arnold
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Last revision Both sides next revision | ||
|
arnold [2010/04/14 17:44] caden |
arnold [2012/11/12 09:23] bredal [NAV 3.13] |
||
|---|---|---|---|
| Line 9: | Line 9: | ||
| ===== What does Arnold do? ===== | ===== What does Arnold do? ===== | ||
| - | Arnold is a system that blocks or changes vlan on (from now on referred to as a "detention") switch-ports by using SNMP-set commands. It does this based one or more ip or mac-addresses given as input on runtime. Based on the address it uses the NAV-database to locate the correct switch-port to detain, and attempts to detain it using SNMP. | + | Arnold is a system that blocks or changes vlan on (from now on referred to as a "detention") switch-ports by using SNMP-set commands. It does this based on one or more ip or mac-addresses given as input on runtime. Based on the address it uses the NAV-database to locate the correct switch-port to detain, and attempts to detain it using SNMP. |
| - | :!: NB: It is important that the write-community is set in the NAV-database, otherwise Arnold will not be able to detain or enable ports on the switch. You specifiy write community when you add or edit a new netbox in the [[seedessentials#registering_a_new_ip_device|edit database tool]]. | + | :!: NB: It is important that the write-community is set in the NAV-database, otherwise Arnold will not be able to detain or enable ports on the switch. You specifiy write community when you add or edit a new netbox in the [[seedessentials#registering_a_new_ip_device|seed database tool]]. |
| - | Arnold does not scan or in any other way detect or judge mischievers, it leaves that to the persons or scripts giving it input. It is like the executioner getting the "Chop"-signal, happily blocking away doing its job. | ||
| - | ===== New features in arnold v2 ===== | ||
| - | |||
| - | The main addition to arnold in version 2 (that came with NAV 3.4) is the ability to change vlans on ports instead of just blocking them. This is done so that if you have available quarantine vlans defined on your network, you can put computers on those vlans instead of blocking them. Putting computers in a quarantine vlan is more helpful and convenient for the user of the computer than suddenly losing the internet connection, which often leads to frustration and helpdesk calls. The action of changing a vlan on a port with the help of Arnold is called a //quarantine//. | ||
| - | |||
| - | Other new features: | ||
| - | * Totally rewritten in python by some [[http://cvresumewriters.com/cv-writer.php|cv writer]] to better interface with the rest of NAV. | ||
| - | * Arnold Python module makes it easy for developers to use arnold-functionality in other scripts and webpages. | ||
| - | * New concept - //detention// - introduced. A detention is the action done to a computer to "punish" it, and refers to both a quarantine and a block. | ||
| - | * Both ip and mac-addresses may be used to detain a computer. | ||
| - | * Given address does not have to be active at the moment to be detained. | ||
| - | * More and better options when enabling (enable also refers to "unquarantining") ports. | ||
| - | * Vlans can now be specified to limit the area of a predefined detention. If an address is outside or moves outside this area, a detention will not be enforced. | ||
| ====== Running Arnold ====== | ====== Running Arnold ====== | ||
| Line 41: | Line 28: | ||
| * **Blocked ports:** All currently detained ports. This is the default page. | * **Blocked ports:** All currently detained ports. This is the default page. | ||
| * **Search:** Search the database. | * **Search:** Search the database. | ||
| - | * **Add detentionreason:** When detaining a port, you will need a reason for it. Here is where you add such reasons. Nothing stops you from making a "For fun"-tuple, but it might be frowned upon by some. | + | * **Add detentionreason:** When detaining a port, you will need a reason for it. Here is where you add such reasons. :!: The reasons used in Predefined detentions are not available for use in manual detentions anymore. |
| * **Manual detention:** This page lets you detain a computer or switchport on your network. All you need is an ip or mac-address and a reason. :!: Note that to quarantine a computer you need to first define a quarantine vlan in the "Add Quarantine vlan" section. | * **Manual detention:** This page lets you detain a computer or switchport on your network. All you need is an ip or mac-address and a reason. :!: Note that to quarantine a computer you need to first define a quarantine vlan in the "Add Quarantine vlan" section. | ||
| * **Predefined detentions:** Here you add predefined detentions that may be used by for instance scripts. | * **Predefined detentions:** Here you add predefined detentions that may be used by for instance scripts. | ||
| Line 72: | Line 59: | ||
| **How to use a predefined detention** | **How to use a predefined detention** | ||
| - | The only way to use a predefined detention is by using the ''start_arnold.pl''-script. When you have defined a predefined detention you should make a cron-job or some other way of running ''start_arnold.pl'' automatically whenever you want. See section about start_arnold.py. | + | The only way to use a predefined detention is by using the ''start_arnold.py''-script. When you have defined a predefined detention you should make a cron-job or some other way of running ''start_arnold.py'' automatically whenever you want. See section about start_arnold.py. |
| ===== The scripts ===== | ===== The scripts ===== | ||
| - | Arnold consists of four scripts, which all are located in the ''nav/bin'' directory. | + | Arnold consists of three scripts, which all are located in the ''nav/bin'' directory. |
| - | * **arnold.py:** is a script that gives you basic arnold-functions from a shell. Using the webinterface is preferred though. | ||
| * **autoenable.py:** enables ports based on the autoenable-variable. | * **autoenable.py:** enables ports based on the autoenable-variable. | ||
| * **start_arnold.py:** is used in combination with a //predefined detention// to invoke a series of detentions. | * **start_arnold.py:** is used in combination with a //predefined detention// to invoke a series of detentions. | ||
| Line 85: | Line 71: | ||
| ==== arnold.py ==== | ==== arnold.py ==== | ||
| - | This used to be the workhorse of the system. This is no longer the case as the python module 'arnold' now does all the work. This script is used now for basic use of arnold via a shell. You can run ''arnold.py -h'' to get a list of options. | + | This script is removed, and may or may not come alive again depending on demand. |
| ==== autoenable.py ==== | ==== autoenable.py ==== | ||
| Line 122: | Line 107: | ||
| * **arnold** is the section that contains information about what database to use and on what networking equipment Arnold should be able to detain ports. You also define email-addresses here. | * **arnold** is the section that contains information about what database to use and on what networking equipment Arnold should be able to detain ports. You also define email-addresses here. | ||
| - | * **loglevel** defines the different loglevel for each of arnold's scripts (the webinterface logs to the default weblog-file, and that loglevel is not defined here). | + | * **loglevel** :!: is not in use anymore. Use logging.conf for setting specific loglevels. |
| * **arnoldweb** has just one config option, which sets the default detention method when loading the webinterface. | * **arnoldweb** has just one config option, which sets the default detention method when loading the webinterface. | ||
| Line 137: | Line 122: | ||
| ====== Logging ====== | ====== Logging ====== | ||
| - | The arnold scripts logs to individual files stored in ''nav/var/log/arnold''. The webinterface logs to the default webfront log, usually ''nav/var/log/webfront.log''. The loglevel used for each script is defined in arnold.conf. | + | The arnold scripts logs to individual files stored in ''nav/var/log/arnold''. The webinterface logs to STDERR, which apache most probably puts in it's error.log. The loglevel used for each script is defined in logging.conf. |
| + | |||
| + | ====== Changes ====== | ||
| + | |||
| + | ===== NAV 3.13 ===== | ||
| + | |||
| + | Arnold needed to be rewritten to not use mod_python and to use django models. Also, the code was in dire need of a cleanup. The rewrite tried to make as little changes as possible and at the same time fix the bugs that were reported. | ||
| + | |||
| + | Some changes were introduced though: | ||
| + | * The shell-script for interacting with arnold is gone. If there is an outcry for it, it will be reintroduced. | ||
| + | * The workflow when manually detaining was altered to something better. | ||
| + | * The reasons used for automatic detentions are no longer available when manually detaining. This is done to be able to differ between manual and automatic detentions. If you detain for the same reason both manually and automatically, just create two similar reasons. | ||
| + | * Logleves are no longer set in arnold.conf. Use logging.conf to alter loglevels for the scripts and web. | ||
| + | * Some bugs were found that was not reported. | ||
| + | * The "Open on move"-option in a predefined detention was never used. This is fixed. | ||
| + | * Pursuing was not done in some cases. | ||
| + | * Reported bugs that are fixed: | ||
| + | * #341703 Manual detention does not pursue client | ||
| + | * #361530 Predefined detention does not exponentially increase detentions | ||
| + | * #744932 Arnold should give warning if snmp write is not configured | ||
| + | |||
| + | ===== NAV 3.4 ===== | ||
| + | |||
| + | The main addition to arnold in version 2 (that came with NAV 3.4) is the ability to change vlans on ports instead of just blocking them. This is done so that if you have available quarantine vlans defined on your network, you can put computers on those vlans instead of blocking them. Putting computers in a quarantine vlan is more helpful and convenient for the user of the computer than suddenly losing the internet connection, which often leads to frustration and helpdesk calls. The action of changing a vlan on a port with the help of Arnold is called a //quarantine//. | ||
| + | |||
| + | Other new features: | ||
| + | * Totally rewritten in python to better interface with the rest of NAV. | ||
| + | * Arnold Python module makes it easy for developers to use arnold-functionality in other scripts and webpages. | ||
| + | * New concept - //detention// - introduced. A detention is the action done to a computer to "punish" it, and refers to both a quarantine and a block. | ||
| + | * Both ip and mac-addresses may be used to detain a computer. | ||
| + | * Given address does not have to be active at the moment to be detained. | ||
| + | * More and better options when enabling (enable also refers to "unquarantining") ports. | ||
| + | * Vlans can now be specified to limit the area of a predefined detention. If an address is outside or moves outside this area, a detention will not be enforced. | ||
arnold.txt · Last modified: 2016/01/06 13:54 by morten
Page Tools
