Monday, December 31, 2012

Using Rancid to backup your configs (Part 2)

In part 1 of this guide, we configured Rancid to back up your router configs.  Now we need to configure an SSL web interface for CVS.

The web interface I am using is ViewVC.  ViewVC is made up of a CGI script and a MySQL database backend.  We'll also need to install RCS and some Python packages.  All of this is done as the root user.

    Download ViewVC and RCS:
    • wget ftp://ftp.cs.purdue.edu/pub/RCS/rcs-5.8.tar.gz
    • wget http://viewvc.tigris.org/files/documents/3330/49243/viewvc-1.1.17.tar.gz
          Download ez_setup to get the Python packages we need.  Create a separate directory to hold the files.
          • mkdir ~/python
          • cd ~/python
          • wget http://peak.telecommunity.com/dist/ez_setup.py
          • python ./ez_setup.py
          • easy_install babel
          • easy_install Genshi
          • easy_install Pygments
          • easy_install docutils
          • easy_install textile
          • easy_install python-mysqldb
          Unpack and install RCS:
          • cd ~
          • tar -zxvf rcs-5.8.tar.gz
          • cd rcs-5.8
          • ./configure
          • make
          • make install  
          Unpack and install ViewVC:
          • cd ~
          • tar -zxvf viewvc-1.1.17.tar.gz
          • cd viewvc-1.1.17
          • ./viewvc-install 
          Edit the ViewVC config file:
          • nano /usr/local/viewvc-1.1.17/viewvc.conf
          • Change the following to look like this, adding any missing options:
          • #cvs_roots = cvs: (Yes, it needs the leading #)
          • root_parents = /usr/local/rancid/var/CVS : cvs
          • rcs_path = /usr/local/bin/
          • address = <a href=mailto:youradmin@yourdomain.com>IT Support</a>
          • use_enscript = 1
          • enscript_path = /usr/bin/
          • use_highlight = 1
          • highlight_path = /usr/bin
          Move the viewvc.cgi file to the right place and set the proper permissions and attributes:
          • cp /usr/local/viewvc-1.1.17/bin/cgi/*.cgi /var/www/cgi-bin
          • chmod +x /var/www/cgi-bin/*.cgi
          • chown apache:apache /var/www/cgi-bin/*.cgi
          Create server key pair to enable ssl on the web server:
          • mkdir /etc/httpd/certificate
          • cd /etc/httpd/certificate
          • Generate the private key, when prompted supply a passphrase of your choosing: openssl genrsa -aes256 -out server.key 2048
          • Generate a certificate request based on the private key you just generated.  Fill in the prompts as appropriate: openssl req -new -key server.key -out server.csr
          • Submit the request to the CA of your choosing.  In my case, I am using a certificate issued by our own Microsoft Enterprise CA.
          • Put the issued certificate in the folder with the private key.  In my case, I called the file server.cer
          • If you leave the passphrase on the private key, you will need to enter it every time the server is rebooted or apache is restarted.  You can remove the passphrase with these commands, entering your passphrase when prompted:
          • cp server.key server.key.org
            openssl rsa -in server.key.org -out server.key
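The key-pair steps above as a script, added here as an example (it is not part of the original post). It does what the steps do, but creates the private key at mode 0600 from the start rather than at the default umask, and adds a check that the certificate the CA returns really belongs to the key before it is referenced from the Apache config. It assumes the passphrase is supplied in the KEY_PASS environment variable, uses the made-up hostname rancid.example.com, and needs openssl on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: the key passphrase is in $KEY_PASS; rancid.example.com is a
# placeholder common name; openssl is on the PATH.

# make_server_key_and_csr DIR CN
#   Creates DIR/server.key.org (passphrase-protected), DIR/server.key
#   (passphrase removed, mode 0600) and DIR/server.csr for common name CN.
make_server_key_and_csr() {
    dir=$1
    cn=$2
    [ -n "${KEY_PASS:-}" ] || { echo "KEY_PASS is not set" >&2; return 2; }
    export KEY_PASS   # openssl reads the passphrase from the environment
    mkdir -p "$dir"
    (
        set -e
        umask 077      # every file created below is 0600: never world-readable
        cd "$dir"
        openssl genrsa -aes256 -passout env:KEY_PASS -out server.key.org 2048 2>/dev/null
        # Strip the passphrase so apache can start unattended, as the post describes.
        openssl rsa -in server.key.org -passin env:KEY_PASS -out server.key 2>/dev/null
        openssl req -new -key server.key -subj "/CN=$cn" -out server.csr 2>/dev/null
    )
}

# key_matches_cert KEY CERT
#   Returns 0 when the RSA modulus in CERT equals the modulus in KEY, i.e. the
#   certificate the CA issued was really made from this key's CSR.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# private_key_mode KEY -> prints the octal permission bits of KEY (expected: 600)
private_key_mode() {
    stat -c %a "$1"
}

# Usage: KEY_PASS='choose-a-passphrase' ./mkcert.sh /etc/httpd/certificate rancid.example.com
case "${1:-}" in
    "") ;;
    *)  make_server_key_and_csr "$1" "${2:-rancid.example.com}" \
          && echo "server.key mode: $(private_key_mode "$1/server.key")" ;;
esac
```

Run key_matches_cert against server.cer once the CA has issued it; a mismatch means the wrong CSR was submitted or the key was regenerated after the request, and apache would refuse to start with that pair.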
          Configure apache and iptables for ViewVC:
          • nano /etc/httpd/conf/httpd.conf
          • Add the following to the config; I added mine at the bottom of the file:
          • NameVirtualHost *:443

            <VirtualHost *:443>
                DocumentRoot /var/www
                ServerName rancid.mydomain.com
                ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
                ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
                ScriptAlias /query /var/www/cgi-bin/query.cgi
                ServerSignature On
                SSLEngine on
                SSLProtocol all -SSLv2
                SSLCertificateFile /etc/httpd/certificate/server.cer
                SSLCertificateKeyFile /etc/httpd/certificate/server.key

                <Directory "/var/www/cgi-bin">
                    AllowOverride None
                    Options None
                    Order allow,deny
                </Directory>
            </VirtualHost>
          • Edit iptables so that incoming connections to apache on port 443 are accepted
          • nano /etc/sysconfig/iptables
          • Add the following line above the rule permitting inbound SSH:
          • -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
          • Restart apache: service httpd restart
          Configure MySQL and create the ViewVC users as well as the ViewVC database.
          • Start MySQL: service mysqld start
          • Set the MySQL root user password, where yourpassword is a password of your choosing: mysqladmin -u root password yourpassword
          • Create a ViewVC user and grant them permissions to create and use a database.
          • mysql -u root -p (enter the password you just set when prompted)
          • CREATE USER 'youruser'@'localhost' IDENTIFIED BY 'yourpassword'; where youruser and yourpassword are of your choosing.  You will need this username and password in a minute.
          • GRANT ALL PRIVILEGES ON *.* TO 'youruser'@'localhost' WITH GRANT OPTION;
          • FLUSH PRIVILEGES;
          • Exit MySQL: quit
          • Now you need to create the database supplying the credentials you just created when prompted. Keep the default database name, ViewVC: /usr/local/viewvc-1.1.17/bin/make-database
          • We need a read-only database user:
          • mysql -u root -p
          • CREATE USER 'youruserRO'@'localhost' IDENTIFIED BY 'yourpassword';
          • GRANT SELECT ON ViewVC.* TO 'youruserRO'@'localhost' WITH GRANT OPTION;
          • FLUSH PRIVILEGES;
          • quit
          • Edit the ViewVC config file to tell it how to access the database:
          • nano /usr/local/viewvc-1.1.17/viewvc.conf
          • Add this to the [cvsdb] section of the config file:
          • enabled = 1
            host = localhost
            port = 3306
            database_name = ViewVC
            user = youruser
            passwd = yourpassword
            readonly_user = youruserRO
            readonly_passwd = yourpassword
            row_limit = 1000 
          • Populate the ViewVC database with the info from CVS, type this all on one line: /usr/local/viewvc-1.1.17/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT
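With the [cvsdb] section filled in, viewvc.conf holds two MySQL passwords in clear text, so it deserves the same care as the private key. The following check script is an added example, not part of the original post or of ViewVC: cvsdb_get reads one option from the [cvsdb] section, and check_cvsdb_conf fails if the file is readable by accounts outside its group, if any of the options above is missing or empty, or if the read-only account is the same account as the read-write one. The option names are the ones from the section above; the file path and values in the usage line are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from ViewVC.
# Only the [cvsdb] option names come from the post; paths and values are made up.

# cvsdb_get FILE KEY -> prints the value of KEY from the [cvsdb] section of FILE
cvsdb_get() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[cvsdb\]/); next } # section header
        insec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_cvsdb_conf FILE -> 0 if the database settings are safe to use, 1 otherwise
check_cvsdb_conf() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    if [ "$(cvsdb_get "$f" enabled)" != "1" ]; then
        echo "$f: cvsdb is not enabled, nothing to check"
        return 0
    fi
    status=0
    # Last digit of the octal mode is the "other" class; any read bit (4)
    # means every local account can read both database passwords.
    mode=$(stat -c %a "$f")
    other=${mode#"${mode%?}"}
    if [ $(( other & 4 )) -ne 0 ]; then
        echo "$f: mode $mode is world-readable; use chmod 640 and chown root:apache"
        status=1
    fi
    for key in host database_name user passwd readonly_user readonly_passwd; do
        if [ -z "$(cvsdb_get "$f" "$key")" ]; then
            echo "$f: [cvsdb] option '$key' is missing or empty"
            status=1
        fi
    done
    # The read-only account must really be a separate account, otherwise every
    # browser query runs with the privileges that make-database needed.
    if [ "$(cvsdb_get "$f" readonly_user)" = "$(cvsdb_get "$f" user)" ]; then
        echo "$f: readonly_user is the same account as user"
        status=1
    fi
    return $status
}

# Usage: check_cvsdb_conf /usr/local/viewvc-1.1.17/viewvc.conf
```

The apache group in the chown suggestion is the one the CGI files were given earlier; the CGI only needs to read the file, and root keeps ownership so the web server cannot rewrite its own credentials.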
          The last step is to ensure that MySQL and apache start when the server boots up.  The following will do just that.
          • chkconfig --levels 2345 mysqld on
            chkconfig --levels 2345 httpd on
            You should now have a working web interface for CVS.  Navigate to https://your-ip-or-hostname/viewvc.  You should see the repository groups specified in part 1 of this guide.  Click a group name to see its configs, and click configs to see the devices we added in part 1.

            Part 3 of this guide will cover configuring email notifications as well as having Rancid poll your devices when a change is made to their configuration.

              7 comments:

              1. Hi Brian. Thanks for this blog - it is a great help to set up rancid. We have run into an issue with viewvc where we get an "OSError: [Errno 13] Permission denied: '/usr/local/rancid/var/CVS'". Have you come across this? Apache is the owner and even tried a chmod 777 but still get the same issue. Have found some other forum posts with people having the same issue, but no solution! Thanks

                Replies
                1. I followed the instructions exactly from parts 1 and 2, and had the same issue. The problem was the permissions on the /usr/local/rancid/ directory. I set that to chmod 775 and fixed the issue:

                  chmod 775 /usr/local/rancid

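The permission problem in this exchange as a check script, added here as an example (it is neither the commenter's nor the post's code). ViewVC runs as the apache user, which must be able to enter every directory on the way down to the CVS root and read the root itself; a chmod 777 on the CVS directory cannot help while /usr/local/rancid is 700, and chmod 775 fixes it because it gives every other account the execute bit on that directory. The script walks the path and reports the first directory that blocks a non-owner account; the group name apache is an assumption about the service account, and the stop directory argument exists so the check can be confined to a tree you control.

```shell
#!/bin/sh
# Added example, not code from the original post or the comment.
# Assumption: the web server runs as a non-root account in group "apache".

# perm_digit MODE POS -> POS=1: owner, 2: group, 3: other digit of an octal MODE
perm_digit() {
    m=$1
    case $2 in
        1) m=${m%??} ;;
        2) m=${m%?} ;;
    esac
    printf '%s\n' "${m#"${m%?}"}"
}

# check_path_traversable TARGET SVC_GROUP [STOP]
#   Walks from TARGET up to STOP (default "/"). Returns 1 at the first directory
#   that an account in SVC_GROUP, which is not the owner and not root, could not
#   enter (x bit), or that is TARGET itself and cannot be listed (r and x bits).
#   Returns 0 when every directory passes.
check_path_traversable() {
    target=$1
    svc_group=$2
    stop=${3:-/}
    dir=$target
    while :; do
        mode=$(stat -c %a "$dir") || return 2
        grp=$(stat -c %G "$dir") || return 2
        if [ "$dir" = "$target" ]; then need=5; else need=1; fi
        bits=$(perm_digit "$mode" 3)               # the "other" class always applies
        if [ "$grp" = "$svc_group" ]; then         # group bits apply only if the group matches
            bits=$(( bits | $(perm_digit "$mode" 2) ))
        fi
        if [ $(( bits & need )) -ne "$need" ]; then
            echo "blocked at $dir (mode $mode, group $grp)"
            return 1
        fi
        [ "$dir" = "$stop" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Usage: check_path_traversable /usr/local/rancid/var/CVS apache
```

Because the script only looks at permission bits, it can be run as root before the first browser request; the line it prints names the directory to fix, which is more useful than the bare Errno 13 the CGI reports.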
                2. Please, I am getting an issue in the browser. It is saying Not Found - The requested URL /viewvc was not found on this server.

                  here are logs
                  [client 192.168.80.15] File does not exist: /var/www/html/viewvc
                  [root@localhost ~]# cat /var/log/httpd/ssl_access_log
                  192.168.80.15 - - [22/Feb/2014:19:07:21 +0100] "GET /viewvc HTTP/1.1" 404 283
                  192.168.80.15 - - [22/Feb/2014:19:18:17 +0100] "GET /query HTTP/1.1" 404 282
                  192.168.80.15 - - [22/Feb/2014:19:18:29 +0100] "GET / HTTP/1.1" 403 5039
                  192.168.80.15 - - [22/Feb/2014:19:23:18 +0100] "GET /viewvc HTTP/1.1" 404 283
                  192.168.80.15 - - [22/Feb/2014:19:34:59 +0100] "GET /viewvc HTTP/1.1" 404 283
                  [root@localhost ~]# cat /var/log/httpd/ssl_error_log
                  [Sat Feb 22 19:07:21 2014] [error] [client 192.168.80.15] File does not exist: /var/www/html/viewvc
                  [Sat Feb 22 19:18:17 2014] [error] [client 192.168.80.15] File does not exist: /var/www/html/query
                  [Sat Feb 22 19:18:29 2014] [error] [client 192.168.80.15] Directory index forbidden by Options directive: /var/www/html/
                  [Sat Feb 22 19:23:18 2014] [error] [client 192.168.80.15] File does not exist: /var/www/html/viewvc
                  [Sat Feb 22 19:34:59 2014] [error] [client 192.168.80.15] File does not exist: /var/www/html/viewvc
                  [root@localhost ~]#

                  Please, if someone can guide me.

                  Thanks a lot

              2. Hi,
                Thank you for the tutorial. I have everything configured up until populating the ViewVC DB with info from CVS (the last step). When running /usr/local/viewvc-1.1.17/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT, I receive the following: _mysql_exceptions.OperationalError: (1045, "Access denied for user 'root'@'localhost' (using password: NO)").
                I am able to log into mySQL with the account I created. I am not using any special characters for the passwords; I have reset the root password and uninstalled/reinstalled mysql. Do you have any ideas on what would cause this?

                Thanks!

              3. Hi Brian, can we install web based rancid using port 80 instead of port 443?

                Replies
                1. Certainly. You should be able to use the default virtual host. I'm not a pro at configuring apache, but I think it is pretty straightforward. The documentation at www.apache.org is pretty good, and there are tutorials for basic apache configs all over the internet. I only went with SSL for my setup because it is a requirement for my environment.

              4. Hi Brian.

                I was having this kind of issue in the browser.

                Not Found

                The requested URL /viewvc was not found on this server.

                Can you help me please. This is the log from /var/log/httpd/ssl_access.log

                [root@localhost ~]# cat /var/log/httpd/ssl_access_log
                192.168.80.15 - - [19/Feb/2014:23:15:10 +0100] "GET /viewvc HTTP/1.1" 404 283
                192.168.80.15 - - [19/Feb/2014:23:15:11 +0100] "GET /favicon.ico HTTP/1.1" 404 288
                192.168.80.15 - - [19/Feb/2014:23:15:11 +0100] "GET /favicon.ico HTTP/1.1" 404 288
                [root@localhost ~]# "GET /favicon.ico HTTP/1.1" 404 288
                -bash: GET /favicon.ico HTTP/1.1: No such file or directory


                Thanks.

