From mstefani at redhat.com Thu May 4 15:55:47 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Thu, 04 May 2006 17:55:47 +0200
Subject: [rancid] race condition in ssh on CatOS
Message-ID: <445A2403.8010202@redhat.com>

Hello,

in October 2004 there was a small thread about this problem, "Bug when using SSH on CatOS devices" (http://www.shrubbery.net/pipermail/rancid-discuss/2004-October/000891.html), but it ended with a quick hack that worked for the older Extremes but doesn't for CatOS (http://www.shrubbery.net/pipermail/rancid-discuss/2004-November/000898.html).

The problem with CatOS ssh is that it _sometimes_ eats the echoing of the last packet that made the connection terminate, unlike the Extreme, which according to the above was eating only the \n\r. As clogin does a send "exit\r" and that fits in one packet, the CatOS ssh will forget to echo that back before terminating the connection. So one _sometimes_ gets

Switch> (enable)Connection to switch.foo.bar closed by remote host.
Connection to switch.foo.bar closed.

I get that not only with cat5rancid but also directly with ssh. Now adapting the proposed patch/hack:

TOP: while(<INPUT>) {
    tr/\015//d;
    if (/> \(enable\) ?exit$/) {
        $clean_run=1;
        last;
    }
    # Check and see if it was a "less clean" run.
    elsif (/> \(enable\) ?exitConnection to (\S+) closed by remote host\./) {
        $clean_run=1;
        last;
    }
}

by omitting "exit" isn't hard but is it safe? One can assume that getting

Switch> (enable) exitConnection to switch.foo.bar closed by remote host.

won't happen in the middle of a cat5run run ever. But it is very likely to get

Switch> (enable)Connection to switch.foo.bar closed by remote host.

between 2 commands. One cannot safely set $clean_run=1 in that case.

The method I used was to split up 'send "exit\r"' in clogin into

send "exit"
sleep 0.1
send "\r"

Alternatively using send -h "exit\r" and using the "hangover" human speed setting (see man expect) works too. This way I reduce the problem to detecting "Switch> (enable) exitConnection ...".

Is there a better way to achieve a reliable backup of CatOS devices with rancid using ssh besides having to patch clogin and cat5rancid? Not that patching would be a problem but having the right fix upstream makes future maintenance easier.

bye
	michael
-- 
Michael Stefaniuc               Tel.: +49-711-96437-199
Sr. Network Engineer            Fax.: +49-711-96437-111
Red Hat GmbH                    Email: mstefani at redhat.com
Hauptstaetterstr. 58            http://www.redhat.de/
D-70178 Stuttgart

From jsutherl at newedgenetworks.com Fri May 5 16:39:02 2006
From: jsutherl at newedgenetworks.com (Sutherland, James) Date: Fri, 5 May 2006 09:39:02 -0700 Subject: [rancid] Infinate loop on clogin Message-ID: Interestingly we managed to accidentally get rancid set so that an Efficient 5871 was set as a cisco. What resulted was an infinite loop that causes rancid to hang forever until the telnet to that device is killed. I wasn't sure if this would be considered a bug, but I thought I'd send it to this list as an example of this problem, which we've seen several times. Example: Fri 8:58am {rancid at prometheus:[~/bin]} ./clogin 172.28.41.69 172.28.41.69 spawn telnet 172.28.41.69 Trying 172.28.41.69... Connected to 172.28.41.69. Escape character is '^]'. Efficient 5871 IDSL Router (5871-001/2) v5.3.80 Ready Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! 
Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** Wrong password! Try logging in again. Login: ****** ^C Fri 8:58am {rancid at prometheus:[~/bin]} From mstefani at redhat.com Fri May 5 16:44:29 2006 
From: mstefani at redhat.com (Michael Stefaniuc) Date: Fri, 05 May 2006 18:44:29 +0200 Subject: [rancid] Re: Infinate loop on clogin In-Reply-To: References: Message-ID: <445B80ED.6000601@redhat.com> Sutherland, James wrote: > Interestingly we managed to accidentally get rancid set so that an > Efficient 5871 was set as a cisco. > > What resulted was an infinite loop that causes rancid to hang forever > until the telnet to that device is killed. > > I wasn't sure if this would be considered a bug, but I thought I'd send > it to this list as an example of this problem, which we've seen several > times. Call clogin with -t to give it a timeout. rancid uses clogin -t 90 to prevent such loops being to disastrous. bye michael > > Example: > Fri 8:58am {rancid at prometheus:[~/bin]} ./clogin 172.28.41.69 > 172.28.41.69 > spawn telnet 172.28.41.69 > Trying 172.28.41.69... > Connected to 172.28.41.69. > Escape character is '^]'. > > Efficient 5871 IDSL Router (5871-001/2) v5.3.80 Ready > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! 
Try logging in again.
> Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > ^C > Fri 8:58am {rancid at prometheus:[~/bin]} > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart From heas at shrubbery.net Fri May 5 16:47:55 2006 
From: heas at shrubbery.net (john heasley)
Date: Fri, 5 May 2006 09:47:55 -0700
Subject: [rancid] Re: Infinate loop on clogin
In-Reply-To: <445B80ED.6000601@redhat.com>
References: <445B80ED.6000601@redhat.com>
Message-ID: <20060505164755.GD12082@shrubbery.net>

Fri, May 05, 2006 at 06:44:29PM +0200, Michael Stefaniuc:
> Sutherland, James wrote:
> > Interestingly we managed to accidentally get rancid set so that an
> > Efficient 5871 was set as a cisco.
> >
> > What resulted was an infinite loop that causes rancid to hang forever
> > until the telnet to that device is killed.
> >
> > I wasn't sure if this would be considered a bug, but I thought I'd send
> > it to this list as an example of this problem, which we've seen several
> > times.
> Call clogin with -t to give it a timeout. rancid uses clogin -t 90 to
> prevent such loops being to disastrous.

That will do nothing, as the timeout only takes effect when there is no
input match. Here, there's obviously a match.

> >
> > Example:
> > Fri 8:58am {rancid at prometheus:[~/bin]} ./clogin 172.28.41.69
> > 172.28.41.69
> > spawn telnet 172.28.41.69
> > Trying 172.28.41.69...
> > Connected to 172.28.41.69.
> > Escape character is '^]'.
> >
> > Efficient 5871 IDSL Router (5871-001/2) v5.3.80 Ready
> > Login: ******
> > Wrong password! Try logging in again.
> > Login: ******

So it's a bug/bad assumption that devices stop prompting and disconnect
after a few login failures.

From jsutherl at newedgenetworks.com Fri May 5 16:56:05 2006
From: jsutherl at newedgenetworks.com (Sutherland, James)
Date: Fri, 5 May 2006 09:56:05 -0700
Subject: [rancid] Re: Infinate loop on clogin
Message-ID:

That didn't seem to work for me notice the time stamps:

Fri 9:48am {rancid at prometheus:[~]} ./bin/clogin -t 90 172.28.41.69 > /tmp/clogin.test
^C
Fri 9:54am {rancid at prometheus:[~]}

Just for fun:

Fri 9:55am {rancid at prometheus:[~]} grep -c Login /tmp/clogin.test
1714

-----Original Message-----
From: Michael Stefaniuc [mailto:mstefani at redhat.com] Sent: Friday, May 05, 2006 9:44 AM To: Sutherland, James Cc: rancid-discuss at shrubbery.net Subject: Re: [rancid] Infinate loop on clogin Sutherland, James wrote: > Interestingly we managed to accidentally get rancid set so that an > Efficient 5871 was set as a cisco. > > What resulted was an infinite loop that causes rancid to hang forever > until the telnet to that device is killed. > > I wasn't sure if this would be considered a bug, but I thought I'd > send it to this list as an example of this problem, which we've seen > several times. Call clogin with -t to give it a timeout. rancid uses clogin -t 90 to prevent such loops being to disastrous. bye michael > > Example: > Fri 8:58am {rancid at prometheus:[~/bin]} ./clogin 172.28.41.69 > 172.28.41.69 > spawn telnet 172.28.41.69 > Trying 172.28.41.69... > Connected to 172.28.41.69. > Escape character is '^]'. > > Efficient 5871 IDSL Router (5871-001/2) v5.3.80 Ready > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. 
> Login: ****** > Wrong password!
Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > Wrong password! Try logging in again. > Login: ****** > ^C > Fri 8:58am {rancid at prometheus:[~/bin]} > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart From heas at shrubbery.net Fri May 5 22:58:17 2006 
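The failure mode from the "Infinate loop on clogin" thread above (the timeout never fires while the device keeps re-prompting), as an added Expect example that is not code from clogin or from any poster. The looping "device" is a constructed shell loop and max_attempts is a hypothetical variable name.

```tcl
#!/usr/bin/expect -f
# Added example: bound the number of login attempts instead of relying on
# the inactivity timeout. Not taken from clogin.

log_user 0
set timeout 5          ;# inactivity timer, in the spirit of "clogin -t"
set max_attempts 3     ;# hypothetical cap on password attempts
set attempts 0

# Constructed stand-in for the misclassified device: it re-prompts forever
# after a bad password and never closes the connection.
spawn sh -c {
    while :; do
        printf 'Login: '
        read -r pw || exit 0
        printf 'Wrong password! Try logging in again.\n'
    done
}

set result "unknown"
expect {
    -re {Login: $} {
        # Each successful match followed by exp_continue restarts the
        # timeout clock, so the "timeout" arm below is never reached while
        # the device keeps prompting. The counter is what ends the loop.
        # (exp_continue -continue_timer would instead keep one timer
        # running across matches.)
        if {[incr attempts] > $max_attempts} {
            set result "gave up after $max_attempts login attempts"
        } else {
            send -- "secret\r"
            exp_continue
        }
    }
    -re {[>#] ?$} { set result "logged in" }
    timeout       { set result "timeout: device went silent" }
    eof           { set result "connection closed by device" }
}

# Tear the session down so nothing is left hanging on the pty.
catch {close}
catch {wait}

puts $result
if {$result ne "logged in"} { exit 1 }
```

Run against the constructed loop, the script sends three passwords, stops at the fourth prompt and exits non-zero, however large the timeout is.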
From: heas at shrubbery.net (john heasley)
Date: Fri, 5 May 2006 15:58:17 -0700
Subject: [rancid] Re: race condition in ssh on CatOS
In-Reply-To: <445A2403.8010202@redhat.com>
References: <445A2403.8010202@redhat.com>
Message-ID: <20060505225817.GH12082@shrubbery.net>

Thu, May 04, 2006 at 05:55:47PM +0200, Michael Stefaniuc:
> Switch> (enable) exitConnection to switch.foo.bar closed by remote host.
> wont happen in the middle of a cat5run run ever. But is is very likely
> to get
> Switch> (enable)Connection to switch.foo.bar closed by remote host.
> between 2 commands. One cannot safely set $clean_run=1 in that case.
> The method i used was to split up 'send "exit\r"' in clogin into
> send "exit"
> sleep 0.1
> send "\r"
> Alternatively using send -h "exit\r" and using the "hangover" human
> speed setting (see man expect) works too. This way i reduce the problem
> to detecting "Switch> (enable) exitConnection ...".
>
> Is there a better way to achieve a reliable backup of CatOS devices with
> rancid using ssh besides having to patch clogin and cat5rancid? Not that
> patching would be a problem but having the right fix upstream makes
> future maintanance easier.

Normally I'd say use your support contract to harass cisco to fix their
broken stuff before we make hacks permanent (unless it's an Extreme), but I
think this has been fixed. Of 43 chassis I collect, only one is failing
(I have not looked into why). So, I suggest you try more recent code, try
ipservicesk9-mz.122-18.SXF vintage.

From mstefani at redhat.com Sat May 6 08:54:48 2006
From: mstefani at redhat.com (Michael Stefaniuc) Date: Sat, 06 May 2006 10:54:48 +0200 Subject: [rancid] Re: race condition in ssh on CatOS In-Reply-To: <20060505225817.GH12082@shrubbery.net> References: <445A2403.8010202@redhat.com> <20060505225817.GH12082@shrubbery.net> Message-ID: <445C6458.1080607@redhat.com> john heasley wrote: > Thu, May 04, 2006 at 05:55:47PM +0200, Michael Stefaniuc: > >>Switch> (enable) exitConnection to switch.foo.bar closed by remote host. >>wont happen in the middle of a cat5run run ever. But is is very likely >>to get >>Switch> (enable)Connection to switch.foo.bar closed by remote host. >>between 2 commands. One cannot safely set $clean_run=1 in that case. >>The method i used was to split up 'send "exit\r"' in clogin into >>send "exit" >>sleep 0.1 >>send "\r" >>Alternatively using send -h "exit\r" and using the "hangover" human >>speed setting (see man expect) works too. This way i reduce the problem >>to detecting "Switch> (enable) exitConnection ...". >> >>Is there a better way to achieve a reliable backup of CatOS devices with >>rancid using ssh besides having to patch clogin and cat5rancid? Not that >>patching would be a problem but having the right fix upstream makes >>future maintanance easier. > > > Normally I'd say use your support contract to harrass cisco to fix their > broken stuff before we make hacks permanent (unless its an Extreme), but I > think this has been fixed. Of 43 chassis I collect, only one is failing > (I have not looked into why). So, I suggest you try more recent code, try > ipservicesk9-mz.122-18.SXF vintage. I was talking about CatOS. We do not have any problems with backing up IOS devices. Sadly there is no IOS available for the good old Cat2948. I'll have to check the release notes for the newer CatOS versions if they fixed this problem and cross check that on a device under normal operation load. If the problem still persists i'll harrass Cisco. 
Anyway the proper fix will take quite long so i will have to live with the patch in my rancid tree. bye michael -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart From kanagaraj at aims.com.my Mon May 8 07:21:56 2006 From: kanagaraj at aims.com.my (Kanagaraj Krishna) Date: Mon, 8 May 2006 15:21:56 +0800 Subject: [rancid] Re: Rancid attic devices References: <20060323202728.59206.qmail@web50514.mail.yahoo.com> <20060325210956.GA75327@partan.com> Message-ID: <029301c67270$1685aa00$6b86dfcb@kana> Hi, I have a question regarding the reuse of previous added device on rancid. This is the situation. Previously I've added a device with IP xxx.xxx.xxx.xxx and realised that once it was deleted from router.db, it was placed under attic. Currently I'm planning to use the same IP xxx.xxx.xxx.xxx for another device but at the same time maintain the older device configs as well. What is best way to do this? Thanks Regards, Kanagaraj Krishna From heas at shrubbery.net Mon May 8 07:36:14 2006 
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 May 2006 00:36:14 -0700
Subject: [rancid] Re: Rancid attic devices
In-Reply-To: <029301c67270$1685aa00$6b86dfcb@kana>
References: <20060323202728.59206.qmail@web50514.mail.yahoo.com> <20060325210956.GA75327@partan.com> <029301c67270$1685aa00$6b86dfcb@kana>
Message-ID: <20060508073614.GI12984@shrubbery.net>

Mon, May 08, 2006 at 03:21:56PM +0800, Kanagaraj Krishna:
> Hi,
> I have a question regarding the reuse of previous added device on
> rancid. This is the situation. Previously I've added a device with IP
> xxx.xxx.xxx.xxx and realised that once it was deleted from router.db, it
> was placed under attic. Currently I'm planning to use the same IP
> xxx.xxx.xxx.xxx for another device but at the same time maintain the older
> device configs as well. What is best way to do this? Thanks
>
> Regards,
> Kanagaraj Krishna
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

This is really a CVS question. IIRC, when a file is added that was previously
"cvs delete"'ed, the file is essentially resurrected. Meaning that you start
off from whence you had ended, thus maintaining all the history. I think that
applies to subversion as well.

If you wanted to maintain them separately, you can goof with the repository
-- which I do not encourage -- by renaming the repository file from
Attic/foo,v to Attic/foo_old,v or something similar.

From Anton.Schweitzer at o2.com Mon May 8 08:13:10 2006
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Mon, 8 May 2006 10:13:10 +0200
Subject: [rancid] No Software: tag in config for 6500/7600 Switches
Message-ID:

Hi,

I did a script for grepping all the software releases, so I discovered there is no software tag for Cisco 65XX and 76XX.

Can anyone tell why there is no "Image:Software:" tag?

Cheers
Anton

Anton Schweitzer
CNO IP Backoffice
o2 (Germany) GmbH & Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobil +49(0)176-23407715
Fax +49(0)89-2442-5632
anton.schweitzer at o2.com

From heas at shrubbery.net Mon May 8 08:20:51 2006
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 May 2006 01:20:51 -0700
Subject: [rancid] Re: No Software: tag in config for 6500/7600 Switches
In-Reply-To:
References:
Message-ID: <20060508082051.GM12984@shrubbery.net>

Mon, May 08, 2006 at 10:13:10AM +0200, Anton.Schweitzer at o2.com:
> Hi,
>
> i did a script for greping all the sofware releases, so i discovered there
> is no software tag for Cisco 65XX and 76XX.
>
> Can anyone tell why there is no "Image:Software:" tag ?
>

Cisco likes to change formats [for no apparent reason]. The fix is included
in ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a4.tar.gz

From kanagaraj at aims.com.my Mon May 8 09:52:09 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna) Date: Mon, 8 May 2006 17:52:09 +0800 Subject: [rancid] Re: correct above errors first! Message-ID: <000f01c67285$128ee7d0$6b86dfcb@kana> Hi, What does the errors below points to.......can't figure it out (from the log) Error 1 cvs add: aaa.aaa.aaa.aaa should be removed and is still there (or is back again) cvs [commit aborted]: internal error: no parsed RCS file Added aaa.aaa.aaa.aaa cvs status: aaa.aaa.aaa.aaa should be removed and is still there Trying to get all of the configs. All routers sucessfully completed. cvs diff: Diffing . cvs diff: Diffing configs cvs diff: configs/aaa.aaa.aaa.aaa was removed, no comparison available cvs commit: Examining . cvs commit: Examining configs cvs [commit aborted]: internal error: no parsed RCS file Error 2 cvs diff: Diffing . cvs diff: Diffing configs cvs diff: configs/xxx.xxx.xxx.xxx was removed, no comparison available cvs commit: Examining . cvs commit: Examining configs cvs commit: Up-to-date check failed for `configs/xxx.xxx.xxx.xxx' cvs [commit aborted]: correct above errors first! ending: Mon May 8 17:41:31 MYT 2006 Thanks, Kanagaraj Krishna -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20060508/ca0e3f78/attachment.html From Todd at equivoice.com Mon May 8 13:04:10 2006 From: Todd at equivoice.com (Todd Heide) Date: Mon, 8 May 2006 08:04:10 -0500 Subject: [rancid] Linux n00b questions Message-ID: <082FEA82DC985B4F8A6B412D5AC4E220207A57@exchange.Equivoice.local> Is there a clear concise document describing the steps to get Rancid working on Cisco routers using Tacacs+? I plug my way through Redhat 9.0 fairly well, but when it comes to terminology, I get cross eyed and dumb. Thanks Todd From heas at shrubbery.net Mon May 8 14:47:21 2006 
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 May 2006 07:47:21 -0700
Subject: [rancid] Re: correct above errors first!
In-Reply-To: <000f01c67285$128ee7d0$6b86dfcb@kana>
References: <000f01c67285$128ee7d0$6b86dfcb@kana>
Message-ID: <20060508144721.GN12984@shrubbery.net>

It means that somehow you have a file in group/configs that has not been
cvs added; most likely because someone has been making changes manually
instead of allowing rancid to do it.

Mon, May 08, 2006 at 05:52:09PM +0800, Kanagaraj Krishna:
> Hi,
> What does the errors below points to.......can't figure it out (from the log)
>
> Error 1
> cvs add: aaa.aaa.aaa.aaa should be removed and is still there (or is back again)
> cvs [commit aborted]: internal error: no parsed RCS file
> Added aaa.aaa.aaa.aaa
>
> cvs status: aaa.aaa.aaa.aaa should be removed and is still there
>
>
> Trying to get all of the configs.
> All routers sucessfully completed.
>
> cvs diff: Diffing .
> cvs diff: Diffing configs
> cvs diff: configs/aaa.aaa.aaa.aaa was removed, no comparison available
> cvs commit: Examining .
> cvs commit: Examining configs
> cvs [commit aborted]: internal error: no parsed RCS file
>
> Error 2
> cvs diff: Diffing .
> cvs diff: Diffing configs
> cvs diff: configs/xxx.xxx.xxx.xxx was removed, no comparison available
> cvs commit: Examining .
> cvs commit: Examining configs
> cvs commit: Up-to-date check failed for `configs/xxx.xxx.xxx.xxx'
> cvs [commit aborted]: correct above errors first!
>
> ending: Mon May 8 17:41:31 MYT 2006
>
> Thanks,
> Kanagaraj Krishna
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From kanagaraj at aims.com.my Tue May 9 01:26:58 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna) Date: Tue, 9 May 2006 09:26:58 +0800 Subject: [rancid] Re: correct above errors first! References: <000f01c67285$128ee7d0$6b86dfcb@kana> <20060508144721.GN12984@shrubbery.net> Message-ID: <005101c67307$aa351a50$6b86dfcb@kana> Any suggestions in solving this issue? Regards, Kana ----- Original Message ----- 
From: "john heasley" To: "Kanagaraj Krishna" Cc: Sent: Monday, May 08, 2006 10:47 PM Subject: Re: [rancid] Re: correct above errors first! > It means that somehow you have a file in group/configs that has not been > cvs added; most likely because someone has been making changes manually > instead of allow rancid to do it. > > Mon, May 08, 2006 at 05:52:09PM +0800, Kanagaraj Krishna: > > Hi, > > What does the errors below points to.......can't figure it out (from the log) > > > > Error 1 > > cvs add: aaa.aaa.aaa.aaa should be removed and is still there (or is back again) > > cvs [commit aborted]: internal error: no parsed RCS file > > Added aaa.aaa.aaa.aaa > > > > cvs status: aaa.aaa.aaa.aaa should be removed and is still there > > > > > > Trying to get all of the configs. > > All routers sucessfully completed. > > > > cvs diff: Diffing . > > cvs diff: Diffing configs > > cvs diff: configs/aaa.aaa.aaa.aaa was removed, no comparison available > > cvs commit: Examining . > > cvs commit: Examining configs > > cvs [commit aborted]: internal error: no parsed RCS file > > > > Error 2 > > cvs diff: Diffing . > > cvs diff: Diffing configs > > cvs diff: configs/xxx.xxx.xxx.xxx was removed, no comparison available > > cvs commit: Examining . > > cvs commit: Examining configs > > cvs commit: Up-to-date check failed for `configs/xxx.xxx.xxx.xxx' > > cvs [commit aborted]: correct above errors first! > > > > ending: Mon May 8 17:41:31 MYT 2006 > > > > Thanks, > > Kanagaraj Krishna > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From adamp at nyroc.rr.com Wed May 10 14:49:43 2006 
From: adamp at nyroc.rr.com (Adam Pawlukiewicz)
Date: Wed, 10 May 2006 10:49:43 -0400
Subject: [rancid] Rancid and Motorola BSR64000
Message-ID: <00dd01c67440$f98575c0$c9035d18@rr.com>

Has anyone tried to get rancid to work with a Motorola BSR64000?

Adam

From frnkblk at iname.com Wed May 10 15:12:18 2006
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 10 May 2006 10:12:18 -0500
Subject: [rancid] Re: Rancid and Motorola BSR64000
In-Reply-To: <00dd01c67440$f98575c0$c9035d18@rr.com>
Message-ID:

I'm looking for the same....let me know if there is a way.

Frank

_____

From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Adam Pawlukiewicz
Sent: Wednesday, May 10, 2006 9:50 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Rancid and Motorola BSR64000

Has anyone tried to get rancid to work with a Motorola BSR64000?

Adam

From eravin at panix.com Sat May 13 02:47:49 2006
From: eravin at panix.com (Ed Ravin)
Date: Fri, 12 May 2006 22:47:49 -0400
Subject: [rancid] Re: Out of band access to devices?
Message-ID: <20060513024749.GA29808@panix.com>

On Tue, Aug 16, 2005 at 03:56:04PM +1000, Andrew Pollock wrote:
...
> So the only way of managing the devices is via SSHing to the Cyclades and
> getting on the console port. We can SSH directly to a specific port of the
> Cyclades, and after authenticating, get on the console attached to that
> port, and disconnect by way of the standard SSH disconnect break sequence
> when we're done.
>
> I'm wondering if RANCID has evolved over the last nearly 2 years to include
> such out of band access to devices, or if it's much of a muchness still?

It hasn't, but I finally decided I needed the feature and wrote it up.
In my case, I had to ssh to a server and run the "cu" command to get to
the serial console, so I set up a generic extension of the ssh method to
allow arbitrary arguments on the ssh command line. It looks like this
in .cloginrc:

    add method testrouter {ssh}
    add sshargs testrouter {-t} {termserver} {cu -l /dev/tty01 -s 9600}

I also had to add a match for "Connected" in the login dialog, which
"cu" prints when it's ready for you to send data, so clogin would send
an empty return to wake up the router's serial port.

This isn't sufficiently generic for my taste - I'd prefer something
where you can specify the path to the front end program to run (it could
be conserver, for example), and I'd want the match and response for
"Connected" to also be configurable in .cloginrc. I propose something
like this:

    add spawn_command myrouter /usr/local/bin/conserver
    add spawn_command_args myrouter {--this} {--that} {termserver01}
    add spawn_greeting myrouter {termserver01 ready} {connected to myrouter}
    add spawn_greeting_response myrouter {connect myrouter} {\r\r}

So you could have multiple expect/send responses to the front end device
before you get the router prompt and do the usual login dialogue (i.e.
the above example would listen for "termserver01 ready", then send "connect myrouter\r", then listen for "connected to myrouter", then send "\r\r" to wake up the router and hopefully produce a router login prompt so the rest of clogin could proceed). The current patch for just adding an "sshargs" variable to clogin is a mere 30 lines - if anyone wants it, let me know. If there's any consensus on the "right" way to do this, I'll be happy to code it up for inclusion in a future version of RANCID. Sample invocation: $ ./clogin -t 5 -c 'show ver' testrouter testrouter spawn ssh -t termserver01 cu -l /dev/tty01 -s 9600 Connected. Username: testme Password: Router# Router#term length 0 Router#show ver Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.4(5a), RELEASE SOFTWARE (fc3) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2006 by Cisco Systems, Inc. [...] From morty at frakir.org Wed May 17 03:13:38 2006 From: morty at frakir.org (Mordechai T. Abzug) Date: Tue, 16 May 2006 23:13:38 -0400 Subject: [rancid] rancid, netscreens and console page size Message-ID: <20060517031338.GA29706@red-sonja.frakir.org> I'm using the latest nrancid and nlogin for netscreens. Seems to work nicely, with one caveat: every time we run rancid, paging gets turned off. On netscreens, paging is a global parameter which can only be changed by admin users. This can be very annoying for non-admin users. Patch: *** /tmp/T0EMaOJJ Wed May 17 03:12:01 2006 --- nlogin Wed May 17 02:36:55 2006 *************** *** 412,417 **** --- 412,419 ---- } } } + send "unset console page\r" + expect -re "$prompt" {} send "exit\r" expect { -re "$prompt" { *************** *** 511,516 **** --- 513,520 ---- send "set console page 0\r" expect -re $prompt {} source $sfile + send "unset console page\r" + expect -re "$prompt" {} close } else { label $firewall Thanks! - Morty From listuser at numbnuts.net Wed May 17 19:54:48 2006 
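Review bot: in the nlogin patch from Morty above, both added 'send "unset console page\r"' lines put paging back to the device default, not to the page size that was in effect before 'set console page 0' (visible as context in the second hunk), so a site that had configured its own value still ends up changed after every run; reading the current value before turning paging off and setting that value back would avoid this. The restore also runs only on the path that reaches 'send "exit\r"' or comes back from 'source $sfile', so a timeout or error before those points still leaves paging off, and the added 'expect -re "$prompt" {}' quotes $prompt where the neighbouring context line 'expect -re $prompt {}' does not, which is worth making consistent.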
From: listuser at numbnuts.net (listuser at numbnuts.net)
Date: Wed, 17 May 2006 14:54:48 -0500 (CDT)
Subject: [rancid] Re: Rancid and Motorola BSR64000
In-Reply-To: <00dd01c67440$f98575c0$c9035d18@rr.com>
Message-ID:

I haven't tried it on a BSR64000 but RANCID successfully locked me out of a
BSR1000. It turns out that the code we're running on the 1000 (1.1.19) has a
few bugs that pertain to non-gracefully disconnected telnet connections.
RANCID killed the connection when it didn't encounter the output it was
looking for (an "end" statement IIRC). 3 hung telnet connections later and I
could no longer get into the BSR. We had to reboot the thing to fix the
problem.

I'd love to get support for the BSR as well as the Arris C3. They are
Cisco-like but not quite close enough.

Justin

On Wed, 10 May 2006, Adam Pawlukiewicz wrote:

> Has anyone tried to get rancid to work with a Motorola BSR64000?
> Adam

From eravin at panix.com Thu May 18 21:50:27 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 18 May 2006 17:50:27 -0400
Subject: [rancid] patch for "out of band" access to devices
In-Reply-To: <20060513024749.GA29808@panix.com>
References: <20060513024749.GA29808@panix.com>
Message-ID: <20060518215027.GA7299@panix.com>

On Fri, May 12, 2006 at 10:47:49PM -0400, Ed Ravin wrote:
> On Tue, Aug 16, 2005 at 03:56:04PM +1000, Andrew Pollock wrote:
> ...
> > So the only way of managing the devices is via SSHing to the Cyclades and
> > getting on the console port. We can SSH directly to a specific port of the
> > Cyclades, and after authenticating, get on the console attached to that
> > port, and disconnect by way of the standard SSH disconnect break sequence
> > when we're done.
> >
> > I'm wondering if RANCID has evolved over the last nearly 2 years to include
> > such out of band access to devices, or if it's much of a muchness still?

As I posted previously, I've implemented this, and I now think/hope it's
clean enough to release a patch. Here's how it works in cloginrc:

    add method testrouter {usercmd}
    add usercmd testrouter {ssh} {-t} {termserver01} {cu -l /dev/tty01 -s 9600}
    add usercmd_chat testrouter {Connected.} {\r}

The patches below to clogin define a new method, "usercmd" (i.e. instead
of "telnet" or "ssh"), which tells clogin to use the exact text supplied
in the "usercmd" directive for that router as the command to spawn. Note
the way the command line args are delimited; the braces have to be used to
mark off the arguments or the spawn command will fail.

Since whatever out-of-band gizmo you're using to access the router might
need some more interaction to let you get to the router, the usercmd_chat
directive is a list of expect/send pairs - match something, send
something, match the next something, send something, etc. This is pretty
primitive but it should be enough to get through conserver, cu, kermit,
or whatever you're using as the out-of-band connector.
In the above case, usercmd_chat is defined to "wait for the string 'Connected.' and then send a CR". For Andrew's case above, he might have to do something like: add usercmd routeronc1 {ssh} {-t} {-p 12345} {cyclades01} add usercmd_chat routeronc1 {Login:} {operator\r} {Password:} {secret\r} {Connected.} {\r} to get past the authentication he describes, and then send a CR to the router to get it to display a prompt. I didn't code anything yet for the situation Andrew describes where he wants to send an SSH break sequence when he's done. The attached patch includes a fix to clogin so that it will hang up if it times out after it's already sent "exit" to the router - though it wastes a few more seconds timing out, it is a reliable way to close the connection in my environment. If it turns out someone needs to have more chat interaction upon exit, I'd be happy to code it in. The patch to clogin is attached. The first chunk may need to be applied by hand, since one of the surrounding lines is from my S/Key patches. -- Ed -------------- next part -------------- --- rancid-panix-3/libexec/rancid/clogin 2006-05-13 00:38:40.000000000 -0400 +++ rancid-panix-4/libexec/rancid/clogin 2006-05-15 21:00:20.000000000 -0400 @@ -288,7 +288,7 @@ # Log into the router. proc login { router user userpswd passwd enapasswd cmethod cyphertype } { global spawn_id in_proc do_command do_script platform - global prompt u_prompt p_prompt e_prompt sshcmd + global prompt u_prompt p_prompt e_prompt sshcmd usercmd usercmd_chat global otpinuse set in_proc 1 set uprompt_seen 0 
@@ -319,6 +319,22 @@ send_user "\nError: $sshcmd failed: $reason\n" exit 1 } + } elseif [string match "usercmd" $prog] { # user supplies connect cmd + set retval [ catch {eval spawn $usercmd} reason ] + if { $retval } { + send_user "\nError: '$usercmd' failed: $reason\n" + exit 1 + } + if { [llength $usercmd_chat] > 0 } { + #send_user "\nExecuting usercmd_chat: $usercmd_chat\n" + sleep 0.3 + foreach {i j} $usercmd_chat { + expect { + -re $i { eval send "\"$j\""} + timeout { send "\r"; send_user "\nTimeout in usercmd_chat waiting for -re $i: punting with CR\n"; break } + } + } + } } elseif ![string compare $prog "rsh"] { if [ catch {spawn rsh -l $user $router} reason ] { send_user "\nError: rsh failed: $reason\n" @@ -626,7 +642,7 @@ exp_continue } -re "\[\n\r]+" { exp_continue } - timeout { return 0 } + timeout { close; return 0 } eof { return 0 } } set in_proc 0 @@ -752,6 +768,10 @@ set sshcmd [find sshcmd $router] if { "$sshcmd" == "" } { set sshcmd {ssh} } + # If user provides a router-specific connection method, use it + set usercmd [find usercmd $router] + set usercmd_chat [find usercmd_chat $router] + # Login to the router if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype]} { continue From ch at westend.com Mon May 22 10:21:06 2006 From: ch at westend.com (Christian Hammers) Date: Mon, 22 May 2006 12:21:06 +0200 Subject: [rancid] Patch: Using logger instead of unattended logfiles Message-ID: <20060522102106.GA3474@westend.com> Hi I like to get noticed in case of errors and don't like logfiles that lay forgotten and unattended somewhere in a log/ directory so I piped the output to logger which writes it to the syslog file which is monitored by logcheck. It would be nice if this would be configurable (or default). bye, -christian- --- /home/ch/rancid-run 2006-05-22 11:27:47.419037711 +0200 +++ bin/rancid-run.in 2006-05-22 11:55:51.102623562 +0200 
@@ -81,10 +81,6 @@ exit 1 fi -if [ ! -d $LOGDIR ] ; then - mkdir $LOGDIR || (echo "Could not create log directory: $LOGDIR"; exit 1) -fi - for GROUP in $LIST_OF_GROUPS do @@ -131,5 +127,5 @@ echo echo ending: `date` - ) >$LOGDIR/$GROUP.`date +%Y%m%d.%H%M%S` 2>&1 + ) 2>&1 | grep -v '^$' | logger -p daemon.info -t "rancid/$GROUP" done -- Christian Hammers WESTEND GmbH | Internet-Business-Provider Technik CISCO Systems Partner - Authorized Reseller L?tticher Stra?e 10 Tel 0241/701333-11 ch at westend.com D-52064 Aachen Fax 0241/911879 From ch at westend.com Mon May 22 10:25:24 2006 From: ch at westend.com (Christian Hammers) Date: Mon, 22 May 2006 12:25:24 +0200 Subject: [rancid] [patch] Using diffstat in the output mail Message-ID: <20060522102524.GB3474@westend.com> Hello I modified the mail output to include the output of diffstat. This gives me a nice overview of what has changed without having to browse through the long mail: switch1.intern | 4 +++- routerxx.intern | 4 +++- sw04-xxx-yyy.westend.com | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) bye, -christian- --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100 +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100 @@ -392,6 +392,8 @@ Subject: $subject Precedence: bulk +`diffstat $TMP.diff` + `cat $TMP.diff` EMAIL fi -- Christian Hammers WESTEND GmbH | Internet-Business-Provider Technik CISCO Systems Partner - Authorized Reseller L?tticher Stra?e 10 Tel 0241/701333-11 ch at westend.com D-52064 Aachen Fax 0241/911879 From heas at shrubbery.net Mon May 22 16:14:46 2006 
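Review bot: in Ed Ravin's clogin patch, hunk @@ -319,6 +319,22 @@, the added 'eval send "\"$j\""' puts every usercmd_chat reply through a full Tcl evaluation just to turn \r into a carriage return, so a reply or password containing $, square brackets, a double quote or a backslash is substituted, run as a command or raises an error instead of being sent as written in .cloginrc; 'send -- [subst -nocommands -novariables $j]' expands the backslash escapes and nothing else. In the same loop the timeout branch sends a CR and breaks out, after which login proceeds as if the chat had completed; returning an error there instead would stop clogin from typing the username and password into whatever the front end happens to be showing.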
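Review bot: in Christian Hammers' rancid-run.in patch, hunk @@ -131,5 +127,5 @@, the new pipeline '2>&1 | grep -v '^$' | logger -p daemon.info -t "rancid/$GROUP"' sends every line at daemon.info, errors included, so the failures this change is meant to surface cannot be separated from routine output by priority, and the status of the pipeline is now logger's rather than that of the run. The first hunk also removes the LOGDIR creation outright, which takes the per-run log files away from every site; putting the destination behind a setting, with the file log kept as the default, and logging error lines at a higher priority would cover both points.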
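Review bot: in the control_rancid.in patch, the added '`diffstat $TMP.diff`' line runs unconditionally inside the mail here-document, so on a host without diffstat the summary is simply missing from the mail while the shell's error goes to stderr where nobody reading the mail will see it. Guard the line with a check that diffstat is on the PATH or with a configuration switch, and quote "$TMP.diff".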
From: heas at shrubbery.net (john heasley) Date: Mon, 22 May 2006 09:14:46 -0700 Subject: [rancid] Re: [patch] Using diffstat in the output mail In-Reply-To: <20060522102524.GB3474@westend.com> References: <20060522102524.GB3474@westend.com> Message-ID: <20060522161446.GB4674@shrubbery.net> Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers: > Hello > > I modified the mail output to include the output of diffstat. This gives > me a nice overview of what has changed without having to browse through > the long mail: > > switch1.intern | 4 +++- > routerxx.intern | 4 +++- > sw04-xxx-yyy.westend.com | 4 +++- > 3 files changed, 9 insertions(+), 3 deletions(-) > > bye, > -christian- Can't you do this with procmail? > --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100 > +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100 > @@ -392,6 +392,8 @@ > Subject: $subject > Precedence: bulk > > +`diffstat $TMP.diff` > + > `cat $TMP.diff` > EMAIL > fi > > > -- > Christian Hammers WESTEND GmbH | Internet-Business-Provider > Technik CISCO Systems Partner - Authorized Reseller > L?tticher Stra?e 10 Tel 0241/701333-11 > ch at westend.com D-52064 Aachen Fax 0241/911879 > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From mstefani at redhat.com Tue May 23 11:18:23 2006 
From: mstefani at redhat.com (Michael Stefaniuc) Date: Tue, 23 May 2006 13:18:23 +0200 Subject: [rancid] PATCH: Cisco C3825,3845: Fix parsing of show version Message-ID: <20060523111823.GA10295@redhat.com> Hello, the Cisco C3825 and C3845 do not include the processor information in show version: Cisco 3845 (revision 1.0) with 223232K/38912K bytes of memory. Therefor the parsing of that string fails and rancid won't include the "Chassis type", "Memory: main" and "Processor ID" lines into the saved configs. The attached patch fixes this. I tested it against all our devices with rancid type "cisco" and the patch dosn't introduce any regression. Though your milleage may vary. The patch applies both to rancid-2.3.1 and rancid-2.3.2a4 (with an offset here). bye michael -- Michael Stefaniuc Tel.: +49-711-96437-199 Sr. Network Engineer Fax.: +49-711-96437-111 Red Hat GmbH Email: mstefani at redhat.com Hauptstaetterstr. 58 http://www.redhat.de/ D-70178 Stuttgart -------------- next part -------------- --- rancid.orig 2006-05-23 03:58:36.000000000 -0400 +++ rancid 2006-05-23 05:03:02.000000000 -0400 @@ -211,7 +211,7 @@ next; /^System image file is "([^\"]*)"$/ && ProcessHistory("COMMENTS","keysort","F5","!Image: $1\n") && next; - if (/(\S+)\s+\((\S+)\)\s+processor.*with (\S+[kK]) bytes/) { + if (/(\S+)\s+(?:\((\S+)\)\s+processor\s+)?\(revision[^)]+\).*with (\S+[kK]) bytes/) { my($proc) = $1; my($cpu) = $2; my($mem) = $3; @@ -256,6 +256,8 @@ $type = "3600"; } elsif ( $proc =~ /^37/) { $type = "3700"; + } elsif ( $proc =~ /^38/) { + $type = "3800"; } elsif ( $proc eq "RSP7000") { $type = "7500"; } elsif ( $proc =~ /RSP\d/) { 
@@ -299,7 +301,9 @@ "!Chassis type:$slave $proc - a $type $device\n"); ProcessHistory("COMMENTS","keysort","B1", "!Memory:$slave main $mem\n"); - ProcessHistory("COMMENTS","keysort","A3","!CPU:$slave $cpu$_$slaveslot\n"); + if (defined($cpu)) { + ProcessHistory("COMMENTS","keysort","A3","!CPU:$slave $cpu$_$slaveslot\n"); + } next; } if (/(\S+) Silicon\s*Switch Processor/) { -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: not available Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20060523/8f03c883/attachment.bin From ch at westend.com Tue May 23 12:10:23 2006 
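Review bot: in Michael Stefaniuc's rancid patch, hunk @@ -211,7 +211,7 @@, the new pattern makes '\(revision[^)]+\)' mandatory where the old one only needed 'processor.*with', so a "show version" line that carries the processor clause but no "(revision ...)" part matched before and now falls through, losing the Chassis type and Memory lines for that device. An alternation that accepts either the processor clause or the revision clause keeps the old matches without also matching unrelated "with ...K bytes" lines; the 'if (defined($cpu))' guard in hunk @@ -299,7 +301,9 @@ exists only for the case where the processor group is absent and deserves a comment saying so.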
From: ch at westend.com (Christian Hammers) Date: Tue, 23 May 2006 14:10:23 +0200 Subject: [rancid] Re: [patch] Using diffstat in the output mail In-Reply-To: <20060522161446.GB4674@shrubbery.net> References: <20060522102524.GB3474@westend.com> <20060522161446.GB4674@shrubbery.net> Message-ID: <20060523121023.GA21314@westend.com> On Mon, May 22, 2006 at 09:14:46AM -0700, john heasley wrote: > Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers: > > Hello > > > > I modified the mail output to include the output of diffstat. This gives > > me a nice overview of what has changed without having to browse through > > the long mail: > > > > switch1.intern | 4 +++- > > routerxx.intern | 4 +++- > > sw04-xxx-yyy.westend.com | 4 +++- > > 3 files changed, 9 insertions(+), 3 deletions(-) > > > > bye, > > -christian- > > Can't you do this with procmail? procmail?! As I completely fail to see how procmail can be used here I better explain my idea a bit more :-) Normally when changes to our routers were made, I get one mail containing the diff output of say 6 different router configs. To see that a) one specific router was affected at all and b) the changes on this router were very big or just one line, I would have to scroll down the long mail and inspect the diff. With this one-line patch I get a nice diffstat output at the top of the mail and can quickly see that e.g. somebody modified all edge routers or all intranet routers and can better decide if I want to read the details... bye, -christian- > > > --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100 > > +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100 
> > @@ -392,6 +392,8 @@ > > Subject: $subject > > Precedence: bulk > > > > +`diffstat $TMP.diff` > > + > > `cat $TMP.diff` > > EMAIL > > fi > > > > > > -- > > Christian Hammers WESTEND GmbH | Internet-Business-Provider > > Technik CISCO Systems Partner - Authorized Reseller > > L?tticher Stra?e 10 Tel 0241/701333-11 > > ch at westend.com D-52064 Aachen Fax 0241/911879 > > > > _______________________________________________ > > Rancid-discuss mailing list > > Rancid-discuss at shrubbery.net > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss -- Christian Hammers WESTEND GmbH | Internet-Business-Provider Technik CISCO Systems Partner - Authorized Reseller L?tticher Stra?e 10 Tel 0241/701333-11 ch at westend.com D-52064 Aachen Fax 0241/911879 From andy at shady.org Tue May 23 14:22:58 2006 
From: andy at shady.org (andy)
Date: Tue, 23 May 2006 15:22:58 +0100
Subject: [rancid] Re: extreme issues
In-Reply-To: <20060419160204.GD15903@shady.org>
References: <20060419160204.GD15903@shady.org>
Message-ID: <20060523142257.GD30136@shady.org>

An update on this issue:

clogin has stopped working with extreme with extremeIOS latest versions it seems.
This relates to both admin and local users, with or without TACACS+.

example1 (local admin user)

carp:~/rancid-2.3.2a4/bin$ ./clogin -c "show version" ballinteer-switch.internal.nw
ballinteer-switch.internal.nw
spawn ssh -c 3des -x -l admin ballinteer-switch.internal.nw
admin at ballinteer-switch.internal.nw's password:

ExtremeWare
Copyright (C) 1996-2005 Extreme Networks. All rights reserved.
Protected by U.S Patent Nos 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957
==============================================================================

Press the key at any time for completions.
Remember to save your configuration changes.
Ballinteer Summit 48si:1 #
Ballinteer Summit 48si:1 # ^]quit
^C^C^Ccarp:~/rancid-2.3.2a4/bin$

example2 (local non admin user)

carp:~/rancid-2.3.2a4/bin$ ./clogin -u look -p xxxxxxx -c "show version" ballinteer-switch.internal.nw
ballinteer-switch.internal.nw
spawn ssh -c 3des -x -l look ballinteer-switch.internal.nw
look at ballinteer-switch.internal.nw's password:

ExtremeWare
Copyright (C) 1996-2005 Extreme Networks. All rights reserved.
Protected by U.S Patent Nos 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957
==============================================================================

Press the key at any time for completions.
Ballinteer Summit 48si:1 >
Ballinteer Summit 48si:1 >Connection to ballinteer-switch.internal.nw closed.
carp:~/rancid-2.3.2a4/bin$

example3 (tacacs non admin user)

carp:~/rancid-2.3.2a4/bin$ ./clogin -u look -p xxxxxx -c "show version" athlone-switch.internal.nw
athlone-switch.internal.nw
spawn ssh -c 3des -x -l look athlone-switch.internal.nw
look at athlone-switch.internal.nw's password:

ExtremeWare
Copyright (C) 1996-2005 Extreme Networks. All rights reserved.
Protected by U.S Patent Nos 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957
==============================================================================

Press the key at any time for completions.
Summit48si:1 >
Summit48si:1 >Connection to athlone-switch.internal.nw closed.

The version of rancid is the latest version "rancid-2.3.2a4".
I believe this is due to a change in the prompt made by extreme in the last few releases of their firmware.

Does anyone have a working copy of clogin that works with local users with extreme switches, as I've never managed
to get clogin working with a non-admin user?

clogin cvs revision number: clogin.in,v 1.94 2006/04/28

This extreme IOS change has also affected version "clogin.in,v 1.79" which is still the currently distributed
ports version for FreeBSD.

I can supply outputs, in any environment with or without tacacs auth, using local or admin users if someone can fix
the expect code used.

cheers

On Wed, Apr 19, 2006 at 05:02:04PM +0100, andy wrote:
> Follow up to list:
>
>
>
> ----- Forwarded message from andy -----
>
> Date: Tue, 18 Apr 2006 20:52:32 +0100
> From: andy
> To: john heasley
> Subject: Re: extreme issues
>
> Do you have enough info to look into this issue?
> I can provide more if needed, I've looked into it fairly closely now and I have to admit, without going right through
> the code, I would not be able to solve the issue.
>
> I did some testing today however, and it seems the issue exists with a "user" account and no tacacs.
> I could only get clogin to work with the "admin" user using both versions 7.4 and the new 7.5.
>
> cheers
>
>
>
> On Sun, Apr 16, 2006 at 03:33:48PM +0000, john heasley wrote:
> > can you show me the prompt/clogin without tacacs?
> >
> > Fri, Apr 14, 2006 at 07:04:16PM +0100, andy:
> > > Hi,
> > >
> > > I've been using rancid for quite some time now, and we decided to roll out tac_plus for auth on our extremes.
> > > Basically, rancid then stopped working.
> > >
> > > I've been using tac_plus for junipers for a while quite successfully. All good.
> > > So, basically, I have a user called "look" that I use for rancid.
> > >
> > > This is the tac_plus conf for the look group:
> > >
> > > group = tier1
> > > {
> > >     ## extreme tacacs configuration
> > >     default service = deny
> > >     cmd = show {
> > >         permit configuration
> > >         permit version
> > >         permit memory
> > >         permit switch
> > >         permit slot
> > >         permit diag
> > >         deny .*
> > >     }
> > >     cmd = disable {
> > >         permit clipaging
> > >         deny .*
> > >     }
> > >
> > >     ## cli service for junipers
> > >     service = junos-exec
> > >     {
> > >         priv_lvl = 15
> > >         local-user-name = tier1
> > >         allow-commands = ""
> > >         allow-configuration = ""
> > >         deny-commands = "monitor|request|file"
> > >         deny-configuration = ""
> > >     }
> > > }
> > >
> > > I was running the ports version of rancid when stuff broke but I've now downloaded the latest version.
> > > It still appears fairly broken though with our new config. I know that the prompt changed when we moved from using an
> > > admin user to a non-admin user.
> > >
> > > Is there a fix for the errors below.
> > >
> > > cheers
> > >
> > > this is the output when I try to run clogin
> > >
> > > carp:~$ ./clogin -c "show version;show version" tallaght-switch.internal.nw
> > > tallaght-switch.internal.nw
> > > spawn ssh -c 3des -x -l andy tallaght-switch.internal.nw
> > > andy at tallaght-switch.internal.nw's password:
> > >
> > > ExtremeWare
> > > Copyright (C) 1996-2003 Extreme Networks. All rights reserved.
> > > ===============================================================
> > >
> > > Press the key at any time for completions.
> > > Tallaght Summit 48si::1 > can't read "expect_out(2,string)": no such element in array
> > > while executing
> > > "set prompt ".? ?$junk\[0-9]+ $expect_out(2,string)""
> > > invoked from within
> > > "expect -nobrace -re {[
> > > ]+} { exp_continue; } -re {^(.+:)1 >} { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config changes..."
> > > invoked from within
> > > "expect {
> > > -re "\[\r\n]+" { exp_continue; }
> > > -re "^(.+:)1 $prompt" { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config ch..."
> > > ("foreach" body line 125)
> > > invoked from within
> > > "foreach router [lrange $argv $i end] {
> > > set router [string tolower $router]
> > > send_user "$router\n"
> > >
> > > # Figure out the prompt.
> > > # autoenabl..."
> > > (file "./clogin" line 686)
> > > carp:~$ ./clogin -autoenable -c "show version;show version" tallaght-switch.internal.nw
> > > tallaght-switch.internal.nw
> > > spawn ssh -c 3des -x -l andy tallaght-switch.internal.nw
> > > andy at tallaght-switch.internal.nw's password:
> > >
> > > ExtremeWare
> > > Copyright (C) 1996-2003 Extreme Networks. All rights reserved.
> > > ===============================================================
> > >
> > > Press the key at any time for completions.
> > > Tallaght Summit 48si::1 >
> > > ^C^C^Ccarp:~$ ./clogin -noenable -c "show version;show version" tallaght-switch.internal.nw
> > > tallaght-switch.internal.nw
> > > spawn ssh -c 3des -x -l andy tallaght-switch.internal.nw
> > > andy at tallaght-switch.internal.nw's password:
> > >
> > > ExtremeWare
> > > Copyright (C) 1996-2003 Extreme Networks. All rights reserved.
> > > ===============================================================
> > >
> > > Press the key at any time for completions.
> > > Tallaght Summit 48si::1 > can't read "expect_out(2,string)": no such element in array
> > > while executing
> > > "set prompt ".? ?$junk\[0-9]+ $expect_out(2,string)""
> > > invoked from within
> > > "expect -nobrace -re {[
> > > ]+} { exp_continue; } -re {^(.+:)1 >} { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config changes..."
> > > invoked from within
> > > "expect {
> > > -re "\[\r\n]+" { exp_continue; }
> > > -re "^(.+:)1 $prompt" { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config ch..."
> > > ("foreach" body line 125)
> > > invoked from within
> > > "foreach router [lrange $argv $i end] {
> > > set router [string tolower $router]
> > > send_user "$router\n"
> > >
> > > # Figure out the prompt.
> > > # autoenabl..."
> > > (file "./clogin" line 686)
> > >
> > >
> > > --
> > > andy andy at shady.org
> > > -----------------------------------------------
> > > Never argue with an idiot. They drag you down
> > > to their level, then beat you with experience.
> > > -----------------------------------------------
> >
>
> --
> andy andy at shady.org
> -----------------------------------------------
> Never argue with an idiot. They drag you down
> to their level, then beat you with experience.
> -----------------------------------------------
>
> ----- End forwarded message -----
>
> --
> andy andy at shady.org
> -----------------------------------------------
> Never argue with an idiot.
They drag you down
> to their level, then beat you with experience.
> -----------------------------------------------

--
andy andy at shady.org
-----------------------------------------------
Never argue with an idiot. They drag you down
to their level, then beat you with experience.
-----------------------------------------------

From heas at shrubbery.net Tue May 23 19:13:30 2006
From: heas at shrubbery.net (john heasley) Date: Tue, 23 May 2006 12:13:30 -0700 Subject: [rancid] Re: [patch] Using diffstat in the output mail In-Reply-To: <20060523121023.GA21314@westend.com> References: <20060522102524.GB3474@westend.com> <20060522161446.GB4674@shrubbery.net> <20060523121023.GA21314@westend.com> Message-ID: <20060523191330.GG16410@shrubbery.net> Tue, May 23, 2006 at 02:10:23PM +0200, Christian Hammers: > On Mon, May 22, 2006 at 09:14:46AM -0700, john heasley wrote: > > Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers: > > > Hello > > > > > > I modified the mail output to include the output of diffstat. This gives > > > me a nice overview of what has changed without having to browse through > > > the long mail: > > > > > > switch1.intern | 4 +++- > > > routerxx.intern | 4 +++- > > > sw04-xxx-yyy.westend.com | 4 +++- > > > 3 files changed, 9 insertions(+), 3 deletions(-) > > > > > > bye, > > > -christian- > > > > Can't you do this with procmail? > > procmail?! As I completely fail to see how procmail can be used here I > better explain my idea a bit more :-) > > Normally when changes to our routers were made, I get one mail > containing the diff output of say 6 different router configs. > > To see that a) one specific router was affected at all and b) the > changes on this router were very big or just one line, I would have to > scroll down the long mail and inspect the diff. > > With this one-line patch I get a nice diffstat output at the top of the > mail and can quickly see that e.g. somebody modified all edge routers > or all intranet routers and can better decide if I want to read the > details... 
> > bye, > > -christian- :0:maildir.lock * Subject: .* diffs * !^X-MAILLOOP: diffstat | (cd $MAILDIR; tee copy | sed -e '1,/^$/d' > body; sed -e '1,/^$/p' -e '/^$/q' copy > headers; cat headers; diffstat body; echo ; cat body; rm -f copy headers body; ) | formail -A "X-MAILLOOP: diffstat" -s procmail > > > > > --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100 > > > +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100 > > > @@ -392,6 +392,8 @@ > > > Subject: $subject > > > Precedence: bulk > > > > > > +`diffstat $TMP.diff` > > > + > > > `cat $TMP.diff` > > > EMAIL > > > fi > > > > > > > > > -- > > > Christian Hammers WESTEND GmbH | Internet-Business-Provider > > > Technik CISCO Systems Partner - Authorized Reseller > > > L?tticher Stra?e 10 Tel 0241/701333-11 > > > ch at westend.com D-52064 Aachen Fax 0241/911879 > > > > > > _______________________________________________ > > > Rancid-discuss mailing list > > > Rancid-discuss at shrubbery.net > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > -- > Christian Hammers WESTEND GmbH | Internet-Business-Provider > Technik CISCO Systems Partner - Authorized Reseller > L?tticher Stra?e 10 Tel 0241/701333-11 > ch at westend.com D-52064 Aachen Fax 0241/911879 From ch at westend.com Tue May 23 19:54:42 2006 
From: ch at westend.com (Christian Hammers) Date: Tue, 23 May 2006 21:54:42 +0200 Subject: [rancid] Re: [patch] Using diffstat in the output mail In-Reply-To: <20060523191330.GG16410@shrubbery.net> References: <20060522102524.GB3474@westend.com> <20060522161446.GB4674@shrubbery.net> <20060523121023.GA21314@westend.com> <20060523191330.GG16410@shrubbery.net> Message-ID: <20060523195442.GA29042@westend.com> Hello On Tue, May 23, 2006 at 12:13:30PM -0700, john heasley wrote: > :0:maildir.lock > * Subject: .* diffs > * !^X-MAILLOOP: diffstat > | (cd $MAILDIR; tee copy | sed -e '1,/^$/d' > body; sed -e '1,/^$/p' -e '/^$/q' copy > headers; cat headers; diffstat body; echo ; cat body; rm -f copy headers body; ) | formail -A "X-MAILLOOP: diffstat" -s procmail *shudder* Ok, ok, I acknowledge that it really *is* possible to do with procmail, but you won't propose me to fix it this way, or? :) As I still think that the additional diffstat output would be beneficial to/liked by the majority of the rancid users, I would still prefer to see my one-line patch included... maybe with a "if $WANT_DIFFSTAT then" surrounded to make it configurable. I would even send you patches for this. > > > > --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100 > > > > +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100 > > > > @@ -392,6 +392,8 @@ > > > > Subject: $subject > > > > Precedence: bulk > > > > > > > > +`diffstat $TMP.diff` > > > > + > > > > `cat $TMP.diff` > > > > EMAIL > > > > fi bye, -christian- -- Christian Hammers WESTEND GmbH | Internet-Business-Provider Technik CISCO Systems Partner - Authorized Reseller L?tticher Stra?e 10 Tel 0241/701333-11 ch at westend.com D-52064 Aachen Fax 0241/911879 From asp at partan.com Tue May 23 19:59:18 2006 
From: asp at partan.com (Andrew Partan)
Date: Tue, 23 May 2006 15:59:18 -0400
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060522102524.GB3474@westend.com>
References: <20060522102524.GB3474@westend.com>
Message-ID: <20060523195918.GB70283@partan.com>

On Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers wrote:
> I modified the mail output to include the output of diffstat.

diffstat is another package & thus another thing that must be
installed before running rancid. Is it worth it? Dunno.

--asp

From rspeed at gmail.com Wed May 24 16:11:56 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Wed, 24 May 2006 09:11:56 -0700
Subject: [rancid] ignore certain diff's
Message-ID:

Howdy,

I've got rancid checking a few cisco routers running Callmanager
Express which has turned out to be a bit of an annoyance because when
people forward their phones I get the diff emails sent out. Before I
go hacking away at the scripts could someone suggest an elegant way to
add exceptions to the emailing of diffs? I'm assuming a | grep -v
call-forward in the right place would do the trick.

Thanks,
Ryan

--
><(((?> Ryan Speed

From tex at off.org Wed May 24 16:46:05 2006
From: tex at off.org (Austin Schutz)
Date: Wed, 24 May 2006 09:46:05 -0700
Subject: [rancid] Re: ignore certain diff's
In-Reply-To:
References:
Message-ID: <20060524164605.GD7880@gblx.net>

On Wed, May 24, 2006 at 09:11:56AM -0700, Ryan Speed wrote:
> Howdy,
>
> I've got rancid checking a few cisco routers running Callmanager
> Express which has turned out to be a bit of an annoyance because when
> people forward their phones I get the diff emails sent out. Before I
> go hacking away at the scripts could someone suggest an elegant way to
> add exceptions to the emailing of diffs? I'm assuming a | grep -v
> call-forward in the right place would do the trick.
>

Hmm, yesterday someone else mentioned a different concept of
filtering the diffs before they were emailed. Seems like maybe we could
make the diff command configurable so people could plug in alternatives
or do extra filtering.

Austin

From david_laporte at harvard.edu Wed May 24 16:58:58 2006
From: david_laporte at harvard.edu (David LaPorte)
Date: Wed, 24 May 2006 12:58:58 -0400
Subject: [rancid] Re: ignore certain diff's
In-Reply-To:
References:
Message-ID: <447490D2.3060702@harvard.edu>

We do something similar to ignore access-list changes. It's more
in-depth than simply grep'ing it (since there are context lines as well
you don't want to see), but hacking control_rancid as follows should work:

cvs -f diff -U 4 | sed -e '/^RCS file: /d' -e '/^--- /d' \
    -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff

to:

cvs -f diff -U 4 --ignore-matching-lines='^call-forward' | sed -e '/^RCS file: /d' -e '/^--- /d' -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff

For some reason, I seem to remember it would still email even if the
diff were blank, so I wrapped the email section in a:

DIFF=`cat $TMP.diff | grep -v "^===" | grep -v "^diff " | grep -v "^Index: " | grep -v "^retrieving revision" | grep -v "^$"`
if [ -n "$DIFF" ]; then
    ...email stuff here...
fi

There may be a better way, but that has worked well for me.

Dave

Ryan Speed wrote:
> Howdy,
>
> I've got rancid checking a few cisco routers running Callmanager
> Express which has turned out to be a bit of an annoyance because when
> people forward their phones I get the diff emails sent out. Before I
> go hacking away at the scripts could someone suggest an elegant way to
> add exceptions to the emailing of diffs? I'm assuming a | grep -v
> call-forward in the right place would do the trick.
>
> Thanks,
> Ryan
>

From eravin at panix.com Wed May 24 19:14:07 2006
From: eravin at panix.com (Ed Ravin)
Date: Wed, 24 May 2006 15:14:07 -0400
Subject: [rancid] Re: ignore certain diff's
In-Reply-To:
References:
Message-ID: <20060524191407.GA15602@panix.com>

On Wed, May 24, 2006 at 09:11:56AM -0700, Ryan Speed wrote:
> I've got rancid checking a few cisco routers running Callmanager
> Express which has turned out to be a bit of an annoyance because when
> people forward their phones I get the diff emails sent out. Before I
> go hacking away at the scripts could someone suggest an elegant way to
> add exceptions to the emailing of diffs?

Assuming GNU diff, you could use something like this:

DIFFSUPPRESSOPTS="-b -I '^ntp clock-period [0-9][0-9]*' -I '^! Last configuration change ' -I '^! NVRAM config last updated '"

The above is a fragment from a non-RANCID script I have that manipulates
the routers. The -I (or --ignore-matching-lines) option specifies patterns
that diff will ignore if the differences in that line match the specified RE.

I'm sure with judicious use of one or two shell variables, we could have
settings in rancid.conf to allow various kinds of fine-tuning of the diff
listing that RANCID mails out.

From jim.bartus at gmail.com Thu May 25 15:45:09 2006
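The filtering discussed in the two replies above, as an added example that is not from any poster or from RANCID itself: it compares removing call-forward lines from the finished diff with `grep -v` against GNU diff's `-I`, then applies the empty-diff check before mailing. The configs are constructed, plain `diff` on two files stands in for `cvs diff`, and the function names and the leading-blank pattern are assumptions of the example.

```shell
#!/bin/sh
# Added example: the configs are constructed, not taken from a real device.
# Assumes GNU diff; -I/--ignore-matching-lines is not part of POSIX diff.

# Assumption of this example: allow leading blanks so the pattern also
# matches the line where it is printed indented under its parent block.
IGNORE_RE='^ *call-forward '

# build_cases DIR: write a baseline config and two changed versions of it.
build_cases() {
    cat > "$1/base.cfg" <<'EOF'
hostname cme-lab
!
ephone-dn 1
 number 1001
 call-forward all 2001
!
interface FastEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description phones
 ip address 198.51.100.1 255.255.255.0
 duplex auto
 speed auto
!
access-list 101 permit tcp host 192.0.2.50 any eq 22
access-list 101 deny ip any any
!
end
EOF
    # Case 1: only a phone forward changed.
    sed 's/call-forward all 2001/call-forward all 3005/' \
        "$1/base.cfg" > "$1/fwd_only.cfg"
    # Case 2: the same forward change plus an ACL edit elsewhere in the file.
    sed 's/permit tcp host 192.0.2.50 any/permit tcp any any/' \
        "$1/fwd_only.cfg" > "$1/fwd_and_acl.cfg"
}

# strip_headers: drop the ---/+++ file header lines, as the sed in the
# thread does.
strip_headers() {
    sed -e '/^--- /d' -e '/^+++ /d'
}

# naive_filter OLD NEW: remove call-forward lines from the finished diff.
# The hunk header and the context lines of that hunk are left behind.
naive_filter() {
    diff -U 4 "$1" "$2" | strip_headers | grep -v 'call-forward' || true
}

# filtered_diff OLD NEW: let diff itself drop hunks whose changed lines
# all match IGNORE_RE.
filtered_diff() {
    diff -U 4 -I "$IGNORE_RE" "$1" "$2" | strip_headers
}

# should_mail TEXT: succeed only if something reportable is left, using the
# same banner and blank-line filters as the check quoted in the thread.
should_mail() {
    left=$(printf '%s\n' "$1" | grep -v -e '^===' -e '^diff ' \
        -e '^Index: ' -e '^retrieving revision' -e '^$' || true)
    [ -n "$left" ]
}

# report LABEL OLD NEW: show the mail decision under both filters.
report() {
    for f in naive_filter filtered_diff; do
        if should_mail "$($f "$2" "$3")"; then
            verdict="mail sent"
        else
            verdict="no mail"
        fi
        printf '%-14s %-14s %s\n' "$1" "$f" "$verdict"
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    build_cases "$tmp"
    report "forward only" "$tmp/base.cfg" "$tmp/fwd_only.cfg"
    report "forward + ACL" "$tmp/base.cfg" "$tmp/fwd_and_acl.cfg"
    rm -rf "$tmp"
}

demo
```

GNU diff drops a hunk under `-I` only when every inserted and deleted line in it matches, so an ACL edit sitting next to a forward change is still reported, forward line included.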
From: jim.bartus at gmail.com (jim bartus)
Date: Thu, 25 May 2006 11:45:09 -0400
Subject: [rancid] post-install, now what?
Message-ID:

I've gotten a trial install of rancid going on my network now checking
about 20 devices (all cisco, switches, routers, and two pixes). My
question is... now what?

For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
running config sitting in a tftp root, which made it easy to "copy tftp
run" from a device to restore a config. How do you guys address this in
rancid? I notice that since what rancid stores in cvs is one giant file,
I'd have to write a script to parse out the parts I want. Is there a
community site of some sort where scripts like these are posted?

Also, has anyone done any integration work with syslog so that rancid
will automatically run against a device when a log message about its
config changing comes in?

Mostly I'm just trying to avoid as much re-inventing of the wheel as
possible, so I'm hoping to find documentation, tips, best practices, and
scripts that may already exist.

-jim

From eravin at panix.com Thu May 25 15:59:19 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 25 May 2006 11:59:19 -0400
Subject: [rancid] Re: post-install, now what?
In-Reply-To:
References:
Message-ID: <20060525155919.GC6833@panix.com>

On Thu, May 25, 2006 at 11:45:09AM -0400, jim bartus wrote:
> I've gotten a trial install of rancid going on my network now checking
> about 20 devices (all cisco, switches, routers, and two pixes). My
> question is... now what?
> For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
> running config sitting in a tftp root, which made it easy to "copy
> tftp run" from a device to restore a config. How do you guys address
> this in rancid?

We don't. RANCID post-processes the config in various ways that improve
change reporting but lose the original config. For starters, by default
all passwords get removed from the config so that they don't accidentally
get emailed out, but there are more subtle transformations: sequence numbers
get removed, some things get sorted, etc.

You probably want to keep Pancho around so that you'll have an exact copy
of the config to restore from.

> I notice that since what rancid stores in cvs is one
> giant file, I'd have to write a script to parse out the parts I want.
> Is there a community site of some sort where scripts like these are
> posted?

The current copy of the config is kept available for your use - look
in /configs . You may also want to read through the Perl code for the
*rancid scripts to see how they parse out bits and pieces of the config.

> Also, has anyone done any integration work with syslog so that rancid
> will automatically run against a device when a log message about its
> config changing comes in?

See the entry for Simple Event Coordinator (SEC) in the RANCID FAQ:

http://www.shrubbery.net/rancid/FAQ

> Mostly I'm just trying to avoid as much re-inventing of the wheel as
> possible, so I'm hoping to find documentation, tips, best practices,
> and scripts that may already exist.
The best resource seems to be the archives of this mailing list, where
I got the tip above about SEC :-).

From jim.bartus at gmail.com Thu May 25 18:54:38 2006
From: jim.bartus at gmail.com (jim bartus)
Date: Thu, 25 May 2006 14:54:38 -0400
Subject: [rancid] Re: post-install, now what?
In-Reply-To: <20060525155919.GC6833@panix.com>
References: <20060525155919.GC6833@panix.com>
Message-ID:

Thanks Ed, but I can't find any mention of SEC in that link.

From willay at gmail.com Thu May 25 19:00:32 2006
From: willay at gmail.com (William)
Date: Thu, 25 May 2006 20:00:32 +0100
Subject: [rancid] Re: post-install, now what?
In-Reply-To:
References: <20060525155919.GC6833@panix.com>
Message-ID:

Hi Jim,

We use swatch to look out for the %SYS-5-CONFIG message generated in
our syslog logs, which will then run rancid to update all of our
devices.

This doc might be worth reading:
http://sourceforge.net/docman/display_doc.php?docid=5332&group_id=25401

Regards,
Will

On 25/05/06, jim bartus wrote:
> Thanks Ed, but I can't find any mention of SEC in that link.

From tck at pretend.net Thu May 25 19:09:52 2006
From: tck at pretend.net (Thomas C. Knoeller)
Date: Thu, 25 May 2006 15:09:52 -0400
Subject: [rancid] no password on cat5
Message-ID: <20060525190952.GA23066@pretend.net>

Howdy,

I have a couple of lab CatOS devices that we do not require a password to
log in to. But in CatOS, I still have to hit return at the "Enter password:"
user prompt to login. How would I represent an empty password for these
devices in the .clogin file?

Thanks,

-Tom

From eravin at panix.com Thu May 25 19:20:01 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 25 May 2006 15:20:01 -0400
Subject: [rancid] Re: post-install, now what?
In-Reply-To:
References: <20060525155919.GC6833@panix.com>
Message-ID: <20060525192001.GA5041@panix.com>

On Thu, May 25, 2006 at 02:54:38PM -0400, jim bartus wrote:
>
> Thanks Ed, but I can't find any mention of SEC in that link.

And neither can I. I guess I shouldn't believe everything I read.
Here's a mailing list archive with the information that claimed to be
in the FAQ:

http://threebit.net/mail-archive/cisco-nsp/msg00122.html
http://threebit.net/mail-archive/cisco-nsp/msg00053.html

From eravin at panix.com Thu May 25 19:24:51 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 25 May 2006 15:24:51 -0400
Subject: [rancid] Re: no password on cat5
In-Reply-To: <20060525190952.GA23066@pretend.net>
References: <20060525190952.GA23066@pretend.net>
Message-ID: <20060525192451.GB5041@panix.com>

On Thu, May 25, 2006 at 03:09:52PM -0400, Thomas C. Knoeller wrote:
> I have a couple of lab CatOS device that we do not require a password to log
> in to. But in CatOS, I still have to hit return at the "Enter password:" user
> prompt to login. How would I represent an empty password for these devices in
> the .clogin file?

Have you tried:

add password ROUTERNAME {} {enable-pw}

From tck at pretend.net Thu May 25 19:46:51 2006
From: tck at pretend.net (Thomas C. Knoeller)
Date: Thu, 25 May 2006 15:46:51 -0400
Subject: [rancid] Re: no password on cat5
In-Reply-To: <20060525192451.GB5041@panix.com>
References: <20060525190952.GA23066@pretend.net> <20060525192451.GB5041@panix.com>
Message-ID: <20060525194651.GB23066@pretend.net>

| Have you tried:
|
| add password ROUTERNAME {} {enable-pw}

Shortly after I sent this, yes. And it worked. Originally I was trying
userpassword like this:

add userpassword ROUTERNAME {}
add password * {user} {enable}

It failed with userpassword both before and after the password line.
But working now.

Thanks!

-Tom

From rspeed at gmail.com Thu May 25 22:50:43 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Thu, 25 May 2006 15:50:43 -0700
Subject: [rancid] Re: ignore certain diff's
In-Reply-To: <20060524191407.GA15602@panix.com>
References: <20060524191407.GA15602@panix.com>
Message-ID:

I assume this isn't an out of the box solution, I'd have to modify the
scripts to actually use the DIFFSUPPRESSOPTS variable? I'm not trying
to sound ungrateful I just want to make sure I read the email
properly.

thanks for all the responses thus far.

On 5/24/06, Ed Ravin wrote:
> On Wed, May 24, 2006 at 09:11:56AM -0700, Ryan Speed wrote:
> > I've got rancid checking a few cisco routers running Callmanager
> > Express which has turned out to be a bit of an annoyance because when
> > people forward their phones I get the diff emails sent out. Before I
> > go hacking away at the scripts could someone suggest an elegant way to
> > add exceptions to the emailing of diffs?
>
> Assuming GNU diff, you could use something like this:
>
> DIFFSUPPRESSOPTS="-b -I '^ntp clock-period [0-9][0-9]*' -I '^! Last configuration change ' -I '^! NVRAM config last updated '"
>
> The above is a fragment from a non-RANCID script I have that manipulates
> the routers. The -I (or --ignore-matching-lines) option specifies patterns
> that diff will ignore if the differences in that line match the specified RE.
>
> I'm sure with judicious use of one or two shell variables, we could have
> settings in rancid.conf to allow various kinds of fine-tuning of the diff
> listing that RANCID mails out.
>

--
><(((?> Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)

From jlewis at lewis.org Fri May 26 16:22:46 2006
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 26 May 2006 12:22:46 -0400 (EDT)
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060523195918.GB70283@partan.com>
References: <20060522102524.GB3474@westend.com> <20060523195918.GB70283@partan.com>
Message-ID:

On Tue, 23 May 2006, Andrew Partan wrote:

> On Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers wrote:
>> I modified the mail output to include the output of diffstat.
>
> diffstat is another package & thus another thing that must be
> installed before running rancid. Is it worth it? Dunno.

I like the idea, and have patched it into our rancid installation. With a
little more work, this could be turned into a configurable option such
that rancid doesn't actually depend on it.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From dev at linkdown.org Sun May 28 17:55:00 2006
From: dev at linkdown.org (Bruno Prigent)
Date: Sun, 28 May 2006 19:55:00 +0200
Subject: [rancid] rancid-addons - a RANCID script compilation
Message-ID: <4479E3F4.10806@linkdown.org>

Hi,

I "wrote" few scripts for rancid (radware support and extend netscreen
support). I decided to make them available to the public (GPL). I called
this rancid-addons. I kept a reference to the RANCID licence and put the
file COPYING.RANCID in the package.

You can visit my website to download the archive :
English : http://www.linkdown.org/static_rancidaddons_en.html
French : http://www.linkdown.org/fr/static_rancidaddons_fr.html

regards,
Bruno

From heas at shrubbery.net Tue May 30 14:46:39 2006
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 May 2006 07:46:39 -0700
Subject: [rancid] Re: post-install, now what?
In-Reply-To: <20060525155919.GC6833@panix.com>
References: <20060525155919.GC6833@panix.com>
Message-ID: <20060530144639.GB25876@shrubbery.net>

Thu, May 25, 2006 at 11:59:19AM -0400, Ed Ravin:
> On Thu, May 25, 2006 at 11:45:09AM -0400, jim bartus wrote:
> > I've gotten a trial install of rancid going on my network now checking
> > about 20 devices (all cisco, switches, routers, and two pixes). My
> > question is... now what?
> > For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
> > running config sitting in a tftp root, which made it easy to "copy
> > tftp run" from a device to restore a config. How do you guys address
> > this in rancid?
>
> We don't. RANCID post-processes the config in various ways that improve
> change reporting but lose the original config. For starters, by default
> all passwords get removed from the config so that they don't accidentally
> get emailed out, but there are more subtle transformations: sequence numbers
> get removed, some things get sorted, etc.

What is lost?

From mfreeman at netcogov.com Tue May 30 15:29:14 2006
From: mfreeman at netcogov.com (Freeman, Michael)
Date: Tue, 30 May 2006 10:29:14 -0500
Subject: [rancid] Rancid and a database?
Message-ID:

Has anyone thought of storing the information rancid collects in a
database? I'm mostly interested in Rancid's ability to parse through the
/show diag/ and /show version/ commands on devices and using that data
to generate asset/inventory reports.

From dev at linkdown.org Tue May 30 15:54:05 2006
From: dev at linkdown.org (Bruno Prigent)
Date: Tue, 30 May 2006 17:54:05 +0200
Subject: [rancid] Re: Rancid and a database?
In-Reply-To:
References:
Message-ID: <447C6A9D.7000407@linkdown.org>

A guy in my company wrote perl scripts to parse the rancid CVS and
rancid diff received by email. I don't think those scripts are available
to public.

I guess the main problem is that the script has to know the grammar of
every device type (cisco, juniper, etc). If the constructor decides to
change the command or implement a command in different ways within
different devices, you have to modify the script.

For inventory (device name, device type, IOS) I use grep/sed/awk when I
need it but I think it's not really reliable.

Keep me updated if you plan to work on something.

Bruno

Freeman, Michael wrote:
> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through the
> /show diag/ and /show version/ commands on devices and using that data
> to generate asset/inventory reports.

From heas at shrubbery.net Tue May 30 15:58:14 2006
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 May 2006 08:58:14 -0700
Subject: [rancid] Re: Rancid and a database?
In-Reply-To:
References:
Message-ID: <20060530155814.GA24954@shrubbery.net>

Tue, May 30, 2006 at 10:29:14AM -0500, Freeman, Michael:
> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through the
> /show diag/ and /show version/ commands on devices and using that data
> to generate asset/inventory reports.

See Joe Abley and Stephen Stuart's NANOG presentation:
http://www.nanog.org/mtg-0210/abley.html

From mfreeman at netcogov.com Tue May 30 16:01:16 2006
From: mfreeman at netcogov.com (Freeman, Michael)
Date: Tue, 30 May 2006 11:01:16 -0500
Subject: [rancid] Re: Rancid and a database?
Message-ID:

Bruno,

I don't think there is any way to get around the problem of the commands
or output changing, so that wouldn't be a new challenge for Rancid. I
don't think I want to parse any CVS information, in fact I'm not even
interested in storing anything in CVS/SVN at this point, probably just
hacking up the routines in the rancid cisco parsing modules to store
data filtered out through the regular expressions and store in a DB
using DBIx::Class.

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Bruno Prigent
Sent: Tuesday, May 30, 2006 10:54 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Rancid and a database?

A guy in my company wrote perl scripts to parse the rancid CVS and
rancid diff received by email. I don't think those scripts are available
to public.

I guess the main problem is that the script has to know the grammar of
every device type (cisco, juniper, etc). If the constructor decides to
change the command or implement a command in different ways within
different devices, you have to modify the script.

For inventory (device name, device type, IOS) I use grep/sed/awk when I
need it but I think it's not really reliable.

Keep me updated if you plan to work on something.

Bruno

Freeman, Michael wrote:
> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through
> the /show diag/ and /show version/ commands on devices and using that
> data to generate asset/inventory reports.

From eravin at panix.com Tue May 30 16:04:12 2006
From: eravin at panix.com (Ed Ravin)
Date: Tue, 30 May 2006 12:04:12 -0400
Subject: [rancid] config file postprocessing (was: post-install, now what?)
In-Reply-To: <20060530144639.GB25876@shrubbery.net>
References: <20060525155919.GC6833@panix.com> <20060530144639.GB25876@shrubbery.net>
Message-ID: <20060530160412.GA8787@panix.com>

On Tue, May 30, 2006 at 07:46:39AM -0700, john heasley wrote:
> Thu, May 25, 2006 at 11:59:19AM -0400, Ed Ravin:
> > On Thu, May 25, 2006 at 11:45:09AM -0400, jim bartus wrote:
> > > For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
> > > running config sitting in a tftp root, which made it easy to "copy
> > > tftp run" from a device to restore a config. How do you guys address
> > > this in rancid?
> >
> > We don't. RANCID post-processes the config in various ways that improve
> > change reporting but lose the original config. For starters, by default
> > all passwords get removed from the config so that they don't accidentally
> > get emailed out, but there are more subtle transformations: sequence numbers
> > get removed, some things get sorted, etc.
>
> What is lost?

If passwords are left in the config, almost nothing. The biggest
complaint I recall seeing is below, from a post to rancid-discuss
a year ago:

> I also have several ACL's that are optimized by packet hits given the
> large amount of traffic and RANCID sorts those as well. So these aren't
> necessarily functional problems so much as performance and audit issues. I
> suppose I can hack up the script to turn this off, but I'd imagine other
> people might possibly run into the same problem. Thanks,

My point was that even though functionality is the same, the config isn't.
And though the differences caused by RANCID's processing almost never
matter, sometimes, like in the case above, it does.
If you have an auditor looking over your shoulder asking if the router
configs are properly backed up (as the author of the quote above did),
you're put in the position of defending RANCID's changes to the config,
as the auditor is understandably going to ask why the alleged backups
in RANCID don't exactly match the config file on the router.

Another issue that might occur when using RANCID as your primary backup
to the router configuration - the RANCID files are much larger than
the original config file, due to all the helpful comments inserted
by RANCID showing things like the hardware status or directory listings.
Depending on the size of the NVRAM and your disaster recovery plan, you
might try to restore a router with a config that won't fit until you
trim down the comments.

-- Ed

From randy at psg.com Tue May 30 16:42:53 2006
From: randy at psg.com (Randy Bush)
Date: Tue, 30 May 2006 06:42:53 -1000
Subject: [rancid] Re: Rancid and a database?
References: <447C6A9D.7000407@linkdown.org>
Message-ID: <17532.30221.956303.990602@roam.psg.com>

> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through the
> /show diag/ and /show version/ commands on devices and using that data
> to generate asset/inventory reports.

look at nick's rcc. digests juniper and cisco into mysql and allows
you to run over that.

http://www.nanog.org/mtg-0405/feamster.html

randy

From mstefani at redhat.com Tue May 30 17:42:30 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Tue, 30 May 2006 19:42:30 +0200
Subject: [rancid] Re: config file postprocessing
In-Reply-To: <20060530160412.GA8787@panix.com>
References: <20060525155919.GC6833@panix.com> <20060530144639.GB25876@shrubbery.net> <20060530160412.GA8787@panix.com>
Message-ID: <447C8406.1020200@redhat.com>

Ed Ravin wrote:
>>I also have several ACL's that are optimized by packet hits given the
>>large amount of traffic and RANCID sorts those as well. So these aren't
>>necessarily functional problems so much as performance and audit issues. I
>>suppose I can hack up the script to turn this off, but I'd imagine other
>>people might possibly run into the same problem. Thanks,

Was there a solution for this? Like a patch that makes this configurable
or disables it?

Removing passwords and SNMP community strings isn't a problem in the
case of the recovery of a network device. Of course only if properly
documented; there is other information that isn't in the config file
anyway like VLAN and VTP infos.

But the sorting of the ACLs is as information is lost without any
possibility to recover it. Ranging from a performance issue to "damn
this ACL looks weird" effect when looking on the router. Though this
resorting can be mitigated by heavy use of comments in the ACLs thus
breaking big blocks of permit or deny rules into smaller chunks. But
still I would prefer to have the ACLs as is.

> My point was that even though functionality is the same, the config isn't.
> And though the differences caused by RANCID's processing almost never
> matter, sometimes, like in the case above, it does. If you have
> an auditor looking over your shoulder asking if the router configs
> are properly backed up (as the author of the quote above did), you're
> put in the position of defending RANCID's changes to the config, as
> the auditor is understandably going to ask why the alleged backups
> in RANCID don't exactly match the config file on the router.
>
> Another issue that might occur when using RANCID as your primary backup

Isn't that the main use of RANCID?

> the original config file, due to all the helpful comments inserted
> by RANCID showing things like the hardware status or directory listings.
> Depending on the size of the NVRAM and your disaster recovery plan, you
> might try to restore a router with a config that won't fit until you
> trim down the comments.

IMHO this shouldn't be really a problem quite the opposite, the comments
contain useful information like VTP and VLAN setup that might not be
saved in the config. And trimming the comments at the beginning
is/should be an easy task for an automated process or a human.

bye
michael

--
Michael Stefaniuc Tel.: +49-711-96437-199
Sr. Network Engineer Fax.: +49-711-96437-111
Red Hat GmbH Email: mstefani at redhat.com
Hauptstaetterstr. 58 http://www.redhat.de/
D-70178 Stuttgart

From chris at siliconhotrod.com Tue May 30 19:24:44 2006
From: chris at siliconhotrod.com (Chris Moody)
Date: Tue, 30 May 2006 12:24:44 -0700
Subject: [rancid] rancid use scenarios
Message-ID: <447C9BFC.8040509@siliconhotrod.com>

I'm currently using rancid for backups of a handful of devices (83 to be
exact) and love it. Our group has used it on numerous occasions to prove
when changes did/didn't occur.

At any rate, I'm needing some usage scenarios to help me sell the
concept to a larger audience at my office. We have another team that is
responsible for several hundred nodes and has nothing like rancid in
place. I'm planning to get them using the service, but need more
"weight" in selling the idea to them.

What are some of the largest deployments of rancid (also anyone willing
to give contact info to vouch for their numbers?)? Anyone have
experience in enterprise scale usage? Any caveats? Any tips?

Any insights and stories are appreciated. If I can demonstrate that the
tool(s) can reliably handle a large load of devices, the widespread
usage may become a reality instead of just my recommendation.

Cheers,
-Chris

From azhang at StanfordEagle.com Tue May 30 21:31:57 2006
From: azhang at StanfordEagle.com (Zhang, Anchi)
Date: Tue, 30 May 2006 16:31:57 -0500
Subject: [rancid] Re: rancid use scenarios
Message-ID: <7E8497ADB180D24CB13C804F22714A920192EB0B@SFG-HOU-MAILV1.stanford.sfgc.com>

Have you tried to change passwords/enable secrets on hundreds of Cisco
devices without Rancid after a group member leaves? At my previous job,
there were more than 500 Cisco devices and I was the only one versed in
Unix/Rancid. As a result, I was asked to run my shell/clogin script to
change the passwords on my LAST day.

Rancid should be deployed if there are more than 10 network devices just
as Cfengined should be deployed for an installation of more than 10
Unix/Linux nodes.

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Chris Moody
Sent: Tuesday, May 30, 2006 2:25 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] rancid use scenarios

I'm currently using rancid for backups of a handful of devices (83 to be
exact) and love it. Our group has used it on numerous occasions to prove
when changes did/didn't occur.

At any rate, I'm needing some usage scenarios to help me sell the
concept to a larger audience at my office. We have another team that is
responsible for several hundred nodes and has nothing like rancid in
place. I'm planning to get them using the service, but need more
"weight" in selling the idea to them.

What are some of the largest deployments of rancid (also anyone willing
to give contact info to vouch for their numbers?)? Anyone have
experience in enterprise scale usage? Any caveats? Any tips?

Any insights and stories are appreciated. If I can demonstrate that the
tool(s) can reliably handle a large load of devices, the widespread
usage may become a reality instead of just my recommendation.

Cheers,
-Chris

From rancid at veggiechinese.net Tue May 30 22:31:34 2006
From: rancid at veggiechinese.net (William Yardley)
Date: Tue, 30 May 2006 15:31:34 -0700
Subject: [rancid] CSS problems
Message-ID: <20060530223134.GB29392@mitch.veggiechinese.net>

Running rancid 2.3 on Linux (RHEL 3). Logging into two Cisco CSS 11503s
seems to work fine, but it doesn't seem to actually execute any
commands. I tried upgrading to 2.3.2a4, but no dice still.

Setting "expert" mode (in the CSS's user profile) doesn't seem to help.
Neither does changing the hostname to be lower case.

Anything obvious I should try?

Expect is v5.38.0

(from the .raw file)
Connected to css1.
Escape character is '^]'.

User Access Verification

Username:XXXXXX
Password:
CSS1#
Error: TIMEOUT reached

(it seems to just sit there after getting to a prompt, but login works
Ok)

from the command line (cssrancid):
executing clogin -t 90 -c"term length 65535;copy profile user-profile;show version;show boot;show run" css1
css1 clogin error: Error: TIMEOUT reached
css1 clogin error: Error: TIMEOUT reached
css1: missed cmd(s): term length 65535,show run,show version,copy profile user-profile,show boot
css1: missed cmd(s): term length 65535,show run,show version,copy profile user-profile,show boot
css1: End of run not found
css1: End of run not found
!

From morty at frakir.org Wed May 31 06:16:05 2006
From: morty at frakir.org (Mordechai T. Abzug)
Date: Wed, 31 May 2006 02:16:05 -0400
Subject: [rancid] Re: rancid use scenarios
In-Reply-To: <447C9BFC.8040509@siliconhotrod.com>
References: <447C9BFC.8040509@siliconhotrod.com>
Message-ID: <20060531061604.GJ13315@red-sonja.frakir.org>

On Tue, May 30, 2006 at 12:24:44PM -0700, Chris Moody wrote:

> At any rate, I'm needing some usage scenarios to help me sell the
> concept to a larger audience at my office. We have another team
> that is responsible for several hundred nodes and has nothing like
> rancid in place. I'm planning to get them using the service, but
> need more "weight" in selling the idea to them.

> What are some of the largest deployments of rancid (also anyone
> willing to give contact info to vouch for their numbers?)? Anyone
> have experience in enterprise scale usage? Any caveats? Any tips?

We have 350+ nodes in rancid. We have a number of smaller management
domains rather than one massive implementation; the largest domain has
125 rancid-monitored nodes. rancid is relatively lightweight,
especially if you tune down the number of parallel gets, so we run it
as an extra process on existing NMS stations. It also requires almost
no space, thanks to using CVS; from a resource consumption
perspective, it actually scales lots better than some commercial
equivalents.

If you are located in the US, regardless of your feelings, chances are
that you need rancid or something like it for legal compliance --
between SOX, FISMA, and HIPAA, most commercial and government entities
need lots of monitoring. If you don't think you need it now, but you
are subject to any kind of auditing and haven't been audited yet, do
yourself a favor and implement it now.

Quite aside from legal issues, tools like rancid are great for lots of
real-life reasons. They are good for:

* detecting surprise changes ("when did that change occur? Sure would
  be nice to have an automated tool to tell us when someone makes a
  change in the middle of the night and forgets to send email");

* security monitoring of routers ("where did that permissive ACL come
  from? Sure would be nice if a tool could tell us what changes
  occurred on routers, so if anything suspicious happens, we can know
  immediately instead of when it ends up in the media");

* exercising router flashes ("Whoops, the flash went bad but the
  device continued to function in-memory, so nobody noticed until a
  power outage. Sure would be nice if we had a tool that periodically
  logged in to devices and ran a bunch of commands that demonstrate
  that it is working well");

* backing up configs ("Our last manual backup of the router config was
  5 years ago; we've upgraded it twice, and added lots of ACLs since
  then. Wouldn't an automated way to get config backups make sense?")

If your people are against freeware, or want "Enterprise" features,
there are COTS tools that do more than rancid out of the box, or at
least satisfy management desire for a commercial provider. Opsware
NAS is particularly studly; it will automatically go out when config
change events are reported via syslog, grab the latest update, and
tell you who did the change (if available). It can get asset and
module information. It can do "policy compliance." It can integrate
with HP OV NNM and other products. Of course, Opsware costs mucho
dinero and requires beefy hardware, while you can set up a reasonable
rancid setup using an old PC and no commercial software.

If you are a single-vendor stop (ie. all Cisco, or all Nortel, or all
Juniper, etc.), your vendor may provide/sell you an element manager
(CiscoWorks, Optivity, JunOScope, etc.) that includes rancid-like
functionality. Unfortunately, it will be specific to said vendor. If
you are or might become heterogeneous, rancid or other vendor-neutral
package is a good call.

- Morty

From saku+rancid at ytti.fi Wed May 31 06:26:08 2006
From: saku+rancid at ytti.fi (Saku Ytti)
Date: Wed, 31 May 2006 09:26:08 +0300
Subject: [rancid] Re: rancid use scenarios
In-Reply-To: <447C9BFC.8040509@siliconhotrod.com>
References: <447C9BFC.8040509@siliconhotrod.com>
Message-ID: <20060531062608.GA30763@mx.ytti.net>

On (2006-05-30 12:24 -0700), Chris Moody wrote:

> What are some of the largest deployments of rancid (also anyone willing
> to give contact info to vouch for their numbers?)? Anyone have
> experience in enterprise scale usage? Any caveats? Any tips?

% LC_ALL=C;find -name "router.db"|xargs wc -l|tail -n 1
6163 total

Works for us, 1700 of these are collected every 4h, rest once a week.
Several hardware vendors (~7 vendors), including support for telco
systems (binos) and corecess that we've added in-house (happy to
provide if needed).

--
++ytti

From rspeed at gmail.com Wed May 31 16:11:43 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Wed, 31 May 2006 09:11:43 -0700
Subject: [rancid] Re: rancid use scenarios
In-Reply-To: <20060531061604.GJ13315@red-sonja.frakir.org>
References: <447C9BFC.8040509@siliconhotrod.com> <20060531061604.GJ13315@red-sonja.frakir.org>
Message-ID:

rancid just found its director of marketing me thinks ;)

On 5/30/06, Mordechai T. Abzug wrote:
> On Tue, May 30, 2006 at 12:24:44PM -0700, Chris Moody wrote:
>
> We have 350+ nodes in rancid. We have a number of smaller management
> domains rather than one massive implementation; the largest domain has
> 125 rancid-monitored nodes. rancid is relatively lightweight,
> especially if you tune down the number of parallel gets, so we run it
> as an extra process on existing NMS stations. It also requires almost
> no space, thanks to using CVS; from a resource consumption
> perspective, it actually scales lots better than some commercial
> equivalents.
>
> If you are located in the US, regardless of your feelings, chances are
> that you need rancid or something like it for legal compliance --
> between SOX, FISMA, and HIPAA, most commercial and government entities
> need lots of monitoring. If you don't think you need it now, but you
> are subject to any kind of auditing and haven't been audited yet, do
> yourself a favor and implement it now.
>
> Quite aside from legal issues, tools like rancid are great for lots of
> real-life reasons. They are good for:
>
> * detecting surprise changes ("when did that change occur? Sure would
>   be nice to have an automated tool to tell us when someone makes a
>   change in the middle of the night and forgets to send email");
>
> * security monitoring of routers ("where did that permissive ACL come
>   from? Sure would be nice if a tool could tell us what changes
>   occurred on routers, so if anything suspicious happens, we can know
>   immediately instead of when it ends up in the media");
>
> * exercising router flashes ("Whoops, the flash went bad but the
>   device continued to function in-memory, so nobody noticed until a
>   power outage. Sure would be nice if we had a tool that periodically
>   logged in to devices and ran a bunch of commands that demonstrate
>   that it is working well");
>
> * backing up configs ("Our last manual backup of the router config was
>   5 years ago; we've upgraded it twice, and added lots of ACLs since
>   then. Wouldn't an automated way to get config backups make sense?")
>
> If your people are against freeware, or want "Enterprise" features,
> there are COTS tools that do more than rancid out of the box, or at
> least satisfy management desire for a commercial provider. Opsware
> NAS is particularly studly; it will automatically go out when config
> change events are reported via syslog, grab the latest update, and
> tell you who did the change (if available). It can get asset and
> module information. It can do "policy compliance." It can integrate
> with HP OV NNM and other products. Of course, Opsware costs mucho
> dinero and requires beefy hardware, while you can set up a reasonable
> rancid setup using an old PC and no commercial software.
>
> If you are a single-vendor stop (ie. all Cisco, or all Nortel, or all
> Juniper, etc.), your vendor may provide/sell you an element manager
> (CiscoWorks, Optivity, JunOScope, etc.) that includes rancid-like
> functionality. Unfortunately, it will be specific to said vendor. If
> you are or might become heterogeneous, rancid or other vendor-neutral
> package is a good call.
>
> - Morty
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>

--
><(((?> Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)