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    # claimed feedback form
    OWNER:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    # rhsm redeem an entitlement
    REDEMPTION:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    SUBSCRIPTIONS:
      ENABLED: true
      TITLE: Subscribe to the BastionLinux Mailing List.
      RESPONSE: Thank you for subscribing to the BastionLinux mailing list.
      RESPONSE_PRECONFIRM: Please check your email for our confirmation request.
      LIST_ID: 1
      # preconfirm subscriptions - ie no confirmation email
      PRECONFIRM: false
  # global content (ie repo definition) overrides
  # OVERRIDES:
  #   - name: foo
  #     value: bar
  OVERRIDES: []
  # host/nic for non-prod/local running
  # SERVER_NAME: 0.0.0.0
  # PORT: 5000
  # the current/default distro release version
  RELEASE_VERSION: 1.5.4
  # application secret key; don't change once configured - cos we crypt db stuff
  SECRET_KEY: bla
  # install step-cli and configure this ...
  STEPCA:
    ENABLED: false
    URI: http://stepca:9001
    PASSWORD_FILE: /path/to/password.txt
  # customise urls/endpoints if behind proxies, gateways etc
  URLS:
    # the external url for the base endpoint
    EXTERNAL: https://localhost:5000
    # the web-portal components of RHSMD (no trailing slashes...)
    PORTAL: /
    # subscription_manager client's api endpoint base
    RHSMD: /rhsmd
  # hmmm - actual rhsmv version displayed in theme
  VERSION: 1.5.4
dev:
  CERTIFICATES:
    AUTHORITY:
      CERT: tests/certs/testca.pem
      KEY: tests/certs/testrsa.pem
    STORE:
      CONSUMER: /tmp/certificates
      PRODUCT: /tmp/products
  DEBUG: false
  LOGLEVEL: INFO
  SQLALCHEMY_DATABASE_URI: postgresql://rhsmd:pa55word@airflow-dev/rhsmd
test:
  CERTIFICATES:
    AUTHORITY:
      CERT: tests/certs/testca.pem
      KEY: tests/certs/testrsa.pem
  DEBUG: false
  SQLALCHEMY_DATABASE_URI: 'sqlite:///:memory:'
production:
  DEBUG: false
  # AUTH_TYPE: AUTH_LDAP
  # AUTH_LDAP_GROUP_FIELD: memberOf
  # AUTH_ROLE_MAPPING:
  #   cn=admin,ou=groups,dc=example,dc=com:
  #     - Admin
  # if we should replace ALL the user's roles each login, or only on registration
  # AUTH_ROLES_SYNC_AT_LOGIN = True
  # force users to re-auth after 30min of inactivity (to keep roles in sync)
  # PERMANENT_SESSION_LIFETIME = 1800
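The layered file above ships with placeholder secrets (SECRET_KEY: bla, MAIL_PASSWORD: changeme) and a plain-http listmonk URI that every environment inherits, so a pre-deploy check of the effective settings is worth having. This added example (not RHSMD's or Dynaconf's own code) layers one environment over default the way Dynaconf does when merging is enabled (without it, a nested key such as dev's CERTIFICATES replaces the whole default block), then audits the result; the production layer and the placeholder list are constructed assumptions.

```python
import copy

# Constructed subset of the page's settings.yaml as PyYAML would parse it: the
# 'default' values are the page's own; the 'production' layer is invented.
SETTINGS = {
    "default": {
        "MAIL_PASSWORD": "changeme",
        "MAILINGLIST": {"USERNAME": "admin", "PASSWORD": "changeme",
                        "URI": "http://mail:9000/api"},
        "SECRET_KEY": "bla",
        "URLS": {"EXTERNAL": "https://localhost:5000"},
    },
    "production": {
        "SECRET_KEY": "f3" * 32,
        "MAIL_PASSWORD": "from-vault-not-a-placeholder",
        "MAILINGLIST": {"PASSWORD": "from-vault-not-a-placeholder"},
    },
}
PLACEHOLDERS = {"", "bla", "changeme", "password", "pa55word", "secret"}


def deep_merge(base, override):
    """Return base with override applied recursively: dicts merge, scalars replace."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = value
    return merged


def load_env(settings, env):
    """Layer one environment over 'default', as Dynaconf does with merging enabled."""
    return deep_merge(settings["default"], settings.get(env, {}))


def audit(cfg):
    """Return (key, problem) findings for an effective configuration."""
    findings = []
    secrets = {"SECRET_KEY": cfg.get("SECRET_KEY"),
               "MAIL_PASSWORD": cfg.get("MAIL_PASSWORD"),
               "MAILINGLIST.PASSWORD": cfg.get("MAILINGLIST", {}).get("PASSWORD")}
    for key, value in secrets.items():
        if value is None or str(value).lower() in PLACEHOLDERS:
            findings.append((key, "placeholder or missing secret"))
    # the listmonk credentials are sent to MAILINGLIST.URI, so it must be https
    endpoints = {"MAILINGLIST.URI": cfg.get("MAILINGLIST", {}).get("URI"),
                 "URLS.EXTERNAL": cfg.get("URLS", {}).get("EXTERNAL")}
    for key, uri in endpoints.items():
        if not str(uri).startswith("https://"):
            findings.append((key, "not served over https"))
    return findings
```

Running audit on the production layer still reports MAILINGLIST.URI, because the http URI is inherited from default and never overridden.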
Documentation
We use Sphinx as our documentation tool, and it's integrated into our software development and delivery processes.
Getting It
The application is available on BastionLinux at lbn-rhsmd. We would welcome enquiries.