Categories
Computing

Sauvegarde et archivage des configurations des équipements avec Rancid sous GNU/Linux Debian

Pré-requis

Un compte de service rancid renseigné dans l’annuaire Active Directory

Un cluster Pacemaker/Corosync avec une ressource DRBD

Les noeuds du cluster sont membres du domaine Active Directory

Un serveur Apache2 sur chaque nœud du cluster

Un serveur TACACS+ sur chaque nœud du cluster

La clé et le certificat du du VHost pour CVSWeb ainsi que le certificat de la CA.

Configuration de TACACS+

Renseigner l’utilisateur rancid au sein des serveurs TACACS+ :

vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.
vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Much more features are availables, like ACL, more service compatibilities,
# commands authorization, scripting authorization.
# See the man page for those features.

Relancer les serveurs TACACS+ :

# /etc/init.d/tacacs_plus reload
# /etc/init.d/tacacs_plus_nortel reload

Installation et configuration de Rancid

Installer Rancid :

# aptitude update && aptitude install rancid

Sauvegarder le fichier de configuration de Rancid :

# cp /etc/rancid/rancid.conf /etc/rancid/rancid.conf.original

Modifier la configuration de Rancid :

# vim /etc/rancid/rancid.conf
# rancid 2.3.3
# This file sets up the environment used for rancid.  see rancid.conf(5)
#
# This will be site specific
#
TERM=network;export TERM
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Under BASEDIR (i.e.: --localstatedir), there will be a "logs" directory for
# the logs from rancid and a directory for each group of routers defined in
# LIST_OF_GROUPS (below).  In addition to these, there will be a "CVS"
# directory which is the cvs (or Subversion) repository.
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository.  Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn".  Do not change
# this after CVSROOT has been created with rancid-cvs.  Changing between these
# requires manual conversions.
RCSSYS=cvs; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
#
# if NOPIPE is set, temp files will be used instead of a cmd pipe during
# collection from the router(s).
#NOPIPE=YES; export NOPIPE
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL).  see rancid.conf(5).
#FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
#NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up.  Minimum: 1
#MAX_ROUNDS=4; export MAX_ROUNDS
#
# How many hours should pass before complaining about routers that
# can not be reached.  The value should be greater than the number
# of hours between your rancid-run cron job.  Default: 24
#OLDTIME=4; export OLDTIME
#
# How many hours should pass before complaining that a group's collection
# (the age of it's lock file) is hung.
#LOCKTIME=4; export LOCKTIME
#
# The number of devices to collect simultaneously.
#PAR_COUNT=5; export PAR_COUNT
#
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"
# more groups...
LIST_OF_GROUPS="GRP1 GRP2 GRP3"
#
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
#   rancid-group:       joe,moe@foo
#   rancid-admin-group: hostmaster
# be sure to read ../README regarding aliases.
#
# If your MTA configuration is broken or you want mail to be forwarded to a
# domain not the same as the local one, define that domain here.  "@" must be
# included, as this is simply appended to the usual recipients.  It is NOT
# appended to recipients specified in rancid-run's -m option.
#MAILDOMAIN="@example.com"; export MAILDOMAIN
#
# By default, rancid mail is marked with precedence "bulk".  This may be
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers.  Individual headers must be separated
# by a \n.
#MAILHEADERS="Precedence: bulk"; export MAILHEADERS

Sur le noeud actif du cluster, déplacer l’arborescence de travail de Rancid sur le disque DRBD :

# mv /var/lib/rancid /cluster/
# ln -s /cluster/rancid /var/lib/
# rm /var/lib/rancid/logs && ln -s /var/log/rancid /cluster/rancid/logs

Sur le noeud passif du cluster, détruire l’arborescence de travail de Rancid et pointer sur la ressource DRBD :

# rm -rf /var/lib/rancid
# ln -s /cluster/rancid /var/lib/

Remarque : les actions à effectuer sur l’arborescence /var/lib/rancid ne sont à réaliser que sur le noeud actif sur lequel est monter la ressource DRBD, sous /cluster.

Ajouter un fichier de configuration pour les paramètres de connexion de l’utilisateurs rancid sur les équipements :

# vim /var/lib/rancid/.cloginrc
add cyphertype sw1.home.local {aes128-cbc}
add cyphertype sw2.home.local {aes128-cbc}
add cyphertype sw3.home.local {aes128-cbc}
add cyphertype sw4.home.local {aes128-cbc}
add noenable * {1}
add autoenable * {1}
add user * {rancid}
add password * {-----------}
# chmod 600 /var/lib/rancid/.cloginrc && chown rancid:rancid /var/lib/rancid/.cloginrc

Récupérer les add-ons H3C pour Rancid (h3clogin et h3crancid) et les placer sous /var/lib/rancid/bin/ (penser à vérifier l’interpréteur renseigné dans l’en-tête de ces scripts) :

# chown root:root /var/lib/rancid/bin/h3c*

Renseigner le modèle H3C dans Rancid :

# vim /var/lib/rancid/bin/rancid-fe

Créer l’arborescence CVS et les fichiers de configuration associés au groupes renseignés dans Rancid :

# usermod -s /bin/bash rancid
# su - rancid
$ /var/lib/rancid/bin/rancid-cvs

Compléter la liste des équipements pour chacun des groupes :

$ vim /var/lib/rancid/GRP1/router.db
#hostname:os:status
sw1.home.local:h3c:up
sw2.home.local:h3c:up
$ vim /var/lib/rancid/GRP2/router.db
#hostname:os:status
sw3.home.local:h3c:up
$ vim /var/lib/rancid/GRP3/router.db
#hostname:os:status
sw4.home.local:h3c:up

Lancer une première collecte de la configuration des équipements :

$ /var/lib/rancid/bin/rancid-run

Installation et configuration de CVSWeb

Installer CVSWeb :

# aptitude install cvsweb

Sauvegarder la configuration de CVSWeb :

# cp /etc/cvsweb/cvsweb.conf /etc/cvsweb/cvsweb.conf.original

Modifier la configuration de CVSWeb :

# vim /etc/cvsweb/cvsweb.conf
#                                                                  -*- perl -*-
# Configuration of cvsweb.cgi, a web interface to CVS repositories.
#
# (c) 1998-1999 H. Zeller    <zeller@think.de>
#     1999      H. Nordstrom <hno@hem.passagen.se>
#     2000-2002 A. MUSHA     <knu@FreeBSD.org>
#     2002-2005 V. Skyttä    <scop@FreeBSD.org>
#          based on work by Bill Fenner  <fenner@FreeBSD.org>
#
# $FreeBSD: projects/cvsweb/cvsweb.conf,v 1.97 2005/06/19 09:13:50 scop Exp $
# $Id: cvsweb.conf,v 1.29 2001/07/23 09:14:52 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.conf,v 1.27 2001/08/01 09:48:39 knu Exp $
#

#
# Unless otherwise noted, all boolean parameters here default to off
# when no value for them has been explicitly set.
#

# Set the path for the following commands:
#   cvs, rlog, rcsdiff
#   gzip (if you enable $allow_compress)
#   (g)tar, zip (if you enable $allow_tar)
#   cvsgraph (if you enable $allow_graph)
#   enscript (if you enable $allow_enscript)
#
@command_path = qw(/bin /usr/bin /usr/local/bin);

# Search the above directories for each command (prefer gtar over tar).
#
for (qw(cvs rlog rcsdiff gzip gtar zip cvsgraph enscript)) {
        $CMD{$_} = search_path($_);
}
$CMD{tar}   = delete($CMD{gtar}) if $CMD{gtar};
$CMD{tar} ||= search_path('tar');

# CVS roots
#
# CVSweb can handle several CVS repositories at once.  Enter short (internal)
# symbolic repository names, their names in the UI and the actual locations
# here.  The repositories will be listed in the order they're specified here.
#
# Obviously, CVSweb will need read access to these repository dirs.  If you
# receive an error that no valid CVS roots were found, double-check the file
# permissions and any other attributes your system may have for the repository
# directories, such as SELinux file contexts.
#
# CVSweb will also load per-cvsroot configuration files if they exist.
# The symbolic_name (see below) of the CVS root will be concatenated into the
# name of the main (this) configuration file along with a hyphen, and that
# file will be loaded for that particular CVS root.  For examples, see
# cvsweb.conf-* in the CVSweb distribution.
#
# Note that only local repositories are currently supported.  Things like
# :pserver:someone@xyz.com:/data/cvsroot won't work.
#
# 'symbolic_name' => ['Name to display',  '/path/to/cvsroot']
#
@CVSrepositories = (
#       'local'   => ['Local Repository', '/var/lib/cvs'],
#       'freebsd' => ['FreeBSD',          '/var/ncvs'],
#       'openbsd' => ['OpenBSD',          '/var/ncvs'],
#       'netbsd'  => ['NetBSD',           '/var/ncvs'],
#       'ruby'    => ['Ruby',             '/var/anoncvs/ruby'],
        'Rancid'     => ['My Network Devices', '/var/lib/rancid/CVS'],
);

# The default CVS root.  Note that @CVSrepositories is list, not a hash,
# so you'll want to use 2 * 0-based-index-number here; or set this directly
# to the default's symbolic name. Unless specified, the first valid one in
# @CVSrepositories is used as the default.
#
# For example:
#
#$cvstreedefault = $CVSrepositories[2 * 0];
#$cvstreedefault = 'local';

# Mirror sites.  The keys will be used as link texts, and the values are
# URLs pointing to the corresponding mirrors.
#
#%MIRRORS = (
#     'Other location'  => 'http://192.168.0.1/cgi-bin/cvsweb.cgi/',
#     'Yet another one' => 'http://192.168.0.2/cgi-bin/cvsweb.cgi/',
#);

# Bug tracking system linking options ("PR" means Problem Report, as in GNATS)
# This will be done only for views for which $allow_*_extra below is true.
#
#@prcategories = qw(
#    advocacy
#    alpha
#    bin
#    conf
#    docs
#    gnu
#    i386
#    kern
#    misc
#    pending
#    ports
#    sparc
#);
#$prcgi = "http://www.FreeBSD.org/cgi/query-pr.cgi?pr=%s";
#$prkeyword = "PR";

# Manual gateway linking.  This will be done only for views for which
# $allow_*_extra below is true.
#
$mancgi =
    "http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";

# Defaults for user definable options.
#
%DEFAULTVALUE = (

    # sortby: File sort order
    #   file   Sort by filename
    #   rev    Sort by revision number
    #   date   Sort by commit date
    #   author Sort by author
    #   log    Sort by log message
    "sortby" => "file",

    # ignorecase: Ignore case in sorts (filenames, authors, log messages)
    #   0      Honor case
    #   1      Ignore case
    "ignorecase" => "0",

    # hideattic: Hide or show files in Attic
    #   1      Hide files in Attic
    #   0      Show files in Attic
    "hideattic" => "1",

    # logsort: Sort order for CVS logs
    #   date   Sort revisions by date
    #   rev    Sort revision by revision number
    #   cvs    Don't sort them. Same order as CVS/RCS shows them.
    "logsort" => "date",

    # f: Default diff format
    #   h      Human readable
    #   u      Unified diff
    #   c      Context diff
    #   s      Side by side
    #   uc     Unified diff, enscript colored (falls back to "u" w/o enscript)
    #   cc     Context diff, enscript colored (falls back to "c" w/o enscript)
    #   sc     Side by side, enscript colored (falls back to "s" w/o enscript)
    "f" => "u",

    # hidecvsroot: Don't show the CVSROOT directory.  Note that this is
    # just the default for a user settable option (like others in this
    # %DEFAULTVALUE hash); it won't really prevent access to CVSROOT.
    # See @ForbiddenFiles for that.
    #   1      Do not include the top-level CVSROOT directory in dir listings
    #   0      Treat the top-level CVSROOT directory just like all other dirs
    "hidecvsroot" => "0",

    # hidenonreadable: Don't show files and directories that cannot be read
    # in directory listings.
    #   1      Hide non-readable entries
    #   0      Show non-readable entries
    "hidenonreadable" => "1",

    # ln: Show line numbers in HTMLized views
    #   1      Show line numbers
    #   0      Don't show line numbers
    "ln" => "0",
);

#
# Layout options (see also the included CSS file)
#

# Wanna have a logo on the page ?
#
#$logo = '<p><img src="/icons/apache_pb.gif" alt="Powered by Apache" /></p>';

# The title of the Page on startup.  This will be put inside <h1> and <title>
# tags, and HTML escaped.
#
$defaulttitle = "My Network CVS Repository";

# The address is shown on the footer.  This will be put inside a <address> tag.
#
$address = '<span style="font-size: smaller">My Network CVS <<a href="mailto:network-cvs@home.local">network-cvs@home.local</a>></span>';

$long_intro = <<EOT;
<p>Dépôt CVS pour l'archivage des configuration des équipements
actifs de mon réseau.
</p>
EOT

$short_instruction = <<EOT;
<p>
Click on a directory to enter that directory. Click on a file to display
its revision history and to get a chance to display diffs between revisions.
</p>
EOT

# Icons for the web UI.  If ICON-URL is empty, the TEXT representation is
# used.  If you do not want to have a tool tip for an icon, set TEXT empty.
# The width and height of the icon allow the browser to correctly display
# the table while still loading the icons.  If these icons are too large,
# check out the "mini" versions in the icons/ directory; they have a
# width/height of 16/16.
#
my $iconsdir = '/cvsweb/icons';

# format:          TEXT       ICON-URL                  width height
%ICONS = (
     back    => [('[BACK]',   "$iconsdir/back.gif",      20,   22)],
     dir     => [('[DIR]',    "$iconsdir/dir.gif",       20,   22)],
     file    => [('[TXT]',    "$iconsdir/text.gif",      20,   22)],
     binfile => [('[BIN]',    "$iconsdir/binary.gif",    20,   22)],
     graph   => [('[GRAPH]',  "$iconsdir/minigraph.png", 16,   16)],
);
undef $iconsdir;

# An URL where to find the CSS.
#
$cssurl = '/cvsweb/css/cvsweb.css';

# The length to which the last log entry should be truncated when shown
# in the directory view.
#
$shortLogLen = 80;

# Show author of last change?
#
$show_author = 0; # Off for Debian for security by obscurity

# Cell padding for directory table.
#
$tablepadding = 2;

# Regular expressions for files and directories which should be hidden.
# Each regexp is compared against a path relative to a CVS root, after
# stripping the trailing ",v" if present.  Matching files and directories
# are not displayed.
#
@ForbiddenFiles = (
    qr|^CVSROOT/+passwd$|o, # CVSROOT/passwd should not be 'cvs add'ed though.
    qr|/\.cvspass$|o,       # Ditto.  Just in case.
   #qr|^my/+secret/+dir|o,
);

# Use CVSROOT/descriptions for describing the directories/modules?
# See INSTALL, section 9.
#
$use_descriptions = 0;

#
# Human readable diff.
#
# (c) 1998 H. Zeller <zeller@think.de>
#
# Generates two columns of color encoded diff; much like xdiff or GNU Emacs'
# ediff-mode.
#
# The diff-stuff is a piece of code I once made for cvs2html which is under
# GPL, see http://www.sslug.dk/cvs2html
# (c) 1997/98 Peter Toft <pto@sslug.imm.dtu.dk>

# Make lines breakable so that the columns do not exceed the width of the
# browser?
#
$hr_breakable = 1;

# Print function names in diffs (unified and context only).
# See the -p option in the diff(1) man page.
#
$showfunc = 1;

# For each pair of regexps, files that match the first regexp will be diff'ed
# with an -F option using the second regexp (unified and context only).
# See the -F option in the diff(1) man page.
#
%funcline_regexp = (
    qr/\.(?:4th|fr)$/o => "\\(^\\|[ \t]\\): ",
    qr/\.rb$/o         => "^[\t ]*\\(class\\|module\\|def\\) ",
);

# Ignore whitespace in human readable diffs? ('-w' option to diff)
#
$hr_ignwhite = 0;

# Ignore diffs which are caused by keyword substitution, $Id and friends?
# ('-kk' option to rcsdiff)
#
$hr_ignkeysubst = 1;

# The width of the textinput of the "request diff" form.
#
$inputTextSize = 12;

# Custom per MIME type diff tools, used for comparing binary files such as
# spreadsheets, images etc.  Each key is a MIME type in lowercase.
# Each value is an array ref of available diff tools for that type, each of
# which is a hash ref with values (mandatory where default not listed):
#   name: the name to show in the UI for this diff type
#   cmd:  full path to executable
#   args: arguments as an array ref (not string!, defaults to no arguments)
#   type: output MIME type (defaults to text/plain)
#
%DIFF_COMMANDS = (
  #'text/xml' => [
  #  { name => 'XMLdiff',
  #    cmd  => $CMD{xmldiff},
  #  },
  #  { name => 'XMLdiff (XUpdate)',
  #    cmd  => $CMD{xmldiff},
  #    args => [ qw(-x) ],
  #    type => 'text/xml',
  #  },
  #],
);

#
# Mime types
#

# The MIME type lookup works like this:
# 1) Look up from %MTYPES below with the file name extension (suffix).
# 2) If not found, use the MIME::Types(3) module if it's available.
# 3) If not found, lookup from the $mime_types file (see below).
# 4) If not found, try %MTYPES{'*'}.
# 5) If not found, use 'application/octet-stream' if the file's keyword
#    substitution mode is b (ie. the file was checked in as binary to CVS),
#    'text/plain' otherwise.

# Quick MIME type lookup; maps filename extensions to MIME types.
# Add common mappings here for fast lookup.  You can also use this
# to override MIME::Types(3) or the $mime_types file (see below).
#
%MTYPES = (
        "html"  => "text/html",
        "shtml" => "text/html",
        "gif"   => "image/gif",
        "jpeg"  => "image/jpeg",
        "jpg"   => "image/jpeg",
        "png"   => "image/png",
        "xpm"   => "image/xpm",
#       "*"     => "text/plain",
);

# The traditional mime.types file, eg. the one from Apache is fine.
# See above where this gets used.
#
$mime_types = '/etc/mime.types';

# Charset appended to the Content-Type HTTP header for text/* MIME types.
# Note that the web server may default to some charset which may take effect
# if you leave this parameter empty or unset.
# For Apache, see also the AddDefaultCharset directive.
#
$charset = '';

# e.g.
#$charset = $where =~ m,/ru[/_-], ? 'koi8-r'
#  : $where =~ m,/zh[/_-], ? 'big5'
#  : $where =~ m,/ja[/_-], ? 'x-euc-jp'
#  : $where =~ m,/ko[/_-], ? 'x-euc-kr'
#  : 'iso-8859-1';

# Output filter
#
$output_filter = '';

# e.g.
## unify/convert Japanese code into EUC-JP
#$output_filter= '/usr/local/bin/nkf -e';

##############
# Misc
##############

# Allow annotation of files?  See also @annotate_options below.
#
$allow_annotate = 1;

# Allow HTMLized versions of files?
#
$allow_markup = 1;

# Allow CVSweb to create mailto: links from email addresses in various
# HTMLized views?  Default: yes.
#
#$allow_mailtos = 0;

## Extra hyperlinking means hyperlinks to bug tracking systems and manual page
## gateways, see $prcgi and $mancgi and related options above.

# Allow extra hyperlinking (such as PR cross-references) in logs?
# Default: yes.
#
#$allow_log_extra = 0;

# Allow extra hyperlinking in directory views?
#
$allow_dir_extra = 1;

# Allow extra hyperlinking in source code/formatted diff views?
#
$allow_source_extra = 1;

# Allow compression with gzip in general?  Note that this also requires
# that the browser supports it, and will be disabled on the fly when necessary.
#
#$allow_compress = 1;

# Use JavaScript in the UI?
#
$use_java_script = 1;

# Show a form for setting options in the directory view?
#
$edit_option_form = 1;

# Show last changelog message for subdirectories?
# The current implementation makes many assumptions and may show the
# incorrect file at some times. The main assumption is that the last
# modified file has the newest filedate. But some CVS operations
# touch the file even when a new version isn't checked in, and TAG
# based browsing essentially puts this out of order unless the last
# checkin was on the same tag as you are viewing.
# Enable this if you like the feature, but don't rely on correct results.
#
#$show_subdir_lastmod = 1;

# Show CVS log when viewing file contents?
#
$show_log_in_markup = 1;

# Preformat when viewing file contents?  This should be turned off
# when you have files in the repository that are in a multibyte
# encoding which uses HTML special characters ([<>&"]) as part of a
# multibyte character. (such as iso-2022-jp, ShiftJIS, etc.)
# Otherwise those files will get screwed up in markup.
#
# Note: enscript(1) highlighting is preferred over the built-in preformatting,
# ie. this has no effect if $allow_enscript is true and enscript can highlight
# the file.
#
#$preformat_in_markup = 1;

# Default tab width used to expand tabs to spaces in various HTMLized views.
# Note that CVSweb scans the first few lines of sources for some common editor
# directives controlling the tab width.  It uses the value from them if found,
# falling back to the value of $tabstop if not.  Default: 8.
#
#$tabstop = 4;

# If you wish to display absolute times in your local timezone,
# then define @mytz and fill in the strings for your standard and
# daylight time. Note that you must also make sure the system
# timezone is correctly set.
#
#@mytz=("EST", "EDT");

# CVSweb is friendly to caches by sending the HTTP Last-Modified
# header corresponding to the sent content.  In the case of a
# checkout, this may require running rcslog on the file solely for the
# purpose of retrieving the timestamp to be sent.  If you have a slow
# server, you may want to turn this off for a small performance gain.
#
$use_moddate = 1;

# Maximum number of filenames to pass to rlog(1) in one command.
# If you see "Failed to spawn GNU rlog" errors with directories containing
# lots of files, experiment by setting this to different values and see if
# the error still occurs.  A good value to start from would be eg. 200.
# Just comment this out if you're not bitten by the problem.
#
#$file_list_len = 200;

# Allow graphical representations of file revisions and branches with CvsGraph?
#
$allow_cvsgraph = $CMD{cvsgraph} ? 1 : 0;

# Path to the CvsGraph configuration file.  Only used if $allow_cvsgraph
# is true.  Leave this empty or comment it out to make cvsgraph(1) use its
# default configuration file.  Note that CVSweb will override some of the
# settings in the configuration file with command line options, see
# doGraph() and doGraphView() in cvsweb.cgi for details.
#
#$cvsgraph_config = "/etc/cvsgraph.conf";

# URL to the CVSHistory script.  This should be absolute (but does not need
# to include the host and port if the script is on the same server as
# CVSweb).
#$cvshistory_url = "/cgi-bin/cvshistory.cgi";

# Whether to allow downloading a tarball or a zip of the current directory.
# While downloading of the entire repository is disallowed, depending on
# the directory this may take a lot of time and disk space.  For some CVS
# versions, the user account running CVSweb needs write access to
# CVSROOT/val-tags.  See also the tar, gzip and zip options below.
#
#$allow_tar = (($CMD{tar} && $CMD{gzip}) || $CMD{zip}) ? 1 : 0;

# Options to pass to tar(1).
# For example: @tar_options = qw(--ignore-failed-read);
# GNU tar has some useful options against unexpected errors.
# Other useful options include "--owner=0" and "--group=0", see
# the tar(1) (or gtar(1)) manpage for details.
#
@tar_options = qw();

# Options to pass to gzip(1) when compressing a tarball to download.
# For example: @gzip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@gzip_options = qw();

# Options to pass to zip(1) when compressing a zip archive to download.
# For example: @zip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@zip_options = qw(-q);

# Options to pass to cvs(1).
# For cvs versions 1.11 to 1.11.6 (broken in < 1.11, removed in 1.11.7), you
# can use the '-l' option to prevent cvs from writing to the history file.
# For other cvs versions, either suppress history logging by using the
# LogHistory parameter in CVSROOT/config or make sure that the CVSweb user
# can read and write to CVSROOT/history.
# FreeBSD's and OpenBSD's cvs(1) has long since supported -R (read only access
# mode) option, which considerably speeds up checkouts over NFS.  For other
# platforms, the -R option and the CVSREADONLYFS environment variable are
# available in cvs >= 1.12.1.  A similar effect is provided by -u on NetBSD.
#
@cvs_options = qw(-f);
push @cvs_options, '-R' if ($^O eq 'freebsd' || $^O eq 'openbsd');
push @cvs_options, '-u' if ($^O eq 'netbsd');
# Only affects cvs >= 1.12.1, but doesn't hurt older ones.
$ENV{CVSREADONLYFS} = 1 unless exists($ENV{CVSREADONLYFS});

# Options to pass to the 'cvs annotate' command, usually the normal
# @cvs_options are good enough here.
# To make annotate work against a read only repository, add -n, ie.:
# @annotate_options = (@cvs_options, '-n');
#
@annotate_options = @cvs_options;

# Options to pass to rcsdiff(1).
# Probably the only useful one here is -q (suppress diagnostic output).
#
@rcsdiff_options = qw(-q);

# Enables syntax highlighting using GNU Enscript if set.
# You will need GNU Enscript version 1.6.3 or newer for this to work.
#
#$allow_enscript = $CMD{enscript} ? 1 : 0;

# Options to pass to enscript(1).
# Do not set the -q, --language, -o or --highlight options here.
# Most useful styles are probably emacs, emacs_verbose and msvc.
#
@enscript_options = qw(--style=emacs --color=1);

# Enscript highlight rule to filename regex mappings.  The set of useful
# mappings depends on what highlight rules the system has installed.
#
%enscript_types =
  (
   'ada'          => qr/\.ad(s|b|a)$/o,
   'asm'          => qr/\.[Ss]$/o,
   'awk'          => qr/\.awk$/o,
   'bash'         => qr/\.(bash(_profile|rc)|inputrc)$/o,
   'c'            => qr/\.(c|h)$/o,
   'changelog'    => qr/^changelog$/io,
   'cpp'          => qr/\.(c\+\+|C|H|cpp|cc|cxx)$/o,
   'csh'          => qr/\.(csh(rc)?|log(in|out)|history)$/o,
   'elisp'        => qr/\.e(l|macs)$/o,
   'fortran'      => qr/\.[fF]$/o,
   'haskell'      => qr/\.(l?h|l?g)s$/o,
   'html'         => qr/\.x?html?$/o,
   'idl'          => qr/\.idl$/o,
   'inf'          => qr/\.inf$/io,
   'java'         => qr/\.java$/o,
   'javascript'   => qr/\.(js|pac)$/o,
   'ksh'          => qr/\.ksh$/o,
   'm4'           => qr/\.m4$/o,
   'makefile'     => qr/(GNU)?[Mm]akefile(?!\.PL\b)|\.(ma?ke?|am)$/o,
   'matlab'       => qr/\.m$/o,
   'nroff'        => qr/\.man$/o,
   'pascal'       => qr/\.p(as|p)?$/io,
   'perl'         => qr/\.p(m|(er)?l)$/io,
   'postscript'   => qr/\.e?ps$/io,
   'python'       => qr/\.py$/o,
   'rfc'          => qr/\b((rfc|draft)\..*\.txt)$/o,
   'scheme'       => qr/\.(scm|scheme)$/o,
   'sh'           => qr/\.sh$/o,
   'skill'        => qr/\.il$/o,
   'sql'          => qr/\.sql$/o,
   'states'       => qr/\.st$/o,
   'synopsys'     => qr/\.s(cr|yn(th)?)$/o,
   'tcl'          => qr/\.tcl$/o,
   'tcsh'         => qr/\.tcshrc$/o,
   'tex'          => qr/\.tex$/o,
   'vba'          => qr/\.vba$/o,
   'verilog'      => qr/\.(v|vh)$/o,
   'vhdl'         => qr/\.vhdl?$/o,
   'vrml'         => qr/\.wrl$/o,
   'wmlscript'    => qr/\.wmls(cript)?$/o,
   'zsh'          => qr/\.(zsh(env|rc)|z(profile|log(in|out)))$/o,
  );

# Troubleshooting: in case of problems, setting this to 1 will cause more
# error output into your web server error log.  Under normal operation,
# this should be set to 0 or commented out.
#
#$DEBUG = 1;

# Enable this to let CVSweb load extra configuration files from the "conf.d"
# subdirectory of the directory this file is located in.  This enables site
# specific configuration without having to modify this "master" configuration
# file (except for enabling this functionality below :)
#
if (0) {
  my $confdir = catdir(dirname(__FILE__), 'conf.d');
  if (opendir(CONFD, $confdir)) {
    my @files = sort(map(catfile($confdir, $_), readdir(CONFD)));
    close(CONFD);
    for my $conffile (grep(-f && -r _, @files)) {
      ($conffile) = ($conffile =~ /(.+\.conf)$/) or next;
      do "$conffile" or config_error($conffile, $@);
    }
  }
}

1;

# EOF

Créer le répertoire pour le VHost Apache cvs.home.local :

# mkdir /var/www/cvs.home.local/

Créer un répertoire pour les clés et certificats SSL utilisés par Apache :

# mkdir /etc/apache2/ssl/

Placer la clés et les certificats adéquats :

  • ca.crt
  • wildcard.home.local.crt
  • wildcard.home.local.key

Créer la configuration du VHost Apache cvs.home.local :

# vim /etc/apache2/sites-available/cvs.home.local
<VirtualHost *:80>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     (.*)    https://%{SERVER_NAME}$1
        </IfModule>

</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        DocumentRoot /var/www/cvs.home.local/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Location />
                Order deny,allow
                Deny from all
                Allow from 10.20.30.0/24

                AuthUserFile /etc/apache2/passwd
                AuthName "!HOME! Restricted Access !HOME!"
                AuthType Basic
                Require user admin

                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                #RedirectMatch ^/$ /apache2-default/
        </Location>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        Alias /cvsweb /usr/share/cvsweb

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     ^/$    /cgi-bin/cvsweb  [R]
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/cvs.home.local-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/cvs.home.local-access.log combined
        ServerSignature Off

        <IfModule mod_ssl.c>
                SSLEngine on
                SSLCertificateFile /etc/apache2/ssl/wildcard.home.local.crt
                SSLCertificateKeyFile /etc/apache2/ssl/wildcard.home.local.key
                SSLCACertificateFile /etc/apache2/ssl/ca.crt
        </IfModule>
</VirtualHost>

Activer les modules Apache nécessaires :

# a2enmod rewrite ssl cgi

Activer le VHost Apache cvs.home.local :

# a2ensite cvs.home.local

Relancer Apache2 :

# /etc/init.d/apache2 reload

Automatisation des sauvegardes

Ajouter une tâches sur les deux noeuds du cluster :

# vim /etc/crontab
# Sauvegarde des equipements actifs de mon reseau
30 19 * * *     root    ( crm_resource --resource ClusterFS --locate | grep $HOSTNAME &> /dev/null ) && ( ! ps -e | grep rancid-run ) && sudo -u rancid /var/lib/rancid/bin/rancid-run &> /dev/null
Categories
Computing

Installation et configuration d’un cluster Pacemaker/CoroSync sous GNU/Linux Debian 6 (Squeeze)

Installation et pré-configuration de CoroSync

remarque: les actions suivantes sont à réaliser sur les deux noeuds.

Installer les paquets nécessaires :

# aptitude install corosync pacemaker

Autoriser le démarrage de CoroSync :

# sed -i 's/START=no/START=yes/' /etc/default/corosync

Sauvegarder la configuration par défaut de CoroSync :

# cp /etc/corosync/corosync.conf /etc/corosync/corosync.conf.original

Modifier le fichier hosts :

# sed -i 's/^10.20.*$/10.20.30.1\tvm-debian1.france.local\tvm-debian1\n10.20.30.2\tvm-debian2.france.local\tvm-debian2/' /etc/hosts

Générer une paire de clés RSA pour SSH (sans mot de passe) :

# ssh-keygen -b 2048

Copier la clé publique sur le second noeud :

# if hostname | grep -q 1; then ssh-copy-id $(hostname | sed 's/1/2/'); else ssh-copy-id $(hostname | sed 's/2/1/'); fi

remarque: les actions suivantes sont à réaliser sur le premier noeud.

Générer des I/O :

# dd if=/dev/urandom of=/tmp/temp bs=1024 count=1000000&

En parallèle, générer une clé pour Corosync :

# corosync-keygen

Supprimer le fichier temporaire précédemment créé :

# rm /tmp/temp

Copier la clé précédemment générée sur le second noeud :

# scp /etc/corosync/authkey sfrafilx02:/etc/corosync/authkey

remarque: les actions suivantes sont à réaliser sur les deux noeuds.

Modifier le fichier de configuration de Corosync

# vim /etc/corosync/corosync.conf
# Please read the openais.conf.5 manual page

totem {
        version: 2

        # How long before declaring a token lost (ms)
        token: 3000

        # How many token retransmits before forming a new configuration
        token_retransmits_before_loss_const: 10

        # How long to wait for join messages in the membership protocol (ms)
        join: 60

        # How long to wait for consensus to be achieved before starting a new round of membership configuration (ms)
        consensus: 3600

        # Turn off the virtual synchrony filter
        vsftype: none

        # Number of messages that may be sent by one processor on receipt of the token
        max_messages: 20

        # Limit generated nodeids to 31-bits (positive signed integers)
        clear_node_high_bit: yes

        # Disable encryption
        secauth: off

        # How many threads to use for encryption/decryption
        threads: 0

        # Optionally assign a fixed node id (integer)
        # nodeid: 1234

        # This specifies the mode of redundant ring, which may be none, active, or passive.
        rrp_mode: none

        interface {
                # The following values need to be set based on your environment
                ringnumber: 0
                bindnetaddr: 10.20.30.1
                mcastaddr: 226.94.1.1
                mcastport: 5405
        }
}

amf {
        mode: disabled
}

service {
        # Load the Pacemaker Cluster Resource Manager
        ver:       0
        name:      pacemaker
        use_mgmtd: 1
}

aisexec {
        user:   root
        group:  root
}

logging {
        fileline: off
        to_stderr: yes
        to_logfile: yes
        logfile: /var/log/corosync.log
        logfile_priority: info
        to_syslog: no
        syslog_facility: daemon
        debug: off
        timestamp: on
        logger_subsys {
                subsys: AMF
                debug: off
                tags: enter|leave|trace1|trace2|trace3|trace4|trace6
        }
}

Démarrer CoroSync :

# /etc/init.d/corosync start

Vérifier l’état du cluster :

# crm_mon -1

Préparation des agents pour l’Open Cluster Framework (OCF)

Ajouter un agent OCF HTTPCheck :

# mkdir /usr/lib/ocf/resource.d/myscripts
# vim /usr/lib/ocf/resource.d/myscripts/HTTPCheck
#!/bin/sh
#
#
#       HTTPCheck OCF RA. It checks the accessibility of a Web resource.
#
# Copyright (c) 2004 SUSE LINUX AG, Lars Marowsky-Bré
#                    All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of version 2 of the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it would be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Further, this software is distributed without any warranty that it is
# free of the rightful claim of any third person regarding infringement
# or the like.  Any license provided herein, whether implied or
# otherwise, applies only to this software file.  Patent licenses, if
# any, provided herein do not apply to combinations of this program with
# other software, or any other product whatsoever.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write the Free Software Foundation,
# Inc., 59 Temple Place - Suite 330, Boston MA 02111-1307, USA.
#
#######################################################################
# OCF parameters:
#   OCF_RESKEY_url    : Web resource URL
#
#######################################################################
# Initialization:

. ${OCF_ROOT}/resource.d/heartbeat/.ocf-shellfuncs

#######################################################################

meta_data() {
        cat <<END
<?xml version="1.0"?>
<!DOCTYPE resource-agent SYSTEM "ra-api-1.dtd">
<resource-agent name="HTTPCheck" version="0.9">
<version>1.0</version>

<longdesc lang="en">
This is HTTPCheck Resource Agent.
It checks the accessibility of a Web resource using wget binary.
Remember that you can configure wget options through /etc/wgetrc
configuration file.
</longdesc>
<shortdesc lang="en">HTTPCheck resource agent</shortdesc>

<parameters>

<parameter name="url" unique="0" required="1">
<longdesc lang="en">
This is a required parameter. This parameter specifies the Web resource to check.
</longdesc>
<shortdesc lang="en">Web resource</shortdesc>
<content type="string" default="www.debian.org" />
</parameter>

<parameter name="state" unique="1">
<longdesc lang="en">
Location to store the resource state in.
</longdesc>
<shortdesc lang="en">State file</shortdesc>
<content type="string" default="${HA_VARRUN}/OCF-{OCF_RESOURCE_INSTANCE}.state" />
</parameter>

</parameters>

<actions>
<action name="start"        timeout="15" />
<action name="stop"         timeout="15" />
<action name="monitor"      timeout="15" interval="10" depth="0" start-delay="0" />
<action name="meta-data"    timeout="5" />
<action name="validate-all"   timeout="30" />
</actions>
</resource-agent>
END
}

#######################################################################

httpcheck_usage() {
        cat <<END
usage: $0 {start|stop|monitor|validate-all|meta-data}

Expects to have a fully populated OCF RA-compliant environment set.
END
}

httpcheck_start() {
    httpcheck_monitor
    if [ $? =  $OCF_SUCCESS ]; then
        return $OCF_SUCCESS
    fi
    /usr/bin/wget -q -t 1 -T 4 --no-dns-cache --no-cache -4 -O ${OCF_RESKEY_state} $OCF_RESKEY_url
}

httpcheck_stop() {
    httpcheck_monitor
    if [ $? != $OCF_NOT_RUNNING ]; then
        rm ${OCF_RESKEY_state}
    fi
    return $OCF_SUCCESS
}

httpcheck_monitor() {
    # Monitor _MUST!_ differentiate correctly between running
    # (SUCCESS), failed (ERROR) or _cleanly_ stopped (NOT RUNNING).
    # That is THREE states, not just yes/no.

    if [ ! -f ${OCF_RESKEY_state} ]; then
        return $OCF_NOT_RUNNING
    else
        if /usr/bin/wget -q -t 1 -T 4 --no-dns-cache --no-cache -4 -O ${OCF_RESKEY_state} $OCF_RESKEY_url; then
            return $OCF_SUCCESS
        else
            return $OCF_ERR_GENERIC
        fi
    fi
}

httpcheck_validate() {

    # Is the state directory writable?
    state_dir=`dirname "$OCF_RESKEY_state"`
    touch "$state_dir/$$"
    if [ $? != 0 ]; then
        return $OCF_ERR_ARGS
    fi
    rm "$state_dir/$$"

    return $OCF_SUCCESS
}

: ${OCF_RESKEY_CRM_meta_interval=0}
: ${OCF_RESKEY_CRM_meta_globally_unique:="true"}

if [ "x$OCF_RESKEY_state" = "x" ]; then
    if [ ${OCF_RESKEY_CRM_meta_globally_unique} = "false" ]; then
        state="${HA_VARRUN}/OCF-${OCF_RESOURCE_INSTANCE}.state"

        # Strip off the trailing clone marker
        OCF_RESKEY_state=`echo $state | sed s/:[0-9][0-9]*\.state/.state/`
    else
        OCF_RESKEY_state="${HA_VARRUN}/OCF-${OCF_RESOURCE_INSTANCE}.state"
    fi
fi

if [ "x$OCF_RESKEY_url" = "x" ]; then
    OCF_RESKEY_url="www.debian.org"
fi

case $__OCF_ACTION in
meta-data)      meta_data;;
start)          httpcheck_start;;
stop)           httpcheck_stop;;
monitor)        httpcheck_monitor;;
validate-all)   httpcheck_validate;;
usage|help)     httpcheck_usage
                exit $OCF_SUCCESS
                ;;
*)              httpcheck_usage
                exit $OCF_ERR_UNIMPLEMENTED
                ;;
esac
rc=$?
ocf_log debug "${OCF_RESOURCE_INSTANCE} $__OCF_ACTION : $rc"
exit $rc
# chmod +x /usr/lib/ocf/resource.d/myscripts/HTTPCheck

Corriger l’agent OCF Squid :

# cp /usr/lib/ocf/resource.d/heartbeat/Squid /usr/lib/ocf/resource.d/heartbeat/Squid.original
# vim /usr/lib/ocf/resource.d/heartbeat/Squid
  ligne 198 : awk '/(tcp.*[0-9]+\.[0-9]+\.+[0-9]+\.[0-9]+:'$SQUID_PORT' |tcp.*:::'$SQUID_PORT' )/{

Configuration du cluster Pacemaker (CRM)

remarque: les actions suivantes sont à réaliser sur le premier noeud. Configurer les ressources du cluster :

# crm configure property stonith-enabled=false
# crm configure property no-quorum-policy=ignore
# crm configure rsc_defaults resource-stickiness=100
# crm configure primitive ClusterIP ocf:heartbeat:IPaddr2 \
      params ip=10.20.30.3 cidr_netmask=24 \
      op monitor interval=30
# crm configure primitive Proxy ocf:heartbeat:Squid \
      params squid_exe="/usr/sbin/squid3" squid_conf="/etc/squid3/squid.conf" squid_pidfile="/var/run/squid3.pid" squid_port="3128" squid_stop_timeout="30" \
      op start interval="0" timeout="60s" \
      op stop interval="0" timeout="120s" \
      op monitor interval="20s" timeout="30s"
# crm configure primitive HTTPCheck ocf:myscripts:HTTPCheck \
      params url="kb.france.local" \
      op monitor interval="120s"
# crm configure primitive WebSite lsb:apache2 op monitor interval="60sec"
# crm configure location proxy-prefer-node1 Proxy 50: vm-debian1
# crm configure location website-prefer-node1 WebSite 50: vm-debian1
# crm configure colocation proxy-with-clusterip inf: Proxy ClusterIP
# crm configure colocation website-with-clusterip inf: WebSite ClusterIP
# crm configure colocation httpcheck-with-proxy inf: HTTPCheck Proxy
# crm configure order apache-after-clusterip inf: ClusterIP WebSite
# crm configure order squid-after-clusterip inf: ClusterIP Proxy
# crm configure order httpcheck-after-proxy inf: Proxy HTTPCheck