Sauvegarde et archivage des configurations des équipements avec Rancid sous GNU/Linux Debian

Pré-requis

Un compte de service rancid renseigné dans l’annuaire Active Directory

Un cluster Pacemaker/Corosync avec une ressource DRBD

Les noeuds du cluster sont membres du domaine Active Directory

Un serveur Apache2 sur chaque nœud du cluster

Un serveur TACACS+ sur chaque nœud du cluster

La clé et le certificat du du VHost pour CVSWeb ainsi que le certificat de la CA.

Configuration de TACACS+

Renseigner l’utilisateur rancid au sein des serveurs TACACS+ :

vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Relancer les serveurs TACACS+ :

# /etc/init.d/tacacs_plus reload
# /etc/init.d/tacacs_plus_nortel reload

Installation et configuration de Rancid

Installer Rancid :

# aptitude update && aptitude install rancid

Sauvegarder le fichier de configuration de Rancid :

# cp /etc/rancid/rancid.conf /etc/rancid/rancid.conf.original

Modifier la configuration de Rancid :

# vim /etc/rancid/rancid.conf
# rancid 2.3.3
# This file sets up the environment used for rancid.  see rancid.conf(5)
#
# This will be site specific
#
TERM=network;export TERM
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Under BASEDIR (i.e.: --localstatedir), there will be a "logs" directory for
# the logs from rancid and a directory for each group of routers defined in
# LIST_OF_GROUPS (below).  In addition to these, there will be a "CVS"
# directory which is the cvs (or Subversion) repository.
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository.  Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn".  Do not change
# this after CVSROOT has been created with rancid-cvs.  Changing between these
# requires manual conversions.
RCSSYS=cvs; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
#
# if NOPIPE is set, temp files will be used instead of a cmd pipe during
# collection from the router(s).
#NOPIPE=YES; export NOPIPE
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL).  see rancid.conf(5).
#FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
#NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up.  Minimum: 1
#MAX_ROUNDS=4; export MAX_ROUNDS
#
# How many hours should pass before complaining about routers that
# can not be reached.  The value should be greater than the number
# of hours between your rancid-run cron job.  Default: 24
#OLDTIME=4; export OLDTIME
#
# How many hours should pass before complaining that a group's collection
# (the age of it's lock file) is hung.
#LOCKTIME=4; export LOCKTIME
#
# The number of devices to collect simultaneously.
#PAR_COUNT=5; export PAR_COUNT
#
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"
# more groups...
LIST_OF_GROUPS="GRP1 GRP2 GRP3"
#
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
#   rancid-group:       joe,moe@foo
#   rancid-admin-group: hostmaster
# be sure to read ../README regarding aliases.
#
# If your MTA configuration is broken or you want mail to be forwarded to a
# domain not the same as the local one, define that domain here.  "@" must be
# included, as this is simply appended to the usual recipients.  It is NOT
# appended to recipients specified in rancid-run's -m option.
#MAILDOMAIN="@example.com"; export MAILDOMAIN
#
# By default, rancid mail is marked with precedence "bulk".  This may be
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers.  Individual headers must be separated
# by a \n.
#MAILHEADERS="Precedence: bulk"; export MAILHEADERS

Sur le noeud actif du cluster, déplacer l’arborescence de travail de Rancid sur le disque DRBD :

# mv /var/lib/rancid /cluster/
# ln -s /cluster/rancid /var/lib/
# rm /var/lib/rancid/logs && ln -s /var/log/rancid /cluster/rancid/logs

Sur le noeud passif du cluster, détruire l’arborescence de travail de Rancid et pointer sur la ressource DRBD :

# rm -rf /var/lib/rancid
# ln -s /cluster/rancid /var/lib/

Remarque : les actions à effectuer sur l’arborescence /var/lib/rancid ne sont à réaliser que sur le noeud actif sur lequel est monter la ressource DRBD, sous /cluster.

Ajouter un fichier de configuration pour les paramètres de connexion de l’utilisateurs rancid sur les équipements :

# vim /var/lib/rancid/.cloginrc
add cyphertype sw1.home.local {aes128-cbc}
add cyphertype sw2.home.local {aes128-cbc}
add cyphertype sw3.home.local {aes128-cbc}
add cyphertype sw4.home.local {aes128-cbc}
add noenable * {1}
add autoenable * {1}
add user * {rancid}
add password * {-----------}
# chmod 600 /var/lib/rancid/.cloginrc && chown rancid:rancid /var/lib/rancid/.cloginrc

Récupérer les add-ons H3C pour Rancid (h3clogin et h3crancid) et les placer sous /var/lib/rancid/bin/ (penser à vérifier l’interpréteur renseigné dans l’en-tête de ces scripts) :

# chown root:root /var/lib/rancid/bin/h3c*

Renseigner le modèle H3C dans Rancid :

# vim /var/lib/rancid/bin/rancid-fe

Créer l’arborescence CVS et les fichiers de configuration associés au groupes renseignés dans Rancid :

# usermod -s /bin/bash rancid
# su - rancid
$ /var/lib/rancid/bin/rancid-cvs

Compléter la liste des équipements pour chacun des groupes :

$ vim /var/lib/rancid/GRP1/router.db
#hostname:os:status
sw1.home.local:h3c:up
sw2.home.local:h3c:up
$ vim /var/lib/rancid/GRP2/router.db
#hostname:os:status
sw3.home.local:h3c:up
$ vim /var/lib/rancid/GRP3/router.db
#hostname:os:status
sw4.home.local:h3c:up

Lancer une première collecte de la configuration des équipements :

$ /var/lib/rancid/bin/rancid-run

Installation et configuration de CVSWeb

Installer CVSWeb :

# aptitude install cvsweb

Sauvegarder la configuration de CVSWeb :

# cp /etc/cvsweb/cvsweb.conf /etc/cvsweb/cvsweb.conf.original

Modifier la configuration de CVSWeb :

# vim /etc/cvsweb/cvsweb.conf
#                                                                  -*- perl -*-
# Configuration of cvsweb.cgi, a web interface to CVS repositories.
#
# (c) 1998-1999 H. Zeller    <zeller@think.de>
#     1999      H. Nordstrom <hno@hem.passagen.se>
#     2000-2002 A. MUSHA     <knu@FreeBSD.org>
#     2002-2005 V. Skyttä    <scop@FreeBSD.org>
#          based on work by Bill Fenner  <fenner@FreeBSD.org>
#
# $FreeBSD: projects/cvsweb/cvsweb.conf,v 1.97 2005/06/19 09:13:50 scop Exp $
# $Id: cvsweb.conf,v 1.29 2001/07/23 09:14:52 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.conf,v 1.27 2001/08/01 09:48:39 knu Exp $
#

#
# Unless otherwise noted, all boolean parameters here default to off
# when no value for them has been explicitly set.
#

# Set the path for the following commands:
#   cvs, rlog, rcsdiff
#   gzip (if you enable $allow_compress)
#   (g)tar, zip (if you enable $allow_tar)
#   cvsgraph (if you enable $allow_graph)
#   enscript (if you enable $allow_enscript)
#
@command_path = qw(/bin /usr/bin /usr/local/bin);

# Search the above directories for each command (prefer gtar over tar).
#
for (qw(cvs rlog rcsdiff gzip gtar zip cvsgraph enscript)) {
        $CMD{$_} = search_path($_);
}
$CMD{tar}   = delete($CMD{gtar}) if $CMD{gtar};
$CMD{tar} ||= search_path('tar');

# CVS roots
#
# CVSweb can handle several CVS repositories at once.  Enter short (internal)
# symbolic repository names, their names in the UI and the actual locations
# here.  The repositories will be listed in the order they're specified here.
#
# Obviously, CVSweb will need read access to these repository dirs.  If you
# receive an error that no valid CVS roots were found, double-check the file
# permissions and any other attributes your system may have for the repository
# directories, such as SELinux file contexts.
#
# CVSweb will also load per-cvsroot configuration files if they exist.
# The symbolic_name (see below) of the CVS root will be concatenated into the
# name of the main (this) configuration file along with a hyphen, and that
# file will be loaded for that particular CVS root.  For examples, see
# cvsweb.conf-* in the CVSweb distribution.
#
# Note that only local repositories are currently supported.  Things like
# :pserver:someone@xyz.com:/data/cvsroot won't work.
#
# 'symbolic_name' => ['Name to display',  '/path/to/cvsroot']
#
@CVSrepositories = (
#       'local'   => ['Local Repository', '/var/lib/cvs'],
#       'freebsd' => ['FreeBSD',          '/var/ncvs'],
#       'openbsd' => ['OpenBSD',          '/var/ncvs'],
#       'netbsd'  => ['NetBSD',           '/var/ncvs'],
#       'ruby'    => ['Ruby',             '/var/anoncvs/ruby'],
        'Rancid'     => ['My Network Devices', '/var/lib/rancid/CVS'],
);

# The default CVS root.  Note that @CVSrepositories is list, not a hash,
# so you'll want to use 2 * 0-based-index-number here; or set this directly
# to the default's symbolic name. Unless specified, the first valid one in
# @CVSrepositories is used as the default.
#
# For example:
#
#$cvstreedefault = $CVSrepositories[2 * 0];
#$cvstreedefault = 'local';

# Mirror sites.  The keys will be used as link texts, and the values are
# URLs pointing to the corresponding mirrors.
#
#%MIRRORS = (
#     'Other location'  => 'http://192.168.0.1/cgi-bin/cvsweb.cgi/',
#     'Yet another one' => 'http://192.168.0.2/cgi-bin/cvsweb.cgi/',
#);

# Bug tracking system linking options ("PR" means Problem Report, as in GNATS)
# This will be done only for views for which $allow_*_extra below is true.
#
#@prcategories = qw(
#    advocacy
#    alpha
#    bin
#    conf
#    docs
#    gnu
#    i386
#    kern
#    misc
#    pending
#    ports
#    sparc
#);
#$prcgi = "http://www.FreeBSD.org/cgi/query-pr.cgi?pr=%s";
#$prkeyword = "PR";

# Manual gateway linking.  This will be done only for views for which
# $allow_*_extra below is true.
#
$mancgi =
    "http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";

# Defaults for user definable options.
#
%DEFAULTVALUE = (

    # sortby: File sort order
    #   file   Sort by filename
    #   rev    Sort by revision number
    #   date   Sort by commit date
    #   author Sort by author
    #   log    Sort by log message
    "sortby" => "file",

    # ignorecase: Ignore case in sorts (filenames, authors, log messages)
    #   0      Honor case
    #   1      Ignore case
    "ignorecase" => "0",

    # hideattic: Hide or show files in Attic
    #   1      Hide files in Attic
    #   0      Show files in Attic
    "hideattic" => "1",

    # logsort: Sort order for CVS logs
    #   date   Sort revisions by date
    #   rev    Sort revision by revision number
    #   cvs    Don't sort them. Same order as CVS/RCS shows them.
    "logsort" => "date",

    # f: Default diff format
    #   h      Human readable
    #   u      Unified diff
    #   c      Context diff
    #   s      Side by side
    #   uc     Unified diff, enscript colored (falls back to "u" w/o enscript)
    #   cc     Context diff, enscript colored (falls back to "c" w/o enscript)
    #   sc     Side by side, enscript colored (falls back to "s" w/o enscript)
    "f" => "u",

    # hidecvsroot: Don't show the CVSROOT directory.  Note that this is
    # just the default for a user settable option (like others in this
    # %DEFAULTVALUE hash); it won't really prevent access to CVSROOT.
    # See @ForbiddenFiles for that.
    #   1      Do not include the top-level CVSROOT directory in dir listings
    #   0      Treat the top-level CVSROOT directory just like all other dirs
    "hidecvsroot" => "0",

    # hidenonreadable: Don't show files and directories that cannot be read
    # in directory listings.
    #   1      Hide non-readable entries
    #   0      Show non-readable entries
    "hidenonreadable" => "1",

    # ln: Show line numbers in HTMLized views
    #   1      Show line numbers
    #   0      Don't show line numbers
    "ln" => "0",
);

#
# Layout options (see also the included CSS file)
#

# Wanna have a logo on the page ?
#
#$logo = '<p><img src="/icons/apache_pb.gif" alt="Powered by Apache" /></p>';

# The title of the Page on startup.  This will be put inside <h1> and <title>
# tags, and HTML escaped.
#
$defaulttitle = "My Network CVS Repository";

# The address is shown on the footer.  This will be put inside a <address> tag.
#
$address = '<span style="font-size: smaller">My Network CVS <<a href="mailto:network-cvs@home.local">network-cvs@home.local</a>></span>';

$long_intro = <<EOT;
<p>Dépôt CVS pour l'archivage des configuration des équipements
actifs de mon réseau.
</p>
EOT

$short_instruction = <<EOT;
<p>
Click on a directory to enter that directory. Click on a file to display
its revision history and to get a chance to display diffs between revisions.
</p>
EOT

# Icons for the web UI.  If ICON-URL is empty, the TEXT representation is
# used.  If you do not want to have a tool tip for an icon, set TEXT empty.
# The width and height of the icon allow the browser to correctly display
# the table while still loading the icons.  If these icons are too large,
# check out the "mini" versions in the icons/ directory; they have a
# width/height of 16/16.
#
my $iconsdir = '/cvsweb/icons';

# format:          TEXT       ICON-URL                  width height
%ICONS = (
     back    => [('[BACK]',   "$iconsdir/back.gif",      20,   22)],
     dir     => [('[DIR]',    "$iconsdir/dir.gif",       20,   22)],
     file    => [('[TXT]',    "$iconsdir/text.gif",      20,   22)],
     binfile => [('[BIN]',    "$iconsdir/binary.gif",    20,   22)],
     graph   => [('[GRAPH]',  "$iconsdir/minigraph.png", 16,   16)],
);
undef $iconsdir;

# An URL where to find the CSS.
#
$cssurl = '/cvsweb/css/cvsweb.css';

# The length to which the last log entry should be truncated when shown
# in the directory view.
#
$shortLogLen = 80;

# Show author of last change?
#
$show_author = 0; # Off for Debian for security by obscurity

# Cell padding for directory table.
#
$tablepadding = 2;

# Regular expressions for files and directories which should be hidden.
# Each regexp is compared against a path relative to a CVS root, after
# stripping the trailing ",v" if present.  Matching files and directories
# are not displayed.
#
@ForbiddenFiles = (
    qr|^CVSROOT/+passwd$|o, # CVSROOT/passwd should not be 'cvs add'ed though.
    qr|/\.cvspass$|o,       # Ditto.  Just in case.
   #qr|^my/+secret/+dir|o,
);

# Use CVSROOT/descriptions for describing the directories/modules?
# See INSTALL, section 9.
#
$use_descriptions = 0;

#
# Human readable diff.
#
# (c) 1998 H. Zeller <zeller@think.de>
#
# Generates two columns of color encoded diff; much like xdiff or GNU Emacs'
# ediff-mode.
#
# The diff-stuff is a piece of code I once made for cvs2html which is under
# GPL, see http://www.sslug.dk/cvs2html
# (c) 1997/98 Peter Toft <pto@sslug.imm.dtu.dk>

# Make lines breakable so that the columns do not exceed the width of the
# browser?
#
$hr_breakable = 1;

# Print function names in diffs (unified and context only).
# See the -p option in the diff(1) man page.
#
$showfunc = 1;

# For each pair of regexps, files that match the first regexp will be diff'ed
# with an -F option using the second regexp (unified and context only).
# See the -F option in the diff(1) man page.
#
%funcline_regexp = (
    qr/\.(?:4th|fr)$/o => "\\(^\\|[ \t]\\): ",
    qr/\.rb$/o         => "^[\t ]*\\(class\\|module\\|def\\) ",
);

# Ignore whitespace in human readable diffs? ('-w' option to diff)
#
$hr_ignwhite = 0;

# Ignore diffs which are caused by keyword substitution, $Id and friends?
# ('-kk' option to rcsdiff)
#
$hr_ignkeysubst = 1;

# The width of the textinput of the "request diff" form.
#
$inputTextSize = 12;

# Custom per MIME type diff tools, used for comparing binary files such as
# spreadsheets, images etc.  Each key is a MIME type in lowercase.
# Each value is an array ref of available diff tools for that type, each of
# which is a hash ref with values (mandatory where default not listed):
#   name: the name to show in the UI for this diff type
#   cmd:  full path to executable
#   args: arguments as an array ref (not string!, defaults to no arguments)
#   type: output MIME type (defaults to text/plain)
#
%DIFF_COMMANDS = (
  #'text/xml' => [
  #  { name => 'XMLdiff',
  #    cmd  => $CMD{xmldiff},
  #  },
  #  { name => 'XMLdiff (XUpdate)',
  #    cmd  => $CMD{xmldiff},
  #    args => [ qw(-x) ],
  #    type => 'text/xml',
  #  },
  #],
);

#
# Mime types
#

# The MIME type lookup works like this:
# 1) Look up from %MTYPES below with the file name extension (suffix).
# 2) If not found, use the MIME::Types(3) module if it's available.
# 3) If not found, lookup from the $mime_types file (see below).
# 4) If not found, try %MTYPES{'*'}.
# 5) If not found, use 'application/octet-stream' if the file's keyword
#    substitution mode is b (ie. the file was checked in as binary to CVS),
#    'text/plain' otherwise.

# Quick MIME type lookup; maps filename extensions to MIME types.
# Add common mappings here for fast lookup.  You can also use this
# to override MIME::Types(3) or the $mime_types file (see below).
#
%MTYPES = (
        "html"  => "text/html",
        "shtml" => "text/html",
        "gif"   => "image/gif",
        "jpeg"  => "image/jpeg",
        "jpg"   => "image/jpeg",
        "png"   => "image/png",
        "xpm"   => "image/xpm",
#       "*"     => "text/plain",
);

# The traditional mime.types file, eg. the one from Apache is fine.
# See above where this gets used.
#
$mime_types = '/etc/mime.types';

# Charset appended to the Content-Type HTTP header for text/* MIME types.
# Note that the web server may default to some charset which may take effect
# if you leave this parameter empty or unset.
# For Apache, see also the AddDefaultCharset directive.
#
$charset = '';

# e.g.
#$charset = $where =~ m,/ru[/_-], ? 'koi8-r'
#  : $where =~ m,/zh[/_-], ? 'big5'
#  : $where =~ m,/ja[/_-], ? 'x-euc-jp'
#  : $where =~ m,/ko[/_-], ? 'x-euc-kr'
#  : 'iso-8859-1';

# Output filter
#
$output_filter = '';

# e.g.
## unify/convert Japanese code into EUC-JP
#$output_filter= '/usr/local/bin/nkf -e';

##############
# Misc
##############

# Allow annotation of files?  See also @annotate_options below.
#
$allow_annotate = 1;

# Allow HTMLized versions of files?
#
$allow_markup = 1;

# Allow CVSweb to create mailto: links from email addresses in various
# HTMLized views?  Default: yes.
#
#$allow_mailtos = 0;

## Extra hyperlinking means hyperlinks to bug tracking systems and manual page
## gateways, see $prcgi and $mancgi and related options above.

# Allow extra hyperlinking (such as PR cross-references) in logs?
# Default: yes.
#
#$allow_log_extra = 0;

# Allow extra hyperlinking in directory views?
#
$allow_dir_extra = 1;

# Allow extra hyperlinking in source code/formatted diff views?
#
$allow_source_extra = 1;

# Allow compression with gzip in general?  Note that this also requires
# that the browser supports it, and will be disabled on the fly when necessary.
#
#$allow_compress = 1;

# Use JavaScript in the UI?
#
$use_java_script = 1;

# Show a form for setting options in the directory view?
#
$edit_option_form = 1;

# Show last changelog message for subdirectories?
# The current implementation makes many assumptions and may show the
# incorrect file at some times. The main assumption is that the last
# modified file has the newest filedate. But some CVS operations
# touch the file even when a new version isn't checked in, and TAG
# based browsing essentially puts this out of order unless the last
# checkin was on the same tag as you are viewing.
# Enable this if you like the feature, but don't rely on correct results.
#
#$show_subdir_lastmod = 1;

# Show CVS log when viewing file contents?
#
$show_log_in_markup = 1;

# Preformat when viewing file contents?  This should be turned off
# when you have files in the repository that are in a multibyte
# encoding which uses HTML special characters ([<>&"]) as part of a
# multibyte character. (such as iso-2022-jp, ShiftJIS, etc.)
# Otherwise those files will get screwed up in markup.
#
# Note: enscript(1) highlighting is preferred over the built-in preformatting,
# ie. this has no effect if $allow_enscript is true and enscript can highlight
# the file.
#
#$preformat_in_markup = 1;

# Default tab width used to expand tabs to spaces in various HTMLized views.
# Note that CVSweb scans the first few lines of sources for some common editor
# directives controlling the tab width.  It uses the value from them if found,
# falling back to the value of $tabstop if not.  Default: 8.
#
#$tabstop = 4;

# If you wish to display absolute times in your local timezone,
# then define @mytz and fill in the strings for your standard and
# daylight time. Note that you must also make sure the system
# timezone is correctly set.
#
#@mytz=("EST", "EDT");

# CVSweb is friendly to caches by sending the HTTP Last-Modified
# header corresponding to the sent content.  In the case of a
# checkout, this may require running rcslog on the file solely for the
# purpose of retrieving the timestamp to be sent.  If you have a slow
# server, you may want to turn this off for a small performance gain.
#
$use_moddate = 1;

# Maximum number of filenames to pass to rlog(1) in one command.
# If you see "Failed to spawn GNU rlog" errors with directories containing
# lots of files, experiment by setting this to different values and see if
# the error still occurs.  A good value to start from would be eg. 200.
# Just comment this out if you're not bitten by the problem.
#
#$file_list_len = 200;

# Allow graphical representations of file revisions and branches with CvsGraph?
#
$allow_cvsgraph = $CMD{cvsgraph} ? 1 : 0;

# Path to the CvsGraph configuration file.  Only used if $allow_cvsgraph
# is true.  Leave this empty or comment it out to make cvsgraph(1) use its
# default configuration file.  Note that CVSweb will override some of the
# settings in the configuration file with command line options, see
# doGraph() and doGraphView() in cvsweb.cgi for details.
#
#$cvsgraph_config = "/etc/cvsgraph.conf";

# URL to the CVSHistory script.  This should be absolute (but does not need
# to include the host and port if the script is on the same server as
# CVSweb).
#$cvshistory_url = "/cgi-bin/cvshistory.cgi";

# Whether to allow downloading a tarball or a zip of the current directory.
# While downloading of the entire repository is disallowed, depending on
# the directory this may take a lot of time and disk space.  For some CVS
# versions, the user account running CVSweb needs write access to
# CVSROOT/val-tags.  See also the tar, gzip and zip options below.
#
#$allow_tar = (($CMD{tar} && $CMD{gzip}) || $CMD{zip}) ? 1 : 0;

# Options to pass to tar(1).
# For example: @tar_options = qw(--ignore-failed-read);
# GNU tar has some useful options against unexpected errors.
# Other useful options include "--owner=0" and "--group=0", see
# the tar(1) (or gtar(1)) manpage for details.
#
@tar_options = qw();

# Options to pass to gzip(1) when compressing a tarball to download.
# For example: @gzip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@gzip_options = qw();

# Options to pass to zip(1) when compressing a zip archive to download.
# For example: @zip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@zip_options = qw(-q);

# Options to pass to cvs(1).
# For cvs versions 1.11 to 1.11.6 (broken in < 1.11, removed in 1.11.7), you
# can use the '-l' option to prevent cvs from writing to the history file.
# For other cvs versions, either suppress history logging by using the
# LogHistory parameter in CVSROOT/config or make sure that the CVSweb user
# can read and write to CVSROOT/history.
# FreeBSD's and OpenBSD's cvs(1) has long since supported -R (read only access
# mode) option, which considerably speeds up checkouts over NFS.  For other
# platforms, the -R option and the CVSREADONLYFS environment variable are
# available in cvs >= 1.12.1.  A similar effect is provided by -u on NetBSD.
#
@cvs_options = qw(-f);
push @cvs_options, '-R' if ($^O eq 'freebsd' || $^O eq 'openbsd');
push @cvs_options, '-u' if ($^O eq 'netbsd');
# Only affects cvs >= 1.12.1, but doesn't hurt older ones.
$ENV{CVSREADONLYFS} = 1 unless exists($ENV{CVSREADONLYFS});

# Options to pass to the 'cvs annotate' command, usually the normal
# @cvs_options are good enough here.
# To make annotate work against a read only repository, add -n, ie.:
# @annotate_options = (@cvs_options, '-n');
#
@annotate_options = @cvs_options;

# Options to pass to rcsdiff(1).
# Probably the only useful one here is -q (suppress diagnostic output).
#
@rcsdiff_options = qw(-q);

# Enables syntax highlighting using GNU Enscript if set.
# You will need GNU Enscript version 1.6.3 or newer for this to work.
#
#$allow_enscript = $CMD{enscript} ? 1 : 0;

# Options to pass to enscript(1).
# Do not set the -q, --language, -o or --highlight options here.
# Most useful styles are probably emacs, emacs_verbose and msvc.
#
@enscript_options = qw(--style=emacs --color=1);

# Enscript highlight rule to filename regex mappings.  The set of useful
# mappings depends on what highlight rules the system has installed.
#
%enscript_types =
  (
   'ada'          => qr/\.ad(s|b|a)$/o,
   'asm'          => qr/\.[Ss]$/o,
   'awk'          => qr/\.awk$/o,
   'bash'         => qr/\.(bash(_profile|rc)|inputrc)$/o,
   'c'            => qr/\.(c|h)$/o,
   'changelog'    => qr/^changelog$/io,
   'cpp'          => qr/\.(c\+\+|C|H|cpp|cc|cxx)$/o,
   'csh'          => qr/\.(csh(rc)?|log(in|out)|history)$/o,
   'elisp'        => qr/\.e(l|macs)$/o,
   'fortran'      => qr/\.[fF]$/o,
   'haskell'      => qr/\.(l?h|l?g)s$/o,
   'html'         => qr/\.x?html?$/o,
   'idl'          => qr/\.idl$/o,
   'inf'          => qr/\.inf$/io,
   'java'         => qr/\.java$/o,
   'javascript'   => qr/\.(js|pac)$/o,
   'ksh'          => qr/\.ksh$/o,
   'm4'           => qr/\.m4$/o,
   'makefile'     => qr/(GNU)?[Mm]akefile(?!\.PL\b)|\.(ma?ke?|am)$/o,
   'matlab'       => qr/\.m$/o,
   'nroff'        => qr/\.man$/o,
   'pascal'       => qr/\.p(as|p)?$/io,
   'perl'         => qr/\.p(m|(er)?l)$/io,
   'postscript'   => qr/\.e?ps$/io,
   'python'       => qr/\.py$/o,
   'rfc'          => qr/\b((rfc|draft)\..*\.txt)$/o,
   'scheme'       => qr/\.(scm|scheme)$/o,
   'sh'           => qr/\.sh$/o,
   'skill'        => qr/\.il$/o,
   'sql'          => qr/\.sql$/o,
   'states'       => qr/\.st$/o,
   'synopsys'     => qr/\.s(cr|yn(th)?)$/o,
   'tcl'          => qr/\.tcl$/o,
   'tcsh'         => qr/\.tcshrc$/o,
   'tex'          => qr/\.tex$/o,
   'vba'          => qr/\.vba$/o,
   'verilog'      => qr/\.(v|vh)$/o,
   'vhdl'         => qr/\.vhdl?$/o,
   'vrml'         => qr/\.wrl$/o,
   'wmlscript'    => qr/\.wmls(cript)?$/o,
   'zsh'          => qr/\.(zsh(env|rc)|z(profile|log(in|out)))$/o,
  );

# Troubleshooting: in case of problems, setting this to 1 will cause more
# error output into your web server error log.  Under normal operation,
# this should be set to 0 or commented out.
#
#$DEBUG = 1;

# Enable this to let CVSweb load extra configuration files from the "conf.d"
# subdirectory of the directory this file is located in.  This enables site
# specific configuration without having to modify this "master" configuration
# file (except for enabling this functionality below :)
#
if (0) {
  my $confdir = catdir(dirname(__FILE__), 'conf.d');
  if (opendir(CONFD, $confdir)) {
    my @files = sort(map(catfile($confdir, $_), readdir(CONFD)));
    close(CONFD);
    for my $conffile (grep(-f && -r _, @files)) {
      ($conffile) = ($conffile =~ /(.+\.conf)$/) or next;
      do "$conffile" or config_error($conffile, $@);
    }
  }
}

1;

# EOF

Créer le répertoire pour le VHost Apache cvs.home.local :

# mkdir /var/www/cvs.home.local/

Créer un répertoire pour les clés et certificats SSL utilisés par Apache :

# mkdir /etc/apache2/ssl/

Placer la clés et les certificats adéquats :

  • ca.crt
  • wildcard.home.local.crt
  • wildcard.home.local.key

Créer la configuration du VHost Apache cvs.home.local :

# vim /etc/apache2/sites-available/cvs.home.local
<VirtualHost *:80>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     (.*)    https://%{SERVER_NAME}$1
        </IfModule>

</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        DocumentRoot /var/www/cvs.home.local/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Location />
                Order deny,allow
                Deny from all
                Allow from 10.20.30.0/24

                AuthUserFile /etc/apache2/passwd
                AuthName "!HOME! Restricted Access !HOME!"
                AuthType Basic
                Require user admin

                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                #RedirectMatch ^/$ /apache2-default/
        </Location>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        Alias /cvsweb /usr/share/cvsweb

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     ^/$    /cgi-bin/cvsweb  [R]
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/cvs.home.local-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/cvs.home.local-access.log combined
        ServerSignature Off

        <IfModule mod_ssl.c>
                SSLEngine on
                SSLCertificateFile /etc/apache2/ssl/wildcard.home.local.crt
                SSLCertificateKeyFile /etc/apache2/ssl/wildcard.home.local.key
                SSLCACertificateFile /etc/apache2/ssl/ca.crt
        </IfModule>
</VirtualHost>

Activer les modules Apache nécessaires :

# a2enmod rewrite ssl cgi

Activer le VHost Apache cvs.home.local :

# a2ensite cvs.home.local

Relancer Apache2 :

# /etc/init.d/apache2 reload

Automatisation des sauvegardes

Ajouter une tâches sur les deux noeuds du cluster :

# vim /etc/crontab
# Sauvegarde des equipements actifs de mon reseau
30 19 * * *     root    ( crm_resource --resource ClusterFS --locate | grep $HOSTNAME &> /dev/null ) && ( ! ps -e | grep rancid-run ) && sudo -u rancid /var/lib/rancid/bin/rancid-run &> /dev/null

Leave a Reply