Oxidized kasutamine: erinevus redaktsioonide vahel
Allikas: Imre kasutab arvutit
Mine navigeerimisribaleMine otsikasti
| 17. rida: | 17. rida: | ||
seade-01 seade-02 seade-03 seade-nn |
seade-01 seade-02 seade-03 seade-nn |
||
| | | | |
| | | | |
||
| + | |||
internet - vpn |
internet - vpn |
||
| + | | | |
||
| − | |||
| − | ___|___ |
+ | ___|___ ___|___ |
| − | | | oxidized | |
+ | | | oxidized | | gitea |
| − | | | | |
+ | | | | | |
| − | |_______| lokaalne git repo | |
+ | |_______| lokaalne git repo |_______| remote git repo |
| | |
| | |
||
| | |
| | |
||
Redaktsioon: 4. juuni 2026, kell 03:52
Sissejuhatus
TODO
Oxidized tarkvara https://github.com/ytti/oxidized ...
Tööpõhimõte
Väited
- Tekitatakse pisike võrguseadme mock linux kasutaja abil
- Tekitatakse docker põhine oxidized
Võrguskeem
seade-01 seade-02 seade-03 seade-nn
| | | |
internet - vpn
| |
___|___ ___|___
| | oxidized | | gitea
| | | |
|_______| lokaalne git repo |_______| remote git repo
| |
| |
--|--------------------------------------------------|---
kus
- oxidized kopeerib seadmetest seadistused enda lokaalsesse git reposse
- oxidized seadistuses kirjeldatud nn hook sünkroniseerib-kopeerib lokaalsest gitist andmeid remote git peale
- oxidized ja gitea omavad mõlemad webgui liidest
- oxidized ja gitea on mõlemad docker konteinerid
- oxidized ei kasuta sql vms andmebaasi, andmeid hoitakse failisüsteemis (ehedalt ja git repona)
- gitea kasutab vajadusel postgresql andmebaasi kasutajate jms hoidmiseks, vaikimisi kasutab sqlite3 baasi; ja git'i
Mock switch - Linux kasutaja shell script
Mock switch seisneb Linux operatsioonisüsteemi tavalise kasutaja tekitamises, mille shell on asendatud nt sellise skriptiga
root@zabbix-pub-01:~# grep cisco /etc/passwd cisco:x:1001:1001::/home/cisco:/home/cisco/router_cli.sh
ja
root@zabbix-pub-01:~# cat /home/cisco/router_cli.sh
#!/bin/bash
# 1. Print a fake Cisco login welcome and prompt instantly on connection
echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
echo ""
echo -n "mock-edge-sw01#"
# 2. Enter an infinite loop to read incoming commands interactively
while true; do
# Read the next command passed over the terminal stream
read -r CMD
# Clean up trailing carriage returns (\r) sent by network tools
CMD=$(echo "$CMD" | tr -d '\r' | tr -d '"' | tr -d "'")
case "$CMD" in
"show run"|"show running-config"|"show startup-config")
cat /home/cisco/mock_cisco.cfg
;;
"show version")
echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
;;
"terminal length 0"|"terminal width 0"|"enable"|"")
# Return success silently for environment setup instructions
;;
"exit"|"quit")
echo "Closing connection."
exit 0
;;
*)
# If Oxidized sends an unhandled cleanup command, absorb it silently
;;
esac
# CRITICAL: Print the Cisco prompt back to the stream so Oxidized
# knows the command finished and it is safe to send the next line!
echo -n "mock-edge-sw01#"
done
ning näidis seadistusfail st switch conf
root@zabbix-pub-01:~# cat /home/cisco/mock_cisco.cfg ! hostname mock-edge-sw01 ! interface GigabitEthernet1/1 description Uplink to Core switchport mode trunk ! interface GigabitEthernet1/2 description Connected to Zabbix Proxy switchport access vlan 10 ! end
Kasutamise testimiseks
root@dh-minio-01:~# ssh cisco@192.168.10.193 cisco@192.168.10.193's password: Cisco IOS Software, Simulation Engine Version 1.0(MOCK) mock-edge-sw01#show run ! hostname mock-edge-sw01 ! interface GigabitEthernet1/1 description Uplink to Core switchport mode trunk ! interface GigabitEthernet1/2 description Connected to Zabbix Proxy switchport access vlan 10 ! end mock-edge-sw01#exit Closing connection. Connection to 192.168.10.193 closed. root@dh-minio-01:~# imreoolberg@Imres-MacBook-Air ~ %
Paigaldamine - Docker
Docker compose ja volume ressurssidele vajalikud kataloogid
# mkdir -p /srv/oxidized/dc # mkdir -p /srv/oxidized/volume/home/oxidized/.config/oxidized # chmod 0777 /srv/oxidized/volume/home/oxidized/.config/oxidized
Docker compose faili näidis
# cd /srv/oxidized/dc
# cat docker-compose-oxidized.yaml
name: p_oxidized
services:
svc_oxidized:
image: oxidized/oxidized:latest
container_name: cn_oxidized
restart: unless-stopped
ports:
- "8888:8888" # Web UI and REST API
volumes:
- '/srv/oxidized/volume/home/oxidized/.config/oxidized:/home/oxidized/.config/oxidized'
- '/srv/oxidized/volume/home/oxidized/.ssh:/home/oxidized/.ssh'
environment:
- CONFIG_RELOAD_INTERVAL=600
- TZ=Europe/Tallinn
networks:
- nw_oxidized
networks:
nw_oxidized:
name: nw_oxidized
driver: bridge
Oxidized seadistamine
- oxidized seadistusfail - /srv/oxidized/volume/home/oxidized/.config/oxidized/config - moodustab ise konteineri käivitamisel alguseks sobiva sisuga
- ruuterite-switchide-jms-seadmete ligipääsufail - /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db - inimene moodustab
- config failis tuleks kasutada alustuseks username ja password väärtustena reaalset mock ligipääsu; selleks et router.db toimiks ligipääsu osas tuleb map: direktiiviga töötada
Ligipääsude fail, nt (sisaldab linux põhist mock'i)
# cat /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db 192.168.10.193:cisco:cisco:parool
Käivitamine
root@dh-minio-01:/srv/oxidized/dc# docker compose -f docker-compose-oxidized.yml up -d root@dh-minio-01:~# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 4ab02b28a9ca oxidized/oxidized:latest "/usr/bin/dumb-init …" 45 minutes ago Up 24 minutes 0.0.0.0:8888->8888/tcp, [::]:8888->8888/tcp cn_oxidized
Ootus on et failisüsteemi tekib
root@dh-minio-01:/srv/oxidized# find /srv/oxidized/volume -type f -ls 134710 4 -rw-r--r-- 1 30000 30000 250 Jun 3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/configs/192.168.10.193 155498 4 -rw-r--r-- 1 30000 30000 33 Jun 3 14:04 /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db 134694 4 -rw-r--r-- 1 30000 30000 2 Jun 3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/pid 173784 4 -rw-r--r-- 1 30000 30000 921 Jun 3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/config 173789 4 -rw-r--r-- 1 30000 30000 1942 Jun 3 14:04 /srv/oxidized/volume/home/oxidized/.config/oxidized/crash
kus
- configs/192.168.10.193 - varundus teksti kujul
Konteineris toimuv
root@dh-minio-01:~# docker exec -ti 4a ps auxf USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 70 25.0 0.0 6392 3764 pts/0 Rs+ 11:35 0:00 ps auxf root 1 0.0 0.0 2420 1368 ? Ss 11:15 0:00 /usr/bin/dumb-init -- runsvdir -P /etc/service root 7 0.0 0.0 2588 1484 ? Ss 11:15 0:00 runsvdir -P /etc/service root 8 0.0 0.0 2436 1460 ? Ss 11:15 0:00 \_ runsv oxidized oxidized 11 0.0 1.0 1348956 61436 ? Sl 11:15 0:01 | \_ /usr/bin/ruby3.3 /usr/local/bin/oxidized root 9 0.0 0.0 2436 1552 ? Ss 11:15 0:00 \_ runsv auto-reload-config root 12 0.0 0.0 4056 3220 ? S 11:15 0:00 | \_ /bin/bash ./run root 62 0.0 0.0 2580 1616 ? S 11:35 0:00 | \_ sleep 600 root 10 0.0 0.0 2436 1484 ? Ss 11:15 0:00 \_ runsv update-ca-certificates root 13 0.0 0.0 4056 3276 ? S 11:15 0:00 \_ /bin/bash ./run root 14 0.0 0.0 2580 1580 ? S 11:15 0:00 \_ sleep infinity
Ruby sisu
root@dh-minio-01:~# docker exec -ti 4a gem list oxidized rugged *** LOCAL GEMS *** oxidized (0.37.0) oxidized-web (0.18.1) *** LOCAL GEMS *** rugged (1.9.0)
Oxidized seadistamine
Kogu oxidized rakenduse seadistusfail
root@dh-minio-01:/srv/oxidized/dc# cat ../volume/home/oxidized/.config/oxidized/config
---
username: cisco
password: parool
model: junos
resolve_dns: true
interval: 3600
debug: false
run_once: false
threads: 30
use_max_threads: false
timeout: 20
timelimit: 300
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
next_adds_job: false
vars: {}
groups: {}
group_map: {}
models: {}
pid: "/home/oxidized/.config/oxidized/pid"
extensions:
oxidized-web:
load: false
crash:
directory: "/home/oxidized/.config/oxidized/crashes"
hostnames: false
stats:
history_size: 10
input:
default: ssh, telnet
debug: false
ssh:
secure: false
ftp:
passive: true
utf8_encoded: true
output:
default: file
file:
directory: "/home/oxidized/.config/oxidized/configs"
source:
default: csv
csv:
file: "/home/oxidized/.config/oxidized/router.db"
delimiter: !ruby/regexp /:/
field:
name: 0
model: 1
map:
name: 0
model: 1
username: 2
password: 3
gpg: false
model_map:
juniper: junos
cisco: ios
kus
- source -> csv -> field ja -> map tuleb kohendada nt selliseks nagu ülal toodud, et ta oskaks router.db failist kasutada kasutajanime ja parooli
Webgui
Webgui kasutamiseks tuleb käivitada nn veebiserveri konteineris
root@dh-minio-01:~# grep rest /srv/oxidized/volume/home/oxidized/.config/oxidized/config rest: 0.0.0.0:8888
paistab brauseris
kus
- TODO
lokaalse git repo kasutamine varunduseks
Väited
- võimalik on kasutada lokaalset git repot storage lahendusena
Nö tavalisele oxidized seadistusfaili sees peab olema sarnane output osakond
..
output:
default: git
git:
user: Oxidized Robot
email: oxidized@auul.pri.ee
repo: /home/oxidized/.config/oxidized/devices-backups.git
...
Tulemusena
...
remote git repo liidestamine süsteemiga
Väited
- remote git repo liidestatakse mitte iseseisva nö storage lahendusena, aga toetava git lahendusena
- remote git repo kasutamise eelduseks on lokaalse git repo kasutamine
Nö tavalisele oxidized seadistusfaili sees peab olema sarnane output osakond
..
output:
default: git
git:
user: Oxidized Robot
email: oxidized@auul.pri.ee
repo: /home/oxidized/.config/oxidized/devices-backups.git
...
hooks:
push_to_remote:
type: githubrepo
events: [post_store]
remote_repo: ssh://git@192.168.10.163:2222/oxidized/devices-backups.git
publickey: /home/oxidized/.ssh/id_ed25519-gitea.pub
privatekey: /home/oxidized/.ssh/id_ed25519-gitea
....
kus
- git@ on tehniliselt kasutajanimi, aga kõik kasutajad pöörduvad selle kasutajanimega
- kasutaja identiteet tehakse git repo poolel kindlaks ssh võtme alusel
ssh kasutaja autentimise ettevalmistamine, tekitada priv ja pub võtmed
host# ssh-keygen -f /srv/oxidized/volume/home/oxidized/.ssh/id_ed25519-gitea
kohendada docker compose failis kasutaja:grupp sobivaks, vaatates eeskujuks olemasolevaid, nt
host# chown -R 30000:30000 /srv/oxidized/volume/home/oxidized/.ssh
Paigutada pub võti gitea webgui peal sobivasse kohta.
Veenduda ssh töötamises, nt
root@dh-minio-01:/srv/oxidized/dc# docker exec -ti cn_oxidized bash root@75b0bf77531a:/# su - oxidized oxidized@75b0bf77531a:~$ ssh -i .ssh/id_ed25519-gitea git@192.168.10.163 -p 2222 PTY allocation request failed on channel 0 Hi there, admin! You've successfully authenticated with the key named from-oxidized, but Gitea does not provide shell access. If this is unexpected, please log in with password and setup Gitea under another user. Connection to 192.168.10.163 closed.
Oxidized webguis versioonid paistavad nii
Gitea webguis versioonid paistavad nii
