From shekhar at mos.com.np Thu Jun 1 09:55:49 2006
From: shekhar at mos.com.np (Shekhar Basnet)
Date: Thu, 01 Jun 2006 15:40:49 +0545
Subject: [rancid] Run a command in all the routers
Message-ID: <1149155748.17542.12.camel@chulu.mos.com.np>

Hello all,

Suppose I want to run a command say "show diag" in all the routers of
different router.db files, what command do I issue?

That's one. I have 18 router.db files polling 72 devices. Now I want to
issue that command in only 9 router.db files. How do I tackle that?

TIA
S.

From cstave at gmail.com Thu Jun 1 14:00:46 2006
From: cstave at gmail.com (Chris Stave)
Date: Thu, 1 Jun 2006 10:00:46 -0400
Subject: [rancid] Re: Run a command in all the routers
In-Reply-To: <1149155748.17542.12.camel@chulu.mos.com.np>
References: <1149155748.17542.12.camel@chulu.mos.com.np>
Message-ID: <5471c93d0606010700m11e59f9dkede58160a1ec4c68@mail.gmail.com>

I've had good luck with scripts calling clogin, my devices are
sequentially addressed, so a simple loop takes care of them all for me.
It doesn't matter so much that they're in router.db as that they are in
.cloginrc.

As far as using router.db files to determine which devices get the
command issued, it's a little tougher. If it is something that you're
going to use a lot, you could write a script for each grouping.

Below is my script to connect to everything between 10.2.1.1 and
10.2.1.50 and run the commands in cmds.txt

for (( i = 1 ; i <= 50; i++ ))
do
    /home/rancid/bin/clogin -x /home/rancid/cmds.txt 10.2.1.$i
done

then you can edit cmds.txt to contain whatever commands you would like
to send, currently my cmds.txt contains:

show cdp ent *
exit

Good luck!
Chris Stave
Drew University

On 6/1/06, Shekhar Basnet wrote:
>
> Hello all,
>
> Suppose I want to run a command say "show diag" in all the routers of
> different router.db files, what command do I issue?
>
> That's one. I have 18 router.db files polling 72 devices. Now I want to
> issue that command in only 9 router.db files. How do I tackle that?
>
> TIA
> S.

From DylanV at semaphore.com Thu Jun 1 17:44:25 2006
From: DylanV at semaphore.com (Dylan Vanderhoof)
Date: Thu, 1 Jun 2006 10:44:25 -0700
Subject: [rancid] Re: Run a command in all the routers
Message-ID:

find . -name router.db |xargs cat |grep up| sed s/:.*:up//g

Running that from the rancid data-dir should give you a list of each up
device to stdout.

-D

-----Original Message-----
From: Shekhar Basnet [mailto:shekhar at mos.com.np]
Sent: Thursday, June 01, 2006 2:56 AM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Run a command in all the routers

Hello all,

Suppose I want to run a command say "show diag" in all the routers of
different router.db files, what command do I issue?

That's one. I have 18 router.db files polling 72 devices. Now I want to
issue that command in only 9 router.db files. How do I tackle that?

TIA
S.

From eravin at panix.com Thu Jun 1 18:10:53 2006
From: eravin at panix.com (Ed Ravin)
Date: Thu, 1 Jun 2006 14:10:53 -0400
Subject: [rancid] Re: Run a command in all the routers
In-Reply-To:
References:
Message-ID: <20060601181053.GA14781@panix.com>

On Thu, Jun 01, 2006 at 10:44:25AM -0700, Dylan Vanderhoof wrote:
>
> find . -name router.db |xargs cat |grep up| sed s/:.*:up//g

That might not work at some sites. How about this:

find . -name router.db | xargs cat | grep -w up | cut -f1 -d:

Which would avoid accidentally trying to reach routers with names like
"Frupton" that weren't in the "up" state, and be a little more reliable
parsing out the router name.

-- Ed (but all bets are off if one of your routers is named "up")

From asp at partan.com Thu Jun 1 18:49:12 2006
From: asp at partan.com (Andrew Partan)
Date: Thu, 1 Jun 2006 14:49:12 -0400
Subject: [rancid] Re: Run a command in all the routers
In-Reply-To:
References:
Message-ID: <20060601184912.GA39794@partan.com>

On Thu, Jun 01, 2006 at 10:44:25AM -0700, Dylan Vanderhoof wrote:
> find . -name router.db |xargs cat |grep up| sed s/:.*:up//g

Or
    clogin -c "show diag" `find . -name router.db | \
        xargs awk -F: '$3 == "up" && $2 == "cisco" && $1 !~ /^#/ {print $1}'`

Change cisco to the type of device you want the command to run on.

You can also do
    clogin -c "show diag;show version"
if you want to run more than one command.

Or
    clogin -x command_file
if command_file has a list of the commands you want to run.

Or
    clogin -s script_file
if script_file is a more complex expect script. See share/*.exp for a
couple of sample expect scripts.
    --asp

From jeekay at gmail.com Thu Jun 1 11:55:20 2006
From: jeekay at gmail.com (Jee Kay)
Date: Thu, 1 Jun 2006 12:55:20 +0100
Subject: [rancid] Re: Run a command in all the routers
In-Reply-To: <1149155748.17542.12.camel@chulu.mos.com.np>
References: <1149155748.17542.12.camel@chulu.mos.com.np>
Message-ID:

On 01/06/06, Shekhar Basnet wrote:
> Suppose I want to run a command say "show diag" in all the routers of
> different router.db files, what command do I issue?
>
> That's one. I have 18 router.db files polling 72 devices. Now I want to
> issue that command in only 9 router.db files. How do I tackle that?

(eww HTML email)

I don't know about the first, but for the second you can do:

./clogin -c "show diag" router1 router2 router3 router4

Ras

From razor at lg.minjust.gov.ua Fri Jun 2 11:35:30 2006
From: razor at lg.minjust.gov.ua (Alexsey Razorenov)
Date: Fri, 02 Jun 2006 14:35:30 +0300
Subject: [rancid] without X
Message-ID:

hi all
is it possible to NOT install the X 4 rancid?
thanx

From rancid at veggiechinese.net Tue Jun 6 20:40:36 2006
From: rancid at veggiechinese.net (William Yardley)
Date: Tue, 6 Jun 2006 13:40:36 -0700
Subject: [rancid] "command not found" error
Message-ID: <20060606204036.GA18151@mitch.veggiechinese.net>

When running /usr/local/rancid/bin/rancid-run, I get:

/usr/local/rancid/bin/rancid-run: line 59: rancid:: command not found

Rancid still works, but the error is very confusing (especially since
Rancid doesn't really send anything to stdout / stderr while it's
working).

I *think* it's talking about line 59 of rancid.conf, not line 59 of
rancid-run - I have (in the config):

# list of rancid groups
LIST_OF_GROUPS="rancid"
# For each group, define a list of people to receive the diffs.
# in sendmail's /etc/aliases.
rancid: user1,user2
[...]
MAILDOMAIN="@example.com"; export MAILDOMAIN

This seems correct from a quick look at the example config file.

I do have /usr/local/rancid/run in $PATH in my environment. I tried
suing to the user running rancid (usually I run it as "sudo -u
ranciduser /path/to/rancid/rancid-run), but that didn't change anything.
"which rancid" does return the correct rancid.

w

From heas at shrubbery.net Tue Jun 6 20:44:04 2006
From: heas at shrubbery.net (john heasley)
Date: Tue, 6 Jun 2006 13:44:04 -0700
Subject: [rancid] Re: "command not found" error
In-Reply-To: <20060606204036.GA18151@mitch.veggiechinese.net>
References: <20060606204036.GA18151@mitch.veggiechinese.net>
Message-ID: <20060606204404.GJ7214@shrubbery.net>

Tue, Jun 06, 2006 at 01:40:36PM -0700, William Yardley:
> When running /usr/local/rancid/bin/rancid-run, I get:
>
> /usr/local/rancid/bin/rancid-run: line 59: rancid:: command not found
>
> Rancid still works, but the error is very confusing (especially since
> Rancid doesn't really send anything to stdout / stderr while it's
> working).
>
> I *think* it's talking about line 59 of rancid.conf, not line 59 of
> rancid-run - I have (in the config):
>
> # list of rancid groups
> LIST_OF_GROUPS="rancid"
> # For each group, define a list of people to receive the diffs.
> # in sendmail's /etc/aliases.
> rancid: user1,user2

That is not valid shell (sh) code. You have to enter the mail alias in
/etc/aliases, not in rancid.conf.

> [...]
> MAILDOMAIN="@example.com"; export MAILDOMAIN
>
> This seems correct from a quick look at the example config file.
>
> I do have /usr/local/rancid/run in $PATH in my environment. I tried
> suing to the user running rancid (usually I run it as "sudo -u
> ranciduser /path/to/rancid/rancid-run), but that didn't change anything.
> "which rancid" does return the correct rancid.
>
> w

From mwlucas at blackhelicopters.org Thu Jun 8 16:17:55 2006
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Thu, 8 Jun 2006 12:17:55 -0400
Subject: [rancid] clogin interactive works, non-interactive doesn't
Message-ID: <20060608161755.GA48547@bewilderbeast.blackhelicopters.org>

Hi,

I'm using rancid 2.3.1 on FreeBSD 6.1, built from ports, and am having
a problem with run-rancid. Rancid runs as the user "rancid" with a
homedir of /home/rancid, much like many other people on this list.

When I run clogin from the command line, I can issue commands to all
the routers to my heart's content. When I run rancid-run, however, my
log fills up with:

host.name clogin error: Error: TIMEOUT reached
(plus lists of the commands that failed, of course)

Any suggestions on where to look?

Thanks,
==ml

--
Michael W. Lucas mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur

From mwlucas at blackhelicopters.org Thu Jun 8 19:55:49 2006
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Thu, 8 Jun 2006 15:55:49 -0400
Subject: [rancid] Re: clogin interactive works, non-interactive doesn't
In-Reply-To: <20060608161755.GA48547@bewilderbeast.blackhelicopters.org>
References: <20060608161755.GA48547@bewilderbeast.blackhelicopters.org>
Message-ID: <20060608195549.GA49870@bewilderbeast.blackhelicopters.org>

On Thu, Jun 08, 2006 at 12:17:55PM -0400, Michael W. Lucas wrote:
> Hi,
>
> I'm using rancid 2.3.1 on FreeBSD 6.1, built from ports, and am having
> a problem with run-rancid. Rancid runs as the user "rancid" with a
> homedir of /home/rancid, much like many other people on this list.
>
> When I run clogin from the command line, I can issue commands to all
> the routers to my heart's content. When I run rancid-run, however, my
> log fills up with:
>
> host.name clogin error: Error: TIMEOUT reached
> (plus lists of the commands that failed, of course)
>
>
> Any suggestions on where to look?
>
> Thanks,
>
> ==ml

Followup to my own post so the answer gets in the archives:

rancid-run works fine with plain hostnames in router.db, but choked on
FQDN. While FQDN would be nice, it isn't vital for me.

Thanks for all the private mail of suggestions!

==ml
(who, once again, should have gone to lunch *before* sending an email
saying he had a problem...)

--
Michael W. Lucas mwlucas at FreeBSD.org, mwlucas at BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur

From sha at onland.dk Fri Jun 9 07:22:16 2006
From: sha at onland.dk (Soren Hansen)
Date: Fri, 09 Jun 2006 09:22:16 +0200
Subject: [rancid] Re: clogin interactive works, non-interactive doesn't
In-Reply-To: <20060608161755.GA48547@bewilderbeast.blackhelicopters.org>
References: <20060608161755.GA48547@bewilderbeast.blackhelicopters.org>
Message-ID: <448921A8.1030401@onland.dk>

I recently added a number of 2950's to my Rancid installation. Some of
these switches had a "+" in the hostname and those didn't succeed.
Replacing "+" with "_" fixed my problem.

/Søren

Michael W. Lucas wrote:
> Hi,
>
> I'm using rancid 2.3.1 on FreeBSD 6.1, built from ports, and am having
> a problem with run-rancid. Rancid runs as the user "rancid" with a
> homedir of /home/rancid, much like many other people on this list.
>
> When I run clogin from the command line, I can issue commands to all
> the routers to my heart's content.
> When I run rancid-run, however, my
> log fills up with:
>
> host.name clogin error: Error: TIMEOUT reached
> (plus lists of the commands that failed, of course)
>
>
> Any suggestions on where to look?
>
> Thanks,
>
> ==ml

From bigwavedave at gmail.com Fri Jun 9 19:15:00 2006
From: bigwavedave at gmail.com (Big Wave Dave)
Date: Fri, 9 Jun 2006 12:15:00 -0700
Subject: [rancid] NetGear 7324
Message-ID: <8e124f160606091215q4e408ce7t741803b41fad1359@mail.gmail.com>

I love Rancid, and use it for many devices... but have now been forced
to add some NetGear switches to the mix.

The switches are Netgear GSM7324 switches. I'd love to be able to get
my rancid install to pull configs from them as well.

Unfortunately none of the rancid "login" scripts seem to be able to get
all the way to enable mode. Some of them get close... but appear to
only give 4 of the characters for the password!?

Has anyone found a way to gather from these switches or similar?

Thanks,
Dave

From rspeed at gmail.com Mon Jun 12 16:41:34 2006
From: rspeed at gmail.com (Ryan Speed)
Date: Mon, 12 Jun 2006 09:41:34 -0700
Subject: [rancid] Re: ignore certain diff's
In-Reply-To: <447490D2.3060702@harvard.edu>
References: <447490D2.3060702@harvard.edu>
Message-ID:

just to follow-up for completeness.

Thanks Dave, your suggestion worked with minor modification, I made the
changes and forgot about it (mainly because I stopped receiving the
bogus emails).

I changed
    --ignore-matching-lines='^call-forward'
to
    --ignore-matching-lines='.*call-forward.*'

which has filtered out the call forwarding emails I was receiving.

Thanks again,
Ryan

On 5/24/06, David LaPorte wrote:
> We do something similar to ignore access-list changes.
> It's more
> in-depth than simply grep'ing it (since there are context lines as well
> you don't want to see), but hacking control_rancid as follows should work:
>
> cvs -f diff -U 4 | sed -e '/^RCS file: /d' -e '/^--- /d' \
>     -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
>
> to:
>
> cvs -f diff -U 4 --ignore-matching-lines='^call-forward' | \
>     sed -e '/^RCS file: /d' -e '/^--- /d' -e '/^+++ /d' \
>     -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
>
> For some reason, I seem to remember it would still email even if the
> diff were blank, so I wrapped the email section in a:
>
> DIFF=`cat $TMP.diff | grep -v "^===" | grep -v "^diff " | \
>     grep -v "^Index: " | grep -v "^retrieving revision" | grep -v "^$"`
> if [ -n "$DIFF" ]; then
>     ...email stuff here...
> fi
>
> There may be a better way, but that has worked well for me.
>
> Dave
>
> Ryan Speed wrote:
> > Howdy,
> >
> > I've got rancid checking a few cisco routers running Callmanager
> > Express which has turned out to be a bit of an annoyance because when
> > people forward their phones I get the diff emails sent out. Before I
> > go hacking away at the scripts could someone suggest an elegant way to
> > add exceptions to the emailing of diffs? I'm assuming a | grep -v
> > call-forward in the right place would do the trick.
> >
> > Thanks,
> > Ryan
> >
>

--
><(((?>
Ryan Speed
http://speedo.ca (Personal site)
http://gallery.speedo.ca (Photo Gallery)
http://newsbc.ca (News BC)
http://newsbc.ca/movies (Movie Reviews)

From esteinke at speakeasy.net Tue Jun 13 15:15:27 2006
From: esteinke at speakeasy.net (esteinke at speakeasy.net)
Date: Tue, 13 Jun 2006 15:15:27 +0000
Subject: [rancid] (no subject)
Message-ID:

Greetings!

Any hints on getting an Aruba Wireless switch working with Rancid? The OS
is somewhat like the Cisco IOS. I successfully tested the clogin portion
and after the initial setup it was able to pull the config. Then it
started emailing about not being able to contact the router.
Looking at the logs I see that it is waiting for responses to commands
which the Aruba doesn't support (show vlan) being one. Is there a way to
customize rancid for this device?

Thanks!
Liz

From karpenko at willers.employees.org Tue Jun 13 15:42:20 2006
From: karpenko at willers.employees.org (jkarpenko)
Date: Tue, 13 Jun 2006 08:42:20 -0700 (PDT)
Subject: [rancid] Re: (no subject)
In-Reply-To:
References:
Message-ID: <20060613083741.W93308@willers.employees.org>

I would make a copy of clogin (expect script) and rancid (perl script)
and then modify the rancid (perl script) to send the commands you want
or comment out the commands you do or don't want it to send; the
commands that are sent is what rancid (perl script) parses.

The rancid (perl script) calls the clogin (expect script). You would
need to make sure and replace the "clogin" with the name of the copy
that you made.

Dunno if this is what you're looking for, but HTH.

/karpenko/

On Tue, 13 Jun 2006 esteinke at speakeasy.net wrote:

> Greetings!
>
> Any hints on getting an Aruba Wireless switch working with Rancid? The OS
> is somewhat like the Cisco IOS. I successfully tested the clogin portion
> and after the initial setup it was able to pull the config. Then it
> started emailing about not being able to contact the router. Looking at
> the logs I see that it is waiting for responses to commands which the
> Aruba doesn't support (show vlan) being one. Is there a way to customize
> rancid for this device?
> Thanks!
> Liz

From tyler at tylerhall.net Thu Jun 15 14:30:33 2006
From: tyler at tylerhall.net (Tyler Hall)
Date: Thu, 15 Jun 2006 07:30:33 -0700
Subject: [rancid] flogin stops after login
In-Reply-To:
References:
Message-ID: <44916F09.8050802@tylerhall.net>

Greetings,

I'm trying to login to a foundry router, It logs in successfully but
then sits there and won't run the command. Any help you could provide
would be great.

-su-2.05b# /usr/local/libexec/rancid/flogin -u rancid -c 'sh arp' 1.2.3.4
spawn ssh -c 3des -x -l rancid 1.2.3.4
ssh: connect to host 1.2.3.4 port 22: Connection refused
spawn telnet 1.2.3.4 -23
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.

User Access Verification

Please Enter Login Name: rancid
Please Enter Password:

User login successful.

telnet at az-ge-br1#
Error: TIMEOUT reached

Thanks:)

From erik at code.de Fri Jun 16 16:25:10 2006
From: erik at code.de (Erik Wenzel)
Date: Fri, 16 Jun 2006 18:25:10 +0200
Subject: [rancid] Re: ignore certain diff's
In-Reply-To:
References: <20060524191407.GA15602@panix.com>
Message-ID: <20060616162510.GA18693@hendrix.code.de>

Ok, I have written together a patch[0] for v2.3.1 based on all
information in this thread. Test and comment the patch, please.

[0] http://gpl.code.de/rancid/diff-suppress-2.3.1-2.patch

--
erik at code.de

From tex at off.org Fri Jun 16 18:13:13 2006
From: tex at off.org (Austin Schutz)
Date: Fri, 16 Jun 2006 11:13:13 -0700
Subject: [rancid] Re: ignore certain diff's
In-Reply-To: <20060616162510.GA18693@hendrix.code.de>
References: <20060524191407.GA15602@panix.com> <20060616162510.GA18693@hendrix.code.de>
Message-ID: <20060616181313.GE7880@gblx.net>

On Fri, Jun 16, 2006 at 06:25:10PM +0200, Erik Wenzel wrote:
> Ok, I have written together a patch[0] for v2.3.1 based on all
> information in this thread. Test and comment the patch, please.
>
> [0] http://gpl.code.de/rancid/diff-suppress-2.3.1-2.patch

No comment about whether or not the code works (I'm sure it
probably does) but it seems excessively complex for direct inclusion
into control_rancid.
Heas made a comment about having a diff script. That seems like a
pretty good idea. If we did that we could do something like:

# Diff the directory and then checkin.
trap 'rm -fr $TMP $TMP.diff $DIR/routers.single;' 1 2 15
cd $DIR

# Difftool runs cvs diff using a configurable diff version, munging
# output to strip superfluous data.
difftool > $TMP.diff

if [ -s $TMP.diff ]; then
sendmail -t <

References: <20060524191407.GA15602@panix.com> <20060616162510.GA18693@hendrix.code.de>
Message-ID: <20060616235838.GA6445@hendrix.code.de>

On Fri, Jun 16, 2006 at 06:25:10PM +0200, Erik Wenzel wrote:
> Ok, I have written together a patch[0] for v2.3.1 based on all
> information in this thread. Test and comment the patch, please.
>
> [0] http://gpl.code.de/rancid/diff-suppress-2.3.1-2.patch

I made a mistake in GNU tool detection. Fixed version is available[1].
Thanks to Ed Ravin.

[1] http://gpl.code.de/rancid/diff-suppress-2.3.1-3.patch

--
erik at code.de

From matt.hope at nicta.com.au Mon Jun 19 03:03:38 2006
From: matt.hope at nicta.com.au (Matt Hope)
Date: Mon, 19 Jun 2006 13:03:38 +1000
Subject: [rancid] Re: ignore certain diff's
In-Reply-To: <20060616181313.GE7880@gblx.net>
References: <20060524191407.GA15602@panix.com> <20060616162510.GA18693@hendrix.code.de> <20060616181313.GE7880@gblx.net>
Message-ID: <4496140A.7080000@nicta.com.au>

Austin Schutz wrote:
>
> No comment about whether or not the code works (I'm sure it
> probably does) but it seems excessively complex for direct inclusion
> into control_rancid.
> Heas made a comment about having a diff script. That seems like a
> pretty good idea. If we did that we could do something like:
> [..]
> ... and all the logic about which diff executable and what we
> grep for would be externalized.

I was having thoughts about taking it a step further - having an rc.d/
type directory of scripts to run after the checkout. By default, this
would just be the " cvs diff | mail " command, but I can see it being
useful for other things as well - say, for running a "rat" report any
time there are router changes, or re-drawing the network diagram (if
you're the kind of person that generates this from the config files).

A different way to solve the parent's problem would be to use diff's
'--exclude-from=FILE' argument. On this list previously, we've had
people wanting to suppress Cisco Call Manager forwarding changes, as
well as spantree changes on some Catalyst switches.

From mstefani at redhat.com Mon Jun 26 12:44:26 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Mon, 26 Jun 2006 14:44:26 +0200
Subject: [rancid] clogin connecting over an other router?
Message-ID: <449FD6AA.9050908@redhat.com>

Hello,

i could swear I have seen once that rancid can jump over a router to get
to an other network device but i can't find that anymore :( .
I know there is the work to make clogin connect over terminal servers
and that could be made to work for this case too but that's overly
complicated. Having something in .cloginrc like:
    add via 192.168.42.* 192.168.0.254
would be way easier.
So a clogin 192.168.42.42 would connect normally to 192.168.0.254 and
then spawn itself and do a ssh/telnet to 192.168.42.42. That could be
cascaded even more if 192.168.0.254 would also have a "via".

The advantage of this approach is that one wouldn't have to add any
expect code into cloginrc like it is needed with the generic terminal
server approach as clogin already has all the needed code.

I do not know if others have a use for this function but at least we
could use it to access WLAN APs and external switches (those without a
separate management interface). We like to keep external networks
physically separated from internal ones and do not like to mix internal
and external VLANs on the same device.

bye
    michael
--
Michael Stefaniuc         Tel.: +49-711-96437-199
Sr. Network Engineer      Fax.: +49-711-96437-111
Red Hat GmbH              Email: mstefani at redhat.com
Hauptstaetterstr. 58      http://www.redhat.de/
D-70178 Stuttgart

From eravin at panix.com Mon Jun 26 14:07:48 2006
From: eravin at panix.com (Ed Ravin)
Date: Mon, 26 Jun 2006 10:07:48 -0400
Subject: [rancid] Re: clogin connecting over an other router?
In-Reply-To: <449FD6AA.9050908@redhat.com>
References: <449FD6AA.9050908@redhat.com>
Message-ID: <20060626140748.GA12187@panix.com>

On Mon, Jun 26, 2006 at 02:44:26PM +0200, Michael Stefaniuc wrote:
> I know there is the work to make clogin connect over terminal servers
> and that could be made to work for this case too but that's overly
> complicated. Having something in .cloginrc like:
>     add via 192.168.42.* 192.168.0.254
> would be way easier.
> So a clogin 192.168.42.42 would connect normally to 192.168.0.254 and
> then spawn itself and do a ssh/telnet to 192.168.42.42.

Interesting idea.
When I wrote the patch for using arbitrary commands
to connect to the remote router, discussed here:

http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html

It didn't occur to me one might want to use clogin as the external
command to make the connection. But it should work - with the patch,
you could do this:

    add method viarouter {usercmd}
    add usercmd viarouter {clogin} {-c} {telnet 192.168.42.42} {192.168.0.254}

Assuming that cloginrc was set up properly to log in to 192.168.0.254.

> The advantage of this approach is that one wouldn't have to add any
> expect code into cloginrc like it is needed with the generic terminal
> server approach as clogin already has all the needed code.

Indeed - the "chat script" stuff I put into the patch shouldn't be needed
in this case.

From mstefani at redhat.com Mon Jun 26 14:17:12 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Mon, 26 Jun 2006 16:17:12 +0200
Subject: [rancid] Re: clogin connecting over an other router?
In-Reply-To: <20060626140748.GA12187@panix.com>
References: <449FD6AA.9050908@redhat.com> <20060626140748.GA12187@panix.com>
Message-ID: <449FEC68.6040708@redhat.com>

Ed Ravin wrote:
> On Mon, Jun 26, 2006 at 02:44:26PM +0200, Michael Stefaniuc wrote:
>
>>I know there is the work to make clogin connect over terminal servers
>>and that could be made to work for this case too but that's overly
>>complicated. Having something in .cloginrc like:
>>    add via 192.168.42.* 192.168.0.254
>>would be way easier.
>>So a clogin 192.168.42.42 would connect normally to 192.168.0.254 and
>>then spawn itself and do a ssh/telnet to 192.168.42.42.
>
>
> Interesting idea. When I wrote the patch for using arbitrary commands
> to connect to the remote router, discussed here:
>
> http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001490.html
>
> It didn't occur to me one might want to use clogin as the external
> command to make the connection.
> But it should work - with the patch,

Ok, thanks, i'll try it out and let you know if it works.

> you could do this:
>
>     add method viarouter {usercmd}
>     add usercmd viarouter {clogin} {-c} {telnet 192.168.42.42} {192.168.0.254}
>
> Assuming that cloginrc was set up properly to log in to 192.168.0.254.
>
>
>>The advantage of this approach is that one wouldn't have to add any
>>expect code into cloginrc like it is needed with the generic terminal
>>server approach as clogin already has all the needed code.
>
>
> Indeed - the "chat script" stuff I put into the patch shouldn't be needed
> in this case.

bye
    michael
--
Michael Stefaniuc         Tel.: +49-711-96437-199
Sr. Network Engineer      Fax.: +49-711-96437-111
Red Hat GmbH              Email: mstefani at redhat.com
Hauptstaetterstr. 58      http://www.redhat.de/
D-70178 Stuttgart

From kkadow at gmail.com Tue Jun 27 21:49:13 2006
From: kkadow at gmail.com (Kevin)
Date: Tue, 27 Jun 2006 16:49:13 -0500
Subject: [rancid] Retrieving cisco configuration using SNMP+TFTP
Message-ID:

Has any work been done with RANCID to retrieve cisco configuration via SNMP?

I have a script using the Cisco::CopyConfig perl module to extract from
switches and routers. I'm working on hooking this into rancid.

The script uses a ReadWrite community string to send a SNMP command
instructing IOS to upload configuration to a TFTP server.

This isn't quite as insecure as you might think at first glance :)

IOS provides "snmp-server view" and "snmp-server tftp-server-list"
settings, restricting a SNMP community to a source IP accessing a
specific OID, and simultaneously restricting destination TFTP server.
The tricky part may be ensuring that the TFTP server itself is secure.
To this end I use OpenBSD's TFTP proxy.

Kevin Kadow

===== Pseudocode follows =====
#! /usr/bin/perl
#
# Cisco::CopyConfig requires Net::SNMP
#
use Cisco::CopyConfig;
use Socket;

unless(-w $filename) {
    open(NEW,">$filename"); close(NEW);
    chmod 0622, $filename;
}

$config = Cisco::CopyConfig->new( 'Host' => $ip, 'Comm' => $community);
$config->copy($tftpserver, $filename); chmod 0622, $filename;

die "Error result is $error" if($error=$config->error());

###EOF###

From mfreeman at netcogov.com Tue Jun 27 21:50:39 2006
From: mfreeman at netcogov.com (Freeman, Michael)
Date: Tue, 27 Jun 2006 16:50:39 -0500
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To:
Message-ID:

I don't think it would take much to hook it into rancid, as I believe if
you have the file already downloaded you can feed it into one of the
'rancid' utilities from the command line and it will do its thing.

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Kevin
Sent: Tuesday, June 27, 2006 4:49 PM
To: rancid-discuss at shrubbery.net
Subject: [rancid] Retrieving cisco configuration using SNMP+TFTP

Has any work been done with RANCID to retrieve cisco configuration via
SNMP?

I have a script using the Cisco::CopyConfig perl module to extract from
switches and routers. I'm working on hooking this into rancid.

The script uses a ReadWrite community string to send a SNMP command
instructing IOS to upload configuration to a TFTP server.

This isn't quite as insecure as you might think at first glance :)

IOS provides "snmp-server view" and "snmp-server tftp-server-list"
settings, restricting a SNMP community to a source IP accessing a
specific OID, and simultaneously restricting destination TFTP server.
The tricky part may be ensuring that the TFTP server itself is secure.
To this end I use OpenBSD's TFTP proxy.

Kevin Kadow

===== Pseudocode follows =====
#! /usr/bin/perl
#
# Cisco::CopyConfig requires Net::SNMP
#
use Cisco::CopyConfig;
use Socket;

unless(-w $filename) {
    open(NEW,">$filename"); close(NEW);
    chmod 0622, $filename;
}

$config = Cisco::CopyConfig->new( 'Host' => $ip, 'Comm' => $community);
$config->copy($tftpserver, $filename); chmod 0622, $filename;

die "Error result is $error" if($error=$config->error());

###EOF###

From cmoody at qualcomm.com Tue Jun 27 23:15:42 2006
From: cmoody at qualcomm.com (Chris Moody)
Date: Tue, 27 Jun 2006 16:15:42 -0700
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To:
References:
Message-ID: <44A1BC1E.5090506@qualcomm.com>

There's already work existing that does the snmp based "write net"
http://www.pancho.org/

-Chris

Freeman, Michael wrote:
> I don't think it would take much to hook it into rancid, as I believe if
> you have the file already downloaded you can feed it into one of the
> 'rancid' utilities from the command line and it will do its thing.
>
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Kevin
> Sent: Tuesday, June 27, 2006 4:49 PM
> To: rancid-discuss at shrubbery.net
> Subject: [rancid] Retrieving cisco configuration using SNMP+TFTP
>
> Has any work been done with RANCID to retrieve cisco configuration via
> SNMP?
>
> I have a script using the Cisco::CopyConfig perl module to extract from
> switches and routers. I'm working on hooking this into rancid.
>
> The script uses a ReadWrite community string to send a SNMP command
> instructing IOS to upload configuration to a TFTP server.
>
> This isn't quite as insecure as you might think at first glance :)
>
> IOS provides "snmp-server view" and "snmp-server tftp-server-list"
> settings, restricting a SNMP community to a source IP accessing a
> specific OID, and simultaneously restricting destination TFTP server.
> The tricky part may be ensuring that the TFTP server itself is secure.
> To this end I use OpenBSD's TFTP proxy.
>
>
> Kevin Kadow
>
> ===== Pseudocode follows =====
> #! /usr/bin/perl
> #
> # Cisco::CopyConfig requires Net::SNMP
> #
> use Cisco::CopyConfig;
> use Socket;
>
> unless(-w $filename) {
>     open(NEW,">$filename"); close(NEW);
>     chmod 0622, $filename;
> }
>
> $config = Cisco::CopyConfig->new( 'Host' => $ip, 'Comm' => $community);
> $config->copy($tftpserver, $filename); chmod 0622, $filename;
>
> die "Error result is $error" if($error=$config->error());
>
> ###EOF###

From kkadow at gmail.com Wed Jun 28 02:04:48 2006
From: kkadow at gmail.com (Kevin)
Date: Tue, 27 Jun 2006 21:04:48 -0500
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To: <44A1BC1E.5090506@qualcomm.com>
References: <44A1BC1E.5090506@qualcomm.com>
Message-ID:

On 6/27/06, Chris Moody wrote:
> Freeman, Michael wrote:
> > I don't think it would take much to hook it into rancid, as I believe if
> > you have the file already downloaded you can feed it into one of the
> > 'rancid' utilities from the command line and it will do its thing.
>
> There's already work existing that does the snmp based "write net"
> http://www.pancho.org/

I'm primarily interested in configuration 'diffs' and archives.
Is pancho readily integrated into rancid?

If not, would it make more sense to add SNMP+TFTP as a rancid module,
or to add support in rancid to call pancho to retrieve Cisco
configurations?

Basically, my employer doesn't mind building process around open
source, but prefers that the solution be part of the base FOSS project
(makes it easier to replace senior staff with inexpensive newly
graduated CS BS students).

Kevin

From mstefani at redhat.com Wed Jun 28 16:03:40 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Wed, 28 Jun 2006 18:03:40 +0200
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To:
References: <44A1BC1E.5090506@qualcomm.com>
Message-ID: <44A2A85C.80603@redhat.com>

Kevin wrote:
> On 6/27/06, Chris Moody wrote:
>
>>Freeman, Michael wrote:
>>
>>>I don't think it would take much to hook it into rancid, as I believe if
>>>you have the file already downloaded you can feed it into one of the
>>>'rancid' utilities from the command line and it will do its thing.
>>
>>There's already work existing that does the snmp based "write net"
>>http://www.pancho.org/
>
>
> I'm primarily interested in configuration 'diffs' and archives.
> Is pancho readily integrated into rancid?
You can also have a look at my "wrapper rancid" patch:
http://www.shrubbery.net/pipermail/rancid-discuss/2005-November/001276.html
It basically takes a config file gathered by any means and puts it into
rancid. The only plugin I have written is for Cisco VPN 3k concentrators
and it uses snmp to get some additional infos.

> If not, would it make more sense to add SNMP+TFTP as a rancid module,
Not IMO. We at least moved to rancid to get rid of tftp (at least one of
the reasons).

> or to add support in rancid to call pancho to retrieve Cisco
> configurations?
You can do that with wrancid (wrapper rancid).
> Basically, my employer doesn't mind building process around open
> source, but prefers that the solution be part of the base FOSS project
> (makes it easier to replace senior staff with inexpensive newly
> graduated CS BS students).

bye
	michael
--
Michael Stefaniuc               Tel.: +49-711-96437-199
Sr. Network Engineer            Fax.: +49-711-96437-111
Red Hat GmbH                    Email: mstefani at redhat.com
Hauptstaetterstr. 58            http://www.redhat.de/
D-70178 Stuttgart

From cmoody at qualcomm.com Wed Jun 28 22:52:39 2006
From: cmoody at qualcomm.com (Chris Moody)
Date: Wed, 28 Jun 2006 15:52:39 -0700
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To:
References: <44A1BC1E.5090506@qualcomm.com>
Message-ID: <44A30837.1070808@qualcomm.com>

> If not, would it make more sense to add SNMP+TFTP as a rancid module,
> or to add support in rancid to call pancho to retrieve Cisco
> configurations?

This should be pretty trivial to implement. clogin has the capability
to run external command scripts (CSS boxes behave differently though).

'Write net' (or whatever variation necessary) should be relatively easy
to implement (however, we all know that IOS CLI is a bit of a bugger
sometimes for scripts).

I'm currently using the clogin capabilities to run loads of other
commands...dump the output to a collector host...and then munging the
data w. perl to actually do something useful with it.

I'm actually about to tackle this exact task (rancid CVS -and- tftp
repository). While this may seem redundant, I have some engineers that
prefer having a tftp source available for config uploads. I need to
have the CVS change repository, but also have a readily available (and
simple) source for staff to be able to do uploads when devices die.

First steps are to build a device discovery mechanism to auto-maintain
my list of nodes (additions/removals, etc). This way I don't have to
enslave myself with maintaining the setup on a day to day basis (and
other scripts, etc).
I'm probably going to end up leveraging both projects (or mushing them
together). I'll let you in on my progress as I get further along if
you're interested.

Cheers,
-Chris

p.s. Great work Michael. Sharp addition. :o)

From kkadow at gmail.com Thu Jun 29 03:19:33 2006
From: kkadow at gmail.com (Kevin)
Date: Wed, 28 Jun 2006 22:19:33 -0500
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To: <44A30837.1070808@qualcomm.com>
References: <44A1BC1E.5090506@qualcomm.com> <44A30837.1070808@qualcomm.com>
Message-ID:

On 6/28/06, Chris Moody wrote:
> 'Write net' (or whatever variation necessary) should be relatively easy
> to implement (however, we all know that IOS CLI is a bit of a bugger
> sometimes for scripts).

Risks and headaches of scripting the CLI are exactly why I went with
the Cisco SNMP solution -- we have technical and political cause not
to have a Unix machine/script with "enable" access into
production-critical Cisco gear.

By using Cisco's "snmp-server view", the community string can only do
one thing -- trigger a "write net". And with "snmp-server
tftp-server-list", the destination of the write net command can also
be locked down.

This solution gives me much more confidence in the security of the
design than if I were to use "clogin". Compromise the machine on
which the script runs, and you still don't automatically own the Cisco
routers -- all you can do to the router for which you have a community
is have it send the configuration to the server, you can't even
exploit this to TFTP the configuration to an unapproved destination!

> I'm actually about to tackle this exact task (rancid CVS -and- tftp
> repository). While this may seem redundant, I have some engineers that
> prefer having a tftp source available for config uploads. I need to
> have the CVS change repository, but also have a readily available (and
> simple) source for staff to be able to do uploads when devices die.
This is part of why I started looking at rancid -- I want to have a
TFTP server with the latest configurations to do restores, but not
include passwords and crypto secrets -- I started scripting Perl to
remove these, and that's how I ran into rancid.

>p.s. Great work Michael. Sharp addition. :o)

I will likely hook my Perl script into Michael's "wrancid".

From jeekay at gmail.com Thu Jun 29 11:46:05 2006
From: jeekay at gmail.com (Jee Kay)
Date: Thu, 29 Jun 2006 12:46:05 +0100
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To:
References: <44A1BC1E.5090506@qualcomm.com> <44A30837.1070808@qualcomm.com>
Message-ID:

On 29/06/06, Kevin wrote:
> Risks and headaches of scripting the CLI are exactly why I went with
> the Cisco SNMP solution -- we have technical and political cause not
> to have a Unix machine/script with "enable" access into
> production-critical Cisco gear.

Just as a data point - you realise 'enable' access doesn't necessarily
mean 'privilege level 15' right? What we do here is lower 'show
startup-config' to priv level 2 and give the RANCID user priv2...
works grand :) Also means the RANCID user cannot affect the router in
any way.

Ras

From rmordasiewicz at samuelmanutech.com Thu Jun 29 18:05:17 2006
From: rmordasiewicz at samuelmanutech.com (Robin Mordasiewicz)
Date: Thu, 29 Jun 2006 14:05:17 -0400 (EDT)
Subject: [rancid] !VLAN: % Ambiguous command: "show vlan"
Message-ID:

I am noticing an error in the output

"!VLAN: % Ambiguous command: "show vlan""


my device is
NAME: "2821 chassis", DESCR: "2821 chassis"
!Image: Software: C2800NM-IPBASE-M, 12.4(5a), RELEASE SOFTWARE (fc3)
!Image: Compiled: Sat 14-Jan-06 03:19 by alnguyen
!Image: flash:c2800nm-ipbase-mz.124-5a.bin
!
!ROM Bootstrap: Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

From mstefani at redhat.com Thu Jun 29 21:51:57 2006
From: mstefani at redhat.com (Michael Stefaniuc)
Date: Thu, 29 Jun 2006 23:51:57 +0200
Subject: [rancid] Re: !VLAN: % Ambiguous command: "show vlan"
In-Reply-To:
References:
Message-ID: <44A44B7D.7080606@redhat.com>

Robin Mordasiewicz wrote:
> I am noticing an error in the output
>
> "!VLAN: % Ambiguous command: "show vlan""
I get the same on 38xx and 37xx Cisco routers and planned to fix it but
it's not a priority. The correct fix would be to run on those boxes a
sh vlan-switch

bye
	michael
>
>
> my device is
> NAME: "2821 chassis", DESCR: "2821 chassis"
> !Image: Software: C2800NM-IPBASE-M, 12.4(5a), RELEASE SOFTWARE (fc3)
> !Image: Compiled: Sat 14-Jan-06 03:19 by alnguyen
> !Image: flash:c2800nm-ipbase-mz.124-5a.bin
> !
> !ROM Bootstrap: Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

--
Michael Stefaniuc               Tel.: +49-711-96437-199
Sr. Network Engineer            Fax.: +49-711-96437-111
Red Hat GmbH                    Email: mstefani at redhat.com
Hauptstaetterstr. 58            http://www.redhat.de/
D-70178 Stuttgart

From shekhar at mos.com.np Fri Jun 30 04:02:59 2006
From: shekhar at mos.com.np (Shekhar Basnet)
Date: Fri, 30 Jun 2006 09:47:59 +0545
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To:
References: <44A1BC1E.5090506@qualcomm.com> <44A30837.1070808@qualcomm.com>
Message-ID: <1151640179.3134.394.camel@chulu.mos.com.np>

On Thu, 2006-06-29 at 17:31, Jee Kay wrote:
> On 29/06/06, Kevin wrote:
> > Risks and headaches of scripting the CLI are exactly why I went with
> > the Cisco SNMP solution -- we have technical and political cause not
> > to have a Unix machine/script with "enable" access into
> > production-critical Cisco gear.
>
> Just as a data point - you realise 'enable' access doesn't necessarily
> mean 'privilege level 15' right? What we do here is lower 'show
> startup-config' to priv level 2 and give the RANCID user priv2...
> works grand :) Also means the RANCID user cannot affect the router in
> any way.
>
I use TACACS+ downloaded from the shrubbery site. The RANCID user is
able to run only the show commands and nothing more than that.

S.

> Ras

From kanagaraj at aims.com.my Fri Jun 30 04:08:27 2006
From: kanagaraj at aims.com.my (Kanagaraj Krishna)
Date: Fri, 30 Jun 2006 12:08:27 +0800
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
References: <44A1BC1E.5090506@qualcomm.com><44A30837.1070808@qualcomm.com> <1151640179.3134.394.camel@chulu.mos.com.np>
Message-ID: <011001c69bfa$d72540f0$6b86dfcb@kana>

I'm also using TACACS+ which limits the commands of the RANCID user.
Working fine.

----- Original Message -----
From: "Shekhar Basnet"
To:
Sent: Friday, June 30, 2006 12:02 PM
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP

> On Thu, 2006-06-29 at 17:31, Jee Kay wrote:
> > On 29/06/06, Kevin wrote:
> > > Risks and headaches of scripting the CLI are exactly why I went with
> > > the Cisco SNMP solution -- we have technical and political cause not
> > > to have a Unix machine/script with "enable" access into
> > > production-critical Cisco gear.
> >
> > Just as a data point - you realise 'enable' access doesn't necessarily
> > mean 'privilege level 15' right? What we do here is lower 'show
> > startup-config' to priv level 2 and give the RANCID user priv2...
> > works grand :) Also means the RANCID user cannot affect the router in
> > any way.
> >
> I use TACACS+ downloaded from the shrubbery site. The RANCID user is
> able to run only the show commands and nothing more than that.
>
> S.
>
> > Ras

From jeekay at gmail.com Thu Jun 29 23:52:57 2006
From: jeekay at gmail.com (Jee Kay)
Date: Fri, 30 Jun 2006 00:52:57 +0100
Subject: [rancid] Maximum length of config
Message-ID:

I've got a device that returns 35k+ lines of config... and expect
doesn't seem to be very happy about that. Specifically it seems to
give up after roughly 29k lines - I'm guessing a buffer of some
description has filled up.

Sorry for the newbie expect question, but is this a known 'problem'
and if so how do I go about making it go away? :)

Thanks,
Ras

From asp at partan.com Fri Jun 30 15:15:53 2006
From: asp at partan.com (Andrew Partan)
Date: Fri, 30 Jun 2006 11:15:53 -0400
Subject: [rancid] Re: Maximum length of config
In-Reply-To:
References:
Message-ID: <20060630151553.GA18967@partan.com>

On Fri, Jun 30, 2006 at 12:52:57AM +0100, Jee Kay wrote:
> I've got a device that returns 35k+ lines of config... and expect
> doesn't seem to be very happy about that. Specifically it seems to
> give up after roughly 29k lines - I'm guessing a buffer of some
> description has filled up.

I have configs much longer than that & rancid is just fine.
Something else must be going wrong.
	--asp

From saku+rancid at ytti.fi Fri Jun 30 17:40:55 2006
From: saku+rancid at ytti.fi (Saku Ytti)
Date: Fri, 30 Jun 2006 20:40:55 +0300
Subject: [rancid] Re: Retrieving cisco configuration using SNMP+TFTP
In-Reply-To:
References: <44A1BC1E.5090506@qualcomm.com> <44A30837.1070808@qualcomm.com>
Message-ID: <20060630174055.GA28807@mx.ytti.net>

On (2006-06-28 22:19 -0500), Kevin wrote:

> By using Cisco's "snmp-server view", the community string can only do
> one thing -- trigger a "write net". And with "snmp-server
> tftp-server-list", the destination of the write net command can also
> be locked down.

However this only bites to tftp, not to ftp and rcp which are also
supported by CISCO-COPY-CONFIG-MIB. So if you're not doing vigorous
antispoofing and attacker knows your community, attacker can pull/push
config using spoofed requests.
This appears to be old bug 'CSCdu32036', but it's also present in as
late IOS' as 12.4T, so I'm not confident if cisco found correct bug
for it.
You can work around this with, in my order of preference a) vigorous
antispoofing b) CoPP c) rACL d) ACL in interfaces.

> This solution gives me much more confidence in the security of the
> design than if I were to use "clogin". Compromise the machine on
> which the script runs, and you still don't automatically own the Cisco
> routers -- all you can do to the router for which you have a community
> is have it send the configuration to the server, you can't even
> exploit this to TFTP the configuration to an unapproved destination!

I'd say never ever run SNMP RW without SNMPv3. At least rancid is using
TCP in most all scenarios.
--
  ++ytti

From wise.186 at osu.edu Fri Jun 30 18:00:23 2006
From: wise.186 at osu.edu (Aaron Wise)
Date: Fri, 30 Jun 2006 14:00:23 -0400
Subject: [rancid] svn commit fails during rancid-run
Message-ID:

I'm running Rancid with subversion, and was wondering if anyone else
is seeing commit failures when running rancid-run (with SVN):

svn: Commit failed (details follow):
svn: Out of date: '/repos' in transaction '9-1'

It appears that this is known subversion behavior-- although I don't
fully understand the reason for the behavior, and don't know if this
is consistent across other subversion versions. :) I have not seen
this issue on my CVS based installation.

subversion-1.3.1 (installed from FreeBSD ports)
rancid-2.3.2a4 (substituted for the rancid-2.3.1 FreeBSD port)

I was able to work around this issue by inserting a "$RCSSYS update"
before each commit line in rancid-cvs and control_rancid.

Otherwise, everything has been working great!

Best Regards,
Aaron

From heas at shrubbery.net Fri Jun 30 18:05:10 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 30 Jun 2006 11:05:10 -0700
Subject: [rancid] Re: svn commit fails during rancid-run
In-Reply-To:
References:
Message-ID: <20060630180510.GA17035@shrubbery.net>

Fri, Jun 30, 2006 at 02:00:23PM -0400, Aaron Wise:
> I'm running Rancid with subversion, and was wondering if anyone else
> is seeing commit failures when running rancid-run (with SVN):
>
> svn: Commit failed (details follow):
> svn: Out of date: '/repos' in transaction '9-1'
>
> It appears that this is known subversion behavior-- although I don't
> fully understand the reason for the behavior, and don't know if this
> is consistent across other subversion versions. :) I have not seen
> this issue on my CVS based installation.
>
> subversion-1.3.1 (installed from FreeBSD ports)
> rancid-2.3.2a4 (substituted for the rancid-2.3.1 FreeBSD port)
>
> I was able to work around this issue by inserting a "$RCSSYS update"
> before each commit line in rancid-cvs and control_rancid.

Someone or something must be mucking with your repository. I'd suggest
that you change the ownership & permissions of the files and directories
where your repository lies such that no other can alter them.

From wise.186 at osu.edu Fri Jun 30 18:48:01 2006
From: wise.186 at osu.edu (Aaron Wise)
Date: Fri, 30 Jun 2006 14:48:01 -0400
Subject: [rancid] Re: svn commit fails during rancid-run
In-Reply-To: <20060630180510.GA17035@shrubbery.net>
References: <20060630180510.GA17035@shrubbery.net>
Message-ID:

The entire repository is owned by the rancid user and group-- users
not in the rancid group don't even have read permissions. This
installation is not yet in production, so rancid is the only
application touching the repository.

On Jun 30, 2006, at 2:05 PM, john heasley wrote:
> Someone or something must be mucking with your repository. I'd
> suggest
> that you change the ownership & permissions of the files and
> directories
> where your repository lies such that no other can alter them.

From heas at shrubbery.net Fri Jun 30 18:55:53 2006
From: heas at shrubbery.net (john heasley)
Date: Fri, 30 Jun 2006 11:55:53 -0700
Subject: [rancid] Re: svn commit fails during rancid-run
In-Reply-To:
References: <20060630180510.GA17035@shrubbery.net>
Message-ID: <20060630185553.GD17035@shrubbery.net>

Are there errors from commits in your logs? The updates should not be
necessary and if that is fixing the problem then something must be
leaving your tree out of date. Try 'svn status' after rancid has run,
it should produce no output.

Fri, Jun 30, 2006 at 02:48:01PM -0400, Aaron Wise:
> The entire repository is owned by the rancid user and group-- users
> not in the rancid group don't even have read permissions. This
> installation is not yet in production, so rancid is the only
> application touching the repository.
>
>
>
> On Jun 30, 2006, at 2:05 PM, john heasley wrote:
> >Someone or something must be mucking with your repository. I'd
> >suggest
> >that you change the ownership & permissions of the files and
> >directories
> >where your repository lies such that no other can alter them.

From wise.186 at osu.edu Fri Jun 30 19:21:12 2006
From: wise.186 at osu.edu (Aaron Wise)
Date: Fri, 30 Jun 2006 15:21:12 -0400
Subject: [rancid] Re: svn commit fails during rancid-run
In-Reply-To: <20060630185553.GD17035@shrubbery.net>
References: <20060630180510.GA17035@shrubbery.net> <20060630185553.GD17035@shrubbery.net>
Message-ID: <76079D57-4A83-4863-8113-946EA91AD44C@osu.edu>

I removed the updates from rancid-cvs and control_rancid, and am
unable to reproduce the previous error-- commits are working fine,
and 'svn status' produces no output. Not sure how I was causing the
error earlier...

Thanks for your help John.

On Jun 30, 2006, at 2:55 PM, john heasley wrote:
> Are there errors from commits in your logs? The updates should not be
> necessary and if that is fixing the problem then something must be
> leaving your tree out of date. Try 'svn status' after rancid has run,
> it should produce no output.
>
> Fri, Jun 30, 2006 at 02:48:01PM -0400, Aaron Wise:
>> The entire repository is owned by the rancid user and group-- users
>> not in the rancid group don't even have read permissions. This
>> installation is not yet in production, so rancid is the only
>> application touching the repository.
>>
>>
>>
>> On Jun 30, 2006, at 2:05 PM, john heasley wrote:
>>> Someone or something must be mucking with your repository. I'd
>>> suggest
>>> that you change the ownership & permissions of the files and
>>> directories
>>> where your repository lies such that no other can alter them.

From georg.naggies at r-it.at Thu Jun 29 06:40:18 2006
From: georg.naggies at r-it.at (georg.naggies at r-it.at)
Date: Thu, 29 Jun 2006 08:40:18 +0200
Subject: [rancid] Huawei routers
Message-ID:

Anyone got Rancid to work with Huawei equipment and would care to share?

Regards,