From mstefani at redhat.com Thu May 4 15:55:47 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Thu, 04 May 2006 17:55:47 +0200
Subject: [rancid] race condition in ssh on CatOS
Message-ID: <445A2403.8010202@redhat.com>
Hello,
in October 2004 there was a small thread about this problem, "Bug when
using SSH on CatOS devices"
(http://www.shrubbery.net/pipermail/rancid-discuss/2004-October/000891.html),
but it ended with a quick hack that worked for the older Extremes but
doesn't for CatOS
(http://www.shrubbery.net/pipermail/rancid-discuss/2004-November/000898.html).
The problem with CatOS ssh is that it _sometimes_ eats the echoing of
the last packet that made the connection terminate, unlike the Extreme,
which according to the above was eating only the \n\r. As clogin does a
send "exit\r"
and that fits in one packet, the CatOS ssh will forget to echo that back
before terminating the connection. So one gets _sometimes_
Switch> (enable)Connection to switch.foo.bar closed by remote host.
Connection to switch.foo.bar closed.
I get that not only with cat5rancid but also directly with ssh.
Now adapting the proposed patch/hack:
TOP: while(<INPUT>) {
    tr/\015//d;
    if (/> \(enable\) ?exit$/) {
        $clean_run=1;
        last;
    }
    # Check and see if it was a "less clean" run.
    elsif (/> \(enable\) ?exitConnection to (\S+) closed by remote host\./){
        $clean_run=1;
        last;
    }
}
by omitting "exit" isn't hard, but is it safe? One can assume that getting
Switch> (enable) exitConnection to switch.foo.bar closed by remote host.
won't happen in the middle of a cat5run run ever. But it is very likely
to get
Switch> (enable)Connection to switch.foo.bar closed by remote host.
between 2 commands. One cannot safely set $clean_run=1 in that case.
The method I used was to split up 'send "exit\r"' in clogin into
send "exit"
sleep 0.1
send "\r"
Alternatively using send -h "exit\r" and using the "hangover" human
speed setting (see man expect) works too. This way I reduce the problem
to detecting "Switch> (enable) exitConnection ...".
Is there a better way to achieve a reliable backup of CatOS devices with
rancid using ssh besides having to patch clogin and cat5rancid? Not that
patching would be a problem but having the right fix upstream makes
future maintenance easier.
bye
michael
--
Michael Stefaniuc Tel.: +49-711-96437-199
Sr. Network Engineer Fax.: +49-711-96437-111
Red Hat GmbH Email: mstefani at redhat.com
Hauptstaetterstr. 58 http://www.redhat.de/
D-70178 Stuttgart
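The three end-of-session shapes discussed in the post above, classified in one place. This is an added example, not part of the original post and not rancid's code: the names classify_line and clean_run and the sample sessions are constructed for illustration, and only the two "exit" patterns come from the quoted hack.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify one line of session output (hypothetical helper, not in cat5rancid).
sub classify_line {
    my ($line) = @_;
    $line =~ tr/\015//d;    # drop carriage returns, as the quoted loop does
    chomp $line;

    # "exit" echoed on its own line: the normal end of a run.
    return 'clean' if $line =~ /> \(enable\) ?exit$/;

    # "exit" echoed, with the ssh client's close message on the same line.
    return 'less_clean'
        if $line =~ /> \(enable\) ?exitConnection to \S+ closed by remote host\./;

    # Prompt followed directly by the close message. A lost echo of "exit"
    # and a session dropped between two commands look identical here, so
    # this shape must never be counted as a clean run.
    return 'ambiguous'
        if $line =~ /> \(enable\) ?Connection to \S+ closed by remote host\./;

    return 'other';
}

# Returns 1 only when the end-of-run marker (an echoed "exit") was seen.
sub clean_run {
    my @lines = @_;
    for my $line (@lines) {
        my $kind = classify_line($line);
        return 1 if $kind eq 'clean' || $kind eq 'less_clean';
        return 0 if $kind eq 'ambiguous';
    }
    return 0;               # log ended without any end-of-run marker
}

# Constructed sample sessions; the command output lines are placeholders.
my %sessions = (
    '1 exit echoed on its own line' => [
        "Switch> (enable) show version\r\n",
        "(constructed command output)\r\n",
        "Switch> (enable) exit\r\n",
    ],
    '2 exit echoed, close message appended' => [
        "Switch> (enable) show version\r\n",
        "(constructed command output)\r\n",
        "Switch> (enable) exitConnection to switch.foo.bar closed by remote host.\r\n",
    ],
    '3 echo lost or session dropped' => [
        "Switch> (enable) show version\r\n",
        "(constructed command output)\r\n",
        "Switch> (enable)Connection to switch.foo.bar closed by remote host.\r\n",
    ],
);

for my $name (sort keys %sessions) {
    printf "%-42s clean_run=%d\n", $name, clean_run(@{ $sessions{$name} });
}
```

Sessions 1 and 2 report clean_run=1 and session 3 reports clean_run=0, which is why the post sends "exit" and "\r" separately so that the echo of "exit" is always present.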
From jsutherl at newedgenetworks.com Fri May 5 16:39:02 2006
From: jsutherl at newedgenetworks.com (Sutherland, James)
Date: Fri, 5 May 2006 09:39:02 -0700
Subject: [rancid] Infinate loop on clogin
Message-ID:
Interestingly we managed to accidentally get rancid set so that an
Efficient 5871 was set as a cisco.
What resulted was an infinite loop that causes rancid to hang forever
until the telnet to that device is killed.
I wasn't sure if this would be considered a bug, but I thought I'd send
it to this list as an example of this problem, which we've seen several
times.
Example:
Fri 8:58am {rancid at prometheus:[~/bin]} ./clogin 172.28.41.69
172.28.41.69
spawn telnet 172.28.41.69
Trying 172.28.41.69...
Connected to 172.28.41.69.
Escape character is '^]'.
Efficient 5871 IDSL Router (5871-001/2) v5.3.80 Ready
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
Wrong password! Try logging in again.
Login: ******
^C
Fri 8:58am {rancid at prometheus:[~/bin]}
From mstefani at redhat.com Fri May 5 16:44:29 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Fri, 05 May 2006 18:44:29 +0200
Subject: [rancid] Re: Infinate loop on clogin
In-Reply-To:
References:
Message-ID: <445B80ED.6000601@redhat.com>
Sutherland, James wrote:
> Interestingly we managed to accidentally get rancid set so that an
> Efficient 5871 was set as a cisco.
>
> What resulted was an infinite loop that causes rancid to hang forever
> until the telnet to that device is killed.
>
> I wasn't sure if this would be considered a bug, but I thought I'd send
> it to this list as an example of this problem, which we've seen several
> times.
Call clogin with -t to give it a timeout. rancid uses clogin -t 90 to
prevent such loops being too disastrous.
bye
michael
--
Michael Stefaniuc Tel.: +49-711-96437-199
Sr. Network Engineer Fax.: +49-711-96437-111
Red Hat GmbH Email: mstefani at redhat.com
Hauptstaetterstr. 58 http://www.redhat.de/
D-70178 Stuttgart
From heas at shrubbery.net Fri May 5 16:47:55 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 5 May 2006 09:47:55 -0700
Subject: [rancid] Re: Infinate loop on clogin
In-Reply-To: <445B80ED.6000601@redhat.com>
References:
<445B80ED.6000601@redhat.com>
Message-ID: <20060505164755.GD12082@shrubbery.net>
Fri, May 05, 2006 at 06:44:29PM +0200, Michael Stefaniuc:
> Sutherland, James wrote:
> > Interestingly we managed to accidentally get rancid set so that an
> > Efficient 5871 was set as a cisco.
> >
> > What resulted was an infinite loop that causes rancid to hang forever
> > until the telnet to that device is killed.
> >
> > I wasn't sure if this would be considered a bug, but I thought I'd send
> > it to this list as an example of this problem, which we've seen several
> > times.
> Call clogin with -t to give it a timeout. rancid uses clogin -t 90 to
> prevent such loops being too disastrous.
That will do nothing, as the timeout only takes effect when there is no
input match. Here, there's obviously a match.
> >
> > Example:
> > Fri 8:58am {rancid at prometheus:[~/bin]} ./clogin 172.28.41.69
> > 172.28.41.69
> > spawn telnet 172.28.41.69
> > Trying 172.28.41.69...
> > Connected to 172.28.41.69.
> > Escape character is '^]'.
> >
> > Efficient 5871 IDSL Router (5871-001/2) v5.3.80 Ready
> > Login: ******
> > Wrong password! Try logging in again.
> > Login: ******
So it's a bug/bad assumption that devices stop prompting and disconnect
after a few login failures.
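The behaviour described in the reply above, replayed over a constructed transcript. This is an added example, not part of the thread and not clogin's code (clogin is an expect script): replay_login, its attempt cap and the 0.2 second prompt spacing are assumptions made for the illustration, and only the 90 second timeout and the count of 1714 prompts come from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Replay [seconds_since_start, text] events through a login loop.
#   $idle_timeout  models the timeout as described above: it fires only
#                  when nothing has matched for that many seconds.
#   $max_logins    caps how often the login prompt is answered
#                  (0 = no cap, which is the situation in the thread).
sub replay_login {
    my ($events, $idle_timeout, $max_logins) = @_;
    my $last_match = 0;     # time of the most recent pattern match
    my $answered   = 0;     # login prompts answered so far

    for my $event (@$events) {
        my ($t, $text) = @$event;

        # The timeout needs a quiet gap; a device that keeps prompting
        # never leaves one.
        if ($t - $last_match > $idle_timeout) {
            return { result => 'timeout', answered => $answered };
        }

        if ($text =~ /^Login: /) {
            # Give up instead of sending the credentials yet again.
            if ($max_logins && $answered >= $max_logins) {
                return { result => 'login_failed', answered => $answered };
            }
            $answered++;            # credentials would be sent here
            $last_match = $t;       # every match restarts the timer
        }
    }
    # Input ended (the operator killed the session) while still prompting.
    return { result => 'still_looping', answered => $answered };
}

# Constructed transcripts: a device that re-prompts every 0.2 s, 1714 times,
# and a device that goes silent for 200 s after the first prompt.
my @looping = map { [ $_ * 0.2, 'Login: ' ] } 0 .. 1713;
my @silent  = ( [ 0, 'Login: ' ], [ 200, 'Login: ' ] );

my @cases = (
    [ 'looping device, timeout 90, no cap', \@looping, 90, 0 ],
    [ 'looping device, timeout 90, cap 3',  \@looping, 90, 3 ],
    [ 'silent device,  timeout 90, no cap', \@silent,  90, 0 ],
);

for my $case (@cases) {
    my ($name, $events, $timeout, $cap) = @$case;
    my $r = replay_login($events, $timeout, $cap);
    printf "%-38s %-14s prompts answered: %d\n",
        $name, $r->{result}, $r->{answered};
}
```

Without a cap the looping device is answered all 1714 times and the timeout never fires; with the cap the loop stops after three answers, and the timeout only helps against the silent device.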
From jsutherl at newedgenetworks.com Fri May 5 16:56:05 2006
From: jsutherl at newedgenetworks.com (Sutherland, James)
Date: Fri, 5 May 2006 09:56:05 -0700
Subject: [rancid] Re: Infinate loop on clogin
Message-ID:
That didn't seem to work for me; notice the time stamps:
Fri 9:48am {rancid at prometheus:[~]} ./bin/clogin -t 90 172.28.41.69 > /tmp/clogin.test
^C
Fri 9:54am {rancid at prometheus:[~]}
Just for fun:
Fri 9:55am {rancid at prometheus:[~]} grep -c Login /tmp/clogin.test
1714
-----Original Message-----
From: Michael Stefaniuc [mailto:mstefani at redhat.com]
Sent: Friday, May 05, 2006 9:44 AM
To: Sutherland, James
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Infinate loop on clogin
Sutherland, James wrote:
> Interestingly we managed to accidentally get rancid set so that an
> Efficient 5871 was set as a cisco.
>
> What resulted was an infinite loop that causes rancid to hang forever
> until the telnet to that device is killed.
>
> I wasn't sure if this would be considered a bug, but I thought I'd
> send it to this list as an example of this problem, which we've seen
> several times.
Call clogin with -t to give it a timeout. rancid uses clogin -t 90 to
prevent such loops being too disastrous.
bye
michael
--
Michael Stefaniuc Tel.: +49-711-96437-199
Sr. Network Engineer Fax.: +49-711-96437-111
Red Hat GmbH Email: mstefani at redhat.com
Hauptstaetterstr. 58 http://www.redhat.de/
D-70178 Stuttgart
From heas at shrubbery.net Fri May 5 22:58:17 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 5 May 2006 15:58:17 -0700
Subject: [rancid] Re: race condition in ssh on CatOS
In-Reply-To: <445A2403.8010202@redhat.com>
References: <445A2403.8010202@redhat.com>
Message-ID: <20060505225817.GH12082@shrubbery.net>
Thu, May 04, 2006 at 05:55:47PM +0200, Michael Stefaniuc:
> Switch> (enable) exitConnection to switch.foo.bar closed by remote host.
> won't happen in the middle of a cat5run run ever. But it is very likely
> to get
> Switch> (enable)Connection to switch.foo.bar closed by remote host.
> between 2 commands. One cannot safely set $clean_run=1 in that case.
> The method I used was to split up 'send "exit\r"' in clogin into
> send "exit"
> sleep 0.1
> send "\r"
> Alternatively using send -h "exit\r" and using the "hangover" human
> speed setting (see man expect) works too. This way I reduce the problem
> to detecting "Switch> (enable) exitConnection ...".
>
> Is there a better way to achieve a reliable backup of CatOS devices with
> rancid using ssh besides having to patch clogin and cat5rancid? Not that
> patching would be a problem but having the right fix upstream makes
> future maintenance easier.
Normally I'd say use your support contract to harass Cisco to fix their
broken stuff before we make hacks permanent (unless it's an Extreme), but I
think this has been fixed. Of 43 chassis I collect, only one is failing
(I have not looked into why). So, I suggest you try more recent code, try
ipservicesk9-mz.122-18.SXF vintage.
From mstefani at redhat.com Sat May 6 08:54:48 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Sat, 06 May 2006 10:54:48 +0200
Subject: [rancid] Re: race condition in ssh on CatOS
In-Reply-To: <20060505225817.GH12082@shrubbery.net>
References: <445A2403.8010202@redhat.com>
<20060505225817.GH12082@shrubbery.net>
Message-ID: <445C6458.1080607@redhat.com>
john heasley wrote:
> Thu, May 04, 2006 at 05:55:47PM +0200, Michael Stefaniuc:
>
>>Switch> (enable) exitConnection to switch.foo.bar closed by remote host.
>>won't happen in the middle of a cat5run run ever. But it is very likely
>>to get
>>Switch> (enable)Connection to switch.foo.bar closed by remote host.
>>between 2 commands. One cannot safely set $clean_run=1 in that case.
>>The method I used was to split up 'send "exit\r"' in clogin into
>>send "exit"
>>sleep 0.1
>>send "\r"
>>Alternatively using send -h "exit\r" and using the "hangover" human
>>speed setting (see man expect) works too. This way I reduce the problem
>>to detecting "Switch> (enable) exitConnection ...".
>>
>>Is there a better way to achieve a reliable backup of CatOS devices with
>>rancid using ssh besides having to patch clogin and cat5rancid? Not that
>>patching would be a problem but having the right fix upstream makes
>>future maintenance easier.
>
>
> Normally I'd say use your support contract to harass Cisco to fix their
> broken stuff before we make hacks permanent (unless it's an Extreme), but I
> think this has been fixed. Of 43 chassis I collect, only one is failing
> (I have not looked into why). So, I suggest you try more recent code, try
> ipservicesk9-mz.122-18.SXF vintage.
I was talking about CatOS. We do not have any problems with backing up
IOS devices. Sadly there is no IOS available for the good old Cat2948.
I'll have to check the release notes for the newer CatOS versions if
they fixed this problem and cross check that on a device under normal
operation load. If the problem still persists I'll harass Cisco.
Anyway the proper fix will take quite long so I will have to live with
the patch in my rancid tree.
bye
michael
--
Michael Stefaniuc Tel.: +49-711-96437-199
Sr. Network Engineer Fax.: +49-711-96437-111
Red Hat GmbH Email: mstefani at redhat.com
Hauptstaetterstr. 58 http://www.redhat.de/
D-70178 Stuttgart
From kanagaraj at aims.com.my Mon May 8 07:21:56 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna)
Date: Mon, 8 May 2006 15:21:56 +0800
Subject: [rancid] Re: Rancid attic devices
References: <20060323202728.59206.qmail@web50514.mail.yahoo.com>
<20060325210956.GA75327@partan.com>
Message-ID: <029301c67270$1685aa00$6b86dfcb@kana>
Hi,
I have a question regarding the reuse of a previously added device on
rancid. This is the situation. Previously I've added a device with IP
xxx.xxx.xxx.xxx and realised that once it was deleted from router.db, it
was placed under attic. Currently I'm planning to use the same IP
xxx.xxx.xxx.xxx for another device but at the same time maintain the older
device configs as well. What is the best way to do this? Thanks
Regards,
Kanagaraj Krishna
From heas at shrubbery.net Mon May 8 07:36:14 2006
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 May 2006 00:36:14 -0700
Subject: [rancid] Re: Rancid attic devices
In-Reply-To: <029301c67270$1685aa00$6b86dfcb@kana>
References: <20060323202728.59206.qmail@web50514.mail.yahoo.com>
<20060325210956.GA75327@partan.com>
<029301c67270$1685aa00$6b86dfcb@kana>
Message-ID: <20060508073614.GI12984@shrubbery.net>
Mon, May 08, 2006 at 03:21:56PM +0800, Kanagaraj Krishna:
> Hi,
> I have a question regarding the reuse of a previously added device on
> rancid. This is the situation. Previously I've added a device with IP
> xxx.xxx.xxx.xxx and realised that once it was deleted from router.db, it
> was placed under attic. Currently I'm planning to use the same IP
> xxx.xxx.xxx.xxx for another device but at the same time maintain the older
> device configs as well. What is the best way to do this? Thanks
>
> Regards,
> Kanagaraj Krishna
This is really a CVS question.
IIRC, when a file is added that was previously "cvs delete"'ed, the file is
essentially resurrected. Meaning that you start off from whence you had
ended, thus maintaining all the history. I think that applies to subversion
as well.
If you wanted to maintain them separately, you can goof with the repository
-- which I do not encourage -- by renaming the repository file from
Attic/foo,v to Attic/foo_old,v or something similar.
From Anton.Schweitzer at o2.com Mon May 8 08:13:10 2006
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Mon, 8 May 2006 10:13:10 +0200
Subject: [rancid] No Software: tag in config for 6500/7600 Switches
Message-ID:
Hi,
I did a script for grepping all the software releases, so I discovered there
is no software tag for Cisco 65XX and 76XX.
Can anyone tell why there is no "Image:Software:" tag?
Cheers
Anton
Anton Schweitzer
CNO IP Backoffice
o2 (Germany) GmbH & Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobil +49(0)176-23407715
Fax +49(0)89-2442-5632
anton.schweitzer at o2.com
From heas at shrubbery.net Mon May 8 08:20:51 2006
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 May 2006 01:20:51 -0700
Subject: [rancid] Re: No Software: tag in config for 6500/7600 Switches
In-Reply-To:
References:
Message-ID: <20060508082051.GM12984@shrubbery.net>
Mon, May 08, 2006 at 10:13:10AM +0200, Anton.Schweitzer at o2.com:
> Hi,
>
> I did a script for grepping all the software releases, so I discovered there
> is no software tag for Cisco 65XX and 76XX.
>
> Can anyone tell why there is no "Image:Software:" tag ?
>
Cisco likes to change formats [for no apparent reason]. The fix is included
in ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a4.tar.gz
From kanagaraj at aims.com.my Mon May 8 09:52:09 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna)
Date: Mon, 8 May 2006 17:52:09 +0800
Subject: [rancid] Re: correct above errors first!
Message-ID: <000f01c67285$128ee7d0$6b86dfcb@kana>
Hi,
What do the errors below point to? Can't figure it out (from the log).
Error 1
cvs add: aaa.aaa.aaa.aaa should be removed and is still there (or is back again)
cvs [commit aborted]: internal error: no parsed RCS file
Added aaa.aaa.aaa.aaa
cvs status: aaa.aaa.aaa.aaa should be removed and is still there
Trying to get all of the configs.
All routers sucessfully completed.
cvs diff: Diffing .
cvs diff: Diffing configs
cvs diff: configs/aaa.aaa.aaa.aaa was removed, no comparison available
cvs commit: Examining .
cvs commit: Examining configs
cvs [commit aborted]: internal error: no parsed RCS file
Error 2
cvs diff: Diffing .
cvs diff: Diffing configs
cvs diff: configs/xxx.xxx.xxx.xxx was removed, no comparison available
cvs commit: Examining .
cvs commit: Examining configs
cvs commit: Up-to-date check failed for `configs/xxx.xxx.xxx.xxx'
cvs [commit aborted]: correct above errors first!
ending: Mon May 8 17:41:31 MYT 2006
Thanks,
Kanagaraj Krishna
From Todd at equivoice.com Mon May 8 13:04:10 2006
From: Todd at equivoice.com (Todd Heide)
Date: Mon, 8 May 2006 08:04:10 -0500
Subject: [rancid] Linux n00b questions
Message-ID: <082FEA82DC985B4F8A6B412D5AC4E220207A57@exchange.Equivoice.local>
Is there a clear concise document describing the steps to get Rancid
working on Cisco routers using Tacacs+? I plug my way through Redhat 9.0
fairly well, but when it comes to terminology, I get cross eyed and
dumb.
Thanks
Todd
From heas at shrubbery.net Mon May 8 14:47:21 2006
From: heas at shrubbery.net (john heasley)
Date: Mon, 8 May 2006 07:47:21 -0700
Subject: [rancid] Re: correct above errors first!
In-Reply-To: <000f01c67285$128ee7d0$6b86dfcb@kana>
References: <000f01c67285$128ee7d0$6b86dfcb@kana>
Message-ID: <20060508144721.GN12984@shrubbery.net>
It means that somehow you have a file in group/configs that has not been
cvs added; most likely because someone has been making changes manually
instead of allowing rancid to do it.
Mon, May 08, 2006 at 05:52:09PM +0800, Kanagaraj Krishna:
> Hi,
> What do the errors below point to? Can't figure it out (from the log).
>
> Error 1
> cvs add: aaa.aaa.aaa.aaa should be removed and is still there (or is back again)
> cvs [commit aborted]: internal error: no parsed RCS file
> Added aaa.aaa.aaa.aaa
>
> cvs status: aaa.aaa.aaa.aaa should be removed and is still there
>
>
> Trying to get all of the configs.
> All routers sucessfully completed.
>
> cvs diff: Diffing .
> cvs diff: Diffing configs
> cvs diff: configs/aaa.aaa.aaa.aaa was removed, no comparison available
> cvs commit: Examining .
> cvs commit: Examining configs
> cvs [commit aborted]: internal error: no parsed RCS file
>
> Error 2
> cvs diff: Diffing .
> cvs diff: Diffing configs
> cvs diff: configs/xxx.xxx.xxx.xxx was removed, no comparison available
> cvs commit: Examining .
> cvs commit: Examining configs
> cvs commit: Up-to-date check failed for `configs/xxx.xxx.xxx.xxx'
> cvs [commit aborted]: correct above errors first!
>
> ending: Mon May 8 17:41:31 MYT 2006
>
> Thanks,
> Kanagaraj Krishna
From kanagaraj at aims.com.my Tue May 9 01:26:58 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna)
Date: Tue, 9 May 2006 09:26:58 +0800
Subject: [rancid] Re: correct above errors first!
References: <000f01c67285$128ee7d0$6b86dfcb@kana>
<20060508144721.GN12984@shrubbery.net>
Message-ID: <005101c67307$aa351a50$6b86dfcb@kana>
Any suggestions in solving this issue?
Regards,
Kana
----- Original Message -----
From: "john heasley"
To: "Kanagaraj Krishna"
Cc:
Sent: Monday, May 08, 2006 10:47 PM
Subject: Re: [rancid] Re: correct above errors first!
> It means that somehow you have a file in group/configs that has not been
> cvs added; most likely because someone has been making changes manually
> instead of allowing rancid to do it.
>
> Mon, May 08, 2006 at 05:52:09PM +0800, Kanagaraj Krishna:
> > Hi,
> > What do the errors below point to? Can't figure it out (from the log).
> >
> > Error 1
> > cvs add: aaa.aaa.aaa.aaa should be removed and is still there (or is back again)
> > cvs [commit aborted]: internal error: no parsed RCS file
> > Added aaa.aaa.aaa.aaa
> >
> > cvs status: aaa.aaa.aaa.aaa should be removed and is still there
> >
> >
> > Trying to get all of the configs.
> > All routers sucessfully completed.
> >
> > cvs diff: Diffing .
> > cvs diff: Diffing configs
> > cvs diff: configs/aaa.aaa.aaa.aaa was removed, no comparison available
> > cvs commit: Examining .
> > cvs commit: Examining configs
> > cvs [commit aborted]: internal error: no parsed RCS file
> >
> > Error 2
> > cvs diff: Diffing .
> > cvs diff: Diffing configs
> > cvs diff: configs/xxx.xxx.xxx.xxx was removed, no comparison available
> > cvs commit: Examining .
> > cvs commit: Examining configs
> > cvs commit: Up-to-date check failed for `configs/xxx.xxx.xxx.xxx'
> > cvs [commit aborted]: correct above errors first!
> >
> > ending: Mon May 8 17:41:31 MYT 2006
> >
> > Thanks,
> > Kanagaraj Krishna
From adamp at nyroc.rr.com Wed May 10 14:49:43 2006
From: adamp at nyroc.rr.com (Adam Pawlukiewicz)
Date: Wed, 10 May 2006 10:49:43 -0400
Subject: [rancid] Rancid and Motorola BSR64000
Message-ID: <00dd01c67440$f98575c0$c9035d18@rr.com>
Has anyone tried to get rancid to work with a Motorola BSR64000?
Adam
From frnkblk at iname.com Wed May 10 15:12:18 2006
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 10 May 2006 10:12:18 -0500
Subject: [rancid] Re: Rancid and Motorola BSR64000
In-Reply-To: <00dd01c67440$f98575c0$c9035d18@rr.com>
Message-ID:
I'm looking for the same....let me know if there is a way.
Frank
_____
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Adam Pawlukiewicz
Sent: Wednesday, May 10, 2006 9:50 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Rancid and Motorola BSR64000
Has anyone tried to get rancid to work with a Motorola BSR64000?
Adam
From eravin at panix.com Sat May 13 02:47:49 2006
From: eravin at panix.com (Ed Ravin)
Date: Fri, 12 May 2006 22:47:49 -0400
Subject: [rancid] Re: Out of band access to devices?
Message-ID: <20060513024749.GA29808@panix.com>
On Tue, Aug 16, 2005 at 03:56:04PM +1000, Andrew Pollock wrote:
...
> So the only way of managing the devices is via SSHing to the Cyclades and
> getting on the console port. We can SSH directly to a specific port of the
> Cyclades, and after authenticating, get on the console attached to that
> port, and disconnect by way of the standard SSH disconnect break sequence
> when we're done.
>
> I'm wondering if RANCID has evolved over the last nearly 2 years to include
> such out of band access to devices, or if it's much of a muchness still?
It hasn't, but I finally decided I needed the feature and wrote it up.
In my case, I had to ssh to a server and run the "cu" command to get to
the serial console, so I set up a generic extension of the ssh method to
allow arbitrary arguments on the ssh command line. It looks like this
in .cloginrc:
add method testrouter {ssh}
add sshargs testrouter {-t} {termserver} {cu -l /dev/tty01 -s 9600}
I also had to add a match for "Connected" in the login dialog, which
"cu" prints when it's ready for you to send data, so clogin would send
an empty return to wake up the router's serial port.
This isn't sufficiently generic for my taste - I'd prefer something
where you can specify the path to the front end program to run
(it could be conserver, for example), and I'd want the match and
response for "Connected" to also be configurable in .cloginrc.
I propose something like this:
add spawn_command myrouter /usr/local/bin/conserver
add spawn_command_args myrouter {--this} {--that} {termserver01}
add spawn_greeting myrouter {termserver01 ready} {connected to myrouter}
add spawn_greeting_response myrouter {connect myrouter} {\r\r}
So you could have multiple expect/send responses to the front end device
before you get the router prompt and do the usual login dialogue (i.e.
the above example would listen for "termserver01 ready", then send
"connect myrouter\r", then listen for "connected to myrouter", then
send "\r\r" to wake up the router and hopefully produce a router login
prompt so the rest of clogin could proceed).
The current patch for just adding an "sshargs" variable to clogin
is a mere 30 lines - if anyone wants it, let me know. If there's
any consensus on the "right" way to do this, I'll be happy to code
it up for inclusion in a future version of RANCID.
Sample invocation:
$ ./clogin -t 5 -c 'show ver' testrouter
testrouter
spawn ssh -t termserver01 cu -l /dev/tty01 -s 9600
Connected.
Username: testme
Password:
Router#
Router#term length 0
Router#show ver
Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.4(5a), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
[...]
From morty at frakir.org Wed May 17 03:13:38 2006
From: morty at frakir.org (Mordechai T. Abzug)
Date: Tue, 16 May 2006 23:13:38 -0400
Subject: [rancid] rancid, netscreens and console page size
Message-ID: <20060517031338.GA29706@red-sonja.frakir.org>
I'm using the latest nrancid and nlogin for netscreens. Seems to work
nicely, with one caveat: every time we run rancid, paging gets turned
off. On netscreens, paging is a global parameter which can only be
changed by admin users. This can be very annoying for non-admin
users.
Patch:
*** /tmp/T0EMaOJJ Wed May 17 03:12:01 2006
--- nlogin Wed May 17 02:36:55 2006
***************
*** 412,417 ****
--- 412,419 ----
}
}
}
+ send "unset console page\r"
+ expect -re "$prompt" {}
send "exit\r"
expect {
-re "$prompt" {
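Review bot: the added 'expect -re "$prompt" {}' ahead of 'send "exit\r"' has no timeout or eof branch, so if the device never returns a prompt after 'unset console page' the script waits out the default timeout and then sends exit anyway, with nothing to show that paging was not restored. Add an explicit timeout branch that reports the failure through send_user.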
***************
*** 511,516 ****
--- 513,520 ----
send "set console page 0\r"
expect -re $prompt {}
source $sfile
+ send "unset console page\r"
+ expect -re "$prompt" {}
close
} else {
label $firewall
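Review bot: in this script-file branch the restore is sent only after 'source $sfile' returns, so a script that raises an error or exits leaves 'set console page 0' in effect, which is the global setting the patch is meant to undo. Wrapping the source in catch and sending 'unset console page' on both paths would cover that. It is also worth confirming that unset puts back the page size an admin had configured before the run and not some other value.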
Thanks!
- Morty
From listuser at numbnuts.net Wed May 17 19:54:48 2006
From: listuser at numbnuts.net (listuser at numbnuts.net)
Date: Wed, 17 May 2006 14:54:48 -0500 (CDT)
Subject: [rancid] Re: Rancid and Motorola BSR64000
In-Reply-To: <00dd01c67440$f98575c0$c9035d18@rr.com>
Message-ID:
I haven't tried it on a BSR64000 but RANCID successfully locked me out of a
BSR1000. It turns out that the code we're running on the 1000 (1.1.19)
has a few bugs that pertain to non-gracefully disconnected telnet
connections. RANCID killed the connection when it didn't encounter the
output it was looking for (an "end" statement IIRC). 3 hung telnet
connections later and I could no longer get into the BSR. We had to
reboot the thing to fix the problem.
I'd love to get support for the BSR as well as the Arris C3. They are
Cisco-like but not quite close enough.
Justin
On Wed, 10 May 2006, Adam Pawlukiewicz wrote:
> Has anyone tried to get rancid to work with a Motorola BSR64000?
Adam
From eravin at panix.com Thu May 18 21:50:27 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 18 May 2006 17:50:27 -0400
Subject: [rancid] patch for "out of band" access to devices
In-Reply-To: <20060513024749.GA29808@panix.com>
References: <20060513024749.GA29808@panix.com>
Message-ID: <20060518215027.GA7299@panix.com>
On Fri, May 12, 2006 at 10:47:49PM -0400, Ed Ravin wrote:
> On Tue, Aug 16, 2005 at 03:56:04PM +1000, Andrew Pollock wrote:
> ...
> > So the only way of managing the devices is via SSHing to the Cyclades and
> > getting on the console port. We can SSH directly to a specific port of the
> > Cyclades, and after authenticating, get on the console attached to that
> > port, and disconnect by way of the standard SSH disconnect break sequence
> > when we're done.
> >
> > I'm wondering if RANCID has evolved over the last nearly 2 years to include
> > such out of band access to devices, or if it's much of a muchness still?
As I posted previously, I've implemented this, and I now think/hope
it's clean enough to release a patch. Here's how it works in cloginrc:
add method testrouter {usercmd}
add usercmd testrouter {ssh} {-t} {termserver01} {cu -l /dev/tty01 -s 9600}
add usercmd_chat testrouter {Connected.} {\r}
The patches below to clogin define a new method, "usercmd" (i.e. instead
of "telnet" or "ssh"), which tells clogin to use the exact text supplied
in the "usercmd" directive for that router as the command to spawn. Note
the way the command line args are delimited, the braces have to be used
to mark off the arguments or the spawn command will fail.
Since whatever out-of-band gizmo you're using to access the router
might need some more interaction to let you get to the router,
the usercmd_chat directive is a list of expect/send pairs - match
something, send something, match the next something, send something,
etc. This is pretty primitive but it should be enough to get through
conserver, cu, kermit, or whatever you're using as the out-of-band
connector. In the above case, usercmd_chat is defined to "wait for the
string 'Connected.' and then send a CR".
For Andrew's case above, he might have to do something like:
add usercmd routeronc1 {ssh} {-t} {-p 12345} {cyclades01}
add usercmd_chat routeronc1 {Login:} {operator\r} {Password:} {secret\r} {Connected.} {\r}
to get past the authentication he describes, and then send a CR to the router
to get it to display a prompt.
I didn't code anything yet for the situation Andrew describes where he
wants to send an SSH break sequence when he's done. The attached patch
includes a fix to clogin so that it will hang up if it times out after it's
already sent "exit" to the router - though it wastes a few more seconds
timing out, it is a reliable way to close the connection in my environment.
If it turns out someone needs to have more chat interaction upon exit, I'd
be happy to code it in.
The patch to clogin is attached. The first chunk may need to be applied
by hand, since one of the surrounding lines is from my S/Key patches.
-- Ed
-------------- next part --------------
--- rancid-panix-3/libexec/rancid/clogin 2006-05-13 00:38:40.000000000 -0400
+++ rancid-panix-4/libexec/rancid/clogin 2006-05-15 21:00:20.000000000 -0400
@@ -288,7 +288,7 @@
# Log into the router.
proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
global spawn_id in_proc do_command do_script platform
- global prompt u_prompt p_prompt e_prompt sshcmd
+ global prompt u_prompt p_prompt e_prompt sshcmd usercmd usercmd_chat
global otpinuse
set in_proc 1
set uprompt_seen 0
@@ -319,6 +319,22 @@
send_user "\nError: $sshcmd failed: $reason\n"
exit 1
}
+ } elseif [string match "usercmd" $prog] { # user supplies connect cmd
+ set retval [ catch {eval spawn $usercmd} reason ]
+ if { $retval } {
+ send_user "\nError: '$usercmd' failed: $reason\n"
+ exit 1
+ }
+ if { [llength $usercmd_chat] > 0 } {
+ #send_user "\nExecuting usercmd_chat: $usercmd_chat\n"
+ sleep 0.3
+ foreach {i j} $usercmd_chat {
+ expect {
+ -re $i { eval send "\"$j\""}
+ timeout { send "\r"; send_user "\nTimeout in usercmd_chat waiting for -re $i: punting with CR\n"; break }
+ }
+ }
+ }
} elseif ![string compare $prog "rsh"] {
if [ catch {spawn rsh -l $user $router} reason ] {
send_user "\nError: rsh failed: $reason\n"
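Review bot: 'eval send "\"$j\""' in the usercmd_chat loop re-parses each reply as Tcl source, so a reply containing '[', '$' or a double quote (easy to hit with a password such as the {secret\r} in the example) is substituted or breaks the parse instead of being sent as written. Decoding only the backslash escapes, for instance send -- [subst -nocommands -novariables $j], keeps \r working without evaluating the rest. Two smaller points in the same block: '-re $i' treats the expect string as a regular expression, so the dot in 'Connected.' matches any character, and the timeout branch breaks out and carries on into the normal login dialogue after an incomplete chat, where returning an error would be safer than punting with a CR.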
@@ -626,7 +642,7 @@
exp_continue
}
-re "\[\n\r]+" { exp_continue }
- timeout { return 0 }
+ timeout { close; return 0 }
eof { return 0 }
}
set in_proc 0
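Review bot: the 'close' added to the timeout branch is not followed by 'wait', so the spawned process is not reaped until clogin exits, and the eof branch on the next line still returns without either call. Suggest 'catch {close}; catch {wait}' in both branches so that a run over many routers does not accumulate defunct ssh or cu processes.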
@@ -752,6 +768,10 @@
set sshcmd [find sshcmd $router]
if { "$sshcmd" == "" } { set sshcmd {ssh} }
+ # If user provides a router-specific connection method, use it
+ set usercmd [find usercmd $router]
+ set usercmd_chat [find usercmd_chat $router]
+
# Login to the router
if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype]} {
continue
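The usercmd_chat expect/send pairs described in this message (and the spawn_greeting pairs proposed in the May 12 message) need their \r escapes decoded before they are sent. The following is an added example, not part of the posted patch or of RANCID: plain Tcl showing that decoding with subst leaves '[' and '$' in a reply literal, where re-parsing the reply with eval does not. The names chat_decode, chat_pairs, fake_send and show are hypothetical helpers, and the chat list is a constructed sample.

```tcl
# Added example, not from the posted patch. Plain tclsh, no Expect needed.

# Decode backslash escapes such as \r in a chat string with command and
# variable substitution switched off, so "[" and "$" stay literal.
proc chat_decode {s} {
    return [subst -nocommands -novariables $s]
}

# Turn a usercmd_chat style list into {pattern reply} pairs; reject a list
# that ends in a pattern with no reply.
proc chat_pairs {chat} {
    if {[llength $chat] % 2 != 0} {
        error "chat list needs expect/send pairs, got [llength $chat] items"
    }
    set pairs {}
    foreach {pattern reply} $chat {
        lappend pairs [list $pattern [chat_decode $reply]]
    }
    return $pairs
}

# Stand-in for Expect's send (hypothetical): records the string it is given.
set sent {}
proc fake_send {args} {
    global sent
    lappend sent [lindex $args end]
}

# Make carriage returns visible when printing.
proc show {items} {
    return [string map [list "\r" "<CR>"] [join $items " | "]]
}

# Constructed sample: the second reply is a password containing brackets.
set chat {{Login:} {operator\r} {Password:} {pa[set marker changed]ss\r}}

# 1. The eval form from the patch re-parses each reply as Tcl source.
set marker "untouched"
foreach {pattern reply} $chat {
    eval fake_send "\"$reply\""
}
puts "eval:  marker=$marker  sent=[show $sent]"

# 2. Decoding only the backslash escapes sends the reply as written.
set marker "untouched"
set sent {}
foreach pair [chat_pairs $chat] {
    fake_send -- [lindex $pair 1]
}
puts "subst: marker=$marker  sent=[show $sent]"
```

In clogin the same decoding would sit in front of Expect's own send, with the "--" flag so that a reply starting with a dash is not read as an option.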
From ch at westend.com Mon May 22 10:21:06 2006
From: ch at westend.com (Christian Hammers)
Date: Mon, 22 May 2006 12:21:06 +0200
Subject: [rancid] Patch: Using logger instead of unattended logfiles
Message-ID: <20060522102106.GA3474@westend.com>
Hi
I like to get noticed in case of errors and don't like logfiles that
lay forgotten and unattended somewhere in a log/ directory so I piped
the output to logger which writes it to the syslog file which is
monitored by logcheck.
It would be nice if this would be configurable (or default).
bye,
-christian-
--- /home/ch/rancid-run 2006-05-22 11:27:47.419037711 +0200
+++ bin/rancid-run.in 2006-05-22 11:55:51.102623562 +0200
@@ -81,10 +81,6 @@
exit 1
fi
-if [ ! -d $LOGDIR ] ; then
- mkdir $LOGDIR || (echo "Could not create log directory: $LOGDIR"; exit 1)
-fi
-
for GROUP in $LIST_OF_GROUPS
do
@@ -131,5 +127,5 @@
echo
echo ending: `date`
- ) >$LOGDIR/$GROUP.`date +%Y%m%d.%H%M%S` 2>&1
+ ) 2>&1 | grep -v '^$' | logger -p daemon.info -t "rancid/$GROUP"
done
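Review bot: replacing the redirect with '2>&1 | grep -v '^$' | logger -p daemon.info' drops the per-run log file unconditionally, and together with the removed $LOGDIR creation in the first hunk it leaves sites that rely on those files with no way to opt out. Make the destination selectable, as the message itself asks, and keep in mind that run output now lands in daemon.info, which may be readable by more users or forwarded off-host, whereas the log directory's permissions were under rancid's control.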
--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-11
ch at westend.com D-52064 Aachen Fax 0241/911879
From ch at westend.com Mon May 22 10:25:24 2006
From: ch at westend.com (Christian Hammers)
Date: Mon, 22 May 2006 12:25:24 +0200
Subject: [rancid] [patch] Using diffstat in the output mail
Message-ID: <20060522102524.GB3474@westend.com>
Hello
I modified the mail output to include the output of diffstat. This gives
me a nice overview of what has changed without having to browse through
the long mail:
switch1.intern | 4 +++-
routerxx.intern | 4 +++-
sw04-xxx-yyy.westend.com | 4 +++-
3 files changed, 9 insertions(+), 3 deletions(-)
bye,
-christian-
--- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100
+++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100
@@ -392,6 +392,8 @@
Subject: $subject
Precedence: bulk
+`diffstat $TMP.diff`
+
`cat $TMP.diff`
EMAIL
fi
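Review bot: the added '`diffstat $TMP.diff`' inside the here-document runs unconditionally, so on a host without diffstat the mail gets an empty block at the top and the shell's error goes wherever control_rancid's stderr goes. Guard it by testing for the program, or a configuration variable, before the message is built and insert the summary only when it is available; the argument should also be quoted as "$TMP.diff".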
--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-11
ch at westend.com D-52064 Aachen Fax 0241/911879
From heas at shrubbery.net Mon May 22 16:14:46 2006
From: heas at shrubbery.net (john heasley)
Date: Mon, 22 May 2006 09:14:46 -0700
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060522102524.GB3474@westend.com>
References: <20060522102524.GB3474@westend.com>
Message-ID: <20060522161446.GB4674@shrubbery.net>
Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers:
> Hello
>
> I modified the mail output to include the output of diffstat. This gives
> me a nice overview of what has changed without having to browse through
> the long mail:
>
> switch1.intern | 4 +++-
> routerxx.intern | 4 +++-
> sw04-xxx-yyy.westend.com | 4 +++-
> 3 files changed, 9 insertions(+), 3 deletions(-)
>
> bye,
> -christian-
Can't you do this with procmail?
> --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100
> +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100
> @@ -392,6 +392,8 @@
> Subject: $subject
> Precedence: bulk
>
> +`diffstat $TMP.diff`
> +
> `cat $TMP.diff`
> EMAIL
> fi
From mstefani at redhat.com Tue May 23 11:18:23 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Tue, 23 May 2006 13:18:23 +0200
Subject: [rancid] PATCH: Cisco C3825,3845: Fix parsing of show version
Message-ID: <20060523111823.GA10295@redhat.com>
Hello,
the Cisco C3825 and C3845 do not include the processor information in
show version:
Cisco 3845 (revision 1.0) with 223232K/38912K bytes of memory.
Therefore the parsing of that string fails and rancid won't include the
"Chassis type", "Memory: main" and "Processor ID" lines into the saved
configs.
The attached patch fixes this. I tested it against all our devices with
rancid type "cisco" and the patch doesn't introduce any regression.
Though your mileage may vary.
The patch applies both to rancid-2.3.1 and rancid-2.3.2a4 (with an
offset here).
bye
michael
--
Michael Stefaniuc Tel.: +49-711-96437-199
Sr. Network Engineer Fax.: +49-711-96437-111
Red Hat GmbH Email: mstefani at redhat.com
Hauptstaetterstr. 58 http://www.redhat.de/
D-70178 Stuttgart
-------------- next part --------------
--- rancid.orig 2006-05-23 03:58:36.000000000 -0400
+++ rancid 2006-05-23 05:03:02.000000000 -0400
@@ -211,7 +211,7 @@
next;
/^System image file is "([^\"]*)"$/ &&
ProcessHistory("COMMENTS","keysort","F5","!Image: $1\n") && next;
- if (/(\S+)\s+\((\S+)\)\s+processor.*with (\S+[kK]) bytes/) {
+ if (/(\S+)\s+(?:\((\S+)\)\s+processor\s+)?\(revision[^)]+\).*with (\S+[kK]) bytes/) {
my($proc) = $1;
my($cpu) = $2;
my($mem) = $3;
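Review bot: the new pattern makes the '(...) processor' group optional but makes '\(revision[^)]+\)' mandatory, so any show version line that matched the old expression without a revision field no longer matches. If such output exists on other platforms, make the revision part optional as well or fall back to the old expression. Since $2 is now undefined for the 38xx form, every later use of $cpu in this block needs a defined() check, not only the one patched in the last hunk.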
@@ -256,6 +256,8 @@
$type = "3600";
} elsif ( $proc =~ /^37/) {
$type = "3700";
+ } elsif ( $proc =~ /^38/) {
+ $type = "3800";
} elsif ( $proc eq "RSP7000") {
$type = "7500";
} elsif ( $proc =~ /RSP\d/) {
@@ -299,7 +301,9 @@
"!Chassis type:$slave $proc - a $type $device\n");
ProcessHistory("COMMENTS","keysort","B1",
"!Memory:$slave main $mem\n");
- ProcessHistory("COMMENTS","keysort","A3","!CPU:$slave $cpu$_$slaveslot\n");
+ if (defined($cpu)) {
+ ProcessHistory("COMMENTS","keysort","A3","!CPU:$slave $cpu$_$slaveslot\n");
+ }
next;
}
if (/(\S+) Silicon\s*Switch Processor/) {
From ch at westend.com Tue May 23 12:10:23 2006
From: ch at westend.com (Christian Hammers)
Date: Tue, 23 May 2006 14:10:23 +0200
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060522161446.GB4674@shrubbery.net>
References: <20060522102524.GB3474@westend.com>
<20060522161446.GB4674@shrubbery.net>
Message-ID: <20060523121023.GA21314@westend.com>
On Mon, May 22, 2006 at 09:14:46AM -0700, john heasley wrote:
> Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers:
> > Hello
> >
> > I modified the mail output to include the output of diffstat. This gives
> > me a nice overview of what has changed without having to browse through
> > the long mail:
> >
> > switch1.intern | 4 +++-
> > routerxx.intern | 4 +++-
> > sw04-xxx-yyy.westend.com | 4 +++-
> > 3 files changed, 9 insertions(+), 3 deletions(-)
> >
> > bye,
> > -christian-
>
> Can't you do this with procmail?
procmail?! As I completely fail to see how procmail can be used here I
better explain my idea a bit more :-)
Normally when changes to our routers were made, I get one mail
containing the diff output of say 6 different router configs.
To see that a) one specific router was affected at all and b) the
changes on this router were very big or just one line, I would have to
scroll down the long mail and inspect the diff.
With this one-line patch I get a nice diffstat output at the top of the
mail and can quickly see that e.g. somebody modified all edge routers
or all intranet routers and can better decide if I want to read the
details...
bye,
-christian-
>
> > --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100
> > +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100
> > @@ -392,6 +392,8 @@
> > Subject: $subject
> > Precedence: bulk
> >
> > +`diffstat $TMP.diff`
> > +
> > `cat $TMP.diff`
> > EMAIL
> > fi
--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-11
ch at westend.com D-52064 Aachen Fax 0241/911879
From andy at shady.org Tue May 23 14:22:58 2006
From: andy at shady.org (andy)
Date: Tue, 23 May 2006 15:22:58 +0100
Subject: [rancid] Re: extreme issues
In-Reply-To: <20060419160204.GD15903@shady.org>
References: <20060419160204.GD15903@shady.org>
Message-ID: <20060523142257.GD30136@shady.org>
An update on this issue:
clogin has stopped working with extreme with extremeIOS latest versions it seems.
This relates to both admin and local users, with or without TACACS+.
example1 (local admin user)
carp:~/rancid-2.3.2a4/bin$ ./clogin -c "show version" ballinteer-switch.internal.nw
ballinteer-switch.internal.nw
spawn ssh -c 3des -x -l admin ballinteer-switch.internal.nw
admin at ballinteer-switch.internal.nw's password:
ExtremeWare
Copyright (C) 1996-2005 Extreme Networks. All rights reserved.
Protected by U.S Patent Nos 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957
==============================================================================
Press the key at any time for completions.
Remember to save your configuration changes.
Ballinteer Summit 48si:1 #
Ballinteer Summit 48si:1 # ^]quit
^C^C^Ccarp:~/rancid-2.3.2a4/bin$
example2 (local non admin user)
carp:~/rancid-2.3.2a4/bin$ ./clogin -u look -p xxxxxxx -c "show version" ballinteer-switch.internal.nw
ballinteer-switch.internal.nw
spawn ssh -c 3des -x -l look ballinteer-switch.internal.nw
look at ballinteer-switch.internal.nw's password:
ExtremeWare
Copyright (C) 1996-2005 Extreme Networks. All rights reserved.
Protected by U.S Patent Nos 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957
==============================================================================
Press the key at any time for completions.
Ballinteer Summit 48si:1 >
Ballinteer Summit 48si:1 >Connection to ballinteer-switch.internal.nw closed.
carp:~/rancid-2.3.2a4/bin$
example3 (tacacs non admin user)
carp:~/rancid-2.3.2a4/bin$ ./clogin -u look -p xxxxxx -c "show version" athlone-switch.internal.nw
athlone-switch.internal.nw
spawn ssh -c 3des -x -l look athlone-switch.internal.nw
look at athlone-switch.internal.nw's password:
ExtremeWare
Copyright (C) 1996-2005 Extreme Networks. All rights reserved.
Protected by U.S Patent Nos 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957
==============================================================================
Press the key at any time for completions.
Summit48si:1 >
Summit48si:1 >Connection to athlone-switch.internal.nw closed.
The version of rancid is the latest version "rancid-2.3.2a4".
I believe this is due to a change in the prompt made by extreme in the last few releases of their firmware.
Does anyone have a working copy of clogin that works with local users with extreme switches as I've never managed to get
clogin working with a non-admin user?
clogin cvs revision number: clogin.in,v 1.94 2006/04/28
This extreme IOS change has also affected version "clogin.in,v 1.79" which is still the currently distributed ports
version for FreeBSD.
I can supply outputs, in any environment with or without tacacs auth, using local or admin users if someone can fix the
expect code used.
cheers
On Wed, Apr 19, 2006 at 05:02:04PM +0100, andy wrote:
> Follow up to list:
>
>
>
> ----- Forwarded message from andy -----
>
> Date: Tue, 18 Apr 2006 20:52:32 +0100
> From: andy
> To: john heasley
> Subject: Re: extreme issues
>
> Do you have enough info to look into this issue?
> I can provide more if needed, I've looked into it fairly closely now and I have to admit, without going right through
> the code, I would not be able to solve the issue.
>
> I did some testing today however, and it seems the issue exists with a "user" account and no tacacs.
> I could only get clogin to work with the "admin" user using both versions 7.4 and the new 7.5.
>
> cheers
>
>
>
> On Sun, Apr 16, 2006 at 03:33:48PM +0000, john heasley wrote:
> > can you show me the prompt/clogin without tacacs?
> >
> > Fri, Apr 14, 2006 at 07:04:16PM +0100, andy:
> > > Hi,
> > >
> > > I've been using rancid for quite some time now, and we decided to roll out tac_plus for auth on our extremes.
> > > Basically, rancid then stopped working.
> > >
> > > I've been using tac_plus for junipers for a while quite successfully. All good.
> > > So, basically, I have a user called "look" that I use for rancid.
> > >
> > > This is the tac_plus conf for the look group:
> > >
> > > group = tier1
> > > {
> > > ## extreme tacacs configuration
> > > default service = deny
> > > cmd = show {
> > > permit configuration
> > > permit version
> > > permit memory
> > > permit switch
> > > permit slot
> > > permit diag
> > > deny .*
> > > }
> > > cmd = disable {
> > > permit clipaging
> > > deny .*
> > > }
> > >
> > > ## cli service for junipers
> > > service = junos-exec
> > > {
> > > priv_lvl = 15
> > > local-user-name = tier1
> > > allow-commands = ""
> > > allow-configuration = ""
> > > deny-commands = "monitor|request|file"
> > > deny-configuration = ""
> > > }
> > > }
> > >
> > > I was running the ports version of rancid when stuff broke but I've now downloaded the latest version.
> > > It still appears fairly broken though with our new config. I know that the prompt changed when we moved from using an
> > > admin user to a non-admin user.
> > >
> > > Is there a fix for the errors below.
> > >
> > > cheers
> > >
> > > this is the output when i try to run clogin
> > >
> > > carp:~$ ./clogin -c "show version;show version" tallaght-switch.internal.nw
> > > tallaght-switch.internal.nw
> > > spawn ssh -c 3des -x -l andy tallaght-switch.internal.nw
> > > andy at tallaght-switch.internal.nw's password:
> > >
> > > ExtremeWare
> > > Copyright (C) 1996-2003 Extreme Networks. All rights reserved.
> > > ===============================================================
> > >
> > > Press the key at any time for completions.
> > > Tallaght Summit 48si::1 > can't read "expect_out(2,string)": no such element in array
> > > while executing
> > > "set prompt ".? ?$junk\[0-9]+ $expect_out(2,string)""
> > > invoked from within
> > > "expect -nobrace -re {[
> > > ]+} { exp_continue; } -re {^(.+:)1 >} { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config changes..."
> > > invoked from within
> > > "expect {
> > > -re "\[\r\n]+" { exp_continue; }
> > > -re "^(.+:)1 $prompt" { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config ch..."
> > > ("foreach" body line 125)
> > > invoked from within
> > > "foreach router [lrange $argv $i end] {
> > > set router [string tolower $router]
> > > send_user "$router\n"
> > >
> > > # Figure out the prompt.
> > > # autoenabl..."
> > > (file "./clogin" line 686)
> > > carp:~$ ./clogin -autoenable -c "show version;show version" tallaght-switch.internal.nw
> > > tallaght-switch.internal.nw
> > > spawn ssh -c 3des -x -l andy tallaght-switch.internal.nw
> > > andy at tallaght-switch.internal.nw's password:
> > >
> > > ExtremeWare
> > > Copyright (C) 1996-2003 Extreme Networks. All rights reserved.
> > > ===============================================================
> > >
> > > Press the key at any time for completions.
> > > Tallaght Summit 48si::1 >
> > > ^C^C^Ccarp:~$ ./clogin -noenable -c "show version;show version" tallaght-switch.internal.nw
> > > tallaght-switch.internal.nw
> > > spawn ssh -c 3des -x -l andy tallaght-switch.internal.nw
> > > andy at tallaght-switch.internal.nw's password:
> > >
> > > ExtremeWare
> > > Copyright (C) 1996-2003 Extreme Networks. All rights reserved.
> > > ===============================================================
> > >
> > > Press the key at any time for completions.
> > > Tallaght Summit 48si::1 > can't read "expect_out(2,string)": no such element in array
> > > while executing
> > > "set prompt ".? ?$junk\[0-9]+ $expect_out(2,string)""
> > > invoked from within
> > > "expect -nobrace -re {[
> > > ]+} { exp_continue; } -re {^(.+:)1 >} { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config changes..."
> > > invoked from within
> > > "expect {
> > > -re "\[\r\n]+" { exp_continue; }
> > > -re "^(.+:)1 $prompt" { # stoopid extreme cmd-line numbers and
> > > # prompt based on state of config ch..."
> > > ("foreach" body line 125)
> > > invoked from within
> > > "foreach router [lrange $argv $i end] {
> > > set router [string tolower $router]
> > > send_user "$router\n"
> > >
> > > # Figure out the prompt.
> > > # autoenabl..."
> > > (file "./clogin" line 686)
> > >
> > >
> > > --
> > > andy andy at shady.org
> > > -----------------------------------------------
> > > Never argue with an idiot. They drag you down
> > > to their level, then beat you with experience.
> > > -----------------------------------------------
> >
>
> --
> andy andy at shady.org
> -----------------------------------------------
> Never argue with an idiot. They drag you down
> to their level, then beat you with experience.
> -----------------------------------------------
>
> ----- End forwarded message -----
>
> --
> andy andy at shady.org
> -----------------------------------------------
> Never argue with an idiot. They drag you down
> to their level, then beat you with experience.
> -----------------------------------------------
>
--
andy andy at shady.org
-----------------------------------------------
Never argue with an idiot. They drag you down
to their level, then beat you with experience.
-----------------------------------------------
From heas at shrubbery.net Tue May 23 19:13:30 2006
From: heas at shrubbery.net (john heasley)
Date: Tue, 23 May 2006 12:13:30 -0700
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060523121023.GA21314@westend.com>
References: <20060522102524.GB3474@westend.com>
<20060522161446.GB4674@shrubbery.net>
<20060523121023.GA21314@westend.com>
Message-ID: <20060523191330.GG16410@shrubbery.net>
Tue, May 23, 2006 at 02:10:23PM +0200, Christian Hammers:
> On Mon, May 22, 2006 at 09:14:46AM -0700, john heasley wrote:
> > Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers:
> > > Hello
> > >
> > > I modified the mail output to include the output of diffstat. This gives
> > > me a nice overview of what has changed without having to browse through
> > > the long mail:
> > >
> > > switch1.intern | 4 +++-
> > > routerxx.intern | 4 +++-
> > > sw04-xxx-yyy.westend.com | 4 +++-
> > > 3 files changed, 9 insertions(+), 3 deletions(-)
> > >
> > > bye,
> > > -christian-
> >
> > Can't you do this with procmail?
>
> procmail?! As I completely fail to see how procmail can be used here I
> better explain my idea a bit more :-)
>
> Normally when changes to our routers were made, I get one mail
> containing the diff output of say 6 different router configs.
>
> To see that a) one specific router was affected at all and b) the
> changes on this router were very big or just one line, I would have to
> scroll down the long mail and inspect the diff.
>
> With this one-line patch I get a nice diffstat output at the top of the
> mail and can quickly see that e.g. somebody modified all edge routers
> or all intranet routers and can better decide if I want to read the
> details...
>
> bye,
>
> -christian-
:0:maildir.lock
* Subject: .* diffs
* !^X-MAILLOOP: diffstat
| (cd $MAILDIR; tee copy | sed -e '1,/^$/d' > body; sed -e '1,/^$/p' -e '/^$/q' copy > headers; cat headers; diffstat body; echo ; cat body; rm -f copy headers body; ) | formail -A "X-MAILLOOP: diffstat" -s procmail
> >
> > > --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100
> > > +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100
> > > @@ -392,6 +392,8 @@
> > > Subject: $subject
> > > Precedence: bulk
> > >
> > > +`diffstat $TMP.diff`
> > > +
> > > `cat $TMP.diff`
> > > EMAIL
> > > fi
From ch at westend.com Tue May 23 19:54:42 2006
From: ch at westend.com (Christian Hammers)
Date: Tue, 23 May 2006 21:54:42 +0200
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060523191330.GG16410@shrubbery.net>
References: <20060522102524.GB3474@westend.com>
<20060522161446.GB4674@shrubbery.net>
<20060523121023.GA21314@westend.com>
<20060523191330.GG16410@shrubbery.net>
Message-ID: <20060523195442.GA29042@westend.com>
Hello
On Tue, May 23, 2006 at 12:13:30PM -0700, john heasley wrote:
> :0:maildir.lock
> * Subject: .* diffs
> * !^X-MAILLOOP: diffstat
> | (cd $MAILDIR; tee copy | sed -e '1,/^$/d' > body; sed -e '1,/^$/p' -e '/^$/q' copy > headers; cat headers; diffstat body; echo ; cat body; rm -f copy headers body; ) | formail -A "X-MAILLOOP: diffstat" -s procmail
*shudder* Ok, ok, I acknowledge that it really *is* possible to do with
procmail, but you won't propose me to fix it this way, or? :)
As I still think that the additional diffstat output would be beneficial
to/liked by the majority of the rancid users, I would still prefer to
see my one-line patch included... maybe with a "if $WANT_DIFFSTAT then"
surrounded to make it configurable. I would even send you patches for
this.
> > > > --- old/bin/control_rancid.in 2006-03-15 10:05:33.000000000 +0100
> > > > +++ new/bin/control_rancid.in 2006-03-16 09:33:44.964493641 +0100
> > > > @@ -392,6 +392,8 @@
> > > > Subject: $subject
> > > > Precedence: bulk
> > > >
> > > > +`diffstat $TMP.diff`
> > > > +
> > > > `cat $TMP.diff`
> > > > EMAIL
> > > > fi
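Review bot: the patch touches only bin/control_rancid.in, so the new runtime dependency introduced by the added "diffstat $TMP.diff" line is not documented anywhere. Please add a matching note to the install documentation, or a configure-time check for diffstat, in the same change so that packagers and upgraders learn about the requirement before the first mail goes out.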
bye,
-christian-
--
Christian Hammers WESTEND GmbH | Internet-Business-Provider
Technik CISCO Systems Partner - Authorized Reseller
Lütticher Straße 10 Tel 0241/701333-11
ch at westend.com D-52064 Aachen Fax 0241/911879
From asp at partan.com Tue May 23 19:59:18 2006
From: asp at partan.com (Andrew Partan)
Date: Tue, 23 May 2006 15:59:18 -0400
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060522102524.GB3474@westend.com>
References: <20060522102524.GB3474@westend.com>
Message-ID: <20060523195918.GB70283@partan.com>
On Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers wrote:
> I modified the mail output to include the output of diffstat.
diffstat is another package & thus another thing that must be
installed before running rancid. Is it worth it? Dunno.
--asp
From rspeed at gmail.com Wed May 24 16:11:56 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Wed, 24 May 2006 09:11:56 -0700
Subject: [rancid] ignore certain diff's
Message-ID:
Howdy,
I've got rancid checking a few cisco routers running Callmanager
Express which has turned out to be a bit of an annoyance because when
people forward their phones I get the diff emails sent out. Before I
go hacking away at the scripts could someone suggest an elegant way to
add exceptions to the emailing of diffs? I'm assuming a | grep -v
call-forward in the right place would do the trick.
Thanks,
Ryan
--
><(((?>
Ryan Speed
From tex at off.org Wed May 24 16:46:05 2006
From: tex at off.org (Austin Schutz)
Date: Wed, 24 May 2006 09:46:05 -0700
Subject: [rancid] Re: ignore certain diff's
In-Reply-To:
References:
Message-ID: <20060524164605.GD7880@gblx.net>
On Wed, May 24, 2006 at 09:11:56AM -0700, Ryan Speed wrote:
> Howdy,
>
> I've got rancid checking a few cisco routers running Callmanager
> Express which has turned out to be a bit of an annoyance because when
> people forward their phones I get the diff emails sent out. Before I
> go hacking away at the scripts could someone suggest an elegant way to
> add exceptions to the emailing of diffs? I'm assuming a | grep -v
> call-forward in the right place would do the trick.
>
Hmm, yesterday someone else mentioned a different concept of filtering
the diffs before they were emailed. Seems like maybe we could make the diff
command configurable so people could plug in alternatives or do extra
filtering.
Austin
From david_laporte at harvard.edu Wed May 24 16:58:58 2006
From: david_laporte at harvard.edu (David LaPorte)
Date: Wed, 24 May 2006 12:58:58 -0400
Subject: [rancid] Re: ignore certain diff's
In-Reply-To:
References:
Message-ID: <447490D2.3060702@harvard.edu>
We do something similar to ignore access-list changes. It's more
in-depth than simply grep'ing it (since there are context lines as well
you don't want to see), but hacking control_rancid as follows should work:
cvs -f diff -U 4 | sed -e '/^RCS file: /d' -e '/^--- /d' \
    -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
to:
cvs -f diff -U 4 --ignore-matching-lines='^call-forward' |
    sed -e '/^RCS file: /d' -e '/^--- /d' -e '/^+++ /d' \
    -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
For some reason, I seem to remember it would still email even if the
diff were blank, so I wrapped the email section in a:
DIFF=`cat $TMP.diff | grep -v "^===" | grep -v "^diff " |
    grep -v "^Index: " | grep -v "^retrieving revision" | grep -v "^$"`
if [ -n "$DIFF" ]; then
...email stuff here...
fi
There may be a better way, but that has worked well for me.
Dave
Ryan Speed wrote:
> Howdy,
>
> I've got rancid checking a few cisco routers running Callmanager
> Express which has turned out to be a bit of an annoyance because when
> people forward their phones I get the diff emails sent out. Before I
> go hacking away at the scripts could someone suggest an elegant way to
> add exceptions to the emailing of diffs? I'm assuming a | grep -v
> call-forward in the right place would do the trick.
>
> Thanks,
> Ryan
>
From eravin at panix.com Wed May 24 19:14:07 2006
From: eravin at panix.com (Ed Ravin)
Date: Wed, 24 May 2006 15:14:07 -0400
Subject: [rancid] Re: ignore certain diff's
In-Reply-To:
References:
Message-ID: <20060524191407.GA15602@panix.com>
On Wed, May 24, 2006 at 09:11:56AM -0700, Ryan Speed wrote:
> I've got rancid checking a few cisco routers running Callmanager
> Express which has turned out to be a bit of an annoyance because when
> people forward their phones I get the diff emails sent out. Before I
> go hacking away at the scripts could someone suggest an elegant way to
> add exceptions to the emailing of diffs?
Assuming GNU diff, you could use something like this:
DIFFSUPPRESSOPTS="-b -I '^ntp clock-period [0-9][0-9]*' -I '^! Last configuration change ' -I '^! NVRAM config last updated '"
The above is a fragment from a non-RANCID script I have that manipulates
the routers. The -I (or --ignore-matching-lines) option specifies patterns
that diff will ignore if the differences in that line match the specified RE.
I'm sure with judicious use of one or two shell variables, we could have
settings in rancid.conf to allow various kinds of fine-tuning of the diff
listing that RANCID mails out.
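Added example (not RANCID code and not from any poster in this thread): the diff -I suppression and the "skip the mail when the diff is empty" check described in the two replies above, run against constructed configs. It assumes GNU diff; IGNORE_PATTERNS, filtered_diff, report_needed and make_config are hypothetical names. Each RE is passed as its own argument so that patterns containing spaces survive word splitting.

```shell
#!/bin/sh
# Added example, not RANCID code. Assumes GNU diff (-I and -U).
# All names are hypothetical; the configs are constructed samples.

# One ignore RE per line. Every suppressed pattern is a monitoring blind
# spot, so keep each RE anchored and as narrow as the noise it removes.
IGNORE_PATTERNS='^ *call-forward
^ntp clock-period [0-9][0-9]*'

# filtered_diff OLD NEW: unified diff with the ignore REs applied.
# diff drops a hunk only when every changed line in it matches an RE.
filtered_diff() {
    fd_old=$1
    fd_new=$2
    set --
    while IFS= read -r fd_pat; do
        if [ -n "$fd_pat" ]; then
            set -- "$@" -I "$fd_pat"
        fi
    done <<EOF
$IGNORE_PATTERNS
EOF
    # diff exits 1 when the files differ; only a status above 1 is an error.
    diff -U 4 "$@" "$fd_old" "$fd_new" || [ "$?" -eq 1 ]
}

# report_needed OLD NEW: true only if something reportable changed.
report_needed() {
    [ -n "$(filtered_diff "$1" "$2")" ]
}

# make_config FORWARD_TARGET ACL_RULE CLOCK_PERIOD: constructed IOS-like config.
make_config() {
    printf '%s\n' 'hostname cme-lab' "ntp clock-period $3" '!' \
        'ephone-dn 1' ' number 1001' " call-forward all $1" '!'
    mc_i=1
    while [ "$mc_i" -le 12 ]; do      # padding: keeps the ACL edit in its own hunk
        printf 'interface Loopback%s\n' "$mc_i"
        mc_i=$((mc_i + 1))
    done
    printf '%s\n' "access-list 10 $2" 'end'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_config 5551000 'permit 10.0.0.0 0.0.0.255' 17180001 > "$dir/old"
    # Only a forwarded phone and NTP drift: pure noise.
    make_config 5552000 'permit 10.0.0.0 0.0.0.255' 17180042 > "$dir/noise"
    # Same noise plus an ACL edit that must still be reported.
    make_config 5552000 'permit any' 17180042 > "$dir/real"
    for name in noise real; do
        if report_needed "$dir/old" "$dir/$name"; then
            echo "== $name: mail this diff =="
            filtered_diff "$dir/old" "$dir/$name" |
                sed -e '/^--- /d' -e '/^+++ /d'
        else
            echo "== $name: nothing to report, no mail =="
        fi
    done
    rm -rf "$dir"
}

demo
```

An ignorable line that sits inside the same hunk as a real change is still shown, which is the behaviour a change-monitoring setup wants.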
From jim.bartus at gmail.com Thu May 25 15:45:09 2006
From: jim.bartus at gmail.com (jim bartus)
Date: Thu, 25 May 2006 11:45:09 -0400
Subject: [rancid] post-install, now what?
Message-ID:
I've gotten a trial install of rancid going on my network now checking about
20 devices (all cisco, switches, routers, and two pixes). My question is...
now what?
For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
running config sitting in a tftp root, which made it easy to "copy tftp run"
from a device to restore a config. How do you guys address this in rancid?
I notice that since what rancid stores in cvs is one giant file, I'd have to
write a script to parse out the parts I want. Is there a community site of
some sort where scripts like these are posted?
Also, has anyone done any integration work with syslog so that rancid will
automatically run against a device when a log message about its config
changing comes in?
Mostly I'm just trying to avoid as much re-inventing of the wheel as
possible, so I'm hoping to find documentation, tips, best practices, and
scripts that may already exist.
-jim
From eravin at panix.com Thu May 25 15:59:19 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 25 May 2006 11:59:19 -0400
Subject: [rancid] Re: post-install, now what?
In-Reply-To:
References:
Message-ID: <20060525155919.GC6833@panix.com>
On Thu, May 25, 2006 at 11:45:09AM -0400, jim bartus wrote:
> I've gotten a trial install of rancid going on my network now checking
> about 20 devices (all cisco, switches, routers, and two pixes). My
> question is... now what?
> For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
> running config sitting in a tftp root, which made it easy to "copy
> tftp run" from a device to restore a config. How do you guys address
> this in rancid?
We don't. RANCID post-processes the config in various ways that improve
change reporting but lose the original config. For starters, by default
all passwords get removed from the config so that they don't accidentally
get emailed out, but there are more subtle transformations: sequence numbers
get removed, some things get sorted, etc. You probably want to keep Pancho
around so that you'll have an exact copy of the config to restore from.
> I notice that since what rancid stores in cvs is one
> giant file, I'd have to write a script to parse out the parts I want.
> Is there a community site of some sort where scripts like these are
> posted?
The current copy of the config is kept available for your use - look
in /configs . You may also want to read through the Perl
code for the *rancid scripts to see how they parse out bits and pieces
of the config.
> Also, has anyone done any integration work with syslog so that rancid
> will automatically run against a device when a log message about its
> config changing comes in?
See the entry for Simple Event Coordinator (SEC) in the RANCID FAQ:
http://www.shrubbery.net/rancid/FAQ
> Mostly I'm just trying to avoid as much re-inventing of the wheel as
> possible, so I'm hoping to find documentation, tips, best practices,
> and scripts that may already exist.
The best resource seems to be the archives of this mailing list, where I
got the tip above about SEC :-).
From jim.bartus at gmail.com Thu May 25 18:54:38 2006
From: jim.bartus at gmail.com (jim bartus)
Date: Thu, 25 May 2006 14:54:38 -0400
Subject: [rancid] Re: post-install, now what?
In-Reply-To: <20060525155919.GC6833@panix.com>
References:
<20060525155919.GC6833@panix.com>
Message-ID:
Thanks Ed, but I can't find any mention of SEC in that link.
From willay at gmail.com Thu May 25 19:00:32 2006
From: willay at gmail.com (William)
Date: Thu, 25 May 2006 20:00:32 +0100
Subject: [rancid] Re: post-install, now what?
In-Reply-To:
References:
<20060525155919.GC6833@panix.com>
Message-ID:
Hi Jim,
We use swatch to look out for the %SYS-5-CONFIG message generated in
our syslog logs, which will then run rancid to update all of our
devices.
This doc might be worth reading:
http://sourceforge.net/docman/display_doc.php?docid=5332&group_id=25401
Regards,
Will
On 25/05/06, jim bartus wrote:
> Thanks Ed, but I can't find any mention of SEC in that link.
>
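Added example (not part of swatch, SEC or RANCID, and not the poster's own setup): one way to turn the %SYS-5-CONFIG message mentioned above into a list of devices to re-collect, run over constructed syslog lines. It assumes the traditional "Mon DD HH:MM:SS host message" syslog layout and a colon-separated device:type:state router.db; changed_devices and all sample data are hypothetical.

```shell
#!/bin/sh
# Added example, not part of swatch, SEC or RANCID.
# Picks out devices that logged %SYS-5-CONFIG_I and that RANCID already
# knows about, so only those are queued for a new collection.

# Constructed router.db content (assumed layout: device:type:state).
ROUTER_DB='core1.example.net:cisco:up
edge7.example.net:cisco:up
lab-old.example.net:cisco:down'

# Constructed syslog lines (assumed layout: Mon DD HH:MM:SS host message).
SAMPLE_LOG='May 25 19:58:02 core1.example.net 4411: %SYS-5-CONFIG_I: Configured from console by will on vty0 (192.0.2.10)
May 25 19:58:40 core1.example.net 4412: %LINK-3-UPDOWN: Interface Fa0/1, changed state to up
May 25 19:59:13 edge7.example.net 901: %SYS-5-CONFIG_I: Configured from console by jim on vty1 (192.0.2.11)
May 25 19:59:30 core1.example.net 4413: %SYS-5-CONFIG_I: Configured from console by will on vty0 (192.0.2.10)
May 25 20:00:05 rogue.example.org 1: %SYS-5-CONFIG_I: Configured from console by x on vty0 (198.51.100.9)
May 25 20:00:09 lab-old.example.net 77: %SYS-5-CONFIG_I: Configured from console by tom on console'

# changed_devices ROUTER_DB_FILE: reads syslog on stdin and prints each
# known device in state "up" once, in order of first appearance.
changed_devices() {
    awk '
        FILENAME == ARGV[1] {              # first input: router.db
            split($0, f, ":")
            if (f[3] == "up") known[f[1]] = 1
            next
        }
        /%SYS-5-CONFIG_I:/ {               # second input: syslog stream
            host = $4
            # The hostname field comes from the network: accept plain names only.
            if (host !~ /^[A-Za-z0-9._-]+$/) next
            # Classic UDP syslog has no sender authentication, so act only
            # on devices that are already in the inventory.
            if (!(host in known)) next
            if (!seen[host]++) print host  # one trigger per device per batch
        }
    ' "$1" -
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$ROUTER_DB" > "$dir/router.db"
    printf '%s\n' "$SAMPLE_LOG" | changed_devices "$dir/router.db" |
    while IFS= read -r dev; do
        # A real setup would hand $dev to whatever starts the collection.
        echo "config change logged on $dev: queue a RANCID collection"
    done
    rm -rf "$dir"
}

demo
```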
From tck at pretend.net Thu May 25 19:09:52 2006
From: tck at pretend.net (Thomas C. Knoeller)
Date: Thu, 25 May 2006 15:09:52 -0400
Subject: [rancid] no password on cat5
Message-ID: <20060525190952.GA23066@pretend.net>
Howdy,
I have a couple of lab CatOS devices that we do not require a password to log
in to. But in CatOS, I still have to hit return at the "Enter password:" user
prompt to login. How would I represent an empty password for these devices in
the .clogin file?
Thanks,
-Tom
From eravin at panix.com Thu May 25 19:20:01 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 25 May 2006 15:20:01 -0400
Subject: [rancid] Re: post-install, now what?
In-Reply-To:
References:
<20060525155919.GC6833@panix.com>
Message-ID: <20060525192001.GA5041@panix.com>
On Thu, May 25, 2006 at 02:54:38PM -0400, jim bartus wrote:
>
> Thanks Ed, but I can't find any mention of SEC in that link.
And neither can I. I guess I shouldn't believe everything I read.
Here's a mailing list archive with the information that claimed to be
in the FAQ:
http://threebit.net/mail-archive/cisco-nsp/msg00122.html
http://threebit.net/mail-archive/cisco-nsp/msg00053.html
From eravin at panix.com Thu May 25 19:24:51 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 25 May 2006 15:24:51 -0400
Subject: [rancid] Re: no password on cat5
In-Reply-To: <20060525190952.GA23066@pretend.net>
References: <20060525190952.GA23066@pretend.net>
Message-ID: <20060525192451.GB5041@panix.com>
On Thu, May 25, 2006 at 03:09:52PM -0400, Thomas C. Knoeller wrote:
> I have a couple of lab CatOS devices that we do not require a password to log
> in to. But in CatOS, I still have to hit return at the "Enter password:" user
> prompt to login. How would I represent an empty password for these devices in
> the .clogin file?
Have you tried:
add password ROUTERNAME {} {enable-pw}
From tck at pretend.net Thu May 25 19:46:51 2006
From: tck at pretend.net (Thomas C. Knoeller)
Date: Thu, 25 May 2006 15:46:51 -0400
Subject: [rancid] Re: no password on cat5
In-Reply-To: <20060525192451.GB5041@panix.com>
References: <20060525190952.GA23066@pretend.net>
<20060525192451.GB5041@panix.com>
Message-ID: <20060525194651.GB23066@pretend.net>
| Have you tried:
|
| add password ROUTERNAME {} {enable-pw}
Shortly after I sent this, yes. And it worked.
Originally I was trying userpassword like this:
add userpassword ROUTERNAME {}
add password * {user} {enable}
It failed with userpassword both before and after the password line.
But working now. Thanks!
-Tom
From rspeed at gmail.com Thu May 25 22:50:43 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Thu, 25 May 2006 15:50:43 -0700
Subject: [rancid] Re: ignore certain diff's
In-Reply-To: <20060524191407.GA15602@panix.com>
References:
<20060524191407.GA15602@panix.com>
Message-ID:
I assume this isn't an out of the box solution, I'd have to modify the
scripts to actually use the DIFFSUPPRESSOPTS variable? I'm not trying
to sound ungrateful I just want to make sure I read the email
properly.
thanks for all the responses thus far.
On 5/24/06, Ed Ravin wrote:
> On Wed, May 24, 2006 at 09:11:56AM -0700, Ryan Speed wrote:
> > I've got rancid checking a few cisco routers running Callmanager
> > Express which has turned out to be a bit of an annoyance because when
> > people forward their phones I get the diff emails sent out. Before I
> > go hacking away at the scripts could someone suggest an elegant way to
> > add exceptions to the emailing of diffs?
>
> Assuming GNU diff, you could use something like this:
>
> DIFFSUPPRESSOPTS="-b -I '^ntp clock-period [0-9][0-9]*' -I '^! Last configuration change ' -I '^! NVRAM config last updated '"
>
> The above is a fragment from a non-RANCID script I have that manipulates
> the routers. The -I (or --ignore-matching-lines) option specifies patterns
> that diff will ignore if the differences in that line match the specified RE.
>
> I'm sure with judicious use of one or two shell variables, we could have
> settings in rancid.conf to allow various kinds of fine-tuning of the diff
> listing that RANCID mails out.
>
--
><(((?>
Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)
From jlewis at lewis.org Fri May 26 16:22:46 2006
From: jlewis at lewis.org (Jon Lewis)
Date: Fri, 26 May 2006 12:22:46 -0400 (EDT)
Subject: [rancid] Re: [patch] Using diffstat in the output mail
In-Reply-To: <20060523195918.GB70283@partan.com>
References: <20060522102524.GB3474@westend.com>
<20060523195918.GB70283@partan.com>
Message-ID:
On Tue, 23 May 2006, Andrew Partan wrote:
> On Mon, May 22, 2006 at 12:25:24PM +0200, Christian Hammers wrote:
>> I modified the mail output to include the output of diffstat.
>
> diffstat is another package & thus another thing that must be
> installed before running rancid. Is it worth it? Dunno.
I like the idea, and have patched it into our rancid installation. With a
little more work, this could be turned into a configurable option such
that rancid doesn't actually depend on it.
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
From dev at linkdown.org Sun May 28 17:55:00 2006
From: dev at linkdown.org (Bruno Prigent)
Date: Sun, 28 May 2006 19:55:00 +0200
Subject: [rancid] rancid-addons - a RANCID script compilation
Message-ID: <4479E3F4.10806@linkdown.org>
Hi,
I "wrote" a few scripts for rancid (radware support and extended netscreen
support). I decided to make them available to the public (GPL). I called
this rancid-addons.
I kept a reference to the RANCID licence and put the file COPYING.RANCID
in the package.
You can visit my website to download the archive:
English : http://www.linkdown.org/static_rancidaddons_en.html
French : http://www.linkdown.org/fr/static_rancidaddons_fr.html
regards,
Bruno
From heas at shrubbery.net Tue May 30 14:46:39 2006
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 May 2006 07:46:39 -0700
Subject: [rancid] Re: post-install, now what?
In-Reply-To: <20060525155919.GC6833@panix.com>
References:
<20060525155919.GC6833@panix.com>
Message-ID: <20060530144639.GB25876@shrubbery.net>
Thu, May 25, 2006 at 11:59:19AM -0400, Ed Ravin:
> On Thu, May 25, 2006 at 11:45:09AM -0400, jim bartus wrote:
> > I've gotten a trial install of rancid going on my network now checking
> > about 20 devices (all cisco, switches, routers, and two pixes). My
> > question is... now what?
> > For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
> > running config sitting in a tftp root, which made it easy to "copy
> > tftp run" from a device to restore a config. How do you guys address
> > this in rancid?
>
> We don't. RANCID post-processes the config in various ways that improve
> change reporting but lose the original config. For starters, by default
> all passwords get removed from the config so that they don't accidentally
> get emailed out, but there are more subtle transformations: sequence numbers
> get removed, some things get sorted, etc.
What is lost?
From mfreeman at netcogov.com Tue May 30 15:29:14 2006
From: mfreeman at netcogov.com (Freeman, Michael)
Date: Tue, 30 May 2006 10:29:14 -0500
Subject: [rancid] Rancid and a database?
Message-ID:
Has anyone thought of storing the information rancid collects in a
database? I'm mostly interested in Rancid's ability to parse through the
/show diag/ and /show version/ commands on devices and using that data
to generate asset/inventory reports.
From dev at linkdown.org Tue May 30 15:54:05 2006
From: dev at linkdown.org (Bruno Prigent)
Date: Tue, 30 May 2006 17:54:05 +0200
Subject: [rancid] Re: Rancid and a database?
In-Reply-To:
References:
Message-ID: <447C6A9D.7000407@linkdown.org>
A guy in my company wrote perl scripts to parse the rancid CVS and
rancid diff received by email. I don't think those scripts are available
to the public.
I guess the main problem is that the script has to know the grammar of
every device type (cisco, juniper, etc). If the constructor decides to
change the command or implement a command in different ways within
different devices, you have to modify the script.
For inventory (device name, device type, IOS) I use grep/sed/awk when I
need it but I think it's not really reliable. Keep me updated if you
plan to work on something.
Bruno
Freeman, Michael wrote:
> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through the
> /show diag/ and /show version/ commands on devices and using that data
> to generate asset/inventory reports.
From heas at shrubbery.net Tue May 30 15:58:14 2006
From: heas at shrubbery.net (john heasley)
Date: Tue, 30 May 2006 08:58:14 -0700
Subject: [rancid] Re: Rancid and a database?
In-Reply-To:
References:
Message-ID: <20060530155814.GA24954@shrubbery.net>
Tue, May 30, 2006 at 10:29:14AM -0500, Freeman, Michael:
> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through the
> /show diag/ and /show version/ commands on devices and using that data
> to generate asset/inventory reports.
See Joe Abley and Stephen Stuart's NANOG presentation:
http://www.nanog.org/mtg-0210/abley.html
From mfreeman at netcogov.com Tue May 30 16:01:16 2006
From: mfreeman at netcogov.com (Freeman, Michael)
Date: Tue, 30 May 2006 11:01:16 -0500
Subject: [rancid] Re: Rancid and a database?
Message-ID:
Bruno,
I don't think there is any way to get around the problem of the commands
or output changing, so that wouldn't be a new challenge for Rancid. I
don't think I want to parse any CVS information, in fact I'm not even
interested in storing anything in CVS/SVN at this point, probably just
hacking up the routines in the rancid cisco parsing modules to store
data filtered out through the regular expressions and store in a DB
using DBIx::Class.
-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Bruno Prigent
Sent: Tuesday, May 30, 2006 10:54 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Rancid and a database?
A guy in my company wrote perl scripts to parse the rancid CVS and
rancid diff received by email. I don't think those scripts are available
to the public.
I guess the main problem is that the script has to know the grammar of
every device type (cisco, juniper, etc). If the constructor decides to
change the command or implement a command in different ways within
different devices, you have to modify the script.
For inventory (device name, device type, IOS) I use grep/sed/awk when I
need it but I think it's not really reliable. Keep me updated if you
plan to work on something.
Bruno
Freeman, Michael wrote:
> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through
> the /show diag/ and /show version/ commands on devices and using that
> data to generate asset/inventory reports.
From eravin at panix.com Tue May 30 16:04:12 2006
From: eravin at panix.com (Ed Ravin)
Date: Tue, 30 May 2006 12:04:12 -0400
Subject: [rancid] config file postprocessing (was: post-install, now what?)
In-Reply-To: <20060530144639.GB25876@shrubbery.net>
References:
<20060525155919.GC6833@panix.com>
<20060530144639.GB25876@shrubbery.net>
Message-ID: <20060530160412.GA8787@panix.com>
On Tue, May 30, 2006 at 07:46:39AM -0700, john heasley wrote:
> Thu, May 25, 2006 at 11:59:19AM -0400, Ed Ravin:
> > On Thu, May 25, 2006 at 11:45:09AM -0400, jim bartus wrote:
> > > For instance, in my old setup (pancho/snmp/tftp based) I had a copy of
> > > running config sitting in a tftp root, which made it easy to "copy
> > > tftp run" from a device to restore a config. How do you guys address
> > > this in rancid?
> >
> > We don't. RANCID post-processes the config in various ways that improve
> > change reporting but lose the original config. For starters, by default
> > all passwords get removed from the config so that they don't accidentally
> > get emailed out, but there are more subtle transformations: sequence numbers
> > get removed, some things get sorted, etc.
>
> What is lost?
If passwords are left in the config, almost nothing. The biggest complaint
I recall seeing is below, from a post to rancid-discuss a year ago:
> I also have several ACL's that are optimized by packet hits given the
> large amount of traffic and RANCID sorts those as well. So these aren't
> necessarily functional problems so much as performance and audit issues. I
> suppose I can hack up the script to turn this off, but I'd imagine other
> people might possibly run into the same problem. Thanks,
My point was that even though functionality is the same, the config isn't.
And though the differences caused by RANCID's processing almost never
matter, sometimes, like in the case above, it does. If you have
an auditor looking over your shoulder asking if the router configs
are properly backed up (as the author of the quote above did), you're
put in the position of defending RANCID's changes to the config, as
the auditor is understandably going to ask why the alleged backups
in RANCID don't exactly match the config file on the router.
Another issue that might occur when using RANCID as your primary backup
to the router configuration - the RANCID files are much larger than
the original config file, due to all the helpful comments inserted
by RANCID showing things like the hardware status or directory listings.
Depending on the size of the NVRAM and your disaster recovery plan, you
might try to restore a router with a config that won't fit until you
trim down the comments.
-- Ed
From randy at psg.com Tue May 30 16:42:53 2006
From: randy at psg.com (Randy Bush)
Date: Tue, 30 May 2006 06:42:53 -1000
Subject: [rancid] Re: Rancid and a database?
References:
<447C6A9D.7000407@linkdown.org>
Message-ID: <17532.30221.956303.990602@roam.psg.com>
> Has anyone thought of storing the information rancid collects in a
> database? I'm mostly interested in Rancid's ability to parse through the
> /show diag/ and /show version/ commands on devices and using that data
> to generate asset/inventory reports.
look at nick's rcc. digests juniper and cisco into mysql and allows
you to run over that.
http://www.nanog.org/mtg-0405/feamster.html
randy
From mstefani at redhat.com Tue May 30 17:42:30 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Tue, 30 May 2006 19:42:30 +0200
Subject: [rancid] Re: config file postprocessing
In-Reply-To: <20060530160412.GA8787@panix.com>
References: <20060525155919.GC6833@panix.com> <20060530144639.GB25876@shrubbery.net>
<20060530160412.GA8787@panix.com>
Message-ID: <447C8406.1020200@redhat.com>
Ed Ravin wrote:
>>I also have several ACL's that are optimized by packet hits given the
>>large amount of traffic and RANCID sorts those as well. So these aren't
>>necessarily functional problems so much as performance and audit issues. I
>>suppose I can hack up the script to turn this off, but I'd imagine other
>>people might possibly run into the same problem. Thanks,
Was there a solution for this? Like a patch that makes this configurable
or disables it?
Removing passwords and SNMP community strings isn't a problem in the
case of the recovery of a network device. Of course only if properly
documented; there is other information that isn't in the config file
anyway like VLAN and VTP infos.
But the sorting of the ACLs is, as information is lost without any
possibility to recover it. Ranging from a performance issue to "damn
this ACL looks weird" effect when looking on the router. Though this
resorting can be mitigated by heavy use of comments in the ACLs thus
breaking big blocks of permit or deny rules into smaller chunks. But
still I would prefer to have the ACLs as is.
> My point was that even though functionality is the same, the config isn't.
> And though the differences caused by RANCID's processing almost never
> matter, sometimes, like in the case above, it does. If you have
> an auditor looking over your shoulder asking if the router configs
> are properly backed up (as the author of the quote above did), you're
> put in the position of defending RANCID's changes to the config, as
> the auditor is understandably going to ask why the alleged backups
> in RANCID don't exactly match the config file on the router.
>
> Another issue that might occur when using RANCID as your primary backup
Isn't that the main use of RANCID?
> the original config file, due to all the helpful comments inserted
> by RANCID showing things like the hardware status or directory listings.
> Depending on the size of the NVRAM and your disaster recovery plan, you
> might try to restore a router with a config that won't fit until you
> trim down the comments.
IMHO this shouldn't really be a problem, quite the opposite: the comments
contain useful information like VTP and VLAN setup that might not be
saved in the config. And trimming the comments at the beginning
is/should be an easy task for an automated process or a human.
bye
michael
--
Michael Stefaniuc Tel.: +49-711-96437-199
Sr. Network Engineer Fax.: +49-711-96437-111
Red Hat GmbH Email: mstefani at redhat.com
Hauptstaetterstr. 58 http://www.redhat.de/
D-70178 Stuttgart
From chris at siliconhotrod.com Tue May 30 19:24:44 2006
From: chris at siliconhotrod.com (Chris Moody)
Date: Tue, 30 May 2006 12:24:44 -0700
Subject: [rancid] rancid use scenarios
Message-ID: <447C9BFC.8040509@siliconhotrod.com>
I'm currently using rancid for backups of a handful of devices (83 to be
exact) and love it. Our group has used it on numerous occasions to prove
when changes did/didn't occur.
At any rate, I'm needing some usage scenarios to help me sell the
concept to a larger audience at my office. We have another team that is
responsible for several hundred nodes and has nothing like rancid in
place. I'm planning to get them using the service, but need more
"weight" in selling the idea to them.
What are some of the largest deployments of rancid (also anyone willing
to give contact info to vouch for their numbers?)? Anyone have
experience in enterprise scale usage? Any caveats? Any tips?
Any insights and stories are appreciated. If I can demonstrate that the
tool(s) can reliably handle a large load of devices, the widespread
usage may become a reality instead of just my recommendation.
Cheers,
-Chris
From azhang at StanfordEagle.com Tue May 30 21:31:57 2006
From: azhang at StanfordEagle.com (Zhang, Anchi)
Date: Tue, 30 May 2006 16:31:57 -0500
Subject: [rancid] Re: rancid use scenarios
Message-ID: <7E8497ADB180D24CB13C804F22714A920192EB0B@SFG-HOU-MAILV1.stanford.sfgc.com>
Have you tried to change passwords/enable secrets on hundreds of Cisco
devices without Rancid after a group member leaves? At my previous job,
there were more than 500 Cisco devices and I was the only one versed in
Unix/Rancid. As a result, I was asked to run my shell/clogin script to
change the passwords on my LAST day.
Rancid should be deployed if there are more than 10 network devices just
as Cfengine should be deployed for an installation of more than 10
Unix/Linux nodes.
-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Chris Moody
Sent: Tuesday, May 30, 2006 2:25 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] rancid use scenarios
I'm currently using rancid for backups of a handful of devices (83 to be
exact) and love it. Our group has used it on numerous occasions to prove
when changes did/didn't occur.
At any rate, I'm needing some usage scenarios to help me sell the
concept to a larger audience at my office. We have another team that is
responsible for several hundred nodes and has nothing like rancid in
place. I'm planning to get them using the service, but need more
"weight" in selling the idea to them.
What are some of the largest deployments of rancid (also anyone willing
to give contact info to vouch for their numbers?)? Anyone have
experience in enterprise scale usage? Any caveats? Any tips?
Any insights and stories are appreciated. If I can demonstrate that the
tool(s) can reliably handle a large load of devices, the widespread
usage may become a reality instead of just my recommendation.
Cheers,
-Chris
From rancid at veggiechinese.net Tue May 30 22:31:34 2006
From: rancid at veggiechinese.net (William Yardley)
Date: Tue, 30 May 2006 15:31:34 -0700
Subject: [rancid] CSS problems
Message-ID: <20060530223134.GB29392@mitch.veggiechinese.net>
Running rancid 2.3 on Linux (RHEL 3).
Logging into two Cisco CSS 11503s seems to work fine, but it doesn't
seem to actually execute any commands. I tried upgrading to 2.3.2a4, but
no dice still.
Setting "expert" mode (in the CSS's user profile) doesn't seem to help.
Neither does changing the hostname to be lower case. Anything obvious I
should try?
Expect is v5.38.0
(from the .raw file)
Connected to css1.
Escape character is '^]'.
User Access Verification
Username:XXXXXX
Password:
CSS1#
Error: TIMEOUT reached
(it seems to just sit there after getting to a prompt, but login works
Ok)
from the command line (cssrancid):
executing clogin -t 90 -c"term length 65535;copy profile user-profile;show version;show boot;show run" css1
css1 clogin error: Error: TIMEOUT reached
css1 clogin error: Error: TIMEOUT reached
css1: missed cmd(s): term length 65535,show run,show version,copy
profile user-profile,show boot
css1: missed cmd(s): term length 65535,show run,show version,copy
profile user-profile,show boot
css1: End of run not found
css1: End of run not found
!
From morty at frakir.org Wed May 31 06:16:05 2006
From: morty at frakir.org (Mordechai T. Abzug)
Date: Wed, 31 May 2006 02:16:05 -0400
Subject: [rancid] Re: rancid use scenarios
In-Reply-To: <447C9BFC.8040509@siliconhotrod.com>
References: <447C9BFC.8040509@siliconhotrod.com>
Message-ID: <20060531061604.GJ13315@red-sonja.frakir.org>
On Tue, May 30, 2006 at 12:24:44PM -0700, Chris Moody wrote:
> At any rate, I'm needing some usage scenarios to help me sell the
> concept to a larger audience at my office. We have another team
> that is responsible for several hundred nodes and has nothing like
> rancid in place. I'm planning to get them using the service, but
> need more "weight" in selling the idea to them.
> What are some of the largest deployments of rancid (also anyone
> willing to give contact info to vouch for their numbers?)? Anyone
> have experience in enterprise scale usage? Any caveats? Any tips?
We have 350+ nodes in rancid. We have a number of smaller management
domains rather than one massive implementation; the largest domain has
125 rancid-monitored nodes. rancid is relatively lightweight,
especially if you tune down the number of parallel gets, so we run it
as an extra process on existing NMS stations. It also requires almost
no space, thanks to using CVS; from a resource consumption
perspective, it actually scales lots better than some commercial
equivalents.
If you are located in the US, regardless of your feelings, chances are
that you need rancid or something like it for legal compliance --
between SOX, FISMA, and HIPAA, most commercial and government entities
need lots of monitoring. If you don't think you need it now, but you
are subject to any kind of auditing and haven't been audited yet, do
yourself a favor and implement it now.
Quite aside from legal issues, tools like rancid are great for lots of
real-life reasons. They are good for:
* detecting surprise changes ("when did that change occur? Sure would
be nice to have an automated tool to tell us when someone makes a
change in the middle of the night and forgets to send email");
* security monitoring of routers ("where did that permissive ACL come
from? Sure would be nice if a tool could tell us what changes
occurred on routers, so if anything suspicious happens, we can know
immediately instead of when it ends up in the media");
* exercising router flashes ("Whoops, the flash went bad but the
device continued to function in-memory, so nobody noticed until a
power outage. Sure would be nice if we had a tool that periodically
logged in to devices and ran a bunch of commands that demonstrate
that it is working well");
* backing up configs ("Our last manual backup of the router config was
5 years ago; we've upgraded it twice, and added lots of ACLs since
then. Wouldn't an automated way to get config backups make sense?")
If your people are against freeware, or want "Enterprise" features,
there are COTS tools that do more than rancid out of the box, or at
least satisfy management desire for a commercial provider. Opsware
NAS is particularly studly; it will automatically go out when config
change events are reported via syslog, grab the latest update, and
tell you who did the change (if available). It can get asset and
module information. It can do "policy compliance." It can integrate
with HP OV NNM and other products. Of course, Opsware costs mucho
dinero and requires beefy hardware, while you can set up a reasonable
rancid setup using an old PC and no commercial software.
If you are a single-vendor shop (i.e. all Cisco, or all Nortel, or all
Juniper, etc.), your vendor may provide/sell you an element manager
(CiscoWorks, Optivity, JunOScope, etc.) that includes rancid-like
functionality. Unfortunately, it will be specific to said vendor. If
you are or might become heterogeneous, rancid or another vendor-neutral
package is a good call.
- Morty
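Added example (not part of the thread and not rancid's own code): the "where did that permissive ACL come from?" use case above, as a check run over two saved revisions of a device config. The config snapshots, the function name and the assumption of IOS-style ACL syntax are constructed for illustration.

```python
import difflib
import re

# Constructed snapshots (not from the thread): two revisions of one device's
# saved config, as a collector like rancid would keep them in CVS.
OLD = """hostname edge1
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any log
access-list 101 permit udp host 192.0.2.10 any eq 161
"""
NEW = """hostname edge1
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit ip any any
 deny ip any any log
access-list 101 permit udp host 192.0.2.10 any eq 161
access-list 101 permit tcp any any eq 23
"""

NAMED = re.compile(r"^ip access-list \S+ (\S+)")     # start of a named ACL block
NUMBERED = re.compile(r"^access-list (\S+) (.+)")    # one-line numbered entry
WIDE = re.compile(r"^(?:\d+ )?permit \S+ any any\b")  # any source, any destination

def added_permissive_acl_lines(old, new):
    """Return (acl, entry) for each any-to-any permit that is only in `new`."""
    findings, acl = [], None
    for line in difflib.ndiff(old.splitlines(), new.splitlines()):
        tag, text = line[:2], line[2:]
        if tag in ("- ", "? "):
            continue  # removed lines and diff hints are not part of `new`
        if NAMED.match(text):
            acl = NAMED.match(text).group(1)
            continue
        numbered = NUMBERED.match(text)
        if numbered:
            acl, name, entry = None, numbered.group(1), numbered.group(2)
        elif acl and text.startswith(" "):
            name, entry = acl, text.strip()
        else:
            acl = None  # any other top-level line ends the ACL block
            continue
        if tag == "+ " and WIDE.match(entry):
            findings.append((name, entry))
    return findings

if __name__ == "__main__":
    for name, entry in added_permissive_acl_lines(OLD, NEW):
        print(f"ACL {name}: new any-to-any permit: {entry}")
```

Walking the whole new config rather than only the changed lines is what lets each added entry be attributed to the named ACL it sits in.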
From saku+rancid at ytti.fi Wed May 31 06:26:08 2006
From: saku+rancid at ytti.fi (Saku Ytti)
Date: Wed, 31 May 2006 09:26:08 +0300
Subject: [rancid] Re: rancid use scenarios
In-Reply-To: <447C9BFC.8040509@siliconhotrod.com>
References: <447C9BFC.8040509@siliconhotrod.com>
Message-ID: <20060531062608.GA30763@mx.ytti.net>
On (2006-05-30 12:24 -0700), Chris Moody wrote:
> What are some of the largest deployments of rancid (also anyone willing
> to give contact info to vouch for their numbers?)? Anyone have
> experience in enterprise scale usage? Any caveats? Any tips?
% LC_ALL=C;find -name "router.db"|xargs wc -l|tail -n 1
6163 total
Works for us, 1700 of these are collected every 4h, rest once a week.
Several hardware vendors (~7 vendors), including support for telco systems
(binos) and corecess that we've added in-house (happy to provide if needed).
--
++ytti
From rspeed at gmail.com Wed May 31 16:11:43 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Wed, 31 May 2006 09:11:43 -0700
Subject: [rancid] Re: rancid use scenarios
In-Reply-To: <20060531061604.GJ13315@red-sonja.frakir.org>
References: <447C9BFC.8040509@siliconhotrod.com>
<20060531061604.GJ13315@red-sonja.frakir.org>
Message-ID:
rancid just found its director of marketing methinks ;)
On 5/30/06, Mordechai T. Abzug wrote:
> On Tue, May 30, 2006 at 12:24:44PM -0700, Chris Moody wrote:
>
> We have 350+ nodes in rancid. We have a number of smaller management
> domains rather than one massive implementation; the largest domain has
> 125 rancid-monitored nodes. rancid is relatively lightweight,
> especially if you tune down the number of parallel gets, so we run it
> as an extra process on existing NMS stations. It also requires almost
> no space, thanks to using CVS; from a resource consumption
> perspective, it actually scales lots better than some commercial
> equivalents.
>
> If you are located in the US, regardless of your feelings, chances are
> that you need rancid or something like it for legal compliance --
> between SOX, FISMA, and HIPAA, most commercial and government entities
> need lots of monitoring. If you don't think you need it now, but you
> are subject to any kind of auditing and haven't been audited yet, do
> yourself a favor and implement it now.
>
> Quite aside from legal issues, tools like rancid are great for lots of
> real-life reasons. They are good for:
>
> * detecting surprise changes ("when did that change occur? Sure would
> be nice to have an automated tool to tell us when someone makes a
> change in the middle of the night and forgets to send email");
>
> * security monitoring of routers ("where did that permissive ACL come
> from? Sure would be nice if a tool could tell us what changes
> occurred on routers, so if anything suspicious happens, we can know
> immediately instead of when it ends up in the media");
>
> * exercising router flashes ("Whoops, the flash went bad but the
> device continued to function in-memory, so nobody noticed until a
> power outage. Sure would be nice if we had a tool that periodically
> logged in to devices and ran a bunch of commands that demonstrate
> that it is working well");
>
> * backing up configs ("Our last manual backup of the router config was
> 5 years ago; we've upgraded it twice, and added lots of ACLs since
> then. Wouldn't an automated way to get config backups make sense?")
>
> If your people are against freeware, or want "Enterprise" features,
> there are COTS tools that do more than rancid out of the box, or at
> least satisfy management desire for a commercial provider. Opsware
> NAS is particularly studly; it will automatically go out when config
> change events are reported via syslog, grab the latest update, and
> tell you who did the change (if available). It can get asset and
> module information. It can do "policy compliance." It can integrate
> with HP OV NNM and other products. Of course, Opsware costs mucho
> dinero and requires beefy hardware, while you can set up a reasonable
> rancid setup using an old PC and no commercial software.
>
> If you are a single-vendor shop (i.e. all Cisco, or all Nortel, or all
> Juniper, etc.), your vendor may provide/sell you an element manager
> (CiscoWorks, Optivity, JunOScope, etc.) that includes rancid-like
> functionality. Unfortunately, it will be specific to said vendor. If
> you are or might become heterogeneous, rancid or another vendor-neutral
> package is a good call.
>
> - Morty
--
><(((?>
Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)