[rancid] Re: Rancid stopped working for my HP switches
Per-Olof Olsson
peo at chalmers.se
Tue Apr 13 07:56:08 UTC 2010
john heasley wrote:
> Tue, Apr 06, 2010 at 10:41:35AM +0200, Per-Olof Olsson:
>> john heasley wrote:
>>> Sat, Apr 03, 2010 at 07:59:18AM +0200, Per-Olof Olsson:
>>>> I
>>>>
>>>> There is some update for code using ssh! Isn't "hpuifilter" missing,
>>>> to clean some terminal escape codes?
>>>>
>>>> After adding "hpuifilter --" I start to get output/updates in files.
>>>>
>>>>
>>>> < set retval [ catch {eval spawn [split "$cmd -c $cyphertype -x -l $user
>>>> $router" { }]} reason ]
>>>>
>>>>> set retval [ catch {eval spawn [split "hpuifilter -- $cmd -c $cyphertype -x -l $user $router" { }]} reason ]
>>>> -----------------------------------------^^^^^^^^^^^^^^
>>>>
>>>>
>>>> ## $Id: hlogin.in 2162 2010-03-15 21:20:31Z heas $
>>>> ----------------------------------------------------
>>>> ---> diff hlogin.in.ORG hlogin.in
>>>> 220,222c220,221
>>>> < # hp does not autoenable
>>>> < #set autoenable 1
>>>> < #set avenable 0
>>>> ---
>>>>> set autoenable 1
>>>>> set avenable 0
>>>> 316c315
>>>> < proc login { router user userpswd passwd enapasswd cmethod cyphertype } {
>>>> ---
>>>>> proc login { router user userpswd passwd enapasswd cmethod cyphertype identfile } {
>>>> 342c341,344
>>>> < set retval [ catch {eval spawn [split "$cmd -c $cyphertype
>>>> -x -l $user $router" { }]} reason ]
>>>> ---
>>>>> if {"$identfile" != ""} {
>>>>> set cmd "$cmd -i $identfile"
>>>>> }
>>>>> set retval [ catch {eval spawn [split "hpuifilter -- $cmd -c $cyphertype -x -l $user $router" { }]} reason ]
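Review bot: `set cmd "$cmd -i $identfile"` followed by `split "..." { }` on the whole command string means an identity path containing a space is broken into separate argv words before spawn; the value comes from .cloginrc so it is under the operator's control, but the failure would only surface as the `reason` captured by the `catch`. Building the argv as a Tcl list (`lappend cmd -i $identfile`) instead of string concatenation avoids that, and the same applies to `hpuifilter --` being prepended as text. Also confirm `hpuifilter` is found on PATH the same way `$cmd` is, since a missing filter ends up in the same catch branch as a missing ssh.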
>>>> 603a606,608
>>>>> # device identfile for ssh public key login
>>>>> set identfile [join [lindex [find identity $router] 0] ""]
>>>>>
>>>> 720c725
>>>> < if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod
>>>> $cyphertype]} {
>>>> ---
>>>>> if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype $identfile]} {
>>>> -----------------------------------------------------
>>>>
>>>> Comment:
>>>> For new switches HP does autoenable.
>>>> Also used to add login via ssh public/private keys in my hlogin
>>>> (No password/passphrase in .cloginrc. Part of code copied from jlogin.)
>>> Is it now possible to store a per-user ssh public key in the HP config?
>>> And, as peo@ mentions, I presume hpuifilter is still necessary. And,
>>> older models will still need to enable.
>>>
>> ssh login per-user?
>> No, for old switches like 2500 and 4100; only operator level login
>> when using an ssh key.
>>
>> Yes. On new switches like 2600/2610, 2800, 2910 you install public keys for
>> operator and/or manager level login. I think up to 10 keys each.
>
> cool. please try the attached hlogin; I've imported the identity file
> handling from jlogin in its entirety.
hlogin is working but still needs some tuning/fixes:
1:
When running rancid-run using an ssh passphrase, about 15-20% of switches
randomly time out during login and do a login retry.
Don't know why.
Is it:
- the switch working harder when logging in via ssh passphrase
- buffering/cleaning of terminal escape codes in hpuifilter
- a timeout when the switch tries to get/set the window size
- or ?
I extended the sleep from 1 to 2s and then only 1-2% of switches randomly
show the login timeout (rancid-run does a login retry so you still get your
info and config from the switch, but it looks cleaner not to have that
many login timeouts/retries).
2:
Would you like to use the command line option "-autoenable" to the hlogin
command when testing/debugging?
Updated the code to set some variables from option args.
3:
I also noticed that the hlogin -S option (save running config on exit) is
not working!
There was a security issue where an operator was able to save the config
file...
If you want to get to the "save current configuration" question, you
have to run "logout" from manager level.
---------------------------------------------------------------
diff -c hlogin.in.ORG+1 hlogin.in
*** hlogin.in.ORG+1 Mon Apr 12 07:54:40 2010
--- hlogin.in Mon Apr 12 16:36:15 2010
***************
*** 221,229 ****
set avenable 0
# Does tacacs automatically enable us?
} -autoenable {
! # hp does not autoenable
! #set autoenable 1
! #set avenable 0
} -* {
send_user "\nError: Unknown argument! $arg\n"
send_user $usage
--- 221,228 ----
set avenable 0
# Does tacacs automatically enable us?
} -autoenable {
! set avautoenable 1
! set avenable 0
} -* {
send_user "\nError: Unknown argument! $arg\n"
send_user $usage
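Review bot: this hunk sets `avautoenable` where the earlier diff in this thread set `autoenable`; for the `-autoenable` option to have any effect, the code that later decides whether to call enable must read `avautoenable` (the `set avenable 0` just above suggests the argv variables carry the `av` prefix, as in clogin), so please confirm that path consults it. With the `# hp does not autoenable` comment removed, a one-line comment that the option is for models that autoenable (2600/2800/2910 per the thread) and that older models still need enable would help the next reader.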
***************
*** 432,438 ****
}
-re "Enter passphrase.*: " {
# sleep briefly to allow time for stty -echo
! sleep 1
send -- "$passphrase\r"
exp_continue
}
--- 431,437 ----
}
-re "Enter passphrase.*: " {
# sleep briefly to allow time for stty -echo
! sleep 2
send -- "$passphrase\r"
exp_continue
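Review bot: doubling a fixed `sleep` is a timing guess rather than a fix; the cover text says 1-2% of logins still time out at 2s, and the extra second is paid on every passphrase prompt across roughly 200 devices per run. The comment says the sleep exists so `stty -echo` has taken effect before the passphrase is sent, which is a race on the rancid host, not on the switch, and on its own should not produce a login timeout; the remaining timeouts are more likely the expect `timeout` covering the key exchange. Suggest keeping the 1s sleep and raising the login-phase timeout instead, or at least making the sleep a variable so it can be tuned without editing the script.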
***************
*** 564,570 ****
}
}
log_user 1
! send -h "exit\r"
expect {
"Do you want to save current configuration" {
if {$do_saveconfig} {
--- 563,569 ----
}
}
log_user 1
! send -h "logout\r"
expect {
"Do you want to save current configuration" {
if {$do_saveconfig} {
if {$do_saveconfig} {
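Review bot: replacing `exit` with `logout` changes session teardown for every device, not only when -S is given, and the `expect` that follows only shows the save-configuration branch; since the thread says older models need a separate enable and the save prompt appears only when logging out from manager level, confirm that `logout` from operator level (or after a failed enable) still returns cleanly rather than waiting out the timeout. Also, the trailing context line `if {$do_saveconfig} {` appears twice on the new side of this hunk, which looks like a paste duplicate in the mail; the patch will not apply as shown.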
------------------------------------------
>
>> ---------------------------------------------------------
>> hp_switch# copy tftp pub-key-file 1.1.1.1 manager_key
>> append Add the key(s) for operator access.
>> manager Replace the key(s) for manager access; follow with the
>> 'append' option to add the key(s).
>> operator Replace the key(s) for operator access (default); follow
>> with the 'append' option to add the key(s).
>> <cr>
>> hp_switch#
>> ---------------------------------------------------------
>>
>> ----.cloginrc----------------
>> add method hp_switch ssh
>> add password hp_switch x x
>> add identity hp_switch <path>/.ssh/key-to-HP
>> add autoenable hp_switch 1
add passphrase hp_switch <passphrase>
>>
>> add method old_hp_switch ssh
>> add password old_hp_switch x <enabler_password>
>> add identity old_hp_switch <path>/.ssh/key-to-HP-rsa1
>> add autoenable old_hp_switch 0
add passphrase old_hp_switch <passphrase>
>> ------------------------------
>> (Username config on switches left blank)
>>
>> HP counts each test of an ssh key as a login attempt. The default is that
>> you have 3 tries to log in (by ssh key or user/password). It doesn't work
>> to add a long list of keys in the ssh config files. That's why I like to
>> point out key files for each switch in the .cloginrc.
>>
>> It's not secure to use ssh keys without passphrases. But if you have
>> to write it down in .cloginrc...
>> That's why the passphrase setting is not in .cloginrc.
>>
>>
>>
>> Isn't it time to do some updates on hrancid? Grab some more information
>> from HP switches. There is info about config files and an inventory of
>> SFPs for new switches.
>>
>> Useful?
>
> sure; please share the diffs and example i/o.
>
These updates to hrancid.in were included in the previous mail, but if you
like them in diff format...
--------------------------------
diff -c hrancid.in.ORG hrancid.in
*** hrancid.in.ORG Wed Mar 24 00:33:51 2010
--- hrancid.in Tue Mar 30 10:06:17 2010
***************
*** 223,232 ****
if (/memory\s+-\s+total\s+:\s+(\S+)/i) {
my($mem) = $1;
$mem =~ s/,//g;
$mem /= (1024 * 1024);
! ProcessHistory("COMMENTS","keysort","B0",";Memory: " .
int($mem) .
! "M\n");
next;
}
/serial\s+number\s+:\s+(\S+)/i &&
--- 223,233 ----
if (/memory\s+-\s+total\s+:\s+(\S+)/i) {
my($mem) = $1;
+ my($mem_peo) = $1;
$mem =~ s/,//g;
$mem /= (1024 * 1024);
! ProcessHistory("COMMENTS","keysort","B0",";Memory: " .
$mem_peo .
! " (" . int($mem) . "M)\n");
next;
}
/serial\s+number\s+:\s+(\S+)/i &&
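Review bot: `$mem_peo` names the variable after its author rather than its contents; `$mem_raw` or `$mem_bytes` says what it holds. The raw `memory - total` string is written into the comment unmodified, thousands separators included and with no unit, followed by the MB figure in parentheses; either add the unit or drop the raw value, since the rounded MB figure is what the rest of the device file uses and the extra digits only add diff noise when the value changes.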
***************
*** 283,288 ****
--- 284,326 ----
return(0);
}
+ # This routine parses "show tech transceivers"
+ sub ShowTransceivers {
+ print STDERR " In ShowTransceivers: $_" if ($debug);
+
+ while (<INPUT>) {
+ tr/\015//d;
+ last if (/^$prompt/);
+ next if (/^(\s*|\s*$cmd\s*|transceivers\s*)$/);
+ return(-1) if (/command authorization failed/i);
+ return(1) if /^(Invalid|Ambiguous) input:/i;
+
+ s/ Technical Information//i;
+
+ ProcessHistory("COMMENTS","keysort","G0",";$_");
+
+ }
+ return(0);
+ }
+
+ # This routine parses "show config files"
+ sub ShowConfigFiles {
+ print STDERR " In ShowConfigFiles: $_" if ($debug);
+
+ while (<INPUT>) {
+ tr/\015//d;
+ last if (/^$prompt/);
+ next if (/^(\s*|\s*$cmd\s*)$/);
+ return(-1) if (/command authorization failed/i);
+ return(1) if /^(Invalid|Ambiguous) input:/i;
+
+ ProcessHistory("COMMENTS","keysort","H0",";$_");
+
+ }
+ return(0);
+ }
+
+
# This routine processes a "write term"
sub WriteTerm {
print STDERR " In WriteTerm: $_" if ($debug);
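Review bot: `ShowTransceivers` and `ShowConfigFiles` are the same loop with a different keysort key and one extra skip pattern; a single routine taking the key as a parameter would avoid maintaining two copies. Neither strips the `<-+ More -+>` pager prefix that `WriteTerm` handles, so a long transceiver table on a switch whose pager was not disabled will leave the prompt text in the comment block. The literal `transceivers\s*` skip exists because the echoed command wraps and its last word lands on its own line (visible in the raw sample further down); matching the echo against `$cmd` with the wrap tolerated would be more robust than a hard-coded word. Note also that `show tech transceivers` puts SFP serial numbers into the device file, which is the point for inventory, but means every SFP swap shows up as a config diff and the serials land in the repository history and in any diff mail rancid sends.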
***************
*** 291,299 ****
tr/\015//d;
last if(/^$prompt/);
return(-1) if (/command authorization failed/i);
- # the pager can not be disabled per-session on the PIX
s/^<-+ More -+>\s*//;
! s/^$/;/;
# skip the crap
/^running configuration:/i && next;
--- 329,337 ----
tr/\015//d;
last if(/^$prompt/);
return(-1) if (/command authorization failed/i);
s/^<-+ More -+>\s*//;
! # don't touch emty lines /Peo
! # s/^$/;/;
# skip the crap
/^running configuration:/i && next;
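Review bot: `s/^$/;/` is commented out rather than removed, and the new comment has a typo (`emty`). Disabling it changes the stored running config for every existing HP device on the next run, since empty lines were previously written as `;`, so every user upgrading gets a one-time diff on all devices; if the change is wanted it should be called out in the commit message and the dead line deleted. Dropping the stale PIX comment is fine.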
***************
*** 302,307 ****
--- 340,346 ----
s/\$(Revision|Id):/ $1:/;
/^; (\S+) configuration editor;/i &&
ProcessHistory("COMMENTS","keysort","A0",";Chassis type:
$1\n") &&
+ ProcessHistory("","","",";\n;Running config file:\n$_") &&
next;
# order logging statements - doesnt appear to do syslog as of
right now
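Review bot: the new `ProcessHistory("","","",";\n;Running config file:\n$_")` is appended to the `&&` chain that ends in `next`, so the `;Running config file:` header is emitted only when the `configuration editor` line matches, and that matched line `$_` is now written into the config body as well as being summarised under `;Chassis type:`; confirm the duplication is intended rather than a side effect of reusing `$_`. The mail has also wrapped this hunk (`;Chassis type:` / `$1\n") &&` and `as of` / `right now` are split across lines), so it will not apply as pasted.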
***************
*** 474,479 ****
--- 513,520 ----
{'show system information' => 'ShowSystem'},
{'show module' => 'ShowModule'},
{'show stack' => 'ShowStack'},
+ {'show tech transceivers' => 'ShowTransceivers'},
+ {'show config files' => 'ShowConfigFiles'},
{'write term' => 'WriteTerm'}
);
# Use an array to preserve the order of the commands and a hash for
mapping
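Review bot: both new commands are issued on every HP model, including the 2500/4100 series mentioned in the thread; `ShowTransceivers` returns 1 on `Invalid input:`, while the visible routines return -1 for `command authorization failed`, and nothing here says which of those the caller treats as fatal, so check that an older model without `show tech transceivers` does not mark the whole collection as failed. The mail wrapped the `# Use an array ...` context comment (`mapping` on its own line), so this hunk needs re-pasting too.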
***************
*** 539,545 ****
ProcessHistory("COMMENTS","keysort","D0",";\n"); # showflash
ProcessHistory("COMMENTS","keysort","E0",";\n"); # showmodule
ProcessHistory("COMMENTS","keysort","F0",";\n"); # showstack
! ProcessHistory("COMMENTS","keysort","G0",";\n");
TOP: while(<INPUT>) {
tr/\015//d;
if (/$prompt\s*exit\s*$/i) {
--- 580,589 ----
ProcessHistory("COMMENTS","keysort","D0",";\n"); # showflash
ProcessHistory("COMMENTS","keysort","E0",";\n"); # showmodule
ProcessHistory("COMMENTS","keysort","F0",";\n"); # showstack
! ProcessHistory("COMMENTS","keysort","G0",";\n"); #
showtechtransceivers
! ProcessHistory("COMMENTS","keysort","H0",";\n"); # showconfigfiles
! ProcessHistory("COMMENTS","keysort","I0",";\n");
!
TOP: while(<INPUT>) {
tr/\015//d;
if (/$prompt\s*exit\s*$/i) {
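Review bot: the `# showtechtransceivers` comment is wrapped onto its own line in the mail, so this hunk will not apply as shown; please attach the diff rather than pasting it inline. The added `I0` separator takes over the terminating role `G0` had before; each further section will need the letter sequence bumped again, which is fragile but consistent with the existing pattern.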
------------------------------------------------------------------
Also sending you the raw output sample, cut/pasted from "vi", showing some
extra control characters.
----------my_switch.raw------------------------
...
^Mmy_switch# show tech transceivers^M^M
^M
^Mtransceivers^M
^M^M
^MTransceiver Technical Information: ^M
^M Port # | Type | Prod # | Serial # | Part # ^M
^M -------+-----------+--------+------------------+----------^M
^M 51 | 1000SX | J4858B | XXXXXX | ^M
^M^M
^M^M
^Mmy_switch# show config files^M^M
^M
^MConfiguration files:^M
^M^M
^M id | act pri sec | name^M
^M ---+-------------+------------------------------------------------^M
^M 1 | * * * | config1^M
^M 2 | | ^M
^M 3 | | ^M
^M^M
^Mmy_switch#
...
-------------------------
>> Rancid output to switch file from "show tech transceivers" and "show
>> config files" commands
>> ...
>> ;Transceiver:
>> ; Port # | Type | Prod # | Serial # | Part #
>> ; -------+-----------+--------+------------------+----------
>> ; 51 | 1000SX | J4858B | PXXXXX |
>> ;
>> ;Configuration files:
>> ; id | act pri sec | name
>> ; ---+-------------+------------------------------------------------
>> ; 1 | * * * | config1
>> ; 2 | |
>> ; 3 | |
>> ;
>> ...
>>
>>
>> Updated to rancid 2.3.3 this morning and it runs nicely on about 200 HP
>> switches using the included hrancid.in and hlogin.in.
/Peo
----------------------------------------------------------
Per-Olof Olsson Email: peo at chalmers.se
Chalmers tekniska högskola IT-service
Hörsalsvägen 5 412 96 Göteborg
Tel: 031/772 6738 Fax: 031/772 8660
----------------------------------------------------------
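The parsing that the hrancid diff above does for "show tech transceivers" and "show config files", applied to the raw capture sample, as an added example in Python; it is not part of this mail or of rancid (hrancid itself is Perl). It reproduces the per-line handling of the two new routines and of WriteTerm: drop the ^M characters, end a section at the next prompt, skip blank lines and the wrapped command echo, strip a More pager prefix, bail on "command authorization failed" and drop a section on "Invalid input:" (the return(1) case for older models), then render the sections in keysort order with the ";" separator line hrancid adds per bucket. The prompt string, the constructed capture text and the "Invalid input: transceivers" error line are assumptions, not taken from a real switch.

```python
"""Turn a raw hlogin capture of HP ProCurve 'show' output into the
';'-prefixed comment block hrancid writes into the device file."""
import re

# Sort keys for the two commands added in the patch; hrancid's keysort emits
# buckets in key order (G0 before H0), so the renderer sorts by these too.
COMMAND_KEYS = {
    "show tech transceivers": "G0",
    "show config files": "H0",
}
MORE_RE = re.compile(r"^<-+ More -+>\s*")                 # s/^<-+ More -+>\s*//
INVALID_RE = re.compile(r"^(Invalid|Ambiguous) input:", re.I)
AUTHZ_RE = re.compile(r"command authorization failed", re.I)


class AuthorizationFailed(Exception):
    """The switch refused the command (hrancid returns -1 here)."""


def parse_hp_capture(raw, prompt):
    """Return {command: [comment lines]} for the commands we know about.

    `prompt` is the literal prompt (e.g. 'my_switch#'); hrancid learns it from
    the session, here it is passed in (assumption). Unknown commands and
    everything outside a known section are ignored.
    """
    sections = {}
    cmd = None
    for line in raw.split("\n"):
        line = line.replace("\r", "").rstrip()          # tr/\015//d, trailing blanks
        if line.startswith(prompt):                     # last if (/^$prompt/)
            cmd = line[len(prompt):].strip()
            if cmd in COMMAND_KEYS:
                sections[cmd] = []
            else:
                cmd = None
            continue
        if cmd is None:
            continue
        line = MORE_RE.sub("", line)
        # Blank lines, and the echoed command, which the terminal wraps so that
        # only its last word ("transceivers") lands on a line of its own.
        if not line.strip() or line.strip() in (cmd, cmd.split()[-1]):
            continue
        if AUTHZ_RE.search(line):
            raise AuthorizationFailed(line)
        if INVALID_RE.match(line):                      # model lacks the command
            del sections[cmd]
            cmd = None
            continue
        line = re.sub(r" Technical Information", "", line, flags=re.I)
        sections[cmd].append(";" + line)
    return sections


def render_comments(raw, prompt):
    """Render sections in keysort order, each closed by a lone ';' line, which
    is what the extra ProcessHistory(..., ";\\n") calls in the patch produce."""
    sections = parse_hp_capture(raw, prompt)
    out = []
    for cmd in sorted(sections, key=COMMAND_KEYS.get):
        out.extend(sections[cmd])
        out.append(";")
    return "\n".join(out) + ("\n" if out else "")


# Constructed capture modelled on the my_switch.raw sample (^M shown as \r).
SAMPLE = (
    "\rmy_switch# show tech transceivers\r\r\n"
    "\r\n"
    "\rtransceivers\r\n"
    "\r\r\n"
    "\rTransceiver Technical Information: \r\n"
    "\r Port # | Type | Prod # | Serial # | Part # \r\n"
    "\r -------+-----------+--------+------------------+----------\r\n"
    "\r 51 | 1000SX | J4858B | XXXXXX | \r\n"
    "\r\r\n"
    "\rmy_switch# show config files\r\r\n"
    "\r\n"
    "\rConfiguration files:\r\n"
    "\r\r\n"
    "\r id | act pri sec | name\r\n"
    "\r ---+-------------+------------------------------------------------\r\n"
    "\r 1 | * * * | config1\r\n"
    "\r 2 | | \r\n"
    "\r 3 | | \r\n"
    "\r\r\n"
    "\rmy_switch#\r\n"
)

# Constructed capture for an older model; the error text is an assumption.
OLD_MODEL_SAMPLE = (
    "\rold_switch# show tech transceivers\r\r\n"
    "\rInvalid input: transceivers\r\n"
    "\rold_switch# show config files\r\r\n"
    "\rConfiguration files:\r\n"
    "\r 1 | * * * | config1\r\n"
    "\rold_switch#\r\n"
)

if __name__ == "__main__":
    print(render_comments(SAMPLE, "my_switch#"), end="")
    print(render_comments(OLD_MODEL_SAMPLE, "old_switch#"), end="")
```

The prompt is passed in explicitly; hrancid derives it from the first prompt it sees, and the same approach here (take the text up to the first "#") would work for the sample but is not needed to show the parsing.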