Packetwatch.net

RANCID in FreeBSD



Last modified: Dec. 24, 2012

Contents
1 - Summary
2 - Dependencies
3 - RANCID installation
4 - Service configuration
5 - Website frontend
6 - Service check


1 - Summary

This guide shows how to install RANCID in FreeBSD. RANCID monitors the
configurations of devices such as routers, firewalls and switches and uses CVS
or Subversion to keep a history of the changes. This has been tested on
FreeBSD 9.0 i386/amd64.


2 - Dependencies

Install the apache package. Apache is a web server that will host the web pages
that display the collected configuration data.
# sudo pkg_add -r apache22
Password:

Find where the apache daemon was installed to.
# pkg_info -L apache-2.2.* | grep sbin
/usr/local/sbin/ab
/usr/local/sbin/apachectl
/usr/local/sbin/apxs
/usr/local/sbin/checkgid
/usr/local/sbin/dbmmanage
/usr/local/sbin/envvars
/usr/local/sbin/htcacheclean
/usr/local/sbin/htdbm
/usr/local/sbin/htdigest
/usr/local/sbin/htpasswd
/usr/local/sbin/httpd
/usr/local/sbin/httxt2dbm
/usr/local/sbin/logresolve
/usr/local/sbin/rotatelogs
/usr/local/sbin/split-logfile

Find the options for the apache service.
# pkg_info -L apache-2.2.* | grep rc.d
/usr/local/etc/rc.d/apache22
/usr/local/etc/rc.d/htcacheclean
# grep -e 'bool\|str' /usr/local/etc/rc.d/apache22
# apache22_enable (bool):      Set to "NO" by default.
# apache22_profiles (str):     Set to "" by default.
# apache22limits_enable (bool):Set to "NO" by default.
# apache22_flags (str):        Set to "" by default.
# apache22limits_args (str):   Default to "-e -C daemon"
# apache22_http_accept_enable (bool): Set to "NO" by default.
# apache22_fib (str):         Set an altered default network view for apache

Edit /etc/rc.conf.local so that the apache service will start when the system
starts up. Somewhere in the file add the following.
  apache22_enable="YES"
# sudo vi /etc/rc.conf.local
Password:

Find where the configuration file should be put.
# grep httpd.conf /usr/local/etc/rc.d/apache22 
required_files=/usr/local/etc/apache22/httpd.conf
# strings /usr/local/sbin/httpd | grep httpd.conf
 -D SERVER_CONFIG_FILE="etc/apache22/httpd.conf"
etc/apache22/httpd.conf
        directive in your httpd.conf file to list a non-root

You will need to modify the original configuration file. Add the following. In
this example, I set the websites to be stored in an alternate directory. By the
way, there is already a group named it that contains the web developers'
accounts.
  Listen 0.0.0.0:80
  ServerName server.test.com
  DocumentRoot "/data/websites/test/server"
  <Directory "/data/websites/test/server">
      Options Indexes FollowSymLinks
      AllowOverride None
      Order allow,deny
      Allow from all
  </Directory>
  ErrorLog syslog
  LogLevel warn
  LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" commonvhost
  CustomLog "|/usr/bin/logger -t httpd" commonvhost
  NameVirtualHost *:80
  NameVirtualHost *:443
  <VirtualHost *:80>
          ServerName server.test.com
          Redirect / https://server.test.com/
  </VirtualHost>
  <VirtualHost *:443>
          ServerName server.test.com
          ServerAdmin root@localhost
          DocumentRoot /data/websites/test/server
  </VirtualHost>
# pkg_info -L apache-2.2.* | grep httpd.conf
/usr/local/share/examples/apache22/httpd.conf
# sudo cp /usr/local/etc/apache22/httpd.conf /usr/local/etc/apache22/httpd.conf.example
Password:
# sudo vi /usr/local/etc/apache22/httpd.conf
Password:
# sudo mkdir -p /data/websites/test/server
Password:
# sudo mkdir -p /data/logs/httpd
Password:
# sudo chown -R root:it /data/logs/httpd/
Password:
# sudo chmod -R 755 /data/logs/httpd/
Password:

Copy in the SSL certificate files. Create the SSL configuration file with the
following.
  Listen 0.0.0.0:443 https
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl
  SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
  SSLSessionCacheTimeout  300
  SSLMutex  "file:/var/run/ssl_mutex"
  <VirtualHost _default_:443>
  ErrorLog syslog
  LogLevel warn
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile "/usr/local/etc/apache22/ssl/domain.cer"
  SSLCertificateKeyFile "/usr/local/etc/apache22/ssl/domain.key.alt"
  SSLCertificateChainFile "/usr/local/etc/apache22/ssl/domain.crt"
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
  </FilesMatch>
  BrowserMatch ".*MSIE.*" \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
  CustomLog "|/usr/bin/logger -t httpd" commonvhost
  </VirtualHost>
# sudo mkdir /usr/local/etc/apache22/ssl
Password:
# grep ^Include /usr/local/etc/apache22/httpd.conf
Include etc/apache22/Includes/*.conf
# sudo vi /usr/local/etc/apache22/Includes/ssl.conf
Password:
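The SSLCipherSuite line above keeps +LOW, +SSLv2, +EXP and +eNULL enabled, which admits export-grade, SSLv2 and null-encryption ciphers, and the private key named by SSLCertificateKeyFile only stays private if nobody but its owner can read it. The script below is an added example written for this page (not part of the guide, RANCID or Apache) that reads an include like the one above and reports both problems. The sample configurations it writes are constructed; the hardened cipher list in the second one is this example's assumption, not a recommendation from the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Apache: review an
# Apache 2.2 SSL include for weak cipher selectors and for a private key
# that is readable beyond its owner.

# Print the value of the first SSLCipherSuite directive in the file $1.
cipher_suite_of() {
    awk '$1 == "SSLCipherSuite" { print $2; exit }' "$1"
}

# Return 0 when no enabled selector of the SSLCipherSuite line in $1 names a
# weak family. A selector starting with "!" is a permanent exclusion and is
# left alone; any other selector mentioning eNULL, aNULL, ADH, EXP, LOW,
# SSLv2, RC4 or DES is reported on stderr.
check_cipher_suite() {
    conf="$1"
    suite=$(cipher_suite_of "$conf")
    if [ -z "$suite" ]; then
        echo "$conf: no SSLCipherSuite directive found" >&2
        return 1
    fi
    weak=0
    old_ifs=$IFS
    IFS=:
    for sel in $suite; do
        case "$sel" in
            '!'*) ;;
            *eNULL*|*aNULL*|*ADH*|*EXP*|*LOW*|*SSLv2*|*RC4*|*DES*)
                echo "$conf: weak cipher selector '$sel' is enabled" >&2
                weak=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$weak"
}

# Return 0 when the file named by SSLCertificateKeyFile in $1 exists and has
# no group or other permission bits (quotes around the path are stripped;
# paths containing spaces are not handled).
check_key_file_mode() {
    conf="$1"
    key=$(awk '$1 == "SSLCertificateKeyFile" { gsub(/"/, "", $2); print $2; exit }' "$conf")
    if [ ! -f "$key" ]; then
        echo "$conf: SSLCertificateKeyFile '$key' not found" >&2
        return 1
    fi
    mode=$(ls -ld "$key" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
        echo "$key: mode $mode, expected -rw------- (chmod 600)" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed files: the first cipher line is the guide's,
# the second is this example's hardened replacement (an assumption, not a
# recommendation from the guide).
demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sslcheck.XXXXXX")
    key="$dir/domain.key.alt"
    : > "$key"
    chmod 600 "$key"
    cat > "$dir/ssl-weak.conf" <<EOF
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateKeyFile "$key"
EOF
    cat > "$dir/ssl-fixed.conf" <<EOF
  SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!3DES:!MD5
  SSLCertificateKeyFile "$key"
EOF
    for f in "$dir/ssl-weak.conf" "$dir/ssl-fixed.conf"; do
        if check_cipher_suite "$f" && check_key_file_mode "$f"; then
            echo "$f: OK"
        else
            echo "$f: needs attention"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run it against /usr/local/etc/apache22/Includes/ssl.conf once the file is in place; the check only looks at the mode bits reported by ls, so it works whether or not the key file is readable by the account running the script.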

Configure syslog so that the httpd messages sent to it by the ErrorLog and
CustomLog lines above are written where you want them.

Install the dependencies needed to install the rancid package.
# sudo pkg_add -r portupgrade
Password:
# sudo portsnap fetch extract
Password:
There is an entry in /usr/ports/UPDATING regarding pcre.
# vi /usr/ports/UPDATING
# sudo portupgrade devel/pcre
Password:
# sudo pkg_add -r subversion
Password:
There is an entry in /usr/ports/UPDATING regarding pkg-config.
# vi /usr/ports/UPDATING
# sudo portupgrade -fo devel/pkgconf pkg-config-\*
Password:


3 - RANCID installation

Install the rancid package.
# sudo pkg_add -r rancid
Password:
# sudo portupgrade -fo devel/pkgconf pkg-config-\*
Password:


4 - Service configuration

Find where the configuration file should be put.
# pkg_info -L rancid-* | grep rancid.conf
/usr/local/man/man5/rancid.conf.5.gz
/usr/local/etc/rancid/rancid.conf.sample
/usr/local/share/rancid/rancid.conf.sample

You will need to modify the original configuration file so that it contains
the following. SVN will be used instead of CVS.
  BASEDIR=/data/monitoring/rancid; export BASEDIR
  CVSROOT=$BASEDIR/svn; export CVSROOT
  FILTER_PWDS=YES; export FILTER_PWDS
  LIST_OF_GROUPS="devices"
  LOGDIR=/data/logs/rancid; export LOGDIR
  NOCOMMSTR=YES; export NOCOMMSTR
  OLDTIME=2; export OLDTIME
  PAR_COUNT=15; export PAR_COUNT
  PATH=/usr/local/libexec/rancid:/usr/bin:/usr/local/bin:/usr/sbin:\
    /usr/local/sbin:/bin:/sbin; export PATH
  RCSSYS=svn; export RCSSYS
  TERM=network;export TERM
  TMPDIR=/tmp; export TMPDIR
  umask 027
# sudo cp /usr/local/etc/rancid/rancid.conf.sample /usr/local/etc/rancid/rancid.conf
Password:
# sudo cp /usr/local/etc/rancid/rancid.conf /usr/local/etc/rancid/rancid.conf.example
Password:
# sudo chmod 644 /usr/local/etc/rancid/rancid.conf
Password:
# sudo vi /usr/local/etc/rancid/rancid.conf
Password:
# sudo mkdir /data/monitoring/
Password:
# sudo cp -Rp /usr/local/var/rancid/ /data/monitoring/rancid/
Password:
# sudo mkdir /data/logs/rancid
Password:
# sudo chown -R root:it /data/logs/rancid/
Password:
# sudo chmod -R 777 /data/logs/rancid/
Password:
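FILTER_PWDS=YES and NOCOMMSTR=YES make RANCID strip passwords and SNMP community strings from each configuration before it is committed, so the SVN repository (and the ViewVC pages set up later in this guide) do not become a second copy of every device credential. The sed filter below is an added illustration of that behaviour written for this page; it is not RANCID's own filter code and covers only a handful of common Cisco IOS lines. The sample configuration and the hashes in it are constructed.

```shell
#!/bin/sh
# Added example, not RANCID's own filter code: a small sed stand-in for what
# FILTER_PWDS=YES and NOCOMMSTR=YES achieve, shown on a constructed Cisco IOS
# config. Secrets are replaced with "<removed>" before anything is committed,
# so the SVN history never carries a usable credential.

# Read a config on stdin, write the filtered config on stdout.
filter_secrets() {
    sed -e 's/^\(enable secret [0-9]\) .*/\1 <removed>/' \
        -e 's/^\(enable password\) .*/\1 <removed>/' \
        -e 's/^\(username .* secret [0-9]\) .*/\1 <removed>/' \
        -e 's/^\(username .* password [0-9]\) .*/\1 <removed>/' \
        -e 's/^\([[:space:]]*password [0-9]\) .*/\1 <removed>/' \
        -e 's/^\(tacacs-server key\) .*/\1 <removed>/' \
        -e 's/^\(radius-server key\) .*/\1 <removed>/' \
        -e 's/^\(snmp-server community\) [^ ]*/\1 <removed>/'
}

# Count how many lines of the filtered output had a secret removed.
count_removed() {
    filter_secrets | grep -c '<removed>'
}

# Constructed sample (not a real device config; the hashes are placeholders).
SAMPLE_CONFIG='hostname router
enable secret 5 $1$abcd$PLACEHOLDERHASH0000000
username admin privilege 15 secret 5 $1$wxyz$PLACEHOLDERHASH1111111
snmp-server community s3cr3tRO RO
snmp-server community s3cr3tRW RW
tacacs-server key 7 0822455D0A16
line vty 0 4
 password 7 094F471A1A0A
 login
end'

printf '%s\n' "$SAMPLE_CONFIG" | filter_secrets
```

The point of the illustration is that the line structure survives (so diffs between runs stay meaningful) while the secret itself is gone; RANCID's real filter handles many more vendors and directives than this.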

Create a group named rancid and then a user named rancid.
# sudo pw groupadd rancid
Password:
# sudo pw useradd rancid -c 'Rancid' -d /home/rancid -g rancid -G rancid -m -s /bin/csh
Password:
# sudo passwd rancid
Password:

Set ownership and permissions for the rancid base directory.
# grep ^www /etc/group
www:*:80:
# sudo chown -R rancid:www /data/monitoring/rancid/
Password:
# sudo chmod -R 775 /data/monitoring/rancid/
Password:

Create a symbolic link for clogin.
# pkg_info -L rancid-* | grep libexec | grep clogin
/usr/local/libexec/rancid/clogin
# sudo ln -s /usr/local/libexec/rancid/clogin /usr/local/sbin/clogin
Password:

Switch users and become the rancid user. Create a .cloginrc file. Here are
entries for a Cisco router and a Cisco wireless access point.
  # router.test.com
  add user router.test.com user
  add password router.test.com user_password enable_password
  add method router.test.com ssh

  # wap.test.com
  add user wap.test.com user
  add password wap.test.com user_password enable_password
  add method wap.test.com ssh
# su - rancid
Password:
# pkg_info -L rancid-* | grep cloginrc
/usr/local/man/man5/cloginrc.5.gz
/usr/local/share/rancid/cloginrc.sample
# cp /usr/local/share/rancid/cloginrc.sample .cloginrc
# chown rancid:rancid .cloginrc
# chmod 600 .cloginrc
# vi .cloginrc

Test logging into the two Cisco devices.
# clogin router.test.com
# clogin wap.test.com

Create the directory structure in the rancid directory.
# rancid-cvs

Add the two Cisco devices to the device database.
  router.test.com:cisco:up
  wap.test.com:cisco:up
# vi /data/monitoring/rancid/devices/router.db

Get the device configurations.
# rancid-run

Look over the log file and exit.
# cat /data/logs/rancid/devices.*
# exit
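Before rancid-run is left to loop over router.db every hour, it is worth checking the two inputs that decide what it does: router.db, where every active line must have the host:type:state form used above with a state of up or down, and .cloginrc, which holds the device passwords and must stay mode 600. The script below is an added example written for this page, not part of RANCID; the paths follow the guide and the sample entries it creates are constructed.

```shell
#!/bin/sh
# Added example, not part of RANCID or the original guide: sanity checks for
# router.db and .cloginrc before the first (or hourly) rancid-run.

# Return 0 if every non-blank, non-comment line of $1 has the form
# host:type:state with all three fields present and state "up" or "down".
# Each problem is reported on stderr with its line number.
validate_router_db() {
    db="$1"
    bad=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # Exactly two colons means exactly three fields.
        colons=$(printf '%s' "$line" | tr -cd ':')
        if [ "${#colons}" -ne 2 ]; then
            echo "$db:$n: expected host:type:state, got '$line'" >&2
            bad=1
            continue
        fi
        host=${line%%:*}
        rest=${line#*:}
        type=${rest%%:*}
        state=${rest#*:}
        if [ -z "$host" ] || [ -z "$type" ]; then
            echo "$db:$n: empty host or device type in '$line'" >&2
            bad=1
        fi
        case "$state" in
            up|down) ;;
            *) echo "$db:$n: state must be up or down, got '$state'" >&2
               bad=1 ;;
        esac
    done < "$db"
    return "$bad"
}

# Return 0 if $1 exists, is owned by the invoking user and carries no group
# or other permission bits (mode 0600, as set with chmod 600 above).
check_cloginrc() {
    rc="$1"
    if [ ! -f "$rc" ]; then
        echo "$rc: missing" >&2
        return 1
    fi
    mode=$(ls -ldn "$rc" | cut -c1-10)
    uid=$(ls -ldn "$rc" | awk '{ print $3 }')
    if [ "$mode" != "-rw-------" ]; then
        echo "$rc: mode is $mode, expected -rw------- (chmod 600)" >&2
        return 1
    fi
    if [ "$uid" != "$(id -u)" ]; then
        echo "$rc: owned by uid $uid, expected uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed files (the two device lines are the guide's).
demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/rancidchk.XXXXXX")
    printf '%s\n' 'router.test.com:cisco:up' 'wap.test.com:cisco:up' > "$dir/router.db"
    : > "$dir/.cloginrc"
    chmod 600 "$dir/.cloginrc"
    validate_router_db "$dir/router.db" && echo "router.db: OK"
    check_cloginrc "$dir/.cloginrc" && echo ".cloginrc: OK"
    rm -rf "$dir"
}

demo
```

As the rancid user, point the two functions at /data/monitoring/rancid/devices/router.db and $HOME/.cloginrc; a non-zero exit from either is a reason to fix the file before the cron job runs.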

Create a cronjob for the rancid user to run checks every hour.
# sudo touch /var/cron/allow
Password:
Add the root and rancid users.
  root
  rancid
# sudo vi /var/cron/allow
Password:
# sudo chmod 400 /var/cron/allow
Password:
# su - rancid
Password:
Add the following job.
  0	*	*	*	*	/usr/local/bin/rancid-run
# crontab -e
# exit


5 - Website frontend

Install the viewvc package. ViewVC is a website frontend for svn repositories.
# sudo pkg_add -r viewvc
Password:
# sudo portupgrade -fo devel/pkgconf pkg-config-\*
Password:

You will need to modify the original configuration file so that it contains
only the following.
  [general]
  svn_roots = devices: /data/monitoring/rancid/svn
  default_root = devices

  [utilities]
  svn = /usr/local/bin/svn
  diff = /usr/bin/diff

  [options]
  root_as_url_component = 0
  use_localtime = 1

  [templates]

  [cvsdb]

  [vhosts]

  [authz-forbidden]

  [authz-forbiddenre]

  [authz-svnauthz]

  [query
# pkg_info -L viewvc-* | grep viewvc.conf
/usr/local/viewvc/viewvc.conf.dist
# sudo cp /usr/local/viewvc/viewvc.conf /usr/local/viewvc/viewvc.conf.example
Password:
# sudo vi /usr/local/viewvc/viewvc.conf
Password:

Create the following Apache configuration file for the RANCID frontend.
  #
  # rancid configuration file for Apache Web server
  #

  <Directory "/data/websites/test/server">
      AuthType Basic
      AuthName "Restricted"
      AuthUserFile /usr/local/etc/apache22/htaccounts
      Require user Administrator
      DirectoryIndex viewvc.cgi
      AddHandler cgi-script cgi
      AllowOverride None
      Options ExecCGI Indexes
      Order allow,deny
      Allow from all
  </Directory>
# grep ^Include /usr/local/etc/apache22/httpd.conf
Include etc/apache22/Includes/*.conf
# sudo vi /usr/local/etc/apache22/Includes/rancid.conf
Password:

Create a user account using htpasswd that will be allowed to view the rancid
information.
# pkg_info -L apache-2.2.* | grep bin | grep htpasswd
/usr/local/sbin/htpasswd
# sudo /usr/local/sbin/htpasswd -c -s /usr/local/etc/apache22/htaccounts Administrator
Password:
New password: ********
Re-type new password: ********
Adding password for user Administrator

Copy the viewvc cgi scripts and set ownership and permissions. By the way,
there is already a group named it that contains the web developers' accounts.
When apache was installed, a user named www was created.
# pkg_info -L viewvc-* | grep '/cgi'
/usr/local/viewvc/bin/cgi/viewvc.cgi
/usr/local/viewvc/bin/cgi/query.cgi
# sudo cp -Rp /usr/local/viewvc/bin/cgi/ /data/websites/test/server/
Password:
# grep ^www /etc/passwd
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
# sudo chown -R www:it /data/websites/
Password:
# sudo chmod -R 774 /data/websites/
Password:

Before starting the apache service, make sure that TCP ports 80 and 443 are
open in case you are running firewall software. Here are some sample pf rules.
  tcp_services="{ 80, 443 }"
  pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# sudo cp /etc/pf.conf /etc/pf.conf.example
Password:
# sudo vi /etc/pf.conf
Password:
# sudo pfctl -f -n /etc/pf.conf
Password:
# su - root
Password:
# pfctl -F all && pfctl -f /etc/pf.conf
# logout

Start the apache service.
# sudo /usr/local/etc/rc.d/apache22 start
Password:

Navigate your web browser to https://server.test.com/. You will be prompted for
a username and password. After you login, you can click on devices and then
configs. The two Cisco devices will be listed and will have the configurations.


6 - Service check

Reboot your computer. Log in as normal and check that the httpd service is
running. That's it; you now have RANCID running in FreeBSD.
# sudo shutdown -r now
Password:
# sudo /usr/local/etc/rc.d/apache22 status
Password:
apache22 is running as pid 1456.


Packetwatch Research 2002-2017.