Managing Cisco configurations with Rancid + Subversion (SVN) (1)
- Install SVN
- Configure SVN
Edit conf/svnserve.conf under /home/svn/cisco so that it reads:
[general]
anon-access = none # no anonymous access
auth-access = write # authenticated users may read and write
[users]
rancid = rancid
- User access over svn+ssh
1. Install OpenSSH. CentOS 5 installs it by default.
$ ssh-keygen -b 1024 -t dsa -N passphrase -f mykey # authentication uses the DSA public-key algorithm; the paired keys make the server safer to operate. passphrase is the key's password and must be changed to one of your own; mykey is the file name.
This produces two files: the private key mykey and the public key mykey.pub.
$ mkdir .ssh
$ cp mykey.pub /home/cisco/.ssh/authorized_keys # copy the public key to .ssh/authorized_keys; the file name must be authorized_keys. The steps above are performed on the server.
Download URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Download it to, for example, E:\Program Files\putty
1) Copy mykey to the Windows client and double-click puttygen to run it.
2) Choose the menu Conversions->Import Key and select the file mykey.
Click the Save private key button and save it as mykey.PPK.
Session->Host Name: IP address
Session->Protocol: SSH
Session->Saved Sessions: MyConnection
SSH->Preferred SSH Protocol version: 2
SSH->Auth->Private Key file for auth: E:\Program Files\putty\mykey.ppk (replace with the actual directory).
Test whether the MyConnection session connects successfully.
1) Right-click and choose TortoiseSVN->RepoBrowser
2) Enter the URL
svn+ssh://svn@MyConnection/home/svn/svnroot
3) You are prompted for the password twice, and every directory you enter prompts for the password twice again.
In PuTTY's MyConnection settings, set Connection->Data->Auto-login username: svn
svn+ssh://MyConnection/home/svn/svnroot
1) Set TortoiseSVN->Settings->Network->SSH client: E:\Program Files\TortoiseSVN\bin\TortoisePlink.exe
2) Run pageant, right-click->Add Key, and add the private key file.
3) svn+ssh://cisco@<svn server>/home/svn/cisco
- Install Rancid
# mkdir /usr/local/rancid/tar
# cd /usr/local/rancid/tar
# wget ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a2.tar.gz
--01:14:26-- ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a2.tar.gz
=> `rancid-2.3.2a2.tar.gz'
…
…
…
100%[==============================>] 280,435 153.28K/s
01:14:58 (152.78 KB/s) - `rancid-2.3.2a2.tar.gz' saved [280,435]
# tar -xvzf rancid-2.3.2a2.tar.gz
rancid-2.3.2a2/bin/Makefile.am
rancid-2.3.2a2/bin/Makefile.in
rancid-2.3.2a2/bin/alogin.in
...
...
...
rancid-2.3.2a2/man/lg.conf.5.in
rancid-2.3.2a2/man/rancid.conf.5.in
rancid-2.3.2a2/man/lg_intro.1.in
3. Enter the extracted directory. It contains a README with very detailed installation instructions, which is worth reading. Here I install to the default path.
# cd rancid-2.3.2a2
[root@test rancid-2.3.2a2]#
[root@test rancid-2.3.2a2]# less README
4. Build the Rancid package. --prefix sets the install path; if --prefix is not given, Rancid is installed to its default path. Our install path is /usr/local/rancid/, which is the home directory of the rancid user.
[root@test rancid-2.3.2a2]# ./configure --prefix=/usr/local/rancid/
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk… gawk
…
…
…
config.status: creating include/config.h
config.status: include/config.h is unchanged
config.status: executing depfiles commands
[root@test rancid-2.3.2a2]#
5. Run the installation
[root@test rancid-2.3.2a2]# make install
Making install in .
gmake[1]: Entering directory `/usr/local/rancid/tar/rancid-2.3.2a2'
gmake[2]: Entering directory `/usr/local/rancid/tar/rancid-2.3.2a2'
gmake[2]: Nothing to be done for `install-exec-am'.
test -z "/usr/local/rancid//share/rancid" || mkdir -p -- "/usr/local/rancid//share/rancid"
…
…
…
/usr/bin/install -c 'downreport' '/usr/local/rancid//share/rancid/downreport'
gmake[2]: Leaving directory `/usr/local/rancid/tar/rancid-2.3.2a2/share’
gmake[1]: Leaving directory `/usr/local/rancid/tar/rancid-2.3.2a2/share’
[root@test rancid-2.3.2a2]#
6. Copy the sample password file cloginrc.sample to /usr/local/rancid/.cloginrc.
[root@test rancid-2.3.2a2]# cp cloginrc.sample /usr/local/rancid/.cloginrc
[root@test rancid-2.3.2a2]#
7. Because the passwords in this file are stored in plaintext, restrict its access permissions for security so that only rancid and members of the netadm group can read it. Also change the ownership and permissions of the rancid directory.
[root@test rancid-2.3.2a2]# chmod 0640 /usr/local/rancid/.cloginrc
[root@test rancid-2.3.2a2]# chown -R rancid:netadm /usr/local/rancid/
[root@test rancid-2.3.2a2]# chmod 770 /usr/local/rancid/
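Step 7 leaves the plaintext device passwords protected only by file permissions, so it is worth re-checking them after every edit. The following shell function is an added example, not code from the original post or from Rancid: it verifies that a .cloginrc has mode 0640 or tighter, the expected owner and group (passed in as arguments), and no leftover `{telnet-password}` / `{enable-password}` placeholders from the sample file. It assumes GNU coreutils stat(1), as on CentOS.

```shell
#!/bin/sh
# Added example (not from the original post or from Rancid): audit a .cloginrc
# for the protection that step 7 above sets up. Assumes GNU coreutils stat(1).
# Usage: check_cloginrc FILE EXPECTED_OWNER EXPECTED_GROUP ; returns 0 if OK.

check_cloginrc() {
    file=$1 owner=$2 group=$3
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    # stat prints "<octal mode> <owner> <group>", e.g. "640 rancid netadm"
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 fowner=$2 fgroup=$3
    rc=0
    # 0640 is what the text sets; anything tighter is also acceptable, but
    # no bits for "other" and no group write, since the passwords are plaintext
    case "$mode" in
        640|600|440|400) ;;
        *) echo "$file: mode $mode, want 0640 or tighter" >&2; rc=1 ;;
    esac
    [ "$fowner" = "$owner" ] || { echo "$file: owner $fowner, want $owner" >&2; rc=1; }
    [ "$fgroup" = "$group" ] || { echo "$file: group $fgroup, want $group" >&2; rc=1; }
    # a placeholder left over from cloginrc.sample means no real password was entered
    if grep -q -e '{telnet-password}' -e '{enable-password}' "$file"; then
        echo "$file: sample placeholders still present" >&2
        rc=1
    fi
    return $rc
}

# stand-alone run against the path and owner/group used in the text
if check_cloginrc /usr/local/rancid/.cloginrc rancid netadm; then
    echo ".cloginrc OK"
else
    echo ".cloginrc needs attention"
fi
```

Run it from the same cron job that calls rancid-run, or from a host-hardening check, so a careless `chmod` or a re-copied sample file is caught before the next collection.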
- Configure Rancid
[root@bigboy rancid-2.3.2a2]# vi /usr/local/rancid/etc/rancid.conf
#
# Sample rancid.conf
#
LIST_OF_GROUPS="Switch"; export LIST_OF_GROUPS # several groups can be created at once here, separated by spaces
FILTER_PWDS=NO; export FILTER_PWDS
NOCOMMSTR=NO; export NOCOMMSTR
2. The following steps must be run as the rancid user.
[root@test rancid-2.3.2a2]# su - rancid
3. Running rancid-cvs automatically creates the directory /usr/local/rancid/var/CVS/Switch and generates the corresponding repository files, device list file and so on. Before running rancid-run, router.db must be edited to specify the device addresses etc.
[rancid@test ~]$ /usr/local/rancid/bin/rancid-cvs
No conflicts created by this import
cvs checkout: Updating Switch
cvs checkout: Updating Switch/configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/Switch/router.db,v
done
Checking in router.db;
/usr/local/rancid//var/CVS/networking/router.db,v <-- router.db
initial revision: 1.1
done
[rancid@test ~]$
4. Configure the router.db file
vi /usr/local/rancid/var/CVS/Switch/router.db
# router.db format: dns-name-or-ip-address:device-type:status; as an example, a switch at 192.168.0.1
192.168.1.1:cisco:up
5. Configure the .cloginrc file
vi /usr/local/rancid/.cloginrc
#
# Sample .cloginrc file
#
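As an added example (not Rancid's own parser), the shell function below reads a router.db in the dns-name-or-ip-address:device-type:status format described above, skips comment and blank lines, prints the devices whose status is exactly `up`, and returns 1 on any line that does not have three fields, so a bad edit is noticed rather than a device silently dropping out of the backup. The sample router.db is constructed here.

```shell
#!/bin/sh
# Added example (not Rancid's own parser): list the devices a router.db would
# have polled, i.e. lines in dns-name-or-ip-address:device-type:status form
# whose status is exactly "up". Comment and blank lines are skipped; any other
# line without exactly three fields is reported and makes the function return 1.

list_up_devices() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment or blank line
        NF != 3 { printf "line %d malformed: %s\n", NR, $0 > "/dev/stderr"; bad = 1; next }
        $3 == "up" { print $1 ":" $2 }         # name:type of each device that would be polled
        END { exit bad + 0 }
    ' "$1"
}

# constructed sample router.db (not a real network)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# dns-name-or-ip-address:device-type:status
192.168.0.1:cisco:up
core-sw1.example.net:cisco:up
192.168.0.2:cisco:down
EOF
list_up_devices "$sample"
rm -f "$sample"
```

Comparing this list against the files that appear under var/CVS/Switch/configs after rancid-run is a quick way to spot a device that was expected but never collected.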
####################################################################
#
# Device 192.168.1.16 has a unique username and password, but
# its logins do not get the enable prompt.
#
# If the device prompts for a username, Rancid will use the Linux
# "rancid" username and the first password in the list. If only a
# login password is requested, rancid uses the first password in the
# list. The second password is the "enable" password.
#
####################################################################
add password 192.168.0.1 {telnet-password} {enable-password}
####################################################################
#
# Devices with DNS names ending in my-web-site.org in the router.db
# file or beginning with 172.16. have a different set of passwords.
#
# If the device prompts for a username, Rancid will use the Linux
# "rancid" username and the first password in the list. If only a
# login password is requested, rancid uses the first password in the
# list. The second password is the "enable" password.
#
####################################################################
add password *.my-web-site.org {telnet-password} {enable-password}
add password 172.16.* {telnet-password} {enable-password}
####################################################################
#
# Everything else uses these passwords. Rancid will attempt to use
# telnet then SSH for logins
#
####################################################################
add password * {telnet-password} {enable-password}
add method * telnet ssh
- Quick test
[rancid@test ~]$ bin/clogin 192.168.0.1
192.168.0.1
spawn telnet 192.168.0.1
Trying 192.168.0.1...
Connected to (192.168.0.1).
Escape character is '^]'.
User Access Verification
Password:
Type help or '?' for a list of available commands.
pixfirewall> enable
Password: ********
pixfirewall#
pixfirewall# exit
Logoff
Connection closed by foreign host.
[rancid@test ~]$
2. Run rancid-run; it and rancid-cvs can be used to test whether the backup succeeds:
[rancid@test ~]$ bin/rancid-run
[rancid@test ~]$ bin/rancid-cvs
Then look for the backup files to check that they were produced.
- Add to crontab so it runs periodically and diffs the backups
[rancid@test ~]$ crontab -e
#
# Rancid user's crontab file
#
# Run config differ hourly
1 * * * * /usr/local/rancid/bin/rancid-run
# Clean out config differ logs
50 23 * * * /usr/bin/find /usr/local/rancid/var/logs -type f -mtime +2 -exec rm {} \;