Server
Our RHSMD is a Python/Flask-based system: lightweight, and designed to serve thousands of client systems.
We use Flask App Builder, Dynaconf, PostgreSQL, Apache/mod_wsgi and other components to deliver an enterprise-grade system, with ongoing development of integrations with other back-office systems.
Deployment
As with all of our applications, the software itself is packaged as an RPM. We use Chef to deploy all of the applications across the nodes that make up the system.
Configuration
We use Dynaconf wherever we can, usually with YAML configuration files, which are easily managed via Chef template resources. The file below is layered: the default environment is always loaded, and the dev, test and production environments override it. Two caveats when editing it. First, unless merging is enabled (merge_enabled on the Dynaconf settings object, or a dynaconf_merge key inside the nested mapping), Dynaconf replaces a nested mapping such as CERTIFICATES wholesale when an environment redefines it, so the dev and test overrides below would otherwise drop the ISSUER, SERVER, KEYSIZE and related entries. Second, SECRET_KEY, MAIL_PASSWORD and the API tokens are placeholders; supply the real values through a .secrets.yaml file or environment variables (both of which Dynaconf loads) rather than through a template that ends up in the Chef repository, and keep the private keys referenced under CERTIFICATES readable by the daemon's user only.
---
default:
  AIRFLOW:
    URI: https://airflow.last-bastion.net
    USERNAME:
    PASSWORD:
#  ALEMBIC:
#    SCRIPT_LOCATION: migrations
  AUTHENTICATION:
    GROUPS:
      # automatically set group per owner
      AUTOMATIC: true
  CERTIFICATES:
     # the certificate authority - needs to agree with the content servers for dnf/sslverify
     AUTHORITY:
       CERT: /etc/pki/tls/certs/bastionca.pem
       KEY: /etc/pki/tls/private/bastionca.key
     # the issuer subject
     ISSUER:
       CERT: /etc/pki/tls/certs/entitlements.pem
       KEY: /etc/pki/tls/private/bastion.keydec
     # the server cert for this rhsmd (non-prod) daemon
     SERVER:
       CERT: /etc/pki/tls/certs/bastion.pem
       KEY: /etc/pki/tls/private/bastion.keydec
     STORE:
        CONSUMER: /var/lib/rhsmd/certificates
        PRODUCT: /var/lib/rhsmd/products
     KEYSIZE: 4096
     # rsa, ecdsa
     KEYTYPE: rsa
     DIGEST: sha256
     # certificates which contain the product info on the consumers
     PRODUCT:
       ORG: Last Bastion Network
       EXPIRATION: 1 year
  # company details - for mailing list templates et al
  COMPANY:
     NAME: Last Bastion Network
     HOME: http://au.last-bastion.net
     ADDRESS: 407 The Foundry, 181 Lawson Street, Darlington, Sydney, Australia, 2008
     START: 2023
  # a bunch of flags to turn on/off various subscription-manager features/functionality
  FEATURES:
    # overriding dnf content configuration
    CONTENT_OVERRIDES: true
    # multi-environment
    MULTI_ENV: true
    # upload hypervisor features
    HYPERVISORS: true
    # upload package profiles
    PACKAGES: true
    # support for pools; still figuring out what/how to embed in v3 entitlements
    POOL: true
    # set $releasever in repo content
    RELEASE: true
    # set sslverifystatus in repo content
    SSL_VERIFY_STATUS: false
  FEEDBACK:
    ENABLED: true
    # the role to receive messages
    ROLE: Admin
    SUBJECT_PREFIX: '[RHSMD]'
    RESPONSE: Thank you for your feedback. We will respond shortly.
  # overall log level
  LOGLEVEL: DEBUG
  # flask-mailing for subscription redemption
  MAIL_USERNAME: entitlements@intranet.last-bastion.net
  MAIL_FROM: entitlements@intranet.last-bastion.net
  MAIL_PASSWORD: changeme
  MAIL_SERVER: disco
  MAIL_PORT: 587
  MAILINGLIST:
    USERNAME: admin
    # api token for user
    TOKEN: changeme
    # listmonk API uri
    URI: http://mail:9000/api
    # claimed feedback form
    CONSUMER:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    # claimed feedback form
    OWNER:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    # subscription-manager redeems an entitlement
    REDEMPTION:
      ENABLED: true
      LIST_ID: 1
      # hmmm; we HAVE specific JSON additional data ...
      TX_TEMPLATE_ID: 1
      # html, plain, markdown
      CONTENT_TYPE: plain
    SUBSCRIPTIONS:
      ENABLED: true
      TITLE: Subscribe to the BastionLinux Mailing List.
      RESPONSE: Thank you for subscribing to the BastionLinux mailing list.
      RESPONSE_PRECONFIRM: Please check your email for our confirmation request.
      LIST_ID: 1
      # preconfirm subscriptions - ie no confirmation email
      PRECONFIRM: false
  # global content (ie repo definition) overrides
  # OVERRIDES:
  #   - name: foo
  #     value: bar
  OVERRIDES: []
  # host/nic for non-prod/local running
  # SERVER_NAME: 0.0.0.0
  # PORT: 5000
  # https://developers.google.com/recaptcha/docs/display or cloudflare/turnstile
  RECAPTCHA_PUBLIC_KEY:
  RECAPTCHA_PRIVATE_KEY:
  # the current/default distro release version
  RELEASES:
    - 36
    - 42
  # application secret key; never change it once configured, because database fields are encrypted with it
  # (placeholder value: override it from .secrets.yaml or the environment, not from this file)
  SECRET_KEY: bla
  # install step-cli and configure this ...
  STEPCA:
      ENABLED: false
      URI: http://stepca:9001
      PASSWORD_FILE: /path/to/password.txt
  SUPPORT:
    ENABLED: false
    RESPONSE: Thank you for your request.  Someone will reach out shortly.
  TAIGA:
    USERNAME: admin
    PASSWORD: changeme
    URI: https://taiga.last-bastion.net
    PROJECTS:
      SUPPORT:
        NAME: support
        ROLES:
         - submitter
        # mappings for issue_types - need the taiga issue type id (integer)
        # $ taiga projects get support
        TYPES:
          # question: 2
          # fix: 10
  # hmmmm; repodata - ship RPM packages ...
  TOPDIR: /var/lib/rpmbuilders/var
  # customise urls/endpoints if behind proxies, gateways etc
  URLS:
      # phone home et al
      CLOUDINIT: /cloud
      # any docs
      DOCS: https://docs.last-bastion.net/bastionlinux.html
      # the external url for the base endpoint
      EXTERNAL: https://localhost:5000
      # the web-portal components of RHSMD (no trailing slashes...)
      GRAFANA: https://grafana.last-bastion.net/
      LOGO: http://intranet.last-bastion.net/_static/img/bastion-logo-invert.svg
      PORTAL: /
      REPO: http://linux.last-bastion.net/LBN/up2date
      # subscription_manager client's api endpoint base
      RHSMD: /rhsmd
      # legal terms and conditions
      TERMS: https://docs.last-bastion.net/legal/index.html
      # serve RPMs from here
      REPODATA: /packages
  # hmmm - actual rhsmd version displayed in theme
  VERSION: 1.8.1
dev:
  CERTIFICATES:
    AUTHORITY:
      CERT: tests/certs/testca.pem
      KEY: tests/certs/testrsa.pem
    STORE:
      CONSUMER: /tmp/certificates
      PRODUCT: /tmp/products
  LOGLEVEL: INFO
  SQLALCHEMY_DATABASE_URI: postgresql://rhsmd:pa55word@airflow-dev/rhsmd
  SUPPORT:
    ENABLED: true
test:
  AUTH_RATE_LIMITED: false
  CERTIFICATES:
    AUTHORITY:
      CERT: tests/certs/testca.pem
      KEY: tests/certs/testrsa.pem
  RATE_LIMITED: false
  SQLALCHEMY_DATABASE_URI: 'sqlite:///:memory:'
  # SQLALCHEMY_DATABASE_URI: 'postgresql://localhost:26257?sslmode=require&user=root&sslcert=/etc/cockroachdb/certs/client.root.crt&sslkey=/etc/cockroachdb/certs/client.root.key'
production:
  # AUTH_TYPE: AUTH_LDAP
  # AUTH_LDAP_GROUP_FIELD: memberOf
  # AUTH_ROLE_MAPPING:
  #   cn=admin,ou=groups,dc=example,dc=com:
  #     - Admin
  # if we should replace ALL the user's roles each login, or only on registration
  # AUTH_ROLES_SYNC_AT_LOGIN: true
  # force users to re-auth after 30min of inactivity (to keep roles in sync)
  # PERMANENT_SESSION_LIFETIME: 1800
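As an added example (not part of the RHSMD code base or this page), the stdlib-only Python below models the default/env layering of the file above and lints a resolved environment for the three things an operator should never ship: placeholder credentials (changeme, bla, the pa55word in the dev database URI), a token or password sent to an http:// endpoint, and private keys such as bastionca.key or bastion.keydec that are group- or other-readable. CONFIG is a constructed subset of the YAML above with the same values; the production overlay, SECRETS (standing in for a .secrets.yaml), and every function name are assumptions, and deep_merge assumes nested-mapping merging, which Dynaconf only performs with merge_enabled (or dynaconf_merge) set.

```python
"""Pre-deploy lint for a Dynaconf-style layered RHSMD settings tree."""
import os
import stat
import tempfile
from copy import deepcopy

# Dotted paths of credentials that appear in the YAML above.
SECRET_PATHS = ("SECRET_KEY", "MAIL_PASSWORD", "MAILINGLIST.TOKEN", "TAIGA.PASSWORD", "AIRFLOW.PASSWORD", "SQLALCHEMY_DATABASE_URI")
# Shipped placeholder values that must be overridden before deployment.
PLACEHOLDERS = {"changeme", "bla", "pa55word", "password", "secret", ""}
# Sections with a URI the daemon authenticates to; plain http would leak the credential.
CREDENTIALED_URIS = ("AIRFLOW.URI", "MAILINGLIST.URI", "STEPCA.URI", "TAIGA.URI")
# Private keys named in the config; they must not be group/other readable.
KEY_PATHS = ("CERTIFICATES.AUTHORITY.KEY", "CERTIFICATES.ISSUER.KEY", "CERTIFICATES.SERVER.KEY")
# Constructed subset of the page's YAML (same values, so the same findings); the
# production overlay and SECRETS (what a .secrets.yaml would add) are hypothetical.
CONFIG = {
    "default": {
        "AIRFLOW": {"URI": "https://airflow.last-bastion.net", "PASSWORD": None},
        "CERTIFICATES": {"AUTHORITY": {"KEY": "/etc/pki/tls/private/bastionca.key"}},
        "MAIL_PASSWORD": "changeme",
        "MAILINGLIST": {"TOKEN": "changeme", "URI": "http://mail:9000/api"},
        "SECRET_KEY": "bla",
        "STEPCA": {"ENABLED": False, "URI": "http://stepca:9001"},
        "TAIGA": {"PASSWORD": "changeme", "URI": "https://taiga.last-bastion.net"},
    },
    "dev": {"SQLALCHEMY_DATABASE_URI": "postgresql://rhsmd:pa55word@airflow-dev/rhsmd"},
    "production": {"MAILINGLIST": {"URI": "https://mail:9000/api"}},
}
SECRETS = {"SECRET_KEY": "3d5b0f9e8a7c4b21", "MAIL_PASSWORD": "Xk2#vL9q",
           "MAILINGLIST": {"TOKEN": "lm_7f3a9c"}, "TAIGA": {"PASSWORD": "T4!gaPw"}}

def deep_merge(base, override):
    """Layer override on base: nested mappings merge, anything else is replaced.
    Dynaconf only behaves like this with merge_enabled (or dynaconf_merge) set."""
    out = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = deepcopy(value)
    return out

def resolve(tree, env, *overlays):
    """default, then the chosen env, then extra overlays such as a secrets file."""
    settings = deep_merge(tree.get("default", {}), tree.get(env) or {})
    for overlay in overlays:
        settings = deep_merge(settings, overlay)
    return settings

def lookup(settings, dotted):
    node = settings
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # any missing component means "not configured"
        node = node[part]
    return node

def uri_password(uri):
    """Password from scheme://user:password@host/...; None when there is no userinfo."""
    authority = uri.split("://", 1)[-1].split("/", 1)[0]
    if "@" not in authority:
        return None
    userinfo = authority.rsplit("@", 1)[0]
    return userinfo.split(":", 1)[1] if ":" in userinfo else ""

def file_mode(path):
    """Permission bits of path, or None when it is absent (e.g. on a dev box)."""
    return stat.S_IMODE(os.stat(path).st_mode) if os.path.exists(path) else None

def lint(settings, mode_of=file_mode):
    """Return 'PATH: problem' strings; an empty list means the tree is deployable."""
    findings = []
    for path in SECRET_PATHS:
        value = lookup(settings, path)
        if value is None:
            continue  # integration not configured at all
        secret = uri_password(str(value)) if path.endswith("_URI") else str(value)
        if secret is not None and secret.strip().lower() in PLACEHOLDERS:
            findings.append(f"{path}: placeholder credential")
    for path in CREDENTIALED_URIS:
        section = lookup(settings, path.rsplit(".", 1)[0]) or {}
        if section.get("ENABLED", True) and str(section.get("URI", "")).lower().startswith("http://"):
            findings.append(f"{path}: credential sent over plaintext http")
    for path in KEY_PATHS:
        keyfile = lookup(settings, path)
        mode = mode_of(keyfile) if keyfile else None
        if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: {keyfile} is mode {mode:04o}, expected 0600")
    return findings

def demo_key_mode():
    """Exercise the permission check on a temporary key deliberately left 0644."""
    fd, keyfile = tempfile.mkstemp()
    os.close(fd)
    os.chmod(keyfile, 0o644)
    findings = lint({"CERTIFICATES": {"AUTHORITY": {"KEY": keyfile}}})
    os.unlink(keyfile)
    return findings
```

Running lint(resolve(CONFIG, "dev")) reports the four placeholder credentials, the pa55word embedded in the dev database URI and the listmonk token going to http://mail:9000; STEPCA is skipped because it is disabled. lint(resolve(CONFIG, "production", SECRETS)) returns an empty list, which is the state a Chef run should reach before the daemon is started. The mode_of parameter exists so the key check can be stubbed out on hosts where the keys are not present.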
Documentation
We use Sphinx as our documentation tool, and it is integrated into our software development and delivery processes.
Getting It
The application is available on BastionLinux as lbn-rhsmd. We would welcome enquiries.