Using Oxidized
Introduction
TODO
The Oxidized software https://github.com/ytti/oxidized ...
How it works
Claims
- A small mock network device is created with the help of a Linux user account
- A Docker-based Oxidized is created
Mock switch - Linux user shell script
The mock switch consists of creating an ordinary user on a Linux operating system whose login shell has been replaced with a script such as this
root@zabbix-pub-01:~# grep cisco /etc/passwd
cisco:x:1001:1001::/home/cisco:/home/cisco/router_cli.sh
and
root@zabbix-pub-01:~# cat /home/cisco/router_cli.sh
#!/bin/bash
# 1. Print a fake Cisco login welcome and prompt instantly on connection
echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
echo ""
echo -n "mock-edge-sw01#"
# 2. Enter an infinite loop to read incoming commands interactively
while true; do
    # Read the next command passed over the terminal stream; when the peer
    # closes the connection (EOF) stop here instead of looping forever
    read -r CMD || exit 0
    # Clean up trailing carriage returns (\r) sent by network tools and
    # strip any quote characters
    CMD=$(echo "$CMD" | tr -d '\r' | tr -d '"' | tr -d "'")
    case "$CMD" in
        "show run"|"show running-config"|"show startup-config")
            cat /home/cisco/mock_cisco.cfg
            ;;
        "show version")
            echo "Cisco IOS Software, Simulation Engine Version 1.0(MOCK)"
            ;;
        "terminal length 0"|"terminal width 0"|"enable"|"")
            # Return success silently for environment setup instructions
            ;;
        "exit"|"quit")
            echo "Closing connection."
            exit 0
            ;;
        *)
            # If Oxidized sends an unhandled cleanup command, absorb it silently
            ;;
    esac
    # CRITICAL: Print the Cisco prompt back to the stream so Oxidized
    # knows the command finished and it is safe to send the next line!
    echo -n "mock-edge-sw01#"
done
and a sample configuration file, i.e. the switch config
root@zabbix-pub-01:~# cat /home/cisco/mock_cisco.cfg
!
hostname mock-edge-sw01
!
interface GigabitEthernet1/1
 description Uplink to Core
 switchport mode trunk
!
interface GigabitEthernet1/2
 description Connected to Zabbix Proxy
 switchport access vlan 10
!
end
To test it
root@dh-minio-01:~# ssh cisco@192.168.10.193
cisco@192.168.10.193's password:
Cisco IOS Software, Simulation Engine Version 1.0(MOCK)

mock-edge-sw01#show run
!
hostname mock-edge-sw01
!
interface GigabitEthernet1/1
 description Uplink to Core
 switchport mode trunk
!
interface GigabitEthernet1/2
 description Connected to Zabbix Proxy
 switchport access vlan 10
!
end
mock-edge-sw01#exit
Closing connection.
Connection to 192.168.10.193 closed.
root@dh-minio-01:~#
Installation - Docker
Directories needed for the Docker compose and volume resources
# mkdir -p /srv/oxidized/dc
# mkdir -p /srv/oxidized/volume/home/oxidized/.config/oxidized
# chmod 0777 /srv/oxidized/volume/home/oxidized/.config/oxidized
Example Docker compose file
# cd /srv/oxidized/dc
# cat docker-compose-oxidized.yaml
name: p_oxidized
services:
  svc_oxidized:
    image: oxidized/oxidized:latest
    container_name: cn_oxidized
    restart: unless-stopped
    ports:
      - "8888:8888" # Web UI and REST API
    volumes:
      - '/srv/oxidized/volume/home/oxidized/.config/oxidized:/home/oxidized/.config/oxidized'
      - '/srv/oxidized/volume/home/oxidized/.ssh:/home/oxidized/.ssh'
    environment:
      - CONFIG_RELOAD_INTERVAL=600
      - TZ=Europe/Tallinn
    networks:
      - nw_oxidized
networks:
  nw_oxidized:
    name: nw_oxidized
    driver: bridge
Configuring Oxidized
- the oxidized configuration file - /srv/oxidized/volume/home/oxidized/.config/oxidized/config - is generated by the container itself on first start, with contents that are suitable as a starting point
- the access file for routers, switches and other devices - /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db - is written by a human
- in the config file, the username and password values should initially be the real mock credentials; for the credentials in router.db to be used, the map: directive has to be adjusted
Access file, e.g. (contains the Linux-based mock)
# cat /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db
192.168.10.193:cisco:cisco:parool
Starting
root@dh-minio-01:/srv/oxidized/dc# docker compose -f docker-compose-oxidized.yml up -d
root@dh-minio-01:~# docker ps
CONTAINER ID   IMAGE                      COMMAND                  CREATED          STATUS          PORTS                                         NAMES
4ab02b28a9ca   oxidized/oxidized:latest   "/usr/bin/dumb-init …"   45 minutes ago   Up 24 minutes   0.0.0.0:8888->8888/tcp, [::]:8888->8888/tcp   cn_oxidized
The expectation is that the following appears in the filesystem
root@dh-minio-01:/srv/oxidized# find /srv/oxidized/volume -type f -ls
134710  4 -rw-r--r--  1 30000  30000   250 Jun  3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/configs/192.168.10.193
155498  4 -rw-r--r--  1 30000  30000    33 Jun  3 14:04 /srv/oxidized/volume/home/oxidized/.config/oxidized/router.db
134694  4 -rw-r--r--  1 30000  30000     2 Jun  3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/pid
173784  4 -rw-r--r--  1 30000  30000   921 Jun  3 14:15 /srv/oxidized/volume/home/oxidized/.config/oxidized/config
173789  4 -rw-r--r--  1 30000  30000  1942 Jun  3 14:04 /srv/oxidized/volume/home/oxidized/.config/oxidized/crash
where
- configs/192.168.10.193 - the backup in text form
What happens inside the container
root@dh-minio-01:~# docker exec -ti 4a ps auxf
USER       PID %CPU %MEM     VSZ   RSS TTY      STAT START   TIME COMMAND
root        70 25.0  0.0    6392  3764 pts/0    Rs+  11:35   0:00 ps auxf
root         1  0.0  0.0    2420  1368 ?        Ss   11:15   0:00 /usr/bin/dumb-init -- runsvdir -P /etc/service
root         7  0.0  0.0    2588  1484 ?        Ss   11:15   0:00 runsvdir -P /etc/service
root         8  0.0  0.0    2436  1460 ?        Ss   11:15   0:00  \_ runsv oxidized
oxidized    11  0.0  1.0 1348956 61436 ?        Sl   11:15   0:01  |   \_ /usr/bin/ruby3.3 /usr/local/bin/oxidized
root         9  0.0  0.0    2436  1552 ?        Ss   11:15   0:00  \_ runsv auto-reload-config
root        12  0.0  0.0    4056  3220 ?        S    11:15   0:00  |   \_ /bin/bash ./run
root        62  0.0  0.0    2580  1616 ?        S    11:35   0:00  |       \_ sleep 600
root        10  0.0  0.0    2436  1484 ?        Ss   11:15   0:00  \_ runsv update-ca-certificates
root        13  0.0  0.0    4056  3276 ?        S    11:15   0:00      \_ /bin/bash ./run
root        14  0.0  0.0    2580  1580 ?        S    11:15   0:00          \_ sleep infinity
Ruby contents
root@dh-minio-01:~# docker exec -ti 4a gem list oxidized rugged

*** LOCAL GEMS ***

oxidized (0.37.0)
oxidized-web (0.18.1)

*** LOCAL GEMS ***

rugged (1.9.0)
Configuring Oxidized
The configuration file of the whole oxidized application
root@dh-minio-01:/srv/oxidized/dc# cat ../volume/home/oxidized/.config/oxidized/config
---
username: cisco
password: parool
model: junos
resolve_dns: true
interval: 3600
debug: false
run_once: false
threads: 30
use_max_threads: false
timeout: 20
timelimit: 300
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
next_adds_job: false
vars: {}
groups: {}
group_map: {}
models: {}
pid: "/home/oxidized/.config/oxidized/pid"
extensions:
  oxidized-web:
    load: false
crash:
  directory: "/home/oxidized/.config/oxidized/crashes"
  hostnames: false
stats:
  history_size: 10
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
  ftp:
    passive: true
  utf8_encoded: true
output:
  default: file
  file:
    directory: "/home/oxidized/.config/oxidized/configs"
source:
  default: csv
  csv:
    file: "/home/oxidized/.config/oxidized/router.db"
    delimiter: !ruby/regexp /:/
    field:
      name: 0
      model: 1
    map:
      name: 0
      model: 1
      username: 2
      password: 3
    gpg: false
model_map:
  juniper: junos
  cisco: ios
where
- source -> csv -> field and -> map have to be adjusted, e.g. to what is shown above, so that it can use the username and password from the router.db file
Web GUI
To use the web GUI, the so-called web server has to be started in the container
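As an added illustration (not Oxidized's own code) of the two points above, that the top-level username/password are only defaults and that router.db credentials are used only when source.csv.map names their columns, the following Ruby resolves router.db rows the way the page's config describes; the CONFIG hash and the second router.db row are constructed stand-ins.

```ruby
# Added illustration, not Oxidized's own code: how one router.db line becomes
# a node's login settings under the page's config. Top-level username and
# password are defaults; a column only overrides them when source.csv.map
# names it, and model_map rewrites the short model name (cisco -> ios).

# Constructed stand-in for the relevant keys of the page's config file.
CONFIG = {
  'username'  => 'cisco',
  'password'  => 'parool',
  'model'     => 'junos',
  'source'    => { 'csv' => {
    'delimiter' => /:/,
    'map' => { 'name' => 0, 'model' => 1, 'username' => 2, 'password' => 3 },
  } },
  'model_map' => { 'juniper' => 'junos', 'cisco' => 'ios' },
}.freeze

# Same config with the stock map (name and model columns only), i.e. what
# the container generates before the map is adjusted as on the page.
def with_stock_map(config)
  copy = Marshal.load(Marshal.dump(config))
  copy['source']['csv']['map'] = { 'name' => 0, 'model' => 1 }
  copy
end

# Resolve one router.db line into the settings Oxidized would log in with.
def resolve_node(line, config = CONFIG)
  csv    = config['source']['csv']
  fields = line.chomp.split(csv['delimiter'])
  node   = {}
  csv['map'].each do |key, index|
    value = fields[index]
    node[key] = value unless value.nil? || value.empty?
  end
  # Anything the map did not supply falls back to the global defaults.
  %w[username password model].each { |k| node[k] ||= config[k] }
  # Translate the short model name used in router.db (cisco -> ios).
  node['model'] = config['model_map'].fetch(node['model'], node['model'])
  node
end

# Constructed router.db rows: the page's mock plus a second device whose
# per-row password differs from the global default.
ROUTER_DB = ['192.168.10.193:cisco:cisco:parool',
             '192.168.10.194:cisco:backup:other-secret'].freeze

if __FILE__ == $PROGRAM_NAME
  ROUTER_DB.each { |row| p resolve_node(row) }                         # map used
  ROUTER_DB.each { |row| p resolve_node(row, with_stock_map(CONFIG)) } # defaults
end
```

With the stock map the second device would be contacted with the global cisco/parool pair and the login would fail, which is the failure mode the map adjustment prevents. Because router.db holds passwords in clear text, the chmod 0777 from the installation step is broader than needed; ownership by the container uid 30000, as done later for .ssh, is sufficient.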
root@dh-minio-01:~# grep rest /srv/oxidized/volume/home/oxidized/.config/oxidized/config
rest: 0.0.0.0:8888
it appears in the browser
where
- TODO
Using a local git repo for backups
Claims
- a local git repo can be used as the storage solution
Inside the so-called ordinary oxidized configuration file there must be an output section similar to this
...
output:
  default: git
  git:
    user: Oxidized Robot
    email: oxidized@auul.pri.ee
    repo: /home/oxidized/.config/oxidized/devices-backups.git
...
As a result
...
Integrating a remote git repo with the system
Claims
- the remote git repo is integrated not as an independent storage solution but as a supporting git solution
- using a remote git repo presupposes that a local git repo is in use
Inside the so-called ordinary oxidized configuration file there must be an output section similar to this
...
output:
  default: git
  git:
    user: Oxidized Robot
    email: oxidized@auul.pri.ee
    repo: /home/oxidized/.config/oxidized/devices-backups.git
...
hooks:
  push_to_remote:
    type: githubrepo
    events: [post_store]
    remote_repo: ssh://git@192.168.10.163:2222/admin/devices-backups.git
    publickey: /home/oxidized/.ssh/id_ed25519-gitea.pub
    privatekey: /home/oxidized/.ssh/id_ed25519-gitea
...
where
- git@ is technically the username, but all users connect with this username
- the user's identity is established on the git repo side from the ssh key
Preparing ssh user authentication: create the private and public keys
host# ssh-keygen -f /srv/oxidized/volume/home/oxidized/.ssh/id_ed25519-gitea
adjust the user:group to suit the docker compose setup, taking the existing files as a reference, e.g.
host# chown -R 30000:30000 /srv/oxidized/volume/home/oxidized/.ssh
Place the public key in the appropriate place in the Gitea web GUI.
Verify that ssh works, e.g.
root@dh-minio-01:/srv/oxidized/dc# docexec -ti cn_oxidized bash
root@75b0bf77531a:/# su - oxidized
oxidized@75b0bf77531a:~$ ssh -i .ssh/id_ed25519-gitea git@192.168.10.163
PTY allocation request failed on channel 0
Hi there, admin! You've successfully authenticated with the key named from-oxidized, but Gitea does not provide shell access.
If this is unexpected, please log in with password and setup Gitea under another user.
Connection to 192.168.10.163 closed.