In this post I want to walk through the steps to install Rancid on CentOS 7 minimal. Rancid is a great tool for monitoring device configurations for changes. It also keeps a history of them in CVS (Concurrent Versions System), so you can go back and compare versions or revert to a previous configuration. Rancid supports hardware from Cisco, HP, Dell, Juniper and more. It is all open source, so you can create custom scripts or add commands to make this a repository that really fits your company. Several things are required during the install; I have tried to make this as simple as possible, but it is not just type-and-watch-it-install. You have to customize some of the scripts to make Rancid work like it should. Read it through and follow along.
I'm assuming that you already have CentOS 7 minimal installed, with a connection to the internet, and only the root account with a password. You can pick up the latest CentOS at http://www.centos.org/
Log in as root and update the system, accepting any updates, before we do anything else:
```
yum update
```
Now install all the prerequisites that Rancid and ViewVC need, plus some tools we'll want for troubleshooting (if needed):
```
yum install nano wget ftp telnet mariadb-server mariadb perl tcl expect gcc cvs rcs httpd autoconf php-common php-gd php-pear php-pecl-memcache php-mysql php-xml mod_ssl MySQL-python
```
Since we installed Apache we need to open the firewall for HTTP (and HTTPS if we want it; given what ViewVC will be serving, you will want it). Allow HTTP:
```
firewall-cmd --permanent --zone=public --add-service=http
```
Allow HTTPS:
```
firewall-cmd --permanent --zone=public --add-service=https
```
Reload the firewall to apply the changes:
```
firewall-cmd --reload
```
Enable Apache to start on boot and start it for the first time:
```
systemctl enable httpd.service
systemctl start httpd.service
```
Once Apache is running you should see the Apache test page when you browse to your server's IP address. Next, add a group for the rancid user:
```
groupadd netadm
```
Now create a user called rancid in the netadm group we just created, with its home directory at /home/rancid:
```
useradd -g netadm -c "Networking Backups" -d /home/rancid rancid
```
Let's be a little organized and create a directory for all of our installation files, then change into it:
```
mkdir /home/rancid/tar
cd /home/rancid/tar/
```
Download the latest version of Rancid, which at the time of this writing is 3.1 (rancid-3.1.tar.gz), into this folder and extract the tarball:
```
tar -zxvf rancid-3.1.tar.gz
```
Move into the rancid-3.1 folder:
```
cd rancid-3.1
```
Run configure so Rancid is set up to build and install under /usr/local/rancid:
```
./configure --prefix=/usr/local/rancid
```
After the output finishes, build and install:
```
make install
```
Now copy the sample login configuration into the rancid user's home and set the ownership and permissions. .cloginrc is where the device login credentials will live, in cleartext, so it must not be readable by anyone else: clogin refuses to run if the file is world-readable or world-writable, and 0600 is fine too if nobody else in netadm needs it.
```
cp cloginrc.sample /home/rancid/.cloginrc
chmod 0640 /home/rancid/.cloginrc
chown rancid:netadm /home/rancid/.cloginrc
chown -R rancid:netadm /usr/local/rancid/
chmod 775 /usr/local/rancid/
```
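Because .cloginrc is the one file on this box that holds device passwords in cleartext, here is a check worth running after the copy. It is an added example (my code, not part of the original post or of Rancid): a shell function that applies the rule clogin itself enforces, refusing a file with any permission bit set for "other", and in addition refuses a file not owned by the expected user and warns when the group can read it. The function name, the owner parameter and the messages are mine; it relies on GNU stat, which CentOS provides.

```shell
#!/bin/sh
# Added example, not from the original post or from Rancid.
# cloginrc_check FILE [OWNER]
#   Returns 0 if FILE exists, is owned by OWNER (default: rancid) and has
#   no permission bits set for "other" (the same mode & 007 test clogin
#   applies before it will read a password file).  Returns 1 and prints
#   the reason otherwise.  A group-accessible file is accepted, because
#   clogin accepts it, but a warning is printed since the file holds
#   cleartext device passwords.
cloginrc_check() {
    file=$1
    owner=${2:-rancid}
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    mode=$(stat -c '%a' "$file")      # octal mode, e.g. 640 or 2640
    fowner=$(stat -c '%U' "$file")    # owning user name
    # last octal digit = permissions for "other", the one before it = group
    other=$(printf '%s' "$mode" | sed 's/.*\(.\)$/\1/')
    group=$(printf '%s' "$mode" | sed 's/.*\(.\).$/\1/')
    if [ "$other" != 0 ]; then
        echo "refused: $file is world-accessible (mode $mode)"
        return 1
    fi
    if [ "$fowner" != "$owner" ]; then
        echo "refused: $file is owned by $fowner, expected $owner"
        return 1
    fi
    if [ "$group" != 0 ]; then
        echo "warning: $file is group-accessible (mode $mode); use chmod 0600 unless the group needs it"
    fi
    return 0
}
```

Run it as `cloginrc_check /home/rancid/.cloginrc` after the chmod/chown above; with the 0640 mode from the post it passes with a warning, and anything that clogin would refuse is reported before you find out from a failed backup run.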
Next, edit the rancid configuration file and define the device groups. Find "list of rancid groups", uncomment LIST_OF_GROUPS and enter the groups you want, for example Routers and Switches:
```
nano /usr/local/rancid/etc/rancid.conf
...
# list of rancid groups
LIST_OF_GROUPS="Routers Switches"
# more groups...
#LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"
# ...
```
Switch to the rancid user account (note the space after the dash; `su -` gives you a login shell with rancid's environment):
```
su - rancid
```
Run the following; it creates the CVS repository with a module for each group you entered in LIST_OF_GROUPS:
```
/usr/local/rancid/bin/rancid-cvs
No conflicts created by this import
cvs checkout: Updating Routers
Directory /usr/local/rancid/var/CVS/Routers/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/Routers/router.db,v
done
Checking in router.db;
/usr/local/rancid/var/CVS/Routers/router.db,v <-- router.db
initial revision: 1.1
done
No conflicts created by this import
cvs checkout: Updating Switches
Directory /usr/local/rancid/var/CVS/Switches/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/Switches/router.db,v
done
Checking in router.db;
/usr/local/rancid/var/CVS/Switches/router.db,v <-- router.db
initial revision: 1.1
done
[rancid@rancid ~]$
```
After the command finishes, type `exit` to leave the rancid user and return to root, then move back to the tar folder:
```
cd /home/rancid/tar/
```
Next download ViewVC; as of this writing the latest version is 1.1.23 (viewvc-1.1.23.tar.gz). Extract the tarball:
```
tar -zxvf viewvc-1.1.23.tar.gz
```
Move into the ViewVC folder and run the installer, accepting the defaults (it installs to /usr/local/viewvc-1.1.23):
```
cd viewvc-1.1.23
./viewvc-install
```
Now edit the ViewVC configuration file, basically telling ViewVC where the CVS repository is:
```
nano /usr/local/viewvc-1.1.23/viewvc.conf
```
Find the following settings and edit them as shown. The rcs package from yum puts the RCS binaries (co, rlog, ...) in /usr/bin, so that is where rcs_dir should point; with use_rcsparse = 1 ViewVC reads the ,v files itself and mostly does not call them anyway.
```
...
## Example:
##   cvs_roots = cvsroot: /opt/cvs/repos1,
##               anotherroot: /usr/local/cvs/repos2
##
#cvs_roots = cvs:

## svn_roots: Specifies each of the Subversion roots (repositories) on
## your system and assigns names to them.  Each root should be given by
...
## Example:
##   root_parents = /opt/svn: svn,
##                  /opt/cvs: cvs
##
root_parents = /usr/local/rancid/var/CVS : cvs

## default_root: This is the name of the default root.  Valid names
...
## Example:
##   rcs_dir = /usr/bin/
##
rcs_dir = /usr/bin/

## cvsnt: Location of cvsnt program.  ViewVC can use CVSNT (www.cvsnt.org)
...
## use_rcsparse: Use the rcsparse Python module to retrieve CVS
## repository information instead of invoking rcs utilities [EXPERIMENTAL]
##
use_rcsparse = 1
...
```
Copy the ViewVC CGI scripts into Apache's cgi-bin and set their permissions:
```
cp /usr/local/viewvc-1.1.23/bin/cgi/*.cgi /var/www/cgi-bin
chmod +x /var/www/cgi-bin/*.cgi
chown apache:apache /var/www/cgi-bin/*.cgi
```
For this example we use plain HTTP for ViewVC. Keep in mind what ViewVC is going to serve: the running configuration of every device, which typically includes local user passwords, SNMP community strings, TACACS/RADIUS keys and ACLs, and the configuration below allows access to anyone who can reach port 80 without any login. That is acceptable for a lab; for anything else serve it over HTTPS (mod_ssl is already installed) and put Apache authentication in front of the CGI directory, which only requires changes to the Apache configuration. Edit httpd.conf:
```
nano /etc/httpd/conf/httpd.conf
```
I put the following at the bottom of httpd.conf. CentOS 7 ships httpd 2.4, where `Order allow,deny` / `Allow from all` is deprecated compatibility syntax (it still works because mod_access_compat is loaded by default); the 2.4 equivalent is `Require all granted`:
```
# Custom Rancid Config
<VirtualHost *:80>
    DocumentRoot /var/www
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
    ScriptAlias /query /var/www/cgi-bin/query.cgi
    <Directory "/var/www/cgi-bin">
        AllowOverride None
        Options None
        Require all granted
    </Directory>
</VirtualHost>
```
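Since ViewVC will be exposing every device configuration, here is an added example (my code, not from the original post and not Rancid's or ViewVC's own configuration) of what the same vhost looks like when the cleartext port only redirects to HTTPS and the CGI directory sits behind TLS and HTTP Basic authentication. It is a small shell function that prints the configuration so you can redirect it into a file under /etc/httpd/conf.d/, plus a check that the resulting file really has TLS on, an auth requirement, and no unauthenticated `Require all granted` left behind. The hostname, the htpasswd path (/etc/httpd/rancid.htpasswd) and the function names are my choices; the certificate and key paths default to the self-signed pair the CentOS 7 mod_ssl package installs, which you would replace with a real certificate.

```shell
#!/bin/sh
# Added example, not from the original post or from Rancid/ViewVC.
# render_viewvc_vhost HOSTNAME HTPASSWD_FILE [CERT] [KEY]
#   Prints an Apache 2.4 configuration to stdout: a port-80 vhost that only
#   redirects to HTTPS, and a port-443 vhost serving the ViewVC CGIs behind
#   TLS and Basic auth.  CERT/KEY default to the self-signed files that the
#   CentOS 7 mod_ssl package creates (assumption: replace with a real cert).
render_viewvc_vhost() {
    host=$1
    htpasswd=$2
    cert=${3:-/etc/pki/tls/certs/localhost.crt}
    key=${4:-/etc/pki/tls/private/localhost.key}
    cat <<EOF
# ViewVC for Rancid: never serve device configurations over cleartext HTTP
<VirtualHost *:80>
    ServerName ${host}
    Redirect permanent / https://${host}/
</VirtualHost>

<VirtualHost *:443>
    ServerName ${host}
    SSLEngine on
    SSLCertificateFile ${cert}
    SSLCertificateKeyFile ${key}
    DocumentRoot /var/www
    ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
    ScriptAlias /query /var/www/cgi-bin/query.cgi
    <Directory "/var/www/cgi-bin">
        AllowOverride None
        Options None
        AuthType Basic
        AuthName "Rancid configuration archive"
        AuthUserFile ${htpasswd}
        Require valid-user
    </Directory>
</VirtualHost>
EOF
}

# check_vhost FILE
#   Returns 0 only if FILE turns TLS on, requires a valid user, and contains
#   no "Require all granted" (which would reopen the CGI directory to all).
check_vhost() {
    grep -q '^ *SSLEngine on' "$1" &&
    grep -q '^ *Require valid-user' "$1" &&
    ! grep -q 'Require all granted' "$1"
}
```

On the server: `render_viewvc_vhost rancid.example.com /etc/httpd/rancid.htpasswd > /etc/httpd/conf.d/rancid-viewvc.conf`, create the password file with `htpasswd -c /etc/httpd/rancid.htpasswd yourname`, remove the plain-HTTP vhost from httpd.conf so two vhosts don't both answer on port 80, then `apachectl configtest` and `systemctl restart httpd`. Basic auth sends the password on every request, which is exactly why it must only ever be used over TLS.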
We are almost done. ViewVC's commit database (what its query page searches) needs MariaDB, so enable it, start it and run the secure installation. Accept the defaults and set a root password for MariaDB; we are already root, so sudo is not needed.
```
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
```
Go back into MariaDB with the root password you just set and create a ViewVC user:
```
mysql -u root -p
```
Enter the following (replace YourPasswordHere with something else). make-database will create a database named ViewVC, so this account only needs privileges on that one database; a web application's database account should never get ALL PRIVILEGES ON *.* or WITH GRANT OPTION.
```
CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY 'YourPasswordHere';
GRANT ALL PRIVILEGES ON ViewVC.* TO 'VIEWVC'@'localhost';
FLUSH PRIVILEGES;
quit
```
Create the ViewVC database with the username and password you just created (accept the defaults):
```
/usr/local/viewvc-1.1.23/bin/make-database
MySQL Hostname (leave blank for default):
MySQL Port (leave blank for default):
MySQL User: VIEWVC
MySQL Password: YourPasswordHere
ViewVC Database Name [default: ViewVC]:
Database created successfully.
Don't forget to configure the [cvsdb] section of your viewvc.conf file.
```
Go back into MariaDB (MySQL) with the root password:
```
mysql -u root -p
```
Create a read-only account for ViewVC (replace YourROPasswordHere with something else). SELECT on the ViewVC database is all it needs; do not add WITH GRANT OPTION to a read-only account, as that would let it hand out privileges.
```
CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY 'YourROPasswordHere';
GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost';
FLUSH PRIVILEGES;
quit
```
Now put the user names and passwords we created in MySQL into the ViewVC configuration file:
```
nano /usr/local/viewvc-1.1.23/viewvc.conf
```
Find the [cvsdb] section and change it to something like this (uncomment each setting and fill in the values). Since viewvc.conf now contains database passwords, restrict it to root and the apache user that runs the CGI: `chown root:apache /usr/local/viewvc-1.1.23/viewvc.conf && chmod 640 /usr/local/viewvc-1.1.23/viewvc.conf`.
```
##---------------------------------------------------------------------------
[cvsdb]

## enabled: Enable database integration feature.
##
enabled = 1

## host: Database hostname.  Leave unset to use a local Unix socket
## connection.
##
host = localhost

## port: Database listening port.
##
port = 3306

## database_name: ViewVC database name.
##
database_name = ViewVC

## user: Username of user with read/write privileges to the database
## specified by the 'database_name' configuration option.
##
user = VIEWVC

## passwd: Password of user with read/write privileges to the database
## specified by the 'database_name' configuration option.
##
passwd = YourPasswordHere

## readonly_user: Username of user with read privileges to the database
## specified by the 'database_name' configuration option.
##
readonly_user = VIEWVCRO

## readonly_passwd: Password of user with read privileges to the database
## specified by the 'database_name' configuration option.
##
readonly_passwd = YourROPasswordHere
```
Run the following to populate the commit database from the repository:
```
/usr/local/viewvc-1.1.23/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/
```
Reboot the server (or just `systemctl restart httpd`, which is all that is needed to pick up the new Apache configuration). Once it is back up you should be able to view the repository at http://rancid-server-ip/viewvc
If you see the groups we created, we're looking good so far. To finish the installation we need to set up Rancid to send email. Usually you have to add the Rancid host to the allowed senders list on your mail infrastructure. Rancid sends its mail to aliases, so we need to edit the aliases file:
```
nano /etc/aliases
```
Depending on your infrastructure you might have different teams for the different equipment Rancid is monitoring, or you might be a one-man shop; either way you can specify it here. In this example I'm using only one email address and created a new alias called rancid; all of this goes at the bottom of the aliases file.
```
# Custom Rancid Configuration (Put an Email Here)
rancid: emailaddress@goeshere.com

# Custom Rancid Configuration
rancid-admin-Routers: rancid
rancid-Routers: rancid
rancid-admin-Switches: rancid
rancid-Switches: rancid
```
Depending on what you put in LIST_OF_GROUPS in the rancid configuration file you will have more or fewer of these (in this example just Routers and Switches). Rancid mails configuration diffs to rancid-GROUP and problems such as login failures to rancid-admin-GROUP, so every group needs both aliases or Rancid won't be able to send mail for it. Once you are done editing, rebuild the aliases database so the system knows about the new aliases:
```
newaliases
```
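To keep the group-to-alias mapping mechanical instead of hand-typed, here is an added example (my code, not part of the original post or of Rancid) of three small shell functions: one reads LIST_OF_GROUPS out of rancid.conf, one prints the alias lines every group needs, and one checks an existing aliases file and lists the aliases still missing. The function names and the sample aliases excerpt used in the test are mine; the rancid-GROUP / rancid-admin-GROUP naming is what Rancid itself expects.

```shell
#!/bin/sh
# Added example, not from the original post or from Rancid.

# groups_from_rancid_conf RANCID_CONF
#   Prints the group names from every uncommented LIST_OF_GROUPS="..." line
#   in rancid.conf, one space-separated list.  The $LIST_OF_GROUPS token that
#   rancid.conf uses to append to an earlier line is dropped, since each
#   line's own names are collected anyway.  The file is parsed, not sourced,
#   because rancid.conf also sets and exports PATH.
groups_from_rancid_conf() {
    # shellcheck disable=SC2046
    set -- $(sed -n 's/^LIST_OF_GROUPS="\(.*\)"/\1/p' "$1" | sed 's/\$LIST_OF_GROUPS//g')
    echo "$*"
}

# rancid_aliases "GROUP ..." [TARGET]
#   Prints the two alias lines Rancid needs per group, all delivering to
#   TARGET (default: the local "rancid" alias).
rancid_aliases() {
    target=${2:-rancid}
    for g in $1; do
        printf 'rancid-admin-%s: %s\n' "$g" "$target"
        printf 'rancid-%s: %s\n' "$g" "$target"
    done
}

# missing_rancid_aliases "GROUP ..." ALIASES_FILE
#   Prints each required alias name that ALIASES_FILE does not define.
#   Returns 0 when nothing is missing, 1 otherwise.
missing_rancid_aliases() {
    rc=0
    for g in $1; do
        for name in "rancid-admin-$g" "rancid-$g"; do
            # an alias definition is "name:" at the start of a line
            if ! grep -q "^[[:space:]]*$name[[:space:]]*:" "$2"; then
                echo "$name"
                rc=1
            fi
        done
    done
    return $rc
}
```

On the server, `missing_rancid_aliases "$(groups_from_rancid_conf /usr/local/rancid/etc/rancid.conf)" /etc/aliases` prints anything you forgot, and `rancid_aliases "$(groups_from_rancid_conf /usr/local/rancid/etc/rancid.conf)" >> /etc/aliases` followed by `newaliases` adds the whole set at once whenever you add a group.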
In this example postfix is already installed (it is the default MTA on CentOS 7), so we just need to edit its configuration file:
```
nano /etc/postfix/main.cf
```
Find relayhost and set exactly one value: the domain name (if it has MX records), the FQDN, or the IP address of your mail system. Postfix takes the last relayhost line it reads, so leave the alternatives commented out:
```
relayhost = email.mycompanydomain.com
#relayhost = mycompanydomain.com
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
```
Start postfix and enable it on boot:
```
systemctl start postfix
systemctl enable postfix
```
Finished! We have installed Rancid and made some helpful tweaks along the way: a web front end for viewing the configurations instead of the CLI, and email so Rancid tells us when anything changes or when it has trouble connecting to a device. I'll put the brakes on here; in the next post we will go over how to customize Rancid to log into devices and grab configurations.