Install RaNCID With Gitweb on CentOS 8

Welcome to the new “Rescue 404” series. This edition covers the installation and configuration of the “Really Awesome New Cisco config Differ”, more commonly referred to as RaNCID. The package is maintained by Shrubbery Networks and uses CVS, Subversion or Git to keep a history of configuration changes.

Most articles on the web regarding RaNCID are old, geared towards CentOS 7 or earlier or towards Ubuntu, and use fairly dated front-ends, namely CVSweb or ViewVC. As my company is currently standardizing on RHEL 8 and CentOS 8 for all non-Windows services, I needed a more current solution than what was available; this is what I came up with.

I assume that the reader already has a working CentOS 8 installation as well as a basic comfort level of navigating the Linux command line.

Server Preparation

This configuration requires, among other packages, Perl, Git and Postfix. To install the required packages, run the following from the command line:

yum install -y diffutils perl tcl expect git gitweb gcc make postfix wget httpd mod_ssl

Setup a user to run RaNCID:

useradd rancid
passwd rancid

Finally, download, configure and install the RaNCID package. To keep it simple we will install everything under /opt/rancid. Run the following:

wget https://shrubbery.net/pub/rancid/rancid-3.10.tar.gz -P /tmp
tar zxvf /tmp/rancid-3.10.tar.gz -C /tmp/
cd /tmp/rancid-3.10
./configure --prefix=/opt/rancid --localstatedir=/opt/rancid --with-git --host=localhost
make && make install

Assuming all was successful, you now have an unconfigured RaNCID installation that uses Git to capture configuration differences. To begin configuring RaNCID, a file named .cloginrc needs to be created and given restrictive permissions (it will hold device credentials in clear text, so only the rancid user should be able to read it):

touch /opt/rancid/.cloginrc
chown -R rancid:rancid /opt/rancid/
chmod 0600 /opt/rancid/.cloginrc

Application Configuration

The .cloginrc file contains, among other things, the methods and credentials used to connect to your devices, so it will obviously need to be customized for your environment. Here are a few common options (see the cloginrc man page for the full list) that demonstrate RaNCID's customization capabilities:

add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add userprompt HOST1 {.*\r\n.*\r\n.*\r\n.*\r\nHOST1>}
add userprompt HOST2 {.*\r\n.*\r\n.*\r\n.*\r\nHOST2>}
add user * admin
add password HOST1 Password EnablePassword
add password HOST2 Password EnablePassword
add password * Password EnablePassword
add method * ssh

The sample above restricts the SSH ciphers offered to all hosts; configures the output to expect at the user prompt for HOST1 and HOST2; sets the user admin for all devices; configures specific login and enable passwords for HOST1 and HOST2; sets the login and enable passwords for all other devices; and finally sets SSH as the method used to connect to every device. Entries are matched in order and the first match wins, which is why the host-specific lines come before the * wildcards.

RaNCID will manage our Cisco firewalls and switches using an application group named CiscoDevices. Update the configuration file /opt/rancid/etc/rancid.conf; it is documented with comments describing the different options, and for our purposes we need only add the following directive:

LIST_OF_GROUPS="CiscoDevices"

Depending on your needs you can have more than one group; if you do, note that the list is space delimited.

Next, create a symbolic link to .cloginrc in the rancid user's home directory and set the permissions on /opt/rancid and its contents:

ln -s /opt/rancid/.cloginrc /home/rancid/ 
chmod -R 750 /opt/rancid/*
chmod 0600 /opt/rancid/.cloginrc
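Because .cloginrc holds device passwords in clear text, the ownership and mode set above are what keep them from other local users. The script below is an added example (not part of the original article or of RaNCID itself) that audits the file the way a reviewer would before the first rancid-run: it checks that the file is a regular file, owned by the expected user, with no group or world permission bits, and that the symlink in the home directory really points at it. The owner name, the telnet warning and the symlink check are this example's assumptions; the paths in the usage comment are the article's.

```shell
#!/bin/sh
# Added example, not part of the original article or of RaNCID itself:
# audit the .cloginrc credential store before RaNCID uses it. The file
# holds device passwords in clear text, so it must be a regular file
# owned by the rancid user with no group or world permission bits.
# The paths in the usage comments are the article's; the owner name and
# the symlink check are this example's assumptions.

# check_cloginrc FILE OWNER
#   Returns 0 when FILE is a regular file owned by OWNER and mode 0600
#   (or stricter); otherwise prints the reasons to stderr and returns 1.
check_cloginrc() {
    f=$1
    owner=$2
    rc=0
    if [ ! -f "$f" ]; then
        echo "missing or not a regular file: $f" >&2
        return 1
    fi
    # "ls -ld" prints e.g. "-rw-------. 1 rancid rancid ..." (a trailing
    # "." or "+" marks an SELinux context or ACL); field 1 is the mode
    # string and field 3 the owner. Works with both GNU and BSD ls.
    mode=$(ls -ld "$f" | awk '{print $1}')
    fowner=$(ls -ld "$f" | awk '{print $3}')
    case "$mode" in
        ????------*) ;;   # characters 5-10 (group and other) must all be "-"
        *) echo "mode $mode on $f is too open, expected 0600" >&2; rc=1 ;;
    esac
    if [ "$fowner" != "$owner" ]; then
        echo "owner of $f is $fowner, expected $owner" >&2
        rc=1
    fi
    # clogin also supports cleartext telnet logins; flag them so the
    # reviewer knows credentials would cross the network unencrypted.
    if grep -q '^add method.*telnet' "$f" 2>/dev/null; then
        echo "warning: $f configures a telnet login method" >&2
    fi
    return $rc
}

# check_cloginrc_link LINK TARGET
#   Returns 0 when LINK is a symbolic link that points at TARGET, which is
#   what the "ln -s" step above leaves in the rancid user's home directory.
check_cloginrc_link() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Usage on the layout from this article (assumed paths):
#   check_cloginrc /opt/rancid/.cloginrc rancid
#   check_cloginrc_link /home/rancid/.cloginrc /opt/rancid/.cloginrc
```

Run it as root after the chmod/chown steps; a non-zero exit means the credential file is readable by someone other than the rancid user or is not where the symlink says it is.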

Run RaNCID to generate the repository. Execute the command as the rancid user created earlier:

su - rancid
/opt/rancid/bin/rancid-cvs

The rancid-cvs script establishes your base repository and creates a file named router.db at /opt/rancid/CiscoDevices/router.db. This file holds the list of devices RaNCID will connect to. Records are semicolon delimited: each entry begins with the device host name (which must be resolvable via DNS or the hosts file), followed by the device type, and ends with a status of either “up” or “down”. For example:

dev-fw1.domain.com;cisco;up
dev-switch1.domain.com;cisco;up
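A record that does not follow the host;type;status layout is silently skipped or misread by RaNCID, and a device left at “down” simply stops being backed up, so router.db is worth validating every time it is edited. The following is an added example (not part of the original article or of RaNCID itself) that checks each record and counts the devices rancid-run will actually try to reach; the three-field layout and the # comment convention are RaNCID's, while the hostname pattern is this example's assumption.

```shell
#!/bin/sh
# Added example, not part of the original article or of RaNCID itself:
# validate a router.db before rancid-run consumes it. A malformed record
# makes RaNCID skip or misclassify a device, and a device marked "down"
# is quietly left out of the backups, so the file is worth checking
# whenever it is edited. The three-field "host;type;status" layout and
# the "#" comment convention are RaNCID's; the hostname pattern is an
# assumption of this example.

# validate_router_db FILE
#   Prints one "LINE: reason" per problem to stderr and returns 1 if any
#   record is malformed, 0 when every non-comment line is host;type;status.
validate_router_db() {
    awk -F';' '
        # blank lines and "#" comments are ignored, as RaNCID ignores them
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
        NF != 3 {
            printf "%d: expected 3 fields, got %d\n", NR, NF > "/dev/stderr"
            bad++; next
        }
        $1 !~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ {
            printf "%d: bad hostname \"%s\"\n", NR, $1 > "/dev/stderr"; bad++
        }
        $2 == "" {
            printf "%d: empty device type\n", NR > "/dev/stderr"; bad++
        }
        $3 != "up" && $3 != "down" {
            printf "%d: status must be up or down, got \"%s\"\n", NR, $3 > "/dev/stderr"
            bad++
        }
        $3 == "down" {
            printf "%d: note: %s is down and will not be collected\n", NR, $1 > "/dev/stderr"
        }
        END { exit bad > 0 }
    ' "$1"
}

# count_active_devices FILE
#   Prints the number of three-field records whose status is "up", i.e.
#   the devices rancid-run will actually try to reach.
count_active_devices() {
    awk -F';' '!/^[[:space:]]*#/ && NF == 3 && $3 == "up" { n++ } END { print n + 0 }' "$1"
}

# Usage on the layout from this article (assumed path):
#   validate_router_db /opt/rancid/CiscoDevices/router.db && \
#       echo "$(count_active_devices /opt/rancid/CiscoDevices/router.db) devices active"
```

The “down” note is deliberately informational rather than an error: marking a decommissioned device down is normal, but a device that was marked down by mistake is the kind of silent gap this check is meant to surface.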

To test your connectivity, enter the “rancid” user's command context and try connecting to a device configured above by executing:

su - rancid
/opt/rancid/bin/clogin -f /opt/rancid/.cloginrc dev-fw1.domain.com

If everything has been successful so far you should be connected to the device CLI and can execute commands as if you had manually connected to it via SSH. 

Now that RaNCID can reach your devices, it is time to initialize your Git repository. This creates an empty record for each configured device, which will be populated with its configuration on subsequent runs:

su - rancid
/opt/rancid/bin/rancid-run

RaNCID with GIT is now configured!

Automate With A CRON Job

I doubt you're going to want to constantly connect to your RaNCID instance and run it by hand, so let's automate. Cron is where Linux jobs are scheduled; it is an arcane art form unto itself and beyond the scope of this article, so for a good primer check out this article by Mark Drake from DigitalOcean. Open the crontab as the rancid user:

su - rancid
crontab -e

Add the line below to the crontab to run RaNCID hourly:

1 * * * * /opt/rancid/bin/rancid-run #hourly device dump

Save and exit (for those totally unfamiliar with cron, type :wq and press enter to save the changes and quit crontab).

Notifications

Postfix was installed during the “Server Preparation” phase and will be used to deliver the notifications RaNCID sends to interested users. The first thing to do is to set up a relay host by updating /etc/postfix/main.cf (NOTE: mail server setups and options are numerous and will depend on your specific environment). My email infrastructure allows servers to relay if they are on a trusted subnet, so “relayhost” is the only directive I require:

relayhost = smtp.domain.com

Restart Postfix:

systemctl restart postfix

Now to configure the Postfix aliases RaNCID will use to send email. This is a two-step process: first update the /etc/aliases file, then run the newaliases command to make Postfix aware of the changes. RaNCID sends to two different addresses per group listed in /opt/rancid/etc/rancid.conf: an admin address for error messages and a general address for operational notifications. The admin alias should always be named rancid-admin-GROUPNAME and the general alias rancid-GROUPNAME; as my group name is CiscoDevices, my aliases are rancid-admin-CiscoDevices and rancid-CiscoDevices.

The file itself is colon delimited, with one alias: emailAddress pair per line. Mine looks like:

rancid-admin-CiscoDevices: admin@goldstein-solution-demos.com
rancid-CiscoDevices: rancidAdmins@goldstein-solution-demos.com

After you save the aliases make Postfix aware of the changes by running (make sure to run as root):

newaliases

Front End Setup

For viewability, let's configure Apache. The following commands enable the Apache daemon at boot, add firewall rules allowing inbound HTTP and HTTPS, and make “apache” the rancid user's group:

systemctl enable httpd
systemctl daemon-reload
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
usermod -g apache rancid

Installing “gitweb” during the Server Preparation phase created a file named gitweb.conf at /etc/gitweb.conf. We will use this file to provide our custom settings and site variables to gitweb (any variables edited directly in the gitweb program itself will be overwritten during subsequent upgrades). The only directive required to get us running is $projectroot, so add a line similar to:

our $projectroot = "/opt/rancid/CiscoDevices";

To make it easier to browse, let's make gitweb the root of our site. Update the DocumentRoot directive in /etc/httpd/conf/httpd.conf:

DocumentRoot "/var/www/git"

Now all that is left is to grant the apache group rights and restart the Apache daemon:

chown rancid:apache -R /opt/rancid/
systemctl restart httpd

Securing The System

Now that we have a system that can connect to any Cisco device on our network, we need to configure at least some rudimentary security. At a minimum we want to encrypt the client/server communications with TLS and configure basic front-end authentication. While generating and obtaining an SSL certificate is well beyond the scope of this article, once you have one, upload the certificate to /etc/pki/tls/certs/ and the private key to /etc/pki/tls/private/.

Once your certs are in place we need to make Apache aware of them. Additionally, we will configure the web server to require strong encryption when clients connect. Update /etc/httpd/conf.d/ssl.conf, ensuring that the following directives are uncommented and set correctly (note that in a dev environment you can omit the last two directives of the snippet below, in which case Apache will use a self-signed certificate):

ServerName rancid.domain.com
SSLEngine on
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /etc/pki/tls/certs/SSL_CERT.crt
SSLCertificateKeyFile /etc/pki/tls/private/SSL_DECRYPTED_KEY.key
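The SSLCipherSuite string is handed to OpenSSL unchanged, so the only way to know what it really permits is to expand it with the same library. The script below is an added example (not part of the original article or of Apache) that expands a cipher string with openssl ciphers and checks it for the things a reviewer would object to: anonymous key exchange, NULL encryption, MD5, RC4 and 3DES. The cipher string in the usage comment is the article's; the list of patterns treated as weak is this example's assumption.

```shell
#!/bin/sh
# Added example, not part of the original article or of Apache/RaNCID:
# expand an SSLCipherSuite string and check what it really enables before
# committing it to ssl.conf. mod_ssl passes the string to OpenSSL
# unchanged, so "openssl ciphers" shows exactly the list Apache will
# offer. The spec in the usage comment is the article's; the patterns
# treated as weak below are this example's assumptions.

# list_ciphers SPEC
#   Prints one enabled cipher name per line for the OpenSSL cipher
#   string SPEC (TLS 1.3 suites are listed too on OpenSSL 1.1.1 and later).
list_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# cipher_spec_excludes SPEC PATTERN
#   Returns 0 when no cipher enabled by SPEC matches the extended regex
#   PATTERN; otherwise prints the matching names to stderr and returns 1.
cipher_spec_excludes() {
    hits=$(list_ciphers "$1" | grep -E "$2" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# audit_cipher_spec SPEC
#   Runs the checks a reviewer would want on an SSLCipherSuite value:
#   no anonymous key exchange (ADH/AECDH), no NULL encryption, no MD5,
#   no RC4 and no 3DES. Returns 0 when all pass, 1 otherwise.
audit_cipher_spec() {
    rc=0
    for weak in '^A(EC)?DH-' 'NULL' 'MD5' 'RC4' 'DES-CBC3|3DES'; do
        if ! cipher_spec_excludes "$1" "$weak"; then
            echo "\"$1\" enables ciphers matching $weak" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage with the article's setting:
#   audit_cipher_spec 'HIGH:!aNULL:!MD5' && echo "cipher suite passes"
# Note that on OpenSSL releases before 1.1.0, HIGH still includes 3DES,
# so the audit would fail there until you append ":!3DES".
```

On CentOS 8 (OpenSSL 1.1.1) the article's HIGH:!aNULL:!MD5 passes every check; on an older OpenSSL the 3DES check fails, which is exactly the kind of platform difference this expansion makes visible before the setting goes live.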

For ease of management and organizational purposes, create a new Apache configuration file:

touch /etc/httpd/conf.d/custom.conf

Update the new configuration file to redirect all traffic on port 80 to HTTPS on port 443 by adding the following VirtualHost block:

<VirtualHost *:80>
    ServerAlias rancid.domain.com
    Redirect permanent / https://rancid.domain.com/
</VirtualHost>

We will use the htpasswd command to create and manage credentials for our front-end users. We want the .htpasswd file to be generated in the root of the site we are protecting, in our case /var/www/git. Once the file is created we need to update its permissions so that Apache can read it. Run the following (type the password twice when prompted):

htpasswd -c /var/www/git/.htpasswd rancid-www
chmod 644 /var/www/git/.htpasswd

Because the file sits inside the DocumentRoot, make sure the stock <Files ".ht*"> block in /etc/httpd/conf/httpd.conf that denies access to .ht* files is still in place; otherwise the password hashes could be served to any visitor.

Lastly, we will configure gitweb for basic authentication. Update /etc/httpd/conf.d/gitweb.conf and add the following inside the <Directory /var/www/git> block it already defines:

AllowOverride None
AuthType Basic
AuthName "This Is A Restricted Site"
AuthUserFile /var/www/git/.htpasswd
Require valid-user

One last Apache restart and we should be in business!

systemctl restart httpd
David Goldstein