Oxidized kasutamine: erinevus redaktsioonide vahel
Allikas: Imre kasutab arvutit
Mine navigeerimisribaleMine otsikasti
(→Misc) |
|||
| (ei näidata sama kasutaja 41 vahepealset redaktsiooni) | |||
| 2. rida: | 2. rida: | ||
TODO |
TODO |
||
| + | |||
| + | Oxidized tarkvara https://github.com/ytti/oxidized ... |
||
===Tööpõhimõte=== |
===Tööpõhimõte=== |
||
| + | Väited |
||
| − | TODO |
||
| + | |||
| + | * Tekitatakse pisike võrguseadme mock linux kasutaja abil |
||
| + | * Tekitatakse docker põhine oxidized |
||
| + | |||
| + | Võrguskeem |
||
| + | |||
| + | <pre> |
||
| + | seade-01 seade-02 seade-03 seade-nn |
||
| + | | | | | |
||
| + | |||
| + | |||
| + | internet - vpn |
||
| + | |||
| + | | | |
||
| + | ___|___ ___|___ |
||
| + | | | oxidized | | gitea |
||
| + | | | | | |
||
| + | |_______| lokaalne git repo |_______| remote git repo |
||
| + | | | |
||
| + | | | |
||
| + | --|--------------------------------------------------|--- |
||
| + | |||
| + | </pre> |
||
| + | |||
| + | kus |
||
| + | |||
| + | * oxidized kopeerib seadmetest seadistused enda lokaalsesse git reposse |
||
| + | * oxidized seadistuses kirjeldatud nn hook sünkroniseerib-kopeerib lokaalsest gitist andmeid remote git peale |
||
| + | * oxidized ja gitea omavad mõlemad webgui liidest |
||
| + | * oxidized ja gitea on mõlemad docker konteinerid |
||
| + | * oxidized ei kasuta sql vms andmebaasi, andmeid hoitakse failisüsteemis (ehedalt ja git repona) |
||
| + | * gitea kasutab vajadusel postgresql andmebaasi kasutajate jms hoidmiseks, vaikimisi kasutab sqlite3 baasi; ja git'i |
||
===Mock switch - Linux kasutaja shell script=== |
===Mock switch - Linux kasutaja shell script=== |
||
| 60. rida: | 94. rida: | ||
</pre> |
</pre> |
||
| + | koos enablega |
||
| − | Kasutamiseks |
||
<pre> |
<pre> |
||
| + | #!/bin/bash |
||
| − | imreoolberg@Imres-MacBook-Air ~ % ssh cisco@192.168.10.193 "show run" |
||
| + | |||
| + | # 1. Print a fake Cisco login welcome and start with USER privilege prompt (>) |
||
| + | echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)" |
||
| + | echo "" |
||
| + | echo -n "mock-edge-sw01>" # <--- Note the '>' here! |
||
| + | |||
| + | # Keep track of whether we are in enable mode or not |
||
| + | IS_ENABLED=false |
||
| + | |||
| + | # 2. Enter the infinite loop |
||
| + | while true; do |
||
| + | read -r CMD |
||
| + | CMD=$(echo "$CMD" | tr -d '\r' | tr -d '"' | tr -d "'") |
||
| + | |||
| + | # If Oxidized sends 'enable', simulate the password challenge |
||
| + | if [ "$CMD" = "enable" ] && [ "$IS_ENABLED" = false ]; then |
||
| + | echo -n "Password: " |
||
| + | read -r EN_PASS # Blindly absorb the enable password sent by Oxidized |
||
| + | IS_ENABLED=true |
||
| + | echo -n "mock-edge-sw01#" # Send the privileged prompt! |
||
| + | continue |
||
| + | fi |
||
| + | |||
| + | # Process commands based on state |
||
| + | case "$CMD" in |
||
| + | "show run"|"show running-config"|"show startup-config") |
||
| + | if [ "$IS_ENABLED" = true ]; then |
||
| + | cat /home/cisco/mock_cisco.cfg |
||
| + | else |
||
| + | echo "% Unauthorized command." |
||
| + | fi |
||
| + | ;; |
||
| + | "show version") |
||
| + | echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)" |
||
| + | ;; |
||
| + | "terminal length 0"|"terminal width 0"|"") |
||
| + | # Return success silently for environment setup instructions |
||
| + | ;; |
||
| + | "exit"|"quit") |
||
| + | echo "Closing connection." |
||
| + | exit 0 |
||
| + | ;; |
||
| + | *) |
||
| + | # Absorbs unhandled strings |
||
| + | ;; |
||
| + | esac |
||
| + | |||
| + | # Print the correct trailing prompt depending on our simulated privilege level |
||
| + | if [ "$IS_ENABLED" = true ]; then |
||
| + | echo -n "mock-edge-sw01#" |
||
| + | else |
||
| + | echo -n "mock-edge-sw01>" |
||
| + | fi |
||
| + | done |
||
| + | </pre> |
||
| + | |||
| + | ning näidis seadistusfail st switch conf |
||
| + | |||
| + | <pre> |
||
| + | root@zabbix-pub-01:~# cat /home/cisco/mock_cisco.cfg |
||
| + | ! |
||
| + | hostname mock-edge-sw01 |
||
| + | ! |
||
| + | interface GigabitEthernet1/1 |
||
| + | description Uplink to Core |
||
| + | switchport mode trunk |
||
| + | ! |
||
| + | interface GigabitEthernet1/2 |
||
| + | description Connected to Zabbix Proxy |
||
| + | switchport access vlan 10 |
||
| + | ! |
||
| + | end |
||
| + | </pre> |
||
| + | |||
| + | ja vaigistada banneri esitamine |
||
| + | |||
| + | <pre> |
||
| + | root@zabbix-pub-01:~# touch /home/cisco/.hushlogin |
||
| + | root@zabbix-pub-01:~# chown cisco:cisco /home/cisco/.hushlogin |
||
| + | </pre> |
||
| + | |||
| + | Kasutamise testimiseks |
||
| + | |||
| + | <pre> |
||
| + | root@dh-minio-01:~# ssh cisco@192.168.10.193 |
||
cisco@192.168.10.193's password: |
cisco@192.168.10.193's password: |
||
| + | Cisco IOS Software, Simulation Engine Version 1.0(MOCK) |
||
| + | |||
| + | mock-edge-sw01#show run |
||
! |
! |
||
hostname mock-edge-sw01 |
hostname mock-edge-sw01 |
||
| 77. rida: | 199. rida: | ||
! |
! |
||
end |
end |
||
| + | mock-edge-sw01#exit |
||
| + | Closing connection. |
||
| + | Connection to 192.168.10.193 closed. |
||
| + | root@dh-minio-01:~# |
||
imreoolberg@Imres-MacBook-Air ~ % |
imreoolberg@Imres-MacBook-Air ~ % |
||
</pre> |
</pre> |
||
| 94. rida: | 220. rida: | ||
<pre> |
<pre> |
||
# cd /srv/oxidized/dc |
# cd /srv/oxidized/dc |
||
| − | # cat docker-compose-oxidized. |
+ | # cat docker-compose-oxidized.yaml |
| + | name: p_oxidized |
||
services: |
services: |
||
| + | svc_oxidized: |
||
| − | oxidized: |
||
image: oxidized/oxidized:latest |
image: oxidized/oxidized:latest |
||
| − | container_name: |
+ | container_name: cn_oxidized |
restart: unless-stopped |
restart: unless-stopped |
||
| + | |||
ports: |
ports: |
||
| − | - "8888:8888" |
+ | - "8888:8888" # Web UI and REST API |
volumes: |
volumes: |
||
- '/srv/oxidized/volume/home/oxidized/.config/oxidized:/home/oxidized/.config/oxidized' |
- '/srv/oxidized/volume/home/oxidized/.config/oxidized:/home/oxidized/.config/oxidized' |
||
| + | - '/srv/oxidized/volume/home/oxidized/.ssh:/home/oxidized/.ssh' |
||
| + | |||
environment: |
environment: |
||
- CONFIG_RELOAD_INTERVAL=600 |
- CONFIG_RELOAD_INTERVAL=600 |
||
| + | - TZ=Europe/Tallinn |
||
| − | networks: |
||
| − | - oxidized-net |
||
| + | networks: |
||
| − | volumes: |
||
| + | - nw_oxidized |
||
| − | oxidized-output: |
||
networks: |
networks: |
||
| + | nw_oxidized: |
||
| − | oxidized-net: |
||
| + | name: nw_oxidized |
||
driver: bridge |
driver: bridge |
||
</pre> |
</pre> |
||
| 119. rida: | 249. rida: | ||
Oxidized seadistamine |
Oxidized seadistamine |
||
| − | * oxidized seadistusfail - /srv/oxidized/volume/home/oxidized/.config/oxidized/config - moodustab ise alguseks sobiva sisuga |
+ | * oxidized seadistusfail - /srv/oxidized/volume/home/oxidized/.config/oxidized/config - moodustab ise konteineri käivitamisel alguseks sobiva sisuga |
| − | * ruuterite-switchide-jms-seadmete ligipääsufail - /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db |
+ | * ruuterite-switchide-jms-seadmete ligipääsufail - /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db - inimene moodustab |
| + | * config failis tuleks kasutada alustuseks username ja password väärtustena reaalset mock ligipääsu; selleks et router.db toimiks ligipääsu osas tuleb map: direktiiviga töötada |
||
Ligipääsude fail, nt (sisaldab linux põhist mock'i) |
Ligipääsude fail, nt (sisaldab linux põhist mock'i) |
||
| 133. rida: | 264. rida: | ||
<pre> |
<pre> |
||
root@dh-minio-01:/srv/oxidized/dc# docker compose -f docker-compose-oxidized.yml up -d |
root@dh-minio-01:/srv/oxidized/dc# docker compose -f docker-compose-oxidized.yml up -d |
||
| + | |||
| + | root@dh-minio-01:~# docker ps |
||
| + | CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES |
||
| + | 4ab02b28a9ca oxidized/oxidized:latest "/usr/bin/dumb-init …" 45 minutes ago Up 24 minutes 0.0.0.0:8888->8888/tcp, [::]:8888->8888/tcp cn_oxidized |
||
</pre> |
</pre> |
||
| 150. rida: | 285. rida: | ||
* configs/192.168.10.193 - varundus teksti kujul |
* configs/192.168.10.193 - varundus teksti kujul |
||
| + | Konteineris toimuv |
||
| − | Webgui |
||
| + | <pre> |
||
| − | TODO |
||
| + | root@dh-minio-01:~# docker exec -ti 4a ps auxf |
||
| + | USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND |
||
| + | root 70 25.0 0.0 6392 3764 pts/0 Rs+ 11:35 0:00 ps auxf |
||
| + | root 1 0.0 0.0 2420 1368 ? Ss 11:15 0:00 /usr/bin/dumb-init -- runsvdir -P /etc/service |
||
| + | root 7 0.0 0.0 2588 1484 ? Ss 11:15 0:00 runsvdir -P /etc/service |
||
| + | root 8 0.0 0.0 2436 1460 ? Ss 11:15 0:00 \_ runsv oxidized |
||
| + | oxidized 11 0.0 1.0 1348956 61436 ? Sl 11:15 0:01 | \_ /usr/bin/ruby3.3 /usr/local/bin/oxidized |
||
| + | root 9 0.0 0.0 2436 1552 ? Ss 11:15 0:00 \_ runsv auto-reload-config |
||
| + | root 12 0.0 0.0 4056 3220 ? S 11:15 0:00 | \_ /bin/bash ./run |
||
| + | root 62 0.0 0.0 2580 1616 ? S 11:35 0:00 | \_ sleep 600 |
||
| + | root 10 0.0 0.0 2436 1484 ? Ss 11:15 0:00 \_ runsv update-ca-certificates |
||
| + | root 13 0.0 0.0 4056 3276 ? S 11:15 0:00 \_ /bin/bash ./run |
||
| + | root 14 0.0 0.0 2580 1580 ? S 11:15 0:00 \_ sleep infinity |
||
| + | </pre> |
||
| + | Ruby sisu |
||
| − | ===Kasulikud lisamaterjalid=== |
||
| + | |||
| + | <pre> |
||
| + | root@dh-minio-01:~# docker exec -ti 4a gem list oxidized rugged |
||
| + | |||
| + | *** LOCAL GEMS *** |
||
| + | |||
| + | oxidized (0.37.0) |
||
| + | oxidized-web (0.18.1) |
||
| + | |||
| + | *** LOCAL GEMS *** |
||
| + | |||
| + | rugged (1.9.0) |
||
| + | </pre> |
||
| + | |||
| + | ===Oxidized seadistamine=== |
||
| + | |||
| + | Kogu oxidized rakenduse seadistusfail |
||
| + | |||
| + | <pre> |
||
| + | root@dh-minio-01:/srv/oxidized/dc# cat ../volume/home/oxidized/.config/oxidized/config |
||
| + | --- |
||
| + | username: cisco |
||
| + | password: parool |
||
| + | model: junos |
||
| + | resolve_dns: true |
||
| + | interval: 3600 |
||
| + | debug: false |
||
| + | run_once: false |
||
| + | threads: 30 |
||
| + | use_max_threads: false |
||
| + | timeout: 20 |
||
| + | timelimit: 300 |
||
| + | retries: 3 |
||
| + | prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/ |
||
| + | next_adds_job: false |
||
| + | vars: {} |
||
| + | groups: {} |
||
| + | group_map: {} |
||
| + | models: {} |
||
| + | pid: "/home/oxidized/.config/oxidized/pid" |
||
| + | extensions: |
||
| + | oxidized-web: |
||
| + | load: false |
||
| + | crash: |
||
| + | directory: "/home/oxidized/.config/oxidized/crashes" |
||
| + | hostnames: false |
||
| + | stats: |
||
| + | history_size: 10 |
||
| + | input: |
||
| + | default: ssh, telnet |
||
| + | debug: false |
||
| + | ssh: |
||
| + | secure: false |
||
| + | ftp: |
||
| + | passive: true |
||
| + | utf8_encoded: true |
||
| + | output: |
||
| + | default: file |
||
| + | file: |
||
| + | directory: "/home/oxidized/.config/oxidized/configs" |
||
| + | source: |
||
| + | default: csv |
||
| + | csv: |
||
| + | file: "/home/oxidized/.config/oxidized/router.db" |
||
| + | delimiter: !ruby/regexp /:/ |
||
| + | field: |
||
| + | name: 0 |
||
| + | model: 1 |
||
| + | map: |
||
| + | name: 0 |
||
| + | model: 1 |
||
| + | username: 2 |
||
| + | password: 3 |
||
| + | gpg: false |
||
| + | model_map: |
||
| + | juniper: junos |
||
| + | cisco: ios |
||
| + | </pre> |
||
| + | |||
| + | kus |
||
| + | |||
| + | * source -> csv -> field ja -> map tuleb kohendada nt selliseks nagu ülal toodud, et ta oskaks router.db failist kasutada kasutajanime ja parooli |
||
| + | * output > default -> file muudetakse allpool git vastu |
||
| + | |||
| + | ===Webgui=== |
||
| + | |||
| + | Webgui kasutamiseks tuleb käivitada nn veebiserveri konteineris |
||
| + | |||
| + | <pre> |
||
| + | root@dh-minio-01:~# grep rest /srv/oxidized/volume/home/oxidized/.config/oxidized/config |
||
| + | rest: 0.0.0.0:8888 |
||
| + | </pre> |
||
| + | |||
| + | paistab brauseris |
||
| + | |||
| + | [[Fail:20260603-oxidized-01.png|900px]] |
||
| + | |||
| + | kus |
||
* TODO |
* TODO |
||
| + | |||
| + | ===lokaalse git repo kasutamine varunduseks=== |
||
| + | |||
| + | Väited |
||
| + | |||
| + | * võimalik on kasutada lokaalset git repot storage lahendusena |
||
| + | |||
| + | Nö tavalisele oxidized seadistusfaili sees peab olema sarnane output osakond |
||
| + | |||
| + | <pre> |
||
| + | .. |
||
| + | output: |
||
| + | default: git |
||
| + | git: |
||
| + | user: Oxidized Robot |
||
| + | email: oxidized@auul.pri.ee |
||
| + | repo: /home/oxidized/.config/oxidized/devices-backups.git |
||
| + | ... |
||
| + | </pre> |
||
| + | |||
| + | Tulemusena |
||
| + | |||
| + | <pre> |
||
| + | ... |
||
| + | </pre> |
||
| + | |||
| + | ===remote git repo liidestamine süsteemiga=== |
||
| + | |||
| + | Väited |
||
| + | |||
| + | * remote git repo liidestatakse mitte iseseisva nö storage lahendusena, aga toetava git lahendusena |
||
| + | * remote git repo kasutamise eelduseks on lokaalse git repo kasutamine |
||
| + | |||
| + | Nö tavalisele oxidized seadistusfaili sees peab olema sarnane output osakond |
||
| + | |||
| + | <pre> |
||
| + | .. |
||
| + | output: |
||
| + | default: git |
||
| + | git: |
||
| + | user: Oxidized Robot |
||
| + | email: oxidized@auul.pri.ee |
||
| + | repo: /home/oxidized/.config/oxidized/devices-backups.git |
||
| + | ... |
||
| + | |||
| + | hooks: |
||
| + | push_to_remote: |
||
| + | type: githubrepo |
||
| + | events: [post_store] |
||
| + | remote_repo: ssh://git@192.168.10.163:2222/oxidized/devices-backups.git |
||
| + | publickey: /home/oxidized/.ssh/id_ed25519-gitea.pub |
||
| + | privatekey: /home/oxidized/.ssh/id_ed25519-gitea |
||
| + | |||
| + | .... |
||
| + | </pre> |
||
| + | |||
| + | kus |
||
| + | |||
| + | * git@ on tehniliselt kasutajanimi, aga kõik kasutajad pöörduvad selle kasutajanimega |
||
| + | * kasutaja identiteet tehakse git repo poolel kindlaks ssh võtme alusel |
||
| + | |||
| + | ssh kasutaja autentimise ettevalmistamine, tekitada priv ja pub võtmed |
||
| + | |||
| + | host# ssh-keygen -f /srv/oxidized/volume/home/oxidized/.ssh/id_ed25519-gitea |
||
| + | |||
| + | kohendada docker compose failis kasutaja:grupp sobivaks, vaatates eeskujuks olemasolevaid, nt |
||
| + | |||
| + | <pre> |
||
| + | host# chown -R 30000:30000 /srv/oxidized/volume/home/oxidized/.ssh |
||
| + | </pre> |
||
| + | |||
| + | Paigutada pub võti gitea webgui peal sobivasse kohta. |
||
| + | |||
| + | Veenduda ssh töötamises, nt |
||
| + | |||
| + | <pre> |
||
| + | root@dh-minio-01:/srv/oxidized/dc# docker exec -ti cn_oxidized bash |
||
| + | |||
| + | root@75b0bf77531a:/# su - oxidized |
||
| + | |||
| + | oxidized@75b0bf77531a:~$ ssh -i .ssh/id_ed25519-gitea git@192.168.10.163 -p 2222 |
||
| + | PTY allocation request failed on channel 0 |
||
| + | Hi there, admin! You've successfully authenticated with the key named from-oxidized, but Gitea does not provide shell access. |
||
| + | If this is unexpected, please log in with password and setup Gitea under another user. |
||
| + | Connection to 192.168.10.163 closed. |
||
| + | </pre> |
||
| + | |||
| + | Oxidized webguis versioonid paistavad nii |
||
| + | |||
| + | [[Fail:20260603-oxidized-02.png|900px]] |
||
| + | |||
| + | Gitea webguis versioonid paistavad nii |
||
| + | |||
| + | [[Fail:20260603-oxidized-03.png|900px]] |
||
| + | |||
| + | ===Misc=== |
||
| + | |||
| + | <pre> |
||
| + | username: oxidezed |
||
| + | password: parool |
||
| + | model: cisco |
||
| + | interval: 7200 |
||
| + | use_syslog: true |
||
| + | debug: false |
||
| + | threads: 30 |
||
| + | timeout: 120 |
||
| + | retries: 3 |
||
| + | prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/ |
||
| + | rest: 0.0.0.0:8888 |
||
| + | vars: |
||
| + | enable: parool |
||
| + | remove_secret: true |
||
| + | auth_methods: [ "password", "keyboard-interactive" ] |
||
| + | pid: "~/.config/oxidized/pid" |
||
| + | input: |
||
| + | default: ssh |
||
| + | debug: ~/.config/oxidized/log_input |
||
| + | ssh: |
||
| + | secure: false |
||
| + | output: |
||
| + | default: git |
||
| + | git: |
||
| + | user: oxidized |
||
| + | email: imre@imre |
||
| + | repo: "~/devices.git" |
||
| + | #output: |
||
| + | # default: file |
||
| + | # file: |
||
| + | # directory: "/opt/oxidized/.config/oxidized/configs" |
||
| + | |||
| + | source: |
||
| + | default: csv |
||
| + | csv: |
||
| + | file: "~/.config/oxidized/router.db" |
||
| + | delimiter: !ruby/regexp /:/ |
||
| + | map: |
||
| + | name: 0 |
||
| + | model: 1 |
||
| + | status: 2 |
||
| + | group: 3 |
||
| + | model_map: |
||
| + | cisco: ios |
||
| + | |||
| + | groups: |
||
| + | GR_AUUL: |
||
| + | username: cisco |
||
| + | password: parool |
||
| + | vars: |
||
| + | ssh_port: 22264 |
||
| + | models: {} |
||
| + | </pre> |
||
| + | |||
| + | <pre> |
||
| + | imre@imre-mac ~ % diff gem-list-20260607-rv-oxidized.txt gem-list-20260607-imre-oxidized.txt |
||
| + | 1,3c1,3 |
||
| + | < asetus (0.3.0) |
||
| + | < backports (3.23.0) |
||
| + | < bcrypt_pbkdf (1.1.0) |
||
| + | --- |
||
| + | > asetus (0.4.0) |
||
| + | > backports (3.25.3) |
||
| + | > bcrypt_pbkdf (1.1.2) |
||
| + | 6c6 |
||
| + | < bundler (default: 2.1.2) |
||
| + | --- |
||
| + | > bundler (2.1.4, default: 2.1.2) |
||
| + | 8c8 |
||
| + | < charlock_holmes (0.7.7) |
||
| + | --- |
||
| + | > charlock_holmes (0.7.9) |
||
| + | 14c14 |
||
| + | < ed25519 (1.2.4) |
||
| + | --- |
||
| + | > ed25519 (1.3.0) |
||
| + | 25c25 |
||
| + | < htmlentities (4.3.4) |
||
| + | --- |
||
| + | > htmlentities (4.4.2) |
||
| + | 29c29 |
||
| + | < json (default: 2.3.0) |
||
| + | --- |
||
| + | > json (2.19.8, default: 2.3.0) |
||
| + | 32a33 |
||
| + | > molinillo (0.6.4) |
||
| + | 34a36 |
||
| + | > net-http-persistent (2.9.4) |
||
| + | 56,57c58,59 |
||
| + | < rb-fsevent (0.11.0) |
||
| + | < rb-inotify (0.10.1) |
||
| + | --- |
||
| + | > rb-fsevent (0.11.2) |
||
| + | > rb-inotify (0.11.1) |
||
| + | 64c66 |
||
| + | < rugged (0.28.5) |
||
| + | --- |
||
| + | > rugged (0.99.0, 0.28.5) |
||
| + | 71c73 |
||
| + | < slop (4.9.1, 3.6.0) |
||
| + | --- |
||
| + | > slop (4.10.1, 4.9.1, 3.6.0) |
||
| + | 74c76 |
||
| + | < temple (0.8.2) |
||
| + | --- |
||
| + | > temple (0.10.4) |
||
| + | 76c78,79 |
||
| + | < tilt (2.0.10) |
||
| + | --- |
||
| + | > thor (0.19.4) |
||
| + | > tilt (2.7.0) |
||
| + | </pre> |
||
| + | |||
| + | ===Kasulikud lisamaterjalid=== |
||
| + | |||
| + | * https://oneuptime.com/blog/post/2026-02-08-how-to-run-oxidized-in-docker-for-network-config-backup/view |
||
| + | * https://hub.docker.com/r/oxidized/oxidized |
||
| + | * [[:Gitea kasutamine]] |
||
Viimane redaktsioon: 8. juuni 2026, kell 03:53
Sissejuhatus
TODO
Oxidized tarkvara https://github.com/ytti/oxidized ...
Tööpõhimõte
Väited
- Tekitatakse pisike võrguseadme mock linux kasutaja abil
- Tekitatakse docker põhine oxidized
Võrguskeem
seade-01 seade-02 seade-03 seade-nn
| | | |
internet - vpn
| |
___|___ ___|___
| | oxidized | | gitea
| | | |
|_______| lokaalne git repo |_______| remote git repo
| |
| |
--|--------------------------------------------------|---
kus
- oxidized kopeerib seadmetest seadistused enda lokaalsesse git reposse
- oxidized seadistuses kirjeldatud nn hook sünkroniseerib-kopeerib lokaalsest gitist andmeid remote git peale
- oxidized ja gitea omavad mõlemad webgui liidest
- oxidized ja gitea on mõlemad docker konteinerid
- oxidized ei kasuta sql vms andmebaasi, andmeid hoitakse failisüsteemis (ehedalt ja git repona)
- gitea kasutab vajadusel postgresql andmebaasi kasutajate jms hoidmiseks, vaikimisi kasutab sqlite3 baasi; ja git'i
Mock switch - Linux kasutaja shell script
Mock switch seisneb Linux operatsioonisüsteemi tavalise kasutaja tekitamises, mille shell on asendatud nt sellise skriptiga
root@zabbix-pub-01:~# grep cisco /etc/passwd cisco:x:1001:1001::/home/cisco:/home/cisco/router_cli.sh
ja
root@zabbix-pub-01:~# cat /home/cisco/router_cli.sh
#!/bin/bash
# 1. Print a fake Cisco login welcome and prompt instantly on connection
echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
echo ""
echo -n "mock-edge-sw01#"
# 2. Enter an infinite loop to read incoming commands interactively
while true; do
# Read the next command passed over the terminal stream
read -r CMD
# Clean up trailing carriage returns (\r) sent by network tools
CMD=$(echo "$CMD" | tr -d '\r' | tr -d '"' | tr -d "'")
case "$CMD" in
"show run"|"show running-config"|"show startup-config")
cat /home/cisco/mock_cisco.cfg
;;
"show version")
echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
;;
"terminal length 0"|"terminal width 0"|"enable"|"")
# Return success silently for environment setup instructions
;;
"exit"|"quit")
echo "Closing connection."
exit 0
;;
*)
# If Oxidized sends an unhandled cleanup command, absorb it silently
;;
esac
# CRITICAL: Print the Cisco prompt back to the stream so Oxidized
# knows the command finished and it is safe to send the next line!
echo -n "mock-edge-sw01#"
done
koos enablega
#!/bin/bash
# 1. Print a fake Cisco login welcome and start with USER privilege prompt (>)
echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
echo ""
echo -n "mock-edge-sw01>" # <--- Note the '>' here!
# Keep track of whether we are in enable mode or not
IS_ENABLED=false
# 2. Enter the infinite loop
while true; do
read -r CMD
CMD=$(echo "$CMD" | tr -d '\r' | tr -d '"' | tr -d "'")
# If Oxidized sends 'enable', simulate the password challenge
if [ "$CMD" = "enable" ] && [ "$IS_ENABLED" = false ]; then
echo -n "Password: "
read -r EN_PASS # Blindly absorb the enable password sent by Oxidized
IS_ENABLED=true
echo -n "mock-edge-sw01#" # Send the privileged prompt!
continue
fi
# Process commands based on state
case "$CMD" in
"show run"|"show running-config"|"show startup-config")
if [ "$IS_ENABLED" = true ]; then
cat /home/cisco/mock_cisco.cfg
else
echo "% Unauthorized command."
fi
;;
"show version")
echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
;;
"terminal length 0"|"terminal width 0"|"")
# Return success silently for environment setup instructions
;;
"exit"|"quit")
echo "Closing connection."
exit 0
;;
*)
# Absorbs unhandled strings
;;
esac
# Print the correct trailing prompt depending on our simulated privilege level
if [ "$IS_ENABLED" = true ]; then
echo -n "mock-edge-sw01#"
else
echo -n "mock-edge-sw01>"
fi
done
ning näidis seadistusfail st switch conf
root@zabbix-pub-01:~# cat /home/cisco/mock_cisco.cfg ! hostname mock-edge-sw01 ! interface GigabitEthernet1/1 description Uplink to Core switchport mode trunk ! interface GigabitEthernet1/2 description Connected to Zabbix Proxy switchport access vlan 10 ! end
ja vaigistada banneri esitamine
root@zabbix-pub-01:~# touch /home/cisco/.hushlogin root@zabbix-pub-01:~# chown cisco:cisco /home/cisco/.hushlogin
Kasutamise testimiseks
root@dh-minio-01:~# ssh cisco@192.168.10.193 cisco@192.168.10.193's password: Cisco IOS Software, Simulation Engine Version 1.0(MOCK) mock-edge-sw01#show run ! hostname mock-edge-sw01 ! interface GigabitEthernet1/1 description Uplink to Core switchport mode trunk ! interface GigabitEthernet1/2 description Connected to Zabbix Proxy switchport access vlan 10 ! end mock-edge-sw01#exit Closing connection. Connection to 192.168.10.193 closed. root@dh-minio-01:~# imreoolberg@Imres-MacBook-Air ~ %
Paigaldamine - Docker
Docker compose ja volume ressurssidele vajalikud kataloogid
# mkdir -p /srv/oxidized/dc # mkdir -p /srv/oxidized/volume/home/oxidized/.config/oxidized # chmod 0777 /srv/oxidized/volume/home/oxidized/.config/oxidized
Docker compose faili näidis
# cd /srv/oxidized/dc
# cat docker-compose-oxidized.yaml
name: p_oxidized
services:
svc_oxidized:
image: oxidized/oxidized:latest
container_name: cn_oxidized
restart: unless-stopped
ports:
- "8888:8888" # Web UI and REST API
volumes:
- '/srv/oxidized/volume/home/oxidized/.config/oxidized:/home/oxidized/.config/oxidized'
- '/srv/oxidized/volume/home/oxidized/.ssh:/home/oxidized/.ssh'
environment:
- CONFIG_RELOAD_INTERVAL=600
- TZ=Europe/Tallinn
networks:
- nw_oxidized
networks:
nw_oxidized:
name: nw_oxidized
driver: bridge
Oxidized seadistamine
- oxidized seadistusfail - /srv/oxidized/volume/home/oxidized/.config/oxidized/config - moodustab ise konteineri käivitamisel alguseks sobiva sisuga
- ruuterite-switchide-jms-seadmete ligipääsufail - /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db - inimene moodustab
- config failis tuleks kasutada alustuseks username ja password väärtustena reaalset mock ligipääsu; selleks et router.db toimiks ligipääsu osas tuleb map: direktiiviga töötada
Ligipääsude fail, nt (sisaldab linux põhist mock'i)
# cat /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db 192.168.10.193:cisco:cisco:parool
Käivitamine
root@dh-minio-01:/srv/oxidized/dc# docker compose -f docker-compose-oxidized.yml up -d root@dh-minio-01:~# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 4ab02b28a9ca oxidized/oxidized:latest "/usr/bin/dumb-init …" 45 minutes ago Up 24 minutes 0.0.0.0:8888->8888/tcp, [::]:8888->8888/tcp cn_oxidized
Ootus on et failisüsteemi tekib
root@dh-minio-01:/srv/oxidized# find /srv/oxidized/volume -type f -ls 134710 4 -rw-r--r-- 1 30000 30000 250 Jun 3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/configs/192.168.10.193 155498 4 -rw-r--r-- 1 30000 30000 33 Jun 3 14:04 /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db 134694 4 -rw-r--r-- 1 30000 30000 2 Jun 3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/pid 173784 4 -rw-r--r-- 1 30000 30000 921 Jun 3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/config 173789 4 -rw-r--r-- 1 30000 30000 1942 Jun 3 14:04 /srv/oxidized/volume/home/oxidized/.config/oxidized/crash
kus
- configs/192.168.10.193 - varundus teksti kujul
Konteineris toimuv
root@dh-minio-01:~# docker exec -ti 4a ps auxf USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 70 25.0 0.0 6392 3764 pts/0 Rs+ 11:35 0:00 ps auxf root 1 0.0 0.0 2420 1368 ? Ss 11:15 0:00 /usr/bin/dumb-init -- runsvdir -P /etc/service root 7 0.0 0.0 2588 1484 ? Ss 11:15 0:00 runsvdir -P /etc/service root 8 0.0 0.0 2436 1460 ? Ss 11:15 0:00 \_ runsv oxidized oxidized 11 0.0 1.0 1348956 61436 ? Sl 11:15 0:01 | \_ /usr/bin/ruby3.3 /usr/local/bin/oxidized root 9 0.0 0.0 2436 1552 ? Ss 11:15 0:00 \_ runsv auto-reload-config root 12 0.0 0.0 4056 3220 ? S 11:15 0:00 | \_ /bin/bash ./run root 62 0.0 0.0 2580 1616 ? S 11:35 0:00 | \_ sleep 600 root 10 0.0 0.0 2436 1484 ? Ss 11:15 0:00 \_ runsv update-ca-certificates root 13 0.0 0.0 4056 3276 ? S 11:15 0:00 \_ /bin/bash ./run root 14 0.0 0.0 2580 1580 ? S 11:15 0:00 \_ sleep infinity
Ruby sisu
root@dh-minio-01:~# docker exec -ti 4a gem list oxidized rugged *** LOCAL GEMS *** oxidized (0.37.0) oxidized-web (0.18.1) *** LOCAL GEMS *** rugged (1.9.0)
Oxidized seadistamine
Kogu oxidized rakenduse seadistusfail
root@dh-minio-01:/srv/oxidized/dc# cat ../volume/home/oxidized/.config/oxidized/config
---
username: cisco
password: parool
model: junos
resolve_dns: true
interval: 3600
debug: false
run_once: false
threads: 30
use_max_threads: false
timeout: 20
timelimit: 300
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
next_adds_job: false
vars: {}
groups: {}
group_map: {}
models: {}
pid: "/home/oxidized/.config/oxidized/pid"
extensions:
oxidized-web:
load: false
crash:
directory: "/home/oxidized/.config/oxidized/crashes"
hostnames: false
stats:
history_size: 10
input:
default: ssh, telnet
debug: false
ssh:
secure: false
ftp:
passive: true
utf8_encoded: true
output:
default: file
file:
directory: "/home/oxidized/.config/oxidized/configs"
source:
default: csv
csv:
file: "/home/oxidized/.config/oxidized/router.db"
delimiter: !ruby/regexp /:/
field:
name: 0
model: 1
map:
name: 0
model: 1
username: 2
password: 3
gpg: false
model_map:
juniper: junos
cisco: ios
kus
- source -> csv -> field ja -> map tuleb kohendada nt selliseks nagu ülal toodud, et ta oskaks router.db failist kasutada kasutajanime ja parooli
- output > default -> file muudetakse allpool git vastu
Webgui
Webgui kasutamiseks tuleb käivitada nn veebiserveri konteineris
root@dh-minio-01:~# grep rest /srv/oxidized/volume/home/oxidized/.config/oxidized/config rest: 0.0.0.0:8888
paistab brauseris
kus
- TODO
lokaalse git repo kasutamine varunduseks
Väited
- võimalik on kasutada lokaalset git repot storage lahendusena
Nö tavalisele oxidized seadistusfaili sees peab olema sarnane output osakond
..
output:
default: git
git:
user: Oxidized Robot
email: oxidized@auul.pri.ee
repo: /home/oxidized/.config/oxidized/devices-backups.git
...
Tulemusena
...
remote git repo liidestamine süsteemiga
Väited
- remote git repo liidestatakse mitte iseseisva nö storage lahendusena, aga toetava git lahendusena
- remote git repo kasutamise eelduseks on lokaalse git repo kasutamine
Nö tavalisele oxidized seadistusfaili sees peab olema sarnane output osakond
..
output:
default: git
git:
user: Oxidized Robot
email: oxidized@auul.pri.ee
repo: /home/oxidized/.config/oxidized/devices-backups.git
...
hooks:
push_to_remote:
type: githubrepo
events: [post_store]
remote_repo: ssh://git@192.168.10.163:2222/oxidized/devices-backups.git
publickey: /home/oxidized/.ssh/id_ed25519-gitea.pub
privatekey: /home/oxidized/.ssh/id_ed25519-gitea
....
kus
- git@ on tehniliselt kasutajanimi, aga kõik kasutajad pöörduvad selle kasutajanimega
- kasutaja identiteet tehakse git repo poolel kindlaks ssh võtme alusel
ssh kasutaja autentimise ettevalmistamine, tekitada priv ja pub võtmed
host# ssh-keygen -f /srv/oxidized/volume/home/oxidized/.ssh/id_ed25519-gitea
kohendada docker compose failis kasutaja:grupp sobivaks, vaatates eeskujuks olemasolevaid, nt
host# chown -R 30000:30000 /srv/oxidized/volume/home/oxidized/.ssh
Paigutada pub võti gitea webgui peal sobivasse kohta.
Veenduda ssh töötamises, nt
root@dh-minio-01:/srv/oxidized/dc# docker exec -ti cn_oxidized bash root@75b0bf77531a:/# su - oxidized oxidized@75b0bf77531a:~$ ssh -i .ssh/id_ed25519-gitea git@192.168.10.163 -p 2222 PTY allocation request failed on channel 0 Hi there, admin! You've successfully authenticated with the key named from-oxidized, but Gitea does not provide shell access. If this is unexpected, please log in with password and setup Gitea under another user. Connection to 192.168.10.163 closed.
Oxidized webguis versioonid paistavad nii
Gitea webguis versioonid paistavad nii
Misc
username: oxidezed
password: parool
model: cisco
interval: 7200
use_syslog: true
debug: false
threads: 30
timeout: 120
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 0.0.0.0:8888
vars:
enable: parool
remove_secret: true
auth_methods: [ "password", "keyboard-interactive" ]
pid: "~/.config/oxidized/pid"
input:
default: ssh
debug: ~/.config/oxidized/log_input
ssh:
secure: false
output:
default: git
git:
user: oxidized
email: imre@imre
repo: "~/devices.git"
#output:
# default: file
# file:
# directory: "/opt/oxidized/.config/oxidized/configs"
source:
default: csv
csv:
file: "~/.config/oxidized/router.db"
delimiter: !ruby/regexp /:/
map:
name: 0
model: 1
status: 2
group: 3
model_map:
cisco: ios
groups:
GR_AUUL:
username: cisco
password: parool
vars:
ssh_port: 22264
models: {}
imre@imre-mac ~ % diff gem-list-20260607-rv-oxidized.txt gem-list-20260607-imre-oxidized.txt 1,3c1,3 < asetus (0.3.0) < backports (3.23.0) < bcrypt_pbkdf (1.1.0) --- > asetus (0.4.0) > backports (3.25.3) > bcrypt_pbkdf (1.1.2) 6c6 < bundler (default: 2.1.2) --- > bundler (2.1.4, default: 2.1.2) 8c8 < charlock_holmes (0.7.7) --- > charlock_holmes (0.7.9) 14c14 < ed25519 (1.2.4) --- > ed25519 (1.3.0) 25c25 < htmlentities (4.3.4) --- > htmlentities (4.4.2) 29c29 < json (default: 2.3.0) --- > json (2.19.8, default: 2.3.0) 32a33 > molinillo (0.6.4) 34a36 > net-http-persistent (2.9.4) 56,57c58,59 < rb-fsevent (0.11.0) < rb-inotify (0.10.1) --- > rb-fsevent (0.11.2) > rb-inotify (0.11.1) 64c66 < rugged (0.28.5) --- > rugged (0.99.0, 0.28.5) 71c73 < slop (4.9.1, 3.6.0) --- > slop (4.10.1, 4.9.1, 3.6.0) 74c76 < temple (0.8.2) --- > temple (0.10.4) 76c78,79 < tilt (2.0.10) --- > thor (0.19.4) > tilt (2.7.0)
