System Engineering & Cloud: Install Rancid and ViewVC on Centos 7

In this post I want to walk though the steps to install Rancid on CentOS 7 minimal. Rancid is a great tool to help monitor a device configuration for any changes. It also keeps track of them by using CVS (Concurrent Version System) for backups, so you can go back and compare versions or revert to a previous configuration. Rancid supports multiple hardware from Cisco, HP, Dell, Juniper and more. This is all open-source so you can create custom scripts or add commands to really make this a personal repository that fits your company. During this install guide several things are required when we install Rancid, I have tired to make this as simple as possible but its not just a type and watch it install. You have to customize some of the scripts to make Rancid work like it should. Read it though and follow along.

So I’m already assuming that you have CentOS 7 minimal installed, with connection to the internet, and have just the root account with a password. You can pick up the latest CentOS at http://www.centos.org/

yum update

We now need to install all the prerequisites needed for Rancid and some other tools we’ll need for troubleshooting (if needed)

yum install nano wget ftp telnet mariadb-server mariadb perl tcl expect gcc cvs rcs httpd autoconf php-common php-gd php-pear php-pecl-memcache php-mysql php-xml mod_ssl MySQL-python

Since we installed Apache we will want to change the firewall rules on our system to allow HTTP and (HTTPS if we want it)

Allow HTTP:

firewall-cmd --permanent --zone=public --add-service=http

Allow HTTPS:

firewall-cmd --permanent --zone=public --add-service=https

Reload the Firewall to save changes

firewall-cmd --reload

Enable the Apache service to start on bootup and let’s start it up for the first time.

systemctl enable httpd.service

systemctl start httpd.service

After you enable Apache you should see a sample webpage from Apache when you browse to your server’s IP address with a browser. We now need to add a group for the rancid user.

groupadd netadm

Next we will create a user called rancid and put this user under the group we just created which is netadm. We will also put in the home directory for this rancid user.

useradd -g netadm -c "Networking Backups" -d /home/rancid rancid

Let’s be a little organized and create a directory to put all of our installation files. Once created let’s change directories to that tar folder we just created.

mkdir /home/rancid/tar

Move to the tar folder

cd /home/rancid/tar/

We will download the latest version of Rancid which at the time of this writing is 3.1

1	`wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.1.tar.gz`

Extract the tar ball we just downloaded:

tar -zxvf rancid-3.1.tar.gz

Move into the rancid-3.1 folder:

cd rancid-3.1

Run/type in the following followed by enter. This get’s Rancid ready for install.

./configure --prefix=/usr/local/rancid

After all of the output clears run the install.

make install

Now let’s copy and modify some permissions

cp cloginrc.sample /home/rancid/.cloginrc

chmod 0640 /home/rancid/.cloginrc

chown -R rancid:netadm /home/rancid/.cloginrc

chown -R rancid:netadm /usr/local/rancid/

chmod 775 /usr/local/rancid/

We have to edit the rancid configuration file and put our devices in groups. Find “list of rancid groups” and uncomment it. Type in the groups you would like, for example (Routers Switches)

nano /usr/local/rancid/etc/rancid.conf

...

# list of rancid groups

LIST_OF_GROUPS="Routers Switches"

# more groups...

#LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"

#

...

Switch to the Rancid user account

su -rancid

Run the following, this creates a CVS Repository with the groups you just entered in the List of Groups.

/usr/local/rancid/bin/rancid-cvs

No conflicts created by this import

cvs checkout: Updating Routers

Directory /usr/local/rancid/var/CVS/Routers/configs added to the repository

cvs commit: Examining configs

cvs add: scheduling file `router.db' for addition

cvs add: use 'cvs commit' to add this file permanently

RCS file: /usr/local/rancid/var/CVS/Routers/router.db,v

done

Checking in router.db;

/usr/local/rancid/var/CVS/Routers/router.db,v  &amp;amp;lt;--  router.db

initial revision: 1.1

done

No conflicts created by this import

cvs checkout: Updating Switches

Directory /usr/local/rancid/var/CVS/Switches/configs added to the repository

cvs commit: Examining configs

cvs add: scheduling file `router.db' for addition

cvs add: use 'cvs commit' to add this file permanently

RCS file: /usr/local/rancid/var/CVS/Switches/router.db,v

done

Checking in router.db;

/usr/local/rancid/var/CVS/Switches/router.db,v  &amp;amp;lt;--  router.db

initial revision: 1.1

done

[rancid@rancid ~]$

After the command runs logout of Rancid user and go back to root. Move back to TAR folder.

cd /home/rancid/tar/

Next we will want to download ViewVC and as of this writing the latest the version is 1.1.23.

1	`wget http://viewvc.tigris.org/files/documents/3330/49392/viewvc-1.1.23.tar.gz`

Extract the tarball

tar -zxvf viewvc-1.1.23.tar.gz

Move to the ViewVC folder and run the installer, accept the defaults.

cd viewvc-1.1.23

./viewvc-install

We now need to modify the ViewVC configuration file, basically telling ViewVC where the CVS repo is.

nano /usr/local/viewvc-1.1.23/viewvc.conf

Find the following and edit as shown below:

...

## Example:

## cvs_roots = cvsroot: /opt/cvs/repos1,

##             anotherroot: /usr/local/cvs/repos2

##

#cvs_roots = cvs:

## svn_roots: Specifies each of the Subversion roots (repositories) on

## your system and assigns names to them. Each root should be given by

...

## Example:

## root_parents = /opt/svn: svn,

##                /opt/cvs: cvs

##

root_parents = /usr/local/rancid/var/CVS : cvs

## default_root: This is the name of the default root.  Valid names

...

## Example:

## rcs_dir = /usr/bin/

##

rcs_dir = /usr/local/bin

## cvsnt: Location of cvsnt program.  ViewVC can use CVSNT (www.cvsnt.org)

...

## use_rcsparse: Use the rcsparse Python module to retrieve CVS

## repository information instead of invoking rcs utilities [EXPERIMENTAL]

##

use_rcsparse = 1

...

We need to copy some files and change permissions for ViewVC.

cp /usr/local/viewvc-1.1.23/bin/cgi/*.cgi /var/www/cgi-bin

chmod +x /var/www/cgi-bin/*.cgi

chown apache:apache /var/www/cgi-bin/*.cgi

For this example we will use HTTP for ViewVC, although you could use HTTPS just have to modify the Apache (HTTPD file)

nano /etc/httpd/conf/httpd.conf

I put the following at the bottom of the HTTPD file

# Custom Rancid Config

<VirtualHost *:80>

        DocumentRoot /var/www

        ScriptAlias /cgi-bin/ "/var/www/cgi-bin"

        ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi

        ScriptAlias /query /var/www/cgi-bin/query.cgi

<Directory "/var/www/cgi-bin">

    AllowOverride None

    Options None

    Order allow,deny

    Allow from all

</Directory>

</VirtualHost>

We are almost done, we now need to turn on Mariadb which ViewVC uses, and start up the secure installation. (Accept all defaults and type in a root password for MariaDB.

systemctl enable mariadb

systemctl start mariadb

sudo mysql_secure_installation

Go back into MariaDB and create a ViewVC user and use the password you just created.

mysql -u root -p

Enter the following: (Replace YourPassowrdHere with something else)

CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY 'YourPasswordHere';

GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' WITH GRANT OPTION;

FLUSH PRIVILEGES;

quit

Make the ViewVC Database with the username and password you just created. (Accept the defaults)

/usr/local/viewvc-1.1.23/bin/make-database

MySQL Hostname (leave blank for default):

MySQL Port (leave blank for default):

MySQL User: VIEWVC

MySQL Password: YourPasswordHere

ViewVC Database Name [default: ViewVC]:

Database created successfully.  Don't forget to configure the

[cvsdb] section of your viewvc.conf file.

Go back to MariaDB (MySQL) with the root password

mysql -u root -p

Create a Read-Only account for ViewVC on the MySQL database. (Replace YourROPassowrdHere with something else)

CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY 'YourROPasswordHere';

GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost' WITH GRANT OPTION;

FLUSH PRIVILEGES;

quit

We now need to configure the ViewVC configuration file with the user names and passwords to that we created in MySQL.

nano /usr/local/viewvc-1.1.23/viewvc.conf

Find cvsdb and change it to something like this:

##---------------------------------------------------------------------------

[cvsdb]

## enabled: Enable database integration feature.

##

enabled = 1

## host: Database hostname.  Leave unset to use a local Unix socket

## connection.

##

host = localhost

## post: Database listening port.

##

port = 3306

## database_name: ViewVC database name.

##

database_name = ViewVC

## user: Username of user with read/write privileges to the database

## specified by the 'database_name' configuration option.

##

user = VIEWVC

## passwd: Password of user with read/write privileges to the database

## specified by the 'database_name' configuration option.

##

passwd = YourPasswordHere

## readonly_user: Username of user with read privileges to the database

## specified by the 'database_name' configuration option.

##

readonly_user = VIEWVCRO

## readonly_passwd: Password of user with read privileges to the database

## specified by the 'database_name' configuration option.

##

readonly_passwd = YourROPasswordHere

Run the following command to build the Database.

/usr/local/viewvc-1.1.23/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/

Reboot the server once online you should be able view the Repository at http://rancid-servicer-ip/viewvc

SCREENSHOT OF VIEWVC USING RANCID

If you see the groups that we created we looking good so far. To finish this installation off we need to setup Rancid to send emails. Usually you have to add the Rancid to the allowed senders list on your email infrastructure. Rancid uses aliases to send emails we need to edit the aliases file.

nano /etc/aliases

Depending on your infrastructure you might have different teams of people for different equipment that rancid is monitoring. Or you are running one-man-shop either way you can specify. In this example I’m using only one email address and created a new aliases called Rancid all of this is at the bottom of the aliases file.

# Custom Rancid Configuration (Put an Email Here)

rancid:         emailaddress@goeshere.com

# Custom Rancid Configuration

rancid-admin-Routers: rancid

rancid-Routers: rancid

rancid-admin-Switches: rancid

rancid-Switches: rancid

Depending on what you created in your List of Groups in the rancid configuration file you might have more or less. (In this example we just created Routers and Switches) We must specify these in the aliases file otherwise Rancid wont send emails for these groups. Once we are done editing you want to let our Rancid box know about the new aliases we just created. Type in the following command to update.

newaliases

In this example postfix is already installed so we just need to edit the postfix configuration file.

nano /etc/postfix/main.cf

Find and uncomment “relayhost” and type either the domain name (if you have MX records) the FQDN or IP address of your email system.

relayhost =  mycompanydomain.com

relayhost = email.mycompanydomain.com

#relayhost = [mailserver.isp.tld]

#relayhost = uucphost

#relayhost = [an.ip.add.ress]

Start up posfix and enable it on boot

systemctl start postfix

systemctl enable postfix

Finished! We have just installed Rancid along with made some helpful tweaks like getting an upfront web page to view the configurations instead of CLI as well as setting up Rancid to email us if anything changes or if there are issues with connecting to any equipment. I’ll put the brakes here and in the next post we will go over how to customize rancid to log into devices and grab configurations

System Engineering & Cloud

Sunday, February 14, 2016

Install Rancid and ViewVC on Centos 7

No comments:

About Me