In this post I want to walk through the steps to install Rancid on CentOS 7 minimal. Rancid is a great tool to help monitor a device configuration for any changes. It also keeps track of them by using CVS (Concurrent Versions System) for backups, so you can go back and compare versions or revert to a previous configuration. Rancid supports hardware from multiple vendors, including Cisco, HP, Dell, Juniper and more. This is all open-source, so you can create custom scripts or add commands to really make this a personal repository that fits your company. Several things are required when we install Rancid. I have tried to make this as simple as possible, but it’s not just a type-and-watch-it-install process: you have to customize some of the scripts to make Rancid work like it should. Read it through and follow along.
So I’m already assuming that you have CentOS 7 minimal installed, with connection to the internet, and have just the root account with a password. You can pick up the latest CentOS at http://www.centos.org/
Login as the root account and let’s update this thing and accept any updates before we do anything else.
We now need to install all the prerequisites needed for Rancid and some other tools we’ll need for troubleshooting (if needed)
yum install nano wget ftp telnet mariadb-server mariadb perl tcl expect gcc cvs rcs httpd autoconf php-common php-gd php-pear php-pecl-memcache php-mysql php-xml mod_ssl MySQL-python
Since we installed Apache we will want to change the firewall rules on our system to allow HTTP (and HTTPS if we want it).
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
Reload the Firewall to save changes
Enable the Apache service to start on bootup and let’s start it up for the first time.
systemctl enable httpd.service
systemctl start httpd.service
After you enable Apache you should see a sample webpage from Apache when you browse to your server’s IP address with a browser. We now need to add a group for the rancid user.
Next we will create a user called rancid and put this user under the group we just created which is netadm. We will also put in the home directory for this rancid user.
useradd -g netadm -c "Networking Backups" -d /home/rancid rancid
Let’s be a little organized and create a directory to put all of our installation files. Once created let’s change directories to that tar folder we just created.
Move to the tar folder
We will download the latest version of Rancid, which at the time of this writing is 3.1. (3-1-16) UPDATE: Current version is 3.4.1; I updated the download paths below. 🙂
Extract the tar ball we just downloaded:
tar -zxvf rancid-3.4.1.tar.gz
Move into the rancid-3.1 folder:
Run/type in the following followed by enter. This gets Rancid ready for install.
After all of the output clears run the install.
Now let’s copy and modify some permissions
cp cloginrc.sample /home/rancid/.cloginrc
chmod 0640 /home/rancid/.cloginrc
chown -R rancid:netadm /home/rancid/.cloginrc
chown -R rancid:netadm /usr/local/rancid/
chmod 775 /usr/local/rancid/
We have to edit the rancid configuration file and put our devices in groups. Find “list of rancid groups” and uncomment it. Type in the groups you would like, for example (Routers Switches)
nano /usr/local/rancid/etc/rancid.conf
...
# list of rancid groups
LIST_OF_GROUPS="Routers Switches"
# more groups...
#LIST_OF_GROUPS="$LIST_OF_GROUPS noc billybobisp"
#
...
Switch to the Rancid user account
Run the following, this creates a CVS Repository with the groups you just entered in the List of Groups.
/usr/local/rancid/bin/rancid-cvs
No conflicts created by this import
cvs checkout: Updating Routers
Directory /usr/local/rancid/var/CVS/Routers/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/Routers/router.db,v
done
Checking in router.db;
/usr/local/rancid/var/CVS/Routers/router.db,v -- router.db
initial revision: 1.1
done
No conflicts created by this import
cvs checkout: Updating Switches
Directory /usr/local/rancid/var/CVS/Switches/configs added to the repository
cvs commit: Examining configs
cvs add: scheduling file `router.db' for addition
cvs add: use 'cvs commit' to add this file permanently
RCS file: /usr/local/rancid/var/CVS/Switches/router.db,v
done
Checking in router.db;
/usr/local/rancid/var/CVS/Switches/router.db,v -- router.db
initial revision: 1.1
done
[rancid@rancid ~]$
After the command runs, log out of the rancid user and go back to root. Move back to the tar folder.
Next we will want to download ViewVC. As of this writing the latest version is 1.1.23. (3-1-16) UPDATE: Current version of ViewVC is 1.1.24; I updated the paths below. 🙂
Extract the tarball
tar -zxvf viewvc-1.1.24.tar.gz
Move to the ViewVC folder and run the installer, accept the defaults.
cd viewvc-1.1.24
./viewvc-install
We now need to modify the ViewVC configuration file, basically telling ViewVC where the CVS repo is.
Find the following and edit as shown below:
...
## Example:
## cvs_roots = cvsroot: /opt/cvs/repos1,
##             anotherroot: /usr/local/cvs/repos2
##
#cvs_roots = cvs:

## svn_roots: Specifies each of the Subversion roots (repositories) on
## your system and assigns names to them. Each root should be given by
...
## Example:
## root_parents = /opt/svn: svn,
##                /opt/cvs: cvs
##
root_parents = /usr/local/rancid/var/CVS : cvs

## default_root: This is the name of the default root. Valid names
...
## Example:
## rcs_dir = /usr/bin/
##
rcs_dir = /usr/local/bin

## cvsnt: Location of cvsnt program. ViewVC can use CVSNT (www.cvsnt.org)
...
## use_rcsparse: Use the rcsparse Python module to retrieve CVS
## repository information instead of invoking rcs utilities [EXPERIMENTAL]
##
use_rcsparse = 1
...
We need to copy some files and change permissions for ViewVC.
cp /usr/local/viewvc-1.1.24/bin/cgi/*.cgi /var/www/cgi-bin
chmod +x /var/www/cgi-bin/*.cgi
chown apache:apache /var/www/cgi-bin/*.cgi
For this example we will use HTTP for ViewVC, although you could use HTTPS; you would just have to modify the Apache (HTTPD) configuration file accordingly.
I put the following at the bottom of the HTTPD file
# Custom Rancid Config
<VirtualHost *:80>
    DocumentRoot /var/www
    # The trailing slash on the alias and on the target must match
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
    ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
    ScriptAlias /query /var/www/cgi-bin/query.cgi
    <Directory "/var/www/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
We are almost done. We now need to turn on MariaDB, which ViewVC uses, and start up the secure installation. (Accept all defaults and type in a root password for MariaDB.)
systemctl enable mariadb
systemctl start mariadb
sudo mysql_secure_installation
Go back into MariaDB and create a ViewVC user and use the password you just created.
mysql -u root -p
Enter the following: (Replace YourPasswordHere with something else)
CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY 'YourPasswordHere';
GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit
Make the ViewVC Database with the username and password you just created. (Accept the defaults)
/usr/local/viewvc-1.1.24/bin/make-database
MySQL Hostname (leave blank for default):
MySQL Port (leave blank for default):
MySQL User: VIEWVC
MySQL Password: YourPasswordHere
ViewVC Database Name [default: ViewVC]:
Database created successfully. Don't forget to configure the [cvsdb] section of your viewvc.conf file.
Go back to MariaDB (MySQL) with the root password
mysql -u root -p
Create a Read-Only account for ViewVC on the MySQL database. (Replace YourROPasswordHere with something else)
CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY 'YourROPasswordHere';
GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit
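The two accounts created above hold more than their roles need: VIEWVC has every privilege on every database, and both accounts can pass their privileges on. The following added example (not from the original post or from ViewVC) flags such grants in SHOW GRANTS output; the function names and sample output are constructed, and the narrower GRANT statements in its comments assume make-database and cvsdbadmin need rights only on the ViewVC database.

```shell
#!/bin/sh
# Added example: flag over-broad MariaDB grants in SHOW GRANTS output.
# Function names are hypothetical; the sample output below is constructed.

# Constructed sample in the format SHOW GRANTS uses, for the two accounts
# as created in this guide (password hashes replaced by a placeholder).
sample_show_grants() {
    cat <<'EOF'
GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' IDENTIFIED BY PASSWORD '*HASH-PLACEHOLDER' WITH GRANT OPTION
GRANT USAGE ON *.* TO 'VIEWVCRO'@'localhost' IDENTIFIED BY PASSWORD '*HASH-PLACEHOLDER'
GRANT SELECT ON `ViewVC`.* TO 'VIEWVCRO'@'localhost' WITH GRANT OPTION
EOF
}

# Read SHOW GRANTS lines on stdin and print one finding per risky grant:
# any privilege other than USAGE on *.*, and any WITH GRANT OPTION.
audit_viewvc_grants() {
    awk '
    /^GRANT / {
        privs = $0; sub(/^GRANT /, "", privs); sub(/ ON .*/, "", privs)
        scope = $0; sub(/.* ON /, "", scope);  sub(/ TO .*/, "", scope)
        who   = $0; sub(/.* TO /, "", who);    sub(/ .*/, "", who)
        if (scope == "*.*" && privs != "USAGE")
            print who ": global grant (" privs " ON *.*)"
        if ($0 ~ / WITH GRANT OPTION/)
            print who ": can re-grant its privileges (" scope ")"
    }'
}

# Against a live server (prompts for the root password):
#   mysql -u root -p -N -e "SHOW GRANTS FOR 'VIEWVC'@'localhost'" | audit_viewvc_grants
#
# Narrower grants that would pass the audit (assumption: make-database and
# cvsdbadmin need rights only on the ViewVC database):
#   GRANT ALL PRIVILEGES ON ViewVC.* TO 'VIEWVC'@'localhost';
#   GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost';

sample_show_grants | audit_viewvc_grants
```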
We now need to configure the ViewVC configuration file with the user names and passwords that we created in MySQL.
Find cvsdb and change it to something like this:
##---------------------------------------------------------------------------
[cvsdb]

## enabled: Enable database integration feature.
##
enabled = 1

## host: Database hostname. Leave unset to use a local Unix socket
## connection.
##
host = localhost

## post: Database listening port.
##
port = 3306

## database_name: ViewVC database name.
##
database_name = ViewVC

## user: Username of user with read/write privileges to the database
## specified by the 'database_name' configuration option.
##
user = VIEWVC

## passwd: Password of user with read/write privileges to the database
## specified by the 'database_name' configuration option.
##
passwd = YourPasswordHere

## readonly_user: Username of user with read privileges to the database
## specified by the 'database_name' configuration option.
##
readonly_user = VIEWVCRO

## readonly_passwd: Password of user with read privileges to the database
## specified by the 'database_name' configuration option.
##
readonly_passwd = YourROPasswordHere
Run the following command to build the Database.
/usr/local/viewvc-1.1.24/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/
Reboot the server. Once it is back online you should be able to view the repository at http://rancid-server-ip/viewvc
If you see the groups that we created, we are looking good so far. To finish this installation off we need to set up Rancid to send emails. Usually you have to add the Rancid server to the allowed senders list on your email infrastructure. Rancid uses aliases to send emails, so we need to edit the aliases file.
Depending on your infrastructure you might have different teams of people for the different equipment that Rancid is monitoring, or you might be running a one-man shop; either way you can specify who gets the mail. In this example I’m using only one email address and created a new alias called rancid. All of this is at the bottom of the aliases file.
# Custom Rancid Configuration (Put an Email Here)
rancid: email@example.com
# Custom Rancid Configuration
rancid-admin-Routers: rancid
rancid-Routers: rancid
rancid-admin-Switches: rancid
rancid-Switches: rancid
Depending on what you created in your List of Groups in the rancid configuration file you might have more or fewer entries. (In this example we just created Routers and Switches.) We must specify these in the aliases file, otherwise Rancid won’t send emails for these groups. Once we are done editing, we want to let our Rancid box know about the new aliases we just created. Type in the following command to update.
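The alias requirement above can be checked mechanically. The following added example (not part of the original post or of Rancid) lists every rancid-<group> and rancid-admin-<group> alias that LIST_OF_GROUPS calls for but the aliases file lacks; the function names are hypothetical, and /etc/aliases in the usage comment is an assumed location for the aliases file.

```shell
#!/bin/sh
# Added example: list the mail aliases RANCID needs but the aliases file lacks.
# Function names are hypothetical; they are not part of RANCID.

# Print the configured groups, one per line. rancid.conf is shell syntax that
# RANCID itself sources, so only its active LIST_OF_GROUPS assignments are
# evaluated, in a subshell, which keeps "$LIST_OF_GROUPS more" appends working.
rancid_groups() {
    (
        LIST_OF_GROUPS=
        eval "$(grep -E '^[[:space:]]*LIST_OF_GROUPS=' "$1")"
        for g in $LIST_OF_GROUPS; do printf '%s\n' "$g"; done
    )
}

# Return 0 if aliases file $1 defines alias $2. Names are compared
# case-insensitively because Postfix folds alias keys to lowercase.
has_alias() {
    awk -F: -v want="$2" '
        /^#/ || /^[ \t]/ { next }      # skip comments and continuation lines
        { key = $1; gsub(/[ \t]/, "", key)
          if (tolower(key) == tolower(want)) found = 1 }
        END { exit !found }' "$1"
}

# Print every alias that the groups in rancid.conf ($1) require and that the
# aliases file ($2) does not define. No output means full coverage.
missing_rancid_aliases() {
    for group in $(rancid_groups "$1"); do
        for name in "rancid-$group" "rancid-admin-$group"; do
            has_alias "$2" "$name" || printf '%s\n' "$name"
        done
    done
}

# Usage (rancid.conf path from this guide; /etc/aliases is an assumed location):
#   sh check-aliases.sh /usr/local/rancid/etc/rancid.conf /etc/aliases
if [ "$#" -eq 2 ]; then
    missing_rancid_aliases "$1" "$2"
fi
```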
In this example postfix is already installed so we just need to edit the postfix configuration file.
Find and uncomment “relayhost” and type either the domain name (if you have MX records), the FQDN, or the IP address of your email system.
relayhost = mycompanydomain.com
relayhost = email.mycompanydomain.com
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
Start up Postfix and enable it on boot
systemctl start postfix
systemctl enable postfix
Finished! We have just installed Rancid and made some helpful tweaks, like getting an upfront web page to view the configurations instead of the CLI, as well as setting up Rancid to email us if anything changes or if there are issues connecting to any equipment. I’ll put the brakes on here, and in the next post we will go over how to customize Rancid to log into devices and grab configurations. I hope this install guide is helpful; let me know if you have any questions. Enjoy the New Year! 🙂
If you can’t wait for me then you can check Shrubbery at http://www.shrubbery.net/rancid/
Read the README file once you download Rancid.
You can also check threads from Rancid Discussions at http://www.gossamer-threads.com/lists/rancid/