Last modified: Dec. 24, 2012
Contents
1 - Summary
2 - Dependencies
3 - RANCID installation
4 - Service configuration
5 - Website frontend
6 - Service check
1 - Summary
This guide will show you how to install rancid in FreeBSD. RANCID is used to
monitor configurations for devices like routers, firewalls and switches and
uses CVS or Subversion to keep history of the changes. This has been tested in
FreeBSD 9.0 i386/amd64.
2 - Dependencies
Install the apache package. Apache is a web server that will host the web pages
that display the server data.
# sudo pkg_add -r apache22
Password:
Find where the apache daemon was installed to.
# pkg_info -L apache-2.2.* | grep sbin
/usr/local/sbin/ab
/usr/local/sbin/apachectl
/usr/local/sbin/apxs
/usr/local/sbin/checkgid
/usr/local/sbin/dbmmanage
/usr/local/sbin/envvars
/usr/local/sbin/htcacheclean
/usr/local/sbin/htdbm
/usr/local/sbin/htdigest
/usr/local/sbin/htpasswd
/usr/local/sbin/httpd
/usr/local/sbin/httxt2dbm
/usr/local/sbin/logresolve
/usr/local/sbin/rotatelogs
/usr/local/sbin/split-logfile
Find the options for the apache service.
# pkg_info -L apache-2.2.* | grep rc.d
/usr/local/etc/rc.d/apache22
/usr/local/etc/rc.d/htcacheclean
# grep -e 'bool\|str' /usr/local/etc/rc.d/apache22
# apache22_enable (bool): Set to "NO" by default.
# apache22_profiles (str): Set to "" by default.
# apache22limits_enable (bool):Set to "NO" by default.
# apache22_flags (str): Set to "" by default.
# apache22limits_args (str): Default to "-e -C daemon"
# apache22_http_accept_enable (bool): Set to "NO" by default.
# apache22_fib (str): Set an altered default network view for apache
Edit /etc/rc.conf.local so that the apache service will start when the system
starts up. Somewhere in the file add the following.
apache22_enable="YES"
# sudo vi /etc/rc.conf.local
Password:
Find where the configuration file should be put.
# grep httpd.conf /usr/local/etc/rc.d/apache22
required_files=/usr/local/etc/apache22/httpd.conf
# strings /usr/local/sbin/httpd | grep httpd.conf
-D SERVER_CONFIG_FILE="etc/apache22/httpd.conf"
etc/apache22/httpd.conf
directive in your httpd.conf file to list a non-root
You will need to modify the original configuration file. Add the following. In
this example, I set the websites to be stored in an alernate directory. By the
way, there is already a group named it which includes an account for the web
developers.
Listen 0.0.0.0:80
ServerName server.test.com
DocumentRoot "/data/websites/test/server"
<Directory "/data/websites/test/server">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ErrorLog syslog
LogLevel warn
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" commonvhost
CustomLog "|/usr/bin/logger -t httpd" commonvhost
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
ServerName server.test.com
Redirect / https://server.test.com/
</VirtualHost>
<VirtualHost *:443>
ServerName server.test.com
ServerAdmin root@localhost
DocumentRoot /data/websites/test/server
</VirtualHost>
# pkg_info -L apache-2.2.* | grep httpd.conf
/usr/local/share/examples/apache22/httpd.conf
# sudo cp /usr/local/etc/apache22/httpd.conf /usr/local/etc/apache22/httpd.conf.example
Password:
# sudo vi /usr/local/etc/apache22/httpd.conf
Password:
# sudo mkdir -p /data/websites/test/server
Password:
# sudo mkdir -p /data/logs/httpd
Password:
# sudo chown -R root:it /data/logs/httpd/
Password:
# sudo chmod -R 755 /data/logs/httpd/
Password:
Copy in the SSL certificate files. Create the configuration file to have the
following for SSL.
Listen 0.0.0.0:443 http
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/var/run/ssl_mutex"
<VirtualHost _default_:443>
ErrorLog syslog
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl/domain.cer"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/domain.key.alt"
SSLCertificateChainFile "/usr/local/etc/apache22/ssl/domain.crt"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "|/usr/bin/logger -t httpd" commonvhost
</VirtualHost>
# sudo mkdir /usr/local/etc/apache22/ssl
Password:
# grep ^Include /usr/local/etc/apache22/httpd.conf
Include etc/apache22/Includes/*.conf
# sudo vi /usr/local/etc/apache22/Includes/ssl.conf
Password:
Configure syslog appropriately.
Install the dependencies need to install the rancid package.
# sudo pkg_add -r portupgrade
Password:
# sudo portsnap fetch extract
Password:
There is an entry in /usr/ports/UPDATING regarding pcre.
# vi /usr/ports/UPDATING
# sudo portupgrade devel/pcre
Password:
# sudo pkg_add -r subversion
Password:
There is an entry in /usr/ports/UPDATING regarding pkg-config.
# vi /usr/ports/UPDATING
# sudo portupgrade -fo devel/pkgconf pkg-config-\*
Password:
3 - RANCID installation
Install the rancid package.
# sudo pkg_add -r rancid
Password:
# sudo portupgrade -fo devel/pkgconf pkg-config-\*
Password:
4 - Service configuration
Find where the configuration file should be put.
# pkg_info -L rancid-* | grep rancid.conf
/usr/local/man/man5/rancid.conf.5.gz
/usr/local/etc/rancid/rancid.conf.sample
/usr/local/share/rancid/rancid.conf.sample
You will need to modify the original configuration file. Have the following.
SVN will be used instead of CVS.
BASEDIR=/data/monitoring/rancid; export BASEDIR
CVSROOT=$BASEDIR/svn; export CVSROOT
FILTER_PWDS=YES; export FILTER_PWDS
LIST_OF_GROUPS="devices"
LOGDIR=/data/logs/rancid; export LOGDIR
NOCOMMSTR=YES; export NOCOMMSTR
OLDTIME=2; export OLDTIME
PAR_COUNT=15; export PAR_COUNT
PATH=/usr/local/libexec/rancid:/usr/bin:/usr/local/bin:/usr/sbin:\
/usr/local/sbin:/bin:/sbin; export PATH
RCSSYS=svn; export RCSSYS
TERM=network;export TERM
TMPDIR=/tmp; export TMPDIR
umask 027
# sudo cp /usr/local/etc/rancid/rancid.conf.sample /usr/local/etc/rancid/rancid.conf
Password:
# sudo cp /usr/local/etc/rancid/rancid.conf /usr/local/etc/rancid/rancid.conf.example
Password:
# sudo chmod 644 /usr/local/etc/rancid/rancid.conf
Password:
# sudo vi /usr/local/etc/rancid/rancid.conf
Password:
# sudo mkdir /data/monitoring/
Password:
# sudo cp -Rp /usr/local/var/rancid/ /data/monitoring/rancid/
Password:
# sudo mkdir /data/logs/rancid
Password:
# sudo chown -R root:it /data/logs/rancid/
Password:
# sudo chmod -R 777 /data/logs/rancid/
Password:
Create a group named rancid and then a user named rancid.
# sudo pw groupadd rancid
Password:
# sudo pw useradd rancid -c 'Rancid' -d /home/rancid -g rancid -G rancid -m -s /bin/csh
Password:
# sudo passwd rancid
Password:
Set ownership and permissions for the rancid base directory.
# grep ^www /etc/group
www:*:80:
# sudo chown -R rancid:www /data/monitoring/rancid/
Password:
# sudo chmod -R 775 /data/monitoring/rancid/
Password:
Create a symbolic link for clogin.
# pkg_info -L rancid-* | grep libexec | grep clogin
/usr/local/libexec/rancid/clogin
# sudo ln -s /usr/local/libexec/rancid/clogin /usr/local/sbin/clogin
Password:
Switch users and become the rancid user. Create a .cloginrc file. Here are
entries for a Cisco router and a Cisco wireless access point.
# router.test.com
add user router.test.com user
add password router.test.com user_password enable_password
add method router.test.com ssh
# wap.test.com
add user wap.test.com user
add password wap.test.com user_password enable_password
add method wap.test.com ssh
# su - rancid
Password:
# pkg_info -L rancid-* | grep cloginrc
/usr/local/man/man5/cloginrc.5.gz
/usr/local/share/rancid/cloginrc.sample
# cp /usr/local/share/rancid/cloginrc.sample .cloginrc
# chown rancid:rancid .cloginrc
# chmod 600 .cloginrc
# vi .cloginrc
Test trying to log into the two Cisco devices.
# clogin router.test.com
# clogin wap.test.com
Create the directory structure in the rancid directory.
# rancid-cvs
Add the two Cisco devices to the device database.
router.test.com:cisco:up
wap.test.com:cisco:up
# vi /data/monitoring/rancid/devices/router.db
Get the device configurations.
# rancid-run
Look over the log file and exit.
# cat /data/logs/rancid/devices.*
# exit
Create a cronjob for the rancid user to run checks every hour.
# sudo touch /var/cron/allow
Password:
Add the root and rancid users.
root
rancid
# sudo vi /var/cron/allow
Password:
# sudo chmod 400 /var/cron/allow
Password:
# su - rancid
Password:
Add the following job.
0 * * * * /usr/local/bin/rancid-run
# crontab -e
# exit
5 - Website frontend
Install the viewvc package. ViewVC is a website frontend for svn repositories.
# sudo pkg_add -r viewvc
Password:
# sudo portupgrade -fo devel/pkgconf pkg-config-\*
Password:
You will need to modify the original configuration file. Have only the
following.
[general]
svn_roots = devices: /data/monitoring/rancid/svn
default_root = devices
[utilities]
svn = /usr/local/bin/svn
diff = /usr/bin/diff
[options]
root_as_url_component = 0
use_localtime = 1
[templates]
[cvsdb]
[vhosts]
[authz-forbidden]
[authz-forbiddenre]
[authz-svnauthz]
[query
# pkg_info -L viewvc-* | grep viewvc.conf
/usr/local/viewvc/viewvc.conf.dist
# sudo cp /usr/local/viewvc/viewvc.conf /usr/local/viewvc/viewvc.conf.example
Password:
# sudo vi /usr/local/viewvc/viewvc.conf
Password:
Create the following file for rancid for apache.
#
# rancid configuration file for Apache Web server
#
<Directory "/data/websites/test/server">
AuthType Basic
AuthName "Restricted"
AuthUserFile /usr/local/etc/apache22/htaccounts
Require user Administrator
DirectoryIndex viewvc.cgi
AddHandler cgi-script cgi
AllowOverride None
Options ExecCGI Indexes
Order allow,deny
Allow from all
</Directory>
# grep ^Include /usr/local/etc/apache22/httpd.conf
Include etc/apache22/Includes/*.conf
# sudo vi /usr/local/etc/apache22/Includes/rancid.conf
Password:
Create a user account using htpasswd that will be allowed to view the rancid
information.
# pkg_info -L apache-2.2.* | grep bin | grep htpasswd
/usr/local/sbin/htpasswd
# sudo /usr/local/sbin/htpasswd -c -s /usr/local/etc/apache22/htaccounts Administrator
Password:
New password: ********
Re-type new password: ********
Adding password for user Administrator
Copy the viewvc cgi scripts and set ownership and permissions. By the way,
there is already a group named it which includes and account for the web
developers. When apaache was installed a user named www was created.
# pkg_info -L viewvc-* | grep '/cgi'
/usr/local/viewvc/bin/cgi/viewvc.cgi
/usr/local/viewvc/bin/cgi/query.cgi
# sudo cp -Rp /usr/local/viewvc/bin/cgi/ /data/websites/test/server/
Password:
# grep ^www /etc/passwd
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
# sudo chown -R www:it /data/websites/
Password:
# sudo chmod -R 774 /data/websites/
Password:
Before starting the apache service, make sure that tcp ports 80, 443 are open
in case you are running firewall soft. Here are some sample rules.
tcp_services="{ 80, 443 }"
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# sudo cp /etc/pf.conf /etc/pf.conf.example
Password:
# sudo vi /etc/pf.conf
Password:
# sudo pfctl -f -n /etc/pf.conf
Password:
# su - root
Password:
# pfctl -F all && pfctl -f /etc/pf.conf
# logout
Start the apache service.
# sudo /usr/local/etc/rc.d/apache22 start
Password:
Navigate your web browser to https://server.test.com/. You will be prompted for
a username and password. After you login, you can click on devices and then
configs. The two Cisco devices will be listed and will have the configurations.
6 - Service check
Reboot your computer. Log in like normal and check to see that the httpd,
service is running. That's it, now you have rancid running in FreeBSD.
# sudo shutdown -r now
Password:
# sudo /usr/local/etc/rc.d/apache22 status
Password:
apache22 is running as pid 1456.
|
