
Backing up and archiving device configurations with Rancid on GNU/Linux Debian

Prerequisites

A rancid service account defined in the Active Directory directory

A Pacemaker/Corosync cluster with a DRBD resource

The cluster nodes are members of the Active Directory domain

An Apache2 server on each cluster node

A TACACS+ server on each cluster node

The key and certificate of the CVSWeb VHost, plus the CA certificate.

TACACS+ configuration

Declare the rancid user on the TACACS+ servers. Two points to keep in mind while doing so: the key below is the Debian sample value and must be replaced by a long random secret shared with the devices (tac_plus.conf stores it in clear, so keep the file readable by root only), and default service = permit with priv-lvl = 15 gives the rancid account exactly the same rights as the human administrators. Rancid only needs to run show commands, so restricting the rancid user with tac_plus command authorization (see tac_plus.conf(5)) is the least-privilege option:

vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+
# "abcdefgh" is the Debian sample value: replace it with a long random
# secret, identical on every device, and keep this file readable by root only.

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization, scripting authorization.
# See the man page for those features.
vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+
# "abcdefgh" is the Debian sample value: replace it with a long random
# secret, identical on every device, and keep this file readable by root only.

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

user = rancid {
        member = admins
}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization, scripting authorization.
# See the man page for those features.

Reload the TACACS+ servers:

# /etc/init.d/tacacs_plus reload
# /etc/init.d/tacacs_plus_nortel reload

Installing and configuring Rancid

Install Rancid:

# aptitude update && aptitude install rancid

Back up the Rancid configuration file:

# cp /etc/rancid/rancid.conf /etc/rancid/rancid.conf.original

Edit the Rancid configuration:

# vim /etc/rancid/rancid.conf
# rancid 2.3.3
# This file sets up the environment used for rancid.  see rancid.conf(5)
#
# This will be site specific
#
TERM=network;export TERM
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Under BASEDIR (i.e.: --localstatedir), there will be a "logs" directory for
# the logs from rancid and a directory for each group of routers defined in
# LIST_OF_GROUPS (below).  In addition to these, there will be a "CVS"
# directory which is the cvs (or Subversion) repository.
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.
BASEDIR=/var/lib/rancid; export BASEDIR
PATH=/usr/lib/rancid/bin:/usr/bin:/usr/sbin:/bin:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository.  Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=$BASEDIR/logs; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn".  Do not change
# this after CVSROOT has been created with rancid-cvs.  Changing between these
# requires manual conversions.
RCSSYS=cvs; export RCSSYS
#
# if ACLSORT is NO, access-lists will NOT be sorted.
#ACLSORT=YES; export ACLSORT
#
# if NOPIPE is set, temp files will be used instead of a cmd pipe during
# collection from the router(s).
#NOPIPE=YES; export NOPIPE
#
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL).  see rancid.conf(5).
#FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
#NOCOMMSTR=YES; export NOCOMMSTR
#
# How many times failed collections are retried (for each run) before
# giving up.  Minimum: 1
#MAX_ROUNDS=4; export MAX_ROUNDS
#
# How many hours should pass before complaining about routers that
# can not be reached.  The value should be greater than the number
# of hours between your rancid-run cron job.  Default: 24
#OLDTIME=4; export OLDTIME
#
# How many hours should pass before complaining that a group's collection
# (the age of it's lock file) is hung.
#LOCKTIME=4; export LOCKTIME
#
# The number of devices to collect simultaneously.
#PAR_COUNT=5; export PAR_COUNT
#
# list of rancid groups
#LIST_OF_GROUPS="sl joebobisp"
# more groups...
LIST_OF_GROUPS="GRP1 GRP2 GRP3"
#
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
#   rancid-group:       joe,moe@foo
#   rancid-admin-group: hostmaster
# be sure to read ../README regarding aliases.
#
# If your MTA configuration is broken or you want mail to be forwarded to a
# domain not the same as the local one, define that domain here.  "@" must be
# included, as this is simply appended to the usual recipients.  It is NOT
# appended to recipients specified in rancid-run's -m option.
#MAILDOMAIN="@example.com"; export MAILDOMAIN
#
# By default, rancid mail is marked with precedence "bulk".  This may be
# changed by setting the MAILHEADERS variable; for example no header by setting
# it to "" or adding X- style headers.  Individual headers must be separated
# by a \n.
#MAILHEADERS="Precedence: bulk"; export MAILHEADERS

On the active cluster node, move Rancid's working tree onto the DRBD disk:

# mv /var/lib/rancid /cluster/
# ln -s /cluster/rancid /var/lib/
# rm /var/lib/rancid/logs && ln -s /var/log/rancid /cluster/rancid/logs

On the passive cluster node, delete Rancid's working tree and point it at the DRBD resource:

# rm -rf /var/lib/rancid
# ln -s /cluster/rancid /var/lib/

Note: everything that follows and touches the /var/lib/rancid tree must only be done on the active node, where the DRBD resource is mounted under /cluster.

Add the configuration file holding the login parameters of the rancid user on the devices. The password is stored in clear, hence the 0600 mode and the rancid ownership (clogin refuses to use a .cloginrc that others can read):

# vim /var/lib/rancid/.cloginrc
add cyphertype sw1.home.local {aes128-cbc}
add cyphertype sw2.home.local {aes128-cbc}
add cyphertype sw3.home.local {aes128-cbc}
add cyphertype sw4.home.local {aes128-cbc}
add noenable * {1}
add autoenable * {1}
add user * {rancid}
add password * {-----------}
# chmod 600 /var/lib/rancid/.cloginrc && chown rancid:rancid /var/lib/rancid/.cloginrc

Fetch the H3C add-ons for Rancid (h3clogin and h3crancid), place them under /var/lib/rancid/bin/ (check the interpreter declared in each script's shebang line) and make them root-owned so that the rancid account cannot modify the scripts it executes:

# chown root:root /var/lib/rancid/bin/h3c*

Declare the H3C device type in Rancid, i.e. map the os value used in router.db to the collection script (the %vendortable hash of rancid-fe, with an entry of the form 'h3c' => 'h3crancid'):

# vim /var/lib/rancid/bin/rancid-fe

Create the CVS tree and the configuration files for the groups declared in Rancid. rancid-cvs must run as the rancid user; `su -s /bin/bash - rancid` does this without permanently giving the service account a login shell, if you prefer not to change its shell:

# usermod -s /bin/bash rancid
# su - rancid
$ /var/lib/rancid/bin/rancid-cvs

Fill in the device list for each group (hostname:os:status, the rancid 2.3 format):

$ vim /var/lib/rancid/GRP1/router.db
#hostname:os:status
sw1.home.local:h3c:up
sw2.home.local:h3c:up
$ vim /var/lib/rancid/GRP2/router.db
#hostname:os:status
sw3.home.local:h3c:up
$ vim /var/lib/rancid/GRP3/router.db
#hostname:os:status
sw4.home.local:h3c:up

Run a first collection of the device configurations:

$ /var/lib/rancid/bin/rancid-run
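After the first collection, each group directory holds a configs/ subdirectory with one file per device, and that is what gets committed to CVS. In the rancid.conf above, FILTER_PWDS (which passwords are filtered: NO, YES or ALL) and NOCOMMSTR (strip SNMP community strings) are both left commented out, so it is worth checking what actually landed in the archive before it is published through CVSWeb. The script below is an added example for this page, not part of rancid or of the original article: it greps every group's configs/ directory for lines that look like community strings, reversible or cleartext passwords and shared secrets, skipping lines that rancid already rewrote with its `<removed>` marker. The rancid 2.3 layout /var/lib/rancid/<group>/configs/<device>, the `<removed>` marker and the pattern list (Cisco IOS and H3C/Comware syntax) are assumptions to adapt to the device types in use; the two sample configs are constructed, not real rancid output.

```shell
#!/bin/sh
# Added example (not part of rancid or of the original article): look for
# secrets that survived rancid's filtering in the collected configurations.
# Assumptions: rancid 2.3 layout /var/lib/rancid/<group>/configs/<device>,
# rancid's "<removed>" marker for filtered values, and the pattern list below.

# Lines that should not sit in a configuration archive. The list is an
# assumption covering Cisco IOS and H3C/Comware syntax; extend it per vendor.
#   snmp-server/snmp-agent community ...   SNMP community strings
#   password 7|0|simple ...                reversible or cleartext passwords
#   tacacs-server key / radius-server key  shared secrets (Cisco)
#   key authentication|... simple ...      HWTACACS/RADIUS secrets (H3C)
# Reads a config on stdin, prints the offending lines; lines rancid already
# rewrote to "<removed>" are skipped. Exit status 0 if anything was printed.
leaked_secret_lines() {
    grep -E -i \
        -e '^[[:space:]]*snmp-(server|agent) community' \
        -e 'password (7|0|simple) ' \
        -e '^[[:space:]]*(tacacs-server|radius-server) key' \
        -e '^[[:space:]]*key (authentication|authorization|accounting) simple ' \
    | grep -v -F '<removed>'
}

# Number of offending lines in the config read from stdin (0 means clean).
count_leaked_secrets() {
    leaked_secret_lines | wc -l | tr -d ' '
}

# Walk every group's configs/ directory under BASEDIR, print "file: line"
# for each hit, and finish with the total count on a line of its own.
scan_rancid_tree() {
    _base=${1:-/var/lib/rancid}
    _total=0
    for _f in "$_base"/*/configs/*; do
        [ -f "$_f" ] || continue
        _n=$(count_leaked_secrets < "$_f")
        if [ "$_n" -gt 0 ]; then
            leaked_secret_lines < "$_f" | sed "s|^|$_f: |"
            _total=$((_total + _n))
        fi
    done
    echo "$_total"
}

# Constructed samples (not real rancid output): one line already rewritten
# with the "<removed>" marker next to lines that still carry secrets.
SAMPLE_CISCO='hostname sw1
enable secret 5 <removed>
username rancid privilege 15 password 7 094F471A1A0A
snmp-server community public RO
tacacs-server key <removed>
'
SAMPLE_H3C='#
 sysname sw3
snmp-agent community read public
local-user rancid
 password simple Rancid123
'
```

Run it as the rancid user after each collection, or from the same cron job as rancid-run, and treat any non-zero total as an incident: set NOCOMMSTR=YES and a stricter FILTER_PWDS in rancid.conf, then remember that a secret already committed stays in the `,v` files under /var/lib/rancid/CVS until the repository history is cleaned, and rotate it on the device.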

Installing and configuring CVSWeb

Install CVSWeb:

# aptitude install cvsweb

Back up the CVSWeb configuration:

# cp /etc/cvsweb/cvsweb.conf /etc/cvsweb/cvsweb.conf.original

Edit the CVSWeb configuration:

# vim /etc/cvsweb/cvsweb.conf
#                                                                  -*- perl -*-
# Configuration of cvsweb.cgi, a web interface to CVS repositories.
#
# (c) 1998-1999 H. Zeller    <zeller@think.de>
#     1999      H. Nordstrom <hno@hem.passagen.se>
#     2000-2002 A. MUSHA     <knu@FreeBSD.org>
#     2002-2005 V. Skyttä    <scop@FreeBSD.org>
#          based on work by Bill Fenner  <fenner@FreeBSD.org>
#
# $FreeBSD: projects/cvsweb/cvsweb.conf,v 1.97 2005/06/19 09:13:50 scop Exp $
# $Id: cvsweb.conf,v 1.29 2001/07/23 09:14:52 hzeller Exp $
# $Idaemons: /home/cvs/cvsweb/cvsweb.conf,v 1.27 2001/08/01 09:48:39 knu Exp $
#

#
# Unless otherwise noted, all boolean parameters here default to off
# when no value for them has been explicitly set.
#

# Set the path for the following commands:
#   cvs, rlog, rcsdiff
#   gzip (if you enable $allow_compress)
#   (g)tar, zip (if you enable $allow_tar)
#   cvsgraph (if you enable $allow_graph)
#   enscript (if you enable $allow_enscript)
#
@command_path = qw(/bin /usr/bin /usr/local/bin);

# Search the above directories for each command (prefer gtar over tar).
#
for (qw(cvs rlog rcsdiff gzip gtar zip cvsgraph enscript)) {
        $CMD{$_} = search_path($_);
}
$CMD{tar}   = delete($CMD{gtar}) if $CMD{gtar};
$CMD{tar} ||= search_path('tar');

# CVS roots
#
# CVSweb can handle several CVS repositories at once.  Enter short (internal)
# symbolic repository names, their names in the UI and the actual locations
# here.  The repositories will be listed in the order they're specified here.
#
# Obviously, CVSweb will need read access to these repository dirs.  If you
# receive an error that no valid CVS roots were found, double-check the file
# permissions and any other attributes your system may have for the repository
# directories, such as SELinux file contexts.
#
# CVSweb will also load per-cvsroot configuration files if they exist.
# The symbolic_name (see below) of the CVS root will be concatenated into the
# name of the main (this) configuration file along with a hyphen, and that
# file will be loaded for that particular CVS root.  For examples, see
# cvsweb.conf-* in the CVSweb distribution.
#
# Note that only local repositories are currently supported.  Things like
# :pserver:someone@xyz.com:/data/cvsroot won't work.
#
# 'symbolic_name' => ['Name to display',  '/path/to/cvsroot']
#
@CVSrepositories = (
#       'local'   => ['Local Repository', '/var/lib/cvs'],
#       'freebsd' => ['FreeBSD',          '/var/ncvs'],
#       'openbsd' => ['OpenBSD',          '/var/ncvs'],
#       'netbsd'  => ['NetBSD',           '/var/ncvs'],
#       'ruby'    => ['Ruby',             '/var/anoncvs/ruby'],
        'Rancid'     => ['My Network Devices', '/var/lib/rancid/CVS'],
);

# The default CVS root.  Note that @CVSrepositories is list, not a hash,
# so you'll want to use 2 * 0-based-index-number here; or set this directly
# to the default's symbolic name. Unless specified, the first valid one in
# @CVSrepositories is used as the default.
#
# For example:
#
#$cvstreedefault = $CVSrepositories[2 * 0];
#$cvstreedefault = 'local';

# Mirror sites.  The keys will be used as link texts, and the values are
# URLs pointing to the corresponding mirrors.
#
#%MIRRORS = (
#     'Other location'  => 'http://192.168.0.1/cgi-bin/cvsweb.cgi/',
#     'Yet another one' => 'http://192.168.0.2/cgi-bin/cvsweb.cgi/',
#);

# Bug tracking system linking options ("PR" means Problem Report, as in GNATS)
# This will be done only for views for which $allow_*_extra below is true.
#
#@prcategories = qw(
#    advocacy
#    alpha
#    bin
#    conf
#    docs
#    gnu
#    i386
#    kern
#    misc
#    pending
#    ports
#    sparc
#);
#$prcgi = "http://www.FreeBSD.org/cgi/query-pr.cgi?pr=%s";
#$prkeyword = "PR";

# Manual gateway linking.  This will be done only for views for which
# $allow_*_extra below is true.
#
$mancgi =
    "http://www.FreeBSD.org/cgi/man.cgi?apropos=0&sektion=%s&query=%s&manpath=FreeBSD+5.0-current&format=html";

# Defaults for user definable options.
#
%DEFAULTVALUE = (

    # sortby: File sort order
    #   file   Sort by filename
    #   rev    Sort by revision number
    #   date   Sort by commit date
    #   author Sort by author
    #   log    Sort by log message
    "sortby" => "file",

    # ignorecase: Ignore case in sorts (filenames, authors, log messages)
    #   0      Honor case
    #   1      Ignore case
    "ignorecase" => "0",

    # hideattic: Hide or show files in Attic
    #   1      Hide files in Attic
    #   0      Show files in Attic
    "hideattic" => "1",

    # logsort: Sort order for CVS logs
    #   date   Sort revisions by date
    #   rev    Sort revision by revision number
    #   cvs    Don't sort them. Same order as CVS/RCS shows them.
    "logsort" => "date",

    # f: Default diff format
    #   h      Human readable
    #   u      Unified diff
    #   c      Context diff
    #   s      Side by side
    #   uc     Unified diff, enscript colored (falls back to "u" w/o enscript)
    #   cc     Context diff, enscript colored (falls back to "c" w/o enscript)
    #   sc     Side by side, enscript colored (falls back to "s" w/o enscript)
    "f" => "u",

    # hidecvsroot: Don't show the CVSROOT directory.  Note that this is
    # just the default for a user settable option (like others in this
    # %DEFAULTVALUE hash); it won't really prevent access to CVSROOT.
    # See @ForbiddenFiles for that.
    #   1      Do not include the top-level CVSROOT directory in dir listings
    #   0      Treat the top-level CVSROOT directory just like all other dirs
    "hidecvsroot" => "0",

    # hidenonreadable: Don't show files and directories that cannot be read
    # in directory listings.
    #   1      Hide non-readable entries
    #   0      Show non-readable entries
    "hidenonreadable" => "1",

    # ln: Show line numbers in HTMLized views
    #   1      Show line numbers
    #   0      Don't show line numbers
    "ln" => "0",
);

#
# Layout options (see also the included CSS file)
#

# Wanna have a logo on the page ?
#
#$logo = '<p><img src="/icons/apache_pb.gif" alt="Powered by Apache" /></p>';

# The title of the Page on startup.  This will be put inside <h1> and <title>
# tags, and HTML escaped.
#
$defaulttitle = "My Network CVS Repository";

# The address is shown on the footer.  This will be put inside a <address> tag.
#
$address = '<span style="font-size: smaller">My Network CVS <<a href="mailto:network-cvs@home.local">network-cvs@home.local</a>></span>';

$long_intro = <<EOT;
<p>CVS repository archiving the configurations of the active devices
on my network.
</p>
EOT

$short_instruction = <<EOT;
<p>
Click on a directory to enter that directory. Click on a file to display
its revision history and to get a chance to display diffs between revisions.
</p>
EOT

# Icons for the web UI.  If ICON-URL is empty, the TEXT representation is
# used.  If you do not want to have a tool tip for an icon, set TEXT empty.
# The width and height of the icon allow the browser to correctly display
# the table while still loading the icons.  If these icons are too large,
# check out the "mini" versions in the icons/ directory; they have a
# width/height of 16/16.
#
my $iconsdir = '/cvsweb/icons';

# format:          TEXT       ICON-URL                  width height
%ICONS = (
     back    => [('[BACK]',   "$iconsdir/back.gif",      20,   22)],
     dir     => [('[DIR]',    "$iconsdir/dir.gif",       20,   22)],
     file    => [('[TXT]',    "$iconsdir/text.gif",      20,   22)],
     binfile => [('[BIN]',    "$iconsdir/binary.gif",    20,   22)],
     graph   => [('[GRAPH]',  "$iconsdir/minigraph.png", 16,   16)],
);
undef $iconsdir;

# An URL where to find the CSS.
#
$cssurl = '/cvsweb/css/cvsweb.css';

# The length to which the last log entry should be truncated when shown
# in the directory view.
#
$shortLogLen = 80;

# Show author of last change?
#
$show_author = 0; # Off for Debian for security by obscurity

# Cell padding for directory table.
#
$tablepadding = 2;

# Regular expressions for files and directories which should be hidden.
# Each regexp is compared against a path relative to a CVS root, after
# stripping the trailing ",v" if present.  Matching files and directories
# are not displayed.
#
@ForbiddenFiles = (
    qr|^CVSROOT/+passwd$|o, # CVSROOT/passwd should not be 'cvs add'ed though.
    qr|/\.cvspass$|o,       # Ditto.  Just in case.
   #qr|^my/+secret/+dir|o,
);

# Use CVSROOT/descriptions for describing the directories/modules?
# See INSTALL, section 9.
#
$use_descriptions = 0;

#
# Human readable diff.
#
# (c) 1998 H. Zeller <zeller@think.de>
#
# Generates two columns of color encoded diff; much like xdiff or GNU Emacs'
# ediff-mode.
#
# The diff-stuff is a piece of code I once made for cvs2html which is under
# GPL, see http://www.sslug.dk/cvs2html
# (c) 1997/98 Peter Toft <pto@sslug.imm.dtu.dk>

# Make lines breakable so that the columns do not exceed the width of the
# browser?
#
$hr_breakable = 1;

# Print function names in diffs (unified and context only).
# See the -p option in the diff(1) man page.
#
$showfunc = 1;

# For each pair of regexps, files that match the first regexp will be diff'ed
# with an -F option using the second regexp (unified and context only).
# See the -F option in the diff(1) man page.
#
%funcline_regexp = (
    qr/\.(?:4th|fr)$/o => "\\(^\\|[ \t]\\): ",
    qr/\.rb$/o         => "^[\t ]*\\(class\\|module\\|def\\) ",
);

# Ignore whitespace in human readable diffs? ('-w' option to diff)
#
$hr_ignwhite = 0;

# Ignore diffs which are caused by keyword substitution, $Id and friends?
# ('-kk' option to rcsdiff)
#
$hr_ignkeysubst = 1;

# The width of the textinput of the "request diff" form.
#
$inputTextSize = 12;

# Custom per MIME type diff tools, used for comparing binary files such as
# spreadsheets, images etc.  Each key is a MIME type in lowercase.
# Each value is an array ref of available diff tools for that type, each of
# which is a hash ref with values (mandatory where default not listed):
#   name: the name to show in the UI for this diff type
#   cmd:  full path to executable
#   args: arguments as an array ref (not string!, defaults to no arguments)
#   type: output MIME type (defaults to text/plain)
#
%DIFF_COMMANDS = (
  #'text/xml' => [
  #  { name => 'XMLdiff',
  #    cmd  => $CMD{xmldiff},
  #  },
  #  { name => 'XMLdiff (XUpdate)',
  #    cmd  => $CMD{xmldiff},
  #    args => [ qw(-x) ],
  #    type => 'text/xml',
  #  },
  #],
);

#
# Mime types
#

# The MIME type lookup works like this:
# 1) Look up from %MTYPES below with the file name extension (suffix).
# 2) If not found, use the MIME::Types(3) module if it's available.
# 3) If not found, lookup from the $mime_types file (see below).
# 4) If not found, try %MTYPES{'*'}.
# 5) If not found, use 'application/octet-stream' if the file's keyword
#    substitution mode is b (ie. the file was checked in as binary to CVS),
#    'text/plain' otherwise.

# Quick MIME type lookup; maps filename extensions to MIME types.
# Add common mappings here for fast lookup.  You can also use this
# to override MIME::Types(3) or the $mime_types file (see below).
#
%MTYPES = (
        "html"  => "text/html",
        "shtml" => "text/html",
        "gif"   => "image/gif",
        "jpeg"  => "image/jpeg",
        "jpg"   => "image/jpeg",
        "png"   => "image/png",
        "xpm"   => "image/xpm",
#       "*"     => "text/plain",
);

# The traditional mime.types file, eg. the one from Apache is fine.
# See above where this gets used.
#
$mime_types = '/etc/mime.types';

# Charset appended to the Content-Type HTTP header for text/* MIME types.
# Note that the web server may default to some charset which may take effect
# if you leave this parameter empty or unset.
# For Apache, see also the AddDefaultCharset directive.
#
$charset = '';

# e.g.
#$charset = $where =~ m,/ru[/_-], ? 'koi8-r'
#  : $where =~ m,/zh[/_-], ? 'big5'
#  : $where =~ m,/ja[/_-], ? 'x-euc-jp'
#  : $where =~ m,/ko[/_-], ? 'x-euc-kr'
#  : 'iso-8859-1';

# Output filter
#
$output_filter = '';

# e.g.
## unify/convert Japanese code into EUC-JP
#$output_filter= '/usr/local/bin/nkf -e';

##############
# Misc
##############

# Allow annotation of files?  See also @annotate_options below.
#
$allow_annotate = 1;

# Allow HTMLized versions of files?
#
$allow_markup = 1;

# Allow CVSweb to create mailto: links from email addresses in various
# HTMLized views?  Default: yes.
#
#$allow_mailtos = 0;

## Extra hyperlinking means hyperlinks to bug tracking systems and manual page
## gateways, see $prcgi and $mancgi and related options above.

# Allow extra hyperlinking (such as PR cross-references) in logs?
# Default: yes.
#
#$allow_log_extra = 0;

# Allow extra hyperlinking in directory views?
#
$allow_dir_extra = 1;

# Allow extra hyperlinking in source code/formatted diff views?
#
$allow_source_extra = 1;

# Allow compression with gzip in general?  Note that this also requires
# that the browser supports it, and will be disabled on the fly when necessary.
#
#$allow_compress = 1;

# Use JavaScript in the UI?
#
$use_java_script = 1;

# Show a form for setting options in the directory view?
#
$edit_option_form = 1;

# Show last changelog message for subdirectories?
# The current implementation makes many assumptions and may show the
# incorrect file at some times. The main assumption is that the last
# modified file has the newest filedate. But some CVS operations
# touch the file even when a new version isn't checked in, and TAG
# based browsing essentially puts this out of order unless the last
# checkin was on the same tag as you are viewing.
# Enable this if you like the feature, but don't rely on correct results.
#
#$show_subdir_lastmod = 1;

# Show CVS log when viewing file contents?
#
$show_log_in_markup = 1;

# Preformat when viewing file contents?  This should be turned off
# when you have files in the repository that are in a multibyte
# encoding which uses HTML special characters ([<>&"]) as part of a
# multibyte character. (such as iso-2022-jp, ShiftJIS, etc.)
# Otherwise those files will get screwed up in markup.
#
# Note: enscript(1) highlighting is preferred over the built-in preformatting,
# ie. this has no effect if $allow_enscript is true and enscript can highlight
# the file.
#
#$preformat_in_markup = 1;

# Default tab width used to expand tabs to spaces in various HTMLized views.
# Note that CVSweb scans the first few lines of sources for some common editor
# directives controlling the tab width.  It uses the value from them if found,
# falling back to the value of $tabstop if not.  Default: 8.
#
#$tabstop = 4;

# If you wish to display absolute times in your local timezone,
# then define @mytz and fill in the strings for your standard and
# daylight time. Note that you must also make sure the system
# timezone is correctly set.
#
#@mytz=("EST", "EDT");

# CVSweb is friendly to caches by sending the HTTP Last-Modified
# header corresponding to the sent content.  In the case of a
# checkout, this may require running rcslog on the file solely for the
# purpose of retrieving the timestamp to be sent.  If you have a slow
# server, you may want to turn this off for a small performance gain.
#
$use_moddate = 1;

# Maximum number of filenames to pass to rlog(1) in one command.
# If you see "Failed to spawn GNU rlog" errors with directories containing
# lots of files, experiment by setting this to different values and see if
# the error still occurs.  A good value to start from would be eg. 200.
# Just comment this out if you're not bitten by the problem.
#
#$file_list_len = 200;

# Allow graphical representations of file revisions and branches with CvsGraph?
#
$allow_cvsgraph = $CMD{cvsgraph} ? 1 : 0;

# Path to the CvsGraph configuration file.  Only used if $allow_cvsgraph
# is true.  Leave this empty or comment it out to make cvsgraph(1) use its
# default configuration file.  Note that CVSweb will override some of the
# settings in the configuration file with command line options, see
# doGraph() and doGraphView() in cvsweb.cgi for details.
#
#$cvsgraph_config = "/etc/cvsgraph.conf";

# URL to the CVSHistory script.  This should be absolute (but does not need
# to include the host and port if the script is on the same server as
# CVSweb).
#$cvshistory_url = "/cgi-bin/cvshistory.cgi";

# Whether to allow downloading a tarball or a zip of the current directory.
# While downloading of the entire repository is disallowed, depending on
# the directory this may take a lot of time and disk space.  For some CVS
# versions, the user account running CVSweb needs write access to
# CVSROOT/val-tags.  See also the tar, gzip and zip options below.
#
#$allow_tar = (($CMD{tar} && $CMD{gzip}) || $CMD{zip}) ? 1 : 0;

# Options to pass to tar(1).
# For example: @tar_options = qw(--ignore-failed-read);
# GNU tar has some useful options against unexpected errors.
# Other useful options include "--owner=0" and "--group=0", see
# the tar(1) (or gtar(1)) manpage for details.
#
@tar_options = qw();

# Options to pass to gzip(1) when compressing a tarball to download.
# For example: @gzip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@gzip_options = qw();

# Options to pass to zip(1) when compressing a zip archive to download.
# For example: @zip_options = qw(-3);
# Try lower compression level than 6 (default) if you want faster
# compression, or higher for better compression.
#
@zip_options = qw(-q);

# Options to pass to cvs(1).
# For cvs versions 1.11 to 1.11.6 (broken in < 1.11, removed in 1.11.7), you
# can use the '-l' option to prevent cvs from writing to the history file.
# For other cvs versions, either suppress history logging by using the
# LogHistory parameter in CVSROOT/config or make sure that the CVSweb user
# can read and write to CVSROOT/history.
# FreeBSD's and OpenBSD's cvs(1) has long since supported -R (read only access
# mode) option, which considerably speeds up checkouts over NFS.  For other
# platforms, the -R option and the CVSREADONLYFS environment variable are
# available in cvs >= 1.12.1.  A similar effect is provided by -u on NetBSD.
#
@cvs_options = qw(-f);
push @cvs_options, '-R' if ($^O eq 'freebsd' || $^O eq 'openbsd');
push @cvs_options, '-u' if ($^O eq 'netbsd');
# Only affects cvs >= 1.12.1, but doesn't hurt older ones.
$ENV{CVSREADONLYFS} = 1 unless exists($ENV{CVSREADONLYFS});

# Options to pass to the 'cvs annotate' command, usually the normal
# @cvs_options are good enough here.
# To make annotate work against a read only repository, add -n, ie.:
# @annotate_options = (@cvs_options, '-n');
#
@annotate_options = @cvs_options;

# Options to pass to rcsdiff(1).
# Probably the only useful one here is -q (suppress diagnostic output).
#
@rcsdiff_options = qw(-q);

# Enables syntax highlighting using GNU Enscript if set.
# You will need GNU Enscript version 1.6.3 or newer for this to work.
#
#$allow_enscript = $CMD{enscript} ? 1 : 0;

# Options to pass to enscript(1).
# Do not set the -q, --language, -o or --highlight options here.
# Most useful styles are probably emacs, emacs_verbose and msvc.
#
@enscript_options = qw(--style=emacs --color=1);

# Enscript highlight rule to filename regex mappings.  The set of useful
# mappings depends on what highlight rules the system has installed.
#
%enscript_types =
  (
   'ada'          => qr/\.ad(s|b|a)$/o,
   'asm'          => qr/\.[Ss]$/o,
   'awk'          => qr/\.awk$/o,
   'bash'         => qr/\.(bash(_profile|rc)|inputrc)$/o,
   'c'            => qr/\.(c|h)$/o,
   'changelog'    => qr/^changelog$/io,
   'cpp'          => qr/\.(c\+\+|C|H|cpp|cc|cxx)$/o,
   'csh'          => qr/\.(csh(rc)?|log(in|out)|history)$/o,
   'elisp'        => qr/\.e(l|macs)$/o,
   'fortran'      => qr/\.[fF]$/o,
   'haskell'      => qr/\.(l?h|l?g)s$/o,
   'html'         => qr/\.x?html?$/o,
   'idl'          => qr/\.idl$/o,
   'inf'          => qr/\.inf$/io,
   'java'         => qr/\.java$/o,
   'javascript'   => qr/\.(js|pac)$/o,
   'ksh'          => qr/\.ksh$/o,
   'm4'           => qr/\.m4$/o,
   'makefile'     => qr/(GNU)?[Mm]akefile(?!\.PL\b)|\.(ma?ke?|am)$/o,
   'matlab'       => qr/\.m$/o,
   'nroff'        => qr/\.man$/o,
   'pascal'       => qr/\.p(as|p)?$/io,
   'perl'         => qr/\.p(m|(er)?l)$/io,
   'postscript'   => qr/\.e?ps$/io,
   'python'       => qr/\.py$/o,
   'rfc'          => qr/\b((rfc|draft)\..*\.txt)$/o,
   'scheme'       => qr/\.(scm|scheme)$/o,
   'sh'           => qr/\.sh$/o,
   'skill'        => qr/\.il$/o,
   'sql'          => qr/\.sql$/o,
   'states'       => qr/\.st$/o,
   'synopsys'     => qr/\.s(cr|yn(th)?)$/o,
   'tcl'          => qr/\.tcl$/o,
   'tcsh'         => qr/\.tcshrc$/o,
   'tex'          => qr/\.tex$/o,
   'vba'          => qr/\.vba$/o,
   'verilog'      => qr/\.(v|vh)$/o,
   'vhdl'         => qr/\.vhdl?$/o,
   'vrml'         => qr/\.wrl$/o,
   'wmlscript'    => qr/\.wmls(cript)?$/o,
   'zsh'          => qr/\.(zsh(env|rc)|z(profile|log(in|out)))$/o,
  );

# Troubleshooting: in case of problems, setting this to 1 will cause more
# error output into your web server error log.  Under normal operation,
# this should be set to 0 or commented out.
#
#$DEBUG = 1;

# Enable this to let CVSweb load extra configuration files from the "conf.d"
# subdirectory of the directory this file is located in.  This enables site
# specific configuration without having to modify this "master" configuration
# file (except for enabling this functionality below :)
#
if (0) {
  my $confdir = catdir(dirname(__FILE__), 'conf.d');
  if (opendir(CONFD, $confdir)) {
    my @files = sort(map(catfile($confdir, $_), readdir(CONFD)));
    close(CONFD);
    for my $conffile (grep(-f && -r _, @files)) {
      ($conffile) = ($conffile =~ /(.+\.conf)$/) or next;
      do "$conffile" or config_error($conffile, $@);
    }
  }
}

1;

# EOF

Create the directory for the Apache VHost cvs.home.local:

# mkdir /var/www/cvs.home.local/

Create a directory for the SSL keys and certificates used by Apache:

# mkdir /etc/apache2/ssl/

Put the key and certificates in place (the key must be readable by root only):

  • ca.crt
  • wildcard.home.local.crt
  • wildcard.home.local.key

Create the Apache VHost configuration for cvs.home.local. The admin account named by Require user admin must exist in /etc/apache2/passwd (created with htpasswd); that file is not shown on this page:

# vim /etc/apache2/sites-available/cvs.home.local
<VirtualHost *:80>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                # Send every plain-HTTP request to the HTTPS VHost
                RewriteRule     ^(.*)$  https://%{SERVER_NAME}$1 [R=301,L]
        </IfModule>

</VirtualHost>

<VirtualHost *:443>
        ServerAdmin webmaster@home.local
        ServerName cvs.home.local

        DocumentRoot /var/www/cvs.home.local/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Location />
                # The network ACL and the HTTP Basic authentication both have
                # to pass (Apache's default is "Satisfy all"); the credentials
                # only travel over TLS thanks to the redirect on port 80.
                Order deny,allow
                Deny from all
                Allow from 10.20.30.0/24

                AuthUserFile /etc/apache2/passwd
                AuthName "!HOME! Restricted Access !HOME!"
                AuthType Basic
                Require user admin

                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                #RedirectMatch ^/$ /apache2-default/
        </Location>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        Alias /cvsweb /usr/share/cvsweb

        <IfModule mod_rewrite.c>
                RewriteEngine   On
                RewriteRule     ^/$    /cgi-bin/cvsweb  [R]
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/cvs.home.local-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/cvs.home.local-access.log combined
        ServerSignature Off

        <IfModule mod_ssl.c>
                SSLEngine on
                SSLCertificateFile /etc/apache2/ssl/wildcard.home.local.crt
                SSLCertificateKeyFile /etc/apache2/ssl/wildcard.home.local.key
                SSLCACertificateFile /etc/apache2/ssl/ca.crt
        </IfModule>
</VirtualHost>

Enable the required Apache modules:

# a2enmod rewrite ssl cgi

Enable the Apache VHost cvs.home.local:

# a2ensite cvs.home.local

Reload Apache2:

# /etc/init.d/apache2 reload

Automating the backups

Add a cron job on both cluster nodes (only the node holding the ClusterFS resource actually runs the backup):

# vim /etc/crontab
# Backup of the active devices on my network
# (/etc/crontab runs under /bin/sh: "&>" is not valid there and $HOSTNAME is not set in cron's environment,
#  so the original check always passed; the portable forms below are used instead)
30 19 * * *     root    ( crm_resource --resource ClusterFS --locate | grep -q "$(hostname)" ) && ( ! ps -e | grep -q rancid-run ) && sudo -u rancid /var/lib/rancid/bin/rancid-run > /dev/null 2>&1
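A cluster-aware wrapper for that cron job, as an added example (not the page's own script): it runs rancid-run only on the node that currently holds the ClusterFS resource and uses flock(1) instead of a ps | grep test, so a long run cannot overlap the next one. The crm_resource output format and the paths /var/lib/rancid/bin/rancid-run, /var/run/rancid-run.lock and /usr/local/sbin/rancid-cluster-run are assumptions.

```shell
#!/bin/sh
# Cluster-aware replacement for the rancid-run cron one-liner (added example).
# Assumed paths: rancid-run under /var/lib/rancid/bin, lock file under /var/run.
RESOURCE=ClusterFS
RANCID_RUN=/var/lib/rancid/bin/rancid-run
LOCKFILE=/var/run/rancid-run.lock

# holds_resource LOCATE_OUTPUT RESOURCE HOSTNAME
# "crm_resource --resource ClusterFS --locate" prints lines of the form
#   resource ClusterFS is running on: node1
# (assumed Pacemaker output format; a "Master" suffix may follow the host).
# Succeeds only when a line names HOSTNAME exactly as the 6th field, so that a
# plain substring grep cannot mistake node10 for node1.
holds_resource() {
    printf '%s\n' "$1" | awk -v res="$2" -v host="$3" '
        $1 == "resource" && $2 == res && $5 == "on:" && $6 == host { found = 1 }
        END { exit found ? 0 : 1 }'
}

# run_backup: exit quietly on the passive node; on the active node take the
# lock (non-blocking) and run rancid-run as the rancid service account.
run_backup() {
    located=$(crm_resource --resource "$RESOURCE" --locate 2>/dev/null) ||
        { logger -t rancid-cluster-run "cannot locate resource $RESOURCE"; return 1; }
    holds_resource "$located" "$RESOURCE" "$(hostname)" || return 0
    # flock -n fails at once if a previous rancid-run still holds the lock,
    # instead of starting a second collector on the same CVS tree.
    flock -n "$LOCKFILE" sudo -u rancid "$RANCID_RUN"
}

# Cron entry for both nodes, replacing the one-liner above:
#   30 19 * * *   root   /usr/local/sbin/rancid-cluster-run
# The backup only runs when the script is executed under that name, so the
# functions above can also be sourced for testing.
if [ "${0##*/}" = rancid-cluster-run ]; then
    run_backup
fi
```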

Centralised authentication with tac_plus on GNU/Linux Debian

Prerequisites

Create the GNETWORK group in the Active Directory directory.

Both servers must be members of the HOME domain.

Installation and configuration

Install TACACS+:

# aptitude update && aptitude install tacacs+

Back up the TACACS+ configuration file:

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus.conf.original

Edit the TACACS+ configuration file (the first command empties it):

# > /etc/tacacs+/tac_plus.conf
# vim /etc/tacacs+/tac_plus.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 15
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization, scripting authorization.
# See the man page for those features.

Create a TACACS+ configuration file for Nortel:

# cp /etc/tacacs+/tac_plus.conf /etc/tacacs+/tac_plus_nortel.conf

Edit the TACACS+ configuration file for Nortel (same layout, but a lower privilege level and its own accounting file):

# vim /etc/tacacs+/tac_plus_nortel.conf
# Created by Henry-Nicolas Tourneur(henry.nicolas@tourneur.be)
# See man(5) tac_plus.conf for more details

# Define where to log accounting data, this is the default.

accounting file = /var/log/tac_plus_nortel.acct

# This is the key that clients have to use to access Tacacs+

key = "abcdefgh"

# Groups

group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = 6
                idletime = 10
        }
}

# Users

user = test1 {
        member = admins
}

user = test2 {
        member = admins
}

# Many more features are available, like ACLs, more service compatibilities,
# command authorization, scripting authorization.
# See the man page for those features.

Edit the TACACS+ default options file:

# vim /etc/default/tacacs+
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus.conf -d16"

Create a TACACS+ default options file for Nortel:

# cp /etc/default/tacacs+ /etc/default/tacacs+_nortel

Edit the TACACS+ default options file for Nortel (the second instance listens on TCP/4949 and logs to its own file):

# vim /etc/default/tacacs+_nortel
# This is the configuration file for /etc/init.d/tacacs+
# You can overwrite default arguments passed to the daemon here.
# See man(8) tac_plus


DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949 -d16 -l /var/log/tac_plus_nortel.log"

Create an init script for the Nortel TACACS+ server and make it executable:

# cp /etc/init.d/tacacs_plus /etc/init.d/tacacs_plus_nortel && chmod +x /etc/init.d/tacacs_plus_nortel

Modify the init script for the Nortel TACACS+ server:

# vim /etc/init.d/tacacs_plus_nortel
#!/bin/sh
### BEGIN INIT INFO
# Provides:          tacacs+_nortel
# Required-Start:    $network $local_fs $syslog $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Should-Start:      $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: TACACS+ authentication daemon for Nortel
### END INIT INFO

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

DAEMON=/usr/sbin/tac_plus
NAME="tacacs+_nortel"
DESC="TACACS+ authentication daemon for Nortel"
LOGDIR=/var/log/
STARTTIME=1
DIETIME=10      # seconds given to the daemon to exit; force_stop and restart use it (left undefined, "sleep "$DIETIME"s" would fail)

PIDFILE="/var/run/tac_plus.pid.4949"

test -x $DAEMON || exit 0

. /lib/lsb/init-functions

# Default options, these can be overridden by the information
# at /etc/default/$NAME
DAEMON_OPTS="-C /etc/tacacs+/tac_plus_nortel.conf -p 4949"          # Additional options given to the server


LOGFILE=$LOGDIR/tac_plus_nortel.log  # Server logfile

# Include defaults if available
if [ -f /etc/default/$NAME ] ; then
        . /etc/default/$NAME
fi

# Check that the user exists (if we set a user)
# Does the user exist?
if [ -n "$DAEMONUSER" ] ; then
    if getent passwd | grep -q "^$DAEMONUSER:"; then
        # Obtain the uid and gid
        DAEMONUID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $3}'`
        DAEMONGID=`getent passwd |grep "^$DAEMONUSER:" | awk -F : '{print $4}'`
    else
        log_failure_msg "The user $DAEMONUSER, required to run $NAME does not exist."
        exit 1
    fi
fi


set -e

running_pid() {
# Check if a given process pid's cmdline matches a given name
    pid=$1
    name=$2
    [ -z "$pid" ] && return 1
    [ ! -d /proc/$pid ] &&  return 1
    cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
    # Is this the expected server
    [ "$cmd" != "$name" ] &&  return 1
    return 0
}

running() {
# Check if the process is running looking at /proc
# (works for all users)

    # No pidfile, probably no daemon present
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE`
    running_pid $pid $DAEMON || return 1
    return 0
}

start_server() {
# Start the process using the wrapper
        start-stop-daemon --start --quiet --pidfile $PIDFILE \
               --exec $DAEMON -- $DAEMON_OPTS
        errcode=$?
        return $errcode
}

stop_server() {
# Stop the process using the wrapper
        if [ -z "$DAEMONUSER" ] ; then
            killproc -p $PIDFILE $DAEMON
            errcode=$?
        else
# if we are using a daemonuser then look for process that match
            start-stop-daemon --stop --quiet --pidfile $PIDFILE \
                        --user $DAEMONUSER \
                        --exec $DAEMON
            errcode=$?
        fi

        return $errcode
}

reload_server() {
    [ ! -f "$PIDFILE" ] && return 1
    pid=`cat $PIDFILE` # This is the daemon's pid
    # Send a SIGHUP
    kill -1 $pid
    return $?
}

force_stop() {
# Force the process to die killing it manually
        [ ! -e "$PIDFILE" ] && return
        if running ; then
                kill -15 $pid
        # Is it really dead?
                sleep "$DIETIME"s
                if running ; then
                        kill -9 $pid
                        sleep "$DIETIME"s
                        if running ; then
                                echo "Cannot kill $NAME (pid=$pid)!"
                                exit 1
                        fi
                fi
        fi
        rm -f $PIDFILE
}


case "$1" in
  start)
        log_daemon_msg "Starting $DESC " "$NAME"
        # Check if it's running first
        if running ;  then
            log_progress_msg "apparently already running"
            log_end_msg 0
            exit 0
        fi
        if start_server ; then
            # NOTE: Some servers might die some time after they start,
            # this code will detect this issue if STARTTIME is set
            # to a reasonable value
            [ -n "$STARTTIME" ] && sleep $STARTTIME # Wait some time
            if  running ;  then
                # It's ok, the server started and is running
                log_end_msg 0
            else
                # It is not running after we did start
                log_end_msg 1
            fi
        else
            # Either we could not start it
            log_end_msg 1
        fi
        ;;
  stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        if running ; then
            # Only stop the server if we see it running
            errcode=0
            stop_server || errcode=$?
            log_end_msg $errcode
        else
            # If it's not running don't do anything
            log_progress_msg "apparently not running"
            log_end_msg 0
            exit 0
        fi
        ;;
  force-stop)
        # First try to stop gracefully the program
        $0 stop
        if running; then
            # If it's still running try to kill it more forcefully
            log_daemon_msg "Stopping (force) $DESC" "$NAME"
            errcode=0
            force_stop || errcode=$?
            log_end_msg $errcode
        fi
        ;;
  restart|force-reload)
        log_daemon_msg "Restarting $DESC" "$NAME"
        errcode=0
        stop_server || errcode=$?
        # Wait some sensible amount, some server need this
        [ -n "$DIETIME" ] && sleep $DIETIME
        start_server || errcode=$?
        [ -n "$STARTTIME" ] && sleep $STARTTIME
        running || errcode=$?
        log_end_msg $errcode
        ;;
  status)

        log_daemon_msg "Checking status of $DESC" "$NAME"
        if running ;  then
            log_progress_msg "running"
            log_end_msg 0
        else
            log_progress_msg "apparently not running"
            log_end_msg 1
            exit 1
        fi
        ;;
  # Use this if the daemon cannot reload
  reload)
        log_daemon_msg "Reloading $DESC configuration files" "$NAME"
        if reload_server ; then
                if running ; then
                        log_end_msg 0
                else
                        log_progress_msg "$NAME not running"
                        log_end_msg 1
                fi
        else
                log_progress_msg "Reload failed"
                log_end_msg 1
        fi
        ;;
  *)
        N=/etc/init.d/$NAME
        echo "Usage: $N {start|stop|force-stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0

Enable the init script for the Nortel TACACS+ server:

# insserv tacacs_plus_nortel

Restart the TACACS+ server:

# /etc/init.d/tacacs_plus restart

Start the TACACS+ server for Nortel:

# /etc/init.d/tacacs_plus_nortel start
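Before pointing devices at the two instances, it is worth checking that their configurations match the design above. The following POSIX shell audit is an added example (not part of the original page nor of the tac_plus package): it parses the tac_plus.conf layout used here and verifies that the Nortel instance grants no more privilege than the main one, that both groups authenticate through PAM, and that the shared secret is not a short placeholder. The group name admins and the 16-character threshold are assumptions; the sample configurations are constructed inline.

```shell
# tacplus_value FILE GROUP SETTING: value of SETTING inside "group = GROUP {...}"
# (nested service block included); with GROUP empty, a top-level setting such
# as "key". Comments are stripped and brace depth tracked, so the same setting
# in another block (another group, a user) is not picked up.
tacplus_value() {
    awk -v grp="$2" -v key="$3" '
        { sub(/(^|[ \t])#.*/, "") }
        $1 == "group" && $2 == "=" { in_grp = ($3 == grp) }
        (grp == "" ? depth == 0 : in_grp) && $1 == key && $2 == "=" {
            gsub(/"/, "", $3); print $3; exit }
        { depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
          if (depth == 0) in_grp = 0 }
    ' "$1"
}

# tacplus_audit MAIN_CONF NORTEL_CONF: checks the two-instance design above.
# The Nortel instance (port 4949) must not grant more privilege than the main
# one, both must authenticate through PAM (the AD-joined host), and the shared
# secret must not stay a short placeholder. Prints findings; returns 1 if any.
tacplus_audit() {
    rc=0
    main_lvl=$(tacplus_value "$1" admins priv-lvl)
    nortel_lvl=$(tacplus_value "$2" admins priv-lvl)
    [ "${nortel_lvl:-0}" -le "${main_lvl:-0}" ] ||
        { echo "Nortel priv-lvl $nortel_lvl exceeds main priv-lvl $main_lvl"; rc=1; }
    for f in "$1" "$2"; do
        [ "$(tacplus_value "$f" admins login)" = PAM ] ||
            { echo "$f: group admins does not use login = PAM"; rc=1; }
        k=$(tacplus_value "$f" "" key)
        [ "${#k}" -ge 16 ] || { echo "$f: shared secret shorter than 16 chars"; rc=1; }
    done
    return $rc
}

# sample_conf PRIV_LVL KEY: constructed tac_plus.conf in the page's layout
# (not the live /etc/tacacs+ files), used to exercise the checks offline.
sample_conf() {
    cat <<EOF
key = "$2"
group = admins {
        default service = permit
        login = PAM
        service = exec {
                priv-lvl = $1
        }
}
user = test1 {
        member = admins
}
EOF
}
```

Running tacplus_audit on the page's two files (priv-lvl 15 and 6, key "abcdefgh") reports only the short secret; replace the key and the audit passes.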

Device configuration

3Com 5500G-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 key accounting abcdefgh
 user-name-format without-domain
#
domain mytac
 scheme hwtacacs-scheme mytac local
 access-limit enable 10
#
 domain default enable mytac
#

H3C S5500-52C-EI

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

3Com 4210G 48-Port

#
hwtacacs scheme mytac
 primary authentication 10.20.30.1
 secondary authentication 10.20.30.2
 primary authorization 10.20.30.1
 secondary authorization 10.20.30.2
 primary accounting 10.20.30.1
 secondary accounting 10.20.30.2
 key authentication abcdefgh
 key authorization abcdefgh
 user-name-format without-domain
#
domain mytac
 authentication login hwtacacs-scheme mytac local
 authorization login hwtacacs-scheme mytac local
 access-limit enable 10
 state active
 idle-cut disable
 self-service-url disable
#
 domain default enable mytac
#

Cisco WS-CBS3020-HPQ

!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
tacacs-server host 10.20.30.1 timeout 5
tacacs-server host 10.20.30.2 timeout 5
tacacs-server directed-request
tacacs-server key abcdefgh
!

Nortel Application Switch 2208 E

Note: a dedicated TACACS+ server instance listens on TCP/4949 for the Nortel devices (their privilege levels differ from the other devices).

Note: the notacacs user, with the password of the local admin account, must be used if the TACACS+ server is unavailable.

/cfg/sys/tacacs
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
secbd e
on
apply

HP ProLiant BL p-Class C-GbE2 Interconnect Switch

Note: a dedicated TACACS+ server instance listens on TCP/4949 for the Nortel devices (their privilege levels differ from the other devices).

Note: the notacacs user, with the password of the local admin account, must be used if the TACACS+ server is unavailable.

/cfg/sys/tacacs+
port 4949
prisrv 10.20.30.1
secsrv 10.20.30.2
secret
secret2
telnet e
on
apply