Wow! CentOS 8 didn’t last long. As you may have heard by now, CentOS will be front-running RHEL from now on and is no longer considered stable or Enterprise-ready by my company, so we are re-standardizing on Ubuntu 20 LTS.
This post is a rehash of the previous “INSTALL RANCID WITH GITWEB ON CENTOS 8” article, configuring the same features for Ubuntu (RaNCID with GIT; CRON scheduling; email notifications; Apache with TLS and basic security). The sequence of the installation steps is a bit different, so if you are not as familiar with Ubuntu as you are with CentOS, pay attention, specifically to the Apache/SSL configuration, which I find to be much more fragmented on Ubuntu.
I assume that the reader already has a working Ubuntu 20 LTS installation as well as a basic comfort level of navigating the Linux command line.
Server Preparation
Among other packages, this configuration requires Perl, Git and Postfix. To install the required packages run the following from the command line:
apt-get install -y diffutils perl tcl expect git gitweb gcc make wget apache2
Set up a user to run RaNCID:
useradd -s /bin/bash -d /home/rancid/ -m -G sudo rancid
passwd rancid
Finally we download, configure and install the RaNCID package. To keep it simple we will use /opt/rancid for the configuration. Run the following:
wget https://shrubbery.net/pub/rancid/rancid-3.10.tar.gz -P /tmp
tar zxvf /tmp/rancid-3.10.tar.gz -C /tmp/
cd /tmp/rancid-3.10
./configure --prefix=/opt/rancid --localstatedir=/opt/rancid --with-git --host=localhost
make && make install
Assuming all was successful you now have an unconfigured RaNCID installation that uses GIT to capture configuration differences. To begin RaNCID’s configuration, a file named .cloginrc needs to be created and given the correct permissions:
touch /opt/rancid/.cloginrc
chown -R rancid:rancid /opt/rancid/
chmod 0600 /opt/rancid/.cloginrc
Application Configuration
The .cloginrc file contains, among other things, the methods and credentials used to connect to your devices; this will obviously need to be customized for your environment. Here are a few common options (you can read the man page here) that demonstrate RaNCID’s customization capabilities:
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add userprompt HOST1 {.*\r\n.*\r\n.*\r\n.*\r\nHOST1>}
add userprompt HOST2 {.*\r\n.*\r\n.*\r\n.*\r\nHOST2>}
add user * admin
add password HOST1 Password EnablePassword
add password HOST2 Password EnablePassword
add password * Password EnablePassword
add method * ssh
The above sample configures specific encryption ciphers for all hosts; configures what output to expect at the user prompt for device HOST1 and device HOST2; adds the user admin for all devices; configures a specific password and enable password for device HOST1 and device HOST2; adds a password and enable password for all other devices; and finally sets SSH as the login method for all devices.
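Because .cloginrc holds live device credentials, two things are worth checking before the first run: which entry actually applies to a given device, and that the file is readable by nobody but its owner. The following is an added example, not code from the post or from RaNCID; it assumes that clogin uses the first “add <directive> <host-pattern> …” line whose glob-style pattern matches the host name, and it works on a constructed .cloginrc (the wildcard password line uses made-up values so the precedence is visible):

```shell
# Added example, not from the original post: look up which .cloginrc entry
# clogin will use for a given device, and check the file's permissions first.
# Assumptions: clogin takes the FIRST "add <directive> <host-pattern> ..." line
# whose glob-style pattern matches the host, and expects .cloginrc to be
# readable by its owner only. The file below is a constructed sample.
CLOGINRC="$(mktemp)"
cat > "$CLOGINRC" <<'EOF'
add cyphertype * aes128-ctr,aes128-cbc,3des-cbc
add userprompt HOST1 {.*\r\n.*\r\n.*\r\n.*\r\nHOST1>}
add user * admin
add password HOST1 Password EnablePassword
add password * OtherPassword OtherEnablePassword
add method * ssh
EOF
chmod 0600 "$CLOGINRC"

# Usage: cloginrc_lookup <file> <directive> <host>
# Prints the value of the first matching line; returns 1 if nothing matches.
cloginrc_lookup() {
    file=$1; directive=$2; host=$3
    while IFS= read -r line; do
        case "$line" in
            "add $directive "*) ;;   # only lines for the directive we want
            *) continue ;;
        esac
        # split "add <directive> <pattern> <value...>"; -r keeps \r\n literal
        read -r kw dir pattern value <<EOF
$line
EOF
        case "$host" in
            $pattern) printf '%s\n' "$value"; return 0 ;;   # unquoted: glob match
        esac
    done < "$file"
    return 1
}

# Returns 0 only when the mode is exactly 0600 (owner read/write, nothing else).
cloginrc_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

cloginrc_lookup "$CLOGINRC" password HOST1   # Password EnablePassword
cloginrc_lookup "$CLOGINRC" password HOST7   # OtherPassword OtherEnablePassword
cloginrc_mode_ok "$CLOGINRC" && echo ".cloginrc permissions ok"
```

Run it against your real file with the rancid user, e.g. cloginrc_lookup /opt/rancid/.cloginrc password dev-fw1.domain.com, to confirm that a host-specific line is not being shadowed by an earlier wildcard.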
RaNCID will manage our Cisco firewalls and switches using an application group named CiscoDevices. Update the configuration file /opt/rancid/etc/rancid.conf. This file is documented with comments describing the different options; for our purposes we need only add the following directives:
LIST_OF_GROUPS="CiscoDevices"
PATH=/opt/rancid/bin:/usr/bin:/usr/local/bin:/usr/sbin; export PATH
Depending on your needs you can have more than one group; if you do, note that the list is space delimited.
Next we create a symbolic link to the .cloginrc in the rancid user’s home directory and configure permissions on /opt/rancid and its contents:
ln -s /opt/rancid/.cloginrc /home/rancid/
chmod -R 750 /opt/rancid/*
chmod 0600 /opt/rancid/.cloginrc
Run RaNCID to generate the repository; you will execute the command in the context of the rancid user created earlier:
su - rancid
/opt/rancid/bin/rancid-cvs
The rancid-cvs script will establish your base repository and generate a file named router.db located at /opt/rancid/CiscoDevices/router.db. This file maintains the list of devices RaNCID will connect to. The records are semicolon delimited, and each entry begins with the device host name (which must be resolvable via DNS or the hosts file), followed by the device type, and ends with either an “up” or “down” status. For example:
dev-fw1.domain.com;cisco;up
dev-switch1.domain.com;cisco;up
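A malformed router.db record fails quietly at run time (the device is simply skipped or mis-typed), so it pays to lint the file before rancid-run reads it. The following validator is an added example, not part of the post or of RaNCID; it enforces the three-field “host;type;status” layout described above, treats anything other than a lowercase up or down as an error, and runs on a constructed sample that deliberately contains three bad records:

```shell
# Added example, not from the original post: check router.db before rancid-run
# consumes it. RaNCID 3.x records are "<host>;<type>;<up|down>"; the older
# colon-delimited form is a common leftover. The sample file is constructed
# and deliberately contains three broken records (lines 5, 6 and 7).
ROUTERDB="$(mktemp)"
cat > "$ROUTERDB" <<'EOF'
dev-fw1.domain.com;cisco;up
dev-switch1.domain.com;cisco;up
# comments and blank lines are ignored

dev-switch2.domain.com;cisco;UP
dev-core1.domain.com:cisco:up
dev fw2.domain.com;cisco;down
EOF

# Usage: validate_routerdb <file>
# Prints "<line>: <problem>" for each bad record; returns 1 if any were found.
validate_routerdb() {
    file=$1; n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        host=${line%%;*}; rest=${line#*;}
        dtype=${rest%%;*}; status=${rest#*;}
        if [ "$rest" = "$line" ] || [ "$status" = "$rest" ]; then
            echo "$n: expected host;type;status (old ':' format?)"; bad=1; continue
        fi
        case "$status" in
            *';'*) echo "$n: more than three fields"; bad=1; continue ;;
            up|down) ;;
            *) echo "$n: status must be 'up' or 'down', got '$status'"; bad=1 ;;
        esac
        [ -n "$dtype" ] || { echo "$n: empty device type"; bad=1; }
        # host name: letters, digits, dots and hyphens only, no empty labels
        case "$host" in
            ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*)
                echo "$n: '$host' is not a valid host name"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

validate_routerdb "$ROUTERDB"   # reports lines 5, 6 and 7, exit status 1
```

Point it at /opt/rancid/CiscoDevices/router.db from the rancid user’s crontab entry ahead of rancid-run if you want a bad edit to stop the hourly job rather than silently drop a device.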
To test your connectivity, enter the “rancid” user’s command context and try connecting to the device configured above by executing:
su - rancid
/opt/rancid/bin/clogin -f /opt/rancid/.cloginrc dev-fw1.domain.com
If everything has been successful so far you should be connected to the device CLI and can execute commands as if you had manually connected to it via SSH.
Now that RaNCID can reach your devices, it’s time to initialize your GIT repository. This will create an empty record for each configured device, which will be populated with their configurations on subsequent runs:
su - rancid
/opt/rancid/bin/rancid-run
Ubuntu requires some SSH tweaking to communicate with my network devices properly, so I needed to update /etc/ssh/ssh_config. Beneath the line “Host *” I add:
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
StrictHostKeyChecking accept-new
Then restart SSH
systemctl restart sshd
RaNCID with GIT is now configured!
Automate With A CRON Job
su - rancid
crontab -e
Add the line below to crontab to schedule RaNCID to execute hourly.
1 * * * * /opt/rancid/bin/rancid-run #hourly device dump
Save and exit (for those totally unfamiliar with vi commands, type :wq and press enter to save the changes and quit crontab).
Notifications
apt-get -y install postfix
When the applet appears:
- select Satellite system
- enter FQDN of the RaNCID server
- enter SMTP relay host
Should you need to make adjustments after the installation, the configuration file is located at /etc/postfix/main.cf (NOTE: email server setup and options are numerous and will depend on your specific environment). My email infrastructure allows servers to relay if they are on a trusted subnet, so “relayhost” will be the only directive I require.
systemctl restart postfix
The aliases file itself (/etc/aliases on a default Ubuntu Postfix install) is colon delimited and ordered as alias: emailAddress. Mine looks like:
rancid-admin-CiscoDevices: admin@goldstein-solution-demos.com
rancid-CiscoDevices: rancidAdmins@goldstein-solution-demos.com
After you save the aliases make Postfix aware of the changes by running (make sure to run as root):
newaliases
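RaNCID addresses its diff mail to rancid-<group> and its error mail to rancid-admin-<group>, so every group in LIST_OF_GROUPS needs both aliases or the notifications for that group disappear into the Postfix queue. The check below is an added example, not the post’s or RaNCID’s own code; it reads the group list out of rancid.conf and compares it with the aliases file, using two constructed sample files (one alias is missing on purpose):

```shell
# Added example, not from the original post: confirm every group in
# LIST_OF_GROUPS has both aliases RaNCID mails to, rancid-<group> for diffs
# and rancid-admin-<group> for errors. Both files below are constructed
# samples; the JuniperDevices group is missing its admin alias on purpose.
RANCID_CONF="$(mktemp)"
cat > "$RANCID_CONF" <<'EOF'
# trimmed rancid.conf
LIST_OF_GROUPS="CiscoDevices JuniperDevices"
PATH=/opt/rancid/bin:/usr/bin:/usr/local/bin:/usr/sbin; export PATH
EOF
ALIASES="$(mktemp)"
cat > "$ALIASES" <<'EOF'
postmaster: root
rancid-admin-CiscoDevices: admin@example.com
rancid-CiscoDevices: rancidAdmins@example.com
rancid-JuniperDevices: rancidAdmins@example.com
EOF

# Pull the quoted, space-delimited group list out of rancid.conf.
rancid_groups() {
    sed -n 's/^LIST_OF_GROUPS="\([^"]*\)".*/\1/p' "$1"
}

# Usage: check_rancid_aliases <rancid.conf> <aliases file>
# Prints each alias that is missing; returns 1 if any group lacks one.
check_rancid_aliases() {
    conf=$1; aliases=$2; missing=0
    for g in $(rancid_groups "$conf"); do
        for name in "rancid-$g" "rancid-admin-$g"; do
            # alias names are matched at the start of a line, before the colon
            if ! grep -q "^$name:" "$aliases"; then
                echo "$name"; missing=1
            fi
        done
    done
    return $missing
}

check_rancid_aliases "$RANCID_CONF" "$ALIASES"   # prints rancid-admin-JuniperDevices
```

On the real system run check_rancid_aliases /opt/rancid/etc/rancid.conf /etc/aliases after every group change and before newaliases.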
Front End Setup
systemctl enable apache2
systemctl daemon-reload
a2enmod ssl
systemctl restart apache2
ufw enable
ufw allow 80/tcp
ufw allow 443/tcp
ufw reload
mkdir /var/www/git
ln -s /etc/apache2/mods-available/cgi.load /etc/apache2/mods-enabled/cgi.load
ln -s /usr/lib/cgi-bin/gitweb.cgi /var/www/git/gitweb.cgi
ln -s /usr/share/gitweb/static/ /var/www/git/static
usermod -g www-data rancid
AllowOverride None
Options +ExecCGI
AddHandler cgi-script .cgi .pl .py
Require all granted
our $projectroot = "/opt/rancid/CiscoDevices";
Time to finalize permissions and restart Apache
chown rancid:www-data -R /opt/rancid/
chown rancid:www-data -R /var/www/
systemctl restart apache2
Securing The System
No system should run without TLS protection, and while the topic of TLS is too broad for this article, this command will get you running with a self-signed certificate (fill in the information you are prompted for):
openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
Copy the default-ssl.conf file to the sites-enabled directory:
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/
Update the new default-ssl.conf configuration file to load gitweb and use the self-signed cert. Update /etc/apache2/conf-available/default-ssl.conf:
DocumentRoot /var/www/git
DirectoryIndex gitweb.cgi
ServerName rancid.FQDN.com
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
ServerAlias rancid.domain.com
Redirect permanent / https://rancid.domain.com/
AllowOverride None
AuthType Basic
AuthName "This Is A Restricted Site"
AuthUserFile /var/www/git/.htpasswd
Require valid-user
Options +ExecCGI
AddHandler cgi-script .cgi .pl .py
htpasswd -c /var/www/git/.htpasswd rancid-www
chmod 644 /var/www/git/.htpasswd
systemctl restart apache2
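With the fragments above spread across several Apache files it is easy to end up with gitweb reachable over plain HTTP, or with the Directory block missing its Require valid-user. The audit below is an added example, not code from the post or from Apache; it assembles the post’s fragments into one constructed virtual host (your default-ssl.conf layout may differ) and checks for TLS, the HTTP-to-HTTPS redirect, basic auth on the gitweb directory, and whether the password file sits under the DocumentRoot. The alternative path /etc/apache2/rancid.htpasswd used for the “fixed” variant is an assumption, not from the post.

```shell
# Added example, not from the original post: audit the gitweb virtual host for
# the protections the post relies on. The config below is a constructed sample
# that stitches the post's fragments together; layouts vary between installs.
VHOST="$(mktemp)"
cat > "$VHOST" <<'EOF'
<VirtualHost *:80>
    ServerName rancid.domain.com
    ServerAlias rancid.domain.com
    Redirect permanent / https://rancid.domain.com/
</VirtualHost>
<VirtualHost _default_:443>
    ServerName rancid.domain.com
    DocumentRoot /var/www/git
    DirectoryIndex gitweb.cgi
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    <Directory /var/www/git>
        AllowOverride None
        AuthType Basic
        AuthName "This Is A Restricted Site"
        AuthUserFile /var/www/git/.htpasswd
        Require valid-user
        Options +ExecCGI
        AddHandler cgi-script .cgi .pl .py
    </Directory>
</VirtualHost>
EOF

# First value of a directive in a file, ignoring leading whitespace.
directive() { sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | head -n 1; }

# Usage: audit_vhost <file>
# Prints one line per finding; returns 1 if there were any.
audit_vhost() {
    f=$1; rc=0
    [ "$(directive SSLEngine "$f")" = "on" ] \
        || { echo "SSLEngine is not on: gitweb would be served in clear text"; rc=1; }
    [ -n "$(directive SSLCertificateKeyFile "$f")" ] \
        || { echo "no SSLCertificateKeyFile: TLS cannot start"; rc=1; }
    grep -q '^[[:space:]]*Require[[:space:]]*valid-user' "$f" \
        || { echo "no 'Require valid-user': anyone reaching the server can browse configs"; rc=1; }
    grep -q '^[[:space:]]*Redirect permanent / https://' "$f" \
        || { echo "no permanent redirect from HTTP to HTTPS"; rc=1; }
    docroot=$(directive DocumentRoot "$f"); userfile=$(directive AuthUserFile "$f")
    if [ -n "$docroot" ] && [ -n "$userfile" ]; then
        case "$userfile" in
            "$docroot"/*)
                echo "AuthUserFile $userfile is inside DocumentRoot $docroot: move it out or keep the default .ht* deny rule in apache2.conf"; rc=1 ;;
        esac
    fi
    return $rc
}

# Same config with the password file moved out of the web root (assumed path).
VHOST_FIXED="$(mktemp)"
sed 's#AuthUserFile /var/www/git/.htpasswd#AuthUserFile /etc/apache2/rancid.htpasswd#' "$VHOST" > "$VHOST_FIXED"

audit_vhost "$VHOST"          # one finding, about the AuthUserFile location
audit_vhost "$VHOST_FIXED"    # no findings, exit status 0
```

The AuthUserFile finding is the one that applies to the layout in this post: Ubuntu’s stock apache2.conf denies access to .ht* files, so the setup works, but the check reminds you that the protection lives in a different file than the one you just edited.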
As a holistic information fiduciary David leverages proven industry standards and best practices that will optimize your processes and systems to maximize performance and minimize complexity. David has managed projects in varying phases of development, be it greenfield builds or forklift moves, backup design and architecture, infrastructure monitoring and alerting, scripting and automation, communications and network infrastructure, policy review and auditing, rack and stacks and virtualization.
He doesn't just get IT, he groks IT.
Very helpful document; it was an easy job going through the document. Do you have something for RANCID & SVN integration?
Email: lalitgupta1977@gmail.com
Hi Lalit,
Not knowing anything about your environment I cannot give any specifics but I did find this link in my notes when I was testing builds and deciding which versioning platform to go with. http://www.systemadvise.com/2016/08/rancid-with-websvn-and-centos-for.html
Let me know what OS you are running as well as web servers and desired front end and I will see if I can be of any further assistance.
Thanks David
I am currently on Ubuntu 20.04 and how I simply cannot get the front end for it to work with your broad instructions. I keep on landing on the default Apache page post SSL implementation.
What does your front end Apache configuration look like? I.e., websvn.conf. Also post the contents of your rancid.conf file, I’m particularly interested in what is assigned to the CVSROOT variable