[rancid] Re: F5 load balancer support

Mike Ashcraft mashcraft at omniture.com
Wed Aug 29 21:32:43 UTC 2007


Sam,
 
Glad you got it working.  
 
Your problem was that you inserted my patch manually and accidentally
made a syntax error.
 
In expect, you can not start a line with else, it has to be:
 
    } else {
 
If you have a chance to make this change and try it out, please let me
know.  
 
 
Mike

________________________________

From: Sam Munzani [mailto:smunzani at comcast.net] 
Sent: Wednesday, August 29, 2007 3:06 PM
To: Mike Ashcraft
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: F5 load balancer support


Mike,

Yes. The code was 4.x. I ended up hard coding the term with vt100. The
look gave me an error for some reason. Below is the code I added below
Cat1900 code.
When I added following code, I got error.
        -re "Terminal type\?"   {
                                if {[info exists env(TERM)]} {
                                        send "$env(TERM)\r"
                                        }
                                else {  
                                        send "vt100\r"
                                        }
                                }
########## error output ########
Terminal type? [xterm] invalid command name "else"
    while executing
"else {
                                        send "vt100\r"
                                        }"
    invoked from within
"expect -nobrace -re {(Connection refused|Secure connection [^
]+ refused)} {
            catch {close}; wait
            if !$progs {
                send_user "\nError: Connect..."
    invoked from within
"expect {
        -re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
            catch {close}; wait
            if !$progs {
                send_user "\nError: Connection..."
    (procedure "login" line 73)
    invoked from within
"login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype"
    ("foreach" body line 111)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

################################

So I hard coded to vt100 like below

        -re "Terminal type\?"   {
                                send "vt100\r"
                                }

and things are working fine.

Thanks,
Sam


	Sam,
	 
	What version is on your old boxes?  4.x?  I don't know how well f5rancid
	will work on BIG-IP 4.x as I do not have it to test.
	 
	That said, along with all disclaimers of fitness for any purpose or any
	liability for anything that might happen, I gave it a quick attempt.
	 
	Here is a diff for f5login that you can test.  This tries to send the
	TERM type from your environment and defaults to vt100 if it is not set.
	It replaces a chunk of Cisco related code that is not needed.
	 
	418,421c418,424
	<       -re "Enter Selection: " {
	<                                 # Catalyst 1900s have some
lame menu.  Enter
	<                                 # K to reach a command-line.
	<                                 send "K\r"
	---
	>       -re "Terminal type\?" {
	>                                 # v4.x asks for term type
	>                                   if {[info exists env(TERM)]}
{
	>                                       send "$env(TERM)\r"
	>                                 } else {
	>                                 send "vt100\r"
	>                                   }
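Review bot: On the `>` side the mailed hunk is line-wrapped after `if {[info exists env(TERM)]}`, which leaves the opening `{` on a line of its own. Tcl ends the `if` command at that newline, so the hunk will not apply with patch and does not parse if typed in as shown; resend it as an attachment or keep `if {[info exists env(TERM)]} {` on one line. If this branch runs inside a proc, `env` also has to be declared with `global env` (or written `::env(TERM)`), otherwise the test is always false and vt100 is always sent. The two `send` lines would read better with matching indentation.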
	
	If that does not work, adjust the regex to match the actual prompt and
	hardcode vt100 if necessary.  If that fails, send a screen capture of the
	normal login process and the results of an f5login for comparison.
	 
	Mike  
	
________________________________

	From: Sam Munzani [mailto:sam at munzani.com] 
	Sent: Wednesday, August 29, 2007 11:50 AM
	To: Mike Ashcraft
	Cc: Lance; rancid-discuss at shrubbery.net
	Subject: Re: [rancid] Re: F5 load balancer support
	
	
	Team,
	
	I am sorry to reopen this old thread but the question I have relates to
	this old thread.
	Attached 2 rancid login files work fine on newer F5 boxes. However on old
	boxes, it prompts for "term type" at the ssh login. I need to insert logic
	in the script to answer to this "term type" question. What's best way to
	handle it?
	
	Pass it as an argument like
	f5login -t vt100 device-name
	
	and then catch the variable and add necessary logic for the expect?
	
	Thanks,
	Sam
	

		I have been on vacation for the last couple of weeks or I would have
		posted this sooner and possibly saved some of you a bit of effort.
		 
		It sounds like Lance and Sam have put together a working f5rancid with
		basic functionality which Sam posted last night.  I have attached my
		f5rancid which I have been running for a few months.  Installation
		instructions are included as comments in the file.  This version uses
		clogin so that a separate f5login script is not required.
		 
		This version formats and processes the output to make it more usable.
		As far as what is captured, I based this on the F5 equivalent of a tech
		out.  It grabs a copy of all the configuration files, hardware
		configuration and software version as well as the timestamps and file
		sizes for SSL certs hosted on the device.  This facilitates rebuilding
		from scratch as quickly as possible if this is ever needed.
		 
		I was able to resolve the bug I mentioned yesterday by increasing the
		clogin timeout.  On a small number of devices it failed to process the
		last few commands when running from cron but always worked properly from
		the command line on all devices [making it difficult to track down].  I
		mention this because it may be an appropriate fix for other intermittent
		problems sometimes discussed on this list.
		 
		Any feedback is appreciated.  I hope to get f5 support added to future
		releases of rancid.
		 
		Thanks,
		 
		Mike
		 
		 

________________________________

		From: Sam Munzani [mailto:sam at munzani.com] 
		Sent: Monday, July 16, 2007 7:49 PM
		To: Lance
		Cc: Mike Ashcraft; rancid-discuss at shrubbery.net
		Subject: Re: [rancid] Re: F5 load balancer support
		
		
		Lance,
		
		Thanks a lot for all your help. Pretty much you did all the work while I
		watched what you are doing :-)..
		
		Attached are cleaned up files. In f5rancid file, I have left some basic
		functions (non platform specific) just in case we expand this script to
		do a lot more than just "b list" output. In rancid-fe, we defined a new
		device type "f5", f5login was copied from clogin and remarked some "term
		length" statements we don't need on F5.
		
		All 3 files are attached and working great. Please be aware, we are not
		parsing anything at all. All its doing is basic function of running
		"b list" command and capturing its output. As I expand more on this, I
		will be sure to share with the audience here.
		
		Again, thanks a lot for all your help today.
		
		Regards,
		Sam
		

			I have helped Sam get a working f5rancid which requires a f5login (only
			because it doesn't recognize the prompt with a space and exit, unless
			you enter a return before the exit). He is cleaning up all the unused
			functions and will post it.
			
			Once John H. sends out his script I will look at it and see how it
			differs from the one I did with Sam. I will even help Sam get it working
			for his setup. We will let you know when it is all working.
			
			-lance
			
			  

				-------- Original Message --------
				Subject: [rancid] Re: F5 load balancer support
				From: "Mike Ashcraft" <mashcraft at omniture.com>
				Date: Mon, July 16, 2007 11:48 am
				To: <sam at munzani.com>
				Cc: rancid-discuss at shrubbery.net
				
				Sam,
				 
				I have a working f5rancid that I have been using for a number of months
				now.   I have one minor bug related to tracking installed SSL certs
				which you probably don't care about.  Other than that, it works great.
				 
				I did encounter and solve all the problems you have been discussing on
				the list.
				 
				Let me know if you are interested in trying what I have.  I have tested
				it with Big-IP 9.1.2.
				 
				Mike
				
				________________________________
				
				From: rancid-discuss-bounces at shrubbery.net
				[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Sam Munzani
				Sent: Monday, July 16, 2007 10:58 AM
				To: smunzani at comcast.net
				Cc: rancid-discuss at shrubbery.net
				Subject: [rancid] Re: F5 load balancer support
				
				
				BTW, this is what I see in the log when I do rancid-run now. That means
				the f5rancid file (hacked copy of rancid) is still missing something.
				
				more nfl.20070716.114842
				starting: Mon Jul 16 11:48:42 CDT 2007
				
				
				
				Trying to get all of the configs.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 1.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 2.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 3.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 4.
				test-f5-01: End of run not found
				-bash: write: command not found
				
				cvs diff: Diffing .
				cvs diff: Diffing configs
				nfl.20070716.114842 71%starting: Mon Jul 16 11:48:42 CDT 2007
				
				
				
				Trying to get all of the configs.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 1.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 2.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 3.
				test-f5-01: End of run not found
				-bash: write: command not found
				=====================================
				Getting missed routers: round 4.
				test-f5-01: End of run not found
				-bash: write: command not found
				
				cvs diff: Diffing .
				cvs diff: Diffing configs
				cvs diff: cannot find configs/test-f5-01
				cvs commit: Examining .
				cvs commit: Examining configs
				cvs commit: Up-to-date check failed for `configs/test-f5-01'
				cvs [commit aborted]: correct above errors first!
				ls: test-f5-01: No such file or directory
				
				ending: Mon Jul 16 11:49:41 CDT 2007
				
				Thanks,
				Sam
				
				
					David,
					
					Thanks a lot for the tip. This worked well. Now f5login goes much more
					cleaner and the "root" doesn't get sent again. I still have other issues
					where rancid-run is backing up config properly but I am still
					troubleshooting it.
					
					Now here is a question. What does "bldshgalsjd" mean and how does it do
					this miracle?
					
					Thanks,
					Sam
					
						Thanks for this tip, turns out that this is also the reason the
						username gets entered at a prompt on the cisco IPS devices. Since it's
						using SSH and therefore doesn't need a username prompt, solution was
						to simply add in .cloginrc:
						
						add userprompt ids* bldshgalsjd  (<- something that won't get sent
						during login)
						
						Regards,
						
						David
						
						On 14/07/07, Lance <rancid at gheek.net> wrote:
						    
				
							Sam,
							
							Have you tried using telnet to login, if the f5 has it enabled.
							You may also want to set auto enable in your .cloginrc for this device
							as it looks to clogin as you are already in a cisco equivalent equal to
							enable since your prompt has a # sign in it.
							
							Looking at your next email along with this one it looks like you are
							already in a cisco equivalent of enable after you login. f5login seems
							to be sending your username of root as a command after you get connected
							because it sees this line "Last login: Fri Jul 13 14:38:03 2007 from
							172.24.100.12" and it matches on the word "Login". See below.
							
							"(Username|Login|login|user name):"? yes
							expect: set expect_out(0,string) "login:"
							expect: set expect_out(1,string) "login"
							expect: set expect_out(spawn_id) "exp4"
							expect: set expect_out(buffer) " \r\nLast login:"
							send: sending "root\r" to { exp4 }
							expect: continuing expect
							
							You are just using a Cisco login/parsing script so it expects prompts
							from a Cisco device and in this case you have a *nix SSH banner that
							gets interrupted. I know you can use RANCID to backup *nix systems. So
							it knows how to understand connecting to a *nix system. You might want
							to try this email thread which asks about backing up Linux configs.
							
							http://www.shrubbery.net/pipermail/rancid-discuss/2006-August/001649.html
							
							Or you could modify the existing f5login like so.
							
							I think you have to use the caret before the () to work. I haven't
							checked this as I am at home and not on a UNIX system right now. Sorry,
							too lazy to check it out right now. You might want to uncomment the line
							below 3. and comment out the line below 2. and see if that works. This
							is the only point in the code that I see it look for login in any line.
							If that doesn't work send me back the debug and I will see what I can
							do. I am sure some people that use expect more often than I can probably
							quickly tell you what to use as syntax there.
							
							# Figure out prompts
							set u_prompt [find userprompt $router]
							if { "$u_prompt" == "" } {
							    #1. ORIGINAL
							    #set u_prompt "^(Username|Login|login|user name):"
							    #2. Modified to read for a line beginning with
							    #   Username, Login, login, or user name.
							    set u_prompt "^(Username|Login|login|user name):"
							    #3. Modified to read for a line beginning with Login or login,
							    #   but I may be wrong
							    #set u_prompt "^(Username|^Login|^login|user name):"
							} else {
							    set u_prompt [join [lindex $u_prompt 0] ""]
							}
							
							Let me know if this works for you.
							
							-Lance
							
							      
				
								-------- Original Message --------
								Subject: Re: [rancid]  F5 load balancer support
								From: Sam Munzani <smunzani at comcast.net>
								Date: Fri, July 13, 2007 2:30 pm
								To: Lance <rancid at gheek.net>
								Cc: rancid-discuss at shrubbery.net
								
								Lance,
								
								F5 login works fine with a minor error.
								
								$ f5login test-f5-01
								test-f5-01
								spawn ssh -c 3des -x -l root test-f5-01
								Password:
								Last login: Fri Jul 13 14:26:28 2007 from 172.24.100.12
								root
								[root at test-f5-01:Active] config # root
								-bash: root: command not found
								[root at test-f5-01:Active] config #
								[root at test-f5-01:Active] config #
								[root at test-f5-01:Active] config #
								
								I don't know how to debug otherwise I would turn on debug too. If you
								can provide some hints on debug, I would appreciate it.
								
								Thanks,
								Sam
								
								What error(s) do you get when you try to run your f5rancid?
								
								Where does it fail if you debug your f5login?
								
								
								-lance
								
								
	

				
								-------- Original Message --------
								Subject: [rancid]  F5 load balancer support
								From: Sam Munzani <smunzani at comcast.net>
								Date: Fri, July 13, 2007 12:45 pm
								To: rancid-discuss at shrubbery.net
								
								Hi,
								
								Did anybody happened to hack one of Cisco scripts to support BigIP F5
								boxes? It should be pretty simple. All I want to do is login and type
								"b list" which is equivalent of "show run" on cisco.
								
								However for some reason things not working. All I did was copied clogin
								to f5login, copied rancid to f5rancid and added following to rancid-fe.
								
								elsif ($vendor =~ /^f5$/i) { exec('f5rancid', $router); }
								
								Then modified f5 rancid file and kept only one command in list of
								commands "b list".
								
								For some reason its not working. I can post my configs here if somebody
								like to see them.
								
								Thanks,
								Sam
					
	
	
________________________________


	_______________________________________________
	Rancid-discuss mailing list
	Rancid-discuss at shrubbery.net
	http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
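
The two expect points in this thread, the `} else {` form with a vt100 fallback and the username prompt pattern that matched `Last login:`, shown together as an added example. It is not code from rancid, clogin or f5login; the proc names, the stricter pattern and the TERM character check are assumptions made here, and it is plain Tcl so it runs under tclsh or expect without a device.

```tcl
# Added example: plain Tcl, not code from rancid, clogin or f5login.
# Proc names, the strict pattern and the TERM check are assumptions.

# Pattern quoted in the thread: matches "login:" anywhere in the buffer.
set loose {(Username|Login|login|user name):}
# Stricter variant: the word must start the buffer or a line, and only
# spaces may follow the colon, so banner text cannot satisfy it.
set strict {(^|[\r\n])(Username|Login|login|user name): *$}

# Answer for a "Terminal type?" prompt. Inside a proc the environment is
# reachable as ::env (or after "global env"); a bare env(TERM) refers to a
# local variable there. The value is checked before it goes to the device.
proc term_reply {} {
    if {[info exists ::env(TERM)]
            && [regexp {^[A-Za-z0-9._+-]+$} $::env(TERM)]} {
        return $::env(TERM)
    } else {
        # "else" must share a line with the closing brace of the "if" body.
        return "vt100"
    }
}

# Decide what a login script would send for a given receive buffer.
proc next_action {buffer userpat} {
    if {[regexp -- {Terminal type\? *(\[[^]]*\] *)?$} $buffer]} {
        return [list send [term_reply]]
    } elseif {[regexp -- $userpat $buffer]} {
        # "root" is the username seen in the thread's output.
        return [list send root]
    } else {
        return [list wait {}]
    }
}

# Constructed buffers, based on the output shown in the thread.
set samples [list \
    " \r\nLast login: Fri Jul 13 14:38:03 2007 from 172.24.100.12\r\n" \
    "\r\nlogin: " \
    "Terminal type? \[xterm\] "]

foreach buf $samples {
    puts [format "%-28s loose=%-12s strict=%s" \
        [string range [string trim $buf] 0 26] \
        [next_action $buf $loose] [next_action $buf $strict]]
}
```

Only the loose pattern answers the `Last login:` banner with the username, which is the stray `root` command seen at the shell prompt in the thread.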

