CC-Agency: Installation

The following instructions have been tested on Ubuntu 18.04 with Python 3.6. Instructions for other Linux distributions should be similar.

System Packages

As admin user.

sudo apt-get update
sudo apt-get install python3-pip python3-venv uwsgi uwsgi-plugin-python3
sudo apt-get install apache2 libapache2-mod-proxy-uwsgi

MongoDB

As admin user.

Install MongoDB 4.0. Instructions can be found in the MongoDB documentation.

After the installation of the required system packages, enable and start the service.

sudo systemctl enable mongod
sudo systemctl start mongod

System User

As admin user.

Create a new system user called cc. CC-Agency will run under the privileges of this user.

sudo useradd -ms /bin/bash cc

UWSGI Configuration

As admin user.

sudo mkdir -p /opt/ccagency/privileged /opt/ccagency/unprivileged
sudo chown www-data:www-data /opt/ccagency/unprivileged

Create /opt/ccagency/privileged/ccagency-trustee.ini for uwsgi. The wsgi-file path may vary for your version of Python 3.

[uwsgi]
plugins = python3
http-socket = 127.0.0.1:6001
wsgi-file = /home/cc/ccagency-venv/lib/python3.5/site-packages/cc_agency/trustee/app.py
uid = cc
gid = cc
processes = 1
threads = 1

if-env = VIRTUAL_ENV
virtualenv = %(_)
endif =

Create /opt/ccagency/privileged/ccagency-broker.ini for uwsgi. The wsgi-file path may vary for your version of Python 3.

[uwsgi]
plugins = python3
chown-socket = www-data:www-data
socket = /opt/ccagency/unprivileged/ccagency-broker.sock
wsgi-file = /home/cc/ccagency-venv/lib/python3.5/site-packages/cc_agency/broker/app.py
uid = cc
gid = cc
processes = 4
threads = 4
lazy-apps = True

if-env = VIRTUAL_ENV
virtualenv = %(_)
endif =

Python Packages

As cc user.

Install Python packages for user cc.

python3 -m venv ~/ccagency-venv
. ~/ccagency-venv/bin/activate
pip install wheel
pip install --upgrade cc-agency==9.*

Run CLI tool.

ccagency --help

CC-Agency Configuration

As cc user.

Create configuration file ~/.config/cc-agency.yml. Copy the following content, but choose new strong values for mongo.password and trustee.password.

broker:
  auth:
    num_login_attempts: 3
    block_for_seconds: 30
    tokens_valid_for_seconds: 86400  # 24 h

controller:
  bind_socket_path: "~/.cache/cc-agency-controller.sock"
  docker:
    allow_insecure_capabilities: false
    nodes: {}

trustee:
  internal_url: "http://127.0.0.1:6001"
  username: "cctrustee"
  password: "SECRET"

mongo:
  db: "ccagency"
  username: "ccadmin"
  password: "SECRET"

Set allow_insecure_capabilities: true, if you want to allow the usage of FUSE file-system mounts for certain directory connectors (e.g. red-connector-ssh mount-dir) in your Docker cluster.

Change the file permissions to be restrictive. This will prevent system users other than cc to access your confidential configuration.

chmod 600 ~/.config/cc-agency.yml

MongoDB User

As cc user.

Use the ccagency CLI tool, to create a new MongoDB user as specified in the cc-agency.yml configuration file.

Reminder: If the virtual environment is not yet activated, run . ~/ccagency-venv/bin/activate before executing the ccagency CLI tool.

ccagency create-db-user

Broker User

As cc user.

Run the interactive ccagency CLI tool, to create at least one CC-Agency Broker user. Users created with this script can authenticate with the Broker REST API.

ccagency create-broker-user

Additional users can be added at all times.

Systemd Units

As admin user.

Trustee Service

Create Systemd unit file /etc/systemd/system/ccagency-trustee.service for CC-Agency Trustee.

Description=CC-Agency Trustee
Documentation=https://www.curious-containers.cc/

[Service]
Type=simple
ExecStart=/usr/bin/uwsgi /opt/ccagency/privileged/ccagency-trustee.ini
Restart=no
Environment=VIRTUAL_ENV=/home/cc/ccagency-venv

[Install]
WantedBy=multi-user.target

Enable and start ccagency-trustee service.

sudo systemctl enable ccagency-trustee
sudo systemctl start ccagency-trustee

Controller Service

Create Systemd unit file /etc/systemd/system/ccagency-controller.service for CC-Agency Controller.

[Unit]
Description=CC-Agency Controller
Documentation=https://www.curious-containers.cc/
Requires=mongod.service ccagency-trustee.service
After=mongod.service ccagency-trustee.service

[Service]
Type=simple
User=cc
Group=cc
ExecStart=/home/cc/ccagency-venv/bin/ccagency-controller
Restart=no
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target

Enable and start ccagency-controller service.

sudo systemctl enable ccagency-controller
sudo systemctl start ccagency-controller

Broker Service

Create Systemd unit file /etc/systemd/system/ccagency-broker.service for CC-Agency Broker.

[Unit]
Description=CC-Agency Broker
Documentation=https://www.curious-containers.cc/
Requires=ccagency-controller.service ccagency-trustee.service mongod.service apache2.service
After=ccagency-controller.service ccagency-trustee.service mongod.service apache2.service

[Service]
Type=simple
ExecStart=/usr/bin/uwsgi /opt/ccagency/privileged/ccagency-broker.ini
Restart=no
Environment=VIRTUAL_ENV=/home/cc/ccagency-venv

[Install]
WantedBy=multi-user.target

Enable and start ccagency-broker service.

sudo systemctl enable ccagency-broker
sudo systemctl start ccagency-broker

Create apache2 site /etc/apache2/sites-available/ccagency-broker.conf. Change SSLCertificateFile and SSLCertificateKeyFile paths or switch to an unencrypted configuration, which is not recommended. The server name should match the domain of your server. The Broker will be available as https://example.com/cc.

Listen 443

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /opt/ssl/cert.pem
    SSLCertificateKeyFile /opt/ssl.key.pem

    ProxyRequests Off
    ProxyPass /cc unix:/opt/ccagency/unprivileged/ccagency-broker.sock|uwsgi://ccagency-broker/
</VirtualHost>

Enable Apache2 mods and site.

sudo a2enmod ssl
sudo a2enmod proxy_uwsgi

sudo a2ensite ccagency-broker

sudo systemctl restart apache2

Docker Cluster

As cc user.

Edit ~/.config/cc-agency.yml and add the individual docker-machines in the controller.docker.nodes dictionary. If you are connecting to remote machines, the docker-engines must listen on a TCP port (see Docker documentation). Using TLS is optional, but recommended. If you are not using TLS, remove the corresponding tls sections from the config.

controller:
  docker:
    nodes:
      node1:
        base_url: "tcp://192.168.0.100:2376"
        tls:
          verify: "/home/cc/.docker/machine/machines/node1/ca.pem"
          client_cert:
            - "/home/cc/.docker/machine/machines/node1/cert.pem"
            - "/home/cc/.docker/machine/machines/node1/key.pem"
          assert_hostname: False
      node2:
        base_url: "tcp://192.168.0.101:2375"
      node3:
        base_url: "unix://var/run/docker.sock"

As admin user.

Restart CC-Agency Controller:

sudo systemctl restart ccagency-controller

Status and Logging

As admin user.

Use the following commands to inspect the status and log files of the configured software components.

# MongoDB
sudo systemctl status mongod
sudo journalctl -u mongod

# Apache2
sudo systemctl status apache2
sudo journalctl -u apache2
sudo less /var/log/apache2/error.log
sudo less /var/log/apache2/access.log

# CC-Agency Controller
sudo systemctl status ccagency-controller
sudo journalctl -u ccagency-controller

# CC-Agency Trustee
sudo systemctl status ccagency-trustee
sudo journalctl -u ccagency-trustee

# CC-Agency Broker
sudo systemctl status ccagency-broker
sudo journalctl -u ccagency-broker

Updated: