Background: how should network device configurations be backed up? I tried several approaches to this question, such as downloading configuration files over FTP and logging into each device with an SSH client to record the running configuration, until by chance I came across Oxidized (open-source software). It backs up network device configurations incrementally (each change to a device's configuration becomes a new git commit), supports Chinese vendors, and is a real boon for network engineers.
This walkthrough installs it on a Red Hat 8 derivative (Rocky Linux).
About Oxidized: https://github.com/ytti/oxidized
About Nginx: https://nginx.org/en/docs/
If system updates are slow, switch to a domestic (Chinese) mirror: https://zhuanlan.zhihu.com/p/450990973
1. Update the system
sudo dnf update
2. Install the build dependencies
sudo dnf groupinstall "Development Tools"
sudo dnf install make cmake which sqlite-devel openssl-devel ruby ruby-devel libicu-devel -y
3. Check the Ruby version; 2.3 or newer is recommended
ruby -v
4. Switch to root and install oxidized, oxidized-script and oxidized-web with gem
If this step fails with a build error, check that the dependencies from step 2 were installed completely.
su root
gem install oxidized
gem install oxidized-script oxidized-web
5. Run oxidized once; on first start it exits with a message asking you to edit the configuration file it has just created
oxidized
6. Edit the configuration file with vi ~/.config/oxidized/config and replace its contents with the following (the file is YAML, so the indentation is significant)
---
username: username
password: password
model: junos
resolve_dns: true
interval: 3600
log: ~/.config/oxidized/logs/oxidized.log
use_syslog: false
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 0.0.0.0:8888
next_adds_job: false
vars: {}
groups: {}
models: {}
pid: "~/.config/oxidized/pid"
crash:
  directory: "~/.config/oxidized/crashes"
  hostnames: false
stats:
  history_size: 10
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
  ftp:
    passive: true
  utf8_encoded: true
output:
  default: git
  git:
    user: Oxidized
    email: o@example.com
    repo: "~/.config/oxidized/git-repos/default.git"
source:
  default: csv
  csv:
    file: "~/.config/oxidized/router.db"
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      ip: 1
      model: 2
      username: 3
      password: 4
      group: 5
    gpg: false
model_map:
  juniper: junos
  cisco: ios
Two settings in this file matter for security before the collector goes live. rest: 0.0.0.0:8888 binds the web/REST interface to every interface, and that interface has no authentication of its own; section 10 rebinds it to 127.0.0.1 behind Nginx. input.ssh.secure: false disables SSH host-key verification, so the collector accepts whatever host key a device (or something impersonating it) presents; once the devices' host keys are in the known_hosts file of the user running Oxidized, set it to true. The top-level username and password are the fallback credentials used for sources that do not supply per-device ones; the router.db map above supplies them per line.
To push the backups to GitHub (details in the Oxidized wiki: https://github.com/ytti/oxidized/wiki), point the git output at a repository and add a remote. This snippet from the wiki assumes Oxidized runs as a dedicated oxidized user with its config under /home/oxidized, whereas the rest of this post runs it as root with paths under ~/.config/oxidized; use whichever repo path matches your setup. The backups contain the devices' complete configurations, including password hashes, SNMP communities and similar secrets, so the remote must be a private repository, and the SSH key used for the push should be a deploy key limited to that repository.
output:
  default: git
  git:
    user: "your name"
    email: your-email@example.com
    repo: "/home/oxidized/.config/oxidized/oxidized.git"
cd /home/oxidized/.config/oxidized/oxidized.git
git config --global user.name "your name"
git config --global user.email "your-email@example.com"
git remote add origin git@github.com:yourgitrepousername/oxidized.git
git push -u origin master
7. Create the device inventory with vi ~/.config/oxidized/router.db, one device per line in the column order defined by the map above (name:ip:model:username:password:group). Lines are split on ':' with no quoting, so a password that itself contains ':' cannot be used in this format. The file holds clear-text device credentials; keep it readable only by the user that runs Oxidized (chmod 600).
H3C:10.100.0.1:comware:admin:password:group1
HUAWEI:10.100.0.2:vrp:admin:password:group2
CISCO:10.100.0.3:ios:admin:password:group3
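As an added example (not from the original post or the Oxidized project), the following Ruby script parses a router.db with exactly the delimiter and column map configured above and reports the lines that would give Oxidized a wrong or unusable device entry: the wrong number of fields (which is what a password containing ':' produces), an ip column that is neither an address nor a hostname, and a model that is unknown after model_map aliases are applied. The sample inventory is constructed from the page's three devices plus two deliberately broken lines; KNOWN_MODELS is an assumption that lists only the models this post uses.

```ruby
# Added example (not part of the original post or of Oxidized itself):
# parse and sanity-check a router.db using the same delimiter and column
# map as the page's source.csv section, so that a bad line is caught
# here rather than silently producing a wrong device entry.
require 'ipaddr'

# Mirrors source.csv.delimiter and source.csv.map from the page's config.
DELIMITER = /:/
MAP = { name: 0, ip: 1, model: 2, username: 3, password: 4, group: 5 }.freeze
# Mirrors the page's model_map (vendor alias -> Oxidized model name).
MODEL_MAP = { 'juniper' => 'junos', 'cisco' => 'ios' }.freeze
# Assumption: only the models used on this page; extend for your devices.
KNOWN_MODELS = %w[junos ios comware vrp].freeze
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9.-]*[a-z0-9])?\z/i

# True for an IPv4/IPv6 literal or, since the page sets resolve_dns: true,
# for something shaped like a DNS name.
def valid_host?(value)
  s = value.to_s
  IPAddr.new(s)
  true
rescue IPAddr::Error
  # Something that looks like an IPv4 literal but did not parse is a typo,
  # not a hostname (e.g. an octet above 255).
  return false if s.match?(/\A[\d.]*\z/)

  HOSTNAME_RE.match?(s)
end

# Split one router.db line into a device hash. Blank and '#' lines give nil.
def parse_line(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')

  fields = line.split(DELIMITER, -1)
  errors = []
  # Extra fields almost always mean a value (typically the password)
  # contained the ':' delimiter; the CSV source has no quoting, so such a
  # password cannot be expressed in this format at all.
  errors << "expected #{MAP.size} fields, got #{fields.size}" if fields.size != MAP.size
  dev = MAP.transform_values { |i| fields[i].to_s }
  model = MODEL_MAP.fetch(dev[:model].downcase, dev[:model].downcase)
  errors << "unknown model '#{model}'" unless KNOWN_MODELS.include?(model)
  errors << "bad ip/host '#{dev[:ip]}'" unless valid_host?(dev[:ip])
  errors << 'empty name' if dev[:name].empty?
  errors << 'empty username or password' if dev[:username].empty? || dev[:password].empty?
  dev.merge(model: model, errors: errors)
end

def parse_router_db(text)
  text.each_line.map { |l| parse_line(l) }.compact
end

def invalid_devices(devices)
  devices.reject { |d| d[:errors].empty? }
end

# One report line per device without the password column: never echo
# credentials into logs or terminals.
def report(devices)
  devices.map do |d|
    status = d[:errors].empty? ? 'ok' : d[:errors].join('; ')
    format('%-8s %-14s %-8s %-8s %s', d[:name], d[:ip], d[:model], d[:group], status)
  end
end

# Constructed sample: the page's three devices plus two deliberately bad lines.
SAMPLE_ROUTER_DB = <<~DB
  # name:ip:model:username:password:group
  H3C:10.100.0.1:comware:admin:password:group1
  HUAWEI:10.100.0.2:vrp:admin:password:group2
  CISCO:10.100.0.3:ios:admin:password:group3
  EDGE:10.100.0.4:cisco:admin:pa:ss:group4
  CORE:10.100.0.256:junos:admin:password:group5
DB

if $PROGRAM_NAME == __FILE__
  puts report(parse_router_db(SAMPLE_ROUTER_DB))
end
```

Run it against the real file with parse_router_db(File.read(File.expand_path('~/.config/oxidized/router.db'))) before restarting the collector; the EDGE line in the sample shows how a ':' inside a password shifts every later column, and the CORE line shows that a mistyped address is reported instead of being handed to the resolver.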
8. Create the directory for stored configurations, open the firewall port, and start Oxidized
mkdir -p ~/.config/oxidized/configs
8.2 Open the firewall port
firewall-cmd --zone=public --add-port=8888/tcp --permanent
firewall-cmd --reload
8.3 Browse to http://192.168.12.136:8888, substituting your server's address. At this point the interface is open to anyone who can reach port 8888; section 10 puts authentication in front of it.
Last Status: green (backup succeeded), blue (backup in progress), red (backup failed)
Last Update: time of the last backup (hourly by default; change interval in the config file)
Last Changed: time the device configuration last changed
Actions: the first icon shows the backed-up configuration, the second diffs configuration versions, the third forces an immediate backup
9. Manage Oxidized with systemctl
9.1 Copy the unit file shipped with the gem into the systemd directory
Locate it with sudo find / -name oxidized.service
cp /usr/local/share/gems/gems/oxidized-0.28.0/extra/oxidized.service /etc/systemd/system/
9.2 Then edit the unit file and change the user it starts as to root
vi /etc/systemd/system/oxidized.service
The shipped unit runs Oxidized as a dedicated unprivileged user; switching it to root is only needed because this post installed the gems and config under root's home. A collector that holds login credentials for every network device is a high-value target, so on a production host keep the dedicated user, install under its home directory, and keep the config and router.db owned by it and readable by nobody else. After editing the unit, run systemctl daemon-reload so systemd picks up the change.
9.3 Start the service, enable it at boot, and check its status
systemctl start oxidized.service
systemctl enable oxidized.service
systemctl status oxidized.service
10. Hardening: Oxidized's web interface has no authentication mechanism of its own, so put Nginx in front of it and authenticate there
10.1 Install Nginx, start it, and enable it at boot
sudo dnf install nginx httpd-tools -y
systemctl start nginx
systemctl enable nginx
Check with systemctl status nginx that it is running.
10.2 Create the Nginx user and password
htpasswd -c /etc/nginx/.htpasswd username
The -c flag creates the file and overwrites an existing one, so omit it when adding further users. If a password is forgotten, delete that user's line from /etc/nginx/.htpasswd and create the user again; I created only a single admin user.
10.3 Configure the Nginx proxy
First change the Oxidized config so the REST interface listens only on loopback: vi ~/.config/oxidized/config, then restart Oxidized with systemctl restart oxidized.service. Only the rest line changes; the start of the file then reads:
username: username
password: password
model: junos
resolve_dns: true
interval: 3600
log: ~/.config/oxidized/logs/oxidized.log
use_syslog: false
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 127.0.0.1:8888
Next configure the Nginx proxy: vi /etc/nginx/nginx.conf. The listing below shows the stock file from its include line onward; the two auth_basic directives and the location / block that proxies to Oxidized are the additions.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Set at server level, so every location below, including the proxied one, requires a login.
        auth_basic           "oxidized auth access";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass http://127.0.0.1:8888/;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
Basic authentication sends the username and password base64-encoded (not encrypted) with every request, so on plain port 80 anyone on the network path can read them. Before exposing this beyond a trusted management network, terminate TLS in Nginx (listen 443 ssl with a certificate) and redirect port 80 to it.
10.4 Open port 80 for Nginx in the firewall
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
Also remove the 8888/tcp rule added in step 8.2 (the same firewall-cmd command with --remove-port in place of --add-port, then reload). With rest bound to 127.0.0.1 the port is unreachable anyway, but leaving the rule behind means a later config change would silently re-expose the unauthenticated interface.
10.5 If the page does not load, the likely cause is SELinux, which by default does not allow Nginx to open outbound connections to a backend such as 127.0.0.1:8888. The fix used here is to disable SELinux in vi /etc/selinux/config (takes effect after a reboot); those who would rather not can write their own policy. The targeted alternative is to enable the httpd_can_network_connect boolean persistently (setsebool -P), which permits the proxy connection while leaving the rest of the policy enforcing.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
Browse to http://192.168.12.136/ and the hardening is complete.
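As an added example (not from the original post or the Oxidized project), the following Ruby script audits the settings in ~/.config/oxidized/config that this section's hardening is about. It loads the file the way the page's config has to be loaded (YAML.safe_load with Regexp permitted, because of the !ruby/regexp tags for prompt and the csv delimiter) and reports a rest interface bound to anything but loopback, input.ssh.secure left at false, input.debug session transcripts, and a router.db readable by other users. The two embedded configs are constructed, abridged copies of the page's settings before and after the rest change in 10.3; the file-mode check is exercised on a temporary file.

```ruby
# Added example (not part of the original post or of Oxidized itself):
# audit the settings in ~/.config/oxidized/config that decide who can
# reach the collector and how much it trusts the devices it logs into.
require 'yaml'
require 'tempfile'

LOOPBACK_HOSTS = %w[127.0.0.1 ::1 [::1] localhost].freeze

# The page's config carries !ruby/regexp tags (prompt, csv delimiter);
# safe_load rejects them unless Regexp is explicitly permitted. Plain
# YAML.load would instead let the file instantiate arbitrary Ruby objects.
def load_oxidized_config(text)
  YAML.safe_load(text, permitted_classes: [Regexp])
end

# Host part of a "host:port" rest setting; a bare port means every interface.
def rest_host(rest)
  s = rest.to_s
  s.include?(':') ? s.rpartition(':').first : ''
end

# Returns a list of findings (empty when nothing needs attention).
def audit_config(cfg)
  findings = []
  rest = cfg['rest']
  if rest && !LOOPBACK_HOSTS.include?(rest_host(rest))
    findings << "rest=#{rest}: the web/REST interface is reachable from the network and has " \
                'no authentication of its own; bind it to 127.0.0.1 and front it with an authenticating proxy'
  end
  unless cfg.dig('input', 'ssh', 'secure') == true
    findings << 'input.ssh.secure is not true: SSH host keys are not verified, so a host on ' \
                'the path can impersonate a device and capture its credentials'
  end
  if cfg.dig('input', 'debug')
    findings << "input.debug=#{cfg.dig('input', 'debug')}: raw device session transcripts are written to disk"
  end
  findings
end

# router.db holds clear-text device credentials: refuse group/world access.
def check_private_file(path)
  mode = File.stat(path).mode & 0o777
  return nil if (mode & 0o077).zero?

  "#{path} has mode #{format('%04o', mode)}; expected 0600"
end

# Constructed, abridged copy of the page's first config (only audited keys
# plus the two regexp-tagged ones are kept).
ORIGINAL_CONFIG = <<~'YAML'
  ---
  username: username
  password: password
  model: junos
  prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
  rest: 0.0.0.0:8888
  input:
    default: ssh, telnet
    debug: false
    ssh:
      secure: false
  source:
    default: csv
    csv:
      file: "~/.config/oxidized/router.db"
      delimiter: !ruby/regexp /:/
YAML

# The same file after step 10.3 rebinds the REST interface to loopback.
HARDENED_CONFIG = ORIGINAL_CONFIG.sub('rest: 0.0.0.0:8888', 'rest: 127.0.0.1:8888')

if $PROGRAM_NAME == __FILE__
  [ORIGINAL_CONFIG, HARDENED_CONFIG].each do |text|
    puts audit_config(load_oxidized_config(text))
    puts '---'
  end
end
```

Against the real installation, call audit_config(load_oxidized_config(File.read(path))) and check_private_file on the router.db path taken from source.csv.file; the hardened config still produces the host-key finding, which is the one this post leaves open.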
Reference 1: https://github.com/ytti/oxidized#centos-oracle-linux-red-hat-linux
Reference 2: nginx documentation, https://nginx.org/en/docs/