Scope
Technologies to be used:
- Load balancer: DigitalOcean (HAProxy)
- Firewall: DigitalOcean
- Application
  - Web app: Odoo 10
  - Web proxy: Nginx
  - Database: PostgreSQL 9.5
- Monitoring & Alerts
  - DigitalOcean
  - Postfix & Mailgun
  - Sentry
  - UptimeRobot
  - NGINX Amplify
  - Slack
Multi-Odoo Installation on Ubuntu 16.04 LTS
Requirements:
- An Ubuntu 16.04 LTS VPS on DigitalOcean. Any other VPS host also works, but you will not get some of the centralized control features, such as those available through doctl
- A private and public SSH key pair for authentication
- Perform the initial hardening using the `praUbuntu1604-do.sh` script
- If desired, use the `terminal-extras.sh` script to make working with the CLI/terminal easier
- doctl, which simplifies managing Droplets on DigitalOcean
Initial hardening
```bash
# from your own machine
ssh -v -i ~/.ssh/ssh-private-key [email protected]
# on the server
nano /tmp/pre.sh
# paste in praUbuntu1604-do.sh
bash /tmp/pre.sh
# values that must be entered manually:
# - root password
# - user password
# - ssh-public-key
# Enable the firewall
sudo ufw enable
```
When the script has finished, and without closing the root session that is still open, connect as the newly created regular non-sudo user: `ssh -v -i ~/.ssh/ssh-private-key [email protected]`.
If that succeeds, reboot the machine with `sudo shutdown -r now`. Initial hardening is now complete.
Snapshot & backup image
Use doctl. First make sure it is installed for the operating system you use; see the doctl repository page or go straight to its release page.
```bash
DO_DROPLET_ID=""
DO_SNAPSHOT_NAME_TS=""
doctl version                  # confirm doctl is installed
doctl auth init                # authenticate with an API token
doctl account get              # show account details
doctl account ratelimit        # show the API rate-limit status
doctl compute droplet list     # list Droplets and their IDs
# general form: doctl compute droplet-action snapshot <droplet_id>
# take the snapshot and wait for it to complete
doctl compute da snapshot -v "$DO_DROPLET_ID" --wait --snapshot-name "$DO_SNAPSHOT_NAME_TS"
doctl compute da power-on "$DO_DROPLET_ID"   # power the Droplet back on
doctl compute action list      # review recent actions
```
Preparing the Odoo installation
PostgreSQL
```bash
# Network and database variables
PRIVATE_INF="eth1"
ODOO_IP_ADDRESS="10.130.50.84"
ODOO_IP_NETWORK="10.130.50.84/16"
POSTGRES_USER="odoo10"
POSTGRES_PORT="5432"
POSTGRES_IP_ADDRESS="10.130.50.79"
# Install PostgreSQL
sudo apt install -y postgresql-9.5 postgresql-server-dev-9.5
sudo systemctl enable postgresql.service
# Start the service
sudo systemctl start postgresql.service
# Create the database role used by Odoo
sudo su - postgres -c "createuser --createdb --username postgres --no-createrole --no-superuser --no-password $POSTGRES_USER"
# Allow connections to PostgreSQL from the Odoo host on the private interface
sudo ufw allow in on $PRIVATE_INF from $ODOO_IP_ADDRESS to any port $POSTGRES_PORT
# Edit client authentication and add the line below (substitute the value of $ODOO_IP_NETWORK)
sudo nano /etc/postgresql/9.5/main/pg_hba.conf
# host all all $ODOO_IP_NETWORK trust
# or append it from the shell:
# echo "host all all $ODOO_IP_NETWORK trust" | sudo tee -a /etc/postgresql/9.5/main/pg_hba.conf
# alternative entries, left commented out:
# host all all * md5
# host all all 0.0.0.0/0 md5
# Edit the listen address (substitute the value of $POSTGRES_IP_ADDRESS)
sudo nano /etc/postgresql/9.5/main/postgresql.conf
# listen_addresses = '$POSTGRES_IP_ADDRESS'
# alternative, left commented out:
# listen_addresses = '*'
# Create the role and grant it permission to create databases
createuser -U postgres odoo10
sudo -u postgres psql postgres
# alter role odoo10 createdb;
# sudo su - postgres -s /bin/bash -c
# psql
# inside psql: set the passwords
\password postgres
\password odoo10
```
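As an added example (not part of the original page), the script below audits the `host` rules that the steps above place in `pg_hba.conf`: it flags `trust` entries, which let any client in the listed range connect without a password, and address ranges wider than /24. The /24 threshold, the function name `audit_pg_hba` and the sample file are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit the network ("host") rules
# of a pg_hba.conf file. Assumption: an IPv4 range wider than /24 is "wide".

audit_pg_hba() {  # usage: audit_pg_hba FILE; prints findings, returns 1 if any
  awk '
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    $1 !~ /^host/  { next }   # keep host, hostssl and hostnossl rules only
    {
      addr = $4
      # METHOD is field 5, or field 6 when a separate netmask column is present
      method = ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ? $6 : $5
      if (method == "trust") {
        printf "line %d: TRUST no password needed from %s\n", NR, addr; bad++
      }
      n = split(addr, part, "/")
      if (addr == "all" || (n == 2 && index(addr, ":") == 0 && part[2] + 0 < 24)) {
        printf "line %d: WIDE address range %s\n", NR, addr; bad++
      }
    }
    END { exit (bad > 0) }
  ' "$1"
}

# Constructed sample: the rule used on this page, the commented-out 0.0.0.0/0
# alternative switched on, and a single-host password rule for comparison.
PG_HBA_SAMPLE=$(mktemp)
cat > "$PG_HBA_SAMPLE" <<'EOF'
# TYPE  DATABASE  USER    ADDRESS           METHOD
local   all       postgres                  peer
host    all       all     10.130.50.84/16   trust
host    all       all     0.0.0.0/0         md5
host    all       odoo10  10.130.50.84/32   md5
EOF

audit_pg_hba "$PG_HBA_SAMPLE" || echo "pg_hba.conf needs review"
```

Only the last rule in the sample passes: it names one role, one host (/32) and requires a password.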
Odoo
```bash
# System user that owns this Odoo instance
ODOO_USER="smarterp"
# Update the system
sudo apt update && sudo apt -y upgrade
# Install build and runtime dependencies
sudo apt install -y git wkhtmltopdf python-pip python-dev \
  python-psutil python-psutil-doc python-virtualenv libevent-dev \
  gcc libjpeg-dev libxml2-dev libssl-dev libsasl2-dev node-clean-css \
  node-less libldap2-dev libxslt-dev postgresql-client \
  postgresql-client-common postgresql-client-9.5
# Create a user and directory for each Odoo installation
sudo adduser --system --group $ODOO_USER --home /opt/$ODOO_USER
# The following steps are for Odoo 10
sudo su - $ODOO_USER -s /bin/bash
# Clone from the repository
ODOO_USER="smarterp"
git clone https://www.github.com/odoo/odoo --depth 1 --branch 10.0 --single-branch /opt/$ODOO_USER
# Use a virtual environment for the installation
cd /opt/$ODOO_USER
virtualenv ./venv
source ./venv/bin/activate
pip install -r requirements.txt
exit
# Test the connection to the database server
psql -h $POSTGRES_IP_ADDRESS -U $POSTGRES_USER -d test
\q
```
Odoo 10 configuration file
```bash
# Variables used for the configuration
ODOO_USER="smarterp"
ODOO_SUPER_PASSWD="sandi_acak_aman_anda"   # placeholder: "your secure random password"
ODOO_ADDONS_DIR="addons"
ODOO_CONF_DIR="/opt/odoo-conf"
ODOO_LOG_DIR="/var/log/odoo"
ODOO_PORT="8010"
ODOO_INSTALL_DIR="/opt/$ODOO_USER"
ODOO_LOG_FILE="${ODOO_USER}.log"
# create the Odoo configuration directory
sudo mkdir -p $ODOO_CONF_DIR
# create the Odoo configuration file
sudo nano $ODOO_CONF_DIR/$ODOO_USER.conf
```
```ini
# Substitute each $VARIABLE below with the value set above;
# this file is not processed by the shell.
[options]
# addons
addons_path = $ODOO_INSTALL_DIR/$ODOO_ADDONS_DIR
# db
admin_passwd = $ODOO_SUPER_PASSWD
db_host = $POSTGRES_IP_ADDRESS
db_port = $POSTGRES_PORT
db_user = $POSTGRES_USER
db_password = False
db_maxconn = 64
# performance
workers = 2
# logs
logfile = $ODOO_LOG_DIR/$ODOO_LOG_FILE
syslog = False
logrotate = True
log_level = info
log_db_level = warning
log_handler = :INFO
# proxy and connectivity
xmlrpc_port = $ODOO_PORT
```
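As an added example (not part of the original page), the script below audits a finished Odoo configuration file for three mistakes this procedure makes easy: `$VARIABLE` placeholders left unexpanded after pasting the template into an editor, a file mode that lets other users read `admin_passwd`, and a master password that is empty or `admin` (the stock default, stated here from general Odoo knowledge rather than from the page). The function name `audit_odoo_conf` and both sample files are assumptions constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit an Odoo config file.
# Function and variable names are hypothetical.

audit_odoo_conf() {  # usage: audit_odoo_conf FILE; prints findings, returns 1 if any
  local f=$1 rc=0 mode
  mode=$(stat -c %a "$f") || return 2          # GNU stat, as on Ubuntu
  case $mode in
    *0) ;;                                     # no permissions for "other"
    *)  echo "MODE $mode: file holding admin_passwd is open to other users"; rc=1 ;;
  esac
  awk -F'[ \t]*=[ \t]*' '
    /^[ \t]*$/ || /^[ \t]*[#;]/ || /^[ \t]*\[/ { next }   # blank, comment, [section]
    index($2, "$") { printf "UNEXPANDED %s = %s\n", $1, $2; bad = 1 }
    $1 == "admin_passwd" && ($2 == "" || $2 == "admin") {
      print "WEAK admin_passwd is empty or the default"; bad = 1
    }
    END { exit (bad + 0) }
  ' "$f" || rc=1
  return $rc
}

# Constructed sample 1: variables left unexpanded, default master password, mode 0644.
WEAK_CONF=$(mktemp); chmod 644 "$WEAK_CONF"
cat > "$WEAK_CONF" <<'EOF'
[options]
addons_path = $ODOO_INSTALL_DIR/$ODOO_ADDONS_DIR
admin_passwd = admin
db_host = $POSTGRES_IP_ADDRESS
xmlrpc_port = 8010
EOF

# Constructed sample 2: values substituted, mode 0640 (root:smarterp on a real host).
GOOD_CONF=$(mktemp); chmod 640 "$GOOD_CONF"
cat > "$GOOD_CONF" <<'EOF'
[options]
addons_path = /opt/smarterp/addons
admin_passwd = constructed-long-random-value
db_host = 10.130.50.79
xmlrpc_port = 8010
EOF

audit_odoo_conf "$WEAK_CONF" || echo "weak config: fix before starting Odoo"
audit_odoo_conf "$GOOD_CONF" && echo "good config: no findings"
```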
SystemD script
```bash
# create the unit file
sudo nano /lib/systemd/system/$ODOO_USER.service
```
```ini
# Substitute $ODOO_USER, $ODOO_INSTALL_DIR and $ODOO_CONF_DIR with their values;
# systemd does not read the shell variables set above.
[Unit]
Description=Odoo - smartERP
[Service]
Type=simple
PermissionsStartOnly=true
User=$ODOO_USER
Group=$ODOO_USER
SyslogIdentifier=$ODOO_USER
ExecStart=/opt/$ODOO_USER/venv/bin/python2 $ODOO_INSTALL_DIR/odoo-bin -c $ODOO_CONF_DIR/$ODOO_USER.conf
# ExecStart=/opt/odoo10/venv/bin/python2 /opt/odoo10/venv/bin/odoo -c /etc/odoo/odoo10.conf
[Install]
WantedBy=multi-user.target
```
### Odoo 10 finalization
```bash
# open port 8010
sudo ufw allow $ODOO_PORT/tcp
# sudo ufw allow out on eth1 from 10.130.50.79 to any port 5432
# prepare the log directory
sudo mkdir -p $ODOO_LOG_DIR
sudo touch $ODOO_LOG_DIR/$ODOO_LOG_FILE
sudo chown -Rv $ODOO_USER:$ODOO_USER $ODOO_LOG_DIR/$ODOO_LOG_FILE
# sudo chmod g+w $ODOO_LOG_DIR/$ODOO_LOG_FILE
# Enable the odoo10 service at boot
sudo systemctl enable $ODOO_USER.service
# Start the odoo10 service
sudo systemctl start $ODOO_USER.service
```
#### Installing OCA addon modules
```bash
sudo su - odoo10 -s /bin/bash
cd /opt/odoo10
virtualenv venv
. venv/bin/activate
# Check whether the odoo package can be imported
python -c "import odoo.api"
# Install the requirements and Odoo itself in editable mode
pip install -r requirements.txt
pip install --upgrade pip
pip install -e .
# Confirm odoo is installed, then point pip at the OCA wheelhouse
pip list | grep odoo
export PIP_FIND_LINKS="https://wheelhouse.odoo-community.org/oca-10.0"
# pip install odoo-autodiscover
pip install odoo10-addon-mgmtsystem --find-links=https://wheelhouse.odoo-community.org/oca-10.0
```
Odoo - OCA additional tools
```bash
# Switch to the odoo10 user and activate the virtual environment
sudo su - odoo10 -s /bin/bash
. venv/bin/activate
```
Web server & proxy - Nginx
```bash
# Install Nginx
sudo apt-get update && sudo apt-get install nginx
# Back up the default configuration, then edit the main and site configuration
sudo cp /etc/nginx/nginx.conf{,.orig}
sudo nano /etc/nginx/nginx.conf
sudo nano /etc/nginx/sites-available/bbi.proxsis.com.conf
# Create the log files for the site
sudo touch /var/log/nginx/bbi.proxsis.com.{access,error}.log
sudo chown www-data:adm /var/log/nginx/bbi*
# Enable the site
sudo ln -s /etc/nginx/sites-available/bbi.proxsis.com.conf /etc/nginx/sites-enabled/bbi.proxsis.com
# Test the configuration and restart Nginx
sudo nginx -t
sudo systemctl restart nginx
# Edit the Odoo configuration
sudo nano /etc/odoo/odoo10.conf
# Create the custom addons directory
sudo mkdir -p /opt/odoo10/bbi-addons
sudo chown odoo10:odoo10 /opt/odoo10/bbi-addons
```
Monitoring & alerts
Mail notification - Postfix & Mailgun
```bash
# https://www.digitalocean.com/community/tutorials/how-to-set-up-a-mail-relay-with-postfix-and-mailgun-on-ubuntu-16-04
# https://cloud.google.com/compute/docs/tutorials/sending-mail/using-mailgun
# Postfix as mail relay
sudo debconf-set-selections <<< "postfix postfix/main_mailer_type select Satellite system"
# Use HOSTNAME as the sending mail server hostname
HOSTNAME="bbi.proxsis.com"
sudo debconf-set-selections <<< "postfix postfix/mailname string $HOSTNAME"
# Use Mailgun as SMTP server for relayed mail
sudo debconf-set-selections <<< "postfix postfix/relayhost string [smtp.mailgun.org]:2525"
# Install needed packages
sudo apt -y install postfix mailutils libsasl2-modules
# Create & edit new credentials file
sudo nano /etc/postfix/sasl_passwd
#
# [smtp.mailgun.org]:2525 [email protected]:c4e6d91583b0196b5dc59b7b58eb9bcf
#
# Create & edit a new generic mapping file (local account to email address)
sudo nano /etc/postfix/generic
# Add the line below to the file: `odoo10` is the local account, `no-reply` is whatever address the receiver should see
#
# odoo10 [email protected]
#
# Generate & check the `.db` files for Postfix's lookup tables, then remove the plain-text files containing credentials, as they are no longer needed
sudo postmap /etc/postfix/{sasl_passwd,generic}
ls -l /etc/postfix/{sasl_passwd,generic}*
sudo rm /etc/postfix/{sasl_passwd,generic}
# Readable and writable only by the owner (root)
sudo chmod 600 /etc/postfix/{sasl_passwd,generic}.db
# Edit main.cf and add the settings at the end of the file
sudo nano /etc/postfix/main.cf
#
# # Remove
# default_transport = error
# relay_transport = error
#
# # Add
# smtp_tls_security_level = encrypt
# smtp_sasl_auth_enable = yes
# smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# smtp_sasl_security_options = noanonymous
# smtp_sasl_tls_security_options = noanonymous
# smtp_sasl_mechanism_filter = AUTH LOGIN
# smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# smtp_generic_maps = hash:/etc/postfix/generic
#
# Edit and add an alias to forward email from system notifications
sudo nano /etc/aliases
#
# root: [email protected]
#
# Restart Postfix service with new configuration
sudo systemctl restart postfix
# Check and remove any entry for port 25, 465, 587
sudo ufw status
# Allow the Mailgun port
sudo ufw allow 2525/tcp
# Restart the ufw service
sudo systemctl restart ufw
# Check the log file for mail activity and successful server responses
sudo tail -F /var/log/mail.log
# sudo tail -n 5 /var/log/syslog
#
# Test sending email from the CLI
MAIL_SUBJECT="Uji kirim-kirim nih"
MAIL_RECIEVER="[email protected]"
MAIL_CONTENT="Halo dari demo.bbi.proxsis.com"
mail -s "$MAIL_SUBJECT" $MAIL_RECIEVER <<< "$MAIL_CONTENT"
# the same test using a pipe
echo "$MAIL_CONTENT" | mail -s "$MAIL_SUBJECT" $MAIL_RECIEVER
```
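As an added example (not part of the original page), the script below checks the relay settings listed above. Because `smtp_sasl_security_options = noanonymous` permits plaintext mechanisms such as LOGIN, the Mailgun password is protected in transit only if `smtp_tls_security_level` makes TLS mandatory. The function names `maincf_get` and `check_relay` and both sample files are assumptions constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. On a live host `postconf -h NAME`
# returns the effective value; this small parser stands in for it offline.

maincf_get() {  # usage: maincf_get FILE NAME; the last assignment wins
  awk -v name="$2" '
    /^[ \t]*$/ || /^[ \t]*#/ { next }                      # blank and comment lines
    /^[ \t]/ { if (cur == name) val = val " " $0; next }   # continuation line
    { cur = $0; sub(/[ \t]*=.*/, "", cur)
      if (cur == name) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) } }
    END { gsub(/[ \t]+/, " ", val); sub(/ $/, "", val); print val }
  ' "$1"
}

check_relay() {  # usage: check_relay FILE; prints findings, returns 1 if any
  local f=$1 rc=0
  case $(maincf_get "$f" smtp_tls_security_level) in
    encrypt|verify|secure|fingerprint|dane-only) ;;
    *) echo "TLS is not mandatory: credentials can be sent in cleartext"; rc=1 ;;
  esac
  [ "$(maincf_get "$f" smtp_sasl_auth_enable)" = yes ] ||
    { echo "SASL authentication to the relay is disabled"; rc=1; }
  case " $(maincf_get "$f" smtp_sasl_security_options | tr ',' ' ') " in
    *" noanonymous "*) ;;
    *) echo "anonymous SASL mechanisms are allowed"; rc=1 ;;
  esac
  return $rc
}

# Constructed samples: the settings from this page, and the same file with
# opportunistic TLS assigned later in the file.
GOOD_CF=$(mktemp); WEAK_CF=$(mktemp)
cat > "$GOOD_CF" <<'EOF'
relayhost = [smtp.mailgun.org]:2525
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtpd_relay_restrictions = permit_mynetworks
    permit_sasl_authenticated defer_unauth_destination
EOF
{ cat "$GOOD_CF"; echo "smtp_tls_security_level = may"; } > "$WEAK_CF"

check_relay "$GOOD_CF" && echo "relay settings OK"
check_relay "$WEAK_CF" || echo "relay settings need review"
```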
Sentry - automated warning & error reporting
Preliminaries:
- Access Sentry.io
- Create an account if you do not have one yet
- Create a new project
- Install & configure Sentry so that it integrates with Odoo
Installing and configuring Sentry on Odoo
```bash
# Install the Sentry client (raven) in the Odoo virtual environment
sudo su - odoo10 -s /bin/bash
. venv/bin/activate
pip install raven --upgrade
nano $ODOO_CONF_DIR/$ODOO_USER.conf
# Add the following settings:
# server_wide_modules = web,web_kanban,sentry
#
# sentry_dsn = https://2b77fa22ec104b7d95eab8c99739a0dc:[email protected]/257983
# sentry_enabled = true
# sentry_logging_level = warn
# sentry_exclude_loggers = werkzeug
# sentry_ignore_exceptions = odoo.exceptions.AccessDenied,odoo.exceptions.AccessError,odoo.exceptions.MissingError,odoo.exceptions.RedirectWarning,odoo.exceptions.UserError,odoo.exceptions.ValidationError,odoo.exceptions.Warning,odoo.exceptions.except_orm
# sentry_processors = raven.processors.SanitizePasswordsProcessor,odoo.addons.sentry.logutils.SanitizeOdooCookiesProcessor
# sentry_transport = threaded
# sentry_include_context = true
# sentry_environment = development
# sentry_auto_log_stacks = false
# sentry_odoo_dir = /opt/odoo10/
#
exit
sudo systemctl restart odoo10
```
Integrations:
- GitLab
  - Repo URL: https://gitlab.com
  - Access Token: sAys5DyzULyZSASxFz4W
  - Repo Name: proxsis/biztech/external/bbi-odoo-ecommerce
  - Issue Labels: optional
- Slack
  - Webhook URL: https://hooks.slack.com/services/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
  - Bot Name
  - Icon URL
  - Destination: #ops-alert
  - Include Tags: true
  - Included Tags: null
  - Excluded Tags: null
  - Include Rules: false
  - Exclude Project Name: false
  - Exclude Culprit: false