Intégration d’une ressource DRBD sur un cluster Pacemaker/CoroSync sous GNU/Linux Debian

Partitionnement

Remarque : les actions suivantes sont à réaliser sur les deux noeuds.

Voici le disque dédié à DRBD, sans partition :

# fdisk -l /dev/cciss/c0d1
Disk /dev/cciss/c0d1: 39.4 GB, 39406141440 bytes
255 heads, 32 sectors/track, 9432 cylinders
Units = cylinders of 8160 * 512 = 4177920 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x64476aa0

Disk /dev/cciss/c0d1 doesn't contain a valid partition table

Lancer l’outil de partitionnement de ce même disque :

# cfdisk /dev/cciss/c0d1

Une fois le partitionnement terminé, voici ce que nous obtenons :

# fdisk -l /dev/cciss/c0d1
Disk /dev/cciss/c0d1: 39.4 GB, 39406141440 bytes
255 heads, 32 sectors/track, 9432 cylinders
Units = cylinders of 8160 * 512 = 4177920 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x64476aa0


Device Boot      Start         End      Blocks   Id  System
/dev/cciss/c0d1p1               1        9432    38482544   83  Linux

DRBD ou le RAID 1 over TCP/IP

Remarque : les actions suivantes sont à réaliser sur les deux noeuds. Installer DRBD :

# aptitude install drbd8-utils

Lancer le module approprié :

# modprobe drbd

Vérifier la présence du module :

# lsmod | grep drbd
drbd                  172668  0
lru_cache               4018  1 drbd
cn                      3631  1 drbd

Sauvegarder la configuration d’origine :

# cp /etc/drbd.conf /etc/drbd.conf.original

Configurer DRBD :

# > /etc/drbd.conf
# vim /etc/drbd.conf
global { usage-count no; }
common { syncer { rate 100M; } }
resource r0 {
        protocol C;
        startup {
                wfc-timeout  15;
                degr-wfc-timeout 60;
        }
        net {
                cram-hmac-alg sha1;
                shared-secret "***********";
        }
        on vm-debian1 {
                device /dev/drbd0;
                disk /dev/cciss/c0d1;
                address 10.20.30.1:7788;
                meta-disk internal;
        }
        on vm-debian2 {
                device /dev/drbd0;
                disk /dev/cciss/c0d1;
                address 10.20.30.2:7788;
                meta-disk internal;
        }
}

Initialiser le RAID avec la ressource r0 :

# drbdadm create-md r0
md_offset 39406137344
al_offset 39406104576
bm_offset 39404900352

Found some data

 ==> This might destroy existing data! <==

Do you want to proceed?
[need to type 'yes' to confirm] yes

Writing meta data...
initializing activity log
NOT initialized bitmap
New drbd meta data block successfully created.

Démarrer le service DRBD :

# /etc/init.d/drbd start

Remarque  : les actions suivantes sont à réaliser uniquement sur le premier noeud.

Forcer la réplication des données de la ressource r0 depuis le premier noeud :

# drbdadm -- --overwrite-data-of-peer primary all

Vérifier le status de la ressource r0 :

# cat /proc/drbd

Créer le système de fichiers sur le volume DRBD :

# mkfs.ext3 /dev/drbd0

Intégration de la ressource DRBD sous Pacemaker

Créer le point de montage :

# mkdir /cluster

Exemple de configuration de Pacemaker :

# crm configure show
node vm-debian1
node vm-debian2
primitive ClusterDisk ocf:linbit:drbd \
        params drbd_resource="r0" \
        op monitor interval="15s"
primitive ClusterFS ocf:heartbeat:Filesystem \
        params device="/dev/drbd0" directory="/cluster" fstype="ext3"
primitive ClusterIP ocf:heartbeat:IPaddr2 \
        params ip="10.20.30.10" cidr_netmask="23" \
        op monitor interval="15"
primitive Nagios lsb:nagios \
        op monitor interval="15s" timeout="20s" \
        meta target-role="Stopped"
ms MasterSlaveDisk ClusterDisk \
        meta master-max="1" master-node-max="1" clone-max="2" clone-node-max="1" notify="true" target-role="Started"
colocation Nagios-with-ClusterFS inf: Nagios ClusterFS
colocation mount-ClusterFS-on-Master inf: ClusterFS MasterSlaveDisk:Master
colocation mount-ClusterIP-with-ClusterFS inf: ClusterIP ClusterFS
order Nagios-after-ClusterFS inf: ClusterFS Nagios
order mount-ClusterFS-after-ClusterDisk inf: MasterSlaveDisk:promote ClusterFS:start
order mount-ClusterIP-after-ClusterFS inf: ClusterFS ClusterIP
property $id="cib-bootstrap-options" \
        dc-version="1.0.9-74392a28b7f31d7ddc86689598bd23114f58978b" \
        cluster-infrastructure="openais" \
        expected-quorum-votes="2" \
        stonith-enabled="false" \
        no-quorum-policy="ignore" \
        last-lrm-refresh="1334323679"
rsc_defaults $id="rsc-options" \
        resource-stickiness="100"

Exemple d’un problème de synchronisation

Sur le noeud 1 :

# drbdadm status
<drbd-status version="8.3.7" api="88">
<resources config_file="/etc/drbd.conf">
<resource minor="0" name="r0" cs="StandAlone" ro1="Primary" ro2="Unknown" ds1="UpToDate" ds2="DUnknown" />
</resources>
</drbd-status>

Sur le noeud 2 :

# drbdadm status
<drbd-status version="8.3.7" api="88">
<resources config_file="/etc/drbd.conf">
<resource minor="0" name="r0" cs="StandAlone" ro1="Secondary" ro2="Unknown" ds1="Outdated" ds2="DUnknown" />
</resources>
</drbd-status>

Ce à quoi cela correspond :

You suffer from schizophrenic DRBD, better known as “split brain”.

Basically it means that both nodes became primary on your test resource and started writing to it. The result is an inconsistent resource, which is then called “split brain”. Please read the documentation carefully, you will have to discard the data on one of your nodes and let drbd sync that node from scratch.

Déconnecter le noeud avec les “mauvaises” données :

# drbdadm -- --discard-my-data connect all

Lancer la synchronisation depuis le noeud avec les “bonnes” données :

# drbdadm connect all

Sauvegarde et archivage des configurations des équipements avec Rancid sous GNU/Linux Debian

Pré-requis

Un compte de service rancid renseigné dans l’annuaire Active Directory

Un cluster Pacemaker/Corosync avec une ressource DRBD

Les noeuds du cluster sont membres du domaine Active Directory

Un serveur Apache2 sur chaque nœud du cluster

Un serveur TACACS+ sur chaque nœud du cluster

La clé et le certificat du du VHost pour CVSWeb ainsi que le certificat de la CA.

Configuration de TACACS+

Renseigner l’utilisateur rancid au sein des serveurs TACACS+ :

vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Relancer les serveurs TACACS+ :

# /etc/init.d/tacacs_plus reload
# /etc/init.d/tacacs_plus_nortel reload

Installation et configuration de Rancid

Installer Rancid :

# aptitude update && aptitude install rancid

Sauvegarder le fichier de configuration de Rancid :

# cp /etc/rancid/rancid.conf /etc/rancid/rancid.conf.original

Modifier la configuration de Rancid :

# vim /etc/rancid/rancid.conf
# rancid 2.3.3
# This file sets up the environment used for rancid.  see rancid.conf(5)
#
# This will be site specific
#
TERM=network;export TERM
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Under BASEDIR (i.e.: --localstatedir), there will be a "logs" directory for
# the logs from rancid and a directory for each group of routers defined in
# LIST_OF_GROUPS (below).  In addition to these, there will be a "CVS"
# directory which is the cvs (or Subversion) repository.
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository.  Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn".  Do not change
# this after CVSROOT has been created with rancid-cvs.  Changing between these
# requires manual conversions.
RCSSYS=cvs; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
#
# if NOPIPE is set, temp files will be used instead of a cmd pipe during
# collection from the router(s).
#NOPIPE=YES; export NOPIPE
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL).  see rancid.conf(5).
#FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
#NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up.  Minimum: 1
#MAX_ROUNDS=4; export MAX_ROUNDS
#
# How many hours should pass before complaining about routers that
# can not be reached.  The value should be greater than the number
# of hours between your rancid-run cron job.  Default: 24
#OLDTIME=4; export OLDTIME
#
# How many hours should pass before complaining that a group's collection
# (the age of it's lock file) is hung.
#LOCKTIME=4; export LOCKTIME
#
# The number of devices to collect simultaneously.
#PAR_COUNT=5; export PAR_COUNT
#
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"
# more groups...
LIST_OF_GROUPS="GRP1 GRP2 GRP3"
#
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
#   rancid-group:       joe,moe@foo
#   rancid-admin-group: hostmaster
# be sure to read ../README regarding aliases.
#
# If your MTA configuration is broken or you want mail to be forwarded to a
# domain not the same as the local one, define that domain here.  "@" must be
# included, as this is simply appended to the usual recipients.  It is NOT
# appended to recipients specified in rancid-run's -m option.
#MAILDOMAIN="@example.com"; export MAILDOMAIN
#
# By default, rancid mail is marked with precedence "bulk".  This may be
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers.  Individual headers must be separated
# by a \n.
#MAILHEADERS="Precedence: bulk"; export MAILHEADERS

Sur le noeud actif du cluster, déplacer l’arborescence de travail de Rancid sur le disque DRBD :

# mv /var/lib/rancid /cluster/
# ln -s /cluster/rancid /var/lib/
# rm /var/lib/rancid/logs && ln -s /var/log/rancid /cluster/rancid/logs

Sur le noeud passif du cluster, détruire l’arborescence de travail de Rancid et pointer sur la ressource DRBD :

# rm -rf /var/lib/rancid
# ln -s /cluster/rancid /var/lib/

Remarque : les actions à effectuer sur l’arborescence /var/lib/rancid ne sont à réaliser que sur le noeud actif sur lequel est monter la ressource DRBD, sous /cluster.

Ajouter un fichier de configuration pour les paramètres de connexion de l’utilisateurs rancid sur les équipements :

# vim /var/lib/rancid/.cloginrc
add cyphertype sw1.home.local {aes128-cbc}
add cyphertype sw2.home.local {aes128-cbc}
add cyphertype sw3.home.local {aes128-cbc}
add cyphertype sw4.home.local {aes128-cbc}
add noenable * {1}
add autoenable * {1}
add user * {rancid}
add password * {-----------}
# chmod 600 /var/lib/rancid/.cloginrc && chown rancid:rancid /var/lib/rancid/.cloginrc

Récupérer les add-ons H3C pour Rancid (h3clogin et h3crancid) et les placer sous /var/lib/rancid/bin/ (penser à vérifier l’interpréteur renseigné dans l’en-tête de ces scripts) :

# chown root:root /var/lib/rancid/bin/h3c*

Renseigner le modèle H3C dans Rancid :

# vim /var/lib/rancid/bin/rancid-fe

Créer l’arborescence CVS et les fichiers de configuration associés au groupes renseignés dans Rancid :

# usermod -s /bin/bash rancid
# su - rancid
$ /var/lib/rancid/bin/rancid-cvs

Compléter la liste des équipements pour chacun des groupes :

$ vim /var/lib/rancid/GRP1/router.db
#hostname:os:status
sw1.home.local:h3c:up
sw2.home.local:h3c:up
$ vim /var/lib/rancid/GRP2/router.db
#hostname:os:status
sw3.home.local:h3c:up
$ vim /var/lib/rancid/GRP3/router.db
#hostname:os:status
sw4.home.local:h3c:up

Lancer une première collecte de la configuration des équipements :

$ /var/lib/rancid/bin/rancid-run

Installation et configuration de CVSWeb

Installer CVSWeb :

# aptitude install cvsweb

Sauvegarder la configuration de CVSWeb :

# cp /etc/cvsweb/cvsweb.conf /etc/cvsweb/cvsweb.conf.original

Modifier la configuration de CVSWeb :

# vim /etc/cvsweb/cvsweb.conf
#                                                                  -*- perl -*-
# Configuration of cvsweb.cgi, a web interface to CVS repositories.
#
# (c) 1998-1999 H. Zeller    <zeller@think.de>
#     1999      H. Nordstrom <hno@hem.passagen.se>
#     2000-2002 A. MUSHA     <knu@FreeBSD.org>
#     2002-2005 V. Skyttä    <scop@FreeBSD.org>
#          based on work by Bill Fenner  <fenner@FreeBSD.org>
#
# $FreeBSD: projects/cvsweb/cvsweb.conf,v 1.97 2005/06/19 09:13:50 scop Exp $
# $Id: cvsweb.conf,v 1.29 2001/07/23 09:14:52 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.conf,v 1.27 2001/08/01 09:48:39 knu Exp $
#

#
# Unless otherwise noted, all boolean parameters here default to off
# when no value for them has been explicitly set.
#

# Set the path for the following commands:
#   cvs, rlog, rcsdiff
#   gzip (if you enable $allow_compress)
#   (g)tar, zip (if you enable $allow_tar)
#   cvsgraph (if you enable $allow_graph)
#   enscript (if you enable $allow_enscript)
#
@command_path = qw(/bin /usr/bin /usr/local/bin);

# Search the above directories for each command (prefer gtar over tar).
#
for (qw(cvs rlog rcsdiff gzip gtar zip cvsgraph enscript)) {
        $CMD{$_} = search_path($_);
}
$CMD{tar}   = delete($CMD{gtar}) if $CMD{gtar};
$CMD{tar} ||= search_path('tar');

# CVS roots
#
# CVSweb can handle several CVS repositories at once.  Enter short (internal)
# symbolic repository names, their names in the UI and the actual locations
# here.  The repositories will be listed in the order they're specified here.
#
# Obviously, CVSweb will need read access to these repository dirs.  If you
# receive an error that no valid CVS roots were found, double-check the file
# permissions and any other attributes your system may have for the repository
# directories, such as SELinux file contexts.
#
# CVSweb will also load per-cvsroot configuration files if they exist.
# The symbolic_name (see below) of the CVS root will be concatenated into the
# name of the main (this) configuration file along with a hyphen, and that
# file will be loaded for that particular CVS root.  For examples, see
# cvsweb.conf-* in the CVSweb distribution.
#
# Note that only local repositories are currently supported.  Things like
# :pserver:someone@xyz.com:/data/cvsroot won't work.
#
# 'symbolic_name' => ['Name to display',  '/path/to/cvsroot']
#
@CVSrepositories = (
#       'local'   => ['Local Repository', '/var/lib/cvs'],
#       'freebsd' => ['FreeBSD',          '/var/ncvs'],
#       'openbsd' => ['OpenBSD',          '/var/ncvs'],
#       'netbsd'  => ['NetBSD',           '/var/ncvs'],
#       'ruby'    => ['Ruby',             '/var/anoncvs/ruby'],
        'Rancid'     => ['My Network Devices', '/var/lib/rancid/CVS'],
);

# The default CVS root.  Note that @CVSrepositories is list, not a hash,
# so you'll want to use 2 * 0-based-index-number here; or set this directly
# to the default's symbolic name. Unless specified, the first valid one in
# @CVSrepositories is used as the default.
#
# For example:
#
#$cvstreedefault = $CVSrepositories[2 * 0];
#$cvstreedefault = 'local';

# Mirror sites.  The keys will be used as link texts, and the values are
# URLs pointing to the corresponding mirrors.
#
#%MIRRORS = (
#     'Other location'  => 'http://192.168.0.1/cgi-bin/cvsweb.cgi/',
#     'Yet another one' => 'http://192.168.0.2/cgi-bin/cvsweb.cgi/',
#);

# Bug tracking system linking options ("PR" means Problem Report, as in GNATS)
# This will be done only for views for which $allow_*_extra below is true.
#
#@prcategories = qw(
#    advocacy
#    alpha
#    bin
#    conf
#    docs
#    gnu
#    i386
#    kern
#    misc
#    pending
#    ports
#    sparc
#);
#$prcgi = "http://www.FreeBSD.org/cgi/query-pr.cgi?pr=%s";
#$prkeyword = "PR";

# Manual gateway linking.  This will be done only for views for which
# $allow_*_extra below is true.
#
$mancgi =
    "http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";

# Defaults for user definable options.
#
%DEFAULTVALUE = (

    # sortby: File sort order
    #   file   Sort by filename
    #   rev    Sort by revision number
    #   date   Sort by commit date
    #   author Sort by author
    #   log    Sort by log message
    "sortby" => "file",

    # ignorecase: Ignore case in sorts (filenames, authors, log messages)
    #   0      Honor case
    #   1      Ignore case
    "ignorecase" => "0",

    # hideattic: Hide or show files in Attic
    #   1      Hide files in Attic
    #   0      Show files in Attic
    "hideattic" => "1",

    # logsort: Sort order for CVS logs
    #   date   Sort revisions by date
    #   rev    Sort revision by revision number
    #   cvs    Don't sort them. Same order as CVS/RCS shows them.
    "logsort" => "date",

    # f: Default diff format
    #   h      Human readable
    #   u      Unified diff
    #   c      Context diff
    #   s      Side by side
    #   uc     Unified diff, enscript colored (falls back to "u" w/o enscript)
    #   cc     Context diff, enscript colored (falls back to "c" w/o enscript)
    #   sc     Side by side, enscript colored (falls back to "s" w/o enscript)
    "f" => "u",

    # hidecvsroot: Don't show the CVSROOT directory.  Note that this is
    # just the default for a user settable option (like others in this
    # %DEFAULTVALUE hash); it won't really prevent access to CVSROOT.
    # See @ForbiddenFiles for that.
    #   1      Do not include the top-level CVSROOT directory in dir listings
    #   0      Treat the top-level CVSROOT directory just like all other dirs
    "hidecvsroot" => "0",

    # hidenonreadable: Don't show files and directories that cannot be read
    # in directory listings.
    #   1      Hide non-readable entries
    #   0      Show non-readable entries
    "hidenonreadable" => "1",

    # ln: Show line numbers in HTMLized views
    #   1      Show line numbers
    #   0      Don't show line numbers
    "ln" => "0",
);

#
# Layout options (see also the included CSS file)
#

# Wanna have a logo on the page ?
#
#$logo = '<p><img src="/icons/apache_pb.gif" alt="Powered by Apache" /></p>';

# The title of the Page on startup.  This will be put inside <h1> and <title>
# tags, and HTML escaped.
#
$defaulttitle = "My Network CVS Repository";

# The address is shown on the footer.  This will be put inside a <address> tag.
#
$address = '<span style="font-size: smaller">My Network CVS <<a href="mailto:network-cvs@home.local">network-cvs@home.local</a>></span>';

$long_intro = <<EOT;
<p>Dépôt CVS pour l'archivage des configuration des équipements
actifs de mon réseau.
</p>
EOT

$short_instruction = <<EOT;
<p>
Click on a directory to enter that directory. Click on a file to display
its revision history and to get a chance to display diffs between revisions.
</p>
EOT

# Icons for the web UI.  If ICON-URL is empty, the TEXT representation is
# used.  If you do not want to have a tool tip for an icon, set TEXT empty.
# The width and height of the icon allow the browser to correctly display
# the table while still loading the icons.  If these icons are too large,
# check out the "mini" versions in the icons/ directory; they have a
# width/height of 16/16.
#
my $iconsdir = '/cvsweb/icons';

# format:          TEXT       ICON-URL                  width height
%ICONS = (
     back    => [('[BACK]',   "$iconsdir/back.gif",      20,   22)],
     dir     => [('[DIR]',    "$iconsdir/dir.gif",       20,   22)],
     file    => [('[TXT]',    "$iconsdir/text.gif",      20,   22)],
     binfile => [('[BIN]',    "$iconsdir/binary.gif",    20,   22)],
     graph   => [('[GRAPH]',  "$iconsdir/minigraph.png", 16,   16)],
);
undef $iconsdir;

# An URL where to find the CSS.
#
$cssurl = '/cvsweb/css/cvsweb.css';

# The length to which the last log entry should be truncated when shown
# in the directory view.
#
$shortLogLen = 80;

# Show author of last change?
#
$show_author = 0; # Off for Debian for security by obscurity

# Cell padding for directory table.
#
$tablepadding = 2;

# Regular expressions for files and directories which should be hidden.
# Each regexp is compared against a path relative to a CVS root, after
# stripping the trailing ",v" if present.  Matching files and directories
# are not displayed.
#
@ForbiddenFiles = (
    qr|^CVSROOT/+passwd$|o, # CVSROOT/passwd should not be 'cvs add'ed though.
    qr|/\.cvspass$|o,       # Ditto.  Just in case.
   #qr|^my/+secret/+dir|o,
);

# Use CVSROOT/descriptions for describing the directories/modules?
# See INSTALL, section 9.
#
$use_descriptions = 0;

#
# Human readable diff.
#
# (c) 1998 H. Zeller <zeller@think.de>
#
# Generates two columns of color encoded diff; much like xdiff or GNU Emacs'
# ediff-mode.
#
# The diff-stuff is a piece of code I once made for cvs2html which is under
# GPL, see http://www.sslug.dk/cvs2html
# (c) 1997/98 Peter Toft <pto@sslug.imm.dtu.dk>

# Make lines breakable so that the columns do not exceed the width of the
# browser?
#
$hr_breakable = 1;

# Print function names in diffs (unified and context only).
# See the -p option in the diff(1) man page.
#
$showfunc = 1;

# For each pair of regexps, files that match the first regexp will be diff'ed
# with an -F option using the second regexp (unified and context only).
# See the -F option in the diff(1) man page.
#
%funcline_regexp = (
    qr/\.(?:4th|fr)$/o => "\\(^\\|[ \t]\\): ",
    qr/\.rb$/o         => "^[\t ]*\\(class\\|module\\|def\\) ",
);

# Ignore whitespace in human readable diffs? ('-w' option to diff)
#
$hr_ignwhite = 0;

# Ignore diffs which are caused by keyword substitution, $Id and friends?
# ('-kk' option to rcsdiff)
#
$hr_ignkeysubst = 1;

# The width of the textinput of the "request diff" form.
#
$inputTextSize = 12;

# Custom per MIME type diff tools, used for comparing binary files such as
# spreadsheets, images etc.  Each key is a MIME type in lowercase.
# Each value is an array ref of available diff tools for that type, each of
# which is a hash ref with values (mandatory where default not listed):
#   name: the name to show in the UI for this diff type
#   cmd:  full path to executable
#   args: arguments as an array ref (not string!, defaults to no arguments)
#   type: output MIME type (defaults to text/plain)
#
%DIFF_COMMANDS = (
  #'text/xml' => [
  #  { name => 'XMLdiff',
  #    cmd  => $CMD{xmldiff},
  #  },
  #  { name => 'XMLdiff (XUpdate)',
  #    cmd  => $CMD{xmldiff},
  #    args => [ qw(-x) ],
  #    type => 'text/xml',
  #  },
  #],
);

#
# Mime types
#

# The MIME type lookup works like this:
# 1) Look up from %MTYPES below with the file name extension (suffix).
# 2) If not found, use the MIME::Types(3) module if it's available.
# 3) If not found, lookup from the $mime_types file (see below).
# 4) If not found, try %MTYPES{'*'}.
# 5) If not found, use 'application/octet-stream' if the file's keyword
#    substitution mode is b (ie. the file was checked in as binary to CVS),
#    'text/plain' otherwise.

# Quick MIME type lookup; maps filename extensions to MIME types.
# Add common mappings here for fast lookup.  You can also use this
# to override MIME::Types(3) or the $mime_types file (see below).
#
%MTYPES = (
        "html"  => "text/html",
        "shtml" => "text/html",
        "gif"   => "image/gif",
        "jpeg"  => "image/jpeg",
        "jpg"   => "image/jpeg",
        "png"   => "image/png",
        "xpm"   => "image/xpm",
#       "*"     => "text/plain",
);

# The traditional mime.types file, eg. the one from Apache is fine.
# See above where this gets used.
#
$mime_types = '/etc/mime.types';

# Charset appended to the Content-Type HTTP header for text/* MIME types.
# Note that the web server may default to some charset which may take effect
# if you leave this parameter empty or unset.
# For Apache, see also the AddDefaultCharset directive.
#
$charset = '';

# e.g.
#$charset = $where =~ m,/ru[/_-], ? 'koi8-r'
#  : $where =~ m,/zh[/_-], ? 'big5'
#  : $where =~ m,/ja[/_-], ? 'x-euc-jp'
#  : $where =~ m,/ko[/_-], ? 'x-euc-kr'
#  : 'iso-8859-1';

# Output filter
#
$output_filter = '';

# e.g.
## unify/convert Japanese code into EUC-JP
#$output_filter= '/usr/local/bin/nkf -e';

##############
# Misc
##############

# Allow annotation of files?  See also @annotate_options below.
#
$allow_annotate = 1;

# Allow HTMLized versions of files?
#
$allow_markup = 1;

# Allow CVSweb to create mailto: links from email addresses in various
# HTMLized views?  Default: yes.
#
#$allow_mailtos = 0;

## Extra hyperlinking means hyperlinks to bug tracking systems and manual page
## gateways, see $prcgi and $mancgi and related options above.

# Allow extra hyperlinking (such as PR cross-references) in logs?
# Default: yes.
#
#$allow_log_extra = 0;

# Allow extra hyperlinking in directory views?
#
$allow_dir_extra = 1;

# Allow extra hyperlinking in source code/formatted diff views?
#
$allow_source_extra = 1;

# Allow compression with gzip in general?  Note that this also requires
# that the browser supports it, and will be disabled on the fly when necessary.
#
#$allow_compress = 1;

# Use JavaScript in the UI?
#
$use_java_script = 1;

# Show a form for setting options in the directory view?
#
$edit_option_form = 1;

# Show last changelog message for subdirectories?
# The current implementation makes many assumptions and may show the
# incorrect file at some times. The main assumption is that the last
# modified file has the newest filedate. But some CVS operations
# touch the file even when a new version isn't checked in, and TAG
# based browsing essentially puts this out of order unless the last
# checkin was on the same tag as you are viewing.
# Enable this if you like the feature, but don't rely on correct results.
#
#$show_subdir_lastmod = 1;

# Show CVS log when viewing file contents?
#
$show_log_in_markup = 1;

# Preformat when viewing file contents?  This should be turned off
# when you have files in the repository that are in a multibyte
# encoding which uses HTML special characters ([<>&"]) as part of a
# multibyte character. (such as iso-2022-jp, ShiftJIS, etc.)
# Otherwise those files will get screwed up in markup.
#
# Note: enscript(1) highlighting is preferred over the built-in preformatting,
# ie. this has no effect if $allow_enscript is true and enscript can highlight
# the file.
#
#$preformat_in_markup = 1;

# Default tab width used to expand tabs to spaces in various HTMLized views.
# Note that CVSweb scans the first few lines of sources for some common editor
# directives controlling the tab width.  It uses the value from them if found,
# falling back to the value of $tabstop if not.  Default: 8.
#
#$tabstop = 4;

# If you wish to display absolute times in your local timezone,
# then define @mytz and fill in the strings for your standard and
# daylight time. Note that you must also make sure the system
# timezone is correctly set.
#
#@mytz=("EST", "EDT");

# CVSweb is friendly to caches by sending the HTTP Last-Modified
# header corresponding to the sent content.  In the case of a
# checkout, this may require running rcslog on the file solely for the
# purpose of retrieving the timestamp to be sent.  If you have a slow
# server, you may want to turn this off for a small performance gain.
#
$use_moddate = 1;

# Maximum number of filenames to pass to rlog(1) in one command.
# If you see "Failed to spawn GNU rlog" errors with directories containing
# lots of files, experiment by setting this to different values and see if
# the error still occurs.  A good value to start from would be eg. 200.
# Just comment this out if you're not bitten by the problem.
#
#$file_list_len = 200;

# Allow graphical representations of file revisions and branches with CvsGraph?
#
$allow_cvsgraph = $CMD{cvsgraph} ? 1 : 0;

# Path to the CvsGraph configuration file.  Only used if $allow_cvsgraph
# is true.  Leave this empty or comment it out to make cvsgraph(1) use its
# default configuration file.  Note that CVSweb will override some of the
# settings in the configuration file with command line options, see
# doGraph() and doGraphView() in cvsweb.cgi for details.
#
#$cvsgraph_config = "/etc/cvsgraph.conf";

# URL to the CVSHistory script.  This should be absolute (but does not need
# to include the host and port if the script is on the same server as
# CVSweb).
#$cvshistory_url = "/cgi-bin/cvshistory.cgi";

# Whether to allow downloading a tarball or a zip of the current directory.
# While downloading of the entire repository is disallowed, depending on
# the directory this may take a lot of time and disk space.  For some CVS
# versions, the user account running CVSweb needs write access to
# CVSROOT/val-tags.  See also the tar, gzip and zip options below.
#
#$allow_tar = (($CMD{tar} && $CMD{gzip}) || $CMD{zip}) ? 1 : 0;

# Options to pass to tar(1).
# For example: @tar_options = qw(--ignore-failed-read);
# GNU tar has some useful options against unexpected errors.
# Other useful options include "--owner=0" and "--group=0", see
# the tar(1) (or gtar(1)) manpage for details.
#
@tar_options = qw();

# Options to pass to gzip(1) when compressing a tarball to download.
# For example: @gzip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@gzip_options = qw();

# Options to pass to zip(1) when compressing a zip archive to download.
# For example: @zip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@zip_options = qw(-q);

# Options to pass to cvs(1).
# For cvs versions 1.11 to 1.11.6 (broken in < 1.11, removed in 1.11.7), you
# can use the '-l' option to prevent cvs from writing to the history file.
# For other cvs versions, either suppress history logging by using the
# LogHistory parameter in CVSROOT/config or make sure that the CVSweb user
# can read and write to CVSROOT/history.
# FreeBSD's and OpenBSD's cvs(1) has long since supported -R (read only access
# mode) option, which considerably speeds up checkouts over NFS.  For other
# platforms, the -R option and the CVSREADONLYFS environment variable are
# available in cvs >= 1.12.1.  A similar effect is provided by -u on NetBSD.
#
@cvs_options = qw(-f);
push @cvs_options, '-R' if ($^O eq 'freebsd' || $^O eq 'openbsd');
push @cvs_options, '-u' if ($^O eq 'netbsd');
# Only affects cvs >= 1.12.1, but doesn't hurt older ones.
$ENV{CVSREADONLYFS} = 1 unless exists($ENV{CVSREADONLYFS});

# Options to pass to the 'cvs annotate' command, usually the normal
# @cvs_options are good enough here.
# To make annotate work against a read only repository, add -n, ie.:
# @annotate_options = (@cvs_options, '-n');
#
@annotate_options = @cvs_options;

# Options to pass to rcsdiff(1).
# Probably the only useful one here is -q (suppress diagnostic output).
#
@rcsdiff_options = qw(-q);

# Enables syntax highlighting using GNU Enscript if set.
# You will need GNU Enscript version 1.6.3 or newer for this to work.
#
#$allow_enscript = $CMD{enscript} ? 1 : 0;

# Options to pass to enscript(1).
# Do not set the -q, --language, -o or --highlight options here.
# Most useful styles are probably emacs, emacs_verbose and msvc.
#
@enscript_options = qw(--style=emacs --color=1);

# Enscript highlight rule to filename regex mappings.  The set of useful
# mappings depends on what highlight rules the system has installed.
#
%enscript_types =
  (
   'ada'          => qr/\.ad(s|b|a)$/o,
   'asm'          => qr/\.[Ss]$/o,
   'awk'          => qr/\.awk$/o,
   'bash'         => qr/\.(bash(_profile|rc)|inputrc)$/o,
   'c'            => qr/\.(c|h)$/o,
   'changelog'    => qr/^changelog$/io,
   'cpp'          => qr/\.(c\+\+|C|H|cpp|cc|cxx)$/o,
   'csh'          => qr/\.(csh(rc)?|log(in|out)|history)$/o,
   'elisp'        => qr/\.e(l|macs)$/o,
   'fortran'      => qr/\.[fF]$/o,
   'haskell'      => qr/\.(l?h|l?g)s$/o,
   'html'         => qr/\.x?html?$/o,
   'idl'          => qr/\.idl$/o,
   'inf'          => qr/\.inf$/io,
   'java'         => qr/\.java$/o,
   'javascript'   => qr/\.(js|pac)$/o,
   'ksh'          => qr/\.ksh$/o,
   'm4'           => qr/\.m4$/o,
   'makefile'     => qr/(GNU)?[Mm]akefile(?!\.PL\b)|\.(ma?ke?|am)$/o,
   'matlab'       => qr/\.m$/o,
   'nroff'        => qr/\.man$/o,
   'pascal'       => qr/\.p(as|p)?$/io,
   'perl'         => qr/\.p(m|(er)?l)$/io,
   'postscript'   => qr/\.e?ps$/io,
   'python'       => qr/\.py$/o,
   'rfc'          => qr/\b((rfc|draft)\..*\.txt)$/o,
   'scheme'       => qr/\.(scm|scheme)$/o,
   'sh'           => qr/\.sh$/o,
   'skill'        => qr/\.il$/o,
   'sql'          => qr/\.sql$/o,
   'states'       => qr/\.st$/o,
   'synopsys'     => qr/\.s(cr|yn(th)?)$/o,
   'tcl'          => qr/\.tcl$/o,
   'tcsh'         => qr/\.tcshrc$/o,
   'tex'          => qr/\.tex$/o,
   'vba'          => qr/\.vba$/o,
   'verilog'      => qr/\.(v|vh)$/o,
   'vhdl'         => qr/\.vhdl?$/o,
   'vrml'         => qr/\.wrl$/o,
   'wmlscript'    => qr/\.wmls(cript)?$/o,
   'zsh'          => qr/\.(zsh(env|rc)|z(profile|log(in|out)))$/o,
  );

# Troubleshooting: in case of problems, setting this to 1 will cause more
# error output into your web server error log.  Under normal operation,
# this should be set to 0 or commented out.
#
#$DEBUG = 1;

# Enable this to let CVSweb load extra configuration files from the "conf.d"
# subdirectory of the directory this file is located in.  This enables site
# specific configuration without having to modify this "master" configuration
# file (except for enabling this functionality below :)
#
if (0) {
  my $confdir = catdir(dirname(__FILE__), 'conf.d');
  if (opendir(CONFD, $confdir)) {
    my @files = sort(map(catfile($confdir, $_), readdir(CONFD)));
    close(CONFD);
    for my $conffile (grep(-f && -r _, @files)) {
      ($conffile) = ($conffile =~ /(.+\.conf)$/) or next;
      do "$conffile" or config_error($conffile, $@);
    }
  }
}

1;

# EOF

Créer le répertoire pour le VHost Apache cvs.home.local :

# mkdir /var/www/cvs.home.local/

Créer un répertoire pour les clés et certificats SSL utilisés par Apache :

# mkdir /etc/apache2/ssl/

Placer la clés et les certificats adéquats :

  • ca.crt
  • wildcard.home.local.crt
  • wildcard.home.local.key

Créer la configuration du VHost Apache cvs.home.local :

# vim /etc/apache2/sites-available/cvs.home.local
<VirtualHost *:80>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     (.*)    https://%{SERVER_NAME}$1
        </IfModule>

</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        DocumentRoot /var/www/cvs.home.local/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Location />
                Order deny,allow
                Deny from all
                Allow from 10.20.30.0/24

                AuthUserFile /etc/apache2/passwd
                AuthName "!HOME! Restricted Access !HOME!"
                AuthType Basic
                Require user admin

                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                #RedirectMatch ^/$ /apache2-default/
        </Location>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        Alias /cvsweb /usr/share/cvsweb

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     ^/$    /cgi-bin/cvsweb  [R]
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/cvs.home.local-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/cvs.home.local-access.log combined
        ServerSignature Off

        <IfModule mod_ssl.c>
                SSLEngine on
                SSLCertificateFile /etc/apache2/ssl/wildcard.home.local.crt
                SSLCertificateKeyFile /etc/apache2/ssl/wildcard.home.local.key
                SSLCACertificateFile /etc/apache2/ssl/ca.crt
        </IfModule>
</VirtualHost>

Activer les modules Apache nécessaires :

# a2enmod rewrite ssl cgi

Activer le VHost Apache cvs.home.local :

# a2ensite cvs.home.local

Relancer Apache2 :

# /etc/init.d/apache2 reload

Automatisation des sauvegardes

Ajouter une tâches sur les deux noeuds du cluster :

# vim /etc/crontab
# Sauvegarde des equipements actifs de mon reseau
30 19 * * *     root    ( crm_resource --resource ClusterFS --locate | grep $HOSTNAME &> /dev/null ) && ( ! ps -e | grep rancid-run ) && sudo -u rancid /var/lib/rancid/bin/rancid-run &> /dev/null

Intégration d’un système GNU/Linux Debian dans un domaine Active Directory

Synchronisation d’horloges

Installation du paquet :

# aptitude install ntp

Configuration du NTP :

# vim /etc/ntp.conf
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server ntp.home.local
#server 0.debian.pool.ntp.org iburst
#server 1.debian.pool.ntp.org iburst
#server 2.debian.pool.ntp.org iburst
#server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 10.20.30.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 10.20.30.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Prise en compte de la configuration :

# /etc/init.d/ntp restart

Vérification de la synchronisation NTP :

# ntpq -p

Résolution de noms

Configuration des paramètres de résolution de noms :

# vim /etc/resolv.conf
domain home.local
search home.local
nameserver 10.20.30.2
nameserver 10.20.30.3
nameserver 10.20.30.4

Samba / Winbind

Installation des paquets :

# aptitude install winbind samba-common smbclient

Sauvegarde de la configuration d’origine :

# cp /etc/samba/smb.conf /etc/samba/smb.conf.original

Configuration de Samba/Winbind :

# > /etc/samba/smb.conf
# vim /etc/samba/smb.conf
[global]
    workgroup = HOME
    realm = HOME.LOCAL
    server string = %h server
    security = ADS
    password server = 10.20.30.2, 10.20.30.3, 10.20.30.4
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    announce version = 4
    announce as = NT Workstation
    dns proxy = No
    idmap uid = 167771-335549
    idmap gid = 167771-335549
    winbind use default domain = yes
    invalid users = root
    winbind cache time = 60
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 10
    template homedir = /home/%D/%U
    template shell = /bin/bash
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no
    os level = 0

Création du répertoire racine pour les répertoires personnels des utilisateurs du domaine :

# mkdir /home/HOME

Prise en compte de la configuration :

# /etc/init.d/winbind restart

Kerberos

Installation des paquets :

# aptitude install krb5-user krb5-config

Sauvegarde de la configuration d’origine :

# cp /etc/krb5.conf /etc/krb5.conf.original

Configuration de Kerberos :

# > /etc/krb5.conf
# vim /etc/krb5.conf
[libdefaults]
        default_realm = HOME.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = false
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
#       v4_instance_resolve = false
#       v4_name_convert = {
#               host = {
#                       rcmd = host
#                       ftp = ftp
#               }
#               plain = {
#                       something = something-else
#               }
#       }
#       fcc-mit-ticketflags = true

[realms]

HOME.LOCAL = { kdc = 10.20.30.2 kdc = 10.20.30.3 kdc = 10.20.30.4 admin_server = 10.20.30.2 }

[domain_realm]

.home.local = HOME.LOCAL home.local = HOME.LOCAL

[login]

krb4_convert = true krb4_get_tickets = false

[logging]

default = FILE:/var/log/krb5.log kdc = FILE:/var/log/krb5kdc.log admin-server = FILE:/var/log/krb5adm.log

[appdefaults]

pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false }

Rejoindre le domaine et s’authentifier

Jointure au domaine :

# net -U administrator ads join

(Test) Lister les utilisateurs du domaine :

# wbinfo -u

Modification des paramètres d’authentification :

# vim /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Permettre la création du répertoire personnel d’un utilisateur du domaine :

# vim /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
session [default=1]                     pam_permit.so
# here's the fallback if no module succeeds
session requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required                        pam_unix.so
session required                        pam_mkhomedir.so umask=0022 skel=/etc/skel
session optional                        pam_winbind.so
# end of pam-auth-update config

(Test) Lister la base des utilisateurs pouvant s’authentifier :

# getent passwd

N’autorisez que les membres du groupe “GNETWORK” à accéder en SSH au serveur :

# vim /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Only allow GNETWORK Active Directory group  members
account    required     pam_succeed_if.so user ingroup GNETWORK

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

Droits sudo pour le groupe “GNETWORK” :

# vim /etc/sudoers
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
%GNETWORK    ALL=(ALL) NOPASSWD: ALL

# Allow members of group sudo to execute any command
# (Note that later entries override this, so you might need to move
# it further down)
%sudo ALL=(ALL) ALL
#
#includedir /etc/sudoers.d

Authentification centralisée avec tac plus sous GNU/Linux Debian

Pré-requis

Création du groupe GNETWORK dans l’annuaire Active Directory.

Les deux serveurs doivent être membres du domaine HOME.

Installation et configuration

Installer TACACS+ :

# aptitude update && aptitude install tacacs+

Sauvegarder le fichier de configuration de TACACS+ :

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.original

Editer le fichier de configuration de TACACS+ :

# > /etc/tacacs+/tac_plus.conf
# vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Créer un fichier de configuration TACACS+ pour Nortel :

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus_nortel.conf

Editer le fichier de configuration de TACACS+ pour Nortel :

# vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Editer le fichier de configuration des options par défaut de TACACS+ :

# vim /etc/default/tacacs+
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf -d16"

Créer un fichier de configuration des options par défaut de TACACS+ pour Nortel :

# cp /etc/default/tacacs+ /etc/default/tacacs+_nortel

Editer le fichier de configuration des options par défaut de TACACS+ pour Nortel :

# vim /etc/default/tacacs+_nortel
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949 -d16 -l /var/log/tac_plus_nortel.log"

Créer un script d’init pour le serveur TACACS+ pour Nortel et le rendre exécutable :

# cp /etc/init.d/tacacs_plus /etc/init.d/tacacs_plus_nortel && chmod +x /etc/init.d/tacacs_plus_nortel

Modifier le script d’init pour le serveur TACACS+ pour Nortel :

# vim /etc/init.d/tacacs_plus_nortel
#!/bin/sh
### BEGIN INIT INFO
# Provides:          tacacs+_nortel
# Required-Start:    $network $local_fs $syslog $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Should-Start:      $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: TACACS+ authentication daemon for Nortel
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/sbin/tac_plus
NAME="tacacs+_nortel"
DESC="TACACS+ authentication daemon for Nortel"
LOGDIR=/var/log/
STARTTIME=1

PIDFILE="/var/run/tac_plus.pid.4949"

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

# Default options, these can be overriden by the information
# at /etc/default/$NAME
DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949"          # Additional options given to the server


LOGFILE=$LOGDIR/tac_plus_nortel.log  # Server logfile

# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
        . /etc/default/$NAME
fi

# Check that the user exists (if we set a user)
# Does the user exist?
if [ -n "$DAEMONUSER" ] ; then
    if getent passwd | grep -q "^$DAEMONUSER:"; then
        # Obtain the uid and gid
        DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'`
        DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'`
    else
        log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
        exit 1
    fi
fi


set -e

running_pid() {
# Check if a given process pid's cmdline matches a given name
    pid=$1
    name=$2
    [ -z "$pid" ] && return 1
    [ ! -d /proc/$pid ] &&  return 1
    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
    # Is this the expected server
    [ "$cmd" != "$name" ] &&  return 1
    return 0
}

running() {
# Check if the process is running looking at /proc
# (works for all users)

    # No pidfile, probably no daemon present
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE`
    running_pid $pid $DAEMON || return 1
    return 0
}

start_server() {
# Start the process using the wrapper
        start-stop-daemon --start --quiet --pidfile $PIDFILE \
               --exec $DAEMON -- $DAEMON_OPTS
        errcode=$?
        return $errcode
}

stop_server() {
# Stop the process using the wrapper
        if [ -z "$DAEMONUSER" ] ; then
            killproc -p $PIDFILE $DAEMON
            errcode=$?
        else
# if we are using a daemonuser then look for process that match
            start-stop-daemon --stop --quiet --pidfile $PIDFILE \
                        --user $DAEMONUSER \
                        --exec $DAEMON
            errcode=$?
        fi

        return $errcode
}

reload_server() {
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE` # This is the daemon's pid
    # Send a SIGHUP
    kill -1 $pid
    return $?
}

force_stop() {
# Force the process to die killing it manually
        [ ! -e "$PIDFILE" ] && return
        if running ; then
                kill -15 $pid
        # Is it really dead?
                sleep "$DIETIME"s
                if running ; then
                        kill -9 $pid
                        sleep "$DIETIME"s
                        if running ; then
                                echo "Cannot kill $NAME (pid=$pid)!"
                                exit 1
                        fi
                fi
        fi
        rm -f $PIDFILE
}


case "$1" in
  start)
        log_daemon_msg "Starting $DESC " "$NAME"
        # Check if it's running first
        if running ;  then
            log_progress_msg "apparently already running"
            log_end_msg 0
            exit 0
        fi
        if start_server ; then
            # NOTE: Some servers might die some time after they start,
            # this code will detect this issue if STARTTIME is set
            # to a reasonable value
            [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time
            if  running ;  then
                # It's ok, the server started and is running
                log_end_msg 0
            else
                # It is not running after we did start
                log_end_msg 1
            fi
        else
            # Either we could not start it
            log_end_msg 1
        fi
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if running ; then
            # Only stop the server if we see it running
                        errcode=0
            stop_server || errcode=$?
            log_end_msg $errcode
        else
            # If it's not running don't do anything
            log_progress_msg "apparently not running"
            log_end_msg 0
            exit 0
        fi
        ;;
  force-stop)
        # First try to stop gracefully the program
        $0 stop
        if running; then
            # If it's still running try to kill it more forcefully
            log_daemon_msg "Stopping (force) $DESC" "$NAME"
                        errcode=0
            force_stop || errcode=$?
            log_end_msg $errcode
        fi
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
                errcode=0
        stop_server || errcode=$?
        # Wait some sensible amount, some server need this
        [ -n "$DIETIME" ] && sleep $DIETIME
        start_server || errcode=$?
        [ -n "$STARTTIME" ] && sleep $STARTTIME
        running || errcode=$?
        log_end_msg $errcode
        ;;
  status)

        log_daemon_msg "Checking status of $DESC" "$NAME"
        if running ;  then
            log_progress_msg "running"
            log_end_msg 0
        else
            log_progress_msg "apparently not running"
            log_end_msg 1
            exit 1
        fi
        ;;
  # Use this if the daemon cannot reload
  reload)
        log_daemon_msg "Reloading $DESC configuration files" "$NAME"
        if reload_server ; then
                if running ; then
                        log_end_msg 0
                else
                        log_progress_msg "$NAME not running"
                        log_end_msg 1
                fi
        else
                log_progress_msg "Reload failled"
                log_end_msg 1
        fi
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0

Activer le script d’init pour le serveur TACACS+ pour Nortel :

# insserv tacacs_plus_nortel

Relancer le serveur TACACS+ :

# /etc/init.d/tacacs_plus restart

Lancer le serveur TACACS+ our Nortel :

# /etc/init.d/tacacs_plus_nortel start

Configuration des équipements

3Com 5500G-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 key accounting abcdefgh
 user-name-format without-domain
#
domain mytac
 scheme hwtacacs-scheme mytac local
 access-limit enable 10
#
 domain default enable mytac
#

H3C S5500-52C-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

3Com 4210G 48-Port

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

Cisco WS-CBS3020-HPQ

!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.20.30.1 timeout 5
tacacs-server host 10.20.30.2 timeout 5
tacacs-server directed-request
tacacs-server key abcdefgh
!

Nortel Application Switch 2208 E

Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (les privilèges diffèrent des autres équipements) Remarque : l’utilisateur notacacs doit être utilisé, avec le mot de passe du compte admin local, dans le cas d’un dysfonctionnement du serveur TACACS+

/cfg/sys/tacacs
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
secbd e
on
apply

HP ProLiant BL p-Class C-GbE2 Interconnect Switch

Remarque : une instance spécifique du serveur TACACS+ écoute sur le port TCP/4949 pour les équipements Nortel (les privilèges diffèrent des autres équipements) Remarque : l’utilisateur notacacs doit être utilisé, avec le mot de passe du compte admin local, dans le cas d’un dysfonctionnement du serveur TACACS+

/cfg/sys/tacacs+
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
telnet e
on
apply

Installation et configuration de NRPE sous Red Hat Enterprise Linux

Installation de NRPE uniquement via RPM

Récupérer les paquet adéquats sur 1, en fonction de la version de RH et de l’architecture du serveur, et les placer sous /usr/local/src/.

Installer les paquets :

# cd /usr/local/src/
# rpm -ivh fping-2.4-1.b2.3.el4.rf.i386.rpm
# rpm -ivh perl-Crypt-DES-2.05-3.2.el4.rf.i386.rpm
# rpm -ivh perl-Digest-SHA1-2.13-1.el4.rfx.i386.rpm
# rpm -ivh perl-Socket6-0.23-1.el4.rf.i386.rpm
# rpm -ivh perl-Digest-HMAC-1.02-1.el4.rf.noarch.rpm
# rpm -ivh perl-Net-SNMP-5.2.0-1.2.el4.rf.noarch.rpm
# rpm -ivh nagios-plugins-1.4.15-2.el4.rf.i386.rpm
# rpm -ivh nagios-nrpe-2.12-1.el4.rf.i386.rpm

Sauvegarder le fichier d’inventaire des services :

# cp /etc/services /etc/services.original

Renseigner le service NRPE :

# sed -i 's/\(cfengine.*udp.*\)/\1\nnrpe\t\t5666\/tcp\t\t\t# NRPE/' /etc/services

Sauvegarder la configuration de NRPE :

# cp /etc/nagios/nrpe.cfg /etc/nagios/nrpe.cfg.original

Modifier la configuration de NRPE :

# sed -i 's/#server_address=127.0.0.1/server_address=10.20.30.2/;s/allowed_hosts=127.0.0.1/allowed_hosts=10.20.30.1/' /etc/nagios/nrpe.cfg

Paramétrer le démarrage automatique de NRPE :

# chkconfig --level 235 nrpe on

Lancer NRPE :

# service nrpe start

Installation de NRPE via RPM/CPAN

Se rendre dans les répertoire des sources :

# cd /usr/local/src

Installer le paquet fping :

# rpm -ivh fping-2.4-1.b2.3.el4.rf.i386.rpm

Lancer le shell CPAN pour l’installation des modules Perl :

# perl -MCPAN -e shell

Dans le cadre d’un premier lancement, sélectionner les options par défaut et paramétrer un proxy FTP/HTTP.

Installer le module Bundle::CPAN :

cpan[n]> install Bundle::CPAN

Recharger CPAN :

cpan[n]>reload cpan

Quitter CPAN :

cpan[n]> q

Relancer CPAN :

# perl -MCPAN -e shell

Installer le module Net::SNMP :

cpan[n]> install Net::SNMP

Installer le module Nagios::Plugin :

cpan[n]> install Nagios::Plugin

Quitter CPAN :

cpan[n]> q

Installer les paquets nagios-plugins et nagios-nrpe :

# rpm --nodeps -ivh nagios-plugins-1.4.15-2.el4.rf.i386.rpm
# rpm --nodeps -ivh nagios-nrpe-2.12-1.el4.rf.i386.rpm

Renseigner le service NRPE :

# sed -i 's/\(cfengine.*udp.*\)/\1\nnrpe\t\t5666\/tcp\t\t\t# NRPE/' /etc/services

Modifier la configuration de NRPE :

# sed -i 's/#server_address=127.0.0.1/server_address=10.20.30.2/;s/allowed_hosts=127.0.0.1/allowed_hosts=10.20.30.1/' /etc/nagios/nrpe.cfg

Paramétrer le démarrage automatique de NRPE :

# chkconfig --level 235 nrpe on

Lancer NRPE :

# service nrpe start

Installation et configuration d’un cluster Pacemaker/CoroSync sous GNU/Linux Debian 6 (Squeeze)

Installation et pré-configuration de CoroSync

remarque: les actions suivantes sont à réaliser sur les deux noeuds.

Installer les paquets nécessaires :

# aptitude install corosync pacemaker

Autoriser le démarrage de CoroSync :

# sed -i 's/START=no/START=yes/' /etc/default/corosync

Sauvegarder la configuration par défaut de CoroSync :

# cp /etc/corosync/corosync.conf /etc/corosync/corosync.conf.original

Modifier le fichier hosts :

# sed -i 's/^10.20.*$/10.20.30.1\tvm-debian1.france.local\tvm-debian1\n10.20.30.2\tvm-debian2.france.local\tvm-debian2/' /etc/hosts

Générer une paire de clés RSA pour SSH (sans mot de passe) :

# ssh-keygen -b 2048

Copier la clé publique sur le second noeud :

# if hostname | grep -q 1; then ssh-copy-id $(hostname | sed 's/1/2/'); else ssh-copy-id $(hostname | sed 's/2/1/'); fi

remarque: les actions suivantes sont à réaliser sur le premier noeud.

Générer des I/O :

# dd if=/dev/urandom of=/tmp/temp bs=1024 count=1000000&

En parallèle, générer une clé pour Corosync :

# corosync-keygen

Supprimer le fichier temporaire précédemment créé :

# rm /tmp/temp

Copier la clé précédemment générée sur le second noeud :

# scp /etc/corosync/authkey sfrafilx02:/etc/corosync/authkey

remarque: les actions suivantes sont à réaliser sur les deux noeuds.

Modifier le fichier de configuration de Corosync

# vim /etc/corosync/corosync.conf
# Please read the openais.conf.5 manual page

totem {
        version: 2

        # How long before declaring a token lost (ms)
        token: 3000

        # How many token retransmits before forming a new configuration
        token_retransmits_before_loss_const: 10

        # How long to wait for join messages in the membership protocol (ms)
        join: 60

        # How long to wait for consensus to be achieved before starting a new round of membership configuration (ms)
        consensus: 3600

        # Turn off the virtual synchrony filter
        vsftype: none

        # Number of messages that may be sent by one processor on receipt of the token
        max_messages: 20

        # Limit generated nodeids to 31-bits (positive signed integers)
        clear_node_high_bit: yes

        # Disable encryption
        secauth: off

        # How many threads to use for encryption/decryption
        threads: 0

        # Optionally assign a fixed node id (integer)
        # nodeid: 1234

        # This specifies the mode of redundant ring, which may be none, active, or passive.
        rrp_mode: none

        interface {
                # The following values need to be set based on your environment
                ringnumber: 0
                bindnetaddr: 10.20.30.1
                mcastaddr: 226.94.1.1
                mcastport: 5405
        }
}

amf {
        mode: disabled
}

service {
        # Load the Pacemaker Cluster Resource Manager
        ver:       0
        name:      pacemaker
        use_mgmtd: 1
}

aisexec {
        user:   root
        group:  root
}

logging {
        fileline: off
        to_stderr: yes
        to_logfile: yes
        logfile: /var/log/corosync.log
        logfile_priority: info
        to_syslog: no
        syslog_facility: daemon
        debug: off
        timestamp: on
        logger_subsys {
                subsys: AMF
                debug: off
                tags: enter|leave|trace1|trace2|trace3|trace4|trace6
        }
}

Démarrer CoroSync :

# /etc/init.d/corosync start

Vérifier l’état du cluster :

# crm_mon -1

Préparation des agents pour l’Open Cluster Framework (OCF)

Ajouter un agent OCF HTTPCheck :

# mkdir /usr/lib/ocf/resource.d/myscripts
# vim /usr/lib/ocf/resource.d/myscripts/HTTPCheck
#!/bin/sh
#
#
#       HTTPCheck OCF RA. It checks the accessibility of a Web resource.
#
# Copyright (c) 2004 SUSE LINUX AG, Lars Marowsky-Bré
#                    All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like.  Any license provided herein, whether implied or
# otherwise, applies only to this software file.  Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
#
#######################################################################
# OCF parameters:
#   OCF_RESKEY_url    : Web resource URL
#
#######################################################################
# Initialization:

. ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs

#######################################################################

meta_data() {
        cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="HTTPCheck" version="0.9">
<version>1.0</version>

<longdesc lang="en">
This is HTTPCheck Resource Agent.
It checks the accessibility of a Web resource using wget binary.
Remember that you can configure wget options through /etc/wgetrc
configuration file.
</longdesc>
<shortdesc lang="en">HTTPCheck resource agent</shortdesc>

<parameters>

<parameter name="url" unique="0" required="1">
<longdesc lang="en">
This is a required parameter. This parameter specifies the Web resource to check.
</longdesc>
<shortdesc lang="en">Web resource</shortdesc>
<content type="string" default="www.debian.org" />
</parameter>

<parameter name="state" unique="1">
<longdesc lang="en">
Location to store the resource state in.
</longdesc>
<shortdesc lang="en">State file</shortdesc>
<content type="string" default="${HA_VARRUN}/OCF-{OCF_RESOURCE_INSTANCE}.state" />
</parameter>

</parameters>

<actions>
<action name="start"        timeout="15" />
<action name="stop"         timeout="15" />
<action name="monitor"      timeout="15" interval="10" depth="0" start-delay="0" />
<action name="meta-data"    timeout="5" />
<action name="validate-all"   timeout="30" />
</actions>
</resource-agent>
END
}

#######################################################################

httpcheck_usage() {
        cat <<END
usage: $0 {start|stop|monitor|validate-all|meta-data}

Expects to have a fully populated OCF RA-compliant environment set.
END
}

httpcheck_start() {
    httpcheck_monitor
    if [ $? =  $OCF_SUCCESS ]; then
        return $OCF_SUCCESS
    fi
    /usr/bin/wget -q -t 1 -T 4 --no-dns-cache --no-cache -4 -O ${OCF_RESKEY_state} $OCF_RESKEY_url
}

httpcheck_stop() {
    httpcheck_monitor
    if [ $? != $OCF_NOT_RUNNING ]; then
        rm ${OCF_RESKEY_state}
    fi
    return $OCF_SUCCESS
}

httpcheck_monitor() {
    # Monitor _MUST!_ differentiate correctly between running
    # (SUCCESS), failed (ERROR) or _cleanly_ stopped (NOT RUNNING).
    # That is THREE states, not just yes/no.

    if [ ! -f ${OCF_RESKEY_state} ]; then
        return $OCF_NOT_RUNNING
    else
        if /usr/bin/wget -q -t 1 -T 4 --no-dns-cache --no-cache -4 -O ${OCF_RESKEY_state} $OCF_RESKEY_url; then
            return $OCF_SUCCESS
        else
            return $OCF_ERR_GENERIC
        fi
    fi
}

httpcheck_validate() {

    # Is the state directory writable?
    state_dir=`dirname "$OCF_RESKEY_state"`
    touch "$state_dir/$$"
    if [ $? != 0 ]; then
        return $OCF_ERR_ARGS
    fi
    rm "$state_dir/$$"

    return $OCF_SUCCESS
}

: ${OCF_RESKEY_CRM_meta_interval=0}
: ${OCF_RESKEY_CRM_meta_globally_unique:="true"}

if [ "x$OCF_RESKEY_state" = "x" ]; then
    if [ ${OCF_RESKEY_CRM_meta_globally_unique} = "false" ]; then
        state="${HA_VARRUN}/OCF-${OCF_RESOURCE_INSTANCE}.state"

        # Strip off the trailing clone marker
        OCF_RESKEY_state=`echo $state | sed s/:[0-9][0-9]*\.state/.state/`
    else
        OCF_RESKEY_state="${HA_VARRUN}/OCF-${OCF_RESOURCE_INSTANCE}.state"
    fi
fi

if [ "x$OCF_RESKEY_url" = "x" ]; then
    OCF_RESKEY_url="www.debian.org"
fi

case $__OCF_ACTION in
meta-data)      meta_data;;
start)          httpcheck_start;;
stop)           httpcheck_stop;;
monitor)        httpcheck_monitor;;
validate-all)   httpcheck_validate;;
usage|help)     httpcheck_usage
                exit $OCF_SUCCESS
                ;;
*)              httpcheck_usage
                exit $OCF_ERR_UNIMPLEMENTED
                ;;
esac
rc=$?
ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
exit $rc
# chmod +x /usr/lib/ocf/resource.d/myscripts/HTTPCheck

Corriger l’agent OCF Squid :

# cp /usr/lib/ocf/resource.d/heartbeat/Squid /usr/lib/ocf/resource.d/heartbeat/Squid.original
# vim /usr/lib/ocf/resource.d/heartbeat/Squid
  ligne 198 : awk '/(tcp.*[0-9]+\.[0-9]+\.+[0-9]+\.[0-9]+:'$SQUID_PORT' |tcp.*:::'$SQUID_PORT' )/{

Configuration du cluster Pacemaker (CRM)

remarque: les actions suivantes sont à réaliser sur le premier noeud. Configurer les ressources du cluster :

# crm configure property stonith-enabled=false
# crm configure property no-quorum-policy=ignore
# crm configure rsc_defaults resource-stickiness=100
# crm configure primitive ClusterIP ocf:heartbeat:IPaddr2 \
      params ip=10.20.30.3 cidr_netmask=24 \
      op monitor interval=30
# crm configure primitive Proxy ocf:heartbeat:Squid \
      params squid_exe="/usr/sbin/squid3" squid_conf="/etc/squid3/squid.conf" squid_pidfile="/var/run/squid3.pid" squid_port="3128" squid_stop_timeout="30" \
      op start interval="0" timeout="60s" \
      op stop interval="0" timeout="120s" \
      op monitor interval="20s" timeout="30s"
# crm configure primitive HTTPCheck ocf:myscripts:HTTPCheck \
      params url="kb.france.local" \
      op monitor interval="120s"
# crm configure primitive WebSite lsb:apache2 op monitor interval="60sec"
# crm configure location proxy-prefer-node1 Proxy 50: vm-debian1
# crm configure location website-prefer-node1 WebSite 50: vm-debian1
# crm configure colocation proxy-with-clusterip inf: Proxy ClusterIP
# crm configure colocation website-with-clusterip inf: WebSite ClusterIP
# crm configure colocation httpcheck-with-proxy inf: HTTPCheck Proxy
# crm configure order apache-after-clusterip inf: ClusterIP WebSite
# crm configure order squid-after-clusterip inf: ClusterIP Proxy
# crm configure order httpcheck-after-proxy inf: Proxy HTTPCheck

Tolérance aux pannes : Channel Bonding sous GNU/Linux Debian 6 (Squeeze)

Le déroulement

Installation des composants

# aptitude install firmware-bnx2 ifenslave

Détection des interfaces

# modprobe -r bnx2 && modprobe bnx2

Retrait de la configuration existante

# ip a d <address/cidr> dev eth1
# ifconfig eth1 down

Options pour les interfaces Bonding

# echo -en "alias bond0 bonding\nalias bond1 bonding\noptions bonding max_bonds=2 mode=1 miimon=100" > /etc/modprobe.d/bonding.conf

Configuration des interfaces

# vim /etc/network/interfaces
auto eth0 eth1 eth2 eth3 bond0 bond1
iface bond0 inet static
       address <ip1>
       netmask <mask1>
       gateway <gw1>
       up /sbin/ifenslave bond0 eth0 eth2
       down /sbin/ifenslave -d bond0 eth0 eth2
iface bond1 inet static
       address <ip2>
       netmask <mask2>
       up /sbin/ifenslave bond1 eth1 eth3
       down /sbin/ifenslave -d bond1 eth1 eth3
       up route add -net <net1> netmask <mask3> gw <gw2>

Montage des interfaces

# /etc/init.d/networking stop
# /etc/init.d/networking start

GNU/Linux Debian (testing) : Nagios (3.2.1) / Centreon (2.1.9)

Sur le futur serveur Nagios/Centreon

Installation de Nagios 3

Installez Nagios 3 :

# apt-get install nagios3

Remarque : il vous sera demandé d’initialiser le mot de passe de l’utilisateur nagiosadmin (compte d’administration par défaut au niveau de l’interface Web)
Vous pouvez d’ores et déjà accéder à l’interface Web de Nagios3 via l’URL http://<@IP_serveur_nagios>/nagios3/

Installation des prérequis pour Centreon

# apt-get install build-essential

Installez le serveur Web Apache2, le language de scripts PHP 5 ainsi que les modules associés :

# apt-get install apache2 php5 php5-mysql php-pear php5-ldap php5-snmp php5-snmp php5-gd

Installez le SGBD MySQL ainsi que des librairies de développement :

# apt-get install mysql-server libmysqlclient-dev

Remarque : il vous sera demandé d’initialiser le mot de passe du superutilisateur (root) de votre SGBD (MySQL). Installez l’outil Round Robin Database ainsi que l’interface Perl pour ce même outil :

# apt-get install rrdtool librrds-perl

Installez le module Config::IniFiles pour Perl :

# apt-get install libconfig-inifiles-perl

Installez le client ainsi que l’agent SNMP, et le module Perl Net::SNMP :

# apt-get install snmp snmpd libnet-snmp-perl

Installez différentes librairies graphiques :

# apt-get install libgd2-xpm libgd2-xpm-dev libpng12-dev

Installation de l’addon NDOUtils

Etant sous Debian GNU/Linux Squeeze, l’extension Nagios Data Output Utils n’est pas packagée. Pour y remédier, ajoutez le dépôt Unstable :

# echo "deb http://ftp.fr.debian.org/debian/ unstable main contrib non-free" >> /etc/apt/sources.list

Ayant à présent des dépôts pour testing et unstable, indiquez votre distribution par défaut (testing) :

# echo "APT::Default-Release \"testing\";" >> /etc/apt/apt.conf

Récupérez la liste des paquets mis à votre dispositions (testing/unstable) :

# apt-get update

Installez l’extention NDOUtils :

# apt-get install ndoutils-nagios3-mysql

Installation de Centreon 2

Récupérez les sources de Centreon 2.1.9 :

# cd /usr/local/src
# wget http://download.centreon.com/index.php?id=143

Décompressez l’archive précédemment téléchargée et lancez le processus d’installation de Centreon (à l’aide d’un template) :

# tar zxvf centreon-2.1.9.tar.gz
# cd centreon-2.1.9
# ./install.sh -f tmpl/vardistrib/debian-lenny

Remarque : le déroulement du script d’installation de Centreon est indiqué dans le fichier texte associé. Rendez-vous sur l’interface Web de votre serveur Centreon, http://<@IP_serveur_nagios>/centreon/, afin de finaliser l’installation.

Sur le client à superviser

Installation de NRPE Server

Installez le serveur Nagios Remote Plugin Executor :

# apt-get install nagios-nrpe-server

Sauvegardez le fichier de configuration d’origine puis éditez-le :

# cp /etc/nagios/nrpe.cfg /etc/nagios/nrpe.cfg.original
# vim /etc/nagios/nrpe.cfg
	log_facility=daemon
	pid_file=/var/run/nagios/nrpe.pid
	server_port=5666
	nrpe_user=nagios
	nrpe_group=nagios
	allowed_hosts=127.0.0.1,11.22.33.2
	dont_blame_nrpe=0
	debug=0
	command_timeout=60
	connection_timeout=300
	command[check_users]=/usr/lib/nagios/plugins/check_users -w 5 -c 10
	command[check_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 30,25,20
	command[check_sda1]=/usr/lib/nagios/plugins/check_disk -w 20% -c 10% -p /dev/sda1
	command[check_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 5 -c 10 -s Z
	command[check_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
	include=/etc/nagios/nrpe_local.cfg
	include_dir=/etc/nagios/nrpe.d/

Redémarrez finalement le serveur NRPE afin de prendre en compte vos modifications :

# /etc/init.d/nagios-nrpe-server restart

La suite très prochainement…

Installation des VMWare Tools sous GNU/Linux Debian

Tout d’abord, installez les prérequis, à savoir un compilateur C, un outil d’aide à la compilation et le fichiers d’en-tête de votre noyau :

$ sudo apt-get install gcc make linux-headers-$(uname -r) 

Dans l’interface du client VMware (ici VMWare Workstation 7.0.1), déroulez le menu VM pour la machine virtuelle en cours d’exécution puis cliquez sur Install VMware Tools. Cela va vous permettre de monter le CDROM contenant les VMware Tools et, bien évidement, de les installer. Remarque : il est préférable d’ouvrir un Shell local dans la mesure où nous risquons de perdre toute connectivité lors de la mise à jour du module des interfaces Ethernet.

$ sudo mount /dev/cdrom /media/cdrom0 
$ tar zxvf /media/cdrom/VMwareTools-8.1.4-227600.tar.gz -C ~ 
$ sudo ~/vmware-tools-distrib/vmware-install.pl 

Répondez alors aux questions posées (les réponses par défaut étant le plus souvent le choix à retenir). Ne reste plus démonter les interfaces Ethernet, décharger les modules pcnet32 et l’ancien vmxnet (dans le cas d’une ancienne installation des VMware Tools), charger le module vmxnet issu de précédente installation, puis remonter les interfaces Ethernet :

$ sudo /etc/init.d/networking stop 
$ sudo rmmod pcnet32 
$ sudo rmmod vmxnet 
$ sudo modprobe vmxnet 
$ sudo /etc/init.d/networking start 

Afin de pouvoir utiliser des interfaces de type VMware VMXNET Ethernet Controller (recommandé par VMWare) au prochain redémarrage, il vous suffit d’ajouter la ligne suivante dans le fichier de configuration de la machine virtuelle (<vm_name>.vmx) : ethernet0.virtualDev = “vmxnet” Remarque : si vous avez plusieurs interfaces, il vous suffit d’ajouter cette ligne plusieurs fois en incrémentant l’id de l’interface (ethernet0, ethernet1, …, ethernetn).

Support du suivi de connexion pour IP Virtual Server

Voici la démarche à suivre pour un système sous GNU/Linux Debian avec le noyau 2.6.32 :

  • Ajoutez votre utilisateur dans le groupe src afin de pouvoir travailler dans le répertoire /usr/src :
$ sudo n3oxid src
  • Installez les paquets nécessaires pour la compilation de votre noyau :
$ sudo apt-get install linux-source-2.6.32 \
  kernel-package libncurses5-dev gcc make binutils \
  zlibc zlib1g-dev build-essential
  • Rendez-vous dans le répertoire où se trouve les sources de votre noyau :
$ cd /usr/src
  • Récupérez le patch NFCT correpondant aux sources de votre noyau :
$ wget http://www.ssi.bg/~ja/nfct/ipvs-nfct-2.6.32-1.diff
  • Décompressez les sources de votre noyau, faites un lien symbolique vers le répertoire contenant les sources et rentrer dans le répertoire en question :
$ tar jxvf linux-source-2.6.32.tar.bz2
$ ln –s linux-source-2.6.32 linux
$ cd linux
  • Appliquer le patch NFCT à vos sources :
$ cat ../ipvs-nfct-2.6.32-1.diff | patch –p1
  • Récupérer la configuration actuelle de votre noyau :
$ cp /boot/config-2.6.32-3-686 .config
  • Configurer les sources de votre noyau :
$ make menuconfig
  • Nettoyer de façon préventive les sources de votre noyau :
$ make-kpkg clean
  • Lancez la compilation :
$ make-kpkg --rootcmd fakeroot --initrd \
  --append-to-version=.perso.`date +%Y%m%d` \
  --revision=1.0 kernel-image kernel_headers
  • Installez votre noyau :
$ sudo dpkg -i ../linux-image-2.6.32.csat.20100427_1.1_i386.deb
$ sudo dpkg -i ../linux-headers-2.6.32.csat.20100427_1.1_i386.deb
  • Mettez à jour votre initramfs :
$ sudo update-initramfs -c -k 2.6.32.csat.20100427 –v
  • Mettez à jour les entrées de votre chargeur de démarrage :
$ sudo update-grub


Remarque : les deux dernières actions sont à effectuer uniquement sous GNU/Linux Debian testing suite à un problème rencontré lors de l’installation du noyau via les paquets “.deb” obtenus après compilation ; la mise à jour de l’initramfs ne se fait pas correctement.