From david_laporte at harvard.edu Tue Nov 1 18:09:22 2005 From: david_laporte at harvard.edu (David LaPorte) Date: Tue, 01 Nov 2005 13:09:22 -0500 Subject: RANCID ACL sorting? Message-ID: <4367AF52.4030402@harvard.edu> I've noticed an issue (I think) with the way that RANCID determines whether a configuration has changed. I've written some code around RANCID's CVS repository to check the "live" ACLs against those on our TFTP server to ensure consistency. What I've noticed is that if the order of entries in an ACL changes, RANCID does not check the new config into CVS. I believe this is due to sorting the ACLs before comparing, although I haven't dug through the code deeply enough to be certain. Does anyone know if this is the case? If so, would it be considered a bug or is it operating as designed? thanks! Dave From mstefani at redhat.com Wed Nov 2 11:34:22 2005 
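Following up on David LaPorte's question above: the cisco filter in bin/rancid does re-order some access-list entries before it writes the config it commits, so a pure reordering of ACEs can come out as "no change". IOS evaluates an ACL first-match, so the order is part of the policy, and a consistency check against the TFTP copy has to compare the raw captures with order kept. The script below is an added example (not RANCID code, not from the thread) that does that and shows the effect of the reorder on one address; the two config snapshots are constructed for the example.

```python
"""Order-sensitive comparison of IOS access-lists between two config snapshots.

Added example, not RANCID code. The cisco filter in bin/rancid re-orders some
access-list entries before writing the config it commits, so a pure reorder of
ACEs can yield no diff. IOS evaluates ACLs first-match, so order is policy:
this compares two raw captures (e.g. live config vs. the TFTP copy) with the
original order kept, and shows the effect of the reorder on one address.
"""
import re

# Constructed sample snapshots: same ACEs, ACL 10 re-ordered in the second.
CONFIG_BEFORE = """\
access-list 10 deny   10.0.0.5
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   any
!
ip access-list extended MGMT
 permit tcp host 192.0.2.10 any eq 22
 deny   ip any any log
!
"""
CONFIG_AFTER = """\
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny   10.0.0.5
access-list 10 deny   any
!
ip access-list extended MGMT
 permit tcp host 192.0.2.10 any eq 22
 deny   ip any any log
!
"""

NUMBERED = re.compile(r"^access-list\s+(\d+)\s+(.*\S)")
NAMED = re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)\s*$")
# Optional leading sequence number is dropped so a renumbering is not a change.
ACE = re.compile(r"^\s+(?:\d+\s+)?((?:permit|deny|remark)\b.*\S)")


def extract_acls(config):
    """Return {acl: [ace, ...]} in config order; inner whitespace normalised."""
    acls, current = {}, None
    for line in config.splitlines():
        m = NUMBERED.match(line)
        if m:
            current = None
            acls.setdefault(m.group(1), []).append(" ".join(m.group(2).split()))
            continue
        m = NAMED.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = ACE.match(line) if current else None
        if m:
            acls[current].append(" ".join(m.group(1).split()))
        else:
            current = None          # any other top-level line closes a named ACL
    return acls


def compare_acls(before, after):
    """Classify each ACL: unchanged, reordered, changed, added or removed.
    'reordered' is exactly the case an order-insensitive (sorted) diff misses."""
    a, b = extract_acls(before), extract_acls(after)
    verdicts = {}
    for name in sorted(set(a) | set(b)):
        if name not in a:
            verdicts[name] = "added"
        elif name not in b:
            verdicts[name] = "removed"
        elif a[name] == b[name]:
            verdicts[name] = "unchanged"
        elif sorted(a[name]) == sorted(b[name]):
            verdicts[name] = "reordered"
        else:
            verdicts[name] = "changed"
    return verdicts


def _ip2int(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def standard_acl_verdict(aces, addr):
    """First-match evaluation of a standard ACL for one source address, with
    the implicit deny at the end. ACE forms: permit|deny any | host A | A [wildcard]."""
    ip = _ip2int(addr)
    for ace in aces:
        words = ace.split()
        action, rest = words[0], words[1:]
        if action not in ("permit", "deny"):
            continue                          # remark
        if rest[0] == "any":
            return action
        if rest[0] == "host":
            net, wild = _ip2int(rest[1]), 0
        else:
            net = _ip2int(rest[0])
            wild = _ip2int(rest[1]) if len(rest) > 1 else 0
        if (ip & ~wild) == (net & ~wild):     # wildcard bits are don't-care
            return action
    return "deny"


if __name__ == "__main__":
    for acl, verdict in compare_acls(CONFIG_BEFORE, CONFIG_AFTER).items():
        print(f"ACL {acl}: {verdict}")
    for snap, label in ((CONFIG_BEFORE, "before"), (CONFIG_AFTER, "after")):
        print(label, "10.0.0.5 ->", standard_acl_verdict(extract_acls(snap)["10"], "10.0.0.5"))
```

On the sample, ACL 10 is reported as reordered while a sorted comparison would call it unchanged; the first-match check shows why that matters, since 10.0.0.5 is denied by the first snapshot and permitted by the second.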
From: mstefani at redhat.com (Michael Stefaniuc) Date: Wed, 2 Nov 2005 12:34:22 +0100 Subject: License question In-Reply-To: <43665F65.8020705@rem.com> References: <4366532E.9010206@redhat.com> <43665F65.8020705@rem.com> Message-ID: <20051102113422.GA7015@redhat.com> On Mon, Oct 31, 2005 at 01:16:05PM -0500, Hank Kilmer wrote: > The intent of the license is to maintain recognition but still allow > free use. Full ACK here. > We have discussed updating the license to make it more > "standard" and clear - more later on that. Please do so. I know license discussions drift easily into big flame wars that can go on for months but a known license can ease the adoption of software. There is already a license jungle in the OSS world. > You are free to use it as described. Thanks, will do. > -Hank Just to crosscheck it: Hank Kilmer and Henry Kilmer (the name in the COPYING file) are the same person. Google seems to confirm this e.g. http://pgp.mit.edu:11371/pks/lookup?search=hank%40rem.com&op=index bye michael > Michael Stefaniuc wrote: > >while trying to improve the rancid spec file i got from Dan Pfleger so i > >can start testing rancid i ran into a non-technical problem: the > >license. I have read the COPYING file and there is the "non-commercial > >purposes" limitation for copying, modifying and redistribution. But > >there is no mention of "use" of the software in there. > >I googled around and what i found is that FreshMeat shows as license > >"Other/Proprietary License" > >(http://themes.freshmeat.net/projects/rancid/) and Debian marks it as > >"non-free" (http://packages.debian.org/unstable/source/rancid). Couldn't > >find any previous license discussions for rancid, that's why i'm asking now. > >To me the software looks like an advertising BSD license with some > >non-commercial restrictions but IANAL so i asked one. 
His answer was: "I > >would ask that you contact the maintainers and ask that they clarify > >that the non-commercial restriction applies only to re-distribution, not > >to use, copying or modification." > > > >What we want to do is to use the rancid internally at Red Hat, not to > >sell it, not to distribute it and not to sell any services based on it. > >Only pure internal use. > > > >bye > > michael > -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart From hank at rem.com Wed Nov 2 15:35:35 2005 From: hank at rem.com (Hank Kilmer) Date: Wed, 02 Nov 2005 10:35:35 -0500 Subject: License question In-Reply-To: <20051102113422.GA7015@redhat.com> References: <4366532E.9010206@redhat.com> <43665F65.8020705@rem.com> <20051102113422.GA7015@redhat.com> Message-ID: <4368DCC7.3080907@rem.com> Michael Stefaniuc wrote: > Just to crosscheck it: Hank Kilmer and Henry Kilmer (the name in the > COPYING file) are the same person. Google seems to confirm this e.g. > http://pgp.mit.edu:11371/pks/lookup?search=hank%40rem.com&op=index Most certainly. There are other nick names I respond to as well but aren't for public consumption ;-) -Hank From scarter at pobox.com Thu Nov 3 21:59:16 2005 
From: scarter at pobox.com (Steve Carter) Date: Thu, 3 Nov 2005 14:59:16 -0700 Subject: tftp config problems Message-ID: <20051103215916.GA54857@pobox.com> I have a config file on a TFTP server that I want to upload into the running config on a Cisco Cat5 running IOS: switch#sh ver Cisco Internetwork Operating System Software IOS (tm) C3750 Software (C3750-I9-M), Version 12.1(19)EA1c, RELEASE SOFTWARE (fc2) but when I run the following command: $ /usr/local/libexec/rancid/clogin -c 'conf n;host;199.199.199.199;switch-confg;;wr' switch switch spawn telnet switch Trying 199.199.199.198... Connected to switch Escape character is '^]'. Username: scarter Password: switch# switch#term length 0 switch#conf n Error: TIMEOUT reached $ obviously, I can paste the commands in my config file and I can manually run the 'conf n' commands at the switch prompt. I want to do this so I can update a large number of devices by embedding these commands into a shell script. Any ideas? -Steve From david_laporte at harvard.edu Thu Nov 3 22:52:11 2005 
From: david_laporte at harvard.edu (David LaPorte) Date: Thu, 03 Nov 2005 17:52:11 -0500 Subject: tftp config problems In-Reply-To: <20051103215916.GA54857@pobox.com> References: <20051103215916.GA54857@pobox.com> Message-ID: <436A949B.8030305@harvard.edu> try using "\n", eg: $ /usr/local/libexec/rancid/clogin -c "conf n\nhost\n199.199.199.199\nswitch-confg\n;wr" switch Steve Carter wrote: > I have a config file on a TFTP server that I want to upload into the > running config on a Cisco Cat5 running IOS: > > switch#sh ver > Cisco Internetwork Operating System Software IOS (tm) C3750 Software > (C3750-I9-M), Version 12.1(19)EA1c, RELEASE SOFTWARE (fc2) > > but when I run the following command: > > $ /usr/local/libexec/rancid/clogin -c 'conf n;host;199.199.199.199;switch-confg;;wr' switch > switch > spawn telnet switch > Trying 199.199.199.198... > Connected to switch > Escape character is '^]'. > > Username: scarter > Password: > > switch# > switch#term length 0 > switch#conf n > > > Error: TIMEOUT reached > $ > > obviously, I can paste the commands in my config file and I can manually > run the 'conf n' commands at the switch prompt. I want to do this so I > can update a large number of devices by embedding these commands into a > shell script. > > Any ideas? > > -Steve -- David LaPorte, CISSP, CCNP Security Manager, Network and Server Systems Harvard University Information Systems ----------------------------------------------- Email: david_laporte at harvard.edu PGP: 0x4DC3E508 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508 From scarter at pobox.com Fri Nov 4 01:10:10 2005 
From: scarter at pobox.com (Steve Carter) Date: Thu, 3 Nov 2005 18:10:10 -0700 Subject: tftp config problems In-Reply-To: <436A949B.8030305@harvard.edu> References: <20051103215916.GA54857@pobox.com> <436A949B.8030305@harvard.edu> Message-ID: <20051104011010.GB58919@pobox.com> Awesome, works perfectly, thank you ... I'm so behind the times ... pretty sure ';' used to work ... :) * David LaPorte said: > try using "\n", eg: > > $ /usr/local/libexec/rancid/clogin -c "conf > n\nhost\n199.199.199.199\nswitch-confg\n;wr" switch > > Steve Carter wrote: > > I have a config file on a TFTP server that I want to upload into the > > running config on a Cisco Cat5 running IOS: > > > > switch#sh ver > > Cisco Internetwork Operating System Software IOS (tm) C3750 Software > > (C3750-I9-M), Version 12.1(19)EA1c, RELEASE SOFTWARE (fc2) > > > > but when I run the following command: > > > > $ /usr/local/libexec/rancid/clogin -c 'conf n;host;199.199.199.199;switch-confg;;wr' switch > > switch > > spawn telnet switch > > Trying 199.199.199.198... > > Connected to switch > > Escape character is '^]'. > > > > Username: scarter > > Password: > > > > switch# > > switch#term length 0 > > switch#conf n > > > > > > Error: TIMEOUT reached > > $ > > > > obviously, I can paste the commands in my config file and I can manually > > run the 'conf n' commands at the switch prompt. I want to do this so I > > can update a large number of devices by embedding these commands into a > > shell script. > > > > Any ideas? > > > > -Steve > > -- > David LaPorte, CISSP, CCNP > Security Manager, Network and Server Systems > Harvard University Information Systems > ----------------------------------------------- > Email: david_laporte at harvard.edu > PGP: 0x4DC3E508 > 4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508 > From rancid at veggiechinese.net Tue Nov 8 20:11:03 2005 
From: rancid at veggiechinese.net (William Yardley) Date: Tue, 8 Nov 2005 12:11:03 -0800 Subject: existing CVS repo? Message-ID: <20051108201103.GE15127@mitch.veggiechinese.net> Is it possible (without heavily modifying the source) to use RANCID with an existing CVS repository / module (just putting it in a subdir like repo:module/rancid/), or, if not, is it possible to use a new module in an existing repository? w From heas at shrubbery.net Tue Nov 8 20:48:39 2005 From: heas at shrubbery.net (john heasley) Date: Tue, 8 Nov 2005 20:48:39 +0000 Subject: existing CVS repo? In-Reply-To: <20051108201103.GE15127@mitch.veggiechinese.net> References: <20051108201103.GE15127@mitch.veggiechinese.net> Message-ID: <20051108204839.GO19915@shrubbery.net> Tue, Nov 08, 2005 at 12:11:03PM -0800, William Yardley: > Is it possible (without heavily modifying the source) to use RANCID with > an existing CVS repository / module (just putting it in a subdir like > repo:module/rancid/), or, if not, is it possible to use a new module in > an existing repository? > > w modules, no, it is not. rancid-cvs specifically creates new modules, and i've come to the conclusion that this is easier in terms of supporting folks when they have cvs issues. as for sharing a repository, possibly. i've never tried, but you can. try setting CVSROOT in rancid.conf and/or symlinking ~rancidusr/CVS to the other repository. From sha at onland.dk Mon Nov 14 15:40:32 2005 
From: sha at onland.dk (Soren Hansen) Date: Mon, 14 Nov 2005 16:40:32 +0100 Subject: CSS problem Message-ID: <4378AFF0.9050401@onland.dk> Hi, I'm trying to figure out what goes wrong when adding two cisco content switches. I have added them to router.db with type css. I can clogin to them using: add user css?office.intra.telia.dk root add autoenable css?office.intra.telia.dk 1 add password css?office.intra.telia.dk myrealpassword dummypw When I do a rancid-run, the configs are not retrieved. Running cssrancid goes like this: rancid at lanwan-mon$ cssrancid -d css1office.intra.telia.dk executing clogin -t 90 -c"term length 65535;copy profile user-profile;show version;show boot;show run" css1office.intra.telia.dk HIT COMMAND:css1office# term length 65535 HIT COMMAND:css1office# term length 65535 css1office.intra.telia.dk: found unexpected command - "term length 65535" HIT COMMAND:css1office# copy profile user-profile HIT COMMAND:css1office# copy profile user-profile css1office.intra.telia.dk: found unexpected command - "copy profile user-profile" HIT COMMAND:css1office# show version In ShowVersion: css1office# show version HIT COMMAND:css1office# show boot In ShowBoot: css1office# show boot HIT COMMAND:css1office# show run In ShowRun: css1office# show run css1office.intra.telia.dk: End of run not found css1office.intra.telia.dk: End of run not found The file css1office.intra.telia.dk looks like a full config. Same goes with an almost identical css2office. Ideas? /Søren From srau at rauhaus.org Tue Nov 15 17:27:54 2005 
From: srau at rauhaus.org (Stafford A. Rau) Date: Tue, 15 Nov 2005 09:27:54 -0800 Subject: Missing "Image: Software:" for some platforms Message-ID: <20051115172753.GA15129@rauhaus.org> I'd like to be able to extract the running IOS version for all of our Cisco platforms from the rancid configs, but we're missing the '!Image: Software:' lines from some of them. Specifically, I don't see it for our 7609s, 6509s (running native IOS), and less importantly, our PIXes. I'd be quite happy to supply any command output from those devices to facilitate this feature request. We're running rancid version 2.3.1. Thanks, --Stafford From srau at rauhaus.org Tue Nov 15 17:45:16 2005 From: srau at rauhaus.org (Stafford A. Rau) Date: Tue, 15 Nov 2005 09:45:16 -0800 Subject: Missing "Image: Software:" for some platforms In-Reply-To: <20051115172753.GA15129@rauhaus.org> References: <20051115172753.GA15129@rauhaus.org> Message-ID: <20051115174516.GB15129@rauhaus.org> * Stafford A. Rau [051115 09:28]: > > Specifically, I don't see it for our 7609s, 6509s (running native IOS), > and less importantly, our PIXes. Ignore the PIX comment - I see the version is there in the "PIX Version" line right in the config. --Stafford From randy at psg.com Wed Nov 16 18:19:38 2005 From: randy at psg.com (Randy Bush) Date: Wed, 16 Nov 2005 10:19:38 -0800 Subject: j 7.4 Message-ID: <17275.30778.913460.836155@roam.psg.com> it looks as if going from junos 7.3 to 7.4 creates a bit of diffs. sigh. also, how can i get it to dump the config with apply-groups expanded | except ##? randy From randy at psg.com Wed Nov 16 18:39:13 2005 
From: randy at psg.com (Randy Bush) Date: Wed, 16 Nov 2005 10:39:13 -0800 Subject: j 7.4 References: <17275.30778.913460.836155@roam.psg.com> Message-ID: <17275.31953.332732.688331@roam.psg.com> >> also, how can i get it to dump the config with apply-groups expanded >> | except ##? > I believe this is what you are looking for. > show configuration | display inheritance i know how to type it. what i want is for rancid to do it for the diffs randy From ablock at netbusters.com Wed Nov 16 18:38:25 2005 From: ablock at netbusters.com (Aaron Block) Date: Wed, 16 Nov 2005 13:38:25 -0500 (EST) Subject: j 7.4 In-Reply-To: <17275.30778.913460.836155@roam.psg.com> References: <17275.30778.913460.836155@roam.psg.com> Message-ID: On Wed, 16 Nov 2005, Randy Bush wrote: > also, how can i get it to dump the config with apply-groups expanded > | except ##? I believe this is what you are looking for. show configuration | display inheritance Pup From mstefani at redhat.com Mon Nov 21 16:49:37 2005 From: mstefani at redhat.com (Michael Stefaniuc) Date: Mon, 21 Nov 2005 17:49:37 +0100 Subject: rancid spec file Message-ID: <4381FAA1.4000603@redhat.com> Hello, attached is an improved rancid spec file based on Dan Pfleger's original one. Changes are in the changelog of the spec file. bye michael -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: rancid.spec Url: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20051121/286345a3/attachment.ksh -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: rancid-2.3.1-nolg.patch Url: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20051121/286345a3/attachment-0001.ksh From mstefani at redhat.com Tue Nov 22 17:52:02 2005 
From: mstefani at redhat.com (Michael Stefaniuc) Date: Tue, 22 Nov 2005 18:52:02 +0100 Subject: Cisco (Altera) VPN concentrators? Message-ID: <43835AC2.1000805@redhat.com> Hello, does anybody have a rancid script to get the config file out of the Cisco VPN3k (formerly Altera) concentrators? Those have a stupid menu driven system and no cli. The format of the config file is not very user friendly either but i still prefer to back it up ;). Alternatively a generic rancid wrapper that is able to feed a file into the rancid cvs would do too as i already have a script to scp the config file from the VPN3k. thanks bye michael -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart From jejs+rancid at sahala.org Tue Nov 22 22:26:48 2005 From: jejs+rancid at sahala.org (joshua sahala) Date: Tue, 22 Nov 2005 15:26:48 -0700 Subject: RadWare boxen Message-ID: <20051122222648.GJ31134@aurvandil.sahala.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I was wondering if anyone here had modified RANCID to work with the RadWare WSD boxen...We've got several of them here, with more on the way, and it would be nice to have them 'watched' thanks /joshua - -- A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. - Douglas Adams - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDg5soJr8VjiIHVH0RAlVRAKCVWSs4rBvN2INnAbvF3kZWMDaHIgCgzn63 khtwVMsMGGKuR6/iC0MTI+A= =uxz1 -----END PGP SIGNATURE----- From sha at jetjack.onland.dk Wed Nov 23 12:46:25 2005 
From: sha at jetjack.onland.dk (Soren Hansen) Date: Wed, 23 Nov 2005 13:46:25 +0100 Subject: CSS problem In-Reply-To: <4378AFF0.9050401@onland.dk> References: <4378AFF0.9050401@onland.dk> Message-ID: <20051123124625.GA49357@jetjack.onland.dk> Upgrading to 2.3.2a3 fixed the problem. /Søren On Mon, Nov 14, 2005 at 04:40:32PM +0100, Soren Hansen wrote: > Hi, > I'm trying to figure out what goes wrong when adding two cisco content > switches. > I have added them to router.db with type css. > I can clogin to them using: > add user css?office.intra.telia.dk root > add autoenable css?office.intra.telia.dk 1 > add password css?office.intra.telia.dk myrealpassword dummypw > > When I do a rancid-run, the configs are not retrieved. > > Running cssrancid goes like this: > rancid at lanwan-mon$ cssrancid -d css1office.intra.telia.dk > executing clogin -t 90 -c"term length 65535;copy profile > user-profile;show version;show boot;show run" css1office.intra.telia.dk > HIT COMMAND:css1office# term length 65535 > HIT COMMAND:css1office# term length 65535 > css1office.intra.telia.dk: found unexpected command - "term length 65535" > HIT COMMAND:css1office# copy profile user-profile > HIT COMMAND:css1office# copy profile user-profile > css1office.intra.telia.dk: found unexpected command - "copy profile > user-profile" > HIT COMMAND:css1office# show version > In ShowVersion: css1office# show version > HIT COMMAND:css1office# show boot > In ShowBoot: css1office# show boot > HIT COMMAND:css1office# show run > In ShowRun: css1office# show run > css1office.intra.telia.dk: End of run not found > css1office.intra.telia.dk: End of run not found > > The file css1office.intra.telia.dk looks like a full config. > > Same goes with an almost identical css2office. > > Ideas? > > /Søren From mailinglists at unix-scripts.com Wed Nov 23 23:18:55 2005 
From: mailinglists at unix-scripts.com (Shaun) Date: Wed, 23 Nov 2005 15:18:55 -0800 Subject: Rancid+Cisco privs? Message-ID: I just set up rancid and all is working fine but now I want to secure things a bit. Right now the user rancid logs into my Cisco gear with has a priv of 15 but I want to lock this user down so that the user only has privs to do what rancid needs to do. I'm not very familiar with rancid, it's my first time using it so I'm not really sure what it's doing in the back end. I searched around a bit but couldn't really find much on this subject. Right now all my equipment rancid is polling is IOS. Will a priv 1 be enough access for rancid? ~~Shaun From eravin at panix.com Thu Nov 24 03:17:49 2005 
From: eravin at panix.com (Ed Ravin) Date: Wed, 23 Nov 2005 22:17:49 -0500 Subject: Rancid+Cisco privs? In-Reply-To: References: Message-ID: <20051124031749.GA26564@panix.com> On Wed, Nov 23, 2005 at 03:18:55PM -0800, Shaun wrote: > I just set up rancid and all is working fine but now I want to secure things > a bit. Right now the user rancid logs into my Cisco gear with has a priv of > 15 but I want to lock this user down so that the user only has privs to do > what rancid needs to do. I'm not very familiar with rancid, it's my first > time using it so I'm not really sure what it's doing in the back end. Read through the clogin program - you'll get to a nice long table of commands that are sent to the router. All of them are sent, even the ones your router doesn't support. That's what it does in the back end - the output of the commands that work on your router (including the config) gets saved in a CVS archive. A few things get adjusted for various subtle reasons, like trimming of passwords to avoid accidental disclosure or sorting of some structures to avoid non-meaningful difference notices, but that's basically it. > I searched around a bit but couldn't really find much on this subject. > Right now all my equipment rancid is polling is IOS. > > Will a priv 1 be enough access for rancid? No. To see the configuration file, you need privilege 15. Although if you have a TACACS server you can give lower privilege levels the ability to execute the "show config" command, it won't actually show you anything, because without privilege 15 a user is denied access to that data. On the other hand, it should be possible using a TACACS server to set up an account so it had privilege 15 but was only able to execute a limited subset of commands, namely the ones needed by RANCID and no others. That would at least prevent the rancid user from changing the config or other mischief. 
I wasn't able to get it working when I tried, but perhaps I'm just not familiar enough with the innards of TACACS configurations. From saku+rancid at ytti.fi Thu Nov 24 07:16:26 2005 From: saku+rancid at ytti.fi (Saku Ytti) Date: Thu, 24 Nov 2005 09:16:26 +0200 Subject: Rancid+Cisco privs? In-Reply-To: References: Message-ID: <20051124071626.GC17452@ytti.fi> On (2005-11-23 15:18 -0800), Shaun wrote: > I just set up rancid and all is working fine but now I want to secure things > a bit. Right now the user rancid logs into my Cisco gear with has a priv of > 15 but I want to lock this user down so that the user only has privs to do > what rancid needs to do. I'm not very familiar with rancid, it's my first > time using it so I'm not really sure what it's doing in the back end. I > searched around a bit but couldn't really find much on this subject. Right > now all my equipment rancid is polling is IOS. > > Will a priv 1 be enough access for rancid? Reading NVRAM is always a privileged command, so priv 1 will not help you. However if you're running cutting edge IOS you have 'views' where you can add just the commands you need. -- ++ytti From lerik at nolink.net Thu Nov 24 11:13:47 2005 
From: lerik at nolink.net (Lars Erik Gullerud) Date: Thu, 24 Nov 2005 12:13:47 +0100 (CET) Subject: Rancid+Cisco privs? In-Reply-To: References: Message-ID: <20051124120924.U136@electra.nolink.net> On Wed, 23 Nov 2005, Shaun wrote: > I just set up rancid and all is working fine but now I want to secure things > a bit. Right now the user rancid logs into my Cisco gear with has a priv of > 15 but I want to lock this user down so that the user only has privs to do > what rancid needs to do. I'm not very familiar with rancid, it's my first > time using it so I'm not really sure what it's doing in the back end. I > searched around a bit but couldn't really find much on this subject. Right > now all my equipment rancid is polling is IOS. > > Will a priv 1 be enough access for rancid? What we do is to hack rancid and replace "show running-config" and "write term" with "show startup-config" instead. After that you can play around with lower privileges as you like (we run the rancid user as level 2 and allow other commands like the "dir" commands via privilege lines in IOS). But you can't show the complete running-config without being level 15 or lowering everything else down to rancid's level (which is, in effect, the same thing... :) However, this solution means you do not get any config diffs to running-config, so if people forget to do a "write", well, then rancid doesn't catch it. /leg From mailinglists at unix-scripts.com Thu Nov 24 18:33:16 2005 From: mailinglists at unix-scripts.com (Shaun) Date: Thu, 24 Nov 2005 10:33:16 -0800 Subject: Rancid+Cisco privs? References: Message-ID: Thanks for all your responses, sounds like, i guess, that i should just run a priv 15 user... might as well save user/passwords then too; if somebody gains access to the rancid user they'll have the login/pass from cloginrc anyway and that's not even encrypted ;) -- ~~Shaun From bigwavedave at gmail.com Fri Nov 25 20:11:47 2005 
From: bigwavedave at gmail.com (Big Wave Dave) Date: Fri, 25 Nov 2005 12:11:47 -0800 Subject: Cisco (Altera) VPN concentrators? In-Reply-To: <43835AC2.1000805@redhat.com> References: <43835AC2.1000805@redhat.com> Message-ID: <8e124f160511251211g1d73f3bcqfe1a08eec7bb7428@mail.gmail.com> On 11/22/05, Michael Stefaniuc wrote: > Hello, > > does anybody have a rancid script to get the config file out of the > Cisco VPN3k (formerly Altera) concentrators? Those have a stupid menu > driven system and no cli. The format of the config file is not very user > friendly either but i still prefer to back it up ;). > Alternatively a generic rancid wrapper that is able to feed a file into > the rancid cvs would do too as i already have a script to scp the config > file from the VPN3k. > > thanks > bye > michael I would be interested in this too. Dave ---------------------------------------------------------- Are Your Friends Lemmings? -- http://www.lemmingshirts.com From mailinglists at unix-scripts.com Sat Nov 26 18:13:20 2005 
From: mailinglists at unix-scripts.com (Shaun Reitan) Date: Sat, 26 Nov 2005 10:13:20 -0800 Subject: getting diff's every hour on my Cisco 2950 Message-ID: I just recently set up rancid and to start i had it just polling my Cisco 3750's but the other night i added a bunch of my Cisco 2950G switches. For some reason rancid keeps sending me diff's for all but one of those switches. These diffs are huge also, not just something small changing, in fact it looks like a full dump of everything (initial run). Anybody know what might be happening here... Also i have this error in my logs, i haven't figured out how to correct it but maybe it's part of the cause... starting: Sat Nov 26 10:01:48 PST 2005 Trying to get all of the configs. All routers sucessfully completed. cvs diff: Diffing . cvs diff: Diffing configs cvs commit: Examining . cvs commit: Examining configs cvs commit: Up-to-date check failed for `configs/edge-138.14.irv.xxxxxx.xxx' cvs [commit aborted]: correct above errors first! ending: Sat Nov 26 10:01:58 PST 2005 -- Shaun From justin at grote.name Sun Nov 27 04:15:34 2005 From: justin at grote.name (Justin Grote) Date: Sat, 26 Nov 2005 21:15:34 -0700 Subject: getting diff's every hour on my Cisco 2950 In-Reply-To: References: Message-ID: <438932E6.4090201@grote.name> Shaun Reitan wrote: >Also i have this error in my logs, i haven't figured out how to correct it but >maybe it's part of the cause... > > Google turns up this. http://lists.gnu.org/archive/html/info-cvs/2001-06/msg00882.html I use Subversion as my backend but ran into a similar situation which required a database rebuild (when I was running on subversion 1.0 when it used the godawful bdb backend). God bless fsfs. -- Justin Grote Network Architect JWG Networks From afort at choqolat.org Sun Nov 27 23:04:28 2005 
From: afort at choqolat.org (Andrew Fort) Date: Mon, 28 Nov 2005 10:04:28 +1100 Subject: j 7.4 In-Reply-To: <17275.31953.332732.688331@roam.psg.com> References: <17275.30778.913460.836155@roam.psg.com> <17275.31953.332732.688331@roam.psg.com> Message-ID: <438A3B7C.8070806@choqolat.org> Randy Bush wrote: >>> also, how can i get it to dump the config with apply-groups expanded >>> | except ##? >> I believe this is what you are looking for. >> show configuration | display inheritance > > i know how to type it. what i want is for rancid to do it > for the diffs > > randy > If all you want to do is change the command executed, change two lines in jrancid. I'd give a diff but I'm not sure what version you're on, so look for these two stanzas towards the end (~line 484 for me):

# Main
%commands=(
    "show chassis clocks"           => "ShowChassisClocks",
    "show chassis environment"      => "ShowChassisEnvironment",
    "show chassis firmware"         => "ShowChassisFirmware",
    "show chassis fpc detail"       => "ShowChassisFpcDetail",
    "show chassis hardware detail"  => "ShowChassisHardware",
    "show chassis routing-engine"   => "ShowChassisRoutingEngine",
    "show chassis scb"              => "ShowChassisSCB",
    "show chassis sfm detail"       => "ShowChassisSCB",
    "show chassis ssb"              => "ShowChassisSCB",
    "show chassis feb"              => "ShowChassisSCB",
    "show chassis cfeb"             => "ShowChassisSCB",
    "show chassis alarms"           => "ShowChassisAlarms",
    "show system boot-messages"     => "ShowSystemBootMessages",
    "show version detail"           => "ShowVersion",
    "show configuration"            => "ShowConfiguration"
);
@commands=(
    "show chassis clocks",
    "show chassis environment",
    "show chassis firmware",
    "show chassis fpc detail",
    "show chassis hardware detail",
    "show chassis routing-engine",
    "show chassis scb",
    "show chassis sfm detail",
    "show chassis ssb",
    "show chassis feb",
    "show chassis cfeb",
    "show chassis alarms",
    "show system boot-messages",
    "show version detail",
    "show configuration"
);

Change the two instances of "show configuration" to the intended command. 
As long as there are no changes in the parsing required by ShowConfiguration (my limited understanding of junos cli syntax thinks you should be OK), it should work. -andrew From afort at choqolat.org Sun Nov 27 23:10:18 2005 From: afort at choqolat.org (Andrew Fort) Date: Mon, 28 Nov 2005 10:10:18 +1100 Subject: Rancid+Cisco privs? In-Reply-To: References: Message-ID: <438A3CDA.3020103@choqolat.org> Shaun wrote: > Thanks for all your responses, sounds like, i guess, that i should just run a > priv 15 user... might as well save user/passwords then too; if somebody > gains access to the rancid user they'll have the login/pass from cloginrc > anyway and that's not even encrypted ;) the recommended way is to use TAC+, and TAC+ command authori[sz]ation, so the rancid user can't go to configuration mode. you may find the tac_plus.conf stanza you need in the mailing list archives somewhere. if not, the command list is in bin/rancid towards the end. keep in mind you'll need "exit" in that list, also. cheers -andrew From asp at partan.com Sun Nov 27 23:27:05 2005 
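To make Andrew Fort's recommendation above concrete: the script below is an added example (not from the thread, not part of rancid or tac_plus) that holds a tac_plus.conf-style stanza for the rancid user, with priv-lvl 15 kept (Ed Ravin's point: lower levels get nothing from "show running-config") and a command list that leaves out configuration mode, and checks offline that every command rancid sends is permitted while write/config/copy commands are denied. The stanza syntax, the evaluation model (first matching permit/deny regex per command word wins, unanchored unless the regex anchors it, no match or no cmd block means deny) and the two command lists are assumptions to verify against your tac_plus version and against the real lists in bin/rancid and clogin.

```python
"""Offline check of a TACACS+ command-authorization policy for the rancid user.

Added example; not from the thread, rancid or tac_plus. It holds a
tac_plus.conf-style cmd stanza of the kind Andrew Fort refers to and evaluates
it the way tac_plus does as far as I know: per command word, the first
permit/deny whose regex matches the argument string wins, the match is
unanchored unless the regex anchors it, and a command with no matching line or
no cmd block at all is denied (so do not set 'default cmd = permit'). Command
lists are illustrative: take the real ones from bin/rancid and clogin, and
confirm on a router with 'debug aaa authorization' before trusting the policy.
"""
import re

# Assumed stanza. priv-lvl stays 15 because 'show running-config' returns
# nothing at lower levels; command authorization is what removes config mode.
# Regexes are anchored on purpose: an unanchored 'running-config' would also
# permit 'show running-config | redirect tftp://...' (the output modifier is
# part of the arguments IOS sends). The login line is a placeholder.
RANCID_STANZA = """
user = rancid {
    login = cleartext "REPLACE-ME"
    service = exec {
        priv-lvl = 15
    }
    cmd = terminal {
        permit "^length 0$"
        deny .*
    }
    cmd = show {
        permit "^version$"
        permit "^running-config$"
        permit "^startup-config$"
        permit "^boot"
        permit "^flash"
        permit "^env"
        deny .*
    }
    cmd = write {
        permit "^term"
        deny .*
    }
    cmd = dir {
        permit "^/all [a-z0-9-]+:$"
        deny .*
    }
    cmd = exit {
        permit .*
    }
    cmd = configure {
        deny .*
    }
}
"""

CMD_BLOCK = re.compile(r"cmd\s*=\s*(\S+)\s*\{([^}]*)\}")
RULE = re.compile(r'^\s*(permit|deny)\s+(?:"([^"]*)"|(\S+))\s*$', re.M)


def parse_cmd_policy(stanza):
    """Return {command_word: [(action, regex), ...]} in the order written."""
    policy = {}
    for block in CMD_BLOCK.finditer(stanza):
        rules = []
        for rule in RULE.finditer(block.group(2)):
            pattern = rule.group(2) if rule.group(2) is not None else rule.group(3)
            rules.append((rule.group(1), pattern))
        policy[block.group(1)] = rules
    return policy


def authorize(policy, command):
    """'permit' or 'deny' for one expanded command line. IOS expands
    abbreviations before asking the server, so the 'term length 0' that
    clogin types is authorized as 'terminal length 0'."""
    words = command.split()
    if not words:
        return "deny"
    rules = policy.get(words[0])
    if rules is None:
        return "deny"                  # no cmd block for this word
    args = " ".join(words[1:])
    for action, pattern in rules:
        if re.search(pattern, args):   # first matching line decides
            return action
    return "deny"                      # fell off the end of the block


# Illustrative lists; replace with what bin/rancid and clogin really send.
RANCID_SENDS = [
    "terminal length 0", "show version", "show boot", "show flash",
    "dir /all nvram:", "show running-config", "write terminal", "exit",
]
MUST_BE_DENIED = [
    "configure terminal", "write memory", "copy tftp: running-config",
    "clear counters", "reload", "dir /all nvram: | redirect tftp://192.0.2.1/x",
    "show running-config | redirect tftp://192.0.2.1/cfg",
]


def audit_policy(policy):
    """Return (needed commands that are denied, forbidden commands permitted)."""
    missing = [c for c in RANCID_SENDS if authorize(policy, c) != "permit"]
    leaked = [c for c in MUST_BE_DENIED if authorize(policy, c) != "deny"]
    return missing, leaked


if __name__ == "__main__":
    missing, leaked = audit_policy(parse_cmd_policy(RANCID_STANZA))
    print("rancid commands still denied:", missing or "none")
    print("forbidden commands permitted:", leaked or "none")
```

Run it whenever the command table in bin/rancid changes, then confirm on one router; the audit tells you which new command the stanza is missing before the collection starts failing, and which extra command you accidentally opened. Lars Erik Gullerud's alternative (collect "show startup-config" at a lower level) fits the same check with a different list.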
From: asp at partan.com (Andrew Partan) Date: Sun, 27 Nov 2005 18:27:05 -0500 Subject: getting diff's every hour on my Cisco 2950 In-Reply-To: References: Message-ID: <20051127232705.GB20686@partan.com> On Sat, Nov 26, 2005 at 10:13:20AM -0800, Shaun Reitan wrote: > Also i have this error in my logs, i haven't figured out how to correct it but > maybe it's part of the cause... > > cvs commit: Up-to-date check failed for `configs/edge-138.14.irv.xxxxxx.xxx' > cvs [commit aborted]: correct above errors first! Something or someone has mucked with your CVS store. See the FAQ, it's in there. --asp Q. I keep receiving the same diff for a (or set of) devices, but I know the data is not changing repeatedly. Why? A. This is probably a CVS or filesystem permissions problem. Check the log file from the last run for that group for clues first; it may provide the exact cause. Note: It is very important the following be done as the user who normally runs the rancid collection from cron. Check the cvs status of the device's file. example:

guelah [2704] cvs status rtr.shrubbery.net
===================================================================
File: yogi.shrubbery.net        Status: Up-to-date

   Working revision:    1.197   Tue Jul 10 15:41:16 2001
   Repository revision: 1.197   /usr/local/rancid/var/CVS/shrubbery/configs/rtr.shrubbery.net,v
   Sticky Tag:          (none)
   Sticky Date:         (none)
   Sticky Options:      (none)

The Status: should be Up-to-date. If the status is "Unknown", then somehow the file has been created without being cvs add'ed. This should be corrected by removing that device's entry from the group's router.db file, running rancid-run, replacing the entry in router.db, and running rancid-run again. If the Status is anything else, someone has most likely been touching the files manually. Sane state can be achieved by removing the file and running cvs update to get a fresh copy from the repository. 
Check the ownership and permissions of the file and directory and the directory and file in the cvs repository (/CVS/). They should be owned by the user who runs rancid-run from cron. At the very least, the directory and files should be writable by the rancid user. Group and world permissions will be determined by the umask (default 027), which is set in /rancid.conf. Likely the easiest way to fix the ownership on the cvs repository is chown -R /CVS /

From yuvalba at netvision.net.il Mon Nov 28 13:12:06 2005
From: yuvalba at netvision.net.il (Yuval Ben-Ari)
Date: Mon, 28 Nov 2005 15:12:06 +0200
Subject: RANCID sending empty 'routers down' messages
Message-ID:

I have the same problem, platform is Linux with rancid 2.3.
I found the problem in the list archives and the workaround of adding a fake line like this to router.db stops the false diffs:

    FIX_DIFF_BUG:cisco:down

I only have 1 diff version on the machine:

    [rancid at ranc1 rancid]$ which diff
    /usr/bin/diff
    [rancid at ranc1 rancid]$ diff -v
    diff (GNU diffutils) 2.8.1
    <...>

any idea ?

> -----Original Message-----
> From: owner-rancid-discuss at shrubbery.net
> [mailto:owner-rancid-discuss at shrubbery.net] On Behalf Of Jee Kay
> Sent: Saturday, October 08, 2005 3:20 PM
> To: rancid-discuss at shrubbery.net
> Subject: RANCID sending empty 'routers down' messages
>
> I have just added a third site to our RANCID config (the previous two
> are working fine), but now whenever RANCID runs it sends an empty
> 'changes in xxxx routers' with a body of 'Routers changed to down' on
> every run. It only does it for this one site, the other two are having
> no problems.
>
> (When I say 'site', I mean another group within RANCID - there is only
> one install of the actual software, I'm just adding a new entry to the
> LIST_OF_GROUPS variable)
>
> The only difference between this new site and the other sites is that
> it consists of a single router.. would that make any difference? If
> not, any idea what might be causing this?
>
> Thanks in advance,
> Ras

From mstefani at redhat.com Mon Nov 28 19:58:39 2005
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Mon, 28 Nov 2005 20:58:39 +0100
Subject: Cisco (Altera) VPN concentrators?
In-Reply-To: <20051123231810.GT25305@shrubbery.net>
References: <43835AC2.1000805@redhat.com> <20051123231810.GT25305@shrubbery.net>
Message-ID: <20051128195839.GA17186@redhat.com>

On Wed, Nov 23, 2005 at 03:18:10PM -0800, john heasley wrote:
> Tue, Nov 22, 2005 at 06:52:02PM +0100, Michael Stefaniuc:
> > Hello,
> >
> > does anybody have a rancid script to get the config file out of the
> > Cisco VPN3k (formerly Altera) concentrators? Those have a stupid menu
> > driven system and no cli. The format of the config file is not very user
>
> you are probably out of luck. rancid currently depends on a UI (no snmp
> stuff) and menu-driven UIs are very difficult to deal with via expect.

I know, i have read the FAQ before sending my email. That's why i asked for a generic rancid wrapper that is able to inject a file (which doesn't matter how it was gathered) into the rancid CVS.

> > friendly either but i still prefer to back it up ;).
> > Alternatively a generic rancid wrapper that is able to feed a file into
> > the rancid cvs would do too as i already have a script to scp the config
> > file from the VPN3k.

Here is a proposal for such a wrapper. As nothing speaks like code i have attached proof of concept code which works for me but is a quick hack and NOT ready for production. Use at your own risk.

Design:
-------

router.db entry: is of the form wrapper. . Example:

    # VPN concentrator
    192.168.1.1:wrapper.vpn3k:up

wrancid is the actual wrapper and it is called from rancid-fe (patch attached). What it does is it calls the /usr/share/rancid/wrapper/ file passing it the filename to which to save the config file and the hostname.

/usr/share/rancid/wrapper/vpn3k is the actual workhorse. Here it uses scp and snmp to get the config file and some information and it drops them to the filename it got from wrancid.

That's all. Ugly?
Sure it is but it gets the job done (to backup the device; nothing more). And it is easily extensible; just drop a script ("plugin") that is able to get you a file into /usr/share/rancid/wrapper and you're done. The plugin file can be written in any language and doesn't have to use expect. How the plugin file gets to the config file depends on the device polled (scp, ftp, http, trained monkey) and it doesn't really matter.

Possible improvements of wrancid would be to parse .cloginrc and pass the username/password down to the plugin scripts making those easier but that needs to be done securely (no command line and no environment). At the moment vpn3k has it hard coded in the file (did i say that it is proof of concept code?). And the scripts would need some error handling too.

Comments?

bye
	michael
--
Michael Stefaniuc               Tel.: +49-711-96437-199
Sr. Network Engineer            Fax.: +49-711-96437-111
Red Hat GmbH                    Email: mstefani at redhat.com
Hauptstaetterstr. 58            http://www.redhat.de/
D-70178 Stuttgart

-------------- next part --------------
#!/usr/bin/perl -w
#
# wrancid - Wrapper script for all the devices without a proper cli but
#           for which there is another way to get to the config file.
#
# WARNING: This is only PROOF OF CONCEPT code and will screw up your data
#          and eat babies!!!
#
# Copyright 2005 Michael Stefaniuc for Red Hat
#
# This script is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#

use strict;
use Getopt::Std;

#############
# Variables #
#############

# Directory holding the per-device plugin scripts
my $plugin_dir = '/usr/share/rancid/wrapper';

# -s <plugin>  plugin script to run (the part after "wrapper." in router.db)
# -f <file>    file the plugin should write the config to (default: <host>.new)
my %options = ();
getopts("f:s:", \%options);

my $host = $ARGV[0];
my $script = $options{'s'};
my $file;

# Without a plugin name we would try to exec the plugin directory itself
die "usage: wrancid -s <plugin> [-f <file>] <host>\n"
    unless (defined($host) && defined($script));

if (defined($options{'f'})) {
    $file = $options{'f'};
} else {
    $file = $host . ".new";
}

# Call the plugin script and let it do the work
exec("$plugin_dir/$script", "-f", $file, $host)
    or die "Couldn't execute the '$plugin_dir/$script' script!\n";

-------------- next part --------------
--- rancid-fe.orig	2005-11-28 10:53:11.000000000 -0500
+++ rancid-fe	2005-11-28 11:17:35.000000000 -0500
@@ -49,6 +49,7 @@ elsif ($vendor =~ /^redback$/i) { exec('rrancid', $router); } elsif ($vendor =~ /^riverstone$/i) { exec('rivrancid', $router); } elsif ($vendor =~ /^tnt$/i) { exec('tntrancid', $router); } +elsif ($vendor =~ /^wrapper\.(.+)$/i) { exec('wrancid', '-s', $1, $router); } elsif ($vendor =~ /^zebra$/i) { exec('zrancid', $router); } else { printf(STDERR "unknown router manufacturer for $router: $vendor\n");
-------------- next part --------------
#!/usr/bin/perl -w
#
# vpn3k - SCP and SNMP Backup script for Cisco VPN 3K concentrators
#         to be used by the wrancid rancid wrapper
#
# WARNING: This is only PROOF OF CONCEPT code and will screw up your data
#          and eat babies!!!
#
# Copyright 2005 Michael Stefaniuc for Red Hat
#
# This script is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
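Review bot: the plugin name captured by `^wrapper\.(.+)$` in the new rancid-fe branch is handed to `wrancid -s` unchecked, and wrancid joins it onto /usr/share/rancid/wrapper and execs the result, so a vendor field containing path separators would select a script outside the plugin directory; restrict the capture to a safe character class, e.g. `elsif ($vendor =~ /^wrapper\.([A-Za-z0-9_-]+)$/i) { exec('wrancid', '-s', $1, $router); }`, and have wrancid refuse a name containing "/" as a second check. router.db is operator-controlled, so this is defence in depth rather than an exposure, but it is a one-line change. The same `.+` also accepts an empty-looking name like `wrapper..`, which the tighter class rules out.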
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#

#######################################################
# Modules
#######################################################
# Load any modules needed
use strict;
use Getopt::Std;
use Net::SCP::Expect;
use File::Temp qw(mkstemp);   # mkstemp is not in File::Temp's default export list

#######################################################
# Variables
#######################################################
# Initialize variables used in this script
my $backup_user = "backup";
my $backup_pass = "backup";
my $snmp_community = 'public';

# -f <file>  output file handed to us by wrancid
my %options = ();
getopts('f:', \%options);
my $file = $options{'f'};
my $fh;
my $host = $ARGV[0];

die "usage: vpn3k -f <file> <host>\n" unless (defined($file) && defined($host));

(my $tempfh, my $tempfile) = mkstemp("/tmp/tmpfileXXXXX");
#close($tempfh);

# Run snmpget for one OID and return its first output line, chomped.
# The list form of open() bypasses the shell, so a hostname taken from
# router.db is never interpreted by /bin/sh.
sub snmp_get {
    my ($oid) = @_;
    open(my $snmp, '-|', 'snmpget', '-v2c', '-c', $snmp_community, '-On', $host, $oid)
        or die "Cannot run snmpget\n";
    my $result = <$snmp>;
    close($snmp);
    $result = '' unless defined($result);
    chomp($result);
    return $result;
}

# Open the output file.
open($fh, ">", $file) or die "Cannot open output file\n";
print($fh "#RANCID-CONTENT-TYPE: wrapper.vpn3k\n#\n");

# Get some infos from snmp: sysDescr carries the software version
my $result = snmp_get('.1.3.6.1.2.1.1.1.0');
if ($result =~ /VPN 3000 Concentrator Version (\S+) built by (\S+) on (.+)$/i) {
    my $version = $1;
    my $compiled = "$3 by $2";
    print($fh "#Chassis Type: VPN 3000\n#\n");
    # entPhysicalSerialNum of the chassis
    $result = snmp_get('.1.3.6.1.2.1.47.1.1.1.1.11.1');
    if ($result =~ /"([^"]+)"/) {
        print($fh "#Serial Number: $1\n#\n");
    }
    print($fh "#Image: Version: $version\n");
    print($fh "#Image: Compiled: $compiled\n#\n");
}

# Call scp and download the running config.
my $scp_session = Net::SCP::Expect->new(user => $backup_user, password => $backup_pass);
# the connection sometimes terminates incorrectly but we fully transferred
# the file
eval { $scp_session->scp("$host:config", $tempfile); };

# mkstemp already created the temp file, so opening it cannot tell us
# whether the transfer happened; an empty file means scp did not deliver
# and must not end up in CVS as the device's "config"
die "Scp seems to have failed\n" unless (-s $tempfile);

# Copy the config file over removing the comment at the beginning
open($tempfh, "<", $tempfile) or die "Scp seems to have failed\n";
my $line;
while ($line = <$tempfh>) {
    if ($line =~ /^#/) { next; }
    print($fh $line);
}

#######
# End #
#######
close($fh);
close($tempfh);
unlink($tempfile);
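The dispatch Michael describes (a `wrapper.<plugin>` vendor field in router.db, rancid-fe handing the plugin name to wrancid, wrancid execing `<plugin> -f <file> <host>`) and his two open points (a plugin name is joined straight onto the plugin directory, and credentials should reach the plugin without touching the command line or the environment) can be modelled end to end. The block below is an added example, not code from rancid or from the wrancid proof of concept above; Python is used because the plugin may be in any language, and the plugin it runs is a constructed throwaway sh script. The safe-name character class, the stdin credential hand-off and the `demo` plugin are assumptions of this example, not part of the proposal.

```python
"""Added example: model of the wrancid dispatch with two hardening points.
Not part of rancid; plugin name rules and the stdin credential hand-off
are assumptions made here."""
import os
import re
import subprocess
import tempfile

# Assumption: a plugin name is a bare file name in the plugin directory,
# so "/" and ".." are never allowed to reach the exec below.
PLUGIN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_router_db_line(line):
    """Return (host, vendor, state) for a router.db line, None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) != 3:
        raise ValueError("malformed router.db entry: %r" % line)
    return tuple(parts)


def is_safe_plugin_name(name):
    """True if name cannot escape the plugin directory when joined onto it."""
    return bool(PLUGIN_NAME_RE.match(name))


def plugin_for_vendor(vendor):
    """Map a 'wrapper.<plugin>' vendor field to a validated plugin name (else None)."""
    m = re.match(r"^wrapper\.(.+)$", vendor, re.IGNORECASE)
    if not m:
        return None
    name = m.group(1)
    if not is_safe_plugin_name(name):
        raise ValueError("refusing unsafe plugin name %r" % name)
    return name


def build_wrancid_argv(host, vendor, outfile=None):
    """argv rancid-fe would exec for a wrapper.* entry (mirrors the patch), or None."""
    name = plugin_for_vendor(vendor)
    if name is None:
        return None
    argv = ["wrancid", "-s", name]
    if outfile:
        argv += ["-f", outfile]
    return argv + [host]


def run_plugin(plugin_dir, name, host, outfile, username, password):
    """Run the plugin as wrancid does, but pass credentials on stdin only."""
    path = os.path.join(plugin_dir, name)
    # second check independent of the regex: resolved path must stay in plugin_dir
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(plugin_dir):
        raise ValueError("plugin path escapes plugin directory")
    creds = "%s\n%s\n" % (username, password)
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}  # no secret in env
    proc = subprocess.run([path, "-f", outfile, host], input=creds, text=True,
                          env=env, capture_output=True, check=False)
    return proc.returncode


# Constructed throwaway plugin: same "-f <file> <host>" convention as the
# wrancid plugins, reads user and password from stdin, never writes the password.
DEMO_PLUGIN = """#!/bin/sh
read -r user
read -r pass
out=""; host=""
while [ $# -gt 0 ]; do
    case "$1" in
        -f) out="$2"; shift 2 ;;
        *) host="$1"; shift ;;
    esac
done
creds=no; [ -n "$pass" ] && creds=yes
printf '#RANCID-CONTENT-TYPE: wrapper.demo\\n#\\n# host: %s user: %s credentials on stdin: %s\\n' "$host" "$user" "$creds" > "$out"
"""


def demo():
    """End-to-end run against the constructed plugin; returns (rc, output file text)."""
    with tempfile.TemporaryDirectory() as d:
        plugin_dir = os.path.join(d, "wrapper")
        os.mkdir(plugin_dir)
        path = os.path.join(plugin_dir, "demo")
        with open(path, "w") as f:
            f.write(DEMO_PLUGIN)
        os.chmod(path, 0o700)
        host, vendor, _state = parse_router_db_line("192.0.2.10:wrapper.demo:up")
        outfile = os.path.join(d, host + ".new")
        rc = run_plugin(plugin_dir, plugin_for_vendor(vendor), host, outfile, "backup", "s3cret")
        with open(outfile) as f:
            return rc, f.read()


if __name__ == "__main__":
    print(demo()[1])
```

The argv check mirrors the patched rancid-fe line; the path check in `run_plugin` is the belt-and-braces counterpart inside wrancid. Feeding the user/password pair on stdin keeps it out of `ps` output and out of anything the plugin might exec with an inherited environment, which is the constraint Michael names for a future .cloginrc-backed version.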