Deploying Oxidized on CentOS 7.9 to back up switch configurations automatically
Category: Ops Technology  Date: 2021-03-17 - 22:13:47  Author: 老谢
Installation and deployment
I really did not want to use Ubuntu Server, and since I plan to hook this up to Zabbix later to trigger alerts on configuration changes, a Docker deployment would make the Zabbix side more awkward. So after a day of fiddling, Oxidized is now running natively on CentOS 7.9. The Docker deployment method is in the second half of this post; skip ahead if that is what you need.
System version: CentOS Linux release 7.9.2009 (Core)
Deployment steps
Install Ruby 2.3 from Software Collections, then Oxidized itself with gem:

```shell
yum update   # switch to a domestic (China) yum mirror first; fine on a fresh box, but once in production do not update every rpm wholesale
             # remember to disable SELinux
yum install centos-release-scl                # Software Collections repository
yum install rh-ruby23 rh-ruby23-ruby-devel     # Ruby 2.3; the system Ruby is 2.0
scl enable rh-ruby23 bash                      # very important: loads the Ruby environment, otherwise Oxidized will not start
yum install make cmake which sqlite-devel openssl-devel libssh2-devel ruby gcc ruby-devel libicu-devel gcc-c++   # build dependencies
gem install oxidized                           # the star of the show
gem install oxidized-script oxidized-web       # web UI
ruby -v                                        # check the Ruby version, it should be above 2.3
which ruby                                     # check the Ruby path
```

```
[root@localhost ~]# ruby -v
ruby 2.3.8p459 (2018-10-18 revision 65136) [x86_64-linux]
[root@localhost ~]# which ruby
/opt/rh/rh-ruby23/root/usr/bin/ruby
```

Make the SCL Ruby environment load automatically on login (vim /etc/profile.d/rh-ruby22.sh):

```shell
#!/bin/bash
source /opt/rh/rh-ruby23/enable
export X_SCLS="`scl enable rh-ruby23 'echo $X_SCLS'`"
export PATH=$PATH:/opt/rh/rh-ruby23/root/usr/bin   # the bin directory, not the ruby binary itself
```

Link the oxidized binary into /usr/local/bin and create the systemd unit (vim /lib/systemd/system/oxidized.service):

```shell
ln -s /opt/rh/rh-ruby23/root/usr/local/bin/oxidized /usr/local/bin/oxidized
```

```ini
# /lib/systemd/system/oxidized.service
[Unit]
Description=Oxidized - Network Device Configuration Backup Tool
After=network-online.target multi-user.target
Wants=network-online.target

[Service]
ExecStart=/usr/local/bin/oxidized
KillSignal=SIGKILL
User=root

[Install]
WantedBy=multi-user.target
```

The unit above runs Oxidized as root; make sure the /usr/local/bin/oxidized symlink (ln -s) exists first. A dedicated unprivileged user would be the safer choice, since the process only needs to read its config and write its backup directory.

```shell
chmod +x /lib/systemd/system/oxidized.service
vi /etc/ld.so.conf     # add the line: /opt/rh/rh-ruby23/root/usr/lib64
ldconfig
ldconfig -v            # check that the Ruby .so libraries are listed
```

Next, create router.db and the config file; the steps are exactly the same as in the Docker section below. Then enable and start the service:

```
[root@localhost ~]# systemctl enable oxidized.service
Created symlink from /etc/systemd/system/multi-user.target.wants/oxidized.service to /usr/lib/systemd/system/oxidized.service.
[root@localhost ~]# systemctl start oxidized.service
[root@localhost ~]# systemctl status oxidized.service
● oxidized.service - Oxidized - Network Device Configuration Backup Tool
   Loaded: loaded (/usr/lib/systemd/system/oxidized.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-24 18:59:37 CST; 2s ago
 Main PID: 6767 (oxidized)
   CGroup: /system.slice/oxidized.service
           └─6767 puma 3.11.4 (tcp://0.0.0.0:8888) [/]

Mar 24 18:59:37 localhost.localdomain oxidized[6767]: I, [2021-03-24T18:59:37.635254 #6767]  INFO -- : Oxidized starting, running as pid 6767
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: I, [2021-03-24T18:59:37.635810 #6767]  INFO -- : lib/oxidized/nodes.rb: Loading nodes
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: I, [2021-03-24T18:59:37.711327 #6767]  INFO -- : lib/oxidized/nodes.rb: Loaded 1 nodes
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: Puma starting in single mode...
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: * Version 3.11.4 (ruby 2.3.8-p459), codename: Love Song
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: * Min threads: 0, max threads: 16
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: * Environment: development
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: * Listening on tcp://0.0.0.0:8888
Mar 24 18:59:37 localhost.localdomain oxidized[6767]: Use Ctrl-C to stop
Mar 24 18:59:39 localhost.localdomain oxidized[6767]: W, [2021-03-24T18:59:39.990844 #6767]  WARN -- : /192.168.1.1 status no_connection, retry attempt 1
[root@localhost ~]# firewall-cmd --zone=public --add-port=8585/tcp --permanent
[root@localhost ~]# systemctl reload firewalld.service
```
The Oxidized service will not start without a router.db. NGINX, the time zone and the other issues are the same as in the Docker deployment, so just read on. Finally, remember to turn off the firewall or open Oxidized's web port :)
Docker deployment
I had long heard of Oxidized but never had an environment to try it. A new project came along with a fair number of switches; backing them up by hand is slow and laborious, and the existing automatic backup was too basic to offer version history and diffs, so I wanted to use Oxidized as a first step toward automated operations. Installing Oxidized with gem on CentOS hit problem after problem and there is very little online about it; I did not want to keep fighting it and did not want Ubuntu either, so I went with Docker, on the CentOS 7.9 minimal image.
Baseline settings such as updating the system packages (yum update) and disabling SELinux are not covered here; initialise the environment according to your own requirements.
Installing Docker
```shell
# First remove any Docker packages that may already be on the system
sudo yum remove docker \
                docker-client \
                docker-client-latest \
                docker-common \
                docker-latest \
                docker-latest-logrotate \
                docker-logrotate \
                docker-engine
sudo yum install -y yum-utils \
  device-mapper-persistent-data \
  lvm2
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce docker-ce-cli containerd.io
sudo systemctl start docker
sudo systemctl enable docker
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
  "registry-mirrors": ["https://obm1t8sr.mirror.aliyuncs.com"]
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
# For details see: https://blog.csdn.net/yangwenxue_admin/article/details/105347451
```
The Oxidized image

```shell
docker pull oxidized/oxidized:latest
mkdir /etc/oxidized
docker run --name='oxidized' -itd -v /etc/oxidized:/root/.config/oxidized -p 127.0.0.1:8888:8888/tcp -t oxidized/oxidized
# Mounts the host's /etc/oxidized directory at /root/.config/oxidized inside the container and
# maps the container's port 8888 to 127.0.0.1:8888 (loopback only, so the UI is not reachable directly from the network)
# Use `iptables -t nat -nL` to inspect the resulting NAT rules
```

```shell
docker logs oxidized   # view the oxidized container's logs
cd /etc/oxidized
touch router.db        # router.db is used as the data source for now; edit it using this format: 192.168.1.1:ios:admin:admin:enablepass
```

The config file
```yaml
---
username: username
password: password
model: junos
resolve_dns: true
interval: 3600
use_syslog: false
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 0.0.0.0:8888
next_adds_job: false
vars:
  auth_methods: ["none", "publickey", "password", "keyboard-interactive"]
groups: {}
models: {}
pid: "/root/.config/oxidized/pid"
crash:
  directory: "/root/.config/oxidized/crashes"
  hostnames: false
stats:
  history_size: 10
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
  ftp:
    passive: true
  utf8_encoded: true
output:
  default: git
  git:
    user: Oxidized
    email: o@example.com
    repo: "/home/oxidized/.config/oxidized/oxidized.git"
source:
  default: csv
  csv:
    file: "/root/.config/oxidized/router.db"
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      model: 1
      username: 2
      password: 3
    vars_map:
      enable: 4
    gpg: false
model_map:
  juniper: junos
  cisco: ios
```

The config above turns on Oxidized's version history (git output). The 0, 1, 2, 3 ... values under map and vars_map are the positions of the ":"-separated fields in router.db.

If you would rather keep the backups as plain files in a directory, change the output section to the following. If you want both files and version history, Oxidized can be connected to GitLab; I am not familiar enough with GitLab to have taken that further yet.

```yaml
output:
  default: file
  file:
    directory: "/root/.config/oxidized/configs"
```
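As an added example (not Oxidized's own code), this Ruby script applies the csv source settings above (delimiter, map, vars_map and model_map) to a constructed router.db and prints the resulting nodes, so a router.db line can be sanity-checked before the service is restarted. It assumes the config is read from YAML with a plain ":" delimiter in place of the `!ruby/regexp /:/` tag, and the comment and blank-line handling is the script's own.

```ruby
require 'yaml'

# Constructed sample: the parts of the config above that drive the csv source.
# A plain ":" stands in for `!ruby/regexp /:/` so YAML.safe_load accepts it.
CONFIG = YAML.safe_load(<<~YML)
  model_map:
    juniper: junos
    cisco: ios
  source:
    csv:
      delimiter: ":"
      map: {name: 0, model: 1, username: 2, password: 3}
      vars_map: {enable: 4}
YML

# Constructed router.db content in the post's format (name:model:user:pass:enable).
ROUTER_DB = <<~DB
  192.168.1.1:ios:admin:admin:enablepass
  core-sw1:cisco:backup:s3cret:en4ble
  # blank lines and lines starting with # are skipped by this script

  edge-fw:juniper:backup:s3cret
DB

# Turn router.db text into node hashes as described by map, vars_map and model_map.
def load_nodes(config, text)
  csv = config['source']['csv']
  delim = Regexp.new(csv['delimiter'])
  model_map = config.fetch('model_map', {})
  nodes = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    fields = line.split(delim, -1)
    node = {}
    csv['map'].each { |key, idx| node[key] = fields[idx] }
    node['vars'] = {}
    csv['vars_map'].each { |key, idx| node['vars'][key] = fields[idx] }   # missing field -> nil
    # model_map rewrites vendor names to Oxidized model names (cisco -> ios).
    node['model'] = model_map.fetch(node['model'], node['model'])
    nodes << node
  end
  nodes
end

NODES = load_nodes(CONFIG, ROUTER_DB)
NODES.each { |n| puts "#{n['name']}: model=#{n['model']} user=#{n['username']} enable=#{n['vars']['enable'].inspect}" }
```

router.db and the config hold device passwords in clear text, so keep both readable by the Oxidized user only (chmod 600).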
Thanks to “. Toby” and “Game” from the “网络自动化与安全” (Network Automation and Security) group for their technical support!
The Oxidized time problem
For Oxidized's timestamps to be meaningful, the clock has to be calibrated so that the time is accurate.
```shell
docker exec -it oxidized /bin/bash
mkdir -p /usr/share/zoneinfo/Asia
vi /var/lib/gems/2.5.0/gems/oxidized-web-0.13.1/lib/oxidized/web/public/scripts/oxidized.js
# Find the timeZone field, comment out the line above it and drop the timeZone parameter
# (//var timeZone = date.toString().match(/\(.*\)/)[0].match(/[A-Z]/g).join('');)
# See https://cloud.tencent.com/developer/article/1657021 for this JS change
exit
# The above enters the oxidized container, creates the zoneinfo directory and edits the
# time-zone handling in the UI's JS file, then leaves the container shell
docker cp /usr/share/zoneinfo/Asia/ oxidized:/usr/share/zoneinfo/Asia
docker cp /etc/localtime oxidized:/etc/localtime     # copy the host's time-zone files into the container
yum -y install ntpdate
ntpdate ntp1.aliyun.com
shutdown -r now
# After the reboot, start the oxidized container again and the time is correct.
# Don't ask me why a reboot is needed, I don't know either, but it did fix it.
```

Update 2021-03-24: on the native (gem) install, commenting out the line as above had no effect, but adding 8 to the hour variable does work, as follows:

```javascript
var convertTime = function() {
  /* Convert UTC times to local browser times
   * Requires that the times on the server are UTC
   * Requires a class name of `time` to be set on element desired to be changed
   * Requires that element have a text in the format of `YYYY-mm-dd HH:MM:SS`
   * See ytti/oxidized-web #16
   */
  $('.time').each(function() {
    var content = $(this).text();
    if(content === 'never' || content === 'unknown' || content === '') {
      return;
    }
    var utcTime = content.split(' ');
    var date = new Date(utcTime[0] + 'T' + utcTime[1] + 'Z');
    // Workaround: shift the time by +8 hours (UTC+8). Applied to the timestamp rather than
    // the hour digits so the date rolls over correctly; the earlier ("8" + hours).slice(-2)
    // form did not add anything. getHours() already returns the browser's local time, so keep
    // this offset only if the displayed times are still 8 hours behind.
    date = new Date(date.getTime() + 8 * 60 * 60 * 1000);
    var year = date.getFullYear();
    var month = ("0" + (date.getMonth() + 1)).slice(-2);
    var day = ("0" + date.getDate()).slice(-2);
    var hour = ("0" + date.getHours()).slice(-2);
    var minute = ("0" + date.getMinutes()).slice(-2);
    var second = ("0" + date.getSeconds()).slice(-2);
    //var timeZone = date.toString().match(/\(.*\)/)[0].match(/[A-Z]/g).join('');
    $(this).text(year + '-' + month + '-' + day + ' ' + hour + ':' + minute + ':' + second + ' ');
  });
};
```
Nginx reverse proxy setup
Oxidized itself has no user authentication module, so nginx's auth module with an .htpasswd file has to handle login. This matters: device configurations can contain sensitive information! Note that the basic-auth layer only protects the UI if the Oxidized listener itself is not reachable from outside: the Docker deployment above binds port 8888 to 127.0.0.1, but with the gem install the config's `rest: 0.0.0.0:8888` listens on every interface, so either change it to `rest: 127.0.0.1:8888` or block port 8888 in the firewall.
Since only nginx's reverse-proxy function is needed, installing it with yum is much easier than building from source.
```shell
yum install epel-release
yum install -y nginx
# Add `include /etc/nginx/vhost/*.conf;` to nginx.conf. This is purely personal habit;
# configure nginx however you like, writing it straight into nginx.conf is fine too.
mkdir /etc/nginx/vhost/
vim /etc/nginx/vhost/oxidized.conf
```

```nginx
server {
    listen 8585;
    server_name 172.16.11.227;
    auth_basic "SDFYY SWCFG MANAGER UI WEB";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / {
        proxy_pass http://127.0.0.1:8888/;
    }
    access_log /var/log/nginx/access_oxidized.log;
    error_log /var/log/nginx/error_oxidized.log;
}
```

The docker run command mapped the container's port 8888 to 127.0.0.1:8888, so the proxy only needs to target 127.0.0.1:8888:

```
[root@localhost ~]# iptables -t nat -nL
.....
MASQUERADE  tcp  --  172.17.0.2           172.17.0.2           tcp dpt:8888
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            127.0.0.1            tcp dpt:8888 to:172.17.0.2:8888
.....
```
There are many ways to generate the .htpasswd file; the simplest is to generate one online at https://tool.oschina.net/htpasswd, but that increases the risk of your password ending up in an MD5 dictionary :)
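As an added example (not part of the original post), here is a way to generate the .htpasswd entry locally in Ruby instead of on a website: it builds an nginx-compatible {SSHA} (salted SHA1) entry and checks a password against it. The helper names are my own, and the demo credentials are constructed.

```ruby
require 'digest/sha1'
require 'securerandom'

# Build an nginx-compatible {SSHA} htpasswd entry:
#   user:{SSHA}base64( SHA1(password + salt) + salt )
# A random per-entry salt means two users with the same password get different hashes.
def ssha_entry(user, password, salt = SecureRandom.random_bytes(8))
  raise ArgumentError, 'user name must not contain ":"' if user.include?(':')
  digest = Digest::SHA1.digest(password.b + salt.b)
  "#{user}:{SSHA}#{[digest + salt.b].pack('m0')}"   # 'm0' = strict base64, no newlines
end

# Check a password against an {SSHA} entry, the same computation nginx performs on login.
def ssha_verify?(entry, password)
  _user, hash = entry.split(':', 2)
  return false unless hash && hash.start_with?('{SSHA}')
  blob = hash.sub('{SSHA}', '').unpack('m0').first
  stored, salt = blob[0, 20], blob[20..-1]           # SHA1 digest is 20 bytes, the rest is salt
  Digest::SHA1.digest(password.b + salt) == stored
end

# Append a user to the htpasswd file, creating it owner-readable only (0600) if needed.
def append_htpasswd(path, user, password)
  File.open(path, File::WRONLY | File::APPEND | File::CREAT, 0600) do |f|
    f.puts(ssha_entry(user, password))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo credentials; in real use read the password without echoing it.
  entry = ssha_entry('admin', 'Str0ng!pass')
  puts entry
  puts ssha_verify?(entry, 'Str0ng!pass')   # true
end
```

htpasswd from the httpd-tools package does the same job from the shell; either way the password never leaves the host.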
Reference #1: https://www.shuzhiduo.com/A/pRdBqbwn5n/
Reference #2: https://kknews.cc/code/on2nzpo.html
Reference #4: https://www.opscaff.com/2018/04/18/oxidized-%E6%9C%80%E5%A5%BD%E7%94%A8%E7%9A%84%E7%BD%91%E7%BB%9C%E8%AE%BE%E5%A4%87%E5%A4%87%E4%BB%BD%E7%B3%BB%E7%BB%9F/
Reference #5: https://zhuanlan.zhihu.com/p/351533336
Reference #6: https://cloud.tencent.com/developer/article/1657021
Impressive work, boss!