Sunday, February 14, 2016

Install Rancid and ViewVC on CentOS 7

In this post I want to walk through the steps to install Rancid on CentOS 7 minimal. Rancid is a great tool for monitoring device configurations for changes. It also keeps track of them by using CVS (Concurrent Versions System) for backups, so you can go back and compare versions or revert to a previous configuration. Rancid supports hardware from multiple vendors, including Cisco, HP, Dell, Juniper and more. This is all open source, so you can create custom scripts or add commands to really make this a personal repository that fits your company. Several things are required when we install Rancid. I have tried to make this as simple as possible, but it’s not just a type-and-watch-it-install process: you have to customize some of the scripts to make Rancid work like it should. Read it through and follow along.
So I’m already assuming that you have CentOS 7 minimal installed, with connection to the internet, and have just the root account with a password. You can pick up the latest CentOS at http://www.centos.org/
Log in as the root account and let’s update the system, accepting any updates, before we do anything else.
yum update
We now need to install all the prerequisites for Rancid, plus some other tools we’ll want for troubleshooting (if needed).
yum install nano wget ftp telnet mariadb-server mariadb perl tcl expect gcc cvs rcs httpd autoconf php-common php-gd php-pear php-pecl-memcache php-mysql php-xml mod_ssl MySQL-python
Since we installed Apache, we will want to change the firewall rules on our system to allow HTTP (and HTTPS if we want it).
Allow HTTP:
firewall-cmd --permanent --zone=public --add-service=http
Allow HTTPS:
firewall-cmd --permanent --zone=public --add-service=https
Reload the firewall to apply the changes:
firewall-cmd --reload
Enable the Apache service to start on boot and let’s start it up for the first time.
systemctl enable httpd.service
systemctl start httpd.service
After you enable Apache you should see a sample webpage from Apache when you browse to your server’s IP address with a browser. We now need to add a group for the rancid user.
groupadd netadm
Next we will create a user called rancid and put this user in the group we just created, netadm. We will also set the home directory for this rancid user.
useradd -g netadm -c "Networking Backups" -d /home/rancid rancid
Let’s be a little organized and create a directory to hold all of our installation files. Once it is created, we will change into that tar folder.
mkdir /home/rancid/tar
Move to the tar folder
cd /home/rancid/tar/
We will download the latest version of Rancid, which at the time of this writing is 3.1.
Extract the tarball we just downloaded:
tar -zxvf rancid-3.1.tar.gz
Move into the rancid-3.1 folder:
cd rancid-3.1
Run the following and press Enter. This gets Rancid ready for install.
./configure --prefix=/usr/local/rancid
After the output finishes, run the install.
make install
Now let’s copy the sample login file and modify some permissions.
cp cloginrc.sample /home/rancid/.cloginrc
chmod 0640 /home/rancid/.cloginrc
chown -R rancid:netadm /home/rancid/.cloginrc
chown -R rancid:netadm /usr/local/rancid/
chmod 775 /usr/local/rancid/
We have to edit the rancid configuration file and put our devices in groups. Find “list of rancid groups” and uncomment the LIST_OF_GROUPS line below it. Type in the groups you would like, for example Routers and Switches.
nano /usr/local/rancid/etc/rancid.conf
...
# list of rancid groups
LIST_OF_GROUPS="Routers Switches"
# more groups...
#LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"
#
...
Switch to the Rancid user account
su - rancid
Run the following. This creates a CVS repository for each of the groups you just entered in LIST_OF_GROUPS.
/usr/local/rancid/bin/rancid-cvs
 
No conflicts created by this import
 
cvs checkout: Updating Routers
Directory /usr/local/rancid/var/CVS/Routers/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/Routers/router.db,v
done
Checking in router.db;
/usr/local/rancid/var/CVS/Routers/router.db,v  <--  router.db
initial revision: 1.1
done
 
No conflicts created by this import
 
cvs checkout: Updating Switches
Directory /usr/local/rancid/var/CVS/Switches/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/Switches/router.db,v
done
Checking in router.db;
/usr/local/rancid/var/CVS/Switches/router.db,v  <--  router.db
initial revision: 1.1
done
[rancid@rancid ~]$
After the command runs, log out of the rancid user and go back to root. Move back to the tar folder.
cd /home/rancid/tar/
Next we will want to download ViewVC; as of this writing the latest version is 1.1.23.
Extract the tarball:
tar -zxvf viewvc-1.1.23.tar.gz
Move to the ViewVC folder and run the installer, accepting the defaults.
cd viewvc-1.1.23
./viewvc-install
We now need to modify the ViewVC configuration file, basically telling ViewVC where the CVS repo is.
nano /usr/local/viewvc-1.1.23/viewvc.conf
Find the following and edit as shown below:
...
## Example:
## cvs_roots = cvsroot: /opt/cvs/repos1,
##             anotherroot: /usr/local/cvs/repos2
##
#cvs_roots = cvs:
 
## svn_roots: Specifies each of the Subversion roots (repositories) on
## your system and assigns names to them. Each root should be given by
...
## Example:
## root_parents = /opt/svn: svn,
##                /opt/cvs: cvs
##
root_parents = /usr/local/rancid/var/CVS : cvs
 
## default_root: This is the name of the default root.  Valid names
...
## Example:
## rcs_dir = /usr/bin/
##
rcs_dir = /usr/local/bin
 
## cvsnt: Location of cvsnt program.  ViewVC can use CVSNT (www.cvsnt.org)
...
## use_rcsparse: Use the rcsparse Python module to retrieve CVS
## repository information instead of invoking rcs utilities [EXPERIMENTAL]
##
use_rcsparse = 1
...
We need to copy some files and change permissions for ViewVC.
cp /usr/local/viewvc-1.1.23/bin/cgi/*.cgi /var/www/cgi-bin
chmod +x /var/www/cgi-bin/*.cgi
chown apache:apache /var/www/cgi-bin/*.cgi
For this example we will use HTTP for ViewVC, although you could use HTTPS. Either way we have to modify the Apache configuration file (httpd.conf).
nano /etc/httpd/conf/httpd.conf
I put the following at the bottom of the httpd.conf file:
# Custom Rancid Config
<VirtualHost *:80>
        DocumentRoot /var/www
        ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
        ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
        ScriptAlias /query /var/www/cgi-bin/query.cgi
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
</VirtualHost>
We are almost done. We now need to turn on MariaDB, which ViewVC uses, and run the secure installation. (Accept all defaults and type in a root password for MariaDB.)
systemctl enable mariadb
systemctl start mariadb
sudo mysql_secure_installation
Go back into MariaDB, logging in with the root password you just created, and create a ViewVC user.
mysql -u root -p
Enter the following (replace YourPasswordHere with something else):
CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY 'YourPasswordHere';
GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit
Make the ViewVC Database with the username and password you just created. (Accept the defaults)
/usr/local/viewvc-1.1.23/bin/make-database
MySQL Hostname (leave blank for default):
MySQL Port (leave blank for default):
MySQL User: VIEWVC
MySQL Password: YourPasswordHere
ViewVC Database Name [default: ViewVC]:
 
Database created successfully.  Don't forget to configure the
[cvsdb] section of your viewvc.conf file.
Go back to MariaDB (MySQL) with the root password
mysql -u root -p
Create a read-only account for ViewVC on the MySQL database. (Replace YourROPasswordHere with something else.)
CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY 'YourROPasswordHere';
GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit
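The two GRANT statements above give the read/write account every privilege on every database and let both accounts pass their privileges on, and both passwords end up in cleartext in viewvc.conf. The script below is an added example, not part of the original post: it flags those two conditions in SHOW GRANTS output. The sample lines are constructed and audit_grants is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: flag over-broad MariaDB grants in SHOW GRANTS output.
# On a live server, feed it real output, e.g.:
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'VIEWVC'@'localhost'" | audit_grants

# Constructed sample of what SHOW GRANTS would print for the two accounts
# created above (password hashes replaced by a placeholder).
SAMPLE_GRANTS="GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' IDENTIFIED BY PASSWORD '<hash>' WITH GRANT OPTION
GRANT USAGE ON *.* TO 'VIEWVCRO'@'localhost' IDENTIFIED BY PASSWORD '<hash>'
GRANT SELECT ON \`ViewVC\`.* TO 'VIEWVCRO'@'localhost' WITH GRANT OPTION"

# audit_grants (hypothetical helper): read SHOW GRANTS lines on stdin and
# print one "FINDING account" line per problem found.
audit_grants() (
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Pull out the 'user'@'host' the grant applies to.
        acct=$(printf '%s\n' "$line" |
               sed -n "s/.* TO \('[^']*'@'[^']*'\).*/\1/p")
        case "$line" in
            "GRANT USAGE ON "*) ;;                        # USAGE = no privileges
            *" ON *.* TO "*) echo "GLOBAL_SCOPE $acct" ;; # applies to all databases
        esac
        case "$line" in
            *"WITH GRANT OPTION"*) echo "GRANT_OPTION $acct" ;; # can re-grant to others
        esac
    done
)

printf '%s\n' "$SAMPLE_GRANTS" | audit_grants
```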
We now need to configure the ViewVC configuration file with the user names and passwords that we created in MySQL.
nano /usr/local/viewvc-1.1.23/viewvc.conf
Find cvsdb and change it to something like this:
##---------------------------------------------------------------------------
[cvsdb]
 
## enabled: Enable database integration feature.
##
enabled = 1
 
## host: Database hostname.  Leave unset to use a local Unix socket
## connection.
##
host = localhost
 
## post: Database listening port.
##
port = 3306
 
## database_name: ViewVC database name.
##
database_name = ViewVC
 
## user: Username of user with read/write privileges to the database
## specified by the 'database_name' configuration option.
##
user = VIEWVC
 
## passwd: Password of user with read/write privileges to the database
## specified by the 'database_name' configuration option.
##
passwd = YourPasswordHere
 
## readonly_user: Username of user with read privileges to the database
## specified by the 'database_name' configuration option.
##
readonly_user = VIEWVCRO
 
## readonly_passwd: Password of user with read privileges to the database
## specified by the 'database_name' configuration option.
##
readonly_passwd = YourROPasswordHere
Run the following command to build the Database.
/usr/local/viewvc-1.1.23/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/
Reboot the server. Once it is back online you should be able to view the repository at http://rancid-servicer-ip/viewvc
Screenshot of ViewVC using Rancid
If you see the groups that we created, we are looking good so far. To finish this installation off we need to set up Rancid to send emails. Usually you have to add the Rancid server to the allowed senders list on your email infrastructure. Rancid uses aliases to send emails, so we need to edit the aliases file.
nano /etc/aliases
Depending on your infrastructure, you might have different teams of people for the different equipment that Rancid is monitoring, or you might be running a one-man shop; either way you can specify who receives the mail. In this example I’m using only one email address and created a new alias called rancid; all of this goes at the bottom of the aliases file.
# Custom Rancid Configuration (Put an Email Here)
rancid:         emailaddress@goeshere.com
 
# Custom Rancid Configuration
rancid-admin-Routers: rancid
rancid-Routers: rancid
rancid-admin-Switches: rancid
rancid-Switches: rancid
Depending on what you created in your List of Groups in the rancid configuration file you might have more or fewer. (In this example we just created Routers and Switches.) We must specify these in the aliases file, otherwise Rancid won’t send emails for these groups. Once we are done editing, we want to let our Rancid box know about the new aliases we just created. Type in the following command to update.
newaliases
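The requirement above, that every group in LIST_OF_GROUPS has both a rancid-<group> and a rancid-admin-<group> alias, can be checked mechanically so that a newly added group does not silently lose its change notifications. This is an added example, not part of the original post; the helper names and the Firewalls group are made up for the demonstration, and both sample files are constructed.

```sh
#!/bin/sh
# Added example: report rancid groups that have no mail aliases.

# list_groups CONF: print the final value of LIST_OF_GROUPS, following
# "$LIST_OF_GROUPS more" append lines. Assumes double-quoted values.
list_groups() {
    awk '/^[ \t]*LIST_OF_GROUPS=/ {
             split($0, q, "\"")
             v = q[2]
             gsub(/\$LIST_OF_GROUPS/, groups, v)
             groups = v
         }
         END { print groups }' "$1"
}

# missing_aliases CONF ALIASES: print each required alias that ALIASES lacks.
missing_aliases() (
    for g in $(list_groups "$1"); do
        for name in "rancid-$g" "rancid-admin-$g"; do
            # Postfix folds alias names to lowercase, so match case-insensitively.
            grep -qi "^${name}[[:space:]]*:" "$2" || echo "$name"
        done
    done
)

# Constructed sample files: three groups configured, aliases for only two.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/rancid.conf" <<'EOF'
# list of rancid groups
LIST_OF_GROUPS="Routers Switches"
# more groups...
LIST_OF_GROUPS="$LIST_OF_GROUPS Firewalls"
#LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"
EOF
cat > "$demo_dir/aliases" <<'EOF'
rancid:         emailaddress@goeshere.com
rancid-admin-Routers: rancid
rancid-Routers: rancid
rancid-admin-Switches: rancid
rancid-Switches: rancid
EOF
missing_aliases "$demo_dir/rancid.conf" "$demo_dir/aliases"
```

On the server built in this post the real inputs would be /usr/local/rancid/etc/rancid.conf and /etc/aliases.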
In this example postfix is already installed so we just need to edit the postfix configuration file.
nano /etc/postfix/main.cf
Find and uncomment “relayhost” and type either the domain name (if you have MX records), the FQDN, or the IP address of your email system.
relayhost =  mycompanydomain.com
relayhost = email.mycompanydomain.com
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
Start up Postfix and enable it on boot:
systemctl start postfix
systemctl enable postfix
Finished! We have just installed Rancid and made some helpful tweaks, like getting a web front end to view the configurations instead of using the CLI, as well as setting up Rancid to email us if anything changes or if there are issues connecting to any equipment. I’ll put the brakes on here, and in the next post we will go over how to customize Rancid to log into devices and grab configurations.
