When the number of network devices a network operations team manages is small, configuration backups are traditionally done by hand: someone logs in and saves the config. As the fleet grows, the next step is usually a script that pulls the configurations automatically and uploads them over FTP or similar to some storage. Better still would be a backup system that needs no scripts of your own, is not tied to one vendor and supports the mainstream domestic and international network devices, has a web interface for viewing configuration diffs, and can also sync the configurations to an internal GitLab. Oxidized, a free and open-source tool, meets all of these requirements.
Project page: https://github.com/ytti/oxidized
System environment: CentOS 7. Remove the Ruby that ships with the system (it is 2.0.0, and a newer version is required):
sudo yum remove ruby ruby-devel
Install the development tool group:
sudo yum groupinstall "Development Tools"
Install Ruby 2.4.5 from source:
wget https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.5.tar.gz
tar -zxvf ruby-2.4.5.tar.gz
cd ruby-2.4.5
./configure
make
sudo make install
Install all the dependencies:
yum install make cmake which sqlite-devel openssl-devel libssh2-devel ruby gcc ruby-devel libicu-devel gcc-c++
Install Oxidized together with the script and web gems:
gem install oxidized
gem install oxidized-script oxidized-web
Running Oxidized for the first time after installation prompts you to edit the configuration file:
oxidized
edit ~/.config/oxidized/config
Once Oxidized is installed, all of its files live under ~/.config/oxidized/: config is the main configuration file; crash is the crash report, in which you can find the paths of all of Oxidized's built-in modules (it needs no configuration); logs is where the logs are stored.
cd ~/.config/oxidized/
[root@Oxidized-01 oxidized]# ls
config crash logs
Edit the configuration file at the path shown in the prompt:
vi ~/.config/oxidized/config
---
username: username
password: password
model: ios
interval: 3600
use_syslog: false
debug: false
threads: 30
timeout: 20
retries: 3
prompt: !ruby/regexp /^([\w.@-]+[#>]\s?)$/
rest: 192.168.53.83:8080
next_adds_job: false
vars: {}
groups: {}
models: {}
pid: /root/opt/.config/oxidized/pid
input:
  default: ssh, telnet
  debug: false
  ssh:
    secure: false
output:
  default: file
  file:
    directory: /root/opt/.config/oxidized/configs
source:
  default: csv
  csv:
    file: /root/opt/.config/oxidized/router.db
    delimiter: !ruby/regexp /:/
    map:
      name: 0
      model: 1
      ip: 2
      group: 3
      username: 4
      password: 5
    vars_map:
      enable: 6
      comware_cmdline: 6
    gpg: false
model_map:
  juniper: junos
  cisco: ios
Main parameters in the configuration file:
username: username : username; no need to change it, it is read from router.db.
password: password : password; likewise read from router.db.
model: junos : model; likewise read from router.db.
interval: 3600 : backup interval in seconds, so by default one backup per hour
threads: 30 : number of worker threads
timeout: 20 : timeout in seconds
retries: 3 : number of retries
input: how Oxidized connects to the devices (ssh, then telnet as fallback); with ssh: secure: false it does not verify the devices' SSH host keys, so a changed host key goes unnoticed
output: where the exported configurations are written (here: plain files under the directory given)
router.db : where the basic host information is stored (IP address, username, password, etc.), in plaintext
map: the field order of each host entry in router.db
After editing the configuration file, create a router.db file in the same directory to hold the basic host information; the config file reads from it:
vi ~/.config/oxidized/router.db
dc01.a52.30u.net.csw1:ios:172.16.0.1:DC01:test:test
dc01.a52.27u.net.csw2:ios:172.16.0.2:DC01:test:test
dc01.a064.39.42u.net.bbs:comware:10.3.2.12:DC01:test:test
dc01.dl.net.fw1:vrp:10.2.2.15:DC01:test:test
dc01.dl.net.fw2:vrp:10.2.2.16:DC01:test:test
dc01.public.net.fw1:vrp:10.2.2.17:DC01:test:test
dc01.public.net.fw2:vrp:10.2.2.18:DC01:test:test
dc01.a27.42u.net.rsw:ios:10.2.2.2:DC01:test:test
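The router.db layout above (name:model:ip:group:username:password, with an optional seventh field that the vars_map exposes as enable or comware_cmdline) is easy to get wrong by hand, and a broken entry only shows up at the next backup run. The following POSIX shell helper, added here as an example and not part of the original post or of Oxidized itself, checks a router.db against that layout before you restart the service; the accepted model names are an assumption taken from this page and the model_map (ios, comware, vrp, junos) and should be extended for your own fleet.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a router.db file
# against the csv map used in the Oxidized config on this page:
#   name:model:ip:group:username:password[:enable]
# The accepted model list below is an assumption taken from the page.

# Constructed sample router.db with two good entries and three broken ones.
ROUTER_DB="$(mktemp)"
cat > "$ROUTER_DB" <<'EOF'
dc01.a52.30u.net.csw1:ios:172.16.0.1:DC01:test:test
dc01.dl.net.fw1:vrp:10.2.2.15:DC01:test:test
dc01.bad.fields:ios:10.2.2.99
dc01.bad.model:nxos:10.2.2.100:DC01:test:test
dc01.bad.ip:ios:10.2.2.300:DC01:test:test
EOF

# check_router_db FILE
# Prints "<line>: <reason>" for every malformed entry and exits with the
# number of bad entries (capped at 255), so exit 0 means the file is safe to load.
check_router_db() {
  awk -F':' '
    BEGIN { bad = 0; split("ios comware vrp junos", m, " "); for (i in m) ok[m[i]] = 1 }
    /^[[:space:]]*$/ || /^#/ { next }        # skip blank lines and comments
    NF < 6 || NF > 7 { print NR ": expected 6 or 7 fields, got " NF; bad++; next }
    !($2 in ok)      { print NR ": unknown model \"" $2 "\""; bad++; next }
    {
      n = split($3, o, ".")
      if (n != 4) { print NR ": bad ip " $3; bad++; next }
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) { print NR ": bad ip " $3; bad++; next }
    }
    END { exit (bad > 255 ? 255 : bad) }
  ' "$1"
}

# router_db_errors FILE: same check, but returns the count of bad entries on stdout.
router_db_errors() {
  check_router_db "$1" | wc -l | tr -d ' '
}

# Typical use before a restart: refuse to reload a broken inventory.
if check_router_db "$ROUTER_DB" >/dev/null; then
  echo "router.db OK"
else
  echo "router.db has $(router_db_errors "$ROUTER_DB") bad entries; fix them before restarting oxidized"
fi
```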
Run Oxidized again and confirm that the device configurations are backed up successfully:
[root@Oxidized-01 ~]# oxidized
I, [2019-05-07T20:02:05.560860 #3199] INFO -- : Oxidized starting, running as pid 3199
I, [2019-05-07T20:02:05.561604 #3199] INFO -- : lib/oxidized/nodes.rb: Loading nodes
I, [2019-05-07T20:02:05.635852 #3199] INFO -- : lib/oxidized/nodes.rb: Loaded 1 nodes
Puma starting in single mode...
* Version 3.11.4 (ruby 2.3.8-p459), codename: Love Song
* Min threads: 0, max threads: 16
* Environment: development
* Listening on tcp://192.168.53.83:80
Use Ctrl-C to stop
I, [2019-05-07T20:02:12.920349 #3199] INFO -- : Configuration updated for /10.2.2.4
Log in to the web interface to view configurations, compare versions, and so on.
Run Oxidized in the background with nohup:
nohup oxidized >> /var/log/oxidized.log 2>&1 &
To add or change a device, edit router.db in the existing format, then find the Oxidized process ID (the pid file path is set by the pid: key in config), kill that process, and start the service again.
Install nginx:
sudo yum install nginx
Install httpd-tools, which provides the htpasswd command:
sudo yum install httpd-tools
Create a directory to hold the authentication user file:
sudo mkdir -p /usr/local/nginx/
sudo chmod 755 /usr/local/nginx/
Create the web login user:
htpasswd -c /usr/local/nginx/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
Configure nginx as a reverse proxy to Oxidized and enable authentication:
vi /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

#user nginx;
user root;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        # listen 8080 default_server;
        # listen [::]:8080 default_server;
        listen       80;
        listen       [::]:80;
        server_name  10.0.0.201;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            proxy_pass http://10.0.0.201:8080;
            proxy_http_version 1.1;
            auth_basic "Welcome to Oxidized WEB Login";
            auth_basic_user_file /usr/local/nginx/.htpasswd;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#        location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
#    }

}
nginx must be able to read the password file referenced in its configuration, but nothing else needs to write it; set the ownership and mode accordingly, then enable and start nginx:
sudo chown root:nginx /usr/local/nginx/.htpasswd
sudo chmod 640 /usr/local/nginx/.htpasswd
sudo systemctl enable nginx
sudo systemctl start nginx
The web interface now prompts for a username and password; after authenticating with the user created earlier you are forwarded to Oxidized. Since HTTP basic authentication sends the password with every request, put this behind TLS in production; the commented-out server block at the end of nginx.conf shows the settings needed.
Automatically pushing Oxidized backups to GitLab is recommended but a matter of personal preference; I have been too lazy to write that part up.
Whether you manage a dozen network devices, several thousand, or even tens of thousands, Oxidized can be used; the ultimate performance bottleneck is the machine the service is deployed on.
Note: the next few articles will lean toward networking; they come from my friend, network admin Zhao Si.