Server
Our RHSMD is a Python/Flask-based system: lightweight, and designed to service thousands of systems.
We've used Flask App Builder, Dynaconf, PostgreSQL, Apache/mod_wsgi and more to deliver an enterprise system, together with ongoing development of integrations with other back-office systems.
Deployment
As with all of our applications, the software itself is packaged as an RPM. We use Chef to deploy all of the applications across the nodes that comprise the system.
Configuration
We use Dynaconf wherever we can, usually with YAML configuration files, which are easily managed via Chef template resources. The file below is layered: the default section applies everywhere, and the dev, test and production sections override it for that environment.
---
default:
  AIRFLOW:
    URI: https://airflow.last-bastion.net
    USERNAME:
    PASSWORD:
  # ALEMBIC:
  #   SCRIPT_LOCATION: migrations
  AUTHENTICATION:
    GROUPS:
      # automatically set group per owner
      AUTOMATIC: true
  CERTIFICATES:
    # the certificate authority - needs to agree with the content servers for dnf/sslverify
    AUTHORITY:
      CERT: /etc/pki/tls/certs/bastionca.pem
      KEY: /etc/pki/tls/private/bastionca.key
    # the issuer subject
    ISSUER:
      CERT: /etc/pki/tls/certs/entitlements.pem
      KEY: /etc/pki/tls/private/bastion.keydec
    # the server cert for this rhsmd (non-prod) daemon
    SERVER:
      CERT: /etc/pki/tls/certs/bastion.pem
      KEY: /etc/pki/tls/private/bastion.keydec
    STORE:
      CONSUMER: /var/lib/rhsmd/certificates
      PRODUCT: /var/lib/rhsmd/products
    KEYSIZE: 4096
    # certificates which contain the product info on the consumers
    PRODUCT:
      ORG: Last Bastion Network
      EXPIRATION: 1 year
  # company details - for mailing list templates et al
  COMPANY:
    NAME: Last Bastion Network
    HOME: http://au.last-bastion.net
    ADDRESS: 407 The Foundry, 181 Lawson Street, Darlington, Sydney, Australia, 2008
    COPYRIGHT:
      START: 2023
  DEBUG: false
  FEATURES:
    # overriding dnf content configuration
    CONTENT_OVERRIDES: true
    # multi-environment
    MULTI_ENV: true
    # upload hypervisor features
    HYPERVISORS: true
    # upload package profiles
    PACKAGES: true
    # support for pools; still figuring out what/how to embed in v3 entitlements
    POOL: true
    # set $releasever in repo content
    RELEASE: true
    # set sslverifystatus in repo content
    SSL_VERIFY_STATUS: false
  # overall log level
  FEEDBACK:
    ENABLED: true
    # the role to receive messages
    ROLE: Admin
    SUBJECT_PREFIX: '[RHSMD]'
    RESPONSE: Thank you for your feedback. We will respond shortly.
  LOGLEVEL: DEBUG
  # flask-mailing for subscription redemption
  MAIL_USERNAME: entitlements@intranet.last-bastion.net
  MAIL_FROM: entitlements@intranet.last-bastion.net
  MAIL_PASSWORD: changeme
  MAIL_SERVER: disco
  MAIL_PORT: 587
  MAILINGLIST:
    USERNAME: admin
    # api token for user
    TOKEN: changeme
    # listmonk API uri
    URI: http://mail:9000/api
    # claimed feedback form
    CONSUMER:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    # claimed feedback form
    OWNER:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    # rhsm redeem an entitlement
    REDEMPTION:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    SUBSCRIPTIONS:
      ENABLED: true
      TITLE: Subscribe to the BastionLinux Mailing List.
      RESPONSE: Thank you for subscribing to the BastionLinux mailing list.
      RESPONSE_PRECONFIRM: Please check your email for our confirmation request.
      LIST_ID: 1
      # preconfirm subscriptions - ie no confirmation email
      PRECONFIRM: false
  # global content (ie repo definition) overrides
  # OVERRIDES:
  #   - name: foo
  #     value: bar
  OVERRIDES: []
  # host/nic for non-prod/local running
  # SERVER_NAME: 0.0.0.0
  # PORT: 5000
  # https://developers.google.com/recaptcha/docs/display or cloudflare/turnstile
  RECAPTCHA_PUBLIC_KEY:
  RECAPTCHA_PRIVATE_KEY:
  # the current/default distro release version
  RELEASE_VERSION: 1.6.8
  # application secret key; don't change once configured - cos we crypt db stuff
  SECRET_KEY: bla
  # install step-cli and configure this ...
  STEPCA:
    ENABLED: false
    URI: http://stepca:9001
    PASSWORD_FILE: /path/to/password.txt
  SUPPORT:
    ENABLED: false
    RESPONSE: Thank you for your request. Someone will reach out shortly.
  TAIGA:
    USERNAME: admin
    PASSWORD: changeme
    URI: https://taiga.last-bastion.net
    PROJECTS:
      SUPPORT:
        NAME: support
        ROLES:
          - submitter
        # mappings for issue_types - need the taiga issue type id (integer)
        # $ aiga projects get support
        TYPES:
          # question: 2
          # fix: 10
  # customise urls/endpoints if behind proxies, gateways etc
  URLS:
    # any docs
    DOCS: https://docs.last-bastion.net/bastionlinux.html
    # the external url for the base endpoint
    EXTERNAL: https://localhost:5000
    # the web-portal components of RHSMD (no trailing slashes...)
    GRAFANA: https://grafana.last-bastion.net/
    LOGO: http://intranet.last-bastion.net/_static/img/bastion-logo-invert.svg
    PORTAL: /
    REPO: http://linux.last-bastion.net/LBN/up2date
    # subscription_manager client's api endpoint base
    RHSMD: /rhsmd
    # legal terms and conditions
    TERMS: https://docs.last-bastion.net/legal/index.html
  # hmmm - actual rhsmd version displayed in theme
  VERSION: 1.6.8
dev:
  CERTIFICATES:
    AUTHORITY:
      CERT: tests/certs/testca.pem
      KEY: tests/certs/testrsa.pem
    STORE:
      CONSUMER: /tmp/certificates
      PRODUCT: /tmp/products
  DEBUG: false
  LOGLEVEL: INFO
  SQLALCHEMY_DATABASE_URI: postgresql://rhsmd:pa55word@airflow-dev/rhsmd
  SUPPORT:
    ENABLED: true
test:
  AUTH_RATE_LIMITED: false
  CERTIFICATES:
    AUTHORITY:
      CERT: tests/certs/testca.pem
      KEY: tests/certs/testrsa.pem
  DEBUG: false
  RATE_LIMITED: false
  SQLALCHEMY_DATABASE_URI: 'sqlite:///:memory:'
  # SQLALCHEMY_DATABASE_URI: 'postgresql://localhost:26257?sslmode=require&user=root&sslcert=/etc/cockroachdb/certs/client.root.crt&sslkey=/etc/cockroachdb/certs/client.root.key'
production:
  DEBUG: false
  # AUTH_TYPE: AUTH_LDAP
  # AUTH_LDAP_GROUP_FIELD: memberOf
  # AUTH_ROLE_MAPPING:
  #   cn=admin,ou=groups,dc=example,dc=com:
  #     - Admin
  # if we should replace ALL the user's roles each login, or only on registration
  # AUTH_ROLES_SYNC_AT_LOGIN = True
  # force users to re-auth after 30min of inactivity (to keep roles in sync)
  # PERMANENT_SESSION_LIFETIME = 1800
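The sample file above ships with placeholder credentials (MAIL_PASSWORD and TOKEN set to changeme, SECRET_KEY set to bla, empty AIRFLOW credentials) that a Chef template is expected to replace. As an added example, not part of the RHSMD project, the stdlib-only check below mirrors the default-plus-environment layering and flags credential-like settings that are still empty or at a known placeholder value; the embedded settings tree is a constructed subset of the file, the production SECRET_KEY value is a constructed stand-in for a deploy-time secret, and recursive merging of nested sections is an assumption (Dynaconf's own nested-merge behaviour depends on its merge settings).

```python
import re
from copy import deepcopy

# Constructed subset of the settings file above: "default" plus per-environment overrides.
SETTINGS = {
    "default": {
        "DEBUG": False,
        "SECRET_KEY": "bla",
        "MAIL_PASSWORD": "changeme",
        "AIRFLOW": {"URI": "https://airflow.last-bastion.net", "PASSWORD": None},
        "MAILINGLIST": {"USERNAME": "admin", "TOKEN": "changeme"},
        "TAIGA": {"USERNAME": "admin", "PASSWORD": "changeme"},
        "CERTIFICATES": {"AUTHORITY": {"CERT": "/etc/pki/tls/certs/bastionca.pem"}},
    },
    "production": {
        # constructed: stands in for a value a Chef template injects at deploy time
        "SECRET_KEY": "CHEF_INJECTED_SECRET",
        "CERTIFICATES": {"AUTHORITY": {"KEY": "/etc/pki/tls/private/bastionca.key"}},
    },
}

PLACEHOLDERS = {"", "bla", "changeme", "password", "pa55word", "secret"}  # never deployable
CREDENTIAL_KEY = re.compile(r"(PASSWORD|SECRET_KEY|TOKEN)$", re.I)  # PASSWORD_FILE is a path

def merge(base, override):
    """Layer `override` on `base`; nested sections merge recursively (an assumption)."""
    merged = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge(merged[key], value)
        else:
            merged[key] = value
    return merged

def resolve(settings, env):
    """Effective settings for `env`: the default layer with the env layer on top."""
    return merge(settings["default"], settings.get(env, {}))

def weak_credentials(tree, path=""):
    """Dotted paths of credential keys left empty or at a known placeholder value."""
    hits = []
    for key, value in tree.items():
        dotted = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            hits.extend(weak_credentials(value, dotted))
        elif CREDENTIAL_KEY.search(key) and (
            value is None or str(value).strip().lower() in PLACEHOLDERS):
            hits.append(dotted)
    return sorted(hits)
```

Run weak_credentials(resolve(SETTINGS, env)) for the environment about to be deployed and fail the Chef run if the list is non-empty.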
Documentation
We use Sphinx as our documentation tool, and it is integrated into our software development and delivery processes.
Getting It
The application is available on BastionLinux at lbn-rhsmd. We would welcome enquiries.