From Jeremy_Keys at memorial.org Sat Nov 1 13:56:10 2008
From: Jeremy_Keys at memorial.org (Keys, Jeremy)
Date: Sat, 1 Nov 2008 07:56:10 -0600
Subject: [rancid] Cisco ASA Backup with Preshared Keys
Message-ID: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net>

I use rancid to backup all of my configurations, including two Cisco ASA 5520's. The only problem I have run into is that when rancid backs up the configs on the ASA, the actual preshared keys are displayed as an asterisk (*) rather than the actual preshared key.

Is there a way to get rancid to backup the actual config file? I assume it's just doing a screen scrape (sh running-config) and capturing the output rather than copying the actual file. This is fine for most equipment, but if I have a failure on the ASA and needed to restore the config, I would have to re-enter all the preshared keys (not fun with several hundred tunnels).

Any help is greatly appreciated,

Jeremy Keys
jeremy_keys at memorial.org

This message and accompanying documents are covered by the Electronic Communications Privacy Act 18 U.S.C. "Sections 2510-2521," and contain information intended for the specified individual(s) only. This information is confidential. If you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, copying, or the taking of any action based on the contents of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.

From Todd at equivoice.com Sun Nov 2 03:40:51 2008
From: Todd at equivoice.com (Todd Heide)
Date: Sat, 1 Nov 2008 22:40:51 -0500
Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys
In-Reply-To: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net>
References: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net>
Message-ID: <082FEA82DC985B4F8A6B412D5AC4E220012E5AD6@exchange.Equivoice.local>

There is only one way to see the pre-share keys on an ASA.

    More system:running-config

Not sure how Rancid can do that, but if someone can set it up to issue that command, then you should be able to back up the VPN keys.

From dc at dwichandra.info Mon Nov 3 16:50:52 2008
From: dc at dwichandra.info (Dwi C Taniel)
Date: Mon, 03 Nov 2008 08:50:52 -0800
Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys
In-Reply-To: <082FEA82DC985B4F8A6B412D5AC4E220012E5AD6@exchange.Equivoice.local>
References: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net> <082FEA82DC985B4F8A6B412D5AC4E220012E5AD6@exchange.Equivoice.local>
Message-ID: <20081103085052.mm1dp6792c80goko@mail.dwichandra.info>

Hi all,

I had one incident where I had to back up the config while showing the pre-shared key in PIX/ASA (only <20 devices with <10 pairs of tunnels).

From what I remember, I commented out several lines in /usr/local/rancid/bin/rancid

One of the lines reads as follows (mine is at lines 1541 - 1543):

    if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
        ProcessHistory("","","","!$1 $'"); next;
    }

... and I think I also commented out several other line(s) but can't remember which one.

Now, if you commented out that line in rancid script, please bear the following point(s) in mind (CMIIW please):
- all devices using /usr/local/rancid/bin/rancid will have that particular keyword unmasked -> instead of *** will be the actual value. So this will apply to all devices marked as 'cisco' in router.db
- whoever can access /usr/local/rancid/var (or any location that was configured to store the rancid-run results) will be able to see the crypto/ISAKMP keys

I might have missed other line(s) to comment out either in /usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those who are more intimate with those scripts, please share it to the list.

Hope that helps ;)

P.S.: I no longer have access to PIX, so for those who still have that access, please give it a try and let me know ;)

Cheers,

Dwi

On 11/01/2008, Todd Heide wrote:
> There is only one way to see the pre-share keys on an ASA.
>
> More system:running-config
>
> Not sure how Rancid can do that, but if someone can set it up to issue
> that command, then you should be able to back up the VPN keys.

From dc at dwichandra.info Mon Nov 3 17:21:47 2008
From: dc at dwichandra.info (Dwi C Taniel)
Date: Mon, 03 Nov 2008 09:21:47 -0800
Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys
In-Reply-To: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net>
References: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net>
Message-ID: <20081103092147.gypav9bb4040kk4c@mail.dwichandra.info>

Anyway, just to add one safer approach on Jeremy's request:

Based on http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid#Initial_Rancid_Configuration

I'm quoting the paragraph:

    By default Rancid filters out passwords and SNMP community strings. You may want to set the FILTER_PWDS and NOCOMMSTR variables to "NO" to prevent this.

    #
    # Sample rancid.conf
    #
    LIST_OF_GROUPS="networking"
    FILTER_PWDS=NO; export FILTER_PWDS
    NOCOMMSTR=NO; export NOCOMMSTR

So, I think, what you need is only the FILTER_PWDS=NO; export FILTER_PWDS, without tampering with /usr/local/rancid/bin/rancid too much ;)

Hope that helps.

Cheers,

Dwi

From cgauthier at mapscu.com Mon Nov 3 17:43:28 2008
From: cgauthier at mapscu.com (Chris Gauthier)
Date: Mon, 3 Nov 2008 09:43:28 -0800
Subject: [rancid] code posting idea
Message-ID: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B118@mshin01.mapscu.com>

Here is one option for posting snippets of code that might help some people, especially if the lines are longer:

http://pastebin.com/

I've used it in the past and it works very nicely. Also, if we wanted to have a "list-specific" pastebin, then just go to http://rancid.pastebin.com/

By having a different list, it avoids all the "noise" of the very busy main pastebin site. More information about pastebin can be found at http://pastebin.com/pastebin.php?help=1.

Chris

From cgauthier at mapscu.com Mon Nov 3 17:53:25 2008
From: cgauthier at mapscu.com (Chris Gauthier)
Date: Mon, 3 Nov 2008 09:53:25 -0800
Subject: [rancid] Re: code posting idea
In-Reply-To: <8423e7bb0811030948v111495f4l275d989ef79f1f78@mail.gmail.com>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B118@mshin01.mapscu.com> <8423e7bb0811030948v111495f4l275d989ef79f1f78@mail.gmail.com>
Message-ID: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B155@mshin01.mapscu.com>

Lance,

You are right, it is not searchable, but this list is searchable, if we include links. The URLs are short, so it shouldn't be too bad. I do see value in searching, but, at the same time, I am glad it does not allow for it. I've posted code on there in the past while collaborating that I really was not too interested in sharing with a bunch of other people. Thus, I was happy that searching wasn't available.

The source code is open-source, so we could modify and create our own pastebin-type site or we could contribute to the pastebin project.

Chris

-----Original Message-----
From: Lance Vermilion [mailto:rancid at gheek.net]
Sent: Monday, November 03, 2008 9:49 AM
To: Chris Gauthier
Subject: Re: [rancid] code posting idea

The only issue I have with it is it is not searchable...as far as I can see. If it is please point it out.

From rancid at gheek.net Mon Nov 3 17:45:21 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Mon, 3 Nov 2008 10:45:21 -0700
Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys
In-Reply-To: <20081103085052.mm1dp6792c80goko@mail.dwichandra.info>
References: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net> <082FEA82DC985B4F8A6B412D5AC4E220012E5AD6@exchange.Equivoice.local> <20081103085052.mm1dp6792c80goko@mail.dwichandra.info>
Message-ID: <8423e7bb0811030945q1183bed1wf917fe575efdeddb@mail.gmail.com>

John,

Can we include this fix?

Jeremy et al.,

You could also simply just add the following before the other WriteTerm items in the commandtable inside of /bin/rancid so it would then get that info. The command would be attempted to be run on non ASA like devices but if the command is invalid (like the already existing logic) it will just continue down the list of commands. If it is successful running it will then mark it as found_end and no longer process the rest of the commands in "WriteTerm".

    {'more system:running-config' => 'WriteTerm'},

Dwi C Taniel,

Since the show running-config does NOT include the pre-shared-key RANCID would not replace it with . If you wanted to filter it out you would need to augment rancid by adding this below the isakmp removed line under the sub WriteTerm

    if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) {
        ProcessHistory("","","","!$1 $'"); next;
    }

Example

    tunnel-group xx.xx.xx.xx ipsec-attributes
     pre-shared-key *

Todd is correct with the more system:running-config

Here is a Cisco document backing up his comment.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

I have also found but not verified "Another way to get unencrypted keys is to go to the /admin/config page with a web browser. This works for 7.x and 8.x. On a Pix running 6.x, go to /config."

From rancid at gheek.net Mon Nov 3 18:25:28 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Mon, 3 Nov 2008 11:25:28 -0700
Subject: [rancid] Re: code posting idea
In-Reply-To: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B155@mshin01.mapscu.com>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B118@mshin01.mapscu.com> <8423e7bb0811030948v111495f4l275d989ef79f1f78@mail.gmail.com> <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B155@mshin01.mapscu.com>
Message-ID: <8423e7bb0811031025h28799427w51514b51a3bb4945@mail.gmail.com>

To me the concept of the mailing list is great since you read the topic and see the output of the discussion including any code changes needed. Splitting them up makes for a challenge if they don't set the pastebin to keep it forever and we are also dependent on the pastebin (no matter where it is) being around forever. I keep all my emails so I search for my stuff locally but once it goes to pastebin I am no longer able to see code snippets over time in my own local email box.

Great idea but those would be my complaints. Maybe if mailman had a plugin or something that would take the code snips and add them to the pastebin and then update the email with the link before sending out to the list. Now that would be awesome.

From bgmilne at staff.telkomsa.net Tue Nov 4 06:36:06 2008
From: bgmilne at staff.telkomsa.net (Buchan Milne)
Date: Tue, 4 Nov 2008 08:36:06 +0200
Subject: [rancid] Re: code posting idea
In-Reply-To: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B118@mshin01.mapscu.com>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812E7B118@mshin01.mapscu.com>
Message-ID: <200811040836.06676.bgmilne@staff.telkomsa.net>

On Monday 03 November 2008 19:43:28 Chris Gauthier wrote:
> Here is one option for posting snippets of code that might help some
> people, especially if the lines are longer:

Is there really a need to post code snippets?

If there is, and if upstream development has stalled (I don't follow this list that closely, but I can't see any evidence of development), wouldn't it make more sense to start a project on sourceforge, and import the released versions into CVS or subversion. Fixes could be made in the selected VCS (commit mails are possible), and patches could be posted on the tracker.

Code snippets really should not be the method end users should need to use to maintain the software (it's even worse than the Qmail situation with patches on patches on patches), regardless of the tool used to track them.

Regards,
Buchan

From dc at dwichandra.info Tue Nov 4 08:33:58 2008
From: dc at dwichandra.info (Dwi Chandra)
Date: Tue, 4 Nov 2008 00:33:58 -0800
Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys
In-Reply-To: <8423e7bb0811030945q1183bed1wf917fe575efdeddb@mail.gmail.com>
References: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net><082FEA82DC985B4F8A6B412D5AC4E220012E5AD6@exchange.Equivoice.local><20081103085052.mm1dp6792c80goko@mail.dwichandra.info> <8423e7bb0811030945q1183bed1wf917fe575efdeddb@mail.gmail.com>
Message-ID: <0D358781099D47CBBDEB6563259C7A57@LUCKY>

Thanks for your enlightenment and correction Lance :)

Turned out that I mixed up the changes that I did and the rancid script itself :P

Cheers,

Dwi

From heas at shrubbery.net Tue Nov 4 18:58:26 2008
From: heas at shrubbery.net (john heasley) Date: Tue, 4 Nov 2008 10:58:26 -0800 Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys In-Reply-To: <8423e7bb0811030945q1183bed1wf917fe575efdeddb@mail.gmail.com> References: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net> <082FEA82DC985B4F8A6B412D5AC4E220012E5AD6@exchange.Equivoice.local> <20081103085052.mm1dp6792c80goko@mail.dwichandra.info> <8423e7bb0811030945q1183bed1wf917fe575efdeddb@mail.gmail.com> Message-ID: <20081104185825.GA5051@shrubbery.net> Mon, Nov 03, 2008 at 10:45:21AM -0700, Lance Vermilion: > John, > > Can we include this fix? > > Jeremy et all, > > You could also simply just add the following before the other > WriteTerm items in the commandtable inside of /bin/rancid > so it would then get that info. The command would be attempted to be > ran on non ASA like devices but if the command is invalid (like the > already existing logic) it will just continue down the list of > commands. If it is successful running it will then mark it as > found_end and no longer process the rest of the commands in > "WriteTerm". > > {'more system:running-config' => 'WriteTerm'}, > > Dwi C Taniel, > > Since the show running-config does NOT include the pre-shared-key > RANCID would not replace it with . If you wanted to filter it > out you would need to augment rancid by adding this below the isakmp > removed line under the sub WriteTerm > > if (/^( pre-shared-key ).*/ && $filter_pwds >= 1) { > ProcessHistory("","","","!$1 $'"); next; > } Any others to be filtered, besides failover key? > Example > > tunnel-group xx.xx.xx.xx ipsec-attributes > pre-shared-key * > > Todd is correct with the more system:running-config > > Here is a Cisco document backing up his comment. > http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml > > I have also found but not verified "Another way to get unencrypted > keys is to go to the /admin/config page with a web browser. 
This works > for 7.x and 8.x. On a Pix running 6.x, go to /config." > > On Mon, Nov 3, 2008 at 9:50 AM, Dwi C Taniel wrote: > > Hi all, > > > > I had one incident that I have to backup the config while showing the > > pre-shared key in PIX/ASA. (only <20 devices with <10 pair of tunnels) > > > > To what I remember, I commented out several lines in > > /usr/local/rancid/bin/rancid > > > > One of the line read as follow: (mine is at line 1541 - 1543) > > if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) { > > ProcessHistory("","","","!$1 $'"); next; > > } > > > > ... and I think I also commented out several other line(s) but can't > > remember which one. > > > > Now, if you commented out that line in rancid script, please bear the > > following point(s) in mind (CMIIW please): > > - all devices using /usr/local/rancid/bin/rancid will have that > > particular keyword unmasked -> instead of *** will be the actual > > value. So this will apply to all devices marked as 'cisco' in router.db > > - whoever can access /usr/local/rancid/var (or any location that was > > configured to store the rancid-run results) will be able to see the > > crypto/ ISAKMP keys > > > > I might have missed other line(s) to comment out either in > > /usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those > > that is more intimate with those scripts, please share it to the list. > > > > Hope that helps ;) > > > > P.S.: I'm no longer have access to PIX anymore, so for those that > > still have those access, please give it a try and let me know ;) > > > > Cheers, > > > > Dwi > > > > > > On 11/01/2008, Todd Heide wrote: > > > >> There is only one way to see the pre-share keys on an ASA. > >> > >> > >> > >> More system:running-config > >> > >> > >> > >> Not sure how Rancid can do that, but if someone can set it up to issue > >> that command, then you should be able to back up the VPN keys. > >> 
From rancid at gheek.net Tue Nov 4 19:04:37 2008
From: rancid at gheek.net (Lance Vermilion) Date: Tue, 4 Nov 2008 12:04:37 -0700 Subject: [rancid] Re: Cisco ASA Backup with Preshared Keys In-Reply-To: <20081104185825.GA5051@shrubbery.net> References: <79B328604B4C6542A581859C64FAAC3E9F944E@chimsx04.CHI.catholichealth.net> <082FEA82DC985B4F8A6B412D5AC4E220012E5AD6@exchange.Equivoice.local> <20081103085052.mm1dp6792c80goko@mail.dwichandra.info> <8423e7bb0811030945q1183bed1wf917fe575efdeddb@mail.gmail.com> <20081104185825.GA5051@shrubbery.net> Message-ID: <8423e7bb0811041104r470b5058we6c16588cccb8e3d@mail.gmail.com> The VPN keys is the only one I know of. I didn't look at the failover keys. Great point. On Tue, Nov 4, 2008 at 11:58 AM, john heasley wrote: > Any others to be filtered, besides failover key? From heas at shrubbery.net Wed Nov 5 08:45:23 2008
From: heas at shrubbery.net (john heasley) Date: Wed, 5 Nov 2008 08:45:23 +0000 Subject: [rancid] Re: nslogin netscaler V8 In-Reply-To: <0E1ADE61-4645-4EE4-AFC0-7B5844DDCC94@schirrmeister.net> References: <0E1ADE61-4645-4EE4-AFC0-7B5844DDCC94@schirrmeister.net> Message-ID: <20081105084523.GT1729@shrubbery.net> Thu, Oct 30, 2008 at 04:14:44AM +0100, Marco Schirrmeister: > > On Tuesday 14 October 2008 22:40:00 Zod Mansour wrote: > > Does anyone have a working nslogin for netscaler Version 8? > > > I noticed the same issue with a NetScaler V8 firmware. It just didn't > logged in and stopped at the password prompt. > I guess the NetScaler files that included in upstream at the moment > are very old. I think below version 5, but I don't know. > > I modified the nslogin and nsrancid scripts that they match with the > prompt and the commands on a NetScaler with version 8.x firmware. > Maybe we can include more commands. Right now it only runs "show ns > ns.conf". > > You can find my patches and a new RPM package here. > http://people.ogilvy.de/~mschirrmeister/linux/rancid/ I don't know anything about netscaler, but your changes appear as if they'd break previous versions. Why should that support be dropped? is pre-8 completely passe? Has the prompt changed? Matching just '>' is usually a bad idea. From peter.serwe at gmail.com Wed Nov 5 20:43:35 2008
From: peter.serwe at gmail.com (Peter Serwe) Date: Wed, 5 Nov 2008 12:43:35 -0800 Subject: [rancid] $host: found unexpected command - Message-ID: So, I wanted to add a command to rancid. I added it into the @commandtable. Is there somewhere else it needs to go? Reading through ~/bin/rancid and greps through the ~/bin/ directory didn't seem to point me in the right direction. Peter From rancid at gheek.net Thu Nov 6 15:37:52 2008
From: rancid at gheek.net (Lance Vermilion) Date: Thu, 6 Nov 2008 08:37:52 -0700 Subject: [rancid] Re: $host: found unexpected command - In-Reply-To: References: Message-ID: <8423e7bb0811060737o5e7aab94y7ae5c3c3bb6bbc76@mail.gmail.com> Peter, Just add them to the commandtable and the sub routine you choose needs to be able to handle that command's output so it will get recorded correctly and put in the sub of ProcessHistory. -Lance 2008/11/5 Peter Serwe : > So, I wanted to add a command to rancid. > > I added it into the @commandtable. Is there somewhere else it needs to go? > > Reading through ~/bin/rancid and greps through the ~/bin/ directory > didn't seem to point me in the right direction. > > Peter From peter.serwe at gmail.com Sat Nov 8 00:48:02 2008
From: peter.serwe at gmail.com (Peter Serwe) Date: Fri, 7 Nov 2008 16:48:02 -0800 Subject: [rancid] Re: using RANCID for mass configuration changes In-Reply-To: <986544234AB0A44BADE40DF502E2012A014C4E19@SPBMAIL.spb.sovintel.net> References: <986544234AB0A44BADE40DF502E2012A014C4E0F@SPBMAIL.spb.sovintel.net> <20080916163228.GB29476@monkey.local> <986544234AB0A44BADE40DF502E2012A014C4E19@SPBMAIL.spb.sovintel.net> Message-ID: Wow.. I must say that script is far less dirty than the script I did which just has me set the group (rancid-group) of routers, and then push changes out via command files tailored to the group of routers (group actually being roughly equivalent to manufacturer and type). I used the script to quickly demo that functionality at a presentation I gave on RANCID last night.. Peter On Tue, Sep 16, 2008 at 10:19 PM, Smirnoff Alexander wrote: > Thanx a lot ! ;) > > -----Original Message----- 
> From: Daniel Medina [mailto:daniel.medina at gmail.com]
> Sent: Tuesday, September 16, 2008 8:32 PM
> To: Smirnoff Alexander
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] using RANCID for mass configuration changes
>
> On Tue, Sep 16, 2008 at 10:29:03AM +0400, Smirnoff Alexander wrote:
>> I want to use RANCID for mass configuration changing on routers, like
>> set snmp or syslog server address.
>>
>> What best place in RANCID scripts for this commands ?
>
> You could just use clogin.
>
> As a one-liner:
>
> $ clogin -c 'conf t; snmp-server host 1.1.1.1 public; end; wr mem' router1 router2 router3
>
> Or put the commands in a file:
>
> $ cat /tmp/commands
> conf t
> snmp-server host 1.1.1.1 public
> end
> wr mem
>
> $ clogin -x /tmp/commands route1 router2 router3
>
> Caveats apply (beware of commands which may prompt you back, for
> example).
>
> --
> Dan

From peter.serwe at gmail.com Sat Nov 8 00:54:01 2008
From: peter.serwe at gmail.com (Peter Serwe) Date: Fri, 7 Nov 2008 16:54:01 -0800 Subject: [rancid] Presentation on RANCID at my local UUG Message-ID: I gave a presentation on RANCID, and how to deploy it and use it on a CentOS system to my local Unix User's group. I don't know if it's of interest or not, and I make no claims about the quality of the material, presentation, or video, but I have 2 hours of video, and powerpoint slides if anyone's interested. Also, it was alleged during the presentation that Ubuntu does not suffer from the problems alleged to exist on Linux in general with expect, and hence, the need to build expect from patched source may not exist for Ubuntu. I felt it worth mentioning for possible inclusion in the README after verification. It is even perhaps possible that all versions of Debian do not suffer from this problem, but I can't make that claim as I do not use or have an installation of Ubuntu or anything else Debian. Peter From nick.hasser at gmail.com Sat Nov 8 00:05:47 2008
From: nick.hasser at gmail.com (Nick Hasser) Date: Fri, 07 Nov 2008 19:05:47 -0500 Subject: [rancid] support for dd-wrt? Message-ID: <4914D7DB.5000301@gmail.com> Has anyone expressed interest in having support or started working on support for dd-wrt? Nick From babydr at baby-dragons.com Sat Nov 8 20:09:04 2008
From: babydr at baby-dragons.com (Mr. James W. Laferriere) Date: Sat, 8 Nov 2008 11:09:04 -0900 (AKST) Subject: [rancid] Re: Presentation on RANCID at my local UUG In-Reply-To: References: Message-ID: Hello Peter , On Fri, 7 Nov 2008, Peter Serwe wrote: > I gave a presentation on RANCID, and how to deploy it and use it on a > CentOS system to my > local Unix User's group. > > I don't know if it's of interest or not, and I make no claims about > the quality of the material, > presentation, or video, but I have 2 hours of video, and powerpoint > slides if anyone's interested. > > Also, it was alleged during the presentation that Ubuntu does not > suffer from the problems alleged > to exist on Linux in general with expect, and hence, the need to build > expect from patched source > may not exist for Ubuntu. I felt it worth mentioning for possible > inclusion in the README after > verification. It is even perhaps possible that all versions of Debian > do not suffer from this problem, > but I can't make that claim as I do not use or have an installation of > Ubuntu or anything else Debian. > > Peter Might there be a URL: of where to view them ? Tia , JimL -- +------------------------------------------------------------------+ | James W. Laferriere | System Techniques | Give me VMS | | Network&System Engineer | 2133 McCullam Ave | Give me Linux | | babydr at baby-dragons.com | Fairbanks, AK. 99701 | only on AXP | +------------------------------------------------------------------+ From cgauthier at mapscu.com Mon Nov 10 05:08:38 2008
From: cgauthier at mapscu.com (Chris Gauthier) Date: Sun, 9 Nov 2008 21:08:38 -0800 Subject: [rancid] Re: Presentation on RANCID at my local UUG References: Message-ID: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> I tackled the Ubuntu issue earlier this summer with v8.04 LTS Server. Here is a link to my previous posts: http://www.shrubbery.net/pipermail/rancid-discuss/2008-August/003246.html Chris -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081109/5d8f8d48/attachment.html From Atif.SIDDIQUI at HydroOne.com Mon Nov 10 20:48:59 2008
From: Atif.SIDDIQUI at HydroOne.com (Atif.SIDDIQUI at HydroOne.com) Date: Mon, 10 Nov 2008 15:48:59 -0500 Subject: [rancid] Netscreen: nlogin file 'set console page 0' In-Reply-To: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> Message-ID: <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com>

Hi,

The netscreen login script sets the 'console page to 0' to get the config snapshot at once, but this command is not removed when it exits the box. Can anyone help changing it? Although it is saying that do not save the config; but still config is not removed.

Which files are used for Netscreens: nlogin nrancid nrancid.back nslogin nsrancid

Appreciate your help.

Here is the portion of config:

nlogin

    set in_proc 1
    send "set console page 0\r"
    expect $prompt {}

    # Is this a multi-command?
    if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        for {set i 0} {$i < $num_commands} { incr i} {
            send "[subst [lindex $commands $i]]\r"
            expect {
                -re "$prompt" {}
            }
        }
    } else {
        send "[subst $command]\r"
        expect {
            -re "$prompt" {}
        }
    }
    send "exit\r"
    expect {
        "\n" { exp_continue }
        -re "$prompt" { send "exit\r"
                        exp_continue }
        -re "Configuration modified, save?" { send "n\r"
                        exp_continue }
        timeout { return 0 }
        eof { return 0 }
    }
    set in_proc 0
}

-------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081110/20191d7f/attachment.html
From heas at shrubbery.net Mon Nov 10 23:49:28 2008
From: heas at shrubbery.net (john heasley) Date: Mon, 10 Nov 2008 15:49:28 -0800 Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0' In-Reply-To: <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> Message-ID: <20081110234928.GD4042@shrubbery.net> Mon, Nov 10, 2008 at 03:48:59PM -0500, Atif.SIDDIQUI at HydroOne.com: > Hi, > > > > The netscreen login script sets the 'console page to 0' to get the > config snapshot at once, but this command is not removed when it exists > the box. Can anyone help changing it? Although it is saying that do not > save the config; but still config is not removed. isn't the terminal length negotiated by telnet/ssh when you connect? From smurphy at calarts.edu Tue Nov 11 01:11:49 2008 From: smurphy at calarts.edu (Sean Murphy) Date: Mon, 10 Nov 2008 17:11:49 -0800 Subject: [rancid] RANCID Debug Mode Message-ID: <4918DBD5.4050300@calarts.edu> I am trying to see the entire RANCID process from beginning to end first with clogin and having it login run the config portion and finally logout. I have tried /usr/local/libexec/rancid/clogin 10.0.0.1 This just shows the login portion. Is there a way to see everything? Thanks. From Atif.SIDDIQUI at HydroOne.com Tue Nov 11 01:20:04 2008 
From: Atif.SIDDIQUI at HydroOne.com (Atif.SIDDIQUI at HydroOne.com) Date: Mon, 10 Nov 2008 20:20:04 -0500 Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0' In-Reply-To: <20081110234928.GD4042@shrubbery.net> References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> <20081110234928.GD4042@shrubbery.net> Message-ID: <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com> Not sure about that. I see in the script 'nlogin' that it is setting it to zero, which is causing issue for us as get commands keep scrolling. When techs login to the FW for troubleshooting. Anyone using netscreen experienced this issue? -----Original Message----- From: john heasley [mailto:heas at shrubbery.net] Sent: Monday, November 10, 2008 6:49 PM To: SIDDIQUI Atif Cc: rancid-discuss at shrubbery.net Subject: Re: [rancid] Netscreen: nlogin file 'set console page 0' Mon, Nov 10, 2008 at 03:48:59PM -0500, Atif.SIDDIQUI at HydroOne.com: > Hi, > > > > The netscreen login script sets the 'console page to 0' to get the > config snapshot at once, but this command is not removed when it exists > the box. Can anyone help changing it? Although it is saying that do not > save the config; but still config is not removed. isn't the terminal length negotiated by telnet/ssh when you connect? From rancid at gheek.net Tue Nov 11 15:38:12 2008
From: rancid at gheek.net (Lance Vermilion) Date: Tue, 11 Nov 2008 08:38:12 -0700 Subject: [rancid] Re: RANCID Debug Mode In-Reply-To: <4918DBD5.4050300@calarts.edu> References: <4918DBD5.4050300@calarts.edu> Message-ID: <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> Sean, clogin is purely the login script. You must run "rancid -d " to see what you are looking for. -Lance On Mon, Nov 10, 2008 at 6:11 PM, Sean Murphy wrote: > I am trying to see the entire RANCID process from beginning to end first > with clogin and having it login run the config portion and finally logout. > > I have tried /usr/local/libexec/rancid/clogin 10.0.0.1 > > This just shows the login portion. Is there a way to see everything? > > Thanks. From smurphy at calarts.edu Tue Nov 11 16:57:32 2008 From: smurphy at calarts.edu (Sean Murphy) Date: Tue, 11 Nov 2008 08:57:32 -0800 Subject: [rancid] Re: RANCID Debug Mode In-Reply-To: <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> Message-ID: <4919B97C.4020205@calarts.edu> An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081111/af07fe64/attachment.html From mashcraft at omniture.com Tue Nov 11 17:33:02 2008 From: mashcraft at omniture.com (Mike Ashcraft) Date: Tue, 11 Nov 2008 10:33:02 -0700 Subject: [rancid] Re: RANCID Debug Mode In-Reply-To: <4919B97C.4020205@calarts.edu> References: <4918DBD5.4050300@calarts.edu><8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> Message-ID: <45EB285310B55542A513F93230F0A533082541F7@EXCHANGE0.orm.omniture.com> Sean, You need to run this in the same environment that rancid runs in. Ideally as the same user. Mike
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Sean Murphy Sent: Tuesday, November 11, 2008 9:58 AM To: Lance Vermilion Cc: rancid-discuss at shrubbery.net Subject: [rancid] Re: RANCID Debug Mode OK I ran the command and received the following output. I thought I could see it in real time like clogin unless this is an error. I noticed that it said clogin not found but I can run that by itself and its fine. raphael# ./rancid -d 10.0.0.1 executing clogin -t 90 -c"admin show version;show version;show redundancy secondary;show idprom backplane;show install active;admin show env all;show env all;show rsp chassis-info;show gsr chassis;show diag chassis-info;show boot;show bootvar;admin show variables boot;show variables boot;show flash;dir /all nvram:;dir /all bootflash:;dir /all slot0:;dir /all disk0:;dir /all slot1:;dir /all disk1:;dir /all slot2:;dir /all disk2:;dir /all harddisk:;dir /all harddiska:;dir /all harddiskb:;dir /all sup-bootflash:;dir /all sup-microcode:;dir /all slavenvram:;dir /all slavebootflash:;dir /all slaveslot0:;dir /all slavedisk0:;dir /all slaveslot1:;dir /all slavedisk1:;dir /all slaveslot2:;dir /all slavedisk2:;dir /all slavesup-bootflash:;dir /all sec-nvram:;dir /all sec-bootflash:;dir /all sec-slot0:;dir /all sec-disk0:;dir /all sec-slot1:;dir /all sec-disk1:;dir /all sec-slot2:;dir /all sec-disk2:;show controllers;show controllers cbus;show diagbus;admin show diag;show diag;show module;show spe version;show c7200;show inventory raw;show vtp status;show vlan;show vlan-switch;show debug;show running-config;write term" 10.0.0.1 clogin: not found 10.0.0.1: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir 
/all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show boot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idprom backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1: 10.0.0.1: missed cmd(s): admin show diag,dir /all slavedisk2:,show rsp chassis-info,dir /all sec-slot2:,show diag,dir /all disk1:,show gsr chassis,dir /all sec-nvram:,show diag chassis-info,dir /all disk2:,dir /all sec-bootflash:,show spe version,dir /all slaveslot2:,dir /all disk0:,show install active,show bootvar,dir /all slaveslot0:,dir /all sec-slot1:,dir /all harddiska:,dir /all slavenvram:,show flash,dir /all sec-disk2:,dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all harddiskb:,show variables boot,show boot,show inventory raw,dir /all slavedisk1:,show env all,show module,admin show env all,show controllers,admin show version,show diagbus,dir /all slavedisk0:,show debug,show idprom backplane,dir /all bootflash:,dir /all sec-slot0:,dir /all sec-disk1:,write term,show vtp status,dir /all sup-bootflash:,dir /all slot2:,dir /all harddisk:,dir /all slot0:,dir /all sup-microcode:,show vlan,dir /all slavebootflash:,show controllers cbus,dir /all slaveslot1:,dir /all nvram:,show version,show vlan-switch,admin show variables boot,show redundancy secondary,show running-config,show c7200,dir /all slot1: 10.0.0.1: End of run not found 10.0.0.1: End of run not found ! 
raphael# Lance Vermilion wrote: Sean, clogin is purely the login script. You must run "rancid -d " to see what you are looking for. -Lance On Mon, Nov 10, 2008 at 6:11 PM, Sean Murphy wrote: I am trying to see the entire RANCID process from beginning to end first with clogin and having it login run the config portion and finally logout. I have tried /usr/local/libexec/rancid/clogin 10.0.0.1 This just shows the login portion. Is there a way to see everything? Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081111/a28f85c5/attachment.html From smurphy at calarts.edu Tue Nov 11 18:18:28 2008 From: smurphy at calarts.edu (Sean Murphy) Date: Tue, 11 Nov 2008 10:18:28 -0800 Subject: [rancid] Re: RANCID Debug Mode In-Reply-To: <45EB285310B55542A513F93230F0A533082541F7@EXCHANGE0.orm.omniture.com> References: <4918DBD5.4050300@calarts.edu><8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <45EB285310B55542A513F93230F0A533082541F7@EXCHANGE0.orm.omniture.com> Message-ID: <4919CC74.2090300@calarts.edu> An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081111/c0150e66/attachment.html From smurphy at calarts.edu Tue Nov 11 18:27:37 2008
From: smurphy at calarts.edu (Sean Murphy)
Date: Tue, 11 Nov 2008 10:27:37 -0800
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To: <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com>
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com>
Message-ID: <4919CE99.7000301@calarts.edu>

It looks like they're all in the same directory and rancid script does not show a path to clogin

raphael# grep clogin rancid
$timeo = 90; # clogin timeout in seconds
print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
system "clogin -t $timeo -c \"$cisco_cmds\" $host $host.raw 2>&1" || die "clogin failed for $host: $!\n";
open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n";
open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host

> verify in your rancid script the location of clogin. (grep clogin
> /usr/local/libexec/rancid/bin/rancid).
>
> Your rancid stuff should be located in the bin directory inside of
> your rancid directory. Like so.
>
> /usr/local/libexec/rancid/bin/clogin
>
> you mentioned the following as your location to clogin
>
> /usr/local/libexec/rancid/clogin
>
> On Tue, Nov 11, 2008 at 9:57 AM, Sean Murphy wrote:
>
>> OK I ran the command and received the following output. I thought I could
>> see it in real time like clogin unless this is an error. I noticed that it
>> said clogin not found but I can run that by itself and it's fine.

From heas at shrubbery.net Tue Nov 11 19:29:49 2008
From: heas at shrubbery.net (john heasley)
Date: Tue, 11 Nov 2008 11:29:49 -0800
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To: <4919CE99.7000301@calarts.edu>
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com> <4919CE99.7000301@calarts.edu>
Message-ID: <20081111192949.GB6869@shrubbery.net>

Tue, Nov 11, 2008 at 10:27:37AM -0800, Sean Murphy:
> It looks like they're all in the same directory and rancid script does not
> show a path to clogin
>

it inherits PATH from the shell.

From rancid at gheek.net Tue Nov 11 18:36:00 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Tue, 11 Nov 2008 11:36:00 -0700
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To: <4919CE99.7000301@calarts.edu>
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com> <4919CE99.7000301@calarts.edu>
Message-ID: <8423e7bb0811111036y4d6b20cdu8016c0e79d7d76e7@mail.gmail.com>

Sean,

Try this. I am guessing you are not in the same directory as the rancid script which means it will look in the directory which you are executing it from to find the clogin script.

cd /usr/local/libexec/rancid/
./rancid -d

On Tue, Nov 11, 2008 at 11:27 AM, Sean Murphy wrote:
> It looks like they're all in the same directory and rancid script does not
> show a path to clogin
>
> raphael# grep clogin rancid
> $timeo = 90; # clogin timeout in seconds
> print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if
> ($debug);
> print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if
> ($log);
> system "clogin -t $timeo -c \"$cisco_cmds\" $host > $host.raw 2>&1" || die "clogin failed for $host: $!\n";
> open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n";
> open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host || die "clogin failed for $host: $!\n";
> print STDOUT ("$host clogin error: $_");
> print STDERR ("$host clogin error: $_") if ($debug);
> raphael#
>
>
> raphael# ls -la /usr/local/libexec/rancid
> total 698
> drwxr-xr-x 2 root wheel 1024 Nov 11 10:23 .
> drwxr-xr-x 3 root wheel 512 Nov 10 18:08 ..
> -r-xr-xr-x 1 root wheel 14384 Nov 10 18:08 agmrancid
> -r-xr-xr-x 1 root wheel 14160 Nov 10 18:08 alogin
> -r-xr-xr-x 1 root wheel 8479 Nov 10 18:08 arancid
> -r-xr-xr-x 1 root wheel 17228 Nov 10 18:08 blogin
> -r-xr-xr-x 1 root wheel 8180 Nov 10 18:08 brancid
> -r-xr-xr-x 1 root wheel 35477 Nov 10 18:08 cat5rancid
> -r-xr-xr-x 1 root wheel 24635 Nov 10 18:08 clogin
> -r-xr-xr-x 1 root wheel 12451 Nov 10 18:08 control_rancid
> -r-xr-xr-x 1 root wheel 21290 Nov 10 18:08 cssrancid
> -r-xr-xr-x 1 root wheel 13129 Nov 10 18:08 elogin
> -r-xr-xr-x 1 root wheel 8682 Nov 10 18:08 erancid
> -r-xr-xr-x 1 root wheel 37646 Nov 10 18:08 f10rancid
> -r-xr-xr-x 1 root wheel 18172 Nov 10 18:08 flogin
> -r-xr-xr-x 1 root wheel 7711 Nov 10 18:08 fnrancid
> -r-xr-xr-x 1 root wheel 12978 Nov 10 18:08 francid
> -r-xr-xr-x 1 root wheel 20345 Nov 10 18:08 hlogin
> -r-xr-xr-x 1 root wheel 12220 Nov 10 18:08 hpuifilter
> -r-xr-xr-x 1 root wheel 16049 Nov 10 18:08 hrancid
> -r-xr-xr-x 1 root wheel 13010 Nov 10 18:08 htlogin
> -r-xr-xr-x 1 root wheel 7446 Nov 10 18:08 htrancid
> -r-xr-xr-x 1 root wheel 18507 Nov 10 18:08 jerancid
> -r-xr-xr-x 1 root wheel 14735 Nov 10 18:08 jlogin
> -r-xr-xr-x 1 root wheel 20228 Nov 10 18:08 jrancid
> -r-xr-xr-x 1 root wheel 23076 Nov 10 18:08 lg.cgi
> -r-xr-xr-x 1 root wheel 6384 Nov 10 18:08 lgform.cgi
> -r-xr-xr-x 1 root wheel 11870 Nov 10 18:08 mrancid
> -r-xr-xr-x 1 root wheel 14588 Nov 10 18:08 nlogin
> -r-xr-xr-x 1 root wheel 9676 Nov 10 18:08 nrancid
> -r-xr-xr-x 1 root wheel 20307 Nov 10 18:08 nslogin
> -r-xr-xr-x 1 root wheel 8538 Nov 10 18:08 nsrancid
> -r-xr-xr-x 1 root wheel 4609 Nov 10 18:08 par
> -r-xr-xr-x 1 root wheel 16956 Nov 10 18:08 prancid
> -r-xr-xr-x 1 root wheel 59970 Nov 10 18:08 rancid
> -r-xr-xr-x 1 root wheel 2954 Nov 10 18:08 rancid-cvs
> -r-xr-xr-x 1 root wheel 1995 Nov 10 18:08 rancid-fe
> -r-xr-xr-x 1 root wheel 3452 Nov 10 18:08 rancid-run
> -r-xr-xr-x 1 root wheel 23562 Nov 10 18:08 rivlogin
> -r-xr-xr-x 1 root wheel 9098 Nov 10 18:08 rivrancid
> -r-xr-xr-x 1 root wheel 11416 Nov 10 18:08 rrancid
> -r-xr-xr-x 1 root wheel 10566 Nov 10 18:08 srancid
> -r-xr-xr-x 1 root wheel 14220 Nov 10 18:08 tntlogin
> -r-xr-xr-x 1 root wheel 8084 Nov 10 18:08 tntrancid
> -r-xr-xr-x 1 root wheel 14819 Nov 10 18:08 xrancid
> -r-xr-xr-x 1 root wheel 11930 Nov 10 18:08 zrancid
> raphael#
>
>
>
> Lance Vermilion wrote:
>>
>> verify in your rancid script the location of clogin. (grep clogin
>> /usr/local/libexec/rancid/bin/rancid).
>>
>> Your rancid stuff should be located in the bin directory inside of
>> your rancid directory. Like so.
>>
>> /usr/local/libexec/rancid/bin/clogin
>>
>> you mentioned the following as your location to clogin
>>
>> /usr/local/libexec/rancid/clogin
>>
>> On Tue, Nov 11, 2008 at 9:57 AM, Sean Murphy wrote:
>>
>>>
>>> OK I ran the command and received the following output. I thought I
>>> could
>>> see it in real time like clogin unless this is an error. I noticed that
>>> it
>>> said clogin not found but I can run that by itself and it's fine.

From smurphy at calarts.edu Tue Nov 11 21:02:04 2008
From: smurphy at calarts.edu (Sean Murphy)
Date: Tue, 11 Nov 2008 13:02:04 -0800
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To: <20081111192949.GB6869@shrubbery.net>
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com> <4919CE99.7000301@calarts.edu> <20081111192949.GB6869@shrubbery.net>
Message-ID: <4919F2CC.8040605@calarts.edu>

An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081111/7b25d7c2/attachment.html

From heas at shrubbery.net Tue Nov 11 21:11:31 2008
From: heas at shrubbery.net (john heasley)
Date: Tue, 11 Nov 2008 13:11:31 -0800
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To: <4919F2CC.8040605@calarts.edu>
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com> <4919CE99.7000301@calarts.edu> <20081111192949.GB6869@shrubbery.net> <4919F2CC.8040605@calarts.edu>
Message-ID: <20081111211131.GJ6869@shrubbery.net>

Tue, Nov 11, 2008 at 01:02:04PM -0800, Sean Murphy:
> That's what I needed! Changing root's path worked!
>
> I have errors on the bottom of the script "10.0.0.1: End of run not
> found" has anyone seen this before?
>
> raphael# set path = ($path /usr/local/rancid/bin)

this happens when the doesn't have permissions to read the config, the config is truncated due to memory limitation or premature disconnect, the wrong device type is used in router.db, or something in the config confuses the script and it misses the end marker. i'd guess one of the first 3 causes.

please stop sending html mail.

From jethro.binks at strath.ac.uk Tue Nov 11 21:29:30 2008
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Tue, 11 Nov 2008 21:29:30 +0000 (GMT)
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To: <4919F2CC.8040605@calarts.edu>
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com> <4919CE99.7000301@calarts.edu> <20081111192949.GB6869@shrubbery.net> <4919F2CC.8040605@calarts.edu>
Message-ID:

On Tue, 11 Nov 2008, Sean Murphy wrote:

> That's what I needed! Changing root's path worked!
>
> I have errors on the bottom of the script "10.0.0.1: End of run not
> found" has anyone seen this before?

The error is very often discussed on the list; see John's reply for more details.

For reference, when I need to see the detail of what is really going on, I do the following (the rancid programs are not in my usual path):

  env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename

which will produce devicename.raw and devicename.new files in the current directory which can be examined along with the chatty output.

From time to time I have also done:

  cd /usr/local/libexec/rancid
  expect -d ./clogin -c 'show config' devicename

to get debugging data out of expect.

Jethro.

--
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From rancid at gheek.net Tue Nov 11 21:15:05 2008
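
Added example (not part of any message in this thread, and not RANCID code): a small sh helper that sorts `rancid -d` output into the two situations seen above, the login script not being found through PATH versus the commands running but the end marker never being seen. The function names, verdict strings and the shortened sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for `rancid -d` debug output. Not part of RANCID.
# Function names, verdict strings and sample transcripts are constructed.

# Print the file that a bare login-script name (e.g. clogin) resolves to
# through PATH. rancid starts the login script by bare name, so this is the
# program that would actually be run. Returns non-zero if nothing resolves.
resolve_login_script() {
    command -v "$1" 2>/dev/null
}

# Read `rancid -d` output on stdin and print a one-line summary:
#   verdict=<v> hit=<commands reached> missed=<commands missed> last=<last command reached>
# Verdicts:
#   login-script-not-on-path  the shell reported "<x>login: not found"
#   no-commands-ran           no end marker and no command was ever reached
#   ran-but-no-end-marker     commands were reached but the end marker was not
#                             (the causes listed in the thread: read permission,
#                             truncated config, wrong type in router.db, or a
#                             config that confuses the parser)
#   ok                        none of the above
triage_rancid_debug() {
    awk '
        /login: not found/ { path_err = 1 }
        /: missed cmd\(s\): / {
            # rancid prints this line twice; count the first one only
            if (!missed) {
                list = $0
                sub(/^.*: missed cmd\(s\): /, "", list)
                missed = split(list, cmds, ",")
            }
        }
        /^HIT COMMAND:/ {
            hits++
            last = $0
            sub(/^HIT COMMAND:[^#]*#/, "", last)   # drop "HIT COMMAND:<prompt>#"
        }
        /: End of run not found/ { no_end = 1 }
        END {
            if (path_err)                v = "login-script-not-on-path"
            else if (no_end && hits < 1) v = "no-commands-ran"
            else if (no_end)             v = "ran-but-no-end-marker"
            else                         v = "ok"
            printf "verdict=%s hit=%d missed=%d last=%s\n", v, hits, missed, last
        }
    '
}

# Constructed sample: shape of the first run in the thread (clogin not found),
# with the command list cut down to three commands.
sample_path_failure() {
    cat <<'EOF'
executing clogin -t 90 -c"show version;show running-config;write term" 10.0.0.1
clogin: not found
10.0.0.1: missed cmd(s): show version,show running-config,write term
10.0.0.1: missed cmd(s): show version,show running-config,write term
10.0.0.1: End of run not found
10.0.0.1: End of run not found
EOF
}

# Constructed sample: shape of the second run (every command reached, but the
# end-of-config marker never seen), again cut down to three commands.
sample_no_end_marker() {
    cat <<'EOF'
executing clogin -t 90 -c"show version;show running-config;write term" 10.0.0.1
PROMPT MATCH: E200C-S50#
HIT COMMAND:E200C-S50#show version
In ShowVersion: E200C-S50#show version
HIT COMMAND:E200C-S50#show running-config
In WriteTerm: E200C-S50#show running-config
HIT COMMAND:E200C-S50#write term
In WriteTerm: E200C-S50#write term
10.0.0.1: End of run not found
10.0.0.1: End of run not found
EOF
}

# Demo on the constructed samples when run as: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_path_failure | triage_rancid_debug
    sample_no_end_marker | triage_rancid_debug
fi
```

Real output can be piped in from the invocation quoted in the message above, with stderr included because the debug lines are printed there: `env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename 2>&1 | triage_rancid_debug`.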
From: rancid at gheek.net (Lance Vermilion)
Date: Tue, 11 Nov 2008 14:15:05 -0700
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To: <4919F2CC.8040605@calarts.edu>
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com> <4919CE99.7000301@calarts.edu> <20081111192949.GB6869@shrubbery.net> <4919F2CC.8040605@calarts.edu>
Message-ID: <8423e7bb0811111315j6e3cca63hbd541f04309ea400@mail.gmail.com>

Sean,

Are you running this against Cisco IOS gear? If so you will need to make sure you are running it as the rancid user or source the rancid file that sets all the env stuff. I think the file is located in "/etc". Also check what John had mentioned.

-Lance

On Tue, Nov 11, 2008 at 2:02 PM, Sean Murphy wrote:
> That's what I needed! Changing root's path worked!
>
> I have errors on the bottom of the script "10.0.0.1: End of run not found"
> has anyone seen this before?
>
> raphael# set path = ($path /usr/local/rancid/bin)
>
> raphael# which rancid
> /usr/local/rancid/bin/rancid
>
> raphael# which clogin
> /usr/local/rancid/bin/clogin
>
> raphael# rancid -d 10.0.0.1
> executing clogin -t 90 -c"admin show version;show version;show redundancy
> secondary;show idprom backplane;show install active;admin show env all;show
> env all;show rsp chassis-info;show gsr chassis;show diag chassis-info;show
> boot;show bootvar;admin show variables boot;show variables boot;show
> flash;dir /all nvram:;dir /all bootflash:;dir /all slot0:;dir /all
> disk0:;dir /all slot1:;dir /all disk1:;dir /all slot2:;dir /all disk2:;dir
> /all harddisk:;dir /all harddiska:;dir /all harddiskb:;dir /all
> sup-bootflash:;dir /all sup-microcode:;dir /all slavenvram:;dir /all
> slavebootflash:;dir /all slaveslot0:;dir /all slavedisk0:;dir /all
> slaveslot1:;dir /all slavedisk1:;dir /all slaveslot2:;dir /all
> slavedisk2:;dir /all slavesup-bootflash:;dir /all sec-nvram:;dir /all
> sec-bootflash:;dir /all sec-slot0:;dir /all sec-disk0:;dir /all
> sec-slot1:;dir /all sec-disk1:;dir /all sec-slot2:;dir /all sec-disk2:;show
> controllers;show controllers cbus;show diagbus;admin show diag;show
> diag;show module;show spe version;show c7200;show inventory raw;show vtp
> status;show vlan;show vlan-switch;show debug;show running-config;write term"
> 10.0.0.1
> PROMPT MATCH: E200C-S50#
> HIT COMMAND:E200C-S50#admin show version
> In ShowVersion: E200C-S50#admin show version
> HIT COMMAND:E200C-S50#show version
> In ShowVersion: E200C-S50#show version
> HIT COMMAND:E200C-S50#show redundancy secondary
> In ShowRedundancy: E200C-S50#show redundancy secondary
> HIT COMMAND:E200C-S50#show idprom backplane
> In ShowIDprom: E200C-S50#show idprom backplane
> HIT COMMAND:E200C-S50#show install active
> In ShowInstallActive: E200C-S50#show install active
> HIT COMMAND:E200C-S50#admin show env all
> In ShowEnv: E200C-S50#admin show env all
> HIT COMMAND:E200C-S50#show env all
> In ShowEnv: E200C-S50#show env all
> HIT COMMAND:E200C-S50#show rsp chassis-info
> In ShowRSP: E200C-S50#show rsp chassis-info
> HIT COMMAND:E200C-S50#show gsr chassis
> In ShowGSR: E200C-S50#show gsr chassis
> HIT COMMAND:E200C-S50#show diag chassis-info
> In ShowGSR: E200C-S50#show diag chassis-info
> HIT COMMAND:E200C-S50#show boot
> In ShowBoot: E200C-S50#show boot
> HIT COMMAND:E200C-S50#show bootvar
> In ShowBoot: E200C-S50#show bootvar
> HIT COMMAND:E200C-S50#admin show variables boot
> In ShowBoot: E200C-S50#admin show variables boot
> HIT COMMAND:E200C-S50#show variables boot
> In ShowBoot: E200C-S50#show variables boot
> HIT COMMAND:E200C-S50#show flash
> In ShowFlash: E200C-S50#show flash
> HIT COMMAND:E200C-S50#dir /all nvram:
> In DirSlotN: E200C-S50#dir /all nvram:
> HIT COMMAND:E200C-S50#dir /all bootflash:
> In DirSlotN: E200C-S50#dir /all bootflash:
> HIT COMMAND:E200C-S50#dir /all slot0:
> In DirSlotN: E200C-S50#dir /all slot0:
> HIT COMMAND:E200C-S50#dir /all disk0:
> In DirSlotN: E200C-S50#dir /all disk0:
> HIT COMMAND:E200C-S50#dir /all slot1:
> In DirSlotN: E200C-S50#dir /all slot1:
> HIT COMMAND:E200C-S50#dir /all disk1:
> In DirSlotN: E200C-S50#dir /all disk1:
> HIT COMMAND:E200C-S50#dir /all slot2:
> In DirSlotN: E200C-S50#dir /all slot2:
> HIT COMMAND:E200C-S50#dir /all disk2:
> In DirSlotN: E200C-S50#dir /all disk2:
> HIT COMMAND:E200C-S50#dir /all harddisk:
> In DirSlotN: E200C-S50#dir /all harddisk:
> HIT COMMAND:E200C-S50#dir /all harddiska:
> In DirSlotN: E200C-S50#dir /all harddiska:
> HIT COMMAND:E200C-S50#dir /all harddiskb:
> In DirSlotN: E200C-S50#dir /all harddiskb:
> HIT COMMAND:E200C-S50#dir /all sup-bootflash:
> In DirSlotN: E200C-S50#dir /all sup-bootflash:
> HIT COMMAND:E200C-S50#dir /all sup-microcode:
> In DirSlotN: E200C-S50#dir /all sup-microcode:
> HIT COMMAND:E200C-S50#dir /all slavenvram:
> In DirSlotN: E200C-S50#dir /all slavenvram:
> HIT COMMAND:E200C-S50#dir /all slavebootflash:
> In DirSlotN: E200C-S50#dir /all slavebootflash:
> HIT COMMAND:E200C-S50#dir /all slaveslot0:
> In DirSlotN: E200C-S50#dir /all slaveslot0:
> HIT COMMAND:E200C-S50#dir /all slavedisk0:
> In DirSlotN: E200C-S50#dir /all slavedisk0:
> HIT COMMAND:E200C-S50#dir /all slaveslot1:
> In DirSlotN: E200C-S50#dir /all slaveslot1:
> HIT COMMAND:E200C-S50#dir /all slavedisk1:
> In DirSlotN: E200C-S50#dir /all slavedisk1:
> HIT COMMAND:E200C-S50#dir /all slaveslot2:
> In DirSlotN: E200C-S50#dir /all slaveslot2:
> HIT COMMAND:E200C-S50#dir /all slavedisk2:
> In DirSlotN: E200C-S50#dir /all slavedisk2:
> HIT COMMAND:E200C-S50#dir /all slavesup-bootflash:
> In DirSlotN: E200C-S50#dir /all slavesup-bootflash:
> HIT COMMAND:E200C-S50#dir /all sec-nvram:
> In DirSlotN: E200C-S50#dir /all sec-nvram:
> HIT COMMAND:E200C-S50#dir /all sec-bootflash:
> In DirSlotN: E200C-S50#dir /all sec-bootflash:
> HIT COMMAND:E200C-S50#dir /all sec-slot0:
> In DirSlotN: E200C-S50#dir /all sec-slot0:
> HIT COMMAND:E200C-S50#dir /all sec-disk0:
> In DirSlotN: E200C-S50#dir /all sec-disk0:
> HIT COMMAND:E200C-S50#dir /all sec-slot1:
> In DirSlotN: E200C-S50#dir /all sec-slot1:
> HIT COMMAND:E200C-S50#dir /all sec-disk1:
> In DirSlotN: E200C-S50#dir /all sec-disk1:
> HIT COMMAND:E200C-S50#dir /all sec-slot2:
> In DirSlotN: E200C-S50#dir /all sec-slot2:
> HIT COMMAND:E200C-S50#dir /all sec-disk2:
> In DirSlotN: E200C-S50#dir /all sec-disk2:
> HIT COMMAND:E200C-S50#show controllers
> In ShowContAll: E200C-S50#show controllers
> HIT COMMAND:E200C-S50#show controllers cbus
> In ShowContCbus: E200C-S50#show controllers cbus
> HIT COMMAND:E200C-S50#show diagbus
> In ShowDiagbus: E200C-S50#show diagbus
> HIT COMMAND:E200C-S50#admin show diag
> In ShowDiag: E200C-S50#admin show diag
> HIT COMMAND:E200C-S50#show diag
> In ShowDiag: E200C-S50#show diag
> HIT COMMAND:E200C-S50#show module
> In ShowModule: E200C-S50#show module
> HIT COMMAND:E200C-S50#show spe version
> In ShowSpeVersion: E200C-S50#show spe version
> HIT COMMAND:E200C-S50#show c7200
> In ShowC7200: E200C-S50#show c7200
> HIT COMMAND:E200C-S50#show inventory raw
> In ShowInventory: E200C-S50#show inventory raw
> HIT COMMAND:E200C-S50#show vtp status
> In ShowVTP: E200C-S50#show vtp status
> HIT COMMAND:E200C-S50#show vlan
> In ShowVLAN: E200C-S50#show vlan
> HIT COMMAND:E200C-S50#show vlan-switch
> In ShowVLAN: E200C-S50#show vlan-switch
> HIT COMMAND:E200C-S50#show debug
> In ShowDebug: E200C-S50#show debug
> HIT COMMAND:E200C-S50#show running-config
> In WriteTerm: E200C-S50#show running-config
> HIT COMMAND:E200C-S50#write term
> In WriteTerm: E200C-S50#write term
> 10.0.0.1: End of run not found
> 10.0.0.1: End of run not found
> ^
> raphael#
>
>
> john heasley wrote:
>
> Tue, Nov 11, 2008 at 10:27:37AM -0800, Sean Murphy:
>
> It looks like they're all in the same directory and rancid script does not
> show a path to clogin
>
> it inherits PATH from the shell.
>

From heas at shrubbery.net Tue Nov 11 22:25:08 2008
From: heas at shrubbery.net (john heasley)
Date: Tue, 11 Nov 2008 14:25:08 -0800
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To: <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> <20081110234928.GD4042@shrubbery.net> <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com>
Message-ID: <20081111222508.GL6869@shrubbery.net>

Most devices accept (negotiate) the terminal length sent by telnet/ssh and most allow the pager to essentially be disabled by setting the terminal length to zero. Some (broken) devices, like Foundry, have a global setting to disable/enable the pager that is permanent and affects all users.

So, what flavour is the netscreen? Do you have the latest firmware? Do you have a properly functioning/configured client?

Mon, Nov 10, 2008 at 08:20:04PM -0500, Atif.SIDDIQUI at HydroOne.com:
> Not sure about that.
>
> I see in the script 'nlogin' that it is setting it to zero, which
> causing issue for us as get commands keep scrolling. When techs login to
> the FW for troubleshooting.
>
> Anyone using netscreen experienced this issue?
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Monday, November 10, 2008 6:49 PM
> To: SIDDIQUI Atif
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Netscreen: nlogin file 'set console page 0'
>
> Mon, Nov 10, 2008 at 03:48:59PM -0500, Atif.SIDDIQUI at HydroOne.com:
> > Hi,
> >
> > The netscreen login script sets the 'console page to 0' to get the
> > config snapshot at once, but this command is not removed when it exits
> > the box. Can anyone help changing it? Although it is saying that do not
> > save the config; but still config is not removed.
>
> isn't the terminal length negotiated by telnet/ssh when you connect?

From smurphy at calarts.edu Tue Nov 11 22:39:41 2008
From: smurphy at calarts.edu (Sean Murphy)
Date: Tue, 11 Nov 2008 14:39:41 -0800
Subject: [rancid] Re: RANCID Debug Mode
In-Reply-To:
References: <4918DBD5.4050300@calarts.edu> <8423e7bb0811110738r57ecfda8h1b204407817ade1b@mail.gmail.com> <4919B97C.4020205@calarts.edu> <8423e7bb0811110919g36421d36hf2e7004178bfe079@mail.gmail.com> <4919CE99.7000301@calarts.edu> <20081111192949.GB6869@shrubbery.net> <4919F2CC.8040605@calarts.edu>
Message-ID: <491A09AD.8060504@calarts.edu>

Thank you all for your help. Debugging works and I think I have tracked down the issue to the Force10 S50 with "SFTOS" software running on it. The Cisco switches and routers back up fine.

I have tried to apply the fix to the clogin and force10.in. that I saw on an earlier post. It now captures some of the config but stops for some reason in mid config and RANCID writes the output in the configs directory.

Here is the fix I followed.
http://www.shrubbery.net/pipermail/rancid-discuss/2008-April/002971.html

Does anyone know of a fix for the force10 S50s and SFTOS?

Jethro R Binks wrote:
> On Tue, 11 Nov 2008, Sean Murphy wrote:
>
>
>> That's what I needed! Changing root's path worked!
>>
>> I have errors on the bottom of the script "10.0.0.1: End of run not
>> found" has anyone seen this before?
>>
>
> The error is very often discussed on the list; see John's reply for more
> details.
>
> For reference, when I need to see the detail of what is really going on, I
> do the following (the rancid programs are not in my usual path):
>
> env NOPIPE=y PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename
>
> which will produce devicename.raw and devicename.new files in the
> current directory which can be examined along with the chatty output.
>
> From time to time I have also done:
>
> cd /usr/local/libexec/rancid
> expect -d ./clogin -c 'show config' devicename
>
> to get debugging data out of expect.
>
> Jethro.
>
>

From jethro.binks at strath.ac.uk Tue Nov 11 22:45:29 2008
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Tue, 11 Nov 2008 22:45:29 +0000 (GMT)
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To: <20081111222508.GL6869@shrubbery.net>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> <20081110234928.GD4042@shrubbery.net> <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com> <20081111222508.GL6869@shrubbery.net>
Message-ID:

On Tue, 11 Nov 2008, john heasley wrote:

> Some (broken) devices, like Foundry, have a global setting to
> disable/enable the pager that is permanent and affects all users.

Perhaps once, but does not appear to be the case even on modestly recent versions of the Foundry OS that I am familiar with (BigIron 7.6, 8.0, Super-X 3.x, 4.x, FWSX). skip-page-display is a Priv exec command that affects only the current session. Maybe it is time to remove the naughty words surrounding this bit in flogin :)

"Serial console and Telnet CLI users can individually enable or disable page-display mode without affecting the page-display mode of other CLI users. ... This command is equivalent to the no enable skip-page-display command at the global CONFIG level."

Global config command "enable skip-page-display" is per-system, rather than per-user. I guess the per-session priv exec command came later.

I note similar comments for Extreme: "... an extreme (since the pager can not be disabled on a per-vty basis)".

Jethro.

--
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From Atif.SIDDIQUI at HydroOne.com Tue Nov 11 22:57:41 2008
From: Atif.SIDDIQUI at HydroOne.com (Atif.SIDDIQUI at HydroOne.com)
Date: Tue, 11 Nov 2008 17:57:41 -0500
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To: <20081111222508.GL6869@shrubbery.net>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> <20081110234928.GD4042@shrubbery.net> <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com> <20081111222508.GL6869@shrubbery.net>
Message-ID: <41BBAE5132ABA54BB2BA8716254F03D601156901@1104MILPEV.corp.hydroone.com>

I found this patch: config change;

but we should be able to put in the page only for that vty session not affecting all the users and config;

As RANCID does not save the config after doing the following steps; other users always get a message to save the config or not; even though they have not changed anything; it was because RANCID added "set console 0" then unset it cause the config changes. Can we have a workaround?

http://www.shrubbery.net/pipermail/rancid-discuss/2006-May/001488.html

I'm using the latest nrancid and nlogin for netscreens. Seems to work nicely, with one caveat: every time we run rancid, paging gets turned off. On netscreens, paging is a global parameter which can only be changed by admin users. This can be very annoying for non-admin users.

Patch:
*** /tmp/T0EMaOJJ Wed May 17 03:12:01 2006 --- nlogin Wed May 17 02:36:55 2006 *************** *** 412,417 **** --- 412,419 ---- } } } + send "unset console page\r" + expect -re "$prompt" {} send "exit\r" expect { -re "$prompt" { *************** *** 511,516 **** --- 513,520 ---- send "set console page 0\r" expect -re $prompt {} source $sfile + send "unset console page\r" + expect -re "$prompt" {} close } else { label $firewall

Thanks!
- Morty

-----Original Message-----
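Review bot: In the second hunk (513,520) the added `send "unset console page\r"` after `source $sfile` returns the pager to the device default, not to whatever value was in effect before `set console page 0`, and it only runs if the script reaches that line; a timeout or dropped session in between leaves paging off for every user, since the post describes the setting as global. The first hunk (412,419) has the same limitation before `send "exit\r"`. Suggest not changing the global setting at all and answering the pager prompt in the expect loop, or at minimum recording the current value first and restoring that value on every exit path.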
From: john heasley [mailto:heas at shrubbery.net]
Sent: Tuesday, November 11, 2008 5:25 PM
To: SIDDIQUI Atif
Cc: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Netscreen: nlogin file 'set console page 0'

Most devices accept (negotiate) the terminal length sent by telnet/ssh and most allow the pager to essentially be disabled by setting the terminal length to zero.

Some (broken) devices, like Foundry, have a global setting to disable/enable the pager that is permanent and affects all users.

So, what flavour is the netscreen? Do you have the latest firmware? Do you have a properly functioning/configured client?

Mon, Nov 10, 2008 at 08:20:04PM -0500, Atif.SIDDIQUI at HydroOne.com:
> Not sure about that.
>
> I see in the script 'nlogin' that it is setting it to zero, which
> causing issue for us as get commands keep scrolling. When techs login to
> the FW for troubleshooting.
>
> Anyone using netscreen experienced this issue?
>
> -----Original Message-----
> From: john heasley [mailto:heas at shrubbery.net]
> Sent: Monday, November 10, 2008 6:49 PM
> To: SIDDIQUI Atif
> Cc: rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Netscreen: nlogin file 'set console page 0'
>
> Mon, Nov 10, 2008 at 03:48:59PM -0500, Atif.SIDDIQUI at HydroOne.com:
> > Hi,
> >
> > The netscreen login script sets the 'console page to 0' to get the
> > config snapshot at once, but this command is not removed when it exits
> > the box. Can anyone help changing it? Although it is saying that do not
> > save the config; but still config is not removed.
>
> isn't the terminal length negotiated by telnet/ssh when you connect?

From heas at shrubbery.net Wed Nov 12 02:00:35 2008
From: heas at shrubbery.net (john heasley)
Date: Tue, 11 Nov 2008 18:00:35 -0800
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To: <41BBAE5132ABA54BB2BA8716254F03D601156901@1104MILPEV.corp.hydroone.com>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> <20081110234928.GD4042@shrubbery.net> <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com> <20081111222508.GL6869@shrubbery.net> <41BBAE5132ABA54BB2BA8716254F03D601156901@1104MILPEV.corp.hydroone.com>
Message-ID: <20081112020035.GV6869@shrubbery.net>

Tue, Nov 11, 2008 at 05:57:41PM -0500, Atif.SIDDIQUI at HydroOne.com:
> I found this patch: config change;
>
> but we should be able to put in the page only for that vty session not
> affecting all the users and config;
>
> As RANCID does not save the config after doing the following steps;
> other users always get a message to save the config or not; even though
> they have not changed anything; it was because RANCID added "set console
> 0" then unset it cause the config changes. Can we have a workaround?

That does not seem to be a very good fix. If another user happens to be logged-in when rancid runs, the pager will be disabled AND if another user re-enables the pager it will confuse nlogin, possibly causing it to hang (thus more emails about problems collecting...).

A better fix, assuming this is still a global knob, is to deal with the pager, if possible.

From heas at shrubbery.net Wed Nov 12 07:31:59 2008
From: heas at shrubbery.net (john heasley)
Date: Wed, 12 Nov 2008 07:31:59 +0000
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To:
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> <20081110234928.GD4042@shrubbery.net> <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com> <20081111222508.GL6869@shrubbery.net>
Message-ID: <20081112073159.GH10158@shrubbery.net>

Tue, Nov 11, 2008 at 10:45:29PM +0000, Jethro R Binks:
> On Tue, 11 Nov 2008, john heasley wrote:
>
> > Some (broken) devices, like Foundry, have a global setting to
> > disable/enable the pager that is permanent and affects all users.
>
> Perhaps once, but does not appear to be the case even on modestly recent
> versions of the Foundry OS that I am familiar with (BigIron 7.6, 8.0,
> Super-X 3.x, 4.x, FWSX). skip-page-display is a Priv exec command that
> affects only the current session. Maybe it is time to remove the naughty
> words surrounding this bit in flogin :)

any who aspire to have a cisco-like CLI then make a simple command different, like terminal length 0 which has been around since IOS 8.0, deserve the naughty bits.

> "Serial console and Telnet CLI users can individually enable or disable
> page-display mode without affecting the page-display mode of other CLI
> users.
>
> ...
>
> This command is equivalent to the no enable skip-page-display command at
> the global CONFIG level."
>
> Global config command "enable skip-page-display" is per-system, rather
> than per-user. I guess the per-session priv exec command came later.
>
> I note similar comments for Extreme: "... an extreme (since the pager can
> not be disabled on a per-vty basis)".

can it be now? what's the command?

From heas at shrubbery.net Wed Nov 12 08:38:51 2008
From: heas at shrubbery.net (john heasley) Date: Wed, 12 Nov 2008 08:38:51 +0000 Subject: [rancid] ERX directory file size summary Message-ID: <20081112083851.GA966@shrubbery.net> At some point someone complained about changes from file size changes in the dir command. I missed the reply from them or they didn't reply if the following patch worked. I don't have an ERC, could someone test it? Index: bin/jerancid.in =================================================================== RCS file: /home/rancid/.CVS/rancid/bin/jerancid.in,v retrieving revision 1.46 diff -d -u -r1.46 jerancid.in --- bin/jerancid.in 22 Apr 2008 23:43:05 -0000 1.46 +++ bin/jerancid.in 29 Apr 2008 15:07:16 -0000 @@ -293,6 +293,19 @@ # fail if the RP is amid the auto-sync process return(-1) if (/active\/standby/i && /not sync/); + if (/(\S+:\s+)(\d+)(\s+)(\d+)(\s+)(\d+)/) { + my($totlen) = length($2) - 1; + my($tot) = $2 / (1024 * 1024); + my($freelen) = length($4) - 1; + my($free) = $4 / (1024 * 1024); + my($usedlen) = length($6) - 1; + my($used) = $6 / (1024 * 1024); + my($fmt) = sprintf("%%-%dsK%s%%-%dsK%s%%-%dsK", $totlen, $3, + $freelen, $5, $usedlen); + + ProcessHistory("FLASH","","","!Flash: $1" . + sprintf($fmt, $tot, $free, $used)); + } ProcessHistory("FLASH","","","!Flash: $_"); } ProcessHistory("","","","!\n"); From jethro.binks at strath.ac.uk Wed Nov 12 09:34:46 2008 
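Review bot: The added `if` block at 293,19 has no `next` after its ProcessHistory call, so every matching line falls through to the existing `ProcessHistory("FLASH","","","!Flash: $_");` and the raw byte counts are still recorded next to the rounded ones, which keeps the diff noise this change is meant to remove. Add `next;` inside the block after the call, and end the new string with "\n" since the format built in `$fmt` stops at `K`. Two smaller points in the same block: the values are divided by 1024 * 1024 but suffixed with K, so the label does not match the scaling, and the quotient is printed through `%-Ns` without int() or rounding, so it will carry its full fractional part and overrun the computed column width.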
From: jethro.binks at strath.ac.uk (Jethro R Binks)
Date: Wed, 12 Nov 2008 09:34:46 +0000 (GMT)
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To: <20081112073159.GH10158@shrubbery.net>
References: <0A9A5A2BC1C0A94C981AF5FCF2D2F33812F0ABD0@mshin01.mapscu.com> <41BBAE5132ABA54BB2BA8716254F03D60115657A@1104MILPEV.corp.hydroone.com> <20081110234928.GD4042@shrubbery.net> <41BBAE5132ABA54BB2BA8716254F03D6011565BF@1104MILPEV.corp.hydroone.com> <20081111222508.GL6869@shrubbery.net> <20081112073159.GH10158@shrubbery.net>
Message-ID:

On Wed, 12 Nov 2008, john heasley wrote:

> any who aspire to have a cisco-like CLI then make a simple command
> different, like terminal length 0 which has been around since IOS 8.0,
> deserve the naughty bits.

That comment could be applied to many vendors, not just Foundry. I have to deal with three or four Cisco-a-like CLI, each with their own quirks. I've even seen some badged as "industry-standard CLI", which I suppose is true in the broadest sense of operation and facility, but certainly not in detail.

And remember the lawsuit spat between Cisco and Huawei, where the CLI was one issue of contention. How close to a Cisco interface do vendors dare go?

We buy products from different vendors for good reason, we can hardly expect every command to match exactly, and yet we should expect rancid to deal with those differences without prejudice, where such support is practicable.

Anyway, Cisco can hardly be held an exemplar for consistency :)

> > I note similar comments for Extreme: "... an extreme (since the pager
> > can not be disabled on a per-vty basis)".
>
> can it be now? what's the command?

Pass, don't have 'em.

Jethro.

--
. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

From gingabire at rwandatel.rw Wed Nov 12 08:53:19 2008
From: gingabire at rwandatel.rw (Grace Ingabire)
Date: Wed, 12 Nov 2008 10:53:19 +0200
Subject: [rancid] clogin error
Message-ID:

Hello,

I installed and configured rancid properly but when trying to test it with /usr/local/rancid/bin/clogin xx.xx.xx.xx, I'm getting this error

Error: /root/.cloginrc must not be world readable/writable.

Should not we edit this file?

Need your advice on the .clogin file and where should we add manually all devices.

Thanks.

Regards,
Grace

From steve at host-it.co.uk Wed Nov 12 09:57:04 2008
From: steve at host-it.co.uk (Steve Ousley)
Date: Wed, 12 Nov 2008 09:57:04 -0000
Subject: [rancid] Re: clogin error
In-Reply-To:
References:
Message-ID: <00fb01c944ad$03e2b570$0ba82050$@co.uk>

Hi Grace

All you need to do is make the file not writable by anyone except the user that rancid runs as. You can do this by running the command:

chmod 600 .cloginrc

in the home directory of the user that rancid runs as.

Steve Ousley - SO620-RIPE
Nuco Technologies Ltd
steve at host-it.co.uk
www.nucotechnologies.com
Tel. 0870 165 1300

Nuco Technologies Ltd is a company registered in England and Wales with company number 04470751

From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Grace Ingabire
Sent: 12 November 2008 08:53
To: rancid-discuss at shrubbery.net
Subject: [rancid] clogin error

Hello,

I installed and configured rancid properly but when trying to test it with /usr/local/rancid/bin/clogin xx.xx.xx.xx, I'm getting this error

Error: /root/.cloginrc must not be world readable/writable.

Should not we edit this file?

Need your advice on the .clogin file and where should we add manually all devices.

Thanks.

Regards,
Grace

From heas at shrubbery.net Wed Nov 12 09:58:57 2008
From: heas at shrubbery.net (john heasley)
Date: Wed, 12 Nov 2008 09:58:57 +0000
Subject: [rancid] Re: clogin error
In-Reply-To:
References:
Message-ID: <20081112095856.GD966@shrubbery.net>

Wed, Nov 12, 2008 at 10:53:19AM +0200, Grace Ingabire:
> Hello,
>
> I installed and configured rancid properly but when trying to test it with
> /usr/local/rancid/bin/clogin xx.xx.xx.xx, I'm getting this error
>
> Error: /root/.cloginrc must not be world readable/writable.
>
> Should not we edit this file?

It refers to the permissions on the file; see chmod(2) or chmod 0600 ~/.cloginrc. You should create a separate user to run rancid.

> Need your advice on the .clogin file and where should we add manually all
> devices.
>
> Thanks.
>
> Regards,
>
> Grace

From gingabire at rwandatel.rw Wed Nov 12 10:17:11 2008
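An added example, not part of the thread and not RANCID code: a POSIX shell check for the condition behind the "must not be world readable/writable" error discussed in the replies above. It follows the chmod 600 advice, so it is stricter than the error text and also rejects group access; the function names `cloginrc_audit` and `cloginrc_demo`, and the warning about a root-owned file, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not RANCID code): audit the permissions of a .cloginrc,
# the file that holds device login and enable passwords in clear text.
#
# cloginrc_audit FILE
#   prints one finding per line and returns
#   0  FILE is a regular file, owned by the caller, mode 0600 or tighter
#   1  FILE is missing, a symlink, owned by someone else, or group/other
#      have any permission bit set
cloginrc_audit() {
    _f=$1
    _rc=0

    # A symlink could point the login scripts at a file someone else controls.
    if [ -L "$_f" ]; then
        echo "FAIL: $_f is a symbolic link"
        return 1
    fi
    if [ ! -f "$_f" ]; then
        echo "FAIL: $_f does not exist or is not a regular file"
        return 1
    fi

    # "ls -ldn" output starts: <mode> <links> <uid> <gid> ...
    # e.g. "-rw-r--r-- 1 1001 1001 ..."; the mode may end in "." or "+".
    _ls=$(ls -ldn -- "$_f") || return 1
    _mode=${_ls%% *}
    _uid=$(printf '%s\n' "$_ls" | awk '{ print $3 }')

    # Characters 5-10 of the mode string are the group and other bits.
    case $_mode in
        ????------*)
            echo "ok:   no group/other access ($_mode)" ;;
        *)
            echo "FAIL: group/other access present ($_mode); run: chmod 600 $_f"
            _rc=1 ;;
    esac

    if [ "$_uid" != "$(id -u)" ]; then
        echo "FAIL: owned by uid $_uid, not by the invoking uid $(id -u)"
        _rc=1
    fi

    # The other advice given on the list: run rancid as its own user, not root.
    if [ "$_uid" = 0 ]; then
        echo "WARN: owned by root; a dedicated rancid account is preferable"
    fi

    return $_rc
}

# Constructed demonstration: a throw-away file audited before and after the
# chmod given on the list. The last line printed is "before=1 after=0".
cloginrc_demo() {
    _d=$(mktemp -d) || return 1
    : > "$_d/.cloginrc"
    chmod 644 "$_d/.cloginrc"
    _before=0
    cloginrc_audit "$_d/.cloginrc" || _before=$?
    chmod 600 "$_d/.cloginrc"
    _after=0
    cloginrc_audit "$_d/.cloginrc" || _after=$?
    rm -rf "$_d"
    echo "before=$_before after=$_after"
}

cloginrc_demo
```

To check a real file, call `cloginrc_audit "$HOME/.cloginrc"` as the account that runs rancid.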
From: gingabire at rwandatel.rw (Grace Ingabire)
Date: Wed, 12 Nov 2008 12:17:11 +0200
Subject: [rancid] Re: clogin error
In-Reply-To: <00fb01c944ad$03e2b570$0ba82050$@co.uk>
Message-ID:

Hi Steve,

I have done it as advised. In my /root/.clogin I have this syntax for all our devices:

add user xxx peter
add password xxx password enable password
add method xxx {telnet}

Where are we supposed to add devices (routers) manually?

I have tried to test as rancid user and got this:

/usr/local/rancid/bin/clogin xxx
spawn telnet xxx
Trying xxx...
Connected to xxx (xxx).
Escape character is '^]'.

Cisco Systems Console

Enter password:
Enter password:
Enter password:
Connection closed by foreign host.
spawn ssh -c 3des -x -l rancid xxx
ssh_exchange_identification: Connection closed by remote host

Error: Connection closed (ssh): xxx

What is the root cause of this?

Thanks for your quick reply.

Regards,
Grace

_____

From: Steve Ousley [mailto:steve at host-it.co.uk]
Sent: Wednesday, November 12, 2008 11:57 AM
To: 'Grace Ingabire'; rancid-discuss at shrubbery.net
Subject: RE: [rancid] clogin error

Hi Grace

All you need to do is make the file not writable by anyone except the user that rancid runs as. You can do this by running the command:

chmod 600 .cloginrc

in the home directory of the user that rancid runs as.

Steve Ousley - SO620-RIPE
Nuco Technologies Ltd
steve at host-it.co.uk
www.nucotechnologies.com
Tel. 0870 165 1300

Nuco Technologies Ltd is a company registered in England and Wales with company number 04470751

From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Grace Ingabire
Sent: 12 November 2008 08:53
To: rancid-discuss at shrubbery.net
Subject: [rancid] clogin error

Hello,

I installed and configured rancid properly but when trying to test it with /usr/local/rancid/bin/clogin xx.xx.xx.xx, I'm getting this error

Error: /root/.cloginrc must not be world readable/writable.

Should not we edit this file?

Need your advice on the .clogin file and where should we add manually all devices.

Thanks.

Regards,
Grace

From Michael.Skinner at virginmedia.co.uk Wed Nov 12 10:37:11 2008
From: Michael.Skinner at virginmedia.co.uk (Skinner, Michael) Date: Wed, 12 Nov 2008 10:37:11 -0000 Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0' Message-ID: It is possible for rancid to deal with the pager on netscreens. In my infrastructure rancid has read only accounts on devices, so has no ability to edit the console page, it gets on fine... admittedly I had to hack the code a bit, as the build in read-only support was broken. Problem and fix when originally discovered: http://www.shrubbery.net/pipermail/rancid-discuss/2007-May/002224.html Paul Zimmerman took the trouble to tidy this up further, details at bottom of email There is no reason this method couldn't be used for read/write accounts. Mike [rancid at caillez ~/local/libexec/rancid]$ sccs diffs -C8 -r1.2 nrancid ------- nrancid ------- *** - Mon Jul 23 09:20:57 2007 --- nrancid Mon Jul 23 09:17:18 2007 *************** *** 141,160 **** } # This routine parses "get system" sub GetSystem { print STDERR " In GetSystem: $_" if ($debug); while () { tr/\015//d; next if /^\s*$/; last if(/$prompt/); - # throw away the pager lines - next if /^--- more ---/; /^Serial Number: (\d+), Control Number: \d+$/ && ProcessHistory("SYSTEM","","", "!SN: $1\n") && next; /^Product Name: (\S+)$/ && ProcessHistory("SYSTEM","","", "!Product: $1\n") && next; /^Hardware Version: (\S+), / && ProcessHistory("SYSTEM","","", "!HW: $1\n") && next; /^Software Version: (\S+), Type: (\S+)$/ && --- 141,160 ---- } # This routine parses "get system" sub GetSystem { print STDERR " In GetSystem: $_" if ($debug); while () { tr/\015//d; + # throw away the pager text + s/^--- more ---( \x08|\x08)*//; next if /^\s*$/; last if(/$prompt/); /^Serial Number: (\d+), Control Number: \d+$/ && ProcessHistory("SYSTEM","","", "!SN: $1\n") && next; /^Product Name: (\S+)$/ && ProcessHistory("SYSTEM","","", "!Product: $1\n") && next; /^Hardware Version: (\S+), / && ProcessHistory("SYSTEM","","", "!HW: $1\n") && next; /^Software Version: 
(\S+), Type: (\S+)$/ && *************** *** 179,199 **** ProcessHistory("FILE","","","!\n"); return(0); } sub GetConf { print STDERR " In GetConf: $_" if ($debug); while () { tr/\015//d; next if /^\s*$/; next if /^Total Config.+$/i; last if(/$prompt/); - # throw away the pager lines - next if /^--- more ---/; if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin name \n"); next; } if (/^set admin password (\S+)$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin password \n"); next; --- 179,199 ---- ProcessHistory("FILE","","","!\n"); return(0); } sub GetConf { print STDERR " In GetConf: $_" if ($debug); while () { tr/\015//d; + # throw away the pager text + s/^--- more ---( \x08|\x08)*//; next if /^\s*$/; next if /^Total Config.+$/i; last if(/$prompt/); if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin name \n"); next; } if (/^set admin password (\S+)$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin password \n"); next; -----Original Message----- 
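Review bot: Both hunks, in GetSystem and in GetConf, add the same literal `s/^--- more ---( \x08|\x08)*//;`, so the pager pattern now lives in two places and any other routine that reads paged output needs a third copy; put the pattern in one shared variable or helper so the copies cannot drift. The new comment should also say why the substitution was moved above `next if /^\s*$/;`: stripping the prompt first lets a line that contained only pager text be dropped as blank, while a line with config text after the prompt is kept instead of being discarded as the old `next if /^--- more ---/;` did. Since the pattern is tied to the exact prompt text and to backspace or space-backspace erasure, a debug message when `--- more ---` is still present after the substitution would show when a device redraws differently.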
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley
Sent: 12 November 2008 02:01
To: Atif.SIDDIQUI at HydroOne.com
Cc: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'

Tue, Nov 11, 2008 at 05:57:41PM -0500, Atif.SIDDIQUI at HydroOne.com:
> I found this patch: config change;
>
> but we should be able to put in the page only for that vty session not
> affecting all the users and config;
>
> As RANCID does not save the config after doing the following steps;
> other users always get a message to save the config or not; even
> though they have not changed anything; it was because RANCID added "set
> console 0" then unset it cause the config changes. Can we have a workaround?

That does not seem to be a very good fix. If another user happens to be logged-in when rancid runs, the pager will be disabled AND if another user re-enables the pager it will confuse nlogin, possibly causing it to hang (thus more emails about problems collecting...).

A better fix, assuming this is still a global knob, is to deal with the pager, if possible.

From Atif.SIDDIQUI at HydroOne.com Wed Nov 12 18:33:42 2008
From: Atif.SIDDIQUI at HydroOne.com (Atif.SIDDIQUI at HydroOne.com)
Date: Wed, 12 Nov 2008 13:33:42 -0500
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To:
References:
Message-ID: <41BBAE5132ABA54BB2BA8716254F03D601156AF2@1104MILPEV.corp.hydroone.com>

Mike,

Thanks for the help here. This is the exact solution I was looking for.

Atif

-----Original Message-----
From: Skinner, Michael [mailto:Michael.Skinner at virginmedia.co.uk] Sent: Wednesday, November 12, 2008 5:37 AM To: rancid-discuss at shrubbery.net Cc: john heasley; SIDDIQUI Atif Subject: RE: [rancid] Re: Netscreen: nlogin file 'set console page 0' It is possible for rancid to deal with the pager on netscreens. In my infrastructure rancid has read only accounts on devices, so has no ability to edit the console page, it gets on fine... admittedly I had to hack the code a bit, as the build in read-only support was broken. Problem and fix when originally discovered: http://www.shrubbery.net/pipermail/rancid-discuss/2007-May/002224.html Paul Zimmerman took the trouble to tidy this up further, details at bottom of email There is no reason this method couldn't be used for read/write accounts. Mike [rancid at caillez ~/local/libexec/rancid]$ sccs diffs -C8 -r1.2 nrancid ------- nrancid ------- *** - Mon Jul 23 09:20:57 2007 --- nrancid Mon Jul 23 09:17:18 2007 *************** *** 141,160 **** } # This routine parses "get system" sub GetSystem { print STDERR " In GetSystem: $_" if ($debug); while () { tr/\015//d; next if /^\s*$/; last if(/$prompt/); - # throw away the pager lines - next if /^--- more ---/; /^Serial Number: (\d+), Control Number: \d+$/ && ProcessHistory("SYSTEM","","", "!SN: $1\n") && next; /^Product Name: (\S+)$/ && ProcessHistory("SYSTEM","","", "!Product: $1\n") && next; /^Hardware Version: (\S+), / && ProcessHistory("SYSTEM","","", "!HW: $1\n") && next; /^Software Version: (\S+), Type: (\S+)$/ && --- 141,160 ---- } # This routine parses "get system" sub GetSystem { print STDERR " In GetSystem: $_" if ($debug); while () { tr/\015//d; + # throw away the pager text + s/^--- more ---( \x08|\x08)*//; next if /^\s*$/; last if(/$prompt/); /^Serial Number: (\d+), Control Number: \d+$/ && ProcessHistory("SYSTEM","","", "!SN: $1\n") && next; /^Product Name: (\S+)$/ && ProcessHistory("SYSTEM","","", "!Product: $1\n") && next; /^Hardware Version: (\S+), / && 
ProcessHistory("SYSTEM","","", "!HW: $1\n") && next; /^Software Version: (\S+), Type: (\S+)$/ && *************** *** 179,199 **** ProcessHistory("FILE","","","!\n"); return(0); } sub GetConf { print STDERR " In GetConf: $_" if ($debug); while () { tr/\015//d; next if /^\s*$/; next if /^Total Config.+$/i; last if(/$prompt/); - # throw away the pager lines - next if /^--- more ---/; if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin name \n"); next; } if (/^set admin password (\S+)$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin password \n"); next; --- 179,199 ---- ProcessHistory("FILE","","","!\n"); return(0); } sub GetConf { print STDERR " In GetConf: $_" if ($debug); while () { tr/\015//d; + # throw away the pager text + s/^--- more ---( \x08|\x08)*//; next if /^\s*$/; next if /^Total Config.+$/i; last if(/$prompt/); if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin name \n"); next; } if (/^set admin password (\S+)$/ && $filter_pwds >= 1) { ProcessHistory("ADMIN","","","!set admin password \n"); next; -----Original Message----- 
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley
Sent: 12 November 2008 02:01
To: Atif.SIDDIQUI at HydroOne.com
Cc: rancid-discuss at shrubbery.net
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'

Tue, Nov 11, 2008 at 05:57:41PM -0500, Atif.SIDDIQUI at HydroOne.com:
> I found this patch: config change;
>
> but we should be able to put in the page only for that vty session not
> affecting all the users and config;
>
> As RANCID does not save the config after doing the following steps;
> other users always get a message to save the config or not; even
> though they have not changed anything; it was because RANCID added "set
> console 0" then unset it cause the config changes. Can we have a workaround?

That does not seem to be a very good fix. If another user happens to be logged-in when rancid runs, the pager will be disabled AND if another user re-enables the pager it will confuse nlogin, possibly causing it to hang (thus more emails about problems collecting...).

A better fix, assuming this is still a global knob, is to deal with the pager, if possible.

From rancid at gheek.net Wed Nov 12 17:16:46 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Wed, 12 Nov 2008 10:16:46 -0700
Subject: [rancid] Re: clogin error
In-Reply-To:
References: <00fb01c944ad$03e2b570$0ba82050$@co.uk>
Message-ID: <8423e7bb0811120916j7855da74p19cb1c1a15504e84@mail.gmail.com>

I would suggest following some of the results from here.

http://www.google.com/search?q=rancid+howto

On Wed, Nov 12, 2008 at 3:17 AM, Grace Ingabire wrote:
> Hi Steve,
>
> I have done it as advised. In my /root/.clogin I have this syntax for all
> our devices:
>
> add user xxx peter
> add password xxx password enable password
> add method xxx {telnet}
>
> Where are we supposed to add devices (routers) manually?
>
> I have tried to test as rancid user and got this:
>
> /usr/local/rancid/bin/clogin xxx
> spawn telnet xxx
> Trying xxx...
> Connected to xxx (xxx).
> Escape character is '^]'.
>
> Cisco Systems Console
>
> Enter password:
> Enter password:
> Enter password:
> Connection closed by foreign host.
> spawn ssh -c 3des -x -l rancid xxx
> ssh_exchange_identification: Connection closed by remote host
>
> Error: Connection closed (ssh): xxx
>
> What is the root cause of this?
>
> Thanks for your quick reply.
>
> Regards,
> Grace
>
> ________________________________
> > From: Steve Ousley [mailto:steve at host-it.co.uk] > Sent: Wednesday, November 12, 2008 11:57 AM > To: 'Grace Ingabire'; rancid-discuss at shrubbery.net > Subject: RE: [rancid] clogin error > > > > Hi Grace > > > > All you need to do is make the file not writable by anyone except the user > that rancid runs as. You can do this by running the command: > > > > chmod 600 .cloginrc > > > > in the home directory of the user that rancid runs as. > > > > Steve Ousley - SO620-RIPE > > Nuco Technologies Ltd > > steve at host-it.co.uk > > www.nucotechnologies.com > > Tel. 0870 165 1300 > > > > Nuco Technologies Ltd is a company registered in England and Wales > with company number 04470751 > > > > From: rancid-discuss-bounces at shrubbery.net > [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Grace Ingabire > Sent: 12 November 2008 08:53 > To: rancid-discuss at shrubbery.net > Subject: [rancid] clogin error > > > > Hello, > > > > I installed and configured rancid properly but when trying to test it with > /usr/local/rancid/bin/clogin xx.xx.xx.xx, I'm getting this error > > > > Error: /root/.cloginrc must not be world readable/writable. > > Should not we edit this file? > > > > Need your advice on the .clogin file and where should we add manually all > devices. > > > > Thanks. > > > > Regards, > > Grace > > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From rancid at gheek.net Thu Nov 13 00:36:50 2008 
From: rancid at gheek.net (Lance Vermilion)
Date: Wed, 12 Nov 2008 17:36:50 -0700
Subject: [rancid] Understand some regex used in rancid
Message-ID: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com>

I don't understand what this is meaning. I have searched around but still can't figure out what the # sign is used for in Perl regex like it is being used here.

while (/#\s*($cmds_regexp)\s*$/) {

If I can figure this out then I will have the IPS module working for rancid using the default clogin/rancid with only minor tweaks.

From mpalatnik at wustl.edu Thu Nov 13 04:05:13 2008
From: mpalatnik at wustl.edu (Max Palatnik)
Date: Wed, 12 Nov 2008 22:05:13 -0600
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com>
Message-ID:

The # sign is probably the # in Switch# or Hostname#, so this command searches for the following: #(0 or more whitespace), the variable $cmds_regexp, then 0 or more whitespace at the end of a line.

Hope this helps

Max

On 11/12/08 6:36 PM, "Lance Vermilion" wrote:
> I don't understand what this is meaning. I have searched around but
> still can't figure out what the # sign is used for in Perl regex like
> it is being used here.
>
> while (/#\s*($cmds_regexp)\s*$/) {
>
> If I can figure this out then I will have the IPS module working for
> rancid using the default clogin/rancid with only minor tweaks.

From heas at shrubbery.net Thu Nov 13 06:53:10 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 13 Nov 2008 06:53:10 +0000
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com>
Message-ID: <20081113065310.GA2916@shrubbery.net>

Wed, Nov 12, 2008 at 05:36:50PM -0700, Lance Vermilion:
> I don't understand what this is meaning. I have searched around but
> still can't figure out what the # sign is used for in Perl regex like
> it is being used here.
>
> while (/#\s*($cmds_regexp)\s*$/) {

the # is a #, the end of the enabled user's prompt.

> If I can figure this out then I will have the IPS module working for
> rancid using the default clogin/rancid with only minor tweaks.

From steve at host-it.co.uk Thu Nov 13 14:10:14 2008
From: steve at host-it.co.uk (Steve Ousley)
Date: Thu, 13 Nov 2008 14:10:14 -0000
Subject: [rancid] Catalyst 2960
Message-ID: <02f201c94599$8c676930$a5363b90$@co.uk>

Hi

We have 2 Catalyst 2960 switches that rancid is unable to get the configs
from.

I have tried to clogin to the catalyst switches, and it logs in ok,
however, I cannot type anything on the command line to get anything from
the switch, the connection simply times out after a given period.

I know the rancid user works ok as I can telnet to the switch from the
rancid machine, and view output as normal, but whenever I do this from
within rancid or clogin, it fails.

The config that I have is:

x.x.x.x:cisco:up

in the router.db file.

Has anyone seen anything like this in the past and corrected it?

Steve Ousley - SO620-RIPE
Nuco Technologies Ltd
steve at host-it.co.uk
www.nucotechnologies.com
Tel. 0870 165 1300

Nuco Technologies Ltd is a company registered in England and Wales with
company number 04470751

From SMartin at sourceinterlink.com Thu Nov 13 14:23:38 2008
From: SMartin at sourceinterlink.com (Martin, Seth)
Date: Thu, 13 Nov 2008 09:23:38 -0500
Subject: [rancid] Re: Catalyst 2960
In-Reply-To: <02f201c94599$8c676930$a5363b90$@co.uk>
References: <02f201c94599$8c676930$a5363b90$@co.uk>
Message-ID: <79B77295FBC9F247A32A6C98B67B1E1401E9BC5A@srv-1exch01.sourceinterlink.com>

Is the user you log in with privileged or does it require enable? Have
you set the appropriate autoenable in the cloginrc file?

From me at ale.cx Thu Nov 13 14:31:15 2008
From: me at ale.cx (alex)
Date: Thu, 13 Nov 2008 14:31:15 +0000
Subject: [rancid] Re: Catalyst 2960
In-Reply-To: <02f201c94599$8c676930$a5363b90$@co.uk>
References: <02f201c94599$8c676930$a5363b90$@co.uk>
Message-ID: <200811131431.15847.me@ale.cx>

On Thursday 13 November 2008 14:10:14 Steve Ousley wrote:
> I have tried to clogin to the catalyst switches, and it logs in ok,
> however, I cannot type anything on the command line to get anything from
> the switch, the connection simply times out after a given period.

Your autoenable settings are wrong.

> Has anyone seen anything like this in the past and corrected it?

Yes. Whenever I've seen this [with routers and ASAs] it's been that the
autoenable setting in .cloginrc is wrong. RANCID is waiting for the '>'
prompt, but because the credentials you've told it to use are
auto-enabled, it never sees a '>' [only a '#'] so it times out.

alexd

From steve at host-it.co.uk Thu Nov 13 15:19:28 2008
From: steve at host-it.co.uk (Steve Ousley)
Date: Thu, 13 Nov 2008 15:19:28 -0000
Subject: [rancid] Re: Catalyst 2960
In-Reply-To: <200811131431.15847.me@ale.cx>
References: <02f201c94599$8c676930$a5363b90$@co.uk> <200811131431.15847.me@ale.cx>
Message-ID: <033b01c945a3$384aecf0$a8e0c6d0$@co.uk>

Hi Alex

Thanks for this explanation. Someone else already posted me the
solution, but this is useful to see exactly WHY that setting changed the
behaviour :)

For the record, the setting was:

Add autoenable hostname 1

Many thanks for the swift responses and resolution.

Steve Ousley - SO620-RIPE
Nuco Technologies Ltd
steve at host-it.co.uk
www.nucotechnologies.com
Tel. 0870 165 1300

Nuco Technologies Ltd is a company registered in England and Wales with
company number 04470751

From rancid at gheek.net Thu Nov 13 21:11:19 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Thu, 13 Nov 2008 14:11:19 -0700
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <20081113065310.GA2916@shrubbery.net>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com> <20081113065310.GA2916@shrubbery.net>
Message-ID: <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com>

Thx Max and John.

As for making rancid work with IPS modules I have found that the post
from Jeremy M. Guthrie
"http://www.shrubbery.net/pipermail/rancid-discuss/2007-May/002209.html"
does very well and doesn't require making a lot of changes to rancid
to handle the errors that happen if you run too many commands that are
invalid commands. I also eliminated the need for his ipslogin. I
simply just had perl set the TERM to vt100 before it ran clogin and
then set the TERM back to network after it was finished running
clogin. I also fixed some typos he had where it was the word "at"
instead of "@". I fixed what should be skipped for the ShowVersion as
it had some extra stuff that can change.

Here is a copy of what I put on my webpage.
http://www.gheek.net/?p=78

In order to get rancid to collect the config from an IPS module you
will need to make sure you have the correct login creds in the rancid
users ".cloginrc", add the type of ips to "rancid-fe" and you also need
to create the "ipsrancid" script.

Changes required for "rancid-fe"

'ips' => 'ipsrancid',

Create the "ipsrancid" script as "/bin/ipsrancid". Make sure you
"chmod 755 /bin/ipsrancid" and "chown : /bin/ipsrancid".

#! /usr/bin/perl
##
## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
## All rights reserved.
##
## This software may be freely copied, modified and redistributed
## without fee for non-commerical purposes provided that this license
## remains intact and unmodified with any RANCID distribution.
##
## There is no warranty or other guarantee of fitness of this software.
## It is provided solely "as is". The author(s) disclaim(s) all
## responsibility and liability with respect to this software's usage
## or its effect upon hardware, computer systems, other software, or
## anything else.
##
## Except where noted otherwise, rancid was written by and is maintained by
## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
##
#
# hacked version of Hank's rancid - this one tries to deal with Hitachi's.
#
# Modified again by Lance Vermilion (11/13/08)
# Modified from htrancid by Jeremy M. Guthrie
# Created on 5/4/2007
#
# This is meant to try handle Cisco's IPS V5.X line and on
#
# RANCID - Really Awesome New Cisco confIg Differ
#
# usage: ipsrancid [-d] [-l] [-f filename | $host]

use Getopt::Std;
getopts('dfl');
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;
$timeo = 90;				# clogin timeout in seconds

my(@commandtable, %commands, @commands);# command lists
my($filter_pwds);			# password filtering mode

# This routine is used to print out the router configuration
sub ProcessHistory {
    ($new_hist_tag,$new_command,$command_string, @string) = (@_);
    # scalar(%history) replaces "defined %history", which current perls reject
    if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
        && scalar(%history)) {
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
        $sorted_lines[$i] = $lines{$num};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# ip address when the ip address is anywhere in
# the strings.
sub ipsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $addr (sort sortbyipaddr keys %lines) {
        $sorted_lines[$i] = $lines{$addr};
        $i++;
    }
    @sorted_lines;
}

# These two routines will sort based upon IP addresses
sub ipaddrval {
    my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
    $a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
}
sub sortbyipaddr {
    &ipaddrval($a) <=> &ipaddrval($b);
}

# This routine parses "show config"
sub ShowConfig {
    print STDERR " In ShowConfig: $_" if ($debug);
    $firstexit=0;
    # the <INPUT> filehandle was lost from the archived copy of each read loop
    while (<INPUT>) {
        tr/\015//d;
        tr/\020//d;
        #strip out the stupid spinning running-config progress thingy
        s/Generating current config: \.*[\|\/\-\\]//gi;
        $skipprocess=0;
        #sometimes an 'exit' appears at the top of the config, we don't want them
        if ( (/^exit/) && ( ! $firstexit ) ) {
            $firstexit=1;
            $skipprocess=1;
        }
        #remove spaces left over from lame spinning progress thingy
        # (the text after "! " is garbled to "??????????" in the archived post;
        # assumed here to be the row of hyphens in the IPS config banner)
        if ( /^\s+! -+/ ) { s/^\s+!/!/g }
        if (/^(read-only-community) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^(read-write-community) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^(trap-community-name) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^(ntp-keys \d+ md5-key) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        if (/^(password) / && $filter_pwds >= 1) {
            ProcessHistory("","","","!$1 \n");
            next;
        }
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        if ( ! /^$prompt/) {
            if ( ! $skipprocess ) {
                print STDOUT " ShowConfig Data: $_" if ($debug);
                ProcessHistory("","","","$_");
            }
        }
    }
    $clean_run=1;
    print STDERR " Exiting ShowConfig: $_" if ($debug);
    return(0);
}

# This routine parses single command's that return no required info
sub ShowVersion {
    print STDERR " In ShowVersion: $_" if ($debug);
    ProcessHistory("","","","!\n!IPS Show Version Start\n");
    while (<INPUT>) {
        tr/\015//d;
        $skipprocess=0;
        if ( /^Sensor up-time/ ) { $skipprocess=1; }
        if ( ( /using.*bytes of available/i ) ) { $skipprocess=1; }
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        if ( ! /^$prompt/) {
            if ( ! $skipprocess ) {
                print STDOUT " ShowVersion Data: $_" if ($debug);
                ProcessHistory("","","","! $_");
            }
        }
    }
    ProcessHistory("","","","!\n!IPS Show Version End\n");
    print STDERR " Exiting ShowVersion: $_" if ($debug);
    return(0)
}

# This routine parses single command's that return no required info
sub ShowUsersAll {
    print STDERR " In ShowUsersAll: $_" if ($debug);
    ProcessHistory("","","","!\n!IPS User Database Start\n");
    while (<INPUT>) {
        tr/\015//d;
        $skipprocess=0;
        s/^ CLI ID //g;
        s/^ //g;
        s/^\* +[0-9]+ +//g;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        if ( ! /^$prompt/) {
            if ( ! $skipprocess ) {
                print STDOUT " ShowUsersAll Data: $_" if ($debug);
                ProcessHistory("","","","!$_");
            }
        }
    }
    ProcessHistory("","","","!\n!IPS User Database End\n!\n!\n");
    print STDERR " Exiting ShowUsersAll: $_" if ($debug);
    return(0)
}

# dummy function
sub DoNothing {print STDOUT;}

# Main

# Determine password filtering mode. The posted script never assigned
# $filter_pwds, so the filters in ShowConfig never ran; this is the
# FILTER_PWDS handling of the stock rancid scripts.
if ($ENV{"FILTER_PWDS"} =~ /no/i) {
    $filter_pwds = 0;
} elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
    $filter_pwds = 2;
} else {
    $filter_pwds = 1;
}

@commandtable = (
    {'show version'       => 'ShowVersion'},
    {'show users all'     => 'ShowUsersAll'},
    {'show configuration' => 'ShowConfig'}
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);

$cisco_cmds=join(";",@commands);
$cmds_regexp=join("|",@commands);

open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

# The IPS doesn't like the TERM of network so we must change it
if ( $ENV{TERM} eq 'network' ) { $ENV{TERM} = 'vt100'; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
    # The "</dev/null" redirections, the pipe open's die clause and the
    # "TOP: while(<INPUT>)" header below were lost from the archived copy;
    # they are restored to match the stock rancid scripts.
    if (defined($ENV{NOPIPE})) {
        system "clogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "clogin failed for $host: $!\n";
        open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n";
    } else {
        open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "clogin failed for $host: $!\n";
    }
}

TOP: while(<INPUT>) {
    tr/\015//d;
    #strip out the stupid spinning running-config progress thingy
    s/Generating current config: \.*[\|\/\-\\]//gi;
    if (/^.*logout$/) {
        $clean_run=1;
        last;
    }
    if (/^Error:/) {
        print STDOUT ("$host clogin error: $_");
        print STDERR ("$host clogin error: $_") if ($debug);
        $clean_run=0;
        last;
    }
    while (/($cmds_regexp)/) {
        $cmd = $1;
        if (!defined($prompt)) {
            $prompt = ($_ =~ /^([^#]+#)/)[0];
            $prompt =~ s/([][}{)(\\])/\\$1/g;
            print STDERR ("PROMPT MATCH: $prompt\n") if ($debug);
        }
        print STDERR ("IPS COMMAND:$_") if ($debug);
        if (! defined($commands{$cmd})) {
            print STDERR "$host: found unexpected command - \"$cmd\"\n";
            $clean_run = 0;
            last TOP;
        }
        $rval = &{$commands{$cmd}};
        delete($commands{$cmd});
        if ($rval == -1) {
            $clean_run = 0;
            last TOP;
        }
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE})) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$clean_run ) {
    if (scalar(%commands)) {
        printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
        printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run ) {
        print STDOUT "$host: End of run not found\n";
        print STDERR "$host: End of run not found\n" if ($debug);
        system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}

On Wed, Nov 12, 2008 at 11:53 PM, john heasley wrote:
> Wed, Nov 12, 2008 at 05:36:50PM -0700, Lance Vermilion:
>> I don't understand what this is meaning. i have searched around but
>> still can't figure out what the # sign is used for in perl regex like
>> it is being used here.
>>
>> while (/#\s*($cmds_regexp)\s*$/) {
>
> the # is a #, the end of the enabled user's prompt.
>
>>
>> If I can figure this out then I will have the IPS module working for
>> rancid using the default clogin/rancid with only minor tweaks.
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>

From heas at shrubbery.net Thu Nov 13 23:07:33 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 13 Nov 2008 15:07:33 -0800
Subject: [rancid] force10 support
Message-ID: <20081113230733.GK10825@shrubbery.net>

I'm considering not supporting SFTOS, the pre-FTOS O/S for Force10. SFTOS
is EOL and AFAICT FTOS is supported on all of the hardware. The
differences are slight but annoying enough and I'm not convinced its
worth the effort.

For some that means upgrading, which may not be easy for them. Who can
honestly say that they can't upgrade and really need SFTOS support?

From heas at shrubbery.net Fri Nov 14 00:32:13 2008
From: heas at shrubbery.net (john heasley)
Date: Thu, 13 Nov 2008 16:32:13 -0800
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To: <41BBAE5132ABA54BB2BA8716254F03D601156AF2@1104MILPEV.corp.hydroone.com>
References: <41BBAE5132ABA54BB2BA8716254F03D601156AF2@1104MILPEV.corp.hydroone.com>
Message-ID: <20081114003213.GT10825@shrubbery.net>

Wed, Nov 12, 2008 at 01:33:42PM -0500, Atif.SIDDIQUI at HydroOne.com:
> Mike,
>
> Thanks for the help here. This is the exact solution I was looking for.

Are you confirming that this works reliably?

> Atif
>
> -----Original Message-----
> From: Skinner, Michael [mailto:Michael.Skinner at virginmedia.co.uk] > Sent: Wednesday, November 12, 2008 5:37 AM > To: rancid-discuss at shrubbery.net > Cc: john heasley; SIDDIQUI Atif > Subject: RE: [rancid] Re: Netscreen: nlogin file 'set console page 0' > > It is possible for rancid to deal with the pager on netscreens. In my > infrastructure rancid has read only accounts on devices, so has no > ability to edit the console page, it gets on fine... admittedly I had to > hack the code a bit, as the build in read-only support was broken. > > Problem and fix when originally discovered: > http://www.shrubbery.net/pipermail/rancid-discuss/2007-May/002224.html > > Paul Zimmerman took the trouble to tidy this up further, details at > bottom of email > > There is no reason this method couldn't be used for read/write accounts. > > Mike > > > [rancid at caillez ~/local/libexec/rancid]$ sccs diffs -C8 -r1.2 nrancid > > ------- nrancid ------- > *** - Mon Jul 23 09:20:57 2007 > --- nrancid Mon Jul 23 09:17:18 2007 > *************** > *** 141,160 **** > } > > # This routine parses "get system" > sub GetSystem { > print STDERR " In GetSystem: $_" if ($debug); > > while () { > tr/\015//d; > next if /^\s*$/; > last if(/$prompt/); > - # throw away the pager lines > - next if /^--- more ---/; > > /^Serial Number: (\d+), Control Number: \d+$/ && > ProcessHistory("SYSTEM","","", "!SN: $1\n") && next; > /^Product Name: (\S+)$/ && > ProcessHistory("SYSTEM","","", "!Product: $1\n") && > next; > /^Hardware Version: (\S+), / && > ProcessHistory("SYSTEM","","", "!HW: $1\n") && next; > /^Software Version: (\S+), Type: (\S+)$/ && > --- 141,160 ---- > } > > # This routine parses "get system" > sub GetSystem { > print STDERR " In GetSystem: $_" if ($debug); > > while () { > tr/\015//d; > + # throw away the pager text > + s/^--- more ---( \x08|\x08)*//; > next if /^\s*$/; > last if(/$prompt/); > > /^Serial Number: (\d+), Control Number: \d+$/ && > ProcessHistory("SYSTEM","","", "!SN: $1\n") 
&& next; > /^Product Name: (\S+)$/ && > ProcessHistory("SYSTEM","","", "!Product: $1\n") && > next; > /^Hardware Version: (\S+), / && > ProcessHistory("SYSTEM","","", "!HW: $1\n") && next; > /^Software Version: (\S+), Type: (\S+)$/ && > *************** > *** 179,199 **** > ProcessHistory("FILE","","","!\n"); > return(0); > } > > sub GetConf { > print STDERR " In GetConf: $_" if ($debug); > while () { > tr/\015//d; > next if /^\s*$/; > next if /^Total Config.+$/i; > last if(/$prompt/); > - # throw away the pager lines > - next if /^--- more ---/; > > if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) { > ProcessHistory("ADMIN","","","!set admin name > \n"); > next; > } > if (/^set admin password (\S+)$/ && $filter_pwds >= 1) { > ProcessHistory("ADMIN","","","!set admin password > \n"); > next; > --- 179,199 ---- > ProcessHistory("FILE","","","!\n"); > return(0); > } > > sub GetConf { > print STDERR " In GetConf: $_" if ($debug); > while () { > tr/\015//d; > + # throw away the pager text > + s/^--- more ---( \x08|\x08)*//; > next if /^\s*$/; > next if /^Total Config.+$/i; > last if(/$prompt/); > > if (/^set admin name "(\S+)"$/ && $filter_pwds >= 1) { > ProcessHistory("ADMIN","","","!set admin name > \n"); > next; > } > if (/^set admin password (\S+)$/ && $filter_pwds >= 1) { > ProcessHistory("ADMIN","","","!set admin password > \n"); > next; > > > > -----Original Message----- 
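Review bot: In the GetSystem hunk the new comment "# throw away the pager text" does not say why `next if /^--- more ---/;` had to go. The old line dropped the whole line, including any output the device printed after the pager prompt, while `s/^--- more ---( \x08|\x08)*//;` keeps that remainder; the comment should say so. The identical substitution is repeated in GetConf, so it could live in one small helper to stop the two copies drifting apart.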
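Review bot: In the GetConf hunk the line that survives `s/^--- more ---( \x08|\x08)*//;` goes straight into filters anchored at `^`, such as `/^set admin password (\S+)$/`. The substitution only consumes backspaces and space-backspace pairs, so if anything else is left in front of the config text (a plain space, say) the line no longer starts with `set` and the admin name or password is written out unfiltered. Suggest consuming any run of spaces and backspaces after the pager text, `[ \x08]*`, and checking the result against a capture from a device that actually pages.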
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley
> Sent: 12 November 2008 02:01
> To: Atif.SIDDIQUI at HydroOne.com
> Cc: rancid-discuss at shrubbery.net
> Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
>
> Tue, Nov 11, 2008 at 05:57:41PM -0500, Atif.SIDDIQUI at HydroOne.com:
> > I found this patch: config change;
> >
> > but we should be able to put in the page only for that vty session not
> > affecting all the users and config;
> >
> > As RANCID does not save the config after doing the following steps;
> > other users always get a message to save the config or not; even
> > though they have not change anything; it was because RANCID added "set
> > console 0" then unset it cause the config changes. Can we have a
> > workaround.
>
> That does not seem to be a very good fix. If another user happens to be
> logged-in when rancid runs, the pager will be disabled AND if another
> user re-enables the pager it will confuse nlogin, possibly causing it to
> hang (thus more emails about problems collecting...).
>
> A better fix, assuming this is still a global knob, is to deal with the
> pager, if possible.

From CBell at thig.com Fri Nov 14 01:35:01 2008
From: CBell at thig.com (Chris Bell)
Date: Thu, 13 Nov 2008 20:35:01 -0500
Subject: [rancid] Re: force10 support
In-Reply-To: <20081113230733.GK10825@shrubbery.net>
Message-ID:

If it matters - we have been slowly upgrading our S50V switches from
SFTOS to FTOS. We run them in stacks. Running SFTOS, I cannot run RANCID
against them with all the bugs concerning SSH. I despise TELNET, but I
guess that would be an option.

We have an E1200 at the core that has been RANCID friendly for several
years. Upgrading the closet S50V's to also be RANCID friendly is worth
any headache it may cause in my book...

I can also say (for those who are interested) that we've had few problems
running the new 7.7.1.1 code on our S50V's than we have ever had running
SFTOS.

From Atif.SIDDIQUI at HydroOne.com Fri Nov 14 03:13:04 2008
From: Atif.SIDDIQUI at HydroOne.com (Atif.SIDDIQUI at HydroOne.com)
Date: Thu, 13 Nov 2008 22:13:04 -0500
Subject: [rancid] Re: Netscreen: nlogin file 'set console page 0'
In-Reply-To: <20081114003213.GT10825@shrubbery.net>
References: <41BBAE5132ABA54BB2BA8716254F03D601156AF2@1104MILPEV.corp.hydroone.com> <20081114003213.GT10825@shrubbery.net>
Message-ID: <41BBAE5132ABA54BB2BA8716254F03D60119ED19@1104MILPEV.corp.hydroone.com>

Yes. At least this issue I was having is resolved.

RANCID is making changes to the config and does not save it. It sets
page console to '0' exits without saving. 2 problems:
- console settings do not have page limit
- Other user logs in and out of NS gets a config save confirmation
  message; even though no change has been made

The modified 'nrancid' and 'nlogin' provided by Mike does not change
configs by setting console to page 0 hence no config save message appear.
RO user account can be used by RANCID to back up the config.

From gregoryzill at solutionary.com Fri Nov 14 14:18:24 2008
From: gregoryzill at solutionary.com (Gregory W Zill)
Date: Fri, 14 Nov 2008 08:18:24 -0600
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com> <20081113065310.GA2916@shrubbery.net> <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com>
Message-ID: <491D88B0.3030108@solutionary.com>

An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081114/1f0fface/attachment.html

From rancid at gheek.net Fri Nov 14 15:32:13 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Fri, 14 Nov 2008 08:32:13 -0700
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <491D88B0.3030108@solutionary.com>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com>
 <20081113065310.GA2916@shrubbery.net>
 <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com>
 <491D88B0.3030108@solutionary.com>
Message-ID: <8423e7bb0811140732r4eba2009u8bac4aa9e3aa4ab0@mail.gmail.com>

Gregory,

You need to set autoenable for that device inside your ".cloginrc".
The IP puts you in privilege 15 when you login. I am guessing you do
not have that specified so rancid is trying to enable.

2008/11/14 Gregory W Zill :
> I get what appears to be a second user inputted somehow. Have you seen this?
> How might I fix? This is a 4215 IPS.
>
> $ clogin test_cisco_ips6
> test_cisco_ips6
> spawn ssh -c 3des -x -l cisco test_cisco_ips6
>
> Password:
> Last login: Fri Nov 14 09:07:54 2008 from 10.1.1.107
>
> cisco
> test_cisco_ips6# cisco
> ^
> % Invalid input detected at '^' marker
>
>
> BTW, the ipsrancid is great -- thank you
>
> Thx Max and John.
>
> As for making rancid work with IPS modules I have found that the post
> from Jeremy M. Guthrie
> "http://www.shrubbery.net/pipermail/rancid-discuss/2007-May/002209.html"
> does very well and doesn't require making a lot of changes to rancid
> to handle the errors that happen if you run too many commands that are
> invalid commands. I also eliminated the need for his ipslogin. I
> simply just had perl set the TERM to vt100 before it ran clogin and
> then set the TERM back to network after it was finished running
> clogin. I also fixed some typos he had where it was the word "at"
> instead of "@". I fixed what should be skipped for the ShowVersion as
> it had some extra stuff that can change.
>
> Here is a copy of what I put on my webpage. http://www.gheek.net/?p=78
>
> In order to get rancid to collect the config from an IPS module you
> will need to make sure you have the correct login creds in the rancid
> users ".cloginrc", add the type of ips to "rancid-fe" and you also
> need to create the "ipsrancid" script.
>
> Changes required for "rancid-fe"
> 'ips' => 'ipsrancid',
>
> Create the "ipsrancid" script as "/bin/ipsrancid". Make
> sure you "chmod 755 /bin/ipsrancid" and "chown
> : /bin/ipsrancid".
> #! /usr/bin/perl
> ##
> ## Copyright (C) 1997-2004 by Terrapin Communications, Inc.
> ## All rights reserved.
> ##
> ## This software may be freely copied, modified and redistributed
> ## without fee for non-commerical purposes provided that this license
> ## remains intact and unmodified with any RANCID distribution.
> ##
> ## There is no warranty or other guarantee of fitness of this software.
> ## It is provided solely "as is". The author(s) disclaim(s) all
> ## responsibility and liability with respect to this software's usage
> ## or its effect upon hardware, computer systems, other software, or
> ## anything else.
> ##
> ## Except where noted otherwise, rancid was written by and is maintained by
> ## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin Schutz.
> ##
> #
> # hacked version of Hank's rancid - this one tries to deal with Hitachi's.
> #
> # Modified again by Lance Vermilion (11/13/08)
> # Modified from htrancid by Jeremy M. Guthrie
> # Created on 5/4/2007
> #
> # This is meant to try handle Cisco's IPS V5.X line and on
> #
> # RANCID - Really Awesome New Cisco confIg Differ
> #
> # usage: ipsrancid [-d] [-l] [-f filename | $host]
> use Getopt::Std;
> getopts('dfl');
> $log = $opt_l;
> $debug = $opt_d;
> $file = $opt_f;
> $host = $ARGV[0];
> $clean_run = 0;
> $found_end = 0;
> $timeo = 90; # clogin timeout in seconds
> my(@commandtable, %commands, @commands);# command lists
> my(%filter_pwds); # password filtering mode
>
> # This routine is used to print out the router configuration
> sub ProcessHistory {
>
>     ($new_hist_tag,$new_command,$command_string, @string) = (@_);
>     if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
>         && defined %history) {
>         print eval "$command \%history";
>         undef %history;
>     }
>     if (($new_hist_tag) && ($new_command) && ($command_string)) {
>         if ($history{$command_string}) {
>             $history{$command_string} = "$history{$command_string}@string";
>         } else {
>             $history{$command_string} = "@string";
>         }
>     } elsif (($new_hist_tag) && ($new_command)) {
>         $history{++$#history} = "@string";
>     } else {
>         print "@string";
>     }
>     $hist_tag = $new_hist_tag;
>     $command = $new_command;
>     1;
> }
>
> sub numerically { $a <=> $b; }
>
> # This is a sort routine that will sort numerically on the
> # keys of a hash as if it were a normal array.
> sub keynsort {
>     local(%lines) = @_;
>     local($i) = 0;
>     local(@sorted_lines);
>     foreach $key (sort numerically keys(%lines)) {
>         $sorted_lines[$i] = $lines{$key};
>         $i++;
>     }
>     @sorted_lines;
> }
>
> # This is a sort routine that will sort on the
> # keys of a hash as if it were a normal array.
> sub keysort {
>     local(%lines) = @_;
>     local($i) = 0;
>     local(@sorted_lines);
>     foreach $key (sort keys(%lines)) {
>         $sorted_lines[$i] = $lines{$key};
>         $i++;
>     }
>     @sorted_lines;
> }
>
> # This is a sort routine that will sort on the
> # values of a hash as if it were a normal array.
> sub valsort{
>     local(%lines) = @_;
>     local($i) = 0;
>     local(@sorted_lines);
>     foreach $key (sort values %lines) {
>         $sorted_lines[$i] = $key;
>         $i++;
>     }
>     @sorted_lines;
> }
>
> # This is a numerical sort routine (ascending).
> sub numsort {
>     local(%lines) = @_;
>     local($i) = 0;
>     local(@sorted_lines);
>     foreach $num (sort {$a <=> $b} keys %lines) {
>         $sorted_lines[$i] = $lines{$num};
>         $i++;
>     }
>     @sorted_lines;
> }
>
> # This is a sort routine that will sort on the
> # ip address when the ip address is anywhere in
> # the strings.
> sub ipsort {
>     local(%lines) = @_;
>     local($i) = 0;
>     local(@sorted_lines);
>     foreach $addr (sort sortbyipaddr keys %lines) {
>         $sorted_lines[$i] = $lines{$addr};
>         $i++;
>     }
>     @sorted_lines;
> }
>
> # These two routines will sort based upon IP addresses
> sub ipaddrval {
>     my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#);
>     $a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0]));
> }
> sub sortbyipaddr {
>     &ipaddrval($a) <=> &ipaddrval($b);
> }
>
> # This routine parses "show config"
> sub ShowConfig {
>     print STDERR " In ShowConfig: $_" if ($debug);
>
>     $firstexit=0;
>
>     while (<INPUT>) {
>         tr/\015//d;
>         tr/\020//d;
>
>         #strip out the stupid spinning running-config progress thingy
>         s/Generating current config: \.*[\|\/\-\\]//gi;
>         $skipprocess=0;
>
>         #sometimes an 'exit' appears at the top of the config, we don't want them
>         if ( (/^exit/) && ( ! $firstexit ) ) {
>             $firstexit=1;
>             $skipprocess=1;
>         }
>
>         #remove spaces left over from lame spinning progress thingy
>         if ( /^\s+! ??????????/ ) {
>             s/^\s+!/!/g
>         }
>
>         if (/^(read-only-community) / && $filter_pwds >= 1) {
>             ProcessHistory("","","","!$1 \n"); next;
>         }
>         if (/^(read-write-community) / && $filter_pwds >= 1) {
>             ProcessHistory("","","","!$1 \n"); next;
>         }
>         if (/^(trap-community-name) / && $filter_pwds >= 1) {
>             ProcessHistory("","","","!$1 \n"); next;
>         }
>         if (/^(ntp-keys \d+ md5-key) / && $filter_pwds >= 1) {
>             ProcessHistory("","","","!$1 \n"); next;
>         }
>         if (/^(password) / && $filter_pwds >= 1) {
>             ProcessHistory("","","","!$1 \n"); next;
>         }
>
>         last if (/^$prompt/);
>         next if (/^(\s*|\s*$cmd\s*)$/);
>         if ( ! /^$prompt/) {
>             if ( ! $skipprocess ) {
>                 print STDOUT " ShowConfig Data: $_" if ($debug);
>                 ProcessHistory("","","","$_");
>             }
>         }
>     }
>     $clean_run=1;
>     print STDERR " Exiting ShowConfig: $_" if ($debug);
>     return(0);
> }
>
> # This routine parses single command's that return no required info
> sub ShowVersion {
>     print STDERR " In ShowVersion: $_" if ($debug);
>     ProcessHistory("","","","!\n!IPS Show Version Start\n");
>
>     while (<INPUT>) {
>         tr/\015//d;
>
>         $skipprocess=0;
>
>         if ( /^Sensor up-time/ ) { $skipprocess=1; }
>         if ( ( /using.*bytes of available/i ) ) { $skipprocess=1; }
>
>         last if (/^$prompt/);
>         next if (/^(\s*|\s*$cmd\s*)$/);
>         if ( ! /^$prompt/) {
>             if ( ! $skipprocess ) {
>                 print STDOUT " ShowVersion Data: $_" if ($debug);
>                 ProcessHistory("","","","! $_");
>             }
>         }
>     }
>     ProcessHistory("","","","!\n!IPS Show Version End\n");
>     print STDERR " Exiting ShowVersion: $_" if ($debug);
>     return(0)
> }
>
> # This routine parses single command's that return no required info
> sub ShowUsersAll {
>     print STDERR " In ShowUsersAll: $_" if ($debug);
>     ProcessHistory("","","","!\n!IPS User Database Start\n");
>
>     while (<INPUT>) {
>         tr/\015//d;
>
>         $skipprocess=0;
>
>         s/^ CLI ID //g;
>         s/^ //g;
>         s/^\* +[0-9]+ +//g;
>
>         last if (/^$prompt/);
>         next if (/^(\s*|\s*$cmd\s*)$/);
>         if ( ! /^$prompt/) {
>             if ( ! $skipprocess ) {
>                 print STDOUT " ShowUsersAll Data: $_" if ($debug);
>                 ProcessHistory("","","","!$_");
>             }
>         }
>     }
>     ProcessHistory("","","","!\n!IPS User Database End\n!\n!\n");
>     print STDERR " Exiting ShowUsersAll: $_" if ($debug);
>     return(0)
> }
>
> # dummy function
> sub DoNothing {print STDOUT;}
>
> # Main
> @commandtable = (
>     {'show version' => 'ShowVersion'},
>     {'show users all' => 'ShowUsersAll'},
>     {'show configuration' => 'ShowConfig'}
> );
> # Use an array to preserve the order of the commands and a hash for mapping
> # commands to the subroutine and track commands that have been completed.
> @commands = map(keys(%$_), @commandtable);
> %commands = map(%$_, @commandtable);
>
> $cisco_cmds=join(";",@commands);
> $cmds_regexp=join("|",@commands);
>
> open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
> select(OUTPUT);
> # make OUTPUT unbuffered if debugging
> if ($debug) { $| = 1; }
>
> # The IPS doesn't like the TERM of network so we must change it
> if ( $ENV{TERM} eq 'network' ) {
>     $ENV{TERM} = 'vt100';
> }
> if ($file) {
>     print STDERR "opening file $host\n" if ($debug);
>     print STDOUT "opening file $host\n" if ($log);
>     open(INPUT,"<$host") || die "open failed for $host: $!\n";
> } else {
>     print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($debug);
>     print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" $host\n" if ($log);
>     if (defined($ENV{NOPIPE})) {
>         system "clogin -t $timeo -c \"$cisco_cmds\" $host > $host.raw 2>&1" || die "clogin failed for $host: $!\n";
>         open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n";
>     } else {
>         open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "clogin failed for $host: $!\n";
>     }
> }
> # Change the TERM back to network
> if ( $ENV{TERM} eq 'vt100' ) {
>     $ENV{TERM} = 'network';
> }
>
> # determine password filtering mode
> if ($ENV{"FILTER_PWDS"} =~ /no/i) {
>     $filter_pwds = 0;
> } elsif ($ENV{"FILTER_PWDS"} =~ /all/i) {
>     $filter_pwds = 2;
> } else {
>     $filter_pwds = 1;
> }
>
> ProcessHistory("","","","!RANCID-CONTENT-TYPE: ipsrancid\n!\n");
> TOP: while(<INPUT>) {
>     tr/\015//d;
>
>     #strip out the stupid spinning running-config progress thingy
>     s/Generating current config: \.*[\|\/\-\\]//gi;
>
>     if (/^.*logout$/) {
>         $clean_run=1;
>         last;
>     }
>     if (/^Error:/) {
>         print STDOUT ("$host clogin error: $_");
>         print STDERR ("$host clogin error: $_") if ($debug);
>         $clean_run=0;
>         last;
>     }
>     while (/($cmds_regexp)/) {
>         $cmd = $1;
>         if (!defined($prompt)) {
>             $prompt = ($_ =~ /^([^#]+#)/)[0];
>             $prompt =~ s/([][}{)(\\])/\\$1/g;
>             print STDERR ("PROMPT MATCH: $prompt\n") if ($debug);
>         }
>         print STDERR ("IPS COMMAND:$_") if ($debug);
>         if (! defined($commands{$cmd})) {
>             print STDERR "$host: found unexpected command - \"$cmd\"\n";
>             $clean_run = 0;
>             last TOP;
>         }
>         $rval = &{$commands{$cmd}};
>         delete($commands{$cmd});
>         if ($rval == -1) {
>             $clean_run = 0;
>             last TOP;
>         }
>     }
> }
> print STDOUT "Done $logincmd: $_\n" if ($log);
> # Flush History
> ProcessHistory("","","","");
> # Cleanup
> close(INPUT);
> close(OUTPUT);
>
> if (defined($ENV{NOPIPE})) {
>     unlink("$host.raw") if (! $debug);
> }
>
> # check for completeness
> if (scalar(%commands) || !$clean_run ) {
>     if (scalar(%commands)) {
>         printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
>         printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
>     }
>     if (!$clean_run ) {
>         print STDOUT "$host: End of run not found\n";
>         print STDERR "$host: End of run not found\n" if ($debug);
>         system("/usr/bin/tail -1 $host.new");
>     }
>     unlink "$host.new" if (! $debug);
> }
>
> On Wed, Nov 12, 2008 at 11:53 PM, john heasley wrote:
>
> Wed, Nov 12, 2008 at 05:36:50PM -0700, Lance Vermilion:
>
> I don't understand what this is meaning. i have searched around but
> still can't figure out what the # sign is used for in perl regex like
> it is being used here.
>
> while (/#\s*($cmds_regexp)\s*$/) {
>
> the # is a #, the end of the enabled user's prompt.
>
> If I can figure this out then I will have the IPS module working for
> rancid using the default clogin/rancid with only minor tweaks.
>
> --
> Gregory W Zill, MBA, CISSP
> Information Security Engineer

From gregoryzill at solutionary.com Fri Nov 14 15:44:00 2008
From: gregoryzill at solutionary.com (Gregory W Zill)
Date: Fri, 14 Nov 2008 09:44:00 -0600
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <8423e7bb0811140732r4eba2009u8bac4aa9e3aa4ab0@mail.gmail.com>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com>
 <20081113065310.GA2916@shrubbery.net>
 <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com>
 <491D88B0.3030108@solutionary.com>
 <8423e7bb0811140732r4eba2009u8bac4aa9e3aa4ab0@mail.gmail.com>
Message-ID: <491D9CC0.2040005@solutionary.com>

An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081114/ca035040/attachment.html

From smurphy at calarts.edu Fri Nov 14 17:03:03 2008
From: smurphy at calarts.edu (Sean Murphy)
Date: Fri, 14 Nov 2008 09:03:03 -0800
Subject: [rancid] Re: force10 support
In-Reply-To:
References:
Message-ID: <491DAF47.70009@calarts.edu>

Unfortunately not all Force10 Switches can be upgraded to FTOS from SFTOS.
I checked with Force10 support and the switches that we have running are
S50 Originals. I have included an email from Force10. I would hate to see
support go for SFTOS as we rely heavily on RANCID as part of our network
equipment toolkit. Unfortunately I don't have much experience with
programming but I do have the Force10 equipment and will be able to test
updates for the RANCID team if that's what you need.

Sean,

The switch in question over here is an S50-Classic, and I am afraid FTOS
is not supported on these switches. Let me know if you have any questions.

Thanks,
Pranav

Chris Bell wrote:
> If it matters - we have been slowly upgrading our S50V switches from
> SFTOS to FTOS. We run them in stacks. Running SFTOS, I cannot run
> RANCID against them with all the bugs concerning SSH. I despise TELNET,
> but I guess that would be an option.
>
> We have an E1200 at the core that has been RANCID friendly for several
> years. Upgrading the closet S50V's to also be RANCID friendly is worth
> any headache it may cause in my book...
>
> I can also say (for those who are interested) that we've had few
> problems running the new 7.7.1.1 code on our S50V's than we have ever
> had running SFTOS.
>
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of john heasley
> Sent: Thursday, November 13, 2008 6:08 PM
> To: rancid-discuss at shrubbery.net
> Subject: [rancid] force10 support
>
> I'm considering not supporting SFTOS, the pre-FTOS O/S for Force10.
> SFTOS is EOL and AFAICT FTOS is supported on all of the hardware. The
> differences are slight but annoying enough and I'm not convinced it's
> worth the effort.
> For some that means upgrading, which may not be easy for them.
>
> Who can honestly say that they can't upgrade and really need SFTOS
> support?

From smunzani at comcast.net Fri Nov 14 17:07:51 2008
From: smunzani at comcast.net (Sam Munzani)
Date: Fri, 14 Nov 2008 11:07:51 -0600
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com>
 <20081113065310.GA2916@shrubbery.net>
 <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com>
Message-ID: <491DB067.2050007@comcast.net>

John,

Can we get a new beta revision out with this included? I think somebody
had made Cisco MDS9000 switches work after the last beta.

Thanks,
sam

From rancid at gheek.net Fri Nov 14 18:37:23 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Fri, 14 Nov 2008 11:37:23 -0700
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <491D9CC0.2040005@solutionary.com>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com> <20081113065310.GA2916@shrubbery.net> <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com> <491D88B0.3030108@solutionary.com> <8423e7bb0811140732r4eba2009u8bac4aa9e3aa4ab0@mail.gmail.com> <491D9CC0.2040005@solutionary.com>
Message-ID: <8423e7bb0811141037m1705ba98v74e4317f2ae54fb9@mail.gmail.com>

Are you running the IPS on a 6500 or on an ASA?

2008/11/14 Gregory W Zill:
> Lance,
> I originally had "autoenable...0" and from there I went to "noenable" --
> upon your suggestion I just tried "autoenable...1" all have just about the
> same result. However, the "autoenable...1" with clogin does allow me to
> interact with the IPS, whereas the other settings freeze once logged in and
> I end up timing out back to the rancid host.
>
> Gregory,
>
> You need to set autoenable for that device inside your ".cloginrc".
> The IP puts you in privilege 15 when you login. I am guessing you do
> not have that specified so rancid is trying to enable.
>
> 2008/11/14 Gregory W Zill:
>
>
> I get what appears to be a second user inputted somehow. Have you seen this?
> How might I fix? This is a 4215 IPS.
>
> $ clogin test_cisco_ips6
> test_cisco_ips6
> spawn ssh -c 3des -x -l cisco test_cisco_ips6
>
> Password:
> Last login: Fri Nov 14 09:07:54 2008 from 10.1.1.107
>
> cisco
> test_cisco_ips6# cisco
> ^
> % Invalid input detected at '^' marker
>
>
> BTW, the ipsrancid is great -- thank you
>
> Thx Max and John.
>
> As for making rancid work with IPS modules I have found that the post > from Jeremy M.
Guthrie > "http://www.shrubbery.net/pipermail/rancid-discuss/2007-May/002209.html" > does very well and doesn't require making a lot of changes to rancid > to handle the errors that happen if you run too many commands that are > invalid commands. I also eliminated the need for his ipslogin. I > simply just had perl set the TERM to vt100 before it ran clogin and > then set the TERM back to network after it was finished running > clogin. I also fixed some typo's he had where it was the work "at" > instead of "@". I fixed what should be skipped for the ShowVersion as > it had some extra stuff that can change. > > Here is a copy of what I put on my webpage. http://www.gheek.net/?p=78 > > In order to get rancid to collect the config from an IPS module you > will need to make sure you have the correct login creds in the rancid > users ".cloginrc", add the type of ips to "rancid-fe" and you also > need to create the "ipsrancid" script. > > Changes required for "rancid-fe" > 'ips' => 'ipsrancid', > > Create the "ipsrancid" script as "/bin/ipsrancid". Make > sure you "chmod 755 /bin/ipsrancid" and "chown > : /bin/ipsrancid". > #! /usr/bin/perl > ## > ## Copyright (C) 1997-2004 by Terrapin Communications, Inc. > ## All rights reserved. > ## > ## This software may be freely copied, modified and redistributed > ## without fee for non-commerical purposes provided that this license > ## remains intact and unmodified with any RANCID distribution. > ## > ## There is no warranty or other guarantee of fitness of this software. > ## It is provided solely "as is". The author(s) disclaim(s) all > ## responsibility and liability with respect to this software's usage > ## or its effect upon hardware, computer systems, other software, or > ## anything else. > ## > ## Except where noted otherwise, rancid was written by and is maintained by > ## Henry Kilmer, John Heasley, Andrew Partan, Pete Whiting, and Austin > Schutz. 
> ## > # > # hacked version of Hank's rancid - this one tries to deal with Hitachi's. > # > # Modified again by Lance Vermilion (11/13/08) > # Modified from htrancid by Jeremy M. Guthrie > # Created on 5/4/2007 > # > # This is meant to try handle Cisco's IPS V5.X line and on > # > # RANCID - Really Awesome New Cisco confIg Differ > # > # usage: ipsrancid [-d] [-l] [-f filename | $host] > use Getopt::Std; > getopts('dfl'); > $log = $opt_l; > $debug = $opt_d; > $file = $opt_f; > $host = $ARGV[0]; > $clean_run = 0; > $found_end = 0; > $timeo = 90; # clogin timeout in seconds > my(@commandtable, %commands, @commands);# command lists > my(%filter_pwds); # password filtering mode > > # This routine is used to print out the router configuration > sub ProcessHistory { > > ($new_hist_tag,$new_command,$command_string, @string) = (@_); > if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command)) > && defined %history) { > print eval "$command \%history"; > undef %history; > } > if (($new_hist_tag) && ($new_command) && ($command_string)) { > if ($history{$command_string}) { > $history{$command_string} = "$history{$command_string}@string"; > } else { > $history{$command_string} = "@string"; > } > } elsif (($new_hist_tag) && ($new_command)) { > $history{++$#history} = "@string"; > } else { > print "@string"; > } > $hist_tag = $new_hist_tag; > $command = $new_command; > 1; > } > > sub numerically { $a <=> $b; } > > # This is a sort routine that will sort numerically on the > # keys of a hash as if it were a normal array. > sub keynsort { > local(%lines) = @_; > local($i) = 0; > local(@sorted_lines); > foreach $key (sort numerically keys(%lines)) { > $sorted_lines[$i] = $lines{$key}; > $i++; > } > @sorted_lines; > } > > # This is a sort routine that will sort on the > # keys of a hash as if it were a normal array. 
> sub keysort { > local(%lines) = @_; > local($i) = 0; > local(@sorted_lines); > foreach $key (sort keys(%lines)) { > $sorted_lines[$i] = $lines{$key}; > $i++; > } > @sorted_lines; > } > > # This is a sort routine that will sort on the > # values of a hash as if it were a normal array. > sub valsort{ > local(%lines) = @_; > local($i) = 0; > local(@sorted_lines); > foreach $key (sort values %lines) { > $sorted_lines[$i] = $key; > $i++; > } > @sorted_lines; > } > > # This is a numerical sort routine (ascending). > sub numsort { > local(%lines) = @_; > local($i) = 0; > local(@sorted_lines); > foreach $num (sort {$a <=> $b} keys %lines) { > $sorted_lines[$i] = $lines{$num}; > $i++; > } > @sorted_lines; > } > > # This is a sort routine that will sort on the > # ip address when the ip address is anywhere in > # the strings. > sub ipsort { > local(%lines) = @_; > local($i) = 0; > local(@sorted_lines); > foreach $addr (sort sortbyipaddr keys %lines) { > $sorted_lines[$i] = $lines{$addr}; > $i++; > } > @sorted_lines; > } > > # These two routines will sort based upon IP addresses > sub ipaddrval { > my(@a) = ($_[0] =~ m#^(\d+)\.(\d+)\.(\d+)\.(\d+)$#); > $a[3] + 256 * ($a[2] + 256 * ($a[1] +256 * $a[0])); > } > sub sortbyipaddr { > &ipaddrval($a) <=> &ipaddrval($b); > } > > # This routine parses "show config" > sub ShowConfig { > print STDERR " In ShowConfig: $_" if ($debug); > > $firstexit=0; > > while () { > tr/\015//d; > tr/\020//d; > > #strip out the stupid spinning running-config progress thingy > s/Generating current config: \.*[\|\/\-\\]//gi; > $skipprocess=0; > > #sometimes an 'exit' appears at the top of the config, we > don't want them > if ( (/^exit/) && ( ! $firstexit ) ) { > $firstexit=1; > $skipprocess=1; > } > > #remove spaces left over from lame spinning progress thingy > if ( /^\s+! 
??????????/ ) { > s/^\s+!/!/g > } > > if (/^(read-only-community) / && $filter_pwds >= 1) { > ProcessHistory("","","","!$1 \n"); next; > } > if (/^(read-write-community) / && $filter_pwds >= 1) { > ProcessHistory("","","","!$1 \n"); next; > } > if (/^(trap-community-name) / && $filter_pwds >= 1) { > ProcessHistory("","","","!$1 \n"); next; > } > if (/^(ntp-keys \d+ md5-key) / && $filter_pwds >= 1) { > ProcessHistory("","","","!$1 \n"); next; > } > if (/^(password) / && $filter_pwds >= 1) { > ProcessHistory("","","","!$1 \n"); next; > } > > last if (/^$prompt/); > next if (/^(\s*|\s*$cmd\s*)$/); > if ( ! /^$prompt/) { > if ( ! $skipprocess ) { > print STDOUT " ShowConfig Data: $_" if > ($debug); > ProcessHistory("","","","$_"); > } > } > } > $clean_run=1; > print STDERR " Exiting ShowConfig: $_" if ($debug); > return(0); > } > > # This routine parses single command's that return no required info > sub ShowVersion { > print STDERR " In ShowVersion: $_" if ($debug); > ProcessHistory("","","","!\n!IPS Show Version Start\n"); > > while () { > tr/\015//d; > > $skipprocess=0; > > if ( /^Sensor up-time/ ) { $skipprocess=1; } > if ( ( /using.*bytes of available/i ) ) { $skipprocess=1; } > > last if (/^$prompt/); > next if (/^(\s*|\s*$cmd\s*)$/); > if ( ! /^$prompt/) { > if ( ! $skipprocess ) { > print STDOUT " ShowVersion Data: $_" if > ($debug); > ProcessHistory("","","","! $_"); > } > } > } > ProcessHistory("","","","!\n!IPS Show Version End\n"); > print STDERR " Exiting ShowVersion: $_" if ($debug); > return(0) > } > > # This routine parses single command's that return no required info > sub ShowUsersAll { > print STDERR " In ShowUsersAll: $_" if ($debug); > ProcessHistory("","","","!\n!IPS User Database Start\n"); > > while () { > tr/\015//d; > > $skipprocess=0; > > s/^ CLI ID //g; > s/^ //g; > s/^\* +[0-9]+ +//g; > > last if (/^$prompt/); > next if (/^(\s*|\s*$cmd\s*)$/); > if ( ! /^$prompt/) { > if ( ! 
$skipprocess ) { > print STDOUT " ShowUsersAll Data: $_" if > ($debug); > ProcessHistory("","","","!$_"); > } > } > } > ProcessHistory("","","","!\n!IPS User Database End\n!\n!\n"); > print STDERR " Exiting ShowUsersAll: $_" if ($debug); > return(0) > } > > # dummy function > sub DoNothing {print STDOUT;} > > # Main > @commandtable = ( > {'show version' => 'ShowVersion'}, > {'show users all' => 'ShowUsersAll'}, > {'show configuration' => 'ShowConfig'} > ); > # Use an array to preserve the order of the commands and a hash for mapping > # commands to the subroutine and track commands that have been completed. > @commands = map(keys(%$_), @commandtable); > %commands = map(%$_, @commandtable); > > $cisco_cmds=join(";", at commands); > $cmds_regexp=join("|", at commands); > > open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n"; > select(OUTPUT); > # make OUTPUT unbuffered if debugging > if ($debug) { $| = 1; } > > # The IPS doesn't like the TERM of network so we must change it > if ( $ENV{TERM} eq 'network' ) { > $ENV{TERM} = 'vt100?; > } > if ($file) { > print STDERR "opening file $host\n" if ($debug); > print STDOUT "opening file $host\n" if ($log); > open(INPUT,"<$host") || die "open failed for $host: $!\n"; > } else { > print STDERR "executing clogin -t $timeo -c\"$cisco_cmds\" > $host\n" if ($debug); > print STDOUT "executing clogin -t $timeo -c\"$cisco_cmds\" > $host\n" if ($log); > if (defined($ENV{NOPIPE})) { > system "clogin -t $timeo -c \"$cisco_cmds\" $host > $host.raw 2>&1" || die "clogin failed for $host: $!\n"; > open(INPUT, "< $host.raw") || die "clogin failed for $host: $!\n"; > } else { > open(INPUT,"clogin -t $timeo -c \"$cisco_cmds\" $host > } > } > # Change the TERM back to network > if ( $ENV{TERM} eq 'vt100? 
) { > $ENV{TERM} = 'network'; > } > > # determine password filtering mode > if ($ENV{"FILTER_PWDS"} =~ /no/i) { > $filter_pwds = 0; > } elsif ($ENV{"FILTER_PWDS"} =~ /all/i) { > $filter_pwds = 2; > } else { > $filter_pwds = 1; > } > > ProcessHistory("","","","!RANCID-CONTENT-TYPE: ipsrancid\n!\n"); > TOP: while() { > tr/\015//d; > > #strip out the stupid spinning running-config progress thingy > s/Generating current config: \.*[\|\/\-\\]//gi; > > if (/^.*logout$/) { > $clean_run=1; > last; > } > if (/^Error:/) { > print STDOUT ("$host clogin error: $_"); > print STDERR ("$host clogin error: $_") if ($debug); > $clean_run=0; > last; > } > while (/($cmds_regexp)/) { > $cmd = $1; > if (!defined($prompt)) { > $prompt = ($_ =~ /^([^#]+#)/)[0]; > $prompt =~ s/([][}{)(\\])/\\$1/g; > print STDERR ("PROMPT MATCH: $prompt\n") if ($debug); > } > print STDERR ("IPS COMMAND:$_") if ($debug); > if (! defined($commands{$cmd})) { > print STDERR "$host: found unexpected command - \"$cmd\"\n"; > $clean_run = 0; > last TOP; > } > $rval = &{$commands{$cmd}}; > delete($commands{$cmd}); > if ($rval == -1) { > $clean_run = 0; > last TOP; > } > } > } > print STDOUT "Done $logincmd: $_\n" if ($log); > # Flush History > ProcessHistory("","","",""); > # Cleanup > close(INPUT); > close(OUTPUT); > > if (defined($ENV{NOPIPE})) { > unlink("$host.raw") if (! $debug); > } > > # check for completeness > if (scalar(%commands) || !$clean_run ) { > if (scalar(%commands)) { > printf(STDOUT "$host: missed cmd(s): %s\n", join(',', > keys(%commands))); > printf(STDERR "$host: missed cmd(s): %s\n", join(',', > keys(%commands))) if ($debug); > } > if (!$clean_run ) { > print STDOUT "$host: End of run not found\n"; > print STDERR "$host: End of run not found\n" if ($debug); > system("/usr/bin/tail -1 $host.new"); > } > unlink "$host.new" if (! 
$debug); > } > > On Wed, Nov 12, 2008 at 11:53 PM, john heasley wrote: > > > Wed, Nov 12, 2008 at 05:36:50PM -0700, Lance Vermilion: > > > I don't understand what this is meaning. i have searched around but > still can't figure out what the # sign is used for in perl regex like > it is being used here. > > while (/#\s*($cmds_regexp)\s*$/) { > > > the # is a #, the end of the enabled user's prompt. > > > > If I can figure this out then I will have the IPS module working for > rancid using the default clogin/rancid with only minor tweaks. > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > -- > > Gregory W Zill, MBA, CISSP > Information Security Engineer > Phone: 402-361-3066 > Email: gregoryzill at solutionary.com > Making Security Manageable > ________________________________ > ActiveGuard(R) and SecurCompass(R) are recognized excellence award winners > by SC > Magazine and InfoSecurity Products Guide. > > Confidentiality Notice: The content of this communication, along with any > attachments, is covered by federal and state law governing electronic > communications and may contain confidential and legally privileged > information. If the reader of this message is not the intended recipient, > you are hereby notified that any dissemination, distribution, use or copying > of the information contained herein is strictly prohibited. If you have > received this communication in error, please immediately contact us by > telephone at 402.361.3000 or e-mail security at solutionary.com. Thank you. > > Copyright 2000-2008, Solutionary, Inc. All rights reserved. 
ActiveGuard, > SecurCompass, Solutionary and the Solutionary logo are registered marks of > Solutionary, Inc. SecurComply is a service mark of Solutionary, Inc.
From ecables at gmail.com Fri Nov 14 18:33:16 2008
From: ecables at gmail.com (Eric Cables)
Date: Fri, 14 Nov 2008 10:33:16 -0800
Subject: [rancid] FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect?
Message-ID:

I've been running into this problem quite frequently, about once a week or so rancid will hang for no apparent reason, and until I kill the process it will remain hung. I've read in the archives that Linux & Solaris have a problem with expect that requires a patch, but does this also include FreeBSD?

--
Eric Cables

From heas at shrubbery.net Fri Nov 14 19:18:08 2008
From: heas at shrubbery.net (john heasley)
Date: Fri, 14 Nov 2008 11:18:08 -0800
Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect?
In-Reply-To:
References:
Message-ID: <20081114191808.GB2748@shrubbery.net>

Fri, Nov 14, 2008 at 10:33:16AM -0800, Eric Cables:
> I've been running into this problem quite frequently, about once a week or
> so rancid will hang for no apparent reason, and until I kill the process it
> will remain hung. I've read in the archives that Linux & Solaris have a
> problem with expect that requires a patch, but does this also include
> FreeBSD?

Yes, some combinations of recent tcl / expect seem to have trouble on fbsd. I'm not sure why, but the expect was pulled from distribution site for defects. The problem is that rolling back (via ports) seems to resurrect an old problem which itself had been corrected in ports by rolling back, IIRC.

I do not use freebsd and haven't had time to debug the problem. ports is, imho, too anxious to move forward with new tcl/expect versions and both are too delicate for that.

From ecables at gmail.com Fri Nov 14 19:25:29 2008
From: ecables at gmail.com (Eric Cables)
Date: Fri, 14 Nov 2008 11:25:29 -0800
Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect?
In-Reply-To: <20081114191808.GB2748@shrubbery.net>
References: <20081114191808.GB2748@shrubbery.net>
Message-ID:

Are there any debugging options available to try and isolate the root cause of the problem? I could probably write up a shell script that finds hung processes and kills them, but that's certainly not the best option. :-)

--
Eric Cables

On Fri, Nov 14, 2008 at 11:18 AM, john heasley wrote:
> Fri, Nov 14, 2008 at 10:33:16AM -0800, Eric Cables:
> > I've been running into this problem quite frequently, about once a week or
> > so rancid will hang for no apparent reason, and until I kill the process it
> > will remain hung. I've read in the archives that Linux & Solaris have a
> > problem with expect that requires a patch, but does this also include
> > FreeBSD?
>
> Yes, some combinations of recent tcl / expect seem to have trouble on fbsd.
> I'm not sure why, but the expect was pulled from distribution site for
> defects. the problem is that rolling back (via ports) seems to resurrect
> an old problem which itself had been corrected in ports by rolling back,
> IIRC.
>
> I do not use freebsd and haven't had time to debug the problem. ports is,
> imho, too anxious to move forward with new tcl/expect versions and both are
> too delicate for that.
>

From rancid at gheek.net Fri Nov 14 19:49:24 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Fri, 14 Nov 2008 12:49:24 -0700
Subject: [rancid] Re: Understand some regex used in rancid
In-Reply-To: <491DC718.8030208@solutionary.com>
References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com> <20081113065310.GA2916@shrubbery.net> <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com> <491D88B0.3030108@solutionary.com> <8423e7bb0811140732r4eba2009u8bac4aa9e3aa4ab0@mail.gmail.com> <491D9CC0.2040005@solutionary.com> <8423e7bb0811141037m1705ba98v74e4317f2ae54fb9@mail.gmail.com> <491DC718.8030208@solutionary.com>
Message-ID: <8423e7bb0811141149k4c2cbe75w7c94df95a6fd770e@mail.gmail.com>

It looks like you have some Windows inserted control characters. I would run a perl -c ipsrancid to see if it is all ok. I think what your issue is. getopts('dfl').....something like this line. Those should be single ticks (1 key left of enter on a US keyboard).

2008/11/14 Managed Devices:
> This is a Cisco 4215 chassis IPS.
>
> I have checked the logs and noticed another item since I may be getting a
> little further along with "autoenable...1"
>
> =====================================
> Getting missed routers: round 4.
> Unrecognized character \xE2 at /home/mdrancid/bin/ipsrancid line 32.
>
> -------- Original Message --------
>
> Are you running the IPS on a 6500 or on an ASA?
>
> 2008/11/14 Gregory W Zill:
>
>
> Lance,
> I originally had "autoenable...0" and from there I went to "noenable" --
> upon your suggestion I just tried "autoenable...1" all have just about the
> same result. However, the "autoenable...1" with clogin does allow me to
> interact with the IPS, whereas the other settings freeze once logged in and
> I end up timing out back to the rancid host.
>
> Gregory,
>
> You need to set autoenable for that device inside your ".cloginrc".
> The IP puts you in privilege 15 when you login. I am guessing you do
> not have that specified so rancid is trying to enable.
> --
>
> ----------------------------
> Gregory W Zill, MBA, CISSP
> Managed Device Team
> Solutionary, Inc.
> "Making security manageable"
> ----------------------------
From heas at shrubbery.net Fri Nov 14 23:26:00 2008
From: heas at shrubbery.net (john heasley)
Date: Fri, 14 Nov 2008 15:26:00 -0800
Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect?
In-Reply-To:
References: <20081114191808.GB2748@shrubbery.net>
Message-ID: <20081114232600.GC801@shrubbery.net>

I have no idea what the problem is. I expect it'll require a mix of
ktrace, gcore/gdb, and tcpdump to figure out what is causing tcl/expect
to hang.

Fri, Nov 14, 2008 at 11:25:29AM -0800, Eric Cables:
> Are there any debugging options available to try and isolate the root cause
> of the problem? I could probably write up a shell script that finds hung
> processes and kills them, but that's certainly not the best option. :-)
>
> --
> Eric Cables
>
>
> On Fri, Nov 14, 2008 at 11:18 AM, john heasley wrote:
>
> > Fri, Nov 14, 2008 at 10:33:16AM -0800, Eric Cables:
> > > I've been running into this problem quite frequently, about once a week or
> > > so rancid will hang for no apparent reason, and until I kill the process it
> > > will remain hung. I've read in the archives that Linux & Solaris have a
> > > problem with expect that requires a patch, but does this also include
> > > FreeBSD?
> >
> > Yes, some combinations of recent tcl / expect seem to have trouble on fbsd.
> > I'm not sure why, but the expect was pulled from distribution site for
> > defects. the problem is that rolling back (via ports) seems to resurrect
> > an old problem which itself had been corrected in ports by rolling back,
> > IIRC.
> >
> > I do not use freebsd and haven't had time to debug the problem. ports is,
> > imho, too anxious to move forward with new tcl/expect versions and both are
> > too delicate for that.
>

From ecables at gmail.com Fri Nov 14 23:47:39 2008
From: ecables at gmail.com (Eric Cables) Date: Fri, 14 Nov 2008 15:47:39 -0800 Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect? In-Reply-To: <20081114232600.GC801@shrubbery.net> References: <20081114191808.GB2748@shrubbery.net> <20081114232600.GC801@shrubbery.net> Message-ID: Is this something I can do when I discover the process is hung, or something that has to be prepared before it hangs? For example, if I come back into the office on Monday to find RANCID hung, is there anything I can do to collect forensics as to what caused it to hang? -- Eric Cables On Fri, Nov 14, 2008 at 3:26 PM, john heasley wrote: > I have no idea what the problem is. I expect it'l require a mix of > ktrace, gcore/gdb, and tcpdump to figure out what is causing tcl/expect > to hang. > > Fri, Nov 14, 2008 at 11:25:29AM -0800, Eric Cables: > > Are there any debugging options available to try and isolate the root > cause > > of the problem? I could probably write up a shell script that finds hung > > processes and kills them, but that's certainly not the best option. :-) > > > > -- > > Eric Cables > > > > > > On Fri, Nov 14, 2008 at 11:18 AM, john heasley > wrote: > > > > > Fri, Nov 14, 2008 at 10:33:16AM -0800, Eric Cables: > > > > I've been running into this problem quite frequently, about once a > week > > > or > > > > so rancid will hang for no apparent reason, and until I kill the > process > > > it > > > > will remain hung. I've read in the archives that Linux & Solaris > have a > > > > problem with expect that requires a patch, but does this also include > > > > FreeBSD? > > > > > > Yes, some combinations of recent tcl / expect seem to have trouble on > fbsd. > > > I'm not sure why, but the expect was pulled from distribution site for > > > defects. the problem is that rolling back (via ports) seems to > resurrect > > > an old problem which itself had been correct in ports by rolling back, > > > IIRC. 
> > > > > > I do not use freebsd and haven't had time to debug the problem. ports > is, > > > imho, too anxious to move forward with new tcl/expect versions and both > are > > > too delicate for that. > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081114/ce9196c8/attachment.html From manageddevices at solutionary.com Fri Nov 14 18:44:40 2008 From: manageddevices at solutionary.com (Managed Devices) Date: Fri, 14 Nov 2008 12:44:40 -0600 Subject: [rancid] Re: Understand some regex used in rancid In-Reply-To: <8423e7bb0811141037m1705ba98v74e4317f2ae54fb9@mail.gmail.com> References: <8423e7bb0811121636w6a29d667obde0cc2ba10afb6c@mail.gmail.com> <20081113065310.GA2916@shrubbery.net> <8423e7bb0811131311v701685f7l101fea93501881e7@mail.gmail.com> <491D88B0.3030108@solutionary.com> <8423e7bb0811140732r4eba2009u8bac4aa9e3aa4ab0@mail.gmail.com> <491D9CC0.2040005@solutionary.com> <8423e7bb0811141037m1705ba98v74e4317f2ae54fb9@mail.gmail.com> Message-ID: <491DC718.8030208@solutionary.com> An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081114/4e56ef80/attachment.html From bwindle at fint.org Mon Nov 17 18:21:14 2008 
From: bwindle at fint.org (Burton Windle)
Date: Mon, 17 Nov 2008 13:21:14 -0500 (EST)
Subject: [rancid] help with rancid w/ Dell patch
Message-ID:

I am running rancid 2.3.2~a7-2 (Ubuntu), and am attempting to integrate
the Dell (dlogin/drancid) patches from rickyninja.net

I've got dlogin working (just "./dlogin 192.168.220.10"), but if rancid
tries to send any commands (dlogin -c"show version" 192.168.220.10), the
dlogin process seems to freeze after it sends the 'exit' command (or just
waits forever).

It seems to be that my Dell switch doesn't like the 'exit' command;
sending 'exit' (when at the enable prompt) simply takes it down to normal
exec, rather than closing the session (like 'quit' does). The account I
am using to log into the switches drops directly to enable.

I tried to monkey around with the dlogin script, to have it send 'quit'
instead of 'exit', but then it was complaining about not seeing a
clean_run.*

Has anybody else seen this? I don't know the internals of rancid well
enough to hack this out at the moment.

(I emailed the author of the patch a few days ago and haven't heard from
them)


*The rancid log shows:
opened network stream from 192.168.220.10 if () at /usr/lib/rancid/bin/drancid line 267.
FOUND PROMPT: WH-ClientSW-1#
found_end = 1, clean_run = 0
192.168.220.10: End of run not found
end


--
Burton Windle bwindle at fint.org

From jonathan at 23andme.com Mon Nov 17 18:29:21 2008
From: jonathan at 23andme.com (Jonathan Hansen) Date: Mon, 17 Nov 2008 10:29:21 -0800 Subject: [rancid] Re: help with rancid w/ Dell patch In-Reply-To: References: Message-ID: <183A9040-C606-42F6-B6B5-07E33F8BAC77@23andme.com> I had the same problem... here are my fixed files. -------------- next part -------------- A non-text attachment was scrubbed... Name: dlogin Type: application/octet-stream Size: 21437 bytes Desc: not available Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081117/2432875a/attachment.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: drancid Type: application/octet-stream Size: 12630 bytes Desc: not available Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081117/2432875a/attachment-0001.obj -------------- next part -------------- On Nov 17, 2008, at 10:21 AM, Burton Windle wrote: > I am running rancid 2.3.2~a7-2 (Ubuntu), and am attempting to > integrate > the Dell (dlogin/drancid) patches from rickyninja.net > > I've got dlogin working (just "./dlogin 192.168.220.10"), but if > rancid > tries to send any commands (dlogin -c"show version" > 192.168.220.10"), the > dlogin process seems to freeze after it sends the 'exit' command (or > just > wait forever). > > It seems to be that my Dell switch doesn't like the 'exit' command; > sending 'exit' (when at the enable prompt) simply takes it down to > normal > exec, rather then closing the session (like 'quit' does). The > account I > am using to log into the switches drops directly to enable. > > I tried to monkey around with the dlogin script, to have it send > 'quit' > instead of 'exit', but then it was complaining about not seeing a > clean_run.* > > Has anybody else seen this? I don't know the internals of rancid well > enough to hack this out at the moment. 
>
> (I emailed the author of the patch a few days ago and haven't heard from
> them)
>
>
> *The rancid log shows:
> opened network stream from 192.168.220.10 if () at /usr/lib/rancid/bin/drancid line 267.
> FOUND PROMPT: WH-ClientSW-1#
> found_end = 1, clean_run = 0
> 192.168.220.10: End of run not found
> end
>
>
> --
> Burton Windle bwindle at fint.org
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss

From ecables at gmail.com Mon Nov 17 17:39:14 2008
From: ecables at gmail.com (Eric Cables)
Date: Mon, 17 Nov 2008 09:39:14 -0800
Subject: [rancid] Ignoring certain diffs
Message-ID:

I went through the archives, and implemented one of the solutions for
ignoring diffs (such as call-forward, etc.).

I implemented it as follows in control_rancid:

<-- snippit -->
if [ $RCSSYS = "cvs" ] ; then
    DIFFSUPPRESS="-I '.*call-forward.*' -I '.*Flash.*nvram.*'"

    cvs -f diff -u -4 -ko $DIFFSUPPRESS \
        | sed -e '/^RCS file: /d' -e '/^--- /d' \
        -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
else
    svn diff | sed -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff
<-- snippit -->

Unfortunately this doesn't seem to have worked. I checked my RANCID e-mail
this morning and it shows the following:

Index: configs/ =================================================================== retrieving revision 1.4 diff -u -4 -I ''\''.*call-forward.*'\''' -I ''\''.*Flash.*nvram.*'\''' -r1.4
@@ -26,16 +26,16 @@ !Flash: nvram: Directory of nvram:/ - !Flash: nvram: 230 -rw- 7166 startup-config + !Flash: nvram: 230 -rw- 7127 startup-config !Flash: nvram: 231 ---- 3867 private-config - !Flash: nvram: 232 -rw- 7166 underlying-config + !Flash: nvram: 232 -rw- 7127 underlying-config It looks like it should have ignored any lines with "Flash: nvram", yet they are still showing up. Can anyone please provide a second set of eyes and help me figure out what I've done wrong? Thanks, -- Eric Cables -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081117/1d7bac60/attachment.html From heas at shrubbery.net Tue Nov 18 19:27:30 2008 From: heas at shrubbery.net (john heasley) Date: Tue, 18 Nov 2008 11:27:30 -0800 Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect? In-Reply-To: References: <20081114191808.GB2748@shrubbery.net> <20081114232600.GC801@shrubbery.net> Message-ID: <20081118192730.GD12936@shrubbery.net> Fri, Nov 14, 2008 at 03:47:39PM -0800, Eric Cables: > Is this something I can do when I discover the process is hung, or something > that has to be prepared before it hangs? For example, if I come back into > the office on Monday to find RANCID hung, is there anything I can do to > collect forensics as to what caused it to hang? I don't believe so. Looking back, Randy has already provided enough to identify the problem and access to his machine. So, I need to find the time to debug it. If anyone with the knowledge to debug it wants to work on it; my notes indicate that we found that globs are broken. since, there may have been other changes with fbsd ports that have changed that. From smunzani at comcast.net Tue Nov 18 19:35:52 2008 
From: smunzani at comcast.net (Sam Munzani) Date: Tue, 18 Nov 2008 13:35:52 -0600 Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect? In-Reply-To: <20081118192730.GD12936@shrubbery.net> References: <20081114191808.GB2748@shrubbery.net> <20081114232600.GC801@shrubbery.net> <20081118192730.GD12936@shrubbery.net> Message-ID: <49231918.70401@comcast.net> I had similar issues a few months ago. Instead of spending time on debug, I chose to use the source from shruberry.net(2.3.2a7 version) instead of ports and used expect version 5.44.1.7. Everything seems to work with this combination. Thanks, Sam > Fri, Nov 14, 2008 at 03:47:39PM -0800, Eric Cables: > >> Is this something I can do when I discover the process is hung, or something >> that has to be prepared before it hangs? For example, if I come back into >> the office on Monday to find RANCID hung, is there anything I can do to >> collect forensics as to what caused it to hang? >> > > I don't believe so. Looking back, Randy has already provided enough to > identify the problem and access to his machine. So, I need to find the > time to debug it. > > If anyone with the knowledge to debug it wants to work on it; my notes > indicate that we found that globs are broken. since, there may have been > other changes with fbsd ports that have changed that. > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081118/bd817b7b/attachment.html From ecables at gmail.com Tue Nov 18 21:17:59 2008 
From: ecables at gmail.com (Eric Cables) Date: Tue, 18 Nov 2008 13:17:59 -0800 Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect? In-Reply-To: <49231918.70401@comcast.net> References: <20081114191808.GB2748@shrubbery.net> <20081114232600.GC801@shrubbery.net> <20081118192730.GD12936@shrubbery.net> <49231918.70401@comcast.net> Message-ID: Well, given the alert on expect's homepage, I'm not sure upgrading is the best option.. Alert: Version 5.44 of Expect has been recalled due to unresolved problems. Please use 5.43.0. All links below point to 5.43.0 - Don On Tue, Nov 18, 2008 at 11:35 AM, Sam Munzani wrote: > > I had similar issues a few months ago. Instead of spending time on debug, I chose to use the source from shruberry.net(2.3.2a7 version) instead of ports and used expect version 5.44.1.7. Everything seems to work with this combination. > > Thanks, > Sam > > Fri, Nov 14, 2008 at 03:47:39PM -0800, Eric Cables: > > > Is this something I can do when I discover the process is hung, or something > that has to be prepared before it hangs? For example, if I come back into > the office on Monday to find RANCID hung, is there anything I can do to > collect forensics as to what caused it to hang? > > > I don't believe so. Looking back, Randy has already provided enough to > identify the problem and access to his machine. So, I need to find the > time to debug it. > > If anyone with the knowledge to debug it wants to work on it; my notes > indicate that we found that globs are broken. since, there may have been > other changes with fbsd ports that have changed that. > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > From ecables at gmail.com Wed Nov 19 17:09:34 2008 
From: ecables at gmail.com (Eric Cables) Date: Wed, 19 Nov 2008 09:09:34 -0800 Subject: [rancid] Re: Ignoring certain diffs In-Reply-To: References: Message-ID: Anyone? On Mon, Nov 17, 2008 at 9:39 AM, Eric Cables wrote: > I went through the archives, and implemented one of the solutions for > ignoring diffs (such as call-forward, etc.). > > I implemented it as follows in control_rancid: > <-- snippit --> > if [ $RCSSYS = "cvs" ] ; then > DIFFSUPPRESS="-I '.*call-forward.*' -I '.*Flash.*nvram.*'" > > cvs -f diff -u -4 -ko $DIFFSUPPRESS \ > | sed -e '/^RCS file: /d' -e '/^--- /d' \ > -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff > else > svn diff | sed -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff > <-- snippit --> > > > Unfortunately this doesn't seem to have worked. I checked my RANCID e-mail > this morning and it shows the following: > > Index: configs/ > =================================================================== > retrieving revision 1.4 > diff -u -4 -I ''\''.*call-forward.*'\''' -I ''\''.*Flash.*nvram.*'\''' -r1.4 > @@ -26,16 +26,16 @@ > !Flash: nvram: Directory of nvram:/ > - !Flash: nvram: 230 -rw- 7166 > startup-config > + !Flash: nvram: 230 -rw- 7127 > startup-config > !Flash: nvram: 231 ---- 3867 > private-config > - !Flash: nvram: 232 -rw- 7166 > underlying-config > + !Flash: nvram: 232 -rw- 7127 > underlying-config > > It looks like it should have ignored any lines with "Flash: nvram", yet they > are still showing up. > > Can anyone please provide a second set of eyes and help me figure out what > I've done wrong? > > Thanks, > > > -- > Eric Cables > From rancid at gheek.net Wed Nov 19 17:47:52 2008 
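The `diff -u -4 -I ''\''.*call-forward.*'\'''` line quoted in the message above shows each `-I` pattern reaching the command with literal single quotes around it. The following is an added example, not code from the post or from rancid, that reproduces how the shell splits `$DIFFSUPPRESS` and compares it with options held as separate words; the function names and the sample line are constructed for the illustration, and `grep` stands in for the regex match that `diff -I` performs.

```shell
#!/bin/sh
# Added illustration (not from control_rancid): quotes stored inside a
# variable are data. An unquoted expansion is split on whitespace, but its
# quoting is not parsed again, so the command receives the quote characters.

# Constructed sample, modelled on a changed line in the e-mailed diff.
SAMPLE='!Flash: nvram: 230 -rw- 7127 startup-config'

# nth_arg N ARGS...: print the Nth of ARGS exactly as a command would see it.
nth_arg() {
    n=$1
    shift
    while [ "$n" -gt 1 ]; do
        shift
        n=$((n - 1))
    done
    printf '%s\n' "$1"
}

# The second pattern as received when the options are built as in the post.
# set -f only keeps the demo deterministic: an unquoted expansion is also
# subject to globbing because of the "*" characters.
broken_pattern() {
    DIFFSUPPRESS="-I '.*call-forward.*' -I '.*Flash.*nvram.*'"
    ( set -f; nth_arg 4 $DIFFSUPPRESS )
}

# The same options kept as separate words in the positional parameters
# (the only list type POSIX sh has) and expanded with "$@".
fixed_pattern() {
    set -- -I '.*call-forward.*' -I '.*Flash.*nvram.*'
    nth_arg 4 "$@"
}

# matches PATTERN LINE: true if the basic regex PATTERN matches LINE.
matches() {
    printf '%s\n' "$2" | grep -q -e "$1"
}

# verdict PATTERN: what happens to the sample line under this pattern.
verdict() {
    if matches "$1" "$SAMPLE"; then
        echo "ignored"
    else
        echo "still reported"
    fi
}

printf 'as posted: %s -> %s\n' "$(broken_pattern)" "$(verdict "$(broken_pattern)")"
printf 'as words:  %s -> %s\n' "$(fixed_pattern)" "$(verdict "$(fixed_pattern)")"
```

In GNU diff, `-I` drops a hunk only when every inserted or deleted line in it matches the pattern, so a hunk that mixes nvram size changes with a real change is still reported.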
From: rancid at gheek.net (Lance Vermilion) Date: Wed, 19 Nov 2008 10:47:52 -0700 Subject: [rancid] Re: Ignoring certain diffs In-Reply-To: References: Message-ID: <8423e7bb0811190947n3c67e175h4c9db07d8826f754@mail.gmail.com> If you don't want the flash stuff you could always very simply remove it from the collection. Most people that I have seen ask that question do that. open the corresponding rancid file "for cisco open: /bin/rancid" and then search for "commandtable". Comment out the commands you don't really care for. A much more ideal solution would be some nice regex during the collection period that would remove the file size or date/time stamp. I don't have time at the moment to look at that, but maybe someone else does and they can offer it up to John to include. -Lance On Wed, Nov 19, 2008 at 10:09 AM, Eric Cables wrote: > Anyone? > > On Mon, Nov 17, 2008 at 9:39 AM, Eric Cables wrote: >> I went through the archives, and implemented one of the solutions for >> ignoring diffs (such as call-forward, etc.). >> >> I implemented it as follows in control_rancid: >> <-- snippit --> >> if [ $RCSSYS = "cvs" ] ; then >> DIFFSUPPRESS="-I '.*call-forward.*' -I '.*Flash.*nvram.*'" >> >> cvs -f diff -u -4 -ko $DIFFSUPPRESS \ >> | sed -e '/^RCS file: /d' -e '/^--- /d' \ >> -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff >> else >> svn diff | sed -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff >> <-- snippit --> >> >> >> Unfortunately this doesn't seem to have worked. I checked my RANCID e-mail >> this morning and it shows the following: >> >> Index: configs/ >> =================================================================== >> retrieving revision 1.4 >> diff -u -4 -I ''\''.*call-forward.*'\''' -I ''\''.*Flash.*nvram.*'\''' -r1.4 
>> @@ -26,16 +26,16 @@ >> !Flash: nvram: Directory of nvram:/ >> - !Flash: nvram: 230 -rw- 7166 >> startup-config >> + !Flash: nvram: 230 -rw- 7127 >> startup-config >> !Flash: nvram: 231 ---- 3867 >> private-config >> - !Flash: nvram: 232 -rw- 7166 >> underlying-config >> + !Flash: nvram: 232 -rw- 7127 >> underlying-config >> >> It looks like it should have ignored any lines with "Flash: nvram", yet they >> are still showing up. >> >> Can anyone please provide a second set of eyes and help me figure out what >> I've done wrong? >> >> Thanks, >> >> >> -- >> Eric Cables >> > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From djohnson50000 at gmail.com Wed Nov 19 18:20:29 2008 From: djohnson50000 at gmail.com (D J) Date: Wed, 19 Nov 2008 11:20:29 -0700 Subject: [rancid] How to stop notifications for an ACL change on a Cisco ASA? Message-ID: <93df13430811191020s429da0cbn200a130eb1fc28d5@mail.gmail.com> I have a cisco ASA firewall which has an access-list that changes many times a day programatically. I do not wish to receive e-mail notifications of these changes, but don't mind (and would like) to log them into CVS if possible. What is the best method to tell Rancid to not notify on a change which contains a certain value -- like "access-list 1234"? Thanks! -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081119/6b9c4e92/attachment.html From quagga at muntinternet.nl Fri Nov 21 11:40:25 2008 
From: quagga at muntinternet.nl (Jeroen) Date: Fri, 21 Nov 2008 12:40:25 +0100 Subject: [rancid] problem with procurve 2900-24g and new firmware version (T13.23 Message-ID: <49269E29.90701@muntinternet.nl> Hi Group, I'm a long time user of rancid but never had problems I couldn't solve myself with a bit of googling, I'm currently using rancid-2.3.2a8. Problems started when I upgraded one of the many HP procurves we have from T12.13 to firmware version T13.23. Rancid started complaining about not being able to fetch the config. I've tried debugging this by logging in from the console: bin/hlogin -f /home/rancid/.cloginrc however, this is working fine as far as I can tell; it's logging in, gives me a prompt and I'm able to give commands and everything. Is someone able to point me to the right direction, or may be even has a patch already to make this work? Kind regards, Jeroen From quagga at muntinternet.nl Fri Nov 21 19:42:22 2008 
From: quagga at muntinternet.nl (Jeroen) Date: Fri, 21 Nov 2008 20:42:22 +0100 Subject: [rancid] Re: problem with procurve 2900-24g and new firmware version (T13.23 In-Reply-To: <20081121185215.GG22496@shrubbery.net> References: <49269E29.90701@muntinternet.nl> <20081121185215.GG22496@shrubbery.net> Message-ID: <49270F1E.3020205@muntinternet.nl> john heasley wrote: > probably because some commands have changed. try the attached. > > Hi John, Thank you for your prompt answer but unfortunately this doesn't help. Still the same problem. Kind regards, Jeroen > Fri, Nov 21, 2008 at 12:40:25PM +0100, Jeroen: > >> Hi Group, >> >> I'm a long time user of rancid but never had problems I couldn't solve >> myself with a bit of googling, I'm currently using rancid-2.3.2a8. >> >> Problems started when I upgraded one of the many HP procurves we have >> from T12.13 to firmware version T13.23. >> >> Rancid started complaining about not being able to fetch the config. >> >> I've tried debugging this by logging in from the console: >> >> bin/hlogin -f /home/rancid/.cloginrc >> >> however, this is working fine as far as I can tell; it's logging in, >> gives me a prompt and I'm able to give commands and everything. >> >> Is someone able to point me to the right direction, or may be even has a >> patch already to make this work? >> >> Kind regards, >> >> Jeroen >> _______________________________________________ >> Rancid-discuss mailing list >> Rancid-discuss at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >> From quagga at muntinternet.nl Fri Nov 21 19:55:10 2008 
From: quagga at muntinternet.nl (Jeroen) Date: Fri, 21 Nov 2008 20:55:10 +0100 Subject: [rancid] Re: problem with procurve 2900-24g and new firmware version (T13.23 In-Reply-To: <49270F1E.3020205@muntinternet.nl> References: <49269E29.90701@muntinternet.nl> <20081121185215.GG22496@shrubbery.net> <49270F1E.3020205@muntinternet.nl> Message-ID: <4927121E.1070600@muntinternet.nl> Jeroen wrote: > john heasley wrote: > >> probably because some commands have changed. try the attached. >> >> >> > Hi John, > > Thank you for your prompt answer but unfortunately this doesn't help. > Still the same problem. > > > Kind regards, > > Jeroen > > > Hi all, me again; problem fixed ! after I got the message from John I found out that: show system-information had to be changed to: show system information here is the patch: 
@@ -461,7 +461,7 @@ @commandtable = ( {'show version' => 'ShowVersion'}, {'show flash' => 'ShowFlash'}, - {'show system-information' => 'ShowSystem'}, + {'show system information' => 'ShowSystem'}, {'show module' => 'ShowModule'}, {'show stack' => 'ShowStack'}, {'write term' => 'WriteTerm'} Have a nice weekend ! Kind regards, Jeroen > >> Fri, Nov 21, 2008 at 12:40:25PM +0100, Jeroen: >> >> >>> Hi Group, >>> >>> I'm a long time user of rancid but never had problems I couldn't solve >>> myself with a bit of googling, I'm currently using rancid-2.3.2a8. >>> >>> Problems started when I upgraded one of the many HP procurves we have >>> from T12.13 to firmware version T13.23. >>> >>> Rancid started complaining about not being able to fetch the config. >>> >>> I've tried debugging this by logging in from the console: >>> >>> bin/hlogin -f /home/rancid/.cloginrc >>> >>> however, this is working fine as far as I can tell; it's logging in, >>> gives me a prompt and I'm able to give commands and everything. >>> >>> Is someone able to point me to the right direction, or may be even has a >>> patch already to make this work? >>> >>> Kind regards, >>> >>> Jeroen >>> _______________________________________________ >>> Rancid-discuss mailing list >>> Rancid-discuss at shrubbery.net >>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >>> >>> > > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From smunzani at comcast.net Fri Nov 21 20:08:42 2008 
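Review bot: the changed @commandtable entry replaces 'show system-information' with 'show system information' outright, so after this patch the table matches only the T13.23 syntax. The thread says the hyphenated form worked on T12.13 and that this is one of many ProCurves, so switches still on the older firmware would no longer reach ShowSystem. Consider accepting both spellings and mapping each to ShowSystem, and make sure the form a given switch never echoes is not then reported as a missed command.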
From: smunzani at comcast.net (Sam Munzani) Date: Fri, 21 Nov 2008 14:08:42 -0600 Subject: [rancid] Re: problem with procurve 2900-24g and new firmware version (T13.23 In-Reply-To: <49269E29.90701@muntinternet.nl> References: <49269E29.90701@muntinternet.nl> Message-ID: <4927154A.5060606@comcast.net> Where did you find the 2.3.2a8 version? I don't see such version posted on rancid page. http://www.shrubbery.net/rancid/ Thanks, sam > Hi Group, > > I'm a long time user of rancid but never had problems I couldn't solve > myself with a bit of googling, I'm currently using rancid-2.3.2a8. > > Problems started when I upgraded one of the many HP procurves we have > from T12.13 to firmware version T13.23. > > Rancid started complaining about not being able to fetch the config. > > I've tried debugging this by logging in from the console: > > bin/hlogin -f /home/rancid/.cloginrc > > however, this is working fine as far as I can tell; it's logging in, > gives me a prompt and I'm able to give commands and everything. > > Is someone able to point me to the right direction, or may be even has a > patch already to make this work? > > Kind regards, > > Jeroen > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > From quagga at muntinternet.nl Fri Nov 21 20:16:03 2008 
From: quagga at muntinternet.nl (Jeroen) Date: Fri, 21 Nov 2008 21:16:03 +0100 Subject: [rancid] Re: problem with procurve 2900-24g and new firmware version (T13.23 In-Reply-To: <4927154A.5060606@comcast.net> References: <49269E29.90701@muntinternet.nl> <4927154A.5060606@comcast.net> Message-ID: <49271703.7050409@muntinternet.nl> Sam Munzani wrote: > Where did you find the 2.3.2a8 version? I don't see such version > posted on rancid page. > > http://www.shrubbery.net/rancid/ > Hi Sam, It's on the rancid ftp-server lftp ftp.shrubbery.net:/pub/rancid> ls rancid-2.3.2a8.tar.gz -r--r--r-- 1 7053 rancid 316677 Feb 8 2008 rancid-2.3.2a8.tar.gz kind regards, Jeroen > Thanks, > sam >> Hi Group, >> >> I'm a long time user of rancid but never had problems I couldn't >> solve myself with a bit of googling, I'm currently using rancid-2.3.2a8. >> >> Problems started when I upgraded one of the many HP procurves we have >> from T12.13 to firmware version T13.23. >> >> Rancid started complaining about not being able to fetch the config. >> >> I've tried debugging this by logging in from the console: >> >> bin/hlogin -f /home/rancid/.cloginrc >> >> however, this is working fine as far as I can tell; it's logging in, >> gives me a prompt and I'm able to give commands and everything. >> >> Is someone able to point me to the right direction, or may be even >> has a patch already to make this work? >> >> Kind regards, >> >> Jeroen >> _______________________________________________ >> Rancid-discuss mailing list >> Rancid-discuss at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >> >> > From quagga at muntinternet.nl Fri Nov 21 20:21:47 2008 
From: quagga at muntinternet.nl (Jeroen) Date: Fri, 21 Nov 2008 21:21:47 +0100 Subject: [rancid] Re: problem with procurve 2900-24g and new firmware version (T13.23 In-Reply-To: <20081121200616.GJ22496@shrubbery.net> References: <49269E29.90701@muntinternet.nl> <20081121185215.GG22496@shrubbery.net> <49270F1E.3020205@muntinternet.nl> <4927121E.1070600@muntinternet.nl> <20081121200616.GJ22496@shrubbery.net> Message-ID: <4927185B.8060205@muntinternet.nl> john heasley wrote: > Fri, Nov 21, 2008 at 08:55:10PM +0100, Jeroen: > >> Jeroen wrote: >> >>> john heasley wrote: >>> >>> >>>> probably because some commands have changed. try the attached. >>>> >>>> >>>> >>>> >>> Hi John, >>> >>> Thank you for your prompt answer but unfortunately this doesn't help. >>> Still the same problem. >>> >>> >>> Kind regards, >>> >>> Jeroen >>> >>> >>> >>> >> Hi all, >> >> me again; problem fixed ! >> after I got the message from John I found out that: >> >> show system-information >> > > what i sent to you had a fix for this. why didnt it work? > > Hi John, I'm sorry, I really don't know; only that it didn't. Might be in the way it tries to find out to either use 'system-information' or 'system information' ? Kind regards, Jeroen >> had to be changed to: >> >> show system information >> >> here is the patch: 
>> >> >> @@ -461,7 +461,7 @@ >> @commandtable = ( >> {'show version' => 'ShowVersion'}, >> {'show flash' => 'ShowFlash'}, >> - {'show system-information' => 'ShowSystem'}, >> + {'show system information' => 'ShowSystem'}, >> {'show module' => 'ShowModule'}, >> {'show stack' => 'ShowStack'}, >> {'write term' => 'WriteTerm'} >> >> >> >> >> Have a nice weekend ! >> >> Kind regards, >> >> Jeroen >> >>> >>> >>>> Fri, Nov 21, 2008 at 12:40:25PM +0100, Jeroen: >>>> >>>> >>>> >>>>> Hi Group, >>>>> >>>>> I'm a long time user of rancid but never had problems I couldn't solve >>>>> myself with a bit of googling, I'm currently using rancid-2.3.2a8. >>>>> >>>>> Problems started when I upgraded one of the many HP procurves we have >>>>> from T12.13 to firmware version T13.23. >>>>> >>>>> Rancid started complaining about not being able to fetch the config. >>>>> >>>>> I've tried debugging this by logging in from the console: >>>>> >>>>> bin/hlogin -f /home/rancid/.cloginrc >>>>> >>>>> however, this is working fine as far as I can tell; it's logging in, >>>>> gives me a prompt and I'm able to give commands and everything. >>>>> >>>>> Is someone able to point me to the right direction, or may be even has a >>>>> patch already to make this work? >>>>> >>>>> Kind regards, >>>>> >>>>> Jeroen >>>>> _______________________________________________ >>>>> Rancid-discuss mailing list >>>>> Rancid-discuss at shrubbery.net >>>>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >>>>> >>>>> >>>>> >>> _______________________________________________ >>> Rancid-discuss mailing list >>> Rancid-discuss at shrubbery.net >>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >>> >>> >> _______________________________________________ >> Rancid-discuss mailing list >> Rancid-discuss at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >> From heas at shrubbery.net Sat Nov 22 08:27:18 2008 
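Review bot: the changed `@commandtable` entry swaps 'show system-information' for 'show system information' outright, so only the spaced form is sent afterwards; the thread says just one of many ProCurves was moved from T12.13 to T13.23, so switches still on the older firmware may no longer produce output for ShowSystem. Consider handling both spellings rather than replacing one with the other, and name the file the hunk applies to, since it is posted without a file header.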
From: heas at shrubbery.net (john heasley)
Date: Sat, 22 Nov 2008 00:27:18 -0800
Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect?
In-Reply-To: <49231918.70401@comcast.net>
References: <20081114191808.GB2748@shrubbery.net> <20081114232600.GC801@shrubbery.net> <20081118192730.GD12936@shrubbery.net> <49231918.70401@comcast.net>
Message-ID: <20081122082718.GA17060@shrubbery.net>

Tue, Nov 18, 2008 at 01:35:52PM -0600, Sam Munzani:
> I had similar issues a few months ago. Instead of spending time on
> debug, I chose to use the source from shrubbery.net(2.3.2a7 version)
> instead of ports and used expect version 5.44.1.7. Everything seems to
> work with this combination.

I find that confusing. I wouldn't expect (pun not intended) that the version
of rancid would matter here, unless you'd gone back quite far. I suspect it
may have found a different version of expect/tcl.

To answer eric, there was a "normal" and devel version of the expect fbsd
port. Neither version worked properly. I haven't looked at them recently,
so they may have changed.

> Thanks,
> Sam
> >Fri, Nov 14, 2008 at 03:47:39PM -0800, Eric Cables:
> >
> >>Is this something I can do when I discover the process is hung, or
> >>something
> >>that has to be prepared before it hangs? For example, if I come back into
> >>the office on Monday to find RANCID hung, is there anything I can do to
> >>collect forensics as to what caused it to hang?
> >>
> >
> >I don't believe so. Looking back, Randy has already provided enough to
> >identify the problem and access to his machine. So, I need to find the
> >time to debug it.
> >
> >If anyone with the knowledge to debug it wants to work on it; my notes
> >indicate that we found that globs are broken. since, there may have been
> >other changes with fbsd ports that have changed that.
> >_______________________________________________ > >Rancid-discuss mailing list > >Rancid-discuss at shrubbery.net > >http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > > > > > From publicdropbox at gmail.com Sat Nov 22 17:20:49 2008 From: publicdropbox at gmail.com (Drop Box) Date: Sat, 22 Nov 2008 09:20:49 -0800 Subject: [rancid] control characters appearing and disappearing from saved configs Message-ID: Hi, After adding a lot of lines to our HP switch configurations, I'm now seeing rancid diffs like the one below one or two dozen times a day, on various switches: ----------------------------------------------------------------------------------------- - -- configs/switch.example.com. (revision 103454) @@ -47,7 +47,7 @@ ip address dhcp-bootp exit ip authorized-managers a.b.c.d 255.0.0.0 - ip authorized-managers w.x.y.z 255.255.248.0 + ip authorized-managers w.x.y.z 255.255.248.0 [...] ----------------------------------------------------------------------------------------- - -- configs/switchexample.com. (revision 103525) 
@@ -47,7 +47,7 @@ ip address dhcp-bootp exit ip authorized-managers a.b.c.d 255.0.0.0 - ip authorized-managers w.x.y.z 255.255.248.0 + ip authorized-managers w.x.y.z 255.255.248.0 [...] ----------------------------------------------------------------------------------------- The various configs I see this for have slight variations in length, but the control character appears and disappears on the same line ("ip authorized-managers w.x.y.z 255.255.248.0"), so it's not that the problem always appears at line N. I've checked out an "offending" revision and verified that the control character is there. I ran hrancid by hand maybe 20 times, and the control character showed up twice. Does anyone have any ideas why this might be happening? I'm using rancid 2.3.2a6 with expect 5.42.1. Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081122/1e7b4e75/attachment.html From heas at shrubbery.net Sat Nov 22 19:19:58 2008 From: heas at shrubbery.net (john heasley) Date: Sat, 22 Nov 2008 11:19:58 -0800 Subject: [rancid] Re: control characters appearing and disappearing from saved configs In-Reply-To: References: Message-ID: <20081122191958.GB474@shrubbery.net> I think I've fixed this problem already; I'll give you an image in a later email. Sat, Nov 22, 2008 at 09:20:49AM -0800, Drop Box: > Hi, > > After adding a lot of lines to our HP switch configurations, I'm now seeing > rancid diffs like the one below one or two dozen times a day, on various > switches: > > ----------------------------------------------------------------------------------------- > > - -- configs/switch.example.com. (revision 103454) 
> @@ -47,7 +47,7 @@ > ip address dhcp-bootp > exit > ip authorized-managers a.b.c.d 255.0.0.0 > - ip authorized-managers w.x.y.z 255.255.248.0 > + ip authorized-managers w.x.y.z 255.255.248.0 > [...] > > ----------------------------------------------------------------------------------------- > > - -- configs/switchexample.com. (revision 103525) > @@ -47,7 +47,7 @@ > ip address dhcp-bootp > exit > ip authorized-managers a.b.c.d 255.0.0.0 > - ip authorized-managers w.x.y.z 255.255.248.0 > + ip authorized-managers w.x.y.z 255.255.248.0 > [...] > > ----------------------------------------------------------------------------------------- > > The various configs I see this for have slight variations in length, but the > control character appears and disappears on the same line ("ip > authorized-managers w.x.y.z 255.255.248.0"), so it's not that the problem > always appears at line N. I've checked out an "offending" revision and > verified that the control character is there. I ran hrancid by hand maybe > 20 times, and the control character showed up twice. > > Does anyone have any ideas why this might be happening? I'm using rancid > 2.3.2a6 with expect 5.42.1. > > Thanks. > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss From ecables at gmail.com Mon Nov 24 18:02:12 2008 
From: ecables at gmail.com (Eric Cables) Date: Mon, 24 Nov 2008 10:02:12 -0800 Subject: [rancid] Re: Ignoring certain diffs In-Reply-To: <8423e7bb0811190947n3c67e175h4c9db07d8826f754@mail.gmail.com> References: <8423e7bb0811190947n3c67e175h4c9db07d8826f754@mail.gmail.com> Message-ID: Here is what the e-mail looks like from RANCID, can anyone look at the syntax and help me figure out what's wrong? Obviously the -I statements are having no effect (-I '.*Flash.*nvram.*' for example) diff -u -4 -I ''\''.*call-forward.*'\''' -I ''\''.*Flash.*nvram.*'\''' -I ''\''.*VTP.*Revision'\''' -I ''\''.*VTP.*MD5'\''' -I ''\''.*Cryptochecksum.*'\''' -r1.3 
@@ -27,15 +27,15 @@ ! !Flash: nvram: Directory of nvram:/ - !Flash: nvram: 469 -rw- 7395 startup-config + !Flash: nvram: 469 -rw- 7516 startup-config !Flash: nvram: 470 ---- 1934 private-config - !Flash: nvram: 471 -rw- 7395 underlying-config + !Flash: nvram: 471 -rw- 7516 underlying-config !Flash: nvram: 1 ---- 4 rf_cold_starts !Flash: nvram: 2 -rw- 1922 ifIndex-table !Flash: nvram: 3 ---- 12 persistent-data - !Flash: nvram: 491512 bytes total (478035 bytes free) + !Flash: nvram: 491512 bytes total (477914 bytes free) Here's the snippit of control_rancid that calls the -I statements: -- DIFFSUPPRESS="-I '.*call-forward.*' -I '.*Flash.*nvram.*' -I '.*VTP.*Revision' - I '.*VTP.*MD5' -I '.*Cryptochecksum.*'" cvs -f diff -u -4 -ko $DIFFSUPPRESS \ | sed -e '/^RCS file: /d' -e '/^--- /d' \ -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff -- -- Eric Cables On Wed, Nov 19, 2008 at 9:47 AM, Lance Vermilion wrote: > If you don't want the flash stuff you could always very simply remove > it from the collection. Most people that I have seen ask that question > do that. > > open the corresponding rancid file "for cisco open: > /bin/rancid" and then search for "commandtable". Comment > out the commands you don't really care for. > > A much more ideal solution would be some nice regex during the > collection period that would remove the file size or date/time stamp. > I don't have time at the moment to look at that, but maybe someone > else does and they can offer it up to John to include. > > -Lance > > On Wed, Nov 19, 2008 at 10:09 AM, Eric Cables wrote: >> Anyone? >> >> On Mon, Nov 17, 2008 at 9:39 AM, Eric Cables wrote: >>> I went through the archives, and implemented one of the solutions for >>> ignoring diffs (such as call-forward, etc.). 
>>> >>> I implemented it as follows in control_rancid: >>> <-- snippit --> >>> if [ $RCSSYS = "cvs" ] ; then >>> DIFFSUPPRESS="-I '.*call-forward.*' -I '.*Flash.*nvram.*'" >>> >>> cvs -f diff -u -4 -ko $DIFFSUPPRESS \ >>> | sed -e '/^RCS file: /d' -e '/^--- /d' \ >>> -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff >>> else >>> svn diff | sed -e '/^+++ /d' -e 's/^\([-+ ]\)/\1 /' >$TMP.diff >>> <-- snippit --> >>> >>> >>> Unfortunately this doesn't seem to have worked. I checked my RANCID e-mail >>> this morning and it shows the following: >>> >>> Index: configs/ >>> =================================================================== >>> retrieving revision 1.4 >>> diff -u -4 -I ''\''.*call-forward.*'\''' -I ''\''.*Flash.*nvram.*'\''' -r1.4 >>> @@ -26,16 +26,16 @@ >>> !Flash: nvram: Directory of nvram:/ >>> - !Flash: nvram: 230 -rw- 7166 >>> startup-config >>> + !Flash: nvram: 230 -rw- 7127 >>> startup-config >>> !Flash: nvram: 231 ---- 3867 >>> private-config >>> - !Flash: nvram: 232 -rw- 7166 >>> underlying-config >>> + !Flash: nvram: 232 -rw- 7127 >>> underlying-config >>> >>> It looks like it should have ignored any lines with "Flash: nvram", yet they >>> are still showing up. >>> >>> Can anyone please provide a second set of eyes and help me figure out what >>> I've done wrong? >>> >>> Thanks, >>> >>> >>> -- >>> Eric Cables >>> >> _______________________________________________ >> Rancid-discuss mailing list >> Rancid-discuss at shrubbery.net >> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss >> > _______________________________________________ > Rancid-discuss mailing list > Rancid-discuss at shrubbery.net > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss > From raj at csub.edu Mon Nov 24 18:11:10 2008 
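On the "Ignoring certain diffs" message above: the echoed command shows each pattern arriving as `''\''.*Flash.*nvram.*'\'''`, that is, with literal single quotes inside the regex, so it can never match a config line. The script below is an added example (not RANCID code and not from any poster); it reproduces this with plain `diff`, shows a form that passes the patterns intact, and shows that `-I` hides a hunk only when every changed line in it matches. The function names and sample config lines are constructed, and it assumes a `diff` with `-I` support (GNU diffutils) that `cvs diff` behaves like.

```shell
#!/bin/sh
# Added example, not RANCID code. Config lines below are constructed.

# Print every argument received, one per line, so the quoting is visible.
show_args() {
    for a in "$@"; do printf '[%s]\n' "$a"; done
}

# Form used in the control_rancid snippet: single quotes stored inside the
# variable. Quote removal is not applied to the result of an expansion, so
# each pattern reaches the command with the quote characters attached.
broken_args() {
    DIFFSUPPRESS="-I '.*Flash.*nvram.*' -I '.*Cryptochecksum.*'"
    show_args $DIFFSUPPRESS     # unquoted on purpose, as in the snippet
}

# Corrected form: keep options and patterns as separate words in "$@".
fixed_args() {
    set -- -I '.*Flash.*nvram.*' -I '.*Cryptochecksum.*'
    show_args "$@"
}

# Write an old/new config pair into directory $1. The nvram sizes always
# differ; with $2 = mixed the hostname line next to them changes as well.
make_samples() {
    cat >"$1/old" <<'EOF'
!Flash: nvram: 469 -rw- 7395 startup-config
!Flash: nvram: 471 -rw- 7395 underlying-config
hostname sw1
snmp-server location lab
EOF
    sed -e 's/7395/7516/' "$1/old" >"$1/new"
    if [ "$2" = mixed ]; then
        sed -e 's/sw1/sw2/' "$1/new" >"$1/new.tmp"
        mv "$1/new.tmp" "$1/new"
    fi
}

# Print how many changed "!Flash" lines diff still reports.
# $1 = broken | fixed (quoting form), $2 = plain | mixed (sample pair)
flash_noise() {
    form=$1
    dir=$(mktemp -d) || return 1
    make_samples "$dir" "$2"
    if [ "$form" = broken ]; then
        DIFFSUPPRESS="-I '.*Flash.*nvram.*'"
        out=$(diff -u $DIFFSUPPRESS "$dir/old" "$dir/new" || true)
    else
        set -- -I '.*Flash.*nvram.*'
        out=$(diff -u "$@" "$dir/old" "$dir/new" || true)
    fi
    rm -rf "$dir"
    printf '%s\n' "$out" | grep -c '^[-+]!Flash' || true
}

echo "arguments, quotes inside the variable:"; broken_args
echo "arguments, separate words:";             fixed_args
echo "nvram noise, broken quoting:        $(flash_noise broken plain)"
echo "nvram noise, fixed quoting:         $(flash_noise fixed plain)"
echo "nvram noise, fixed, hostname edit:  $(flash_noise fixed mixed)"
```

The last case is the one to watch in production: once the patterns work, nvram size changes still appear whenever a real change sits in the same hunk, so a config edit is never hidden along with them.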
From: raj at csub.edu (Russell Jackson) Date: Mon, 24 Nov 2008 10:11:10 -0800 Subject: [rancid] Re: FreeBSD 7.0 + Expect 5.43.0 -- Do I need to patch expect? In-Reply-To: References: Message-ID: <492AEE3E.7040501@csub.edu> Eric Cables wrote: > I've been running into this problem quite frequently, about once a week or > so rancid will hang for no apparent reason, and until I kill the process it > will remain hung. I've read in the archives that Linux & Solaris have a > problem with expect that requires a patch, but does this also include > FreeBSD? > I've been running rancid on FreeBSD 6.2 without issue for some time. I haven't had any hangs with respect to expect. I haven't tried it on FreeBSD 7.0 yet. $ uname -a FreeBSD svn.csub.edu 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jul 13 19:38:42 PDT 2000 rjackson3 at thor.csub.edu:/usr/obj/usr/src/sys/THOR i386 $ pkg_info | egrep 'tcl|rancid' expect-nox11-5.44.1.7 A sophisticated scripter based on tcl/tk rancid-local-2.3.2a7_1 Really Awesome New Cisco confIg Differ tcl-8.4.19,1 Tool Command Language I'm running a locally patched version of the rancid port to silence cisco diff noise (STP costs et al). $ diff -ur net-mgmt/rancid-devel local/rancid Only in local/rancid: .svn diff -ur net-mgmt/rancid-devel/Makefile local/rancid/Makefile --- net-mgmt/rancid-devel/Makefile Mon Dec 31 06:28:08 2007 +++ local/rancid/Makefile Mon Feb 25 15:56:16 2008 
@@ -10,7 +10,6 @@ PORTREVISION= 1 CATEGORIES= net-mgmt MASTER_SITES= ftp://ftp.shrubbery.net/pub/rancid/ -PKGNAMESUFFIX= -devel MAINTAINER= janos.mohacsi at bsd.hu COMMENT= Really Awesome New Cisco confIg Differ Only in local/rancid/files: .svn Only in local/rancid/files: patch-bin::cat5rancid.in Only in local/rancid/files: patch-bin::clogin.in Only in local/rancid/files: patch-bin::rancid.in Only in local/rancid: pkg-message -- Russell A. Jackson Network Analyst California State University, Bakersfield The greatest productive force is human selfishness. -- Robert Heinlein -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature Url : http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20081124/0aea438c/attachment.bin From hina at hina.fr Tue Nov 25 16:10:43 2008 
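Review bot: the only hunk shown drops `PKGNAMESUFFIX= -devel` from the Makefile, while the changes that actually silence the diff noise are in `files/patch-bin::rancid.in`, `patch-bin::clogin.in` and `patch-bin::cat5rancid.in`, which the recursive diff lists as "Only in local/rancid/files" without their contents. Posting those patch files would let others review and reuse the change. The `MAINTAINER` context line still names the upstream port maintainer, which is worth changing in a locally modified port.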
From: hina at hina.fr (hina)
Date: Tue, 25 Nov 2008 17:10:43 +0100
Subject: [rancid] cisco problem with rancid
Message-ID: <20081125161043.GB1749@hina.fr>

Hi all,
I'm using Rancid for a while. But I have a new problem
with a new cisco (3750), I can't get the configuration.
When I'm using clogin.. no problem to connect
When I'm using clogin -c "show run" IP ... it can connect but no commands are sent
When I'm using rancid -d IP .. the executing is timeout
when I'm using rancid-run ... the executing is timeout
And if I'm using strace to follow the rancid -d (debug mode) ... :
ead(5, "Trying 10.4.33.6...\r\nConnected t"..., 4096) = 73
read(5, "\r\n\r\nUser Access Verification\r\n\r\n"..., 4096) = 42
read(5, "b", 4096) = 1
read(5, "a", 4096) = 1
read(5, "c", 4096) = 1
read(5, "k", 4096) = 1
read(5, "u", 4096) = 1
read(5, "p", 4096) = 1
read(5, "\r\nPassword: ", 4096) = 12
read(5, "\r\nPOP-Switch-3750G-Stack#", 4096) = 25
but no commands are sent.
I just moved my testing rancid to the product one .. and maybe I forgot something in the configuration when I did it.
I'm always using the rancid user to use this binary.
If you have any idea, will be great
Many thanks
Hina

From ssaalliimmsurani at yahoo.com Tue Nov 25 07:06:54 2008
From: ssaalliimmsurani at yahoo.com (Salim Surani)
Date: Mon, 24 Nov 2008 23:06:54 -0800 (PST)
Subject: [rancid] Fortigate and Cisco VPN Concentrator Backup
Message-ID: <135765.66047.qm@web51408.mail.re2.yahoo.com>

Hi,

Has anyone managed to use Rancid to backup Cisco VPN Concentrator and
Fortigate configurations? Please guide with step by step instructions to use
Rancid to backup these devices.

Thank you and Regards
Salim

From rancid at gheek.net Tue Nov 25 20:27:30 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Tue, 25 Nov 2008 13:27:30 -0700
Subject: [rancid] Re: Rancid with a cisco
In-Reply-To: <20081125153733.GA1749@hina.fr>
References: <20081125153733.GA1749@hina.fr>
Message-ID: <8423e7bb0811251227u6c16d9bcy709db249da98c5c8@mail.gmail.com>

When you login do you go straight to enable mode? If so your problem is
likely an issue with autoenable. By default rancid assumes you have to
enable to get to priv mode.

On Tue, Nov 25, 2008 at 8:37 AM, hina wrote:
> Hi
> I have some difficulties on a new cisco.
> I had it on my cloginrc with the same configuration than others cisco.
> and clogin can connect
> but with the rancid-run , I have on the log : TIMEOUT
> with the debug mode : rancid -d 10.4.33.6
> it can connect but after TIMEOUT ...
> I guess I had already this problem before and I fixed it.. but how I did that ... I can't remember.
> The path is correct (with the binary of rancid) and the user is rancid
> Do you have any idea ?
> Many thanks
> Ludivine
>

From rancid at gheek.net Tue Nov 25 20:28:47 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Tue, 25 Nov 2008 13:28:47 -0700
Subject: [rancid] Re: cisco problem with rancid
In-Reply-To: <20081125161043.GB1749@hina.fr>
References: <20081125161043.GB1749@hina.fr>
Message-ID: <8423e7bb0811251228u6fa56763yab323148e2c9e10f@mail.gmail.com>

you must set autoenable in your .cloginrc

On Tue, Nov 25, 2008 at 9:10 AM, hina wrote:
> Hi all,
> I'm using Rancid for a while. But I have a new problem
> with a new cisco (3750), I can't get the configuration.
> When I'm using clogin.. no problem to connect
> When I'm using clogin -c "show run" IP ... it can connect but no commands are sent
> When I'm using rancid -d IP .. the executing is timeout
> when I'm using rancid-run ... the executing is timeout
> And if I'm using strace to follow the rancid -d (debug mode) ... :
> ead(5, "Trying 10.4.33.6...\r\nConnected t"..., 4096) = 73
> read(5, "\r\n\r\nUser Access Verification\r\n\r\n"..., 4096) = 42
> read(5, "b", 4096) = 1
> read(5, "a", 4096) = 1
> read(5, "c", 4096) = 1
> read(5, "k", 4096) = 1
> read(5, "u", 4096) = 1
> read(5, "p", 4096) = 1
> read(5, "\r\nPassword: ", 4096) = 12
> read(5, "\r\nPOP-Switch-3750G-Stack#", 4096) = 25
> but no commands are sent.
> I just moved my testing rancid to the product one .. and maybe I forgot something in the configuration when I did it.
> I'm always using the rancid user to use this binary.
> If you have any idea, will be great
> Many thanks
> Hina
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>

From rancid at gheek.net Tue Nov 25 20:30:31 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Tue, 25 Nov 2008 13:30:31 -0700
Subject: [rancid] Re: Fortigate and Cisco VPN Concentrator Backup
In-Reply-To: <135765.66047.qm@web51408.mail.re2.yahoo.com>
References: <135765.66047.qm@web51408.mail.re2.yahoo.com>
Message-ID: <8423e7bb0811251230r3f5d6d78hf7c0779c9148e90a@mail.gmail.com>

See this post for the vpn 3000 concentrator
http://www.shrubbery.net/pipermail/rancid-discuss/2006-October/001784.html

On Tue, Nov 25, 2008 at 12:06 AM, Salim Surani wrote:
> Hi,
>
> Has anyone managed to use Rancid to backup Cisco VPN Concentrator and
> Fortigate configurations? Please guide with step by step instructions to use
> Rancid to backup these devices.
>
> Thank you and Regards
> Salim
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>

From rancid at gheek.net Wed Nov 26 21:27:44 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Wed, 26 Nov 2008 14:27:44 -0700
Subject: [rancid] Re: Rancid with a cisco
In-Reply-To: <20081126081743.GB4455@hina.fr>
References: <20081125153733.GA1749@hina.fr> <8423e7bb0811251227u6c16d9bcy709db249da98c5c8@mail.gmail.com> <20081126081743.GB4455@hina.fr>
Message-ID: <8423e7bb0811261327y58787fa2h567141f07273b77f@mail.gmail.com>

Does it work with "clogin 10.4.33.6"? Does that allow you to be logged in
and run commands manually?

If so try clogin -c "show run" 10.4.33.6

If that works then make sure you run the commands as the user "backup"
as specified in your .cloginrc

On Wed, Nov 26, 2008 at 1:17 AM, hina wrote:
> No. I'm not login straight enable.
> I'm using the option autoenable 1 :
> # 10.4.33.6 - cisco
> add user 10.4.33.6 backup
> add password 10.4.33.6 XXXX XXXX
> add method 10.4.33.6 telnet
> add autonenable 10.4.33.6 1
>
> it's like that I'm doing the backup of all my cisco. It's the same configuration for all of them. And just this new one (the new one on the production machine instead of test machine) doesn't work.
> I don't really understand.
> Maybe I missed some rights on a . somewhere ?
> Any clue except the autoenable ?
> many thanks Lance
> Hina
>
> On Tue, Nov 25, 2008 at 01:27:30PM -0700, Lance Vermilion wrote:
>> When you login do you go straight to enable mode? If so your problem is
>> likely an issue with autoenable. By default rancid assumes you have to
>> enable to get to priv mode.
>>
>> On Tue, Nov 25, 2008 at 8:37 AM, hina wrote:
>> > Hi
>> > I have some difficulties on a new cisco.
>> > I had it on my cloginrc with the same configuration than others cisco.
>> > and clogin can connect
>> > but with the rancid-run , I have on the log : TIMEOUT
>> > with the debug mode : rancid -d 10.4.33.6
>> > it can connect but after TIMEOUT ...
>> > I guess I had already this problem before and I fixed it.. but how I did that ... I can't remember.
>> > The path is correct (with the binary of rancid) and the user is rancid
>> > Do you have any idea ?
>> > Many thanks
>> > Ludivine
>> >
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>

From rancid at gheek.net Wed Nov 26 21:32:21 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Wed, 26 Nov 2008 14:32:21 -0700
Subject: [rancid] Re: same problem
In-Reply-To: <20081126151519.GC4455@hina.fr>
References: <20081126151519.GC4455@hina.fr>
Message-ID: <8423e7bb0811261332y463f0aadgcdaee560dcc8e21c@mail.gmail.com>

Move your statements for 10.4.33.6 to the top of your .cloginrc before
any other statement you may have specified before. I presume rancid is
matching a previous statement.

On Wed, Nov 26, 2008 at 8:15 AM, hina wrote:
>
> Hi
> just to let you know ...
> 1/ all my cisco are configured like that :
> #10.4.10.22 - cisco
> add user 10.4.10.22 backup
> add password 10.4.10.22 passwd passwd
> add method 10.4.10.22 telnet
> add autoenable 10.4.10.22 1
>
> 2/ clogin alone is working
> but if I'm using clogin -c "cmd" I can't see the cmd after the prompt.
>
> 3/ If I'm using clogin to connect, AND I type by myself, the command show run, I can't see the result in the term/
> ancid at Argus:~/var/logs$ clogin 10.4.33.6
> 10.4.33.6
> spawn telnet 10.4.33.6
> Trying 10.4.33.6...
> Connected to 10.4.33.6.
> Escape character is '^]'.
>
>
> User Access Verification
>
> Username: backup
> Password:
> POP-Switch-3750G-Stack#show run
>
> Error: TIMEOUT reached
>
> 4/ As telnet : no problem
> 5/ My user is configured like that :
>
> username backup privilege 15 password 7 XXXXXXXXXXXXX
>
>
> Do you have any idea of rules somewhere I missed ?
> Many thanks
> hina
>

From jinzhe_927 at hotmail.com Thu Nov 27 02:01:13 2008
From: jinzhe_927 at hotmail.com (JinZhou)
Date: Thu, 27 Nov 2008 02:01:13 +0000
Subject: [rancid] Set different collection scheduler by groups
Message-ID:

Hi,

I am using Rancid to maintain Cisco routers and switches configuration.
Currently, I collect information from HQ and branch hourly. By using
# 0 * * * * rancid /home/rancid/bin/rancid-run -m XXXX at YYY.com
But I want to collect data from HQ hourly and from branch daily. So I create
two GROUPs to contain HQ and Branch's switches
# LIST_OF_GROUP="HQ BRANCH" (In /etc/rancid/rancid.conf)
Then use
# 0 * * * * rancid /home/rancid/bin/rancid-run -r
# 0 23 * * * rancid /home/rancid/bin/rancid-run -r

Is it correct?

The other question is if I only collect one switch's configuration from HQ
group, use

# 0 * * * * rancid /home/rancid/bin/rancid-run -r /

Is it correct and what will happen in /var/lib/rancid/logs/?

Now, I got (group name).20081127.140001.

Thanks for your help.

Regards,
David

From rancid at gheek.net Thu Nov 27 02:31:12 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Wed, 26 Nov 2008 19:31:12 -0700
Subject: [rancid] Re: Set different collection scheduler by groups
In-Reply-To:
References:
Message-ID: <8423e7bb0811261831t2423d83cp5ec9989d2de920a2@mail.gmail.com>

You have that correct. Have you tried to do it like this yet?

On Wed, Nov 26, 2008 at 7:01 PM, JinZhou wrote:
> Hi,
>
> I am using Rancid to maintain Cisco routers and switches configuration.
> Currently, I collect information from HQ and branch hourly. By using
> # 0 * * * * rancid /home/rancid/bin/rancid-run -m XXXX at YYY.com
> But I want to collect data from HQ hourly and from branch daily. So I create
> two GROUPs to contain HQ and Branch's switches
> # LIST_OF_GROUP="HQ BRANCH" (In /etc/rancid/rancid.conf)
> Then use
> # 0 * * * * rancid /home/rancid/bin/rancid-run -r
> # 0 23 * * * rancid /home/rancid/bin/rancid-run -r
>
> Is it correct?
>
> The other question is if I only collect one switch's configuration from HQ
> group, use
>
> # 0 * * * * rancid /home/rancid/bin/rancid-run -r /
>
> Is it correct and what will happen in /var/lib/rancid/logs/?
>
> Now, I got (group name).20081127.140001.
>
> Thanks for your help.
>
> Regards,
> David
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>

From rancid at gheek.net Thu Nov 27 18:40:28 2008
From: rancid at gheek.net (Lance Vermilion)
Date: Thu, 27 Nov 2008 11:40:28 -0700
Subject: [rancid] Re: Set different collection scheduler by groups
In-Reply-To:
References: <8423e7bb0811261831t2423d83cp5ec9989d2de920a2@mail.gmail.com>
Message-ID: <8423e7bb0811271040t201282a4ga13b7575b761473f@mail.gmail.com>

Each group will have its own log directory. The same should be for each
device configuration and router.db

What is your directory structure?

On Wed, Nov 26, 2008 at 7:54 PM, JinZhou wrote:
> Hi,
>
> I tried those two things yesterday. In terms of HQ and Branch, they have
> been collected data in same time. For example, I tried to collect HQ at
> 9:30, Branch at 9:45. But HQ and Branch's log both appear at 9:30 and 9:45
> in /var/lib/rancid/logs. I was just wondering if you can figure out what's
> going on here. May be about the definition about group?
>
> For the individual device, it doesn't take shot. Nothing happen. Should I
> see log file like (device name).(group name).20081127.140001?
>
> Cheers,
> David
>
>> Date: Wed, 26 Nov 2008 19:31:12 -0700
>> From: rancid at gheek.net
>> To: rancid-discuss at shrubbery.net
>> Subject: [rancid] Re: Set different collection scheduler by groups
>>
>> You have that correct. Have you tried to do it like this yet?
>>
>> On Wed, Nov 26, 2008 at 7:01 PM, JinZhou wrote:
>> > Hi,
>> >
>> > I am using Rancid to maintain Cisco routers and switches configuration.
>> > Currently, I collect information from HQ and branch hourly. By using
>> > # 0 * * * * rancid /home/rancid/bin/rancid-run -m XXXX at YYY.com
>> > But I want to collect data from HQ hourly and from branch daily. So I
>> > create
>> > two GROUPs to contain HQ and Branch's switches
>> > # LIST_OF_GROUP="HQ BRANCH" (In /etc/rancid/rancid.conf)
>> > Then use
>> > # 0 * * * * rancid /home/rancid/bin/rancid-run -r
>> > # 0 23 * * * rancid /home/rancid/bin/rancid-run -r
>> >
>> > Is it correct?
>> >
>> > The other question is if I only collect one switch's configuration from
>> > HQ
>> > group, use
>> >
>> > # 0 * * * * rancid /home/rancid/bin/rancid-run -r /
>> >
>> > Is it correct and what will happen in /var/lib/rancid/logs/?
>> >
>> > Now, I got (group name).20081127.140001.
>> >
>> > Thanks for your help.
>> >
>> > Regards,
>> > David
>> >
>> > _______________________________________________
>> > Rancid-discuss mailing list
>> > Rancid-discuss at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>> >
>> _______________________________________________
>> Rancid-discuss mailing list
>> Rancid-discuss at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss