From avram at juniper.net Sat Jan 12 21:05:50 2002
From: avram at juniper.net (Avram Dorfman)
Date: Sat, 12 Jan 2002 13:05:50 -0800
Subject: automating non-config actions?
Message-ID:

Has anyone thought about modifying rancid to make it a batch utility for executing arbitrary actions on lots of routers?

I'd like to be able to write simple expect scripts to accomplish a task, like "show route" or "clear route forwarding-table x/y x.x.x.x" and then roll it out to a whole list of routers.

The main difference I'm looking for is
- a switch to turn off all the diffing and cvs
- direct the logging to somewhere besides the config directory
- specify the action script on the command line.

This way, I could leverage all of rancid's router.db and vendor specific login knowledge, to get a more general utility.

In particular, what I really want to do is build a script to *install* a batch of configs from the archive on a series of routers. I would use this in a lab environment to quickly restore a bunch of routers to arbitrary past lab scenarios that people have built. I would also then use it to run tests & show commands against the scenario, and store them for later reference.

I'm getting ready to hack this up myself. But if anyone has done something like this already, perhaps I can leverage your work. Either way, I'd like to know how many people are interested in this capability, so I can decide to what extent it's worth the effort of doing it professionally from the get-go, instead of quick-and-dirty.

-Avram

From avram at juniper.net Sat Jan 12 21:05:50 2002
From: avram at juniper.net (Avram Dorfman)
Date: Sat, 12 Jan 2002 13:05:50 -0800
Subject: the cleartext password issue
Message-ID:

Hello Everyone,

I've dealt with rancid-style packages for a while that I home-grew, before rancid came along, so I've faced this annoying clear-text password in a file issue many times before.
One way that I've considered handling it (although never actually implemented) is this:

Encrypt the password file, but rather than storing that key in a file, have a "daemon" process that you have to launch manually, which prompts for it. Then this process would simply keep it in memory, and be responsible for doing all the sensitive stuff.

I never implemented it for two reasons: 1) I couldn't think of a way to still get the scheduling benefits of cron, while having this process be the one that does everything, and 2) if someone hacks into the rancid user's account after an operator has manually launched the daemon, he could still subvert the process by mucking with the config files to direct rancid to login to a trojan horse, and steal the password there. Thus, the limiting factor is still the ability to become the rancid user.

But I thought I'd throw it out there in case anyone else can expand on it for a real solution.

-Avram

From asp at partan.com Sat Jan 12 22:06:33 2002
From: asp at partan.com (Andrew Partan)
Date: Sat, 12 Jan 2002 17:06:33 -0500
Subject: automating non-config actions?
In-Reply-To: ; from avram@juniper.net on Sat, Jan 12, 2002 at 01:05:50PM -0800
References:
Message-ID: <20020112170633.A7639@partan.com>

On Sat, Jan 12, 2002 at 01:05:50PM -0800, Avram Dorfman wrote:
> Has anyone thought about modifying rancid to make it a batch
> utility for executing arbitrary actions on lots of routers?

Look at clogin - it already does a lot of what you want.
	--asp

From heas at shrubbery.net Sat Jan 12 22:34:25 2002
From: heas at shrubbery.net (john heasley)
Date: Sat, 12 Jan 2002 14:34:25 -0800
Subject: automating non-config actions?
In-Reply-To: <20020112170633.A7639@partan.com>; from asp@partan.com on Sat, Jan 12, 2002 at 05:06:33PM -0500
References: <20020112170633.A7639@partan.com>
Message-ID: <20020112143425.I21650@shrubbery.net>

Sat, Jan 12, 2002 at 05:06:33PM -0500, Andrew Partan:
> On Sat, Jan 12, 2002 at 01:05:50PM -0800, Avram Dorfman wrote:
> > Has anyone thought about modifying rancid to make it a batch
> > utility for executing arbitrary actions on lots of routers?
>
> Look at clogin - it already does a lot of what you want.
> --asp

btw, clogin is cisco (more or less) specific at this point. a simple shell script would whack that for you. eg:

cd /usr/local/rancid
for router in `cat */router.db`
do
    # split the router.db line (name:vendor:state) into $1 $2 $3
    oldFS=$IFS
    IFS=:
    set $router
    IFS=$oldFS

    if [ "$3" = "up" ] ; then
        if [ "$2" = "juniper" ] ; then
            jlogin -s jnx_script $1
        else
            clogin -s cisco_script $1
        fi
    fi
done

From avram at juniper.net Sat Jan 12 22:39:28 2002
From: avram at juniper.net (Avram Dorfman)
Date: Sat, 12 Jan 2002 14:39:28 -0800
Subject: automating non-config actions?
Message-ID:

I did see that. -s will cover the arbitrary script task I've suggested.

The grouping and parallel processing done by do-diffs, control_rancid, and par, look like they would need to be hacked to support the -s option of the *login scripts, with the more flexible batch functionality that they provide, rather than manually listing every router using *login -r. But a lot of the checking & emailing control_rancid does sort of doesn't make sense to do for non-config collecting, or in an interactive environment.

My apologies for not really specifying my intent clearly.

Thanks,
-Avram

> -----Original Message-----
> From: Andrew Partan [mailto:asp at partan.com]
> Sent: Saturday, January 12, 2002 5:07 PM
> To: Avram Dorfman
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: automating non-config actions?
>
>
> On Sat, Jan 12, 2002 at 01:05:50PM -0800, Avram Dorfman wrote:
> > Has anyone thought about modifying rancid to make it a batch
> > utility for executing arbitrary actions on lots of routers?
>
> Look at clogin - it already does a lot of what you want.
> --asp
>

From avram at juniper.net Sat Jan 12 22:44:46 2002
From: avram at juniper.net (Avram Dorfman)
Date: Sat, 12 Jan 2002 14:44:46 -0800
Subject: automating non-config actions?
Message-ID:

Yup. I think I'll steal the group code, and work in par. I was thinking about building this back into control_rancid & do_diffs, but it will probably be quicker just to make a new script.

Thanks,
-Avram

> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Saturday, January 12, 2002 5:34 PM
> To: Avram Dorfman
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: automating non-config actions?
>
>
> Sat, Jan 12, 2002 at 05:06:33PM -0500, Andrew Partan:
> > On Sat, Jan 12, 2002 at 01:05:50PM -0800, Avram Dorfman wrote:
> > > Has anyone thought about modifying rancid to make it a batch
> > > utility for executing arbitrary actions on lots of routers?
> >
> > Look at clogin - it already does a lot of what you want.
> > --asp
>
> btw, clogin is cisco (more or less) specific at this point. a simple
> shell script would whack that for you.
> eg:
>
> cd /usr/local/rancid
> for router in `cat */router.db`
> do
>     oldFS=$IFS
>     IFS=:
>     set $router
>     IFS=$oldFS
>
>     if [ "$3" = "up" ] ; then
>         if [ "$2" = "juniper" ] ; then
>             jlogin -s jnx_script $1
>         else
>             clogin -s cisco_script $1
>         fi
>     fi
> done
>

From heas at shrubbery.net Sat Jan 12 22:59:39 2002
From: heas at shrubbery.net (john heasley)
Date: Sat, 12 Jan 2002 14:59:39 -0800
Subject: the cleartext password issue
In-Reply-To: ; from avram@juniper.net on Sat, Jan 12, 2002 at 01:05:50PM -0800
References:
Message-ID: <20020112145939.K21650@shrubbery.net>

Sat, Jan 12, 2002 at 01:05:50PM -0800, Avram Dorfman:
> Hello Everyone,
>
> I've dealt with rancid-style packages for a while that I home-grew, before rancid came along, so I've faced this annoying clear-text password in a file issue many times before.
>
> One way that I've considered handling it (although never actually implemented) is this:
>
> Encrypt the password file, but rather than storing that key in a file, have a "daemon" process that you have to launch manually, which prompts for it. Then this process would simply keep it in memory, and be responsible for doing all the sensitive stuff.
>
> I never implemented it for two reasons: 1) I couldn't think of a way to still get the scheduling benefits of cron, while having this process be the one that does everything, and 2) if someone hacks into the rancid user's account after an operator has manually launched the daemon, he could still subvert the process by mucking with the config files to direct rancid to login to a trojan horse, and steal the password there. Thus, the limiting factor is still the ability to become the rancid user.
>
> But I thought I'd throw it out there in case anyone else can expand on it for a real solution.
>
> -Avram

this is the 2nd largest cost of automation and i have not been able to come up with a viable solution.
if you have a daemon and someone hacks root or an account in group kmem, it is possible to look through memory and extract the password. or that daemon dumps a core in some world readable area ... and so on. protecting the rancid user's area and .cloginrc along with the unix box itself are the best methods.

we still would like to add something like {} as a possible password token which would cause *login to prompt the user. allowing a .cloginrc to be shared among many users, but which contains no actual passwords. which would also be helpful for secure_id logins.

it would be nice if all vendors did AAA and had a priv level that could look at everything, but not modify. then rancid would not need write privs. i believe this is possible on juniper with a local user definition and may be possible with AAA via radius. of course, the user making automated config changes still has privs ...

From jlewis at packetnexus.com Sat Jan 12 23:05:43 2002
From: jlewis at packetnexus.com (Jason Lewis)
Date: Sat, 12 Jan 2002 18:05:43 -0500
Subject: automating non-config actions?
In-Reply-To:
Message-ID: <00b301c19bbd$aa30e5a0$4d78a8c0@spinalcord>

Have you looked at these?

MRAT - http://cisco.nothingnet.com/
Pancho - http://pancho.lunarmedia.net/

jas

From nicolas.strina at smart-telecom.ch Thu Jan 17 16:19:19 2002
From: nicolas.strina at smart-telecom.ch (Nicolas STRINA)
Date: 17 Jan 2002 17:19:19 +0100
Subject: Oops
Message-ID: <1011284359.3634.126.camel@onyx.vtx.ch>

Hello,

I just installed Rancid on my tool box. So actually I have a problem. I am able to log on the router and to exec some commands but the logs are giving me this output:

Getting missed routers: round 4.
!ROM Bootstrap: Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
ir00.pul.lsn.fe0-0.vtxnet.ch: missed cmd(s): show diagbus,write term,dir /all bootflash:,show env all,show controllers cbus,dir /all nvram:,show module,dir /all sup-bootflash:,show c7200,show variables boot,show flash,show vlan,dir /all slot0:,show install active,dir /all slot1:,show boot,show diag,show controllers,show gsr chassis,dir /all sup-microcode:,dir /all disk0:,dir /all disk1:,show bootvar,show vtp status
ir00.pul.lsn.fe0-0.vtxnet.ch: End of run not found

For sure on the version of CISCO I am running I don't have these parameters enabled or this hardware present on my router.

My question:

Is the config saved? Where can I find it on my box? Is it normal?

Thanks to let me know.

Regards,

Nicolas

--
----------------------------------------
STRINA Nicolas
IP Network Manager
VTX Services - Internet Service Provider
Av. de Lavaux 101 CH-1009 Pully
nicolas.strina at smart-telecom.ch
http://www.vtx.ch
----------------------------------------

From heas at shrubbery.net Thu Jan 17 17:42:22 2002
From: heas at shrubbery.net (john heasley)
Date: Thu, 17 Jan 2002 17:42:22 +0000
Subject: Oops
In-Reply-To: <1011284359.3634.126.camel@onyx.vtx.ch>; from nicolas.strina@smart-telecom.ch on Thu, Jan 17, 2002 at 05:19:19PM +0100
References: <1011284359.3634.126.camel@onyx.vtx.ch>
Message-ID: <20020117174222.D19370@shrubbery.net>

Thu, Jan 17, 2002 at 05:19:19PM +0100, Nicolas STRINA:
> Hello,
>
> I just installed Rancid on my tool box. So actually I have a problem.
> I am able to log on the router and to exec some commands but the logs
> are giving me this output:
>
> Getting missed routers: round 4.
> !ROM Bootstrap: Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE
> (fc1)
> ir00.pul.lsn.fe0-0.vtxnet.ch: missed cmd(s): show diagbus,write term,dir
> /all bootflash:,show env all,show controllers cbus,dir /all nvram:,show
> module,dir /all sup-bootflash:,show c7200,show variables boot,show
> flash,show vlan,dir /all slot0:,show install active,dir /all slot1:,show
> boot,show diag,show controllers,show gsr chassis,dir /all
> sup-microcode:,dir /all disk0:,dir /all disk1:,show bootvar,show vtp
> status
> ir00.pul.lsn.fe0-0.vtxnet.ch: End of run not found
>
> For sure on the version of CISCO I am running I don't have these
> parameters enabled or this hardware present on my router.
>
> My question:
>
> Is the config saved? Where can I find it on my box? Is it normal?

the second line above (!ROM...) is the last line output by rancid, collected from show version in this case. so, it is logging in and at least starting collection of the router data. please see the FAQ (http://www.shrubbery.net/rancid/FAQ) for hints on how to debug this. if you still have trouble, drop another email.

> Thanks to let me know.
>
> Regards,
>
> Nicolas
>
> --
> ----------------------------------------
> STRINA Nicolas
> IP Network Manager
> VTX Services - Internet Service Provider
> Av. de Lavaux 101 CH-1009 Pully
> nicolas.strina at smart-telecom.ch
> http://www.vtx.ch
> ----------------------------------------

From jrivel at dti.net Thu Jan 24 19:44:21 2002
From: jrivel at dti.net (Josh Rivel)
Date: Thu, 24 Jan 2002 14:44:21 -0500
Subject: problem with Cat6000's
Message-ID: <20020124194421.GA17157@dti.net>

Hi. I'm using rancid-2.2 on an OpenBSD 3.0 box, tcl/tk 8.3.3, expect 5.24. Works fine for my various Foundrys and IOS devices (2500s, 4000s, 7200s, etc.) However, on the switch side of the 6500s (a 6506 and 6509), and also on a 2980, I get the following in my log files:

starting: Thu Jan 24 14:16:24 EST 2002

Trying to get all of the configs.
cat6506: End of run not found
end
cat6509: End of run not found
end
cat2980 End of run not found
end
=====================================

etc. a clogin -c "cmd1;cmd2" switch-name works fine, no errors.

I saw the same thing when I was running rancid-2.1 on Solaris 2.6, figured upgrading to OpenBSD, newer versions of rancid and expect would solve the problem, but it remains.

The prompt on the switches is:
switchname>
and
switchname> (enable)
when in enabled mode.

All the switches are running IOS which uses SSH, I am running OpenSSH 3.0.2

The only relevant lines in the .cloginrc are:
add method cat650* ssh
add method cat2980* ssh
and
add cyphertype * {3des}

Thanks.

Here's the output of clogin -s "show version" to one of the switches:

$ clogin -c "show ver" cat6509
cat6509
spawn ssh -c 3des -x -l rancid cat6509
rancid at cat6509's password:

Cisco Systems Console

cat6509> enable
Enter password:
cat6509> (enable)
cat6509> (enable) set length 0
Screen length for this session set to 0.
cat6509> (enable) show ver
WS-C6509 Software, Version NmpSW: 7.1(1)
Copyright (c) 1995-2001 by Cisco Systems
NMP S/W compiled on Nov 30 2001, 17:24:31

System Bootstrap Version: 5.3(1)

Hardware Version: 2.0  Model: WS-C6509  Serial #: SCA0349028V

PS1  Module: WS-CAC-1300W    Serial #: ACP03451461
PS2  Module: WS-CAC-1300W    Serial #: ACP03430209

Mod Port Model               Serial #    Versions
--- ---- ------------------- ----------- --------------------------------------
1   2    WS-X6K-SUP1A-2GE    SAD03411160 Hw : 3.4
                                         Fw : 5.3(1)
                                         Fw1: 5.4(2)
                                         Sw : 7.1(1)
                                         Sw1: 7.1(1)
         WS-F6K-PFC          SAD03430164 Hw : 1.1
2   48   WS-X6248-RJ-45      SAD040102MV Hw : 1.1
                                         Fw : 4.2(0.24)VAI78
                                         Sw : 7.1(1)
3   48   WS-X6248-RJ-45      SAD040102T4 Hw : 1.1
                                         Fw : 4.2(0.24)VAI78
                                         Sw : 7.1(1)
15  1    WS-F6K-MSFC         SAD03427681 Hw : 2.1
                                         Fw : 12.0(7)XE1,
                                         Sw : 12.0(7)XE1,

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      65408K  45434K  19974K  16384K  9896K   6488K   512K  296K  216K

Uptime is 27 days, 23 hours, 14 minutes
cat6509> (enable)Connection to cat6509 closed by remote host.
Connection to cat6509 closed.

--
josh

From terry at tmk.com Sun Jan 27 06:36:38 2002
From: terry at tmk.com (Terry Kennedy)
Date: Sun, 27 Jan 2002 01:36:38 -0500 (EST)
Subject: problem with Cat6000's
Message-ID: <01KDJQZU6ZJ88WWBJ9@tmk.com>

This is apparently a problem with the SSH implementation in CatOS - when RANCID says "exit", the switch closes the connection before echoing the exit command, which causes the script to not see that things completed properly. The following diff shows a fix to cat5rancid to deal with this. Note that your line numbers will be different - I have other unrelated changes.

***************
*** 1051,1056 ****
--- 1050,1060 ----
  TOP: while() {
      tr/\015//d;
      if (/> \(enable\) ?exit$/) {
+         $clean_run=1;
+         last;
+     }
+     # CatOS SSH client stomps on the "exit" command echo...
+     if (/> \(enable\)*Connection*/) {
          $clean_run=1;
          last;
      }

	Terry Kennedy		http://www.tmk.com
	terry at tmk.com		New York, NY USA

From heas at shrubbery.net Mon Jan 28 01:14:31 2002
From: heas at shrubbery.net (john heasley)
Date: Mon, 28 Jan 2002 01:14:31 +0000
Subject: problem with Cat6000's
In-Reply-To: <01KDJQZU6ZJ88WWBJ9@tmk.com>; from terry@tmk.com on Sun, Jan 27, 2002 at 01:36:38AM -0500
References: <01KDJQZU6ZJ88WWBJ9@tmk.com>
Message-ID: <20020128011431.B23341@shrubbery.net>

josh, please report this to cisco. make them fix their stuff.

cat6509> (enable) show ver
WS-C6509 Software, Version NmpSW: 7.1(1)
Copyright (c) 1995-2001 by Cisco Systems
NMP S/W compiled on Nov 30 2001, 17:24:31

System Bootstrap Version: 5.3(1)

Sun, Jan 27, 2002 at 01:36:38AM -0500, Terry Kennedy:
> This is apparently a problem with the SSH implementation in CatOS - when
> RANCID says "exit", the switch closes the connection before echoing the
> exit command, which causes the script to not see that things completed
> properly. The following diff shows a fix to cat5rancid to deal with this.
> Note that your line numbers will be different - I have other unrelated
> changes.
>
> ***************
> *** 1051,1056 ****
> --- 1050,1060 ----
>   TOP: while() {
>       tr/\015//d;
>       if (/> \(enable\) ?exit$/) {
> +         $clean_run=1;
> +         last;
> +     }
> +     # CatOS SSH client stomps on the "exit" command echo...
> +     if (/> \(enable\)*Connection*/) {
>           $clean_run=1;
>           last;
>       }
>
> 	Terry Kennedy		http://www.tmk.com
> 	terry at tmk.com		New York, NY USA
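Review bot: the new pattern `/> \(enable\)*Connection*/` in the added `if` does not express what the comment above it intends. In Perl `*` quantifies only the preceding atom, so `\)*` means "(enable" followed by zero or more ")" and `Connection*` means "Connectio" followed by zero or more "n"; it is not a shell-style wildcard. It happens to match the session shown earlier in this thread (`cat6509> (enable)Connection to cat6509 closed by remote host.`) only because the switch prints no space between the prompt and the ssh message, and it would also accept any line containing "(enableConnectio". Suggest matching the close message explicitly, e.g. `if (/> \(enable\) ?Connection to .* closed/)`, so only the remote-close line after an enable prompt marks `$clean_run=1`. Minor: the comment says "CatOS SSH client", but per the description it is the switch (the SSH server side) that closes the connection before echoing `exit`; rewording it as "CatOS closes the SSH session before echoing exit" would match the explanation.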
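As an added example (not rancid's code, and not from anyone in this thread), the router.db dispatch loop heas posted earlier in the thread, rewritten as POSIX sh functions that skip comment and blank lines, skip routers not marked "up", and can be dry-run before anything logs in. It assumes the name:vendor:state field layout shown in that loop, that clogin/jlogin take -s <expect-script> as discussed, and reuses the placeholder script names cisco_script and jnx_script from heas's message.

```shell
#!/bin/sh
# Added example, not rancid's own code: run a per-vendor command script
# on every router that router.db lists as "up", as the loop posted in
# this thread does.  Assumes the name:vendor:state layout shown there
# and the placeholder script names cisco_script / jnx_script.

# Print the *login command for one router.db line.  Returns 1 (printing
# nothing) for comments, blank lines, routers not "up", unknown vendors.
login_cmd() {
    line=$1
    case "$line" in
        ''|'#'*) return 1 ;;        # '#' comments are allowed in router.db
    esac
    name=${line%%:*}
    rest=${line#*:}
    vendor=${rest%%:*}
    state=${rest#*:}
    state=${state%%:*}              # ignore any trailing fields
    [ "$state" = "up" ] || return 1
    case "$vendor" in
        cisco)   echo "clogin -s cisco_script $name" ;;
        juniper) echo "jlogin -s jnx_script $name" ;;
        *)       return 1 ;;
    esac
}

# Walk every group's router.db under the rancid base directory.  With
# DRY_RUN=1 the commands are printed, one per line, instead of executed.
run_all() {
    base=${1:-/usr/local/rancid}
    for db in "$base"/*/router.db; do
        [ -f "$db" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            cmd=$(login_cmd "$line") || continue
            if [ "${DRY_RUN:-0}" = 1 ]; then
                echo "$cmd"
            else
                $cmd
            fi
        done < "$db"
    done
}

# Demo on a constructed router.db (run with --demo); nothing logs in.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && mkdir "$tmp/lab"
    printf '%s\n' '# lab group' 'r1:cisco:up' 'r2:juniper:up' \
        'r3:cisco:down' 'r4:foundry:up' > "$tmp/lab/router.db"
    DRY_RUN=1 run_all "$tmp"
    rm -rf "$tmp"
fi
```

Running it without DRY_RUN executes the printed clogin/jlogin commands in turn; wrapping each in rancid's par, as Avram suggested, is the remaining step for parallelism.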