Mqtt install

deploy/services/README.md

@@ -0,0 +1,42 @@
+# Platform Services
+
+It is recommended to install certain third-party software for use
+by digital twins running inside the DTaaS software.
+
+The installation scripts in this directory install:
+
+* **Influx** time-series database and dashboard service
+* **Grafana** visualization and dashboard service
+* **RabbitMQ** AMQP broker and its' management interface
+* Eclipse Mosquitto **MQTT** broker
+
+## Configure and Install
+
+The first step in installation is to specify the config of the services.
+There are two configuration files. The __services.yml__ contains most
+of configuration settings. The __mqtt-default.conf__ file contains
+the MQTT listening port. Update these two config files before proceeding
+with the installation of the services.
+
+```bash
+yarn install
+node services.js
+```
+
+## Use
+
+After the installation is complete, you can see the following services active
+at the following ports / URLs.
+
+| service | external url |
+|:---|:---|
+| Influx | services.foo.com |
+| Grafana | services.foo.com:3000 |
+| RabbitMQ Broker | services.foo.com:5672 |
+| RabbitMQ Broker Management Website | services.foo.com:15672 |
+| MQTT Broker | services.foo.com:1883 |
+||
+
+The firewall and network access settings of corporate / cloud network need to be
+configured to allow external access to the services. Otherwise the users of DTaaS
+will not be able to utilize these services from their user workspaces.

deploy/services/mqtt-default.conf

@@ -0,0 +1,2 @@
+listener 1883
+password_file /etc/mosquitto/passwd

deploy/services/package.json

@@ -0,0 +1,13 @@
+{
+  "name": "@into-cps-association/dtaas-install-services",
+  "version": "0.0.1",
+  "description": "Install platform services for the DTaaS software",
+  "author": "Prasad Talasila",
+  "private": false,
+  "type": "module",
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "execa": "^8.0.1",
+    "js-yaml": "^4.1.0"
+  }
+}

deploy/vagrant/two-machine/services.js → deploy/services/services.js

@@ -15,7 +15,7 @@ const sleep = (ms) =>
   });
 
   try {
-  console.log(chalk.blue("Load services configuration"));
+  log(chalk.blue("Load services configuration"));
   config = await yaml.load(fs.readFileSync('services.yml', 'utf8'));
   log(chalk.green("configuration loading is successful and config is a valid yaml file"));
 } catch (e) {
@@ -84,7 +84,7 @@ await $$`docker run -d \
   grafana/grafana:10.1.4`;
 log(chalk.green("Grafana server docker container started successfully"));
 
-console.log(chalk.blue("Wait one minute for Grafana server to bootstrap"));
+log(chalk.blue("Wait one minute for Grafana server to bootstrap"));
 await sleep(60000);  //60 seconds
 
 await $$`docker exec grafana grafana-cli admin reset-admin-password ${grafanaConfig.password}`;
@@ -102,17 +102,37 @@ try {
   await $$`docker rm rabbitmq-server`;  
 } catch (e) {
 }
-//await $$`docker run -d --name rabbitmq-server -p 5672:5672  -p 15672:15672 rabbitmq:3-management`;
+
 log(chalk.green("Start RabbitMQ server docker container"));
 await $$`docker run -d --name rabbitmq-server \
   -p ${rabbitmqConfig.ports.main}:5672 \
   -p ${rabbitmqConfig.ports.management}:15672 rabbitmq:3-management`;
 log(chalk.green("RabbitMQ server docker container started successfully\n"));
 
-console.log(chalk.blue("Wait 2 minutes for RabbitMQ server to bootstrap"));
+log(chalk.blue("Wait 2 minutes for RabbitMQ server to bootstrap"));
 await sleep(120000);  //120 seconds
 
 let args = [rabbitmqConfig.username, rabbitmqConfig.password];
-//console.log(chalk.blue("Add ${rabbitmqConfig.username} user and give permission to ${rabbitmqConfig.vhost} vhost"));
+log(chalk.blue(
+  "Add %s user and give permission to %s vhost"),
+  rabbitmqConfig.username, rabbitmqConfig.vhost);
 await $$`docker exec rabbitmq-server rabbitmqctl add_user ${args}`;
 await $$`docker exec rabbitmq-server rabbitmqctl set_permissions -p ${rabbitmqConfig.vhost} ${rabbitmqConfig.username} ".*" ".*" ".*"`;
+
+//---------------
+log(chalk.blue("Install and start MQTT server"));
+const mqttConfig = config.services.mqtt;
+
+log(chalk.blue("Attempt to install mosquitto MQTT server using apt-get package manager"));
+await $$`sudo apt-get install -y mosquitto mosquitto-clients`;
+log(chalk.blue("Create user account for %s in MQTT server"), mqttConfig.username);
+await $$`sudo sudo mosquitto_passwd -c -b /etc/mosquitto/passwd ${mqttConfig.username} ${mqttConfig.password}`;
+await $$`sudo chown root:mosquitto /etc/mosquitto/passwd`;
+await $$`sudo chmod 660 /etc/mosquitto/passwd`;
+
+log(chalk.blue("Set MQTT listening port configuration"));
+await $$`sudo cp mqtt-default.conf /etc/mosquitto/conf.d/default.conf`;
+await $$`sudo chmod 664 /etc/mosquitto/conf.d/default.conf`;
+await $$`sudo chown root:mosquitto /etc/mosquitto/conf.d/default.conf`;
+await $$`sudo systemctl restart mosquitto`;
+await $$`sudo systemctl status mosquitto`;

deploy/vagrant/two-machine/services.yml → deploy/services/services.yml

@@ -17,3 +17,6 @@ services:
         password: "dtaas1357"   # need to have letters and numbers
         datapath: "/home/prasad/git/prasadtalasila/DTaaS/deploy/vagrant/two-machine/influx" #no spaces in the path
         port: 80
+    mqtt:  # usernames and passwords are in deploy/config/services/mqtt/config/password
+        username: "dtaas"
+        password: "dtaas"

deploy/vagrant/two-machine/README.md

@@ -15,10 +15,11 @@ server1. The _workspaces.sh_ contains installation commands for provisioning
 user workspaces. If you desire to have more users, you need to modify this
 shell script.
 
-The default installation setup also installs InfluxDB, Grafana and RabbitMQ
-services on server2. If you would like to install more services, you can create
-shell scripts to install the same on server2. If you have these scripts ready,
-you can place them in this directory and invoke them from _services.sh_ script.
+The default installation setup also installs InfluxDB, Grafana, RabbitMQ
+and MQTT services on server2. If you would like to install more services,
+you can create
+scripts to install the same on server2. If you have these scripts ready,
+you can place them in this directory and invoke them from _services.js_ script.
 
 ## Create Base Vagrant Box
 
@@ -60,37 +61,19 @@ The fields to update are:
 
 ## Launch platform default services
 
-RabbitMQ, Grafana and InfluxDB services are provisioned on this server.
-InfluxDB webUI will be available at: _services.foo.com_.
-The RabbitMQ service and its management interface shall be available
-at 5672 and 15672 TCP ports respectively.
-The Grafana service shall be available at TCP port 3000.
-
-The firewall and network access settings of corporate / cloud network need to be
-configured to allow external access to the services. Otherwise the users of DTaaS
-will not be able to utilize these services from their user workspaces.
+RabbitMQ, Grafana, InfluxDB and MQTT services are provisioned on this server.
 
 Execute the following commands from terminal to start the machine.
 
 ```bash
 vagrant up --provision services
 vagrant ssh services
-wget https://raw.githubusercontent.com/INTO-CPS-Association/DTaaS/feature/distributed-demo/deploy/vagrant/two-machine/services.sh
-bash services.sh
 wget https://raw.githubusercontent.com/INTO-CPS-Association/DTaaS/feature/distributed-demo/deploy/vagrant/route.sh
 sudo bash route.sh
 ```
 
-After the server is up and running, you can see the following services active
-within server2.
-
-| service | external url |
-|:---|:---|
-| Influx visualization service | services.foo.com |
-| Grafana visualization service | services.foo.com:3000 |
-| RabbitMQ communication service | services.foo.com:5672 |
-| RabbitMQ management service | services.foo.com:15672 |
-||
+Follow the instructions in [services](../../services/README.md) to install
+the platform default services on this vagrant machine.
 
 ## Launch DTaaS application
 
@@ -99,6 +82,11 @@ Execute the following commands from terminal
 ```bash
 vagrant up --provision dtaas
 vagrant ssh dtaas
+```
+
+Once inside the vagrant box, execute
+
+```bash
 wget https://raw.githubusercontent.com/INTO-CPS-Association/DTaaS/feature/distributed-demo/deploy/vagrant/route.sh
 sudo bash route.sh
 ```

docs/FAQ.md

@@ -216,9 +216,7 @@
 
     The core feature of DTaaS software is to help users
     create DTs from assets already available in the library.
-
     ![Create Library Assets](./user/servers/lib/author.png)
-
     However, it is possible for users to take advantage of services
     available in their workspace to install asset authoring tools
     in their own workspace.
@@ -227,4 +225,47 @@
     Thus any licensed software tools installed in their workspace is
     only available to them.
 
+## GDPR Concerns
+
+??? Question "Does your platform adhere to GDPR compliance standards? If so, how?"
+
+    The DTaaS software platform does not store any personal information
+    of users. It only stores username to identify users and these
+    usernames do not contain enough information to deduce the true
+    identify of users.
+
+??? Question "Which security measures are deployed? How is data encrypted (if exists)?"
+
+    The default installation requires a HTTPS terminating reverse proxy server
+    from user to the DTaaS software installation. The administrators of DTaaS
+    software can also install HTTPS certificates into the application.
+    The codebase can generate HTTPS application and the users also have
+    the option of installing their own certificates obtained from
+    certification agencies such as LetsEncrypt.
+
+??? Question "What security measures does your cloud provider offer?"
+
+    The current installation of DTaaS software runs on Aarhus University
+    servers. The university network offers firewall access control to servers
+    so that only permitted user groups have access to the network and
+    physical access to the server.
+
+??? Question "How is user access controlled and authenticated?"
+
+    There is a two-level authentication mechanism in place in each default
+    installation of DTaaS. The first-level is HTTP basic authentication
+    over secure HTTPS connection. The second-level is the OAuth PKCE
+    authentication flow for each user. The OAuth authentication is provider
+    by a Gitlab instance. The DTaaS does not store the account and
+    authentication information of users.
+
+??? Question "Does you platform manage personal data? How is data classified and tagged based on the sensitivity? Who has access to the critical data?"
+
+    The platform does not store personal data of users.
+
+??? Question "How are identities and roles managed within the platform?"
+
+    There are two roles for users on the platform. One is the administrator
+    and the other one is user. The user roles are managed by the administrator.
+
 <!-- markdownlint-enable MD046 -->