arnoldv2
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
arnoldv2 [2008/04/02 12:36] bredal |
arnoldv2 [2008/04/30 09:38] (current) morten |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| //This document is under construction.// | //This document is under construction.// | ||
| - | {{tools:arnold.png|}} Arnold is a subsystem to NAV-v3, first released in NAV-v3.1. Arnold is a port-blocker, and now vlan changer, and was originally made to be able to easier remove mischievers from the campus-internet. | + | {{tools:arnold.png|}} Arnold is a subsystem to NAV 3, first released in NAV 3.1. Arnold is a port-blocker and vlan changer, and was originally made to be able to easier remove mischievers from the campus-internet. |
| This document will give you information about how Arnold works and how to use and configure it. A FAQ-section will be added as questions are received. | This document will give you information about how Arnold works and how to use and configure it. A FAQ-section will be added as questions are received. | ||
| + | |||
| + | ===== What does Arnold do? ===== | ||
| + | |||
| + | Arnold is a system that blocks or changes vlan on (from now on referred to as a "detention") switch-ports by using SNMP-set commands. It does this based one or more ip or mac-addresses given as input on runtime. Based on the address it uses the NAV-database to locate the correct switch-port to detain, and attempts to detain it using SNMP. | ||
| + | |||
| + | :!: NB: It is important that the write-community is set in the NAV-database, otherwise Arnold will not be able to detain or enable ports on the switch. You specifiy write community when you add or edit a new netbox in the [[seedessentials#registering_a_new_ip_device|edit database tool]]. | ||
| + | |||
| + | Arnold does not scan or in any other way detect or judge mischievers, it leaves that to the persons or scripts giving it input. It is like the executioner getting the "Chop"-signal, happily blocking away doing its job. | ||
| ===== New features in arnold v2 ===== | ===== New features in arnold v2 ===== | ||
| Line 17: | Line 25: | ||
| * Both ip and mac-addresses may be used to detain a computer. | * Both ip and mac-addresses may be used to detain a computer. | ||
| * Given address does not have to be active at the moment to be detained. | * Given address does not have to be active at the moment to be detained. | ||
| - | * Better and more options when enabling (enable also refers to "unquarantining") ports. | + | * More and better options when enabling (enable also refers to "unquarantining") ports. |
| * Vlans can now be specified to limit the area of a predefined detention. If an address is outside or moves outside this area, a detention will not be enforced. | * Vlans can now be specified to limit the area of a predefined detention. If an address is outside or moves outside this area, a detention will not be enforced. | ||
| - | |||
| - | |||
| - | |||
| - | ===== What does Arnold do? ===== | ||
| - | |||
| - | Arnold is a system that blocks or changes vlan on (from now on referred to as a "detention") switch-ports by using SNMP-set commands. It does this based one or more ip or mac-addresses given as input on runtime. Based on the address it uses the NAV-database to locate the correct switch-port to detain, and attempts to detain it using SNMP. | ||
| - | |||
| - | :!: NB: It is important that the write-community is set in the NAV-database, otherwise Arnold will not be able to detain or enable ports on the switch. You specifiy write community when you add or edit a new netbox in the [[seedessentials#registering_a_new_ip_device|edit database tool]]. | ||
| - | |||
| - | Arnold does not scan or in any other way detect or judge mischievers, it leaves that to the persons or scripts giving it input. It is like the executioner getting the "Chop"-signal, happily blocking away doing its job. | ||
| - | |||
| - | |||
| ====== Running Arnold ====== | ====== Running Arnold ====== | ||
| Arnold consists of a couple of scripts (including a arnold-module), a web-interface and a database. For basic use you will never have to touch the scripts, just use the web-interface to disable and enable ports. Arnold should be ready to use without any fuzz as long as the NAV-database is up to date. Some of the features requires some editing in config-files, which is documented later in this document. | Arnold consists of a couple of scripts (including a arnold-module), a web-interface and a database. For basic use you will never have to touch the scripts, just use the web-interface to disable and enable ports. Arnold should be ready to use without any fuzz as long as the NAV-database is up to date. Some of the features requires some editing in config-files, which is documented later in this document. | ||
| + | |||
| Line 70: | Line 67: | ||
| * **Exponential increase:** is a nifty feature that detains previous mischievers for a longer timespan for each new detention. More details in the "Details"-section. | * **Exponential increase:** is a nifty feature that detains previous mischievers for a longer timespan for each new detention. More details in the "Details"-section. | ||
| * **Detention duration:** is the same as auto enable - it decides the timespan the port is disabled. | * **Detention duration:** is the same as auto enable - it decides the timespan the port is disabled. | ||
| - | * **Active:** check this to activate the predefined detention, uncheck to disable it. | + | * **Active on vlans:** lets you limit the vlans the detentions are enforced on. If a computer is on a vlan not specified in this field, it will not be detained. If left blank, all vlans are used. The format is a comma-separated list of vlannumbers (e.g. 123,234). |
| + | * **Active:** check this to activate the predefined detention, uncheck to disable it. Disabled predefined detentions will do nothing when asked to detain computers. | ||
| **How to use a predefined detention** | **How to use a predefined detention** | ||
| - | The only way to use a predefined detention is by using the ''start_arnold.pl''-script. When you have defined a predefined detention you should make a cron-job or some other way of running ''start_arnold.pl'' automatically whenever you want. | + | The only way to use a predefined detention is by using the ''start_arnold.pl''-script. When you have defined a predefined detention you should make a cron-job or some other way of running ''start_arnold.pl'' automatically whenever you want. See section about start_arnold.py. |
| - | + | ||
| - | Examples: | + | |
| - | <code> | + | |
| - | Create some examples here. | + | |
| - | </code> | + | |
| ===== The scripts ===== | ===== The scripts ===== | ||
| Line 90: | Line 82: | ||
| * **start_arnold.py:** is used in combination with a //predefined detention// to invoke a series of detentions. | * **start_arnold.py:** is used in combination with a //predefined detention// to invoke a series of detentions. | ||
| * **t1000.py:** is the "pursuer of justice". It makes sure that if someone moves to another port, the detention is enforced there aswell. | * **t1000.py:** is the "pursuer of justice". It makes sure that if someone moves to another port, the detention is enforced there aswell. | ||
| - | |||
| - | |||
| ==== arnold.py ==== | ==== arnold.py ==== | ||
| Line 101: | Line 91: | ||
| ''autoenable.py'' is run by cron and should not need to be run by any other user. All it does is fetch all disabled ports with an autoenable-value and enable that port if the time is due. Running it manually does the same thing. | ''autoenable.py'' is run by cron and should not need to be run by any other user. All it does is fetch all disabled ports with an autoenable-value and enable that port if the time is due. Running it manually does the same thing. | ||
| - | |||
| - | |||
| - | |||
| ==== start_arnold.py ==== | ==== start_arnold.py ==== | ||
| Line 116: | Line 103: | ||
| This will ensure a clean and tidy run of arnold and some detained ports. Of course you can also use ''start_arnold.py'' to just pipe a local list of addresses in, quick and easy. The main advantage is that all options are set and you have an easy way to "feed" Arnold. | This will ensure a clean and tidy run of arnold and some detained ports. Of course you can also use ''start_arnold.py'' to just pipe a local list of addresses in, quick and easy. The main advantage is that all options are set and you have an easy way to "feed" Arnold. | ||
| - | |||
| - | |||
| ==== t1000.py ==== | ==== t1000.py ==== | ||
| Line 137: | Line 122: | ||
| * **loglevel** defines the different loglevel for each of arnold's scripts (the webinterface logs to the default weblog-file, and that loglevel is not defined here). | * **loglevel** defines the different loglevel for each of arnold's scripts (the webinterface logs to the default weblog-file, and that loglevel is not defined here). | ||
| * **arnoldweb** has just one config option, which sets the default detention method when loading the webinterface. | * **arnoldweb** has just one config option, which sets the default detention method when loading the webinterface. | ||
| - | |||
| ====nonblock.conf==== | ====nonblock.conf==== | ||
| ''nav/etc/arnold/nonblock.conf'' is not really a config-file but an exception list. Some computers (ip-addresses) does not want to be detained. If you want to grant them their wish, enter their ip-address in this file. The format is cleary defined in the file, and is quite flexible. You also have the possibility to define equipment-types that you don't want to block. This is a rather depricated option, but some switches that does not support snmp-set are included by default. | ''nav/etc/arnold/nonblock.conf'' is not really a config-file but an exception list. Some computers (ip-addresses) does not want to be detained. If you want to grant them their wish, enter their ip-address in this file. The format is cleary defined in the file, and is quite flexible. You also have the possibility to define equipment-types that you don't want to block. This is a rather depricated option, but some switches that does not support snmp-set are included by default. | ||
| - | |||
| ====Mailtemplates==== | ====Mailtemplates==== | ||
| Line 150: | Line 133: | ||
| If you make a //predefined detention// you will notice a textfield called "Path to mailfile". Arnold may send mail to those listed as responsible for the address it tries to detain. Who is responsible is fetched from the NAV-database (the contact address defined for an organisation). But Arnold does not know what you want to tell these people, so you have to write the general format of the mail yourself. This template is what you write and place in the mailtemplates-folder, and the name of the file you make (which contains your template) is placed in the "Path to mailfile"-textfield. A description on how to make a template is in the ''README''-file located in the ''mailtemplates/''-folder. | If you make a //predefined detention// you will notice a textfield called "Path to mailfile". Arnold may send mail to those listed as responsible for the address it tries to detain. Who is responsible is fetched from the NAV-database (the contact address defined for an organisation). But Arnold does not know what you want to tell these people, so you have to write the general format of the mail yourself. This template is what you write and place in the mailtemplates-folder, and the name of the file you make (which contains your template) is placed in the "Path to mailfile"-textfield. A description on how to make a template is in the ''README''-file located in the ''mailtemplates/''-folder. | ||
| + | ====== Logging ====== | ||
| - | ====== Details ====== | + | The arnold scripts logs to individual files stored in ''nav/var/log/arnold''. The webinterface logs to the default webfront log, usually ''nav/var/log/webfront.log''. The loglevel used for each script is defined in arnold.conf. |
| - | + | ||
| - | More details. | + | |
| - | + | ||
| - | Logs of arnold-activity are stored in ''nav/var/log/arnold''. | + | |
| - | + | ||
| - | + | ||
| - | ====== Arnold - why the name? ====== | + | |
| - | + | ||
| - | The story. | + | |
arnoldv2.1207139768.txt.gz · Last modified: 2008/04/02 12:36 by bredal
Page Tools
