{"id":244,"date":"2022-09-12T10:13:56","date_gmt":"2022-09-12T08:13:56","guid":{"rendered":"https:\/\/whoami.lausitz-event.info\/?p=244"},"modified":"2023-08-25T13:38:49","modified_gmt":"2023-08-25T11:38:49","slug":"netzwerk-backup-versionierung-mit-git","status":"publish","type":"post","link":"https:\/\/whoami.lausitz-event.info\/?p=244","title":{"rendered":"Netzwerk Backup & Versionierung mit GIT"},"content":{"rendered":"\n\n

Irgendwann stellt sich jeder Admin die Frage wie er denn seine Konfigurationen der Netzwerkkomponenten sichern soll. Eine weitere Anforderung ist die Dokumentation der \u00c4nderungen der Netzwerkkomponenten, die Versionierung. Beide Anforderungen sollen m\u00f6glichst automatisiert und sicher umgesetzt werden.<\/p>\n\n\n\n\n\n

GIT<\/h2>\n\n\n\n\n\n

F\u00fcr die Versionierung setzen wir GITEA<\/a> ein, ein freies, selbst gehostetes \"Versionierungssystem\". Wir gehen davon aus das die MySQL Datenbank bereits installiert und einsatzf\u00e4hig ist.<\/p>\n\n\n\n\n\n

mysql -u root -ppassword\ncreate database gitea;\ngrant all on gitea.* to 'gitea'@'localhost' identified by 'gitea';\nflush privileges;\nexit;<\/code><\/pre>\n\n\n\n\n\n
Anlegen eines GIT Users, die Erstellung von Verzeichnissen, sowie die Rechtevergabe auf diesen.<\/p>\n\n\n\n\n\n
groupadd gitea\nuseradd gitea --system --shell \/bin\/bash -m -d \/home\/gitea -g gitea\nmkdir -p \/var\/lib\/gitea\/{custom,data,indexers,public,log}\nchown gitea:gitea \/var\/lib\/gitea\/{data,indexers,log}\nchmod 750 \/var\/lib\/gitea\/{data,indexers,log}\nmkdir \/etc\/gitea\nchown root:gitea \/etc\/gitea\nchmod 770 \/etc\/gitea<\/code><\/pre>\n\n\n\n\n\n
cd \/home\/gitea\nwget -O gitea https:\/\/dl.gitea.com\/gitea\/1.19.0\/gitea-1.19.0-linux-amd64\nchmod +x gitea\nmv gitea \/usr\/local\/bin\/gitea<\/code><\/pre>\n\n\n\n\n\n
vi \/etc\/systemd\/system\/gitea.service<\/p>\n\n\n\n\n\n
[Unit]\nDescription=Gitea (Git with a cup of tea)\nAfter=syslog.target\nAfter=network.target\nAfter=mysqld.service\n\n[Service]\nLimitMEMLOCK=infinity\nLimitNOFILE=65535\nRestartSec=2s\nType=simple\nUser=gitea\nGroup=gitea\nWorkingDirectory=\/var\/lib\/gitea\/\nExecStart=\/usr\/local\/bin\/gitea web -c \/etc\/gitea\/app.ini\nRestart=always\nEnvironment=USER=gitea HOME=\/home\/gitea GITEA_WORK_DIR=\/var\/lib\/gitea\nCapabilityBoundingSet=CAP_NET_BIND_SERVICE\nAmbientCapabilities=CAP_NET_BIND_SERVICE\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n\n\n
systemctl daemon-reload\nsystemctl enable gitea\nsystemctl start gitea<\/code><\/pre>\n\n\n\n\n\n
Nun die Konfiguration unter der URL http:\/\/IP-ADDRESS:3000<\/strong> abschlie\u00dfen. Die im Konfigurationsdialog erfolgten \u00c4nderungen k\u00f6nnt ihr jederzeit in der Datei \/etc\/gitea\/app.ini anpassen. Nach \u00c4nderungen in dieser Datei ist der Dienst gitea mit systemctl restart gitea<\/em><\/strong> neu zu starten.<\/p>\n\n\n\n\n\n
GIT verlangt beim Commit Authentifizierungsangaben. Damit wir unsere Konfigurationssicherung automatisch ablaufen lassen k\u00f6nnen, m\u00fcssen wir den GIT Account in einer Datei hinterlegen. Diese liegt dann im Home Directory (nicht root) des Nutzers, der den GIT Job am Ende ausf\u00fchren muss.<\/p>\n\n\n\n\n\n
~\/.git-credentials<\/strong><\/p>\n\n\n\n\n\n
http://USERNAME:PASSWORD@IP-ADDRESS<\/code><\/pre>\n\n\n\n\n\n
Nun noch folgenden Befehl ausf\u00fchren um die angelegten Credentials zu verwenden.<\/p>\n\n\n\n\n\n
git config --global credential.helper store<\/code><\/pre>\n\n\n\n\n\n
Wir rufen nun die Weboberfl\u00e4che unseres GIT Systems auf http:\/\/IP-ADDRESS:3000 und melden uns mit unserem Nutzer an. Als n\u00e4chstes erstellen wir ein neues Repository.<\/p>\n\n\n\n\n\n
\"\"
Erstellung GIT Repository \"Netzwerkkonfiguration\"<\/em><\/figcaption><\/figure>\n\n\n\n\n\n
Als n\u00e4chstes m\u00fcssen wir m\u00fcssen wir auf unserem System einen Backup Ordner definieren, wo wir k\u00fcnftig unsere Konfigurationen ablegen wollen.<\/p>\n\n\n\n\n\n
mkdir \/backup\nchown gitea:gitea -R \/backup<\/code><\/pre>\n\n\n\n\n\n
Jetzt klonen wir unser zuvor angelegtes GIT Repository.<\/p>\n\n\n\n\n\n
git clone http:\/\/IP-ADDRESS:3000\/Netzwerkkonfiguration.git .<\/code><\/pre>\n\n\n\n\n\n
In dem Pfad \/backup\/Netzwerkkonfiguration<\/strong> werden alle gesicherten Konfigurationen abgelegt und von dort aus nach GIT gepusht. <\/p>\n\n\n\n\n\n
push.sh<\/strong><\/p>\n\n\n\n\n\n
git add switch1.confg\ngit commit -m \"Konfigurationssicherung\" switch1.confg<\/code><\/pre>\n\n\n\n\n\n
Ansible<\/strong><\/h2>\n\n\n\n\n\n
F\u00fcr das Backup Scripting eignet sich perfekt Ansible. F\u00fcr \u00e4ltere Switche, die noch kein SSH anbieten und demzufolge nur per Telnet zu erreichen sind, verwende ich folgendes Playbook:<\/p>\n\n\n\n\n\n
backup_telnet.yml<\/strong><\/p>\n\n\n\n\n\n
---\n- name: Backup Netzwerkkomponenten via Telnet\n  hosts: telnet\n  gather_facts: no\n\n  tasks:\n\n  - name: Touch Files fuer TFTP\n    ansible.builtin.file:\n      path: \/var\/lib\/tftpboot\/{{ inventory_hostname }}.confg\n      state: touch\n      mode: u=rwx,g=rwx,o=rwx\n\n  - name: Setze Besitzer und Dateirechte\n    ansible.builtin.file:\n      path: \/var\/lib\/tftpboot\/{{ inventory_hostname }}.confg\n      owner: nobody\n      group: nobody\n      mode: '0777'\n\n  - name: Backup devices via Telnet and TFTP\n    ansible.netcommon.telnet:\n      user: ADMIN-USERNAME\n      password: ADMIN-PASSWORD\n      login_prompt: \"Username: \"\n      prompts:\n      - \"[>#?]\"\n      command:\n         - \"enable\\nADMIN-PASSWORD\"\n         - copy running-config tftp:\/\/TFTP-SERVER-IP\/{{ inventory_hostname }}.confg\n         - TFTP-SERVER-IP\n         - \"{{ inventory_hostname }}.confg\"\n\n  - name: Copy Konfigurationen ins Webdirectory\n    copy:\n      src: \/var\/lib\/tftpboot\/{{ inventory_hostname }}.confg\n      dest: \/var\/www\/html\/konfigurationen\/{{ inventory_hostname }}\/{{ inventory_hostname }}.confg\n      owner: apache\n      group: apache\n      mode: '0755'<\/code><\/pre>\n\n\n\n\n\n
F\u00fcr das Backup von Fortinet FortiGate Produkten verwende ich folgendes Python Script(Access-Token muss auf der FortiGate erst noch erstellt werden):<\/p>\n\n\n\n\n\n
import requests\n\napi_url = 'https:\/\/IP-ADDRESS-FG<\/strong>\/api\/v2\/monitor\/system\/config\/backup?scope=global&access_token=ACCESS-TOKEN<\/strong>'\n\nrequests.packages.urllib3.disable_warnings()\n\ndata = requests.get(api_url, verify=False)\n\nwith open('\/configs\/fortigate.cfg', 'wb') as f:\n    for line in data:\n        f.write(line)\n\nprint(data.text)\n<\/code><\/pre>\n\n\n","protected":false},"excerpt":{"rendered":"
Irgendwann stellt sich jeder Admin die Frage wie er denn seine Konfigurationen der Netzwerkkomponenten sichern soll. Eine weitere Anforderung ist die Dokumentation der \u00c4nderungen der Netzwerkkomponenten, die Versionierung. Beide Anforderungen sollen m\u00f6glichst automatisiert und sicher umgesetzt werden. GIT F\u00fcr die Versionierung setzen wir GITEA ein, ein freies, selbst gehostetes \"Versionierungssystem\". Wir gehen davon aus das […]<\/p>","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[7,13],"tags":[],"class_list":["post-244","post","type-post","status-publish","format-standard","hentry","category-ansible","category-netzwerke"],"_links":{"self":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts\/244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=244"}],"version-history":[{"count":13,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts\/244\/revisions"}],"predecessor-version":[{"id":405,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=\/wp\/v2\/posts\/244\/revisions\/405"}],"wp:attachment":[{"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/whoami.lausitz-event.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}