Setup RANCID and ViewVC (Part One)

KB ID 0001331

Problem

There are a couple of good posts out there on setting up Rancid (Really Awesome New Cisco Config Differ). Some even show you how to set it up with ViewVC (formerly ViewCVS; basically a nice web-based GUI front end that does version control and highlights differences). It does this using a system called CVS (Concurrent Versions System, hence the original name).

Then I had to do some more searching to get it to back up my Cisco ASA firewalls and get the whole thing automated, which I’ll cover in Part Two.

OS: CentOS 7 x64

Rancid: 3.4.1

ViewVC: 1.1.24

Solution

Once it’s built, let’s update our server;

yum upgrade
yum update
Answer any questions with 'y' for yes.

Update CentOS

Let’s install all the components we need;

yum install nano wget ftp telnet mariadb-server mariadb perl tcl expect gcc cvs rcs httpd autoconf php-common php-gd php-pear php-pecl-memcache php-mysql php-xml mod_ssl MySQL-python

We only need a simple web server, so set the firewall accordingly (I’m opening http (TCP 80) and https (TCP 443) but we will only configure http in this example);

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload

Rancid Firewall Settings

We have already installed Apache (web server), so we need to start it up, then set it to ‘auto-start’ with the server. Then create a group, and a user (rancid), and place that user in the group we created. Finally create a directory for us to ‘unzip’ rancid into.

systemctl enable httpd.service
systemctl start httpd.service
groupadd netadm
useradd -g netadm -c "Networking Backups" -d /home/rancid rancid
mkdir /home/rancid/tar

Rancid User Settings

Move into the directory we just created, then download RANCID, unzip it, and install it.

cd /home/rancid/tar/
wget ftp://ftp.shrubbery.net/pub/rancid/rancid-3.4.1.tar.gz
tar -zxvf rancid-3.4.1.tar.gz
cd rancid-3.4.1
./configure --prefix=/usr/local/rancid
make install

Download Rancid

Copy over the sample ‘cloginrc’ file (more on this later), then set the ownership and permissions on the rancid files and directories.

cp cloginrc.sample /home/rancid/.cloginrc
chmod 0640 /home/rancid/.cloginrc
chown -R rancid:netadm /home/rancid/.cloginrc
chown -R rancid:netadm /usr/local/rancid/
chmod 775 /usr/local/rancid/

Rancid User Permissions

Now to set the ‘top level’ groups. Above I’ve got Firewalls and Switches; you might want to create a group for each customer you are backing up, or each site (the design is up to you), but these are the ‘folder names’ you will see when you first log into the ViewVC web front end. Next you need to edit the main Rancid configuration file;

nano /usr/local/rancid/etc/rancid.conf

Uncomment and add your groups, e.g.
LIST_OF_GROUPS="Firewalls Switches"

Rancid Top Level Categories

Save and exit the file (in nano that’s CTRL+X, then Y to save, and finally {Enter}). Now we need to change to the rancid user we created earlier (remembering to swap back to ‘root’ afterwards). We do this to create the folder structure for the groups we just created. Most importantly, this creates the router.db file(s) which live in each group/folder. This file specifies what the devices are, and where they are, that you will be backing up.

Rancid Add Categories to Database

su - rancid

Or 'su rancid' if you are logged in as root

/usr/local/rancid/bin/rancid-cvs
su

Download and install ViewVC.

Download ViewVC

Install ViewVC

cd /home/rancid/tar/
wget http://viewvc.tigris.org/files/documents/3330/49471/viewvc-1.1.24.tar.gz
tar -zxvf viewvc-1.1.24.tar.gz
cd viewvc-1.1.24
./viewvc-install

Open the ViewVC config file;

 

Edit ViewVC config

nano /usr/local/viewvc-1.1.24/viewvc.conf

Uncomment and change the values, (as shown above).

root_parents = /usr/local/rancid/var/CVS : cvs
rcs_dir = /usr/local/bin
use_rcsparse = 1

Now to enable ViewVC to work with Apache, we need to copy over the CGI scripts, and set some permissions.

Apache Permissions ViewVC

cp /usr/local/viewvc-1.1.24/bin/cgi/*.cgi /var/www/cgi-bin
chmod +x /var/www/cgi-bin/*.cgi
chown apache:apache /var/www/cgi-bin/*.cgi

Then in the Apache config file, scroll to the end and add the following text, (don’t forget to save and exit the file).

Apache Config For ViewVC

nano /etc/httpd/conf/httpd.conf

Paste the following (at the bottom)

# Custom Rancid Config

# *:80 = answer plain HTTP requests on every address
<VirtualHost *:80>
        DocumentRoot /var/www
        ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
        ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
        ScriptAlias /query /var/www/cgi-bin/query.cgi
        <Directory "/var/www/cgi-bin">
                AllowOverride None
                Options None
                Order allow,deny
                Allow from all
        </Directory>
</VirtualHost>

We already installed MariaDB (similar to MySQL) earlier; we just need to start it up, then set it to auto-start with the server. Out of the box, MariaDB is a little insecure, so there’s a process for hardening it called ‘mysql_secure_installation’.

Note: The first time you run the secure installation it will ask for a password. This is the root password for MariaDB, NOT the Linux root password; it will be {blank}, so just hit {Enter}, then answer Yes to set the password, and set the MySQL/MariaDB root password (NEVER LOSE OR FORGET THIS). You will need it in a minute anyway. For all the other questions simply press {Enter} to accept the defaults.

ViewVC and MariaDB

systemctl enable mariadb
systemctl start mariadb
sudo mysql_secure_installation

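Now that MariaDB is installed, we need to create a user in SQL that ViewVC will use. To do that we need to log into SQL using the root password you just set up. Note that the GRANT line below gives this account every privilege on all databases (*.*), including the right to grant them to other accounts.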

Configure MariaDB for ViewVC

mysql -u root -p
Enter your SQL root password
CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY 'Password123';
GRANT ALL PRIVILEGES ON *.* TO 'VIEWVC'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit

Note: sometimes it does not like you copying and pasting the first ‘CREATE USER…’ line (I don’t know why). If it complains, type it out manually!
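A pasted line fails like this when it reaches the mysql client with typographic (curly) quotes around the password, and the same applies to the LIST_OF_GROUPS value in rancid.conf. The following is an added example, not part of the original article, that finds and straightens such quotes before the text is run; the function names and the sample line are constructed for illustration.

```bash
#!/bin/sh
# Typographic quotes as UTF-8 byte sequences, built with printf so this
# script itself stays pure ASCII and survives copy and paste.
LSQ=$(printf '\342\200\230')   # U+2018 left single quote
RSQ=$(printf '\342\200\231')   # U+2019 right single quote
LDQ=$(printf '\342\200\234')   # U+201C left double quote
RDQ=$(printf '\342\200\235')   # U+201D right double quote

# find_smart_quotes FILE
#   Prints "line-number:text" for every line holding a typographic quote.
#   Exit status 0 if any were found, 1 if the file is clean.
find_smart_quotes() {
    LC_ALL=C grep -a -n -e "$LSQ" -e "$RSQ" -e "$LDQ" -e "$RDQ" -- "$1"
}

# straighten_quotes
#   Filter: stdin to stdout, replacing typographic quotes with the ASCII
#   ' and " that the mysql client and the shell expect.
straighten_quotes() {
    LC_ALL=C sed -e "s/$LSQ/'/g" -e "s/$RSQ/'/g" \
                 -e "s/$LDQ/\"/g" -e "s/$RDQ/\"/g"
}

# Constructed sample: a CREATE USER line as it can arrive from a web page,
# with curly quotes around the password only.
sample_sql() {
    printf "CREATE USER 'VIEWVC'@'localhost' IDENTIFIED BY %sPassword123%s;\n" \
        "$LSQ" "$RSQ"
}

# Show the repaired statement.
sample_sql | straighten_quotes
```

Run find_smart_quotes against /usr/local/rancid/etc/rancid.conf or a saved .sql file to see exactly which lines need retyping.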

Now that is set up we can get ViewVC to create its database.

Configure ViewVC for MariaDB

cd /usr/local/viewvc-1.1.24/bin
./make-database

Use the following settings when prompted;

MySQL Hostname (leave blank for default):{Enter}

MySQL Port (leave blank for default):{Enter}

MySQL User: VIEWVC

MySQL Password: Password123

ViewVC Database Name [default: ViewVC]:{Enter}

Then, (the same as you did earlier,) create another user in MariaDB, that will be a ‘read-only’ user.

Create ViewVC Read Only User

mysql -u root -p
Enter your SQL root password
CREATE USER 'VIEWVCRO'@'localhost' IDENTIFIED BY 'Password456';
GRANT SELECT ON ViewVC.* TO 'VIEWVCRO'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit

Edit the ViewVC configuration so that it uses all the parameters you have set up;

nano /usr/local/viewvc-1.1.24/viewvc.conf

 


Scroll down to the [cvsdb] section, then uncomment and change the values shown (above) so that they look like this:

enabled = 1
host = localhost
port = 3306
database_name = ViewVC
user = VIEWVC
passwd = Password123
readonly_user = VIEWVCRO
readonly_passwd = Password456
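Both /home/rancid/.cloginrc (device logins) and viewvc.conf (the database passwords above, in clear text) are credential stores, so their file modes are worth checking once the install is done. This added example, not part of the original article, flags either file if it grants any access to other users or is group-writable; that policy and the function name audit_cred_file are assumptions made here.

```bash
#!/bin/sh
# audit_cred_file FILE
#   Returns 0 when FILE grants nothing to "other" and is not group-writable,
#   1 when it is too open, 2 when it does not exist.
audit_cred_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    perms=$(ls -ld -- "$f" | cut -c1-10)        # e.g. -rw-r-----
    other=$(printf '%s' "$perms" | cut -c8-10)  # rwx bits for everyone else
    gwrite=$(printf '%s' "$perms" | cut -c6)    # group write bit
    rc=0
    if [ "$other" != "---" ]; then
        echo "FAIL $f ($perms): accessible to other users"
        rc=1
    fi
    if [ "$gwrite" = "w" ]; then
        echo "FAIL $f ($perms): group-writable"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $f ($perms)"
    fi
    return "$rc"
}

# The two credential stores this guide creates (paths taken from the steps above).
for f in /home/rancid/.cloginrc /usr/local/viewvc-1.1.24/viewvc.conf; do
    audit_cred_file "$f" || true
done
```

viewvc.cgi runs as the apache user, so viewvc.conf has to stay readable by that account when its mode is tightened.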

Then get ViewVC to ‘rebuild’ the database.

Build ViewVC Database

/usr/local/viewvc-1.1.24/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/

Reboot the server, and if you browse to http://{ip-or-hostname}/viewvc you should see something like this;

Rancid ViewVC GUI

 

In Part Two we will add some Cisco Devices (Switches and ASA Firewalls) and schedule the backups.

Related Articles, References, Credits, or External Links

NA

Author: PeteLong


17 Comments

  1. Have you looked at rConfig? It’s a nice FOSS alternative

    • HI Tom,
      I have not but I certainly will do,
      Regards
      Pete

    • rconfig is the worst piece of code I’ve ever seen with tons of security issues. You should always use rancid instead.

    • Get some error

      /usr/local/viewvc-1.1.24/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/

      [root@localhost bin]# /usr/local/viewvc-1.2.2/bin/cvsdbadmin rebuild /usr/local/rancid/var/CVS/CVSROOT/
      Traceback (most recent call last):
      File “/usr/local/viewvc-1.2.2/bin/cvsdbadmin”, line 42, in
      import cvsdb
      File “/usr/local/viewvc-1.2.2/lib/cvsdb.py”, line 20, in
      import dbi
      File “/usr/local/viewvc-1.2.2/lib/dbi.py”, line 18, in
      import MySQLdb
      ImportError: No module named MySQLdb

  2. Thanks for this post. I installed it in VMWare workstation 10. Then I configured a router in GNS3 and interlinked them. The CentOS (having Rancid+ViewVC) can ping the Router but can’t take configuration back up.

    Any suggestion? Thanks again.

    • You need to look in the Rancid Log, that will point you in the right direction.

      P

  3. Hi Pete!

    Thanks for the post. I had a quick question. I’m having trouble getting the apache server running without issue. It fails to start with the issue “Syntax error on line 357 of /etc/httpd/conf/httpd.conf” as revealed by the “systemctl status httpd.service” command. That line corresponds to the start of the custom config (“” and onward). I pasted the config directly so not quite sure why it’s having trouble. Any ideas?

    • Hey! I figured out the issue. I believe the syntax for “Virtual Host” above should be “Virtual Host *:80” instead of just “Virtual Host”.

    • Actual command line is as below it is “missing *:80”.

      DocumentRoot /var/www
      ScriptAlias /cgi-bin/ “/var/www/cgi-bin”
      ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
      ScriptAlias /query /var/www/cgi-bin/query.cgi

      AllowOverride None
      Options None
      Order allow,deny
      Allow from all

  4. Re:
    CREATE USER ‘VIEWVC’@’localhost’ IDENTIFIED BY ‘Password123’;
    Note: sometime it does not like you copying and pasting the first ‘CREATE USER…’ line, (I don’t know why.) If it complains, type it out manually!

    It is due to the “smartquotes” around the “Password123” string.
    BAD: ‘Password123’
    GOOD: 'Password123'

  5. Hi guys,

    I’d like to contribute a comment. After following all the steps I had problems accessing the repository via browser.
    You must add the IP address after, as you can see below:

    # Custom Rancid Config

    DocumentRoot /var/www
    ScriptAlias /cgi-bin/ “/var/www/cgi-bin”
    ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
    ScriptAlias /query /var/www/cgi-bin/query.cgi

    AllowOverride All
    Options None
    Order allow,deny
    Allow from all

    PeteLong,

    Thanks for your great post.

  6. I just wanted to post and add that I followed the whole config and noticed that there was something missing from this part

    # Custom Rancid Config

    was changed to
    DocumentRoot /var/www
    ScriptAlias /cgi-bin/ “/var/www/cgi-bin”
    ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
    ScriptAlias /query /var/www/cgi-bin/query.cgi

    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

    Everything else seems to be working properly!

    Cheers

  7. Ran into ERR_CONNECTION_REFUSED when opening http://{ip-or-hostname}/viewvc, the fix was partially correct in the above posts. The /etc/httpd/conf/httpd.conf config is missing *:80 in the original header, adding *:80 resolved the webpage issue.

    [root@localhost ~]# nano /etc/httpd/conf/httpd.conf

    Paste the following (at the bottom)

    # Custom Rancid Config

    DocumentRoot /var/www
    ScriptAlias /cgi-bin/ “/var/www/cgi-bin”
    ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
    ScriptAlias /query /var/www/cgi-bin/query.cgi

    AllowOverride None
    Options None
    Order allow,deny
    Allow from all

    Thanks for an awesome article, this definitely helped a complete Linux noob get RANCID up and running!

    • Looks like the bracketed text is not showing up in the comments so I’ve removed them for clarity:

      [root@localhost ~]# nano /etc/httpd/conf/httpd.conf

      Paste the following (at the bottom, remember to add the original brackets)

      # Custom Rancid Config

      VirtualHost *:80
      DocumentRoot /var/www
      ScriptAlias /cgi-bin/ “/var/www/cgi-bin”
      ScriptAlias /viewvc /var/www/cgi-bin/viewvc.cgi
      ScriptAlias /query /var/www/cgi-bin/query.cgi
      Directory “/var/www/cgi-bin”
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
      /Directory
      /VirtualHost

  8. Hi, nice procedure.
    Is there a way to protect viewvc with a password?
    I mean the web interface is open to everyone, but it contains sensitive information.

  9. Hi,
    Great procedure
    thank you all

  10. I’ve used this procedure before and it worked. Now, is it possible to install Rancid on an environment without internet access?

    Thanks!
