Configuration

Warning

After installing the software and configuring all files as described in this documentation, verify their permissions. For example, /etc/vmc/config.yml may have a default permission of rw-r--r-- because of the system umask. To harden it, restrict access to the owner:

chmod 600 /etc/vmc/config.yml

Installation on a virtual machine

To manage VMC through systemctl, place the following unit files in /etc/systemd/system/:

vmc-admin.service

[Unit]
Description=VMC Admin Panel

[Service]
Restart=on-failure
ExecStart=/usr/local/bin/vmcctl start admin

[Install]
WantedBy=multi-user.target

vmc-scheduler.service

[Unit]
Description=VMC Scheduler

[Service]
Restart=on-failure
ExecStart=/usr/local/bin/vmcctl start scheduler

[Install]
WantedBy=multi-user.target

vmc-worker.service

[Unit]
Description=VMC Worker

[Service]
Restart=on-failure
ExecStart=/usr/local/bin/vmcctl start worker

[Install]
WantedBy=multi-user.target

On each server where VMC is installed, create /etc/vmc/config.yml with the following structure:

# VMC
vmc.ssl: true
vmc.domain: localhost
vmc.port: 443

# Redis (connection configuration)
redis.url: redis://:password@localhost:6379/1

# Elasticsearch
elasticsearch.hosts: ["http://127.0.0.1:9200"]
# elasticsearch.user: elastic
# elasticsearch.password: password

# Database
database.engine: django.db.backends.postgresql_psycopg2
database.name: vmc
database.user: postgres
database.password: password
database.host: localhost
database.port: 5432

# Queue
rabbitmq.username: admin
rabbitmq.password: password
rabbitmq.host: localhost
rabbitmq.port: 5672

# Secret — generate with the command shown below and paste here.
# Never reuse the example value.
secret_key: "<generated by get_random_secret_key()>"

# Admin Service Name (resolves to the VMC admin container/host; healthchecks
# under docker-compose rely on this value)
admin_service_name: admin

# debug: true

Important

Generate a fresh secret_key and replace the placeholder above before the first start:

python3 -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"
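The following audit is an added example, not part of VMC or its documentation; it covers both the permissions warning at the top of this page and the secret_key note above. The function names, the script name in the usage line, and the 50-character minimum (the length Django's get_random_secret_key() returns) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not VMC's own code): audit a VMC config.yml before first start.

# Print the octal permission bits (GNU stat, then BSD stat as a fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Print one finding per line; return 0 when clean, 1 when anything was found.
audit_vmc_config() {
    cfg=$1; rc=0
    mode=$(file_mode "$cfg")
    # Any group/other bit (mask 077) exposes the stored credentials to non-owners.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE: $cfg is $mode, expected 600"; rc=1
    fi
    # Value of secret_key with surrounding double quotes removed.
    key=$(sed -n 's/^secret_key:[[:space:]]*//p' "$cfg" | tr -d '"')
    case "$key" in
        ""|"<"*) echo "SECRET: secret_key is missing or still the placeholder"; rc=1 ;;
        *)  # Assumption: enforce the 50 characters get_random_secret_key() returns.
            [ ${#key} -ge 50 ] || { echo "SECRET: secret_key is under 50 characters"; rc=1; } ;;
    esac
    # Example credentials from this page left in place (commented lines are skipped).
    weak=$(grep -nE '^[a-z_.]*password:[[:space:]]*"?(password|test_vmc)"?[[:space:]]*$|^redis\.url:.*:password@' "$cfg" |
           sed 's/^/PASSWORD: example value on line /')
    [ -z "$weak" ] || { echo "$weak"; rc=1; }
    return $rc
}

# Constructed sample: a subset of the example config above, with the default 644 mode.
write_sample_config() {
    cat > "$1" <<'EOF'
redis.url: redis://:password@localhost:6379/1
database.user: postgres
database.password: password
rabbitmq.password: password
secret_key: "<generated by get_random_secret_key()>"
EOF
    chmod 644 "$1"
}

# Usage: sh audit_vmc_config.sh /etc/vmc/config.yml   (exit status 1 on findings)
if [ $# -gt 0 ]; then audit_vmc_config "$1"; fi
```

Run it after editing the file and before enabling the services; a non-zero exit status makes it usable as a deployment gate.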

On the server where the VMC admin component runs, configure the proxy and the static-file location.

Sample Nginx proxy for VMC admin

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    upstream vmc {
        server 127.0.0.1:8001;
    }

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;

        location / {
            proxy_pass http://vmc;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_redirect off;
        }

        location /static/ {
            alias /usr/share/vmc/static/;
        }

        error_page 404 /404.html;
        location = /404.html {}

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {}
    }
}

Then run the bootstrap commands on the VMC admin server:

# Collect the static files needed by the admin panel
vmcctl collectstatic

# Create the super-admin user
vmcctl createsuperuser

# Initialise the core indexes in Elasticsearch
vmcctl create_index

Finally, enable and start the services:

systemctl enable vmc-admin vmc-scheduler vmc-worker
systemctl start  vmc-admin vmc-scheduler vmc-worker

Installation using Docker

Before starting VMC containers, make sure all dependencies described in the Requirements chapter are in place. Additional information on running VMC with Docker is available in the vmc-demo repository, and the end-to-end stack (admin + worker + scheduler + Postgres + Elasticsearch + Kibana + Ralph + TheHive + ElastAlert) is orchestrated by vmc-dev-toolkit — see the top-level README.

Prepare config.yml. Under docker-compose the file is mounted at /etc/vmc/config.yml inside the admin/worker/scheduler containers; the demo stack uses vmc-demo/config/vmc/demo.yml as a reference template.

# VMC
vmc.ssl: false
vmc.domain: localhost
vmc.port: 80

# Redis
redis.url: redis://redis:6379/1

# Elasticsearch
elasticsearch.hosts: ["http://elasticsearch:9200"]
# elasticsearch.user: elastic
# elasticsearch.password: password

# Database
database.engine: django.db.backends.postgresql_psycopg2
database.name: vmc
database.user: user
database.password: password
database.host: postgres
database.port: 5432

# Queue
rabbitmq.username: vmc
rabbitmq.password: test_vmc
rabbitmq.host: rabbitmq
rabbitmq.port: 5672

# Secret — see the IMPORTANT note above
secret_key: "<generated by get_random_secret_key()>"

# Admin service name (used by docker-compose healthchecks)
admin_service_name: admin

# debug: true

Warning

In docker-compose.yml, mount the file as a read-only volume using the :ro suffix so the container can read but not modify it.

services:
  admin:
    image: dsecureme/vmc:latest
    volumes:
      - ./config.yml:/etc/vmc/config.yml:ro