Prerequisites
A rancid service account created in Active Directory
A Pacemaker/Corosync cluster with a DRBD resource
The cluster nodes are members of the Active Directory domain
An Apache2 server on each cluster node
A TACACS+ server on each cluster node
The key and certificate for the CVSWeb VHost, plus the CA certificate.
TACACS+ configuration
Define the rancid user on the TACACS+ servers:
vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
    default service = permit
    login = PAM
    service = exec {
        priv-lvl = 15
        idletime = 10
    }
}

# Users

user = test1 {
    member = admins
}

user = test2 {
    member = admins
}

user = rancid {
    member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
    default service = permit
    login = PAM
    service = exec {
        priv-lvl = 6
        idletime = 10
    }
}

# Users

user = test1 {
    member = admins
}

user = test2 {
    member = admins
}

user = rancid {
    member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
Reload the TACACS+ servers:
# /etc/init.d/tacacs_plus reload
# /etc/init.d/tacacs_plus_nortel reload
Installing and configuring Rancid
Install Rancid:
# aptitude update && aptitude install rancid
Back up the Rancid configuration file:
# cp /etc/rancid/rancid.conf /etc/rancid/rancid.conf.original
Edit the Rancid configuration:
# vim /etc/rancid/rancid.conf
# rancid 2.3.3
# This file sets up the environment used for rancid.  see rancid.conf(5)
#
# This will be site specific
#
TERM=network;export TERM
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Under BASEDIR (i.e.: --localstatedir), there will be a "logs" directory for
# the logs from rancid and a directory for each group of routers defined in
# LIST_OF_GROUPS (below).  In addition to these, there will be a "CVS"
# directory which is the cvs (or Subversion) repository.
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository.  Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn".  Do not change
# this after CVSROOT has been created with rancid-cvs.  Changing between these
# requires manual conversions.
RCSSYS=cvs; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
#
# if NOPIPE is set, temp files will be used instead of a cmd pipe during
# collection from the router(s).
#NOPIPE=YES; export NOPIPE
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL).  see rancid.conf(5).
#FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
#NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up.  Minimum: 1
#MAX_ROUNDS=4; export MAX_ROUNDS
#
# How many hours should pass before complaining about routers that
# can not be reached.  The value should be greater than the number
# of hours between your rancid-run cron job.  Default: 24
#OLDTIME=4; export OLDTIME
#
# How many hours should pass before complaining that a group's collection
# (the age of it's lock file) is hung.
#LOCKTIME=4; export LOCKTIME
#
# The number of devices to collect simultaneously.
#PAR_COUNT=5; export PAR_COUNT
#
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"
# more groups...
LIST_OF_GROUPS="GRP1 GRP2 GRP3"
#
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
#   rancid-group: joe,moe@foo
#   rancid-admin-group: hostmaster
# be sure to read ../README regarding aliases.
#
# If your MTA configuration is broken or you want mail to be forwarded to a
# domain not the same as the local one, define that domain here. "@" must be
# included, as this is simply appended to the usual recipients.  It is NOT
# appended to recipients specified in rancid-run's -m option.
#MAILDOMAIN="@example.com"; export MAILDOMAIN
#
# By default, rancid mail is marked with precedence "bulk".  This may be
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers.  Individual headers must be separated
# by a \n.
#MAILHEADERS="Precedence: bulk"; export MAILHEADERS
On the active cluster node, move Rancid's working tree onto the DRBD disk:
# mv /var/lib/rancid /cluster/
# ln -s /cluster/rancid /var/lib/
# rm /var/lib/rancid/logs && ln -s /var/log/rancid /cluster/rancid/logs
On the passive cluster node, delete Rancid's working tree and point it at the DRBD resource:
# rm -rf /var/lib/rancid
# ln -s /cluster/rancid /var/lib/
Note: the actions on the /var/lib/rancid tree are only to be carried out on the active node, where the DRBD resource is mounted under /cluster.
Add a configuration file holding the rancid user's login parameters for the devices:
# vim /var/lib/rancid/.cloginrc
add cyphertype sw1.home.local {aes128-cbc}
add cyphertype sw2.home.local {aes128-cbc}
add cyphertype sw3.home.local {aes128-cbc}
add cyphertype sw4.home.local {aes128-cbc}
add noenable * {1}
add autoenable * {1}
add user * {rancid}
add password * {-----------}
# chmod 600 /var/lib/rancid/.cloginrc && chown rancid:rancid /var/lib/rancid/.cloginrc
Fetch the H3C add-ons for Rancid (h3clogin and h3crancid) and place them under /var/lib/rancid/bin/ (remember to check the interpreter given in the header of these scripts):
# chown root:root /var/lib/rancid/bin/h3c*
Add the H3C model to Rancid:
# vim /var/lib/rancid/bin/rancid-fe
Create the CVS tree and the configuration files for the groups defined in Rancid:
# usermod -s /bin/bash rancid
# su - rancid
$ /var/lib/rancid/bin/rancid-cvs
Fill in the device list for each group:
$ vim /var/lib/rancid/GRP1/router.db
#hostname:os:status
sw1.home.local:h3c:up
sw2.home.local:h3c:up
$ vim /var/lib/rancid/GRP2/router.db
#hostname:os:status
sw3.home.local:h3c:up
$ vim /var/lib/rancid/GRP3/router.db
#hostname:os:status
sw4.home.local:h3c:up
Run a first collection of the device configurations:
$ /var/lib/rancid/bin/rancid-run
Installing and configuring CVSWeb
Install CVSWeb:
# aptitude install cvsweb
Back up the CVSWeb configuration:
# cp /etc/cvsweb/cvsweb.conf /etc/cvsweb/cvsweb.conf.original
Edit the CVSWeb configuration:
# vim /etc/cvsweb/cvsweb.conf
# -*- perl -*-
# Configuration of cvsweb.cgi, a web interface to CVS repositories.
#
# (c) 1998-1999 H. Zeller <zeller@think.de>
#     1999      H. Nordstrom <hno@hem.passagen.se>
#     2000-2002 A. MUSHA <knu@FreeBSD.org>
#     2002-2005 V. Skyttä <scop@FreeBSD.org>
#     based on work by Bill Fenner <fenner@FreeBSD.org>
#
# $FreeBSD: projects/cvsweb/cvsweb.conf,v 1.97 2005/06/19 09:13:50 scop Exp $
# $Id: cvsweb.conf,v 1.29 2001/07/23 09:14:52 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.conf,v 1.27 2001/08/01 09:48:39 knu Exp $
#
#
# Unless otherwise noted, all boolean parameters here default to off
# when no value for them has been explicitly set.
#

# Set the path for the following commands:
#   cvs, rlog, rcsdiff
#   gzip     (if you enable $allow_compress)
#   (g)tar, zip (if you enable $allow_tar)
#   cvsgraph (if you enable $allow_graph)
#   enscript (if you enable $allow_enscript)
#
@command_path = qw(/bin /usr/bin /usr/local/bin);

# Search the above directories for each command (prefer gtar over tar).
#
for (qw(cvs rlog rcsdiff gzip gtar zip cvsgraph enscript)) {
  $CMD{$_} = search_path($_);
}
$CMD{tar} = delete($CMD{gtar}) if $CMD{gtar};
$CMD{tar} ||= search_path('tar');

# CVS roots
#
# CVSweb can handle several CVS repositories at once.  Enter short (internal)
# symbolic repository names, their names in the UI and the actual locations
# here.  The repositories will be listed in the order they're specified here.
#
# Obviously, CVSweb will need read access to these repository dirs.  If you
# receive an error that no valid CVS roots were found, double-check the file
# permissions and any other attributes your system may have for the repository
# directories, such as SELinux file contexts.
#
# CVSweb will also load per-cvsroot configuration files if they exist.
# The symbolic_name (see below) of the CVS root will be concatenated into the
# name of the main (this) configuration file along with a hyphen, and that
# file will be loaded for that particular CVS root.  For examples, see
# cvsweb.conf-* in the CVSweb distribution.
#
# Note that only local repositories are currently supported.  Things like
# :pserver:someone@xyz.com:/data/cvsroot won't work.
#
# 'symbolic_name' => ['Name to display', '/path/to/cvsroot']
#
@CVSrepositories = (
#  'local'   => ['Local Repository', '/var/lib/cvs'],
#  'freebsd' => ['FreeBSD',          '/var/ncvs'],
#  'openbsd' => ['OpenBSD',          '/var/ncvs'],
#  'netbsd'  => ['NetBSD',           '/var/ncvs'],
#  'ruby'    => ['Ruby',             '/var/anoncvs/ruby'],
   'Rancid'  => ['My Network Devices', '/var/lib/rancid/CVS'],
);

# The default CVS root.  Note that @CVSrepositories is list, not a hash,
# so you'll want to use 2 * 0-based-index-number here; or set this directly
# to the default's symbolic name.  Unless specified, the first valid one in
# @CVSrepositories is used as the default.
#
# For example:
#
#$cvstreedefault = $CVSrepositories[2 * 0];
#$cvstreedefault = 'local';

# Mirror sites.  The keys will be used as link texts, and the values are
# URLs pointing to the corresponding mirrors.
#
#%MIRRORS = (
#  'Other location' => 'http://192.168.0.1/cgi-bin/cvsweb.cgi/',
#  'Yet another one' => 'http://192.168.0.2/cgi-bin/cvsweb.cgi/',
#);

# Bug tracking system linking options ("PR" means Problem Report, as in GNATS)
# This will be done only for views for which $allow_*_extra below is true.
#
#@prcategories = qw(
#  advocacy
#  alpha
#  bin
#  conf
#  docs
#  gnu
#  i386
#  kern
#  misc
#  pending
#  ports
#  sparc
#);
#$prcgi = "http://www.FreeBSD.org/cgi/query-pr.cgi?pr=%s";
#$prkeyword = "PR";

# Manual gateway linking.  This will be done only for views for which
# $allow_*_extra below is true.
#
$mancgi = "http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";

# Defaults for user definable options.
#
%DEFAULTVALUE = (
  # sortby: File sort order
  #   file   Sort by filename
  #   rev    Sort by revision number
  #   date   Sort by commit date
  #   author Sort by author
  #   log    Sort by log message
  "sortby" => "file",

  # ignorecase: Ignore case in sorts (filenames, authors, log messages)
  #   0      Honor case
  #   1      Ignore case
  "ignorecase" => "0",

  # hideattic: Hide or show files in Attic
  #   1      Hide files in Attic
  #   0      Show files in Attic
  "hideattic" => "1",

  # logsort: Sort order for CVS logs
  #   date   Sort revisions by date
  #   rev    Sort revision by revision number
  #   cvs    Don't sort them. Same order as CVS/RCS shows them.
  "logsort" => "date",

  # f: Default diff format
  #   h      Human readable
  #   u      Unified diff
  #   c      Context diff
  #   s      Side by side
  #   uc     Unified diff, enscript colored (falls back to "u" w/o enscript)
  #   cc     Context diff, enscript colored (falls back to "c" w/o enscript)
  #   sc     Side by side, enscript colored (falls back to "s" w/o enscript)
  "f" => "u",

  # hidecvsroot: Don't show the CVSROOT directory.  Note that this is
  # just the default for a user settable option (like others in this
  # %DEFAULTVALUE hash); it won't really prevent access to CVSROOT.
  # See @ForbiddenFiles for that.
  #   1      Do not include the top-level CVSROOT directory in dir listings
  #   0      Treat the top-level CVSROOT directory just like all other dirs
  "hidecvsroot" => "0",

  # hidenonreadable: Don't show files and directories that cannot be read
  # in directory listings.
  #   1      Hide non-readable entries
  #   0      Show non-readable entries
  "hidenonreadable" => "1",

  # ln: Show line numbers in HTMLized views
  #   1      Show line numbers
  #   0      Don't show line numbers
  "ln" => "0",
);

#
# Layout options (see also the included CSS file)
#

# Wanna have a logo on the page ?
#
#$logo = '<p><img src="/icons/apache_pb.gif" alt="Powered by Apache" /></p>';

# The title of the Page on startup.  This will be put inside <h1> and <title>
# tags, and HTML escaped.
#
$defaulttitle = "My Network CVS Repository";

# The address is shown on the footer.  This will be put inside a <address> tag.
#
$address = '<span style="font-size: smaller">My Network CVS <<a href="mailto:network-cvs@home.local">network-cvs@home.local</a>></span>';

$long_intro = <<EOT;
<p>Dépôt CVS pour l'archivage des configuration des équipements actifs de mon réseau.
</p>
EOT

$short_instruction = <<EOT;
<p>
Click on a directory to enter that directory. Click on a file to display
its revision history and to get a chance to display diffs between revisions.
</p>
EOT

# Icons for the web UI.  If ICON-URL is empty, the TEXT representation is
# used.  If you do not want to have a tool tip for an icon, set TEXT empty.
# The width and height of the icon allow the browser to correctly display
# the table while still loading the icons.  If these icons are too large,
# check out the "mini" versions in the icons/ directory; they have a
# width/height of 16/16.
#
my $iconsdir = '/cvsweb/icons';
# format:               TEXT          ICON-URL                  width height
%ICONS = (
  back    => [('[BACK]',  "$iconsdir/back.gif",      20,   22)],
  dir     => [('[DIR]',   "$iconsdir/dir.gif",       20,   22)],
  file    => [('[TXT]',   "$iconsdir/text.gif",      20,   22)],
  binfile => [('[BIN]',   "$iconsdir/binary.gif",    20,   22)],
  graph   => [('[GRAPH]', "$iconsdir/minigraph.png", 16,   16)],
);
undef $iconsdir;

# An URL where to find the CSS.
#
$cssurl = '/cvsweb/css/cvsweb.css';

# The length to which the last log entry should be truncated when shown
# in the directory view.
#
$shortLogLen = 80;

# Show author of last change?
#
$show_author = 0; # Off for Debian for security by obscurity

# Cell padding for directory table.
#
$tablepadding = 2;

# Regular expressions for files and directories which should be hidden.
# Each regexp is compared against a path relative to a CVS root, after
# stripping the trailing ",v" if present.  Matching files and directories
# are not displayed.
#
@ForbiddenFiles = (
  qr|^CVSROOT/+passwd$|o, # CVSROOT/passwd should not be 'cvs add'ed though.
  qr|/\.cvspass$|o,       # Ditto.  Just in case.
  #qr|^my/+secret/+dir|o,
);

# Use CVSROOT/descriptions for describing the directories/modules?
# See INSTALL, section 9.
#
$use_descriptions = 0;

#
# Human readable diff.
#
# (c) 1998 H. Zeller <zeller@think.de>
#
# Generates two columns of color encoded diff; much like xdiff or GNU Emacs'
# ediff-mode.
#
# The diff-stuff is a piece of code I once made for cvs2html which is under
# GPL, see http://www.sslug.dk/cvs2html
# (c) 1997/98 Peter Toft <pto@sslug.imm.dtu.dk>

# Make lines breakable so that the columns do not exceed the width of the
# browser?
#
$hr_breakable = 1;

# Print function names in diffs (unified and context only).
# See the -p option in the diff(1) man page.
#
$showfunc = 1;

# For each pair of regexps, files that match the first regexp will be diff'ed
# with an -F option using the second regexp (unified and context only).
# See the -F option in the diff(1) man page.
#
%funcline_regexp = (
  qr/\.(?:4th|fr)$/o => "\\(^\\|[ \t]\\): ",
  qr/\.rb$/o         => "^[\t ]*\\(class\\|module\\|def\\) ",
);

# Ignore whitespace in human readable diffs? ('-w' option to diff)
#
$hr_ignwhite = 0;

# Ignore diffs which are caused by keyword substitution, $Id and friends?
# ('-kk' option to rcsdiff)
#
$hr_ignkeysubst = 1;

# The width of the textinput of the "request diff" form.
#
$inputTextSize = 12;

# Custom per MIME type diff tools, used for comparing binary files such as
# spreadsheets, images etc.  Each key is a MIME type in lowercase.
# Each value is an array ref of available diff tools for that type, each of
# which is a hash ref with values (mandatory where default not listed):
#   name: the name to show in the UI for this diff type
#   cmd:  full path to executable
#   args: arguments as an array ref (not string!, defaults to no arguments)
#   type: output MIME type (defaults to text/plain)
#
%DIFF_COMMANDS = (
  #'text/xml' => [
  #  { name => 'XMLdiff',
  #    cmd  => $CMD{xmldiff},
  #  },
  #  { name => 'XMLdiff (XUpdate)',
  #    cmd  => $CMD{xmldiff},
  #    args => [ qw(-x) ],
  #    type => 'text/xml',
  #  },
  #],
);

#
# Mime types
#

# The MIME type lookup works like this:
#  1) Look up from %MTYPES below with the file name extension (suffix).
#  2) If not found, use the MIME::Types(3) module if it's available.
#  3) If not found, lookup from the $mime_types file (see below).
#  4) If not found, try %MTYPES{'*'}.
#  5) If not found, use 'application/octet-stream' if the file's keyword
#     substitution mode is b (ie. the file was checked in as binary to CVS),
#     'text/plain' otherwise.

# Quick MIME type lookup; maps filename extensions to MIME types.
# Add common mappings here for fast lookup.  You can also use this
# to override MIME::Types(3) or the $mime_types file (see below).
#
%MTYPES = (
  "html"  => "text/html",
  "shtml" => "text/html",
  "gif"   => "image/gif",
  "jpeg"  => "image/jpeg",
  "jpg"   => "image/jpeg",
  "png"   => "image/png",
  "xpm"   => "image/xpm",
# "*"     => "text/plain",
);

# The traditional mime.types file, eg. the one from Apache is fine.
# See above where this gets used.
#
$mime_types = '/etc/mime.types';

# Charset appended to the Content-Type HTTP header for text/* MIME types.
# Note that the web server may default to some charset which may take effect
# if you leave this parameter empty or unset.
# For Apache, see also the AddDefaultCharset directive.
#
$charset = '';
# e.g.
#$charset = $where =~ m,/ru[/_-], ? 'koi8-r'
#         : $where =~ m,/zh[/_-], ? 'big5'
#         : $where =~ m,/ja[/_-], ? 'x-euc-jp'
#         : $where =~ m,/ko[/_-], ? 'x-euc-kr'
#         : 'iso-8859-1';

# Output filter
#
$output_filter = '';
# e.g.
## unify/convert Japanese code into EUC-JP
#$output_filter= '/usr/local/bin/nkf -e';

##############
# Misc
##############

# Allow annotation of files?  See also @annotate_options below.
#
$allow_annotate = 1;

# Allow HTMLized versions of files?
#
$allow_markup = 1;

# Allow CVSweb to create mailto: links from email addresses in various
# HTMLized views?  Default: yes.
#
#$allow_mailtos = 0;

## Extra hyperlinking means hyperlinks to bug tracking systems and manual page
## gateways, see $prcgi and $mancgi and related options above.

# Allow extra hyperlinking (such as PR cross-references) in logs?
# Default: yes.
#
#$allow_log_extra = 0;

# Allow extra hyperlinking in directory views?
#
$allow_dir_extra = 1;

# Allow extra hyperlinking in source code/formatted diff views?
#
$allow_source_extra = 1;

# Allow compression with gzip in general?  Note that this also requires
# that the browser supports it, and will be disabled on the fly when necessary.
#
#$allow_compress = 1;

# Use JavaScript in the UI?
#
$use_java_script = 1;

# Show a form for setting options in the directory view?
#
$edit_option_form = 1;

# Show last changelog message for subdirectories?
# The current implementation makes many assumptions and may show the
# incorrect file at some times.  The main assumption is that the last
# modified file has the newest filedate.  But some CVS operations
# touch the file even when a new version isn't checked in, and TAG
# based browsing essentially puts this out of order unless the last
# checkin was on the same tag as you are viewing.
# Enable this if you like the feature, but don't rely on correct results.
#
#$show_subdir_lastmod = 1;

# Show CVS log when viewing file contents?
#
$show_log_in_markup = 1;

# Preformat when viewing file contents?  This should be turned off
# when you have files in the repository that are in a multibyte
# encoding which uses HTML special characters ([<>&"]) as part of a
# multibyte character.  (such as iso-2022-jp, ShiftJIS, etc.)
# Otherwise those files will get screwed up in markup.
#
# Note: enscript(1) highlighting is preferred over the built-in preformatting,
# ie. this has no effect if $allow_enscript is true and enscript can highlight
# the file.
#
#$preformat_in_markup = 1;

# Default tab width used to expand tabs to spaces in various HTMLized views.
# Note that CVSweb scans the first few lines of sources for some common editor
# directives controlling the tab width.  It uses the value from them if found,
# falling back to the value of $tabstop if not.  Default: 8.
#
#$tabstop = 4;

# If you wish to display absolute times in your local timezone,
# then define @mytz and fill in the strings for your standard and
# daylight time.  Note that you must also make sure the system
# timezone is correctly set.
#
#@mytz=("EST", "EDT");

# CVSweb is friendly to caches by sending the HTTP Last-Modified
# header corresponding to the sent content.  In the case of a
# checkout, this may require running rcslog on the file solely for the
# purpose of retrieving the timestamp to be sent.  If you have a slow
# server, you may want to turn this off for a small performance gain.
#
$use_moddate = 1;

# Maximum number of filenames to pass to rlog(1) in one command.
# If you see "Failed to spawn GNU rlog" errors with directories containing
# lots of files, experiment by setting this to different values and see if
# the error still occurs.  A good value to start from would be eg. 200.
# Just comment this out if you're not bitten by the problem.
#
#$file_list_len = 200;

# Allow graphical representations of file revisions and branches with CvsGraph?
#
$allow_cvsgraph = $CMD{cvsgraph} ? 1 : 0;

# Path to the CvsGraph configuration file.  Only used if $allow_cvsgraph
# is true.  Leave this empty or comment it out to make cvsgraph(1) use its
# default configuration file.  Note that CVSweb will override some of the
# settings in the configuration file with command line options, see
# doGraph() and doGraphView() in cvsweb.cgi for details.
#
#$cvsgraph_config = "/etc/cvsgraph.conf";

# URL to the CVSHistory script.  This should be absolute (but does not need
# to include the host and port if the script is on the same server as
# CVSweb).
#
#$cvshistory_url = "/cgi-bin/cvshistory.cgi";

# Whether to allow downloading a tarball or a zip of the current directory.
# While downloading of the entire repository is disallowed, depending on
# the directory this may take a lot of time and disk space.  For some CVS
# versions, the user account running CVSweb needs write access to
# CVSROOT/val-tags.  See also the tar, gzip and zip options below.
#
#$allow_tar = (($CMD{tar} && $CMD{gzip}) || $CMD{zip}) ? 1 : 0;

# Options to pass to tar(1).
# For example: @tar_options = qw(--ignore-failed-read);
# GNU tar has some useful options against unexpected errors.
# Other useful options include "--owner=0" and "--group=0", see
# the tar(1) (or gtar(1)) manpage for details.
#
@tar_options = qw();

# Options to pass to gzip(1) when compressing a tarball to download.
# For example: @gzip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@gzip_options = qw();

# Options to pass to zip(1) when compressing a zip archive to download.
# For example: @zip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@zip_options = qw(-q);

# Options to pass to cvs(1).
# For cvs versions 1.11 to 1.11.6 (broken in < 1.11, removed in 1.11.7), you
# can use the '-l' option to prevent cvs from writing to the history file.
# For other cvs versions, either suppress history logging by using the
# LogHistory parameter in CVSROOT/config or make sure that the CVSweb user
# can read and write to CVSROOT/history.
# FreeBSD's and OpenBSD's cvs(1) has long since supported -R (read only access
# mode) option, which considerably speeds up checkouts over NFS.  For other
# platforms, the -R option and the CVSREADONLYFS environment variable are
# available in cvs >= 1.12.1.  A similar effect is provided by -u on NetBSD.
#
@cvs_options = qw(-f);
push @cvs_options, '-R' if ($^O eq 'freebsd' || $^O eq 'openbsd');
push @cvs_options, '-u' if ($^O eq 'netbsd');
# Only affects cvs >= 1.12.1, but doesn't hurt older ones.
$ENV{CVSREADONLYFS} = 1 unless exists($ENV{CVSREADONLYFS});

# Options to pass to the 'cvs annotate' command, usually the normal
# @cvs_options are good enough here.
# To make annotate work against a read only repository, add -n, ie.:
#   @annotate_options = (@cvs_options, '-n');
#
@annotate_options = @cvs_options;

# Options to pass to rcsdiff(1).
# Probably the only useful one here is -q (suppress diagnostic output).
#
@rcsdiff_options = qw(-q);

# Enables syntax highlighting using GNU Enscript if set.
# You will need GNU Enscript version 1.6.3 or newer for this to work.
#
#$allow_enscript = $CMD{enscript} ? 1 : 0;

# Options to pass to enscript(1).
# Do not set the -q, --language, -o or --highlight options here.
# Most useful styles are probably emacs, emacs_verbose and msvc.
#
@enscript_options = qw(--style=emacs --color=1);

# Enscript highlight rule to filename regex mappings.  The set of useful
# mappings depends on what highlight rules the system has installed.
#
%enscript_types = (
  'ada'        => qr/\.ad(s|b|a)$/o,
  'asm'        => qr/\.[Ss]$/o,
  'awk'        => qr/\.awk$/o,
  'bash'       => qr/\.(bash(_profile|rc)|inputrc)$/o,
  'c'          => qr/\.(c|h)$/o,
  'changelog'  => qr/^changelog$/io,
  'cpp'        => qr/\.(c\+\+|C|H|cpp|cc|cxx)$/o,
  'csh'        => qr/\.(csh(rc)?|log(in|out)|history)$/o,
  'elisp'      => qr/\.e(l|macs)$/o,
  'fortran'    => qr/\.[fF]$/o,
  'haskell'    => qr/\.(l?h|l?g)s$/o,
  'html'       => qr/\.x?html?$/o,
  'idl'        => qr/\.idl$/o,
  'inf'        => qr/\.inf$/io,
  'java'       => qr/\.java$/o,
  'javascript' => qr/\.(js|pac)$/o,
  'ksh'        => qr/\.ksh$/o,
  'm4'         => qr/\.m4$/o,
  'makefile'   => qr/(GNU)?[Mm]akefile(?!\.PL\b)|\.(ma?ke?|am)$/o,
  'matlab'     => qr/\.m$/o,
  'nroff'      => qr/\.man$/o,
  'pascal'     => qr/\.p(as|p)?$/io,
  'perl'       => qr/\.p(m|(er)?l)$/io,
  'postscript' => qr/\.e?ps$/io,
  'python'     => qr/\.py$/o,
  'rfc'        => qr/\b((rfc|draft)\..*\.txt)$/o,
  'scheme'     => qr/\.(scm|scheme)$/o,
  'sh'         => qr/\.sh$/o,
  'skill'      => qr/\.il$/o,
  'sql'        => qr/\.sql$/o,
  'states'     => qr/\.st$/o,
  'synopsys'   => qr/\.s(cr|yn(th)?)$/o,
  'tcl'        => qr/\.tcl$/o,
  'tcsh'       => qr/\.tcshrc$/o,
  'tex'        => qr/\.tex$/o,
  'vba'        => qr/\.vba$/o,
  'verilog'    => qr/\.(v|vh)$/o,
  'vhdl'       => qr/\.vhdl?$/o,
  'vrml'       => qr/\.wrl$/o,
  'wmlscript'  => qr/\.wmls(cript)?$/o,
  'zsh'        => qr/\.(zsh(env|rc)|z(profile|log(in|out)))$/o,
);

# Troubleshooting: in case of problems, setting this to 1 will cause more
# error output into your web server error log.  Under normal operation,
# this should be set to 0 or commented out.
#
#$DEBUG = 1;

# Enable this to let CVSweb load extra configuration files from the "conf.d"
# subdirectory of the directory this file is located in.  This enables site
# specific configuration without having to modify this "master" configuration
# file (except for enabling this functionality below :)
#
if (0) {
  my $confdir = catdir(dirname(__FILE__), 'conf.d');
  if (opendir(CONFD, $confdir)) {
    my @files = sort(map(catfile($confdir, $_), readdir(CONFD)));
    close(CONFD);
    for my $conffile (grep(-f && -r _, @files)) {
      ($conffile) = ($conffile =~ /(.+\.conf)$/) or next;
      do "$conffile" or config_error($conffile, $@);
    }
  }
}

1;
# EOF
Create the directory for the Apache VHost cvs.home.local:
# mkdir /var/www/cvs.home.local/
Create a directory for the SSL keys and certificates used by Apache:
# mkdir /etc/apache2/ssl/
Put the appropriate key and certificates in place:
- ca.crt
- wildcard.home.local.crt
- wildcard.home.local.key
Create the configuration for the Apache VHost cvs.home.local:
# vim /etc/apache2/sites-available/cvs.home.local
<VirtualHost *:80>
    ServerAdmin webmaster@home.local
    ServerName cvs.home.local

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule (.*) https://%{SERVER_NAME}$1
    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@home.local
    ServerName cvs.home.local

    DocumentRoot /var/www/cvs.home.local/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Location />
        Order deny,allow
        Deny from all
        Allow from 10.20.30.0/24
        AuthUserFile /etc/apache2/passwd
        AuthName "!HOME! Restricted Access !HOME!"
        AuthType Basic
        Require user admin
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        #RedirectMatch ^/$ /apache2-default/
    </Location>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    Alias /cvsweb /usr/share/cvsweb

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^/$ /cgi-bin/cvsweb [R]
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/cvs.home.local-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/cvs.home.local-access.log combined
    ServerSignature Off

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/wildcard.home.local.crt
        SSLCertificateKeyFile /etc/apache2/ssl/wildcard.home.local.key
        SSLCACertificateFile /etc/apache2/ssl/ca.crt
    </IfModule>
</VirtualHost>
Enable the required Apache modules:
# a2enmod rewrite ssl cgi
Enable the Apache VHost cvs.home.local:
# a2ensite cvs.home.local
Reload Apache2:
# /etc/init.d/apache2 reload
Automating the backups
Add a task on both cluster nodes:
# vim /etc/crontab
# Back up the active devices on my network
# /etc/crontab runs under /bin/sh, so redirections use the portable ">/dev/null 2>&1" form
# and the host name comes from hostname(1) rather than the bash-only $HOSTNAME variable.
30 19 * * * root ( crm_resource --resource ClusterFS --locate | grep -qw "$(hostname)" ) && ( ! ps -e | grep -q rancid-run ) && sudo -u rancid /var/lib/rancid/bin/rancid-run >/dev/null 2>&1
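The same "only on the node that owns the DRBD resource, and never twice at once" rule, as an added wrapper script that is not part of the original page: the decision is isolated in should_run so it can be checked without a cluster. It assumes the resource is named ClusterFS (as in the crontab entry above) and that crm_resource --locate prints a line such as "resource ClusterFS is running on: node1"; the install path /usr/local/sbin/rancid-cluster-run is hypothetical.

```shell
#!/bin/sh
# rancid-cluster-run: start rancid-run only on the node that owns the DRBD filesystem.
# Added example, not part of the original page. Assumes the Pacemaker resource is
# named ClusterFS (as in the crontab entry) and that
#   crm_resource --resource ClusterFS --locate
# prints a line like "resource ClusterFS is running on: node1".

# should_run LOCATE_OUTPUT HOSTNAME RUNNING_COUNT
# Returns 0 when HOSTNAME appears in LOCATE_OUTPUT and RUNNING_COUNT is 0,
# 1 when this node does not own the resource (so /cluster is not mounted here),
# 2 when a collection is already in progress.
should_run() {
    locate_output=$1
    host=$2
    running=$3
    # -w keeps node1 from matching node10; empty output (resource stopped) never matches
    printf '%s\n' "$locate_output" | grep -qw -- "$host" || return 1
    # never start a second collection while one is still running
    [ "$running" -eq 0 ] || return 2
    return 0
}

# Number of rancid-run processes currently alive. pgrep -x matches the process
# name exactly, so neither this wrapper nor a grep is counted by mistake.
count_rancid_run() {
    pgrep -x rancid-run | wc -l | tr -d ' '
}

main() {
    locate=$(crm_resource --resource ClusterFS --locate 2>/dev/null) || locate=''
    if should_run "$locate" "$(hostname)" "$(count_rancid_run)"; then
        # same command as the crontab entry on the page
        exec sudo -u rancid /var/lib/rancid/bin/rancid-run
    fi
}

# Only act when invoked as "rancid-cluster-run run" (from cron); otherwise the
# file can be sourced to reuse should_run.
if [ "${1:-}" = run ]; then
    main
fi
```

Installed on both nodes, the crontab line then becomes `30 19 * * * root /usr/local/sbin/rancid-cluster-run run` (hypothetical path), and the passive node exits quietly because should_run returns 1.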