Pré-requis
Un compte de service rancid renseigné dans l’annuaire Active Directory
Un cluster Pacemaker/Corosync avec une ressource DRBD
Les noeuds du cluster sont membres du domaine Active Directory
Un serveur Apache2 sur chaque nœud du cluster
Un serveur TACACS+ sur chaque nœud du cluster
La clé et le certificat du VHost pour CVSWeb ainsi que le certificat de la CA.
Configuration de TACACS+
Renseigner l’utilisateur rancid au sein des serveurs TACACS+ :
vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
#
# Configuration of the main TACACS+ instance: a single "admins" group
# authenticated through PAM, whose members are the interactive accounts and
# the rancid collector account.
# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus.acct
# This is the key that clients have to use to access Tacacs+
# NOTE(review): "abcdefgh" is a sample value. This shared secret protects the
# exchanges between the devices and this server; use a long random value and
# keep this file readable by root only.
key = "abcdefgh"
# Groups
group = admins {
# Services that are not listed explicitly below are permitted for the group.
default service = permit
# Passwords are checked through PAM instead of being stored in this file.
login = PAM
service = exec {
# Exec sessions are granted privilege level 15.
priv-lvl = 15
idletime = 10
}
}
# Users
# NOTE(review): test1 and test2 look like sample accounts; keep only accounts
# that belong to real administrators.
user = test1 {
member = admins
}
user = test2 {
member = admins
}
# NOTE(review): the rancid collector gets the same level-15 exec access as the
# human administrators. If the devices support command authorization, a
# dedicated group limited to the read-only commands the collector issues would
# follow least privilege - to be confirmed against the collection script.
user = rancid {
member = admins
}
# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details
#
# Configuration of the second TACACS+ instance (tac_plus_nortel): same group
# and members as the main instance, but exec sessions get privilege level 6
# and accounting goes to a separate file.
# Define where to log accounting data, this is the default.
accounting file = /var/log/tac_plus_nortel.acct
# This is the key that clients have to use to access Tacacs+
# NOTE(review): "abcdefgh" is a sample value. Use a long random shared secret,
# preferably different from the one of the other instance, and keep this file
# readable by root only.
key = "abcdefgh"
# Groups
group = admins {
# Services that are not listed explicitly below are permitted for the group.
default service = permit
# Passwords are checked through PAM instead of being stored in this file.
login = PAM
service = exec {
# Exec sessions are granted privilege level 6 on this instance.
priv-lvl = 6
idletime = 10
}
}
# Users
# NOTE(review): test1 and test2 look like sample accounts; keep only accounts
# that belong to real administrators.
user = test1 {
member = admins
}
user = test2 {
member = admins
}
# NOTE(review): the rancid collector shares the administrators' group. A
# dedicated group restricted to what the collector needs would follow least
# privilege - to be confirmed against the collection script.
user = rancid {
member = admins
}
# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
Relancer les serveurs TACACS+ :
# /etc/init.d/tacacs_plus reload
# /etc/init.d/tacacs_plus_nortel reload
Installation et configuration de Rancid
Installer Rancid :
# aptitude update && aptitude install rancid
Sauvegarder le fichier de configuration de Rancid :
# cp /etc/rancid/rancid.conf /etc/rancid/rancid.conf.original
Modifier la configuration de Rancid :
# vim /etc/rancid/rancid.conf
# rancid 2.3.3
# This file sets up the environment used for rancid. see rancid.conf(5)
#
# Summary of this site's choices: working tree under /var/lib/rancid, CVS as
# revision-control backend, three device groups (GRP1, GRP2, GRP3); every
# optional filtering and tuning variable is left commented out.
#
# This will be site specific
#
TERM=network;export TERM
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Under BASEDIR (i.e.: --localstatedir), there will be a "logs" directory for
# the logs from rancid and a directory for each group of routers defined in
# LIST_OF_GROUPS (below). In addition to these, there will be a "CVS"
# directory which is the cvs (or Subversion) repository.
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository. Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn". Do not change
# this after CVSROOT has been created with rancid-cvs. Changing between these
# requires manual conversions.
RCSSYS=cvs; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
#
# if NOPIPE is set, temp files will be used instead of a cmd pipe during
# collection from the router(s).
#NOPIPE=YES; export NOPIPE
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL). see rancid.conf(5).
# NOTE(review): left at its default here. The collected configurations are
# committed to CVS and published through CVSWeb, so check the default in
# rancid.conf(5) and confirm that the H3C add-on script honours this variable;
# otherwise password material ends up in the browsable history.
#FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
# NOTE(review): not set here, so SNMP community strings stay in the archived
# configurations. Consider enabling it, given that the repository is exposed
# through a web interface.
#NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up. Minimum: 1
#MAX_ROUNDS=4; export MAX_ROUNDS
#
# How many hours should pass before complaining about routers that
# can not be reached. The value should be greater than the number
# of hours between your rancid-run cron job. Default: 24
#OLDTIME=4; export OLDTIME
#
# How many hours should pass before complaining that a group's collection
# (the age of it's lock file) is hung.
#LOCKTIME=4; export LOCKTIME
#
# The number of devices to collect simultaneously.
#PAR_COUNT=5; export PAR_COUNT
#
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"
# more groups...
LIST_OF_GROUPS="GRP1 GRP2 GRP3"
#
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
# rancid-group: joe,moe@foo
# rancid-admin-group: hostmaster
# be sure to read ../README regarding aliases.
# NOTE(review): the mailed diffs contain fragments of device configurations;
# keep the members of these aliases as restricted as access to the repository.
#
# If your MTA configuration is broken or you want mail to be forwarded to a
# domain not the same as the local one, define that domain here. "@" must be
# included, as this is simply appended to the usual recipients. It is NOT
# appended to recipients specified in rancid-run's -m option.
#MAILDOMAIN="@example.com"; export MAILDOMAIN
#
# By default, rancid mail is marked with precedence "bulk". This may be
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers. Individual headers must be separated
# by a \n.
#MAILHEADERS="Precedence: bulk"; export MAILHEADERS
Sur le noeud actif du cluster, déplacer l’arborescence de travail de Rancid sur le disque DRBD :
# mv /var/lib/rancid /cluster/
# ln -s /cluster/rancid /var/lib/
# rm /var/lib/rancid/logs && ln -s /var/log/rancid /cluster/rancid/logs
Sur le noeud passif du cluster, détruire l’arborescence de travail de Rancid et pointer sur la ressource DRBD :
# rm -rf /var/lib/rancid
# ln -s /cluster/rancid /var/lib/
Remarque : les actions à effectuer sur l’arborescence /var/lib/rancid ne sont à réaliser que sur le noeud actif, sur lequel est montée la ressource DRBD, sous /cluster.
Ajouter un fichier de configuration pour les paramètres de connexion de l’utilisateur rancid sur les équipements :
# vim /var/lib/rancid/.cloginrc
# Login parameters used by the rancid login scripts for the devices.
#
# SSH cipher requested for each switch.
# NOTE(review): aes128-cbc is a legacy CBC-mode cipher, presumably pinned
# because the switches offer nothing newer - confirm, and prefer a CTR or GCM
# cipher wherever the firmware supports one.
add cyphertype sw1.home.local {aes128-cbc}
add cyphertype sw2.home.local {aes128-cbc}
add cyphertype sw3.home.local {aes128-cbc}
add cyphertype sw4.home.local {aes128-cbc}
# No enable step: the session is expected to be privileged right after login.
add noenable * {1}
add autoenable * {1}
# NOTE(review): there is no "add method" line. The stock clogin tries telnet
# before ssh; confirm what the H3C login script does and pin
# "add method * {ssh}" so the password below never crosses the network in
# clear text.
add user * {rancid}
# Cleartext device password (masked in this listing), presumably the directory
# password of the rancid service account since TACACS+ authenticates through
# PAM. The file sits on the replicated /cluster volume through the
# /var/lib/rancid symlink and must stay owner-only (mode 600).
add password * {-----------}
# chmod 600 /var/lib/rancid/.cloginrc && chown rancid:rancid /var/lib/rancid/.cloginrc
Récupérer les add-ons H3C pour Rancid (h3clogin et h3crancid) et les placer sous /var/lib/rancid/bin/ (penser à vérifier l’interpréteur renseigné dans l’en-tête de ces scripts) :
# chown root:root /var/lib/rancid/bin/h3c*
Renseigner le modèle H3C dans Rancid :
# vim /var/lib/rancid/bin/rancid-fe
Créer l’arborescence CVS et les fichiers de configuration associés aux groupes renseignés dans Rancid :
# usermod -s /bin/bash rancid
# su - rancid
$ /var/lib/rancid/bin/rancid-cvs
Compléter la liste des équipements pour chacun des groupes :
$ vim /var/lib/rancid/GRP1/router.db
#hostname:os:status
sw1.home.local:h3c:up
sw2.home.local:h3c:up
$ vim /var/lib/rancid/GRP2/router.db
#hostname:os:status
sw3.home.local:h3c:up
$ vim /var/lib/rancid/GRP3/router.db
#hostname:os:status
sw4.home.local:h3c:up
Lancer une première collecte de la configuration des équipements :
$ /var/lib/rancid/bin/rancid-run
Installation et configuration de CVSWeb
Installer CVSWeb :
# aptitude install cvsweb
Sauvegarder la configuration de CVSWeb :
# cp /etc/cvsweb/cvsweb.conf /etc/cvsweb/cvsweb.conf.original
Modifier la configuration de CVSWeb :
# vim /etc/cvsweb/cvsweb.conf
# -*- perl -*-
# Configuration of cvsweb.cgi, a web interface to CVS repositories.
#
# (c) 1998-1999 H. Zeller <zeller@think.de>
# 1999 H. Nordstrom <hno@hem.passagen.se>
# 2000-2002 A. MUSHA <knu@FreeBSD.org>
# 2002-2005 V. Skyttä <scop@FreeBSD.org>
# based on work by Bill Fenner <fenner@FreeBSD.org>
#
# $FreeBSD: projects/cvsweb/cvsweb.conf,v 1.97 2005/06/19 09:13:50 scop Exp $
# $Id: cvsweb.conf,v 1.29 2001/07/23 09:14:52 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.conf,v 1.27 2001/08/01 09:48:39 knu Exp $
#
#
# Unless otherwise noted, all boolean parameters here default to off
# when no value for them has been explicitly set.
#
# Set the path for the following commands:
# cvs, rlog, rcsdiff
# gzip (if you enable $allow_compress)
# (g)tar, zip (if you enable $allow_tar)
# cvsgraph (if you enable $allow_graph)
# enscript (if you enable $allow_enscript)
#
@command_path = qw(/bin /usr/bin /usr/local/bin);
# Search the above directories for each command (prefer gtar over tar).
#
for (qw(cvs rlog rcsdiff gzip gtar zip cvsgraph enscript)) {
$CMD{$_} = search_path($_);
}
$CMD{tar} = delete($CMD{gtar}) if $CMD{gtar};
$CMD{tar} ||= search_path('tar');
# CVS roots
#
# CVSweb can handle several CVS repositories at once. Enter short (internal)
# symbolic repository names, their names in the UI and the actual locations
# here. The repositories will be listed in the order they're specified here.
#
# Obviously, CVSweb will need read access to these repository dirs. If you
# receive an error that no valid CVS roots were found, double-check the file
# permissions and any other attributes your system may have for the repository
# directories, such as SELinux file contexts.
#
# CVSweb will also load per-cvsroot configuration files if they exist.
# The symbolic_name (see below) of the CVS root will be concatenated into the
# name of the main (this) configuration file along with a hyphen, and that
# file will be loaded for that particular CVS root. For examples, see
# cvsweb.conf-* in the CVSweb distribution.
#
# Note that only local repositories are currently supported. Things like
# :pserver:someone@xyz.com:/data/cvsroot won't work.
#
# 'symbolic_name' => ['Name to display', '/path/to/cvsroot']
#
# Only one repository is published: the Rancid CVS tree, i.e. every collected
# device configuration together with its history.
# NOTE(review): the account running cvsweb.cgi needs read access to this path.
# Grant it through group membership rather than by loosening the permissions
# rancid creates under its umask 027 - confirm on the target system.
@CVSrepositories = (
# 'local' => ['Local Repository', '/var/lib/cvs'],
# 'freebsd' => ['FreeBSD', '/var/ncvs'],
# 'openbsd' => ['OpenBSD', '/var/ncvs'],
# 'netbsd' => ['NetBSD', '/var/ncvs'],
# 'ruby' => ['Ruby', '/var/anoncvs/ruby'],
'Rancid' => ['My Network Devices', '/var/lib/rancid/CVS'],
);
# The default CVS root. Note that @CVSrepositories is list, not a hash,
# so you'll want to use 2 * 0-based-index-number here; or set this directly
# to the default's symbolic name. Unless specified, the first valid one in
# @CVSrepositories is used as the default.
#
# For example:
#
#$cvstreedefault = $CVSrepositories[2 * 0];
#$cvstreedefault = 'local';
# Mirror sites. The keys will be used as link texts, and the values are
# URLs pointing to the corresponding mirrors.
#
#%MIRRORS = (
# 'Other location' => 'http://192.168.0.1/cgi-bin/cvsweb.cgi/',
# 'Yet another one' => 'http://192.168.0.2/cgi-bin/cvsweb.cgi/',
#);
# Bug tracking system linking options ("PR" means Problem Report, as in GNATS)
# This will be done only for views for which $allow_*_extra below is true.
#
#@prcategories = qw(
# advocacy
# alpha
# bin
# conf
# docs
# gnu
# i386
# kern
# misc
# pending
# ports
# sparc
#);
#$prcgi = "http://www.FreeBSD.org/cgi/query-pr.cgi?pr=%s";
#$prkeyword = "PR";
# Manual gateway linking. This will be done only for views for which
# $allow_*_extra below is true.
#
$mancgi =
"http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";
# Defaults for user definable options.
#
%DEFAULTVALUE = (
# sortby: File sort order
# file Sort by filename
# rev Sort by revision number
# date Sort by commit date
# author Sort by author
# log Sort by log message
"sortby" => "file",
# ignorecase: Ignore case in sorts (filenames, authors, log messages)
# 0 Honor case
# 1 Ignore case
"ignorecase" => "0",
# hideattic: Hide or show files in Attic
# 1 Hide files in Attic
# 0 Show files in Attic
"hideattic" => "1",
# logsort: Sort order for CVS logs
# date Sort revisions by date
# rev Sort revision by revision number
# cvs Don't sort them. Same order as CVS/RCS shows them.
"logsort" => "date",
# f: Default diff format
# h Human readable
# u Unified diff
# c Context diff
# s Side by side
# uc Unified diff, enscript colored (falls back to "u" w/o enscript)
# cc Context diff, enscript colored (falls back to "c" w/o enscript)
# sc Side by side, enscript colored (falls back to "s" w/o enscript)
"f" => "u",
# hidecvsroot: Don't show the CVSROOT directory. Note that this is
# just the default for a user settable option (like others in this
# %DEFAULTVALUE hash); it won't really prevent access to CVSROOT.
# See @ForbiddenFiles for that.
# 1 Do not include the top-level CVSROOT directory in dir listings
# 0 Treat the top-level CVSROOT directory just like all other dirs
"hidecvsroot" => "0",
# hidenonreadable: Don't show files and directories that cannot be read
# in directory listings.
# 1 Hide non-readable entries
# 0 Show non-readable entries
"hidenonreadable" => "1",
# ln: Show line numbers in HTMLized views
# 1 Show line numbers
# 0 Don't show line numbers
"ln" => "0",
);
#
# Layout options (see also the included CSS file)
#
# Wanna have a logo on the page ?
#
#$logo = '<p><img src="/icons/apache_pb.gif" alt="Powered by Apache" /></p>';
# The title of the Page on startup. This will be put inside <h1> and <title>
# tags, and HTML escaped.
#
$defaulttitle = "My Network CVS Repository";
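# The address is shown on the footer. This will be put inside a <address> tag.
# The value already contains markup and is presumably emitted unescaped, so
# the literal angle brackets around the mailto link are written as the
# entities &lt; and &gt; instead of raw "<" and ">".
#
$address = '<span style="font-size: smaller">My Network CVS &lt;<a href="mailto:network-cvs@home.local">network-cvs@home.local</a>&gt;</span>';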
$long_intro = <<EOT;
<p>Dépôt CVS pour l'archivage des configuration des équipements
actifs de mon réseau.
</p>
EOT
$short_instruction = <<EOT;
<p>
Click on a directory to enter that directory. Click on a file to display
its revision history and to get a chance to display diffs between revisions.
</p>
EOT
# Icons for the web UI. If ICON-URL is empty, the TEXT representation is
# used. If you do not want to have a tool tip for an icon, set TEXT empty.
# The width and height of the icon allow the browser to correctly display
# the table while still loading the icons. If these icons are too large,
# check out the "mini" versions in the icons/ directory; they have a
# width/height of 16/16.
#
my $iconsdir = '/cvsweb/icons';
# format: TEXT ICON-URL width height
%ICONS = (
back => [('[BACK]', "$iconsdir/back.gif", 20, 22)],
dir => [('[DIR]', "$iconsdir/dir.gif", 20, 22)],
file => [('[TXT]', "$iconsdir/text.gif", 20, 22)],
binfile => [('[BIN]', "$iconsdir/binary.gif", 20, 22)],
graph => [('[GRAPH]', "$iconsdir/minigraph.png", 16, 16)],
);
undef $iconsdir;
# An URL where to find the CSS.
#
$cssurl = '/cvsweb/css/cvsweb.css';
# The length to which the last log entry should be truncated when shown
# in the directory view.
#
$shortLogLen = 80;
# Show author of last change?
#
$show_author = 0; # Off for Debian for security by obscurity
# Cell padding for directory table.
#
$tablepadding = 2;
# Regular expressions for files and directories which should be hidden.
# Each regexp is compared against a path relative to a CVS root, after
# stripping the trailing ",v" if present. Matching files and directories
# are not displayed.
#
# NOTE(review): only CVS credential files are hidden here. Every device
# configuration in the Rancid repository stays browsable, so confidentiality
# rests on the web server's access control (source-address restriction and
# authentication in the virtual host), not on this list.
#
@ForbiddenFiles = (
qr|^CVSROOT/+passwd$|o, # CVSROOT/passwd should not be 'cvs add'ed though.
qr|/\.cvspass$|o, # Ditto. Just in case.
#qr|^my/+secret/+dir|o,
);
# Use CVSROOT/descriptions for describing the directories/modules?
# See INSTALL, section 9.
#
$use_descriptions = 0;
#
# Human readable diff.
#
# (c) 1998 H. Zeller <zeller@think.de>
#
# Generates two columns of color encoded diff; much like xdiff or GNU Emacs'
# ediff-mode.
#
# The diff-stuff is a piece of code I once made for cvs2html which is under
# GPL, see http://www.sslug.dk/cvs2html
# (c) 1997/98 Peter Toft <pto@sslug.imm.dtu.dk>
# Make lines breakable so that the columns do not exceed the width of the
# browser?
#
$hr_breakable = 1;
# Print function names in diffs (unified and context only).
# See the -p option in the diff(1) man page.
#
$showfunc = 1;
# For each pair of regexps, files that match the first regexp will be diff'ed
# with an -F option using the second regexp (unified and context only).
# See the -F option in the diff(1) man page.
#
%funcline_regexp = (
qr/\.(?:4th|fr)$/o => "\\(^\\|[ \t]\\): ",
qr/\.rb$/o => "^[\t ]*\\(class\\|module\\|def\\) ",
);
# Ignore whitespace in human readable diffs? ('-w' option to diff)
#
$hr_ignwhite = 0;
# Ignore diffs which are caused by keyword substitution, $Id and friends?
# ('-kk' option to rcsdiff)
#
$hr_ignkeysubst = 1;
# The width of the textinput of the "request diff" form.
#
$inputTextSize = 12;
# Custom per MIME type diff tools, used for comparing binary files such as
# spreadsheets, images etc. Each key is a MIME type in lowercase.
# Each value is an array ref of available diff tools for that type, each of
# which is a hash ref with values (mandatory where default not listed):
# name: the name to show in the UI for this diff type
# cmd: full path to executable
# args: arguments as an array ref (not string!, defaults to no arguments)
# type: output MIME type (defaults to text/plain)
#
%DIFF_COMMANDS = (
#'text/xml' => [
# { name => 'XMLdiff',
# cmd => $CMD{xmldiff},
# },
# { name => 'XMLdiff (XUpdate)',
# cmd => $CMD{xmldiff},
# args => [ qw(-x) ],
# type => 'text/xml',
# },
#],
);
#
# Mime types
#
# The MIME type lookup works like this:
# 1) Look up from %MTYPES below with the file name extension (suffix).
# 2) If not found, use the MIME::Types(3) module if it's available.
# 3) If not found, lookup from the $mime_types file (see below).
# 4) If not found, try %MTYPES{'*'}.
# 5) If not found, use 'application/octet-stream' if the file's keyword
# substitution mode is b (ie. the file was checked in as binary to CVS),
# 'text/plain' otherwise.
# Quick MIME type lookup; maps filename extensions to MIME types.
# Add common mappings here for fast lookup. You can also use this
# to override MIME::Types(3) or the $mime_types file (see below).
#
%MTYPES = (
"html" => "text/html",
"shtml" => "text/html",
"gif" => "image/gif",
"jpeg" => "image/jpeg",
"jpg" => "image/jpeg",
"png" => "image/png",
"xpm" => "image/xpm",
# "*" => "text/plain",
);
# The traditional mime.types file, eg. the one from Apache is fine.
# See above where this gets used.
#
$mime_types = '/etc/mime.types';
# Charset appended to the Content-Type HTTP header for text/* MIME types.
# Note that the web server may default to some charset which may take effect
# if you leave this parameter empty or unset.
# For Apache, see also the AddDefaultCharset directive.
#
$charset = '';
# e.g.
#$charset = $where =~ m,/ru[/_-], ? 'koi8-r'
# : $where =~ m,/zh[/_-], ? 'big5'
# : $where =~ m,/ja[/_-], ? 'x-euc-jp'
# : $where =~ m,/ko[/_-], ? 'x-euc-kr'
# : 'iso-8859-1';
# Output filter
#
$output_filter = '';
# e.g.
## unify/convert Japanese code into EUC-JP
#$output_filter= '/usr/local/bin/nkf -e';
##############
# Misc
##############
# Allow annotation of files? See also @annotate_options below.
#
$allow_annotate = 1;
# Allow HTMLized versions of files?
#
$allow_markup = 1;
# Allow CVSweb to create mailto: links from email addresses in various
# HTMLized views? Default: yes.
#
#$allow_mailtos = 0;
## Extra hyperlinking means hyperlinks to bug tracking systems and manual page
## gateways, see $prcgi and $mancgi and related options above.
# Allow extra hyperlinking (such as PR cross-references) in logs?
# Default: yes.
#
#$allow_log_extra = 0;
# Allow extra hyperlinking in directory views?
#
$allow_dir_extra = 1;
# Allow extra hyperlinking in source code/formatted diff views?
#
$allow_source_extra = 1;
# Allow compression with gzip in general? Note that this also requires
# that the browser supports it, and will be disabled on the fly when necessary.
#
#$allow_compress = 1;
# Use JavaScript in the UI?
#
$use_java_script = 1;
# Show a form for setting options in the directory view?
#
$edit_option_form = 1;
# Show last changelog message for subdirectories?
# The current implementation makes many assumptions and may show the
# incorrect file at some times. The main assumption is that the last
# modified file has the newest filedate. But some CVS operations
# touch the file even when a new version isn't checked in, and TAG
# based browsing essentially puts this out of order unless the last
# checkin was on the same tag as you are viewing.
# Enable this if you like the feature, but don't rely on correct results.
#
#$show_subdir_lastmod = 1;
# Show CVS log when viewing file contents?
#
$show_log_in_markup = 1;
# Preformat when viewing file contents? This should be turned off
# when you have files in the repository that are in a multibyte
# encoding which uses HTML special characters ([<>&"]) as part of a
# multibyte character. (such as iso-2022-jp, ShiftJIS, etc.)
# Otherwise those files will get screwed up in markup.
#
# Note: enscript(1) highlighting is preferred over the built-in preformatting,
# ie. this has no effect if $allow_enscript is true and enscript can highlight
# the file.
#
#$preformat_in_markup = 1;
# Default tab width used to expand tabs to spaces in various HTMLized views.
# Note that CVSweb scans the first few lines of sources for some common editor
# directives controlling the tab width. It uses the value from them if found,
# falling back to the value of $tabstop if not. Default: 8.
#
#$tabstop = 4;
# If you wish to display absolute times in your local timezone,
# then define @mytz and fill in the strings for your standard and
# daylight time. Note that you must also make sure the system
# timezone is correctly set.
#
#@mytz=("EST", "EDT");
# CVSweb is friendly to caches by sending the HTTP Last-Modified
# header corresponding to the sent content. In the case of a
# checkout, this may require running rcslog on the file solely for the
# purpose of retrieving the timestamp to be sent. If you have a slow
# server, you may want to turn this off for a small performance gain.
#
$use_moddate = 1;
# Maximum number of filenames to pass to rlog(1) in one command.
# If you see "Failed to spawn GNU rlog" errors with directories containing
# lots of files, experiment by setting this to different values and see if
# the error still occurs. A good value to start from would be eg. 200.
# Just comment this out if you're not bitten by the problem.
#
#$file_list_len = 200;
# Allow graphical representations of file revisions and branches with CvsGraph?
#
$allow_cvsgraph = $CMD{cvsgraph} ? 1 : 0;
# Path to the CvsGraph configuration file. Only used if $allow_cvsgraph
# is true. Leave this empty or comment it out to make cvsgraph(1) use its
# default configuration file. Note that CVSweb will override some of the
# settings in the configuration file with command line options, see
# doGraph() and doGraphView() in cvsweb.cgi for details.
#
#$cvsgraph_config = "/etc/cvsgraph.conf";
# URL to the CVSHistory script. This should be absolute (but does not need
# to include the host and port if the script is on the same server as
# CVSweb).
#$cvshistory_url = "/cgi-bin/cvshistory.cgi";
# Whether to allow downloading a tarball or a zip of the current directory.
# While downloading of the entire repository is disallowed, depending on
# the directory this may take a lot of time and disk space. For some CVS
# versions, the user account running CVSweb needs write access to
# CVSROOT/val-tags. See also the tar, gzip and zip options below.
#
#$allow_tar = (($CMD{tar} && $CMD{gzip}) || $CMD{zip}) ? 1 : 0;
# Options to pass to tar(1).
# For example: @tar_options = qw(--ignore-failed-read);
# GNU tar has some useful options against unexpected errors.
# Other useful options include "--owner=0" and "--group=0", see
# the tar(1) (or gtar(1)) manpage for details.
#
@tar_options = qw();
# Options to pass to gzip(1) when compressing a tarball to download.
# For example: @gzip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@gzip_options = qw();
# Options to pass to zip(1) when compressing a zip archive to download.
# For example: @zip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@zip_options = qw(-q);
# Options to pass to cvs(1).
# For cvs versions 1.11 to 1.11.6 (broken in < 1.11, removed in 1.11.7), you
# can use the '-l' option to prevent cvs from writing to the history file.
# For other cvs versions, either suppress history logging by using the
# LogHistory parameter in CVSROOT/config or make sure that the CVSweb user
# can read and write to CVSROOT/history.
# FreeBSD's and OpenBSD's cvs(1) has long since supported -R (read only access
# mode) option, which considerably speeds up checkouts over NFS. For other
# platforms, the -R option and the CVSREADONLYFS environment variable are
# available in cvs >= 1.12.1. A similar effect is provided by -u on NetBSD.
#
@cvs_options = qw(-f);
push @cvs_options, '-R' if ($^O eq 'freebsd' || $^O eq 'openbsd');
push @cvs_options, '-u' if ($^O eq 'netbsd');
# Only affects cvs >= 1.12.1, but doesn't hurt older ones.
$ENV{CVSREADONLYFS} = 1 unless exists($ENV{CVSREADONLYFS});
# Options to pass to the 'cvs annotate' command, usually the normal
# @cvs_options are good enough here.
# To make annotate work against a read only repository, add -n, ie.:
# @annotate_options = (@cvs_options, '-n');
#
@annotate_options = @cvs_options;
# Options to pass to rcsdiff(1).
# Probably the only useful one here is -q (suppress diagnostic output).
#
@rcsdiff_options = qw(-q);
# Enables syntax highlighting using GNU Enscript if set.
# You will need GNU Enscript version 1.6.3 or newer for this to work.
#
#$allow_enscript = $CMD{enscript} ? 1 : 0;
# Options to pass to enscript(1).
# Do not set the -q, --language, -o or --highlight options here.
# Most useful styles are probably emacs, emacs_verbose and msvc.
#
@enscript_options = qw(--style=emacs --color=1);
# Enscript highlight rule to filename regex mappings. The set of useful
# mappings depends on what highlight rules the system has installed.
#
%enscript_types =
(
'ada' => qr/\.ad(s|b|a)$/o,
'asm' => qr/\.[Ss]$/o,
'awk' => qr/\.awk$/o,
'bash' => qr/\.(bash(_profile|rc)|inputrc)$/o,
'c' => qr/\.(c|h)$/o,
'changelog' => qr/^changelog$/io,
'cpp' => qr/\.(c\+\+|C|H|cpp|cc|cxx)$/o,
'csh' => qr/\.(csh(rc)?|log(in|out)|history)$/o,
'elisp' => qr/\.e(l|macs)$/o,
'fortran' => qr/\.[fF]$/o,
'haskell' => qr/\.(l?h|l?g)s$/o,
'html' => qr/\.x?html?$/o,
'idl' => qr/\.idl$/o,
'inf' => qr/\.inf$/io,
'java' => qr/\.java$/o,
'javascript' => qr/\.(js|pac)$/o,
'ksh' => qr/\.ksh$/o,
'm4' => qr/\.m4$/o,
'makefile' => qr/(GNU)?[Mm]akefile(?!\.PL\b)|\.(ma?ke?|am)$/o,
'matlab' => qr/\.m$/o,
'nroff' => qr/\.man$/o,
'pascal' => qr/\.p(as|p)?$/io,
'perl' => qr/\.p(m|(er)?l)$/io,
'postscript' => qr/\.e?ps$/io,
'python' => qr/\.py$/o,
'rfc' => qr/\b((rfc|draft)\..*\.txt)$/o,
'scheme' => qr/\.(scm|scheme)$/o,
'sh' => qr/\.sh$/o,
'skill' => qr/\.il$/o,
'sql' => qr/\.sql$/o,
'states' => qr/\.st$/o,
'synopsys' => qr/\.s(cr|yn(th)?)$/o,
'tcl' => qr/\.tcl$/o,
'tcsh' => qr/\.tcshrc$/o,
'tex' => qr/\.tex$/o,
'vba' => qr/\.vba$/o,
'verilog' => qr/\.(v|vh)$/o,
'vhdl' => qr/\.vhdl?$/o,
'vrml' => qr/\.wrl$/o,
'wmlscript' => qr/\.wmls(cript)?$/o,
'zsh' => qr/\.(zsh(env|rc)|z(profile|log(in|out)))$/o,
);
# Troubleshooting: in case of problems, setting this to 1 will cause more
# error output into your web server error log. Under normal operation,
# this should be set to 0 or commented out.
#
#$DEBUG = 1;
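# Enable this to let CVSweb load extra configuration files from the "conf.d"
# subdirectory of the directory this file is located in. This enables site
# specific configuration without having to modify this "master" configuration
# file (except for enabling this functionality below :)
#
# When enabled, every readable regular file named *.conf in that directory is
# executed as Perl code with do(), in sorted order; the directory and its
# files must therefore be writable by root only.
#
if (0) {
  my $confdir = catdir(dirname(__FILE__), 'conf.d');
  if (opendir(CONFD, $confdir)) {
    my @files = sort(map(catfile($confdir, $_), readdir(CONFD)));
    # A handle opened with opendir() is released with closedir(); close()
    # only acts on file handles and would leave the directory handle open.
    closedir(CONFD);
    for my $conffile (grep(-f && -r _, @files)) {
      # Keep only names ending in ".conf"; anything else is skipped.
      ($conffile) = ($conffile =~ /(.+\.conf)$/) or next;
      do "$conffile" or config_error($conffile, $@);
    }
  }
}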
1;
# EOF
Créer le répertoire pour le VHost Apache cvs.home.local :
# mkdir /var/www/cvs.home.local/
Créer un répertoire pour les clés et certificats SSL utilisés par Apache :
# mkdir /etc/apache2/ssl/
Placer la clé et les certificats adéquats :
- ca.crt
- wildcard.home.local.crt
- wildcard.home.local.key
Créer la configuration du VHost Apache cvs.home.local :
# vim /etc/apache2/sites-available/cvs.home.local
# Plain-HTTP virtual host: it exists only to send clients to the HTTPS site.
<VirtualHost *:80>
ServerAdmin webmaster@home.local
ServerName cvs.home.local
# NOTE(review): the rule relies on mod_rewrite's implicit external redirect
# for an absolute URL; explicit [R=301,L] flags would make the intent
# unambiguous. Because the rule sits inside <IfModule>, a missing mod_rewrite
# silently disables the redirect instead of failing at start-up.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule (.*) https://%{SERVER_NAME}$1
</IfModule>
</VirtualHost>
# HTTPS virtual host serving CVSWeb.
<VirtualHost *:443>
ServerAdmin webmaster@home.local
ServerName cvs.home.local
DocumentRoot /var/www/cvs.home.local/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
# Access to the whole site needs both a source address in 10.20.30.0/24 and a
# Basic-auth login as "admin": no Satisfy directive is given, so the default
# (all conditions must hold) applies.
# NOTE(review): Order/Deny/Allow is the Apache 2.2 syntax; on Apache 2.4 it
# needs mod_access_compat or a conversion to "Require ip" - confirm the
# version in use.
# NOTE(review): /etc/apache2/passwd is not created in the steps shown; create
# it with htpasswd and keep it readable only by root and the web server group.
# A single shared "admin" login also gives no per-person accountability.
<Location />
Order deny,allow
Deny from all
Allow from 10.20.30.0/24
AuthUserFile /etc/apache2/passwd
AuthName "!HOME! Restricted Access !HOME!"
AuthType Basic
Require user admin
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
</Location>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
# "Allow from all" here is not the last word: <Location /> is merged after the
# <Directory> sections, so its restrictions also apply to the CGI.
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
Alias /cvsweb /usr/share/cvsweb
# The site root redirects to the CVSWeb CGI.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^/$ /cgi-bin/cvsweb [R]
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/cvs.home.local-error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/cvs.home.local-access.log combined
ServerSignature Off
# NOTE(review): with SSLEngine wrapped in <IfModule>, a missing mod_ssl would
# make this virtual host answer in clear text on port 443, Basic-auth
# credentials included. Dropping the wrapper turns that case into a start-up
# error.
# Protocol versions and cipher suites are not set here and are inherited from
# the server-wide mod_ssl configuration; review them there.
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/wildcard.home.local.crt
# Private key: should be owned by root and not readable by group or others.
SSLCertificateKeyFile /etc/apache2/ssl/wildcard.home.local.key
# NOTE(review): SSLCACertificateFile names the CAs used to verify client
# certificates. If the intent is to send the issuing CA chain to browsers,
# SSLCertificateChainFile is the directive for that - confirm.
SSLCACertificateFile /etc/apache2/ssl/ca.crt
</IfModule>
</VirtualHost>
Activer les modules Apache nécessaires :
# a2enmod rewrite ssl cgi
Activer le VHost Apache cvs.home.local :
# a2ensite cvs.home.local
Relancer Apache2 :
# /etc/init.d/apache2 reload
Automatisation des sauvegardes
Ajouter une tâche sur les deux noeuds du cluster :
# vim /etc/crontab
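# Nightly backup of the network devices' configurations.
# The job is installed on both nodes but must only do work on the node that
# currently hosts the ClusterFS resource, and only when no collection is
# already running.
# - Redirections are written as "> /dev/null 2>&1": cron runs commands with
#   /bin/sh unless SHELL says otherwise, and a POSIX sh reads "&>" as "&"
#   followed by ">", which backgrounds the command and lets the guard succeed
#   on every node.
# - $(hostname) replaces $HOSTNAME, which bash sets by itself but which is not
#   part of the environment cron provides.
# - grep -qwF matches the node name as a whole literal word; pgrep -x matches
#   the exact process name and prints nothing into cron's mail.
# NOTE(review): all output of rancid-run is discarded; failures are only
# visible in the logs under /var/lib/rancid/logs.
30 19 * * * root crm_resource --resource ClusterFS --locate | grep -qwF -- "$(hostname)" && ! pgrep -x rancid-run > /dev/null && sudo -u rancid /var/lib/rancid/bin/rancid-run > /dev/null 2>&1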