From fabizs at yahoo.com Tue Dec 2 17:57:28 2014
From: fabizs at yahoo.com (Fabio Santos)
Date: Tue, 2 Dec 2014 17:57:28 +0000 (UTC)
Subject: [rancid] Fail on Solaris 10
Message-ID: <1321688158.2383019.1417543048080.JavaMail.yahoo@jws10067.mail.ne1.yahoo.com>

Hi all,
Someone can help me, how can I solve this?
during make command...
Making all in bin
> gmake[1]: Entering directory `/tmp/rancid-3.0/bin'
> gcc -DHAVE_CONFIG_H -I. -I../include     -g -O0 -MT hpuifilter.o -MD -MP -MF .deps/hpuifilter.Tpo -c -o hpuifilter.o hpuifilter.c
> mv -f .deps/hpuifilter.Tpo .deps/hpuifilter.Po
> gcc  -g -O0   -o hpuifilter hpuifilter.o
> gcc -DHAVE_CONFIG_H -I. -I../include     -g -O0 -MT par.o -MD -MP -MF .deps/par.Tpo -c -o par.o par.c
> mv -f .deps/par.Tpo .deps/par.Po
> gcc  -g -O0   -o par par.o
> Undefined                       first referenced
>  symbol                             in file
> asprintf                            par.o
> ld: fatal: Symbol referencing errors. No output written to par
> gmake[1]: *** [par] Error 1
> gmake[1]: Leaving directory `/tmp/rancid-3.0/bin'
> make: *** [all-recursive] Error 1
> bash-3.00#
>

I put flags on Make file

#CPPFLAGS += @PG_CPPFLAGS@
#INCLUDES += -I$(top_srcdir)/include @PG_CPPFLAGS@
#INCLUDES += -I$(top_srcdir)/include
#CFLAGS += -g
CFLAGS = -g -O0 -D__EXTENSIONS__

But i had same problem, any other idea?

From heas at shrubbery.net Tue Dec 2 18:21:12 2014
From: heas at shrubbery.net (heasley)
Date: Tue, 2 Dec 2014 18:21:12 +0000
Subject: [rancid] Fail on Solaris 10
In-Reply-To: <1321688158.2383019.1417543048080.JavaMail.yahoo@jws10067.mail.ne1.yahoo.com>
References: <1321688158.2383019.1417543048080.JavaMail.yahoo@jws10067.mail.ne1.yahoo.com>
Message-ID: <20141202182112.GG736@shrubbery.net>

Tue, Dec 02, 2014 at 05:57:28PM +0000, Fabio Santos:
> Hi all,
> Someone can help me, how can I solve this?
> during make command...

do you have sunProCC?
it builds fine for me with sunPro; I believe because gcc destroys the includes in its so-called fixincludes script.

if not, i've added an emulation function for the next release, but i'd rather not spend time walking you through that if it's not necessary.

From gmourani at gmail.com Thu Dec 4 15:31:45 2014
From: gmourani at gmail.com (Gerhard Mourani)
Date: Thu, 4 Dec 2014 10:31:45 -0500
Subject: [rancid] Foundry NetIron MLX MR
Message-ID: <42DFEB0A-A3F3-488C-A4E9-27AE29DA0930@gmail.com>

Hello Guys,

I've a small problem with a Foundry NetIron MLX MR device. The backup is made correctly but message related to "Uptime" is reported every time and because of this, I've a new backup every 2 hours. I would like to know what I can do to stop this kind of false report.

Here the diff related to the line:
!Switch Fabric Module 1 Up Time is 204 days 10 hours 17 minutes 8 seconds
!Switch Fabric Module 1 Up Time is 204 days 12 hours 17 minutes 13 seconds

Gerhard,

From daniel.schmidt at wyo.gov Thu Dec 4 16:38:24 2014
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Thu, 4 Dec 2014 09:38:24 -0700
Subject: [rancid] Foundry NetIron MLX MR
In-Reply-To: <42DFEB0A-A3F3-488C-A4E9-27AE29DA0930@gmail.com>
References: <42DFEB0A-A3F3-488C-A4E9-27AE29DA0930@gmail.com>
Message-ID:

Your francid have something like this?

180 next if (/^(The system |Crash time)/);
181 next if (/^(System|(Active|Standby) Management|LP Slot \d+|Switch Fabric Module \d+) (uptime|Up Time) is/);
182 # remove uptime on newer switches
183 s/(STACKID \d+)\s+system uptime is.*$/$1/;

(Yer line numbers are probably different because I'm too busy/lazy to update my Rancid)

On Thu, Dec 4, 2014 at 8:31 AM, Gerhard Mourani wrote:

> Hello Guys,
>
> I've a small problem with a Foundry NetIron MLX MR device. The backup is
> made correctly but message related to "Uptime" is reported every time and
> because of this, I've a new backup every 2 hours. I would like to know what
> I can do to stop this kind of false report.
>
> Here the diff related to the line:
> !Switch Fabric Module 1 Up Time is 204 days 10 hours 17 minutes 8 seconds
> !Switch Fabric Module 1 Up Time is 204 days 12 hours 17 minutes 13 seconds
>
> Gerhard,
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From me at falz.net Thu Dec 4 21:24:21 2014
From: me at falz.net (Chris Wopat)
Date: Thu, 4 Dec 2014 15:24:21 -0600
Subject: [rancid] Foundry/Brocade addition - show media
Message-ID:

I don't know the official way to submit a feature request/patch, so here goes via this list.

This adds `show media` and `show media validation` to 'francid' which will give useful information about which optics are installed in a device. Tested on a Brocade ICX 6650 and Brocade CER 2024.

http://falz.net/static/francid-media.diff

--Chris

From gmourani at gmail.com Fri Dec 5 14:24:51 2014
From: gmourani at gmail.com (Gerhard Mourani)
Date: Fri, 5 Dec 2014 09:24:51 -0500
Subject: [rancid] Foundry NetIron MLX MR
In-Reply-To:
References: <42DFEB0A-A3F3-488C-A4E9-27AE29DA0930@gmail.com>
Message-ID: <3E51E2EC-7507-405F-B9D7-1BB6CEC9464B@gmail.com>

Hello Daniel,

I use Rancid version 3.1 and there is no francid in this version!

Gerhard,

> On Dec 4, 2014, at 11:38 AM, Daniel Schmidt wrote:
>
> Your francid have something like this?
>
> 180 next if (/^(The system |Crash time)/);
> 181 next if (/^(System|(Active|Standby) Management|LP Slot \d+|Switch Fabric Module \d+) (uptime|Up Time) is/);
> 182 # remove uptime on newer switches
> 183 s/(STACKID \d+)\s+system uptime is.*$/$1/;
>
> (Yer line numbers are probably different because I'm too busy/lazy to update my Rancid)
>
> On Thu, Dec 4, 2014 at 8:31 AM, Gerhard Mourani wrote:
> Hello Guys,
>
> I've a small problem with a Foundry NetIron MLX MR device. The backup is made correctly but message related to "Uptime" is reported every time and because of this, I've a new backup every 2 hours. I would like to know what I can do to stop this kind of false report.
>
> Here the diff related to the line:
> !Switch Fabric Module 1 Up Time is 204 days 10 hours 17 minutes 8 seconds
> !Switch Fabric Module 1 Up Time is 204 days 12 hours 17 minutes 13 seconds
>
> Gerhard,

From boni.br at gmail.com Wed Dec 3 21:36:52 2014
From: boni.br at gmail.com (Wagner Bonifacio Leite)
Date: Wed, 3 Dec 2014 13:36:52 -0800 (PST)
Subject: [rancid] Files by Enterasys switches available!
Message-ID: <35848da9-e0ab-4aed-89d0-c9284db419a1@googlegroups.com>

I come to leave my contribution to the project, sending the files I'm currently using on my Enterasys switches.

I modified the files available in http://sobek.su/Projects/perl/rancid/ and I thank those who maintain the site and provide the files.

Take care to rename the files appropriately and edit and insert the model in the rancid-fe file.
Regards,

-------------- next part --------------
#! /usr/bin/expect --
##
## $Id: entlogin.in 4 2013-01-27 21:15:01Z hsdn $
##
## rancid 2.3.8
## Copyright (c) 1997-2011 by Terrapin Communications, Inc.
## All rights reserved.
##
## This code is derived from software contributed to and maintained by
## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
## Pete Whiting, Austin Schutz, and Andrew Fort.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
## 3. All advertising materials mentioning features or use of this software
##    must display the following acknowledgement:
##        This product includes software developed by Terrapin Communications,
##        Inc. and its contributors for RANCID.
## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
##    contributors may be used to endorse or promote products derived from
##    this software without specific prior written permission.
## 5. It is requested that non-binding fixes and modifications be contributed
##    back to Terrapin Communications, Inc.
##
## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
## ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
#
# The expect login scripts were based on Erik Sherk's gwtn, by permission.
#
# entlogin - Enterasys switches login
#
# 27/01/2012 -- Initial changes for HSDN.ORG Project
# Dmitry Shin -- dmitry.s at hsdn.org
#
# Misc notes
#   netscreen does not have the concept of "enable", once logged in, a
#   users permissions can not change.

# Usage line
set usage "Usage: $argv0 \[-dSV\] \[-c command\] \[-Evar=x\] \
\[-f cloginrc-file\] \[-p user-password\] \
\[-s script-file\] \[-t timeout\] \[-u username\] \
\[-v vty-password\] \[-x command-file\] \
\[-y ssh_cypher_type\] router \[router...\]\n"

# env(CLOGIN) may contain:
#   x == do not set xterm banner or name

# Password file
set password_file $env(HOME)/.cloginrc
# Default is to login to the router
set do_command 0
set do_script 0
# The default is to look in the password file to find the passwords. This
# tracks if we receive them on the command line.
set do_passwd 1
set do_enapasswd 1
# Save config, if prompted
set do_saveconfig 0
# Sometimes routers take awhile to answer (the default is 10 sec)
set timeoutdflt 45
# set send_human {.4 .4 .7 .3 5}

# Find the user in the ENV, or use the unix userid.
if {[info exists env(CISCO_USER)]} {
    set default_user $env(CISCO_USER)
} elseif {[info exists env(USER)]} {
    set default_user $env(USER)
} elseif {[info exists env(LOGNAME)]} {
    set default_user $env(LOGNAME)
} else {
    # This uses "id" which I think is portable. At least it has existed
    # (without options) on all machines/OSes I've been on recently -
    # unlike whoami or id -nu.
    if [catch {exec id} reason] {
        send_error "\nError: could not exec id: $reason\n"
        exit 1
    }
    regexp {\(([^)]*)} "$reason" junk default_user
}
if {[info exists env(CLOGINRC)]} {
    set password_file $env(CLOGINRC)
}

# Process the command line
for {set i 0} {$i < $argc} {incr i} {
    set arg [lindex $argv $i]

    switch -glob -- $arg {
        # Expect debug mode
        -d* {
            exp_internal 1
        # Username
        } -u* {
            if {! [regexp .\[uU\](.+) $arg ignore username] } {
                incr i
                set username [lindex $argv $i]
            }
        # VTY Password
        } -p* {
            if {! [regexp .\[pP\](.+) $arg ignore userpasswd]} {
                incr i
                set userpasswd [lindex $argv $i]
            }
            set do_passwd 0
        # ssh passphrase
        } -r* {
            # ignore -r
        # Environment variable to pass to -s scripts
        } -E* {
            if {[regexp .\[E\](.+)=(.+) $arg ignore varname varvalue]} {
                set E$varname $varvalue
            } else {
                send_user "\nError: invalid format for -E in $arg\n"
                exit 1
            }
        # Command to run.
        } -c* {
            if {! [regexp .\[cC\](.+) $arg ignore command]} {
                incr i
                set command [lindex $argv $i]
            }
            set do_command 1
        # Expect script to run.
        } -s* {
            if {! [regexp .\[sS\](.+) $arg ignore sfile]} {
                incr i
                set sfile [lindex $argv $i]
            }
            if { ! [file readable $sfile] } {
                send_user "\nError: Can't read $sfile\n"
                exit 1
            }
            set do_script 1
        # save config on exit
        } -S* {
            set do_saveconfig 1
        # cypher type
        } -y* {
            if {! [regexp .\[yY\](.+) $arg ignore cypher]} {
                incr i
                set cypher [lindex $argv $i]
            }
        # alternate cloginrc file
        } -f* {
            if {! [regexp .\[fF\](.+) $arg ignore password_file]} {
                incr i
                set password_file [lindex $argv $i]
            }
        # Timeout
        } -t* {
            incr i
            set timeoutdflt [lindex $argv $i]
        # Command file
        } -x* {
            if {! [regexp .\[xX\](.+) $arg ignore cmd_file]} {
                incr i
                set cmd_file [lindex $argv $i]
            }
            if [catch {set cmd_fd [open $cmd_file r]} reason] {
                send_user "\nError: $reason\n"
                exit 1
            }
            set cmd_text [read $cmd_fd]
            close $cmd_fd
            set command [join [split $cmd_text \n] \;]
            set do_command 1
        # Version string
        } -V* {
            send_user "rancid 2.3.8\n"
            exit 0
        # Does tacacs automatically enable us?
        } -autoenable {
            # ignore autoenable
        } -* {
            send_user "\nError: Unknown argument! $arg\n"
            send_user $usage
            exit 1
        } default {
            break
        }
    }
}
# Process routers...no routers listed is an error.
if { $i == $argc } {
    send_user "\nError: $usage"
}

# Only be quiet if we are running a script (it can log its output
# on its own)
if { $do_script } {
    log_user 0
} else {
    log_user 1
}

#
# Done configuration/variable setting. Now run with it...
#

# Sets Xterm title if interactive...if it's an xterm and the user cares
proc label { host } {
    global env
    # if CLOGIN has an 'x' in it, don't set the xterm name/banner
    if [info exists env(CLOGIN)] {
        if {[string first "x" $env(CLOGIN)] != -1} { return }
    }
    # take host from ENV(TERM)
    if [info exists env(TERM)] {
        if [regexp \^(xterm|vs) $env(TERM) ignore] {
            send_user "\033]1;[lindex [split $host "."] 0]\a"
            send_user "\033]2;$host\a"
        }
    }
}

# This is a helper function to make the password file easier to
# maintain. Using this the password file has the form:
# add password sl* pete cow
# add password at* steve
# add password * hanky-pie
proc add {var args} { global int_$var ; lappend int_$var $args}
proc include {args} {
    global env
    regsub -all "(^{|}$)" $args {} args
    if { [regexp "^/" $args ignore] == 0 } {
        set args $env(HOME)/$args
    }
    source_password_file $args
}

proc find {var router} {
    upvar int_$var list
    if { [info exists list] } {
        foreach line $list {
            if { [string match [lindex $line 0] $router] } {
                return [lrange $line 1 end]
            }
        }
    }
    return {}
}

# Loads the password file. Note that as this file is tcl, and that
# it is sourced, the user better know what to put in there, as it
# could install more than just password info... I will assume however,
# that a "bad guy" could just as easy put such code in the clogin
# script, so I will leave .cloginrc as just an extension of that script
proc source_password_file { password_file } {
    global env
    if { ! [file exists $password_file] } {
        send_user "\nError: password file ($password_file) does not exist\n"
        exit 1
    }
    file stat $password_file fileinfo
    if { [expr ($fileinfo(mode) & 007)] != 0000 } {
        send_user "\nError: $password_file must not be world readable/writable\n"
        exit 1
    }
    if [catch {source $password_file} reason] {
        send_user "\nError: $reason\n"
        exit 1
    }
}

# Log into the router.
# returns: 0 on success, 1 on failure, -1 if rsh was used successfully
proc login { router user userpswd passwd enapasswd cmethod cyphertype identfile } {
    global command spawn_id in_proc do_command do_script platform passphrase
    global prompt prompt_match u_prompt p_prompt e_prompt sshcmd
    set in_proc 1
    set uprompt_seen 0

    # try each of the connection methods in $cmethod until one is successful
    set progs [llength $cmethod]
    foreach prog [lrange $cmethod 0 end] {
        incr progs -1
        if [string match "telnet*" $prog] {
            regexp {telnet(:([^[:space:]]+))*} $prog methcmd suffix port
            if {"$port" == ""} {
                set retval [catch {spawn telnet $router} reason]
            } else {
                set retval [catch {spawn telnet $router $port} reason]
            }
            if { $retval } {
                send_user "\nError: telnet failed: $reason\n"
                return 1
            }
        } elseif [string match "ssh*" $prog] {
            # ssh to the router & try to login with or without an identfile.
            regexp {ssh(:([^[:space:]]+))*} $prog methcmd suffix port
            set cmd $sshcmd
            if {"$port" != ""} {
                set cmd "$cmd -p $port"
            }
            if {"$identfile" != ""} {
                set cmd "$cmd -i $identfile"
            }
            set retval [catch {eval spawn [split "$cmd -c $cyphertype -x -l $user $router" { }]} reason]
            if { $retval } {
                send_user "\nError: $cmd failed: $reason\n"
                return 1
            }
        } elseif ![string compare $prog "rsh"] {
            if { ! $do_command } {
                if { [llength $cmethod] == 1 } {
                    send_user "\nError: rsh is an invalid method for -x and "
                    send_user "interactive logins\n"
                }
                if { $progs == 0 } {
                    return 1
                }
                continue;
            }

            set commands [split $command \;]
            set num_commands [llength $commands]
            set rshfail 0
            for {set i 0} {$i < $num_commands && !$rshfail} { incr i} {
                log_user 0
                set retval [catch {spawn rsh $user@$router [lindex $commands $i] } reason]
                if { $retval } {
                    send_user "\nError: rsh failed: $reason\n"
                    log_user 1; return 1
                }
                send_user "$router# [lindex $commands $i]\n"

                # rcmd does not get a pager and no prompts, so we just have to
                # look for failures & lines.
                expect {
                    "Connection refused" {
                        catch {close}; catch {wait};
                        send_user "\nError: Connection\ Refused ($prog): $router\n"
                        set rshfail 1
                    }
                    -re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
                        catch {close}; catch {wait};
                        send_user "\nError: Connection\ closed ($prog): $router\n"
                        set rshfail 1
                    }
                    "Host is unreachable" {
                        catch {close}; catch {wait};
                        send_user "\nError: Host Unreachable:\ $router\n"
                        set rshfail 1
                    }
                    "No address associated with" {
                        catch {close}; catch {wait};
                        send_user "\nError: Unknown host\ $router\n"
                        set rshfail 1
                    }
                    -re "\b+" { exp_continue }
                    -re "\[\n\r]+" {
                        send_user -- "$expect_out(buffer)"
                        exp_continue
                    }
                    timeout {
                        catch {close}; catch {wait};
                        send_user "\nError: TIMEOUT reached\n"
                        set rshfail 1
                    }
                    eof { catch {close}; catch {wait}; }
                }
                log_user 1
            }
            if { $rshfail } {
                if { !$progs } {
                    return 1
                } else {
                    continue
                }
            }
            # fake the end of the session for rancid.
            send_user "$router# exit\n"
            # return rsh "success"
            return -1
        } else {
            send_user "\nError: unknown connection method: $prog\n"
            return 1
        }
        sleep 0.3

        # This helps cleanup each expect clause.
        expect_after {
            timeout {
                send_user "\nError: TIMEOUT reached\n"
                catch {close}; catch {wait};
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            } eof {
                send_user "\nError: EOF received\n"
                catch {close}; catch {wait};
                if { $in_proc} {
                    return 1
                } else {
                    continue
                }
            }
        }

        # Here we get a little tricky. There are several possibilities:
        # the router can ask for a username and passwd and then
        # talk to the TACACS server to authenticate you, or if the
        # TACACS server is not working, then it will use the enable
        # passwd. Or, the router might not have TACACS turned on,
        # then it will just send the passwd.
        # if telnet fails with connection refused, try ssh
        expect {
            -re "(Connection refused|Secure connection \[^\n\r]+ refused)" {
                catch {close}; catch {wait};
                if !$progs {
                    send_user "\nError: Connection Refused ($prog): $router\n"
                    return 1
                }
            }
            -re "(Connection closed by|Connection to \[^\n\r]+ closed)" {
                catch {close}; catch {wait};
                if !$progs {
                    send_user "\nError: Connection closed ($prog): $router\n"
                    return 1
                }
            }
            eof { send_user "\nError: Couldn't login: $router\n"; wait; return 1 }
            -nocase "unknown host\r" {
                send_user "\nError: Unknown host $router\n";
                catch {close}; catch {wait};
                return 1
            }
            "Host is unreachable" {
                send_user "\nError: Host Unreachable: $router\n";
                catch {close}; catch {wait};
                return 1
            }
            "No address associated with name" {
                send_user "\nError: Unknown host $router\n";
                catch {close}; catch {wait};
                return 1
            }
            -re "(Host key not found |The authenticity of host .* be established).* \\(yes/no\\)\\?" {
                send "yes\r"
                send_user "\nHost $router added to the list of known hosts.\n"
                exp_continue
            }
            -re "HOST IDENTIFICATION HAS CHANGED.* \\(yes/no\\)\\?" {
                send "no\r"
                send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
                catch {close}; catch {wait};
                return 1
            }
            -re "HOST IDENTIFICATION HAS CHANGED\[^\n\r]+" {
                send_user "\nError: The host key for $router has changed. Update the SSH known_hosts file accordingly.\n"
                return 1
            }
            -re "Offending key for .* \\(yes/no\\)\\?" {
                send "no\r"
                send_user "\nError: host key mismatch for $router. Update the SSH known_hosts file accordingly.\n"
                catch {close}; catch {wait};
                return 1
            }
            -re "(login:)" {
                sleep 1;
                send -- "$user\r"
                set uprompt_seen 1
                exp_continue
            }
            -re "@\[^\r\n]+\[Pp]assword:" {
                # ssh pwd prompt
                sleep 1
                send -- "$userpswd\r"
                exp_continue
            }
            "\[Pp]assword:" {
                sleep 1;
                if {$uprompt_seen == 1} {
                    send -- "$userpswd\r"
                } else {
                    send -- "$passwd\r"
                }
                exp_continue
            }
            -re "$prompt" { break; }
        }
    }

    set in_proc 0
    return 0
}

# Run commands given on the command line.
proc run_commands { prompt command } {
    global do_saveconfig in_proc platform
    set in_proc 1

    set reprompt $prompt

    log_user 0

    set commands [split $command \;]
    set num_commands [llength $commands]
    for {set i 0} {$i < $num_commands} { incr i} {
        send -- "[subst -nocommands [lindex $commands $i]]\r"
        expect {
            -re "\b+" { exp_continue }
            -re "^\[^\n\r *]*$reprompt" {
                send_user -- "$expect_out(buffer)"
            }
            -re "^\[^\n\r]*$reprompt." {
                send_user -- "$expect_out(buffer)"
                exp_continue
            }
            -re "\[^\r\n]*\[\n\r]+" {
                send_user -- "$expect_out(buffer)"
                exp_continue
            }
            -re "^--More--.*" {
                send -- "c"
                exp_continue
            }
        }
    }
    log_user 1
    sleep 0.1
    send -- "logoff\r"
    expect {
        -re "\[\n\r]+" { exp_continue }
        timeout { catch {close}; catch {wait}; return 0 }
        eof { return 0 }
    }
    set in_proc 0
}

#
# For each router... (this is main loop)
#
source_password_file $password_file
set in_proc 0
set exitval 0
foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user -- "$router\n"

    # device timeout
    set timeout [find timeout $router]
    if { [llength $timeout] == 0 } {
        set timeout $timeoutdflt
    }

    set prompt ">"

    # Figure out passwords
    if { $do_passwd || $do_enapasswd } {
        set pswd [find password $router]
        if { [llength $pswd] == 0 } {
            send_user -- "\nError: no password for $router in $password_file.\n"
            continue
        }
        set passwd [join [lindex $pswd 0] ""]
        set enapasswd [join [lindex $pswd 1] ""]
    } else {
        set passwd $userpasswd
        set enapasswd $enapasswd
    }

    # Figure out username
    if {[info exists username]} {
        # command line username
        set ruser $username
    } else {
        set ruser [join [find user $router] ""]
        if { "$ruser" == "" } { set ruser $default_user }
    }

    # Figure out username's password (if different from the vty password)
    if {[info exists userpasswd]} {
        # command line username
        set userpswd $userpasswd
    } else {
        set userpswd [join [find userpassword $router] ""]
        if { "$userpswd" == "" } { set userpswd $passwd }
    }

    # Figure out identity file to use
    set identfile [join [lindex [find identity $router] 0] ""]

    # Figure out cypher type
    if {[info exists cypher]} {
        # command line cypher type
        set cyphertype $cypher
    } else {
        set cyphertype [find cyphertype $router]
        if { "$cyphertype" == "" } { set cyphertype "3des" }
    }

    # Figure out connection method
    set cmethod [find method $router]
    if { "$cmethod" == "" } { set cmethod {{telnet} {ssh}} }

    # Figure out the SSH executable name
    set sshcmd [join [lindex [find sshcmd $router] 0] ""]
    if { "$sshcmd" == "" } { set sshcmd {ssh} }

    # Login to the router
    if {[login $router $ruser $userpswd $passwd $enapasswd $cmethod $cyphertype $identfile]} {
        incr exitval
        # if login failed, move on to the next device
        continue
    }

    # we are logged in, now figure out the full prompt
    send "\r"
    expect {
        -re "\[\r\n]+" { exp_continue; }
        -re "^(.+$prompt)" {
            set junk $expect_out(0,string);
            # if it has HA (high avail), the prompt will
            # be "something-(.)->"
            regsub -all "\[\]\)\(\[]" $junk {\\&} prompt;
        }
    }

    if { $do_command } {
        if {[run_commands $prompt $command]} {
            incr exitval
            continue
        }
    } elseif { $do_script } {
        send "set console page 0\r"
        expect -re $prompt {}
        source $sfile
        catch {close};
    } else {
        label $router
        log_user 1
        interact
    }

    # End of for each router
    catch {wait};
    sleep 0.3
}
exit $exitval

-------------- next part --------------
#! /usr/bin/perl
##
## $Id: entrancid.in 2328 2013-01-27 21:57:20Z hsdn $
##
## rancid 2.3.8
## Copyright (c) 1997-2008 by Terrapin Communications, Inc.
## All rights reserved.
##
## This code is derived from software contributed to and maintained by
## Terrapin Communications, Inc. by Henry Kilmer, John Heasley, Andrew Partan,
## Pete Whiting, Austin Schutz, and Andrew Fort.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions
## are met:
## 1. Redistributions of source code must retain the above copyright
##    notice, this list of conditions and the following disclaimer.
## 2. Redistributions in binary form must reproduce the above copyright
##    notice, this list of conditions and the following disclaimer in the
##    documentation and/or other materials provided with the distribution.
## 3. All advertising materials mentioning features or use of this software
##    must display the following acknowledgement:
##        This product includes software developed by Terrapin Communications,
##        Inc. and its contributors for RANCID.
## 4. Neither the name of Terrapin Communications, Inc. nor the names of its
##    contributors may be used to endorse or promote products derived from
##    this software without specific prior written permission.
## 5. It is requested that non-binding fixes and modifications be contributed
##    back to Terrapin Communications, Inc.
##
## THIS SOFTWARE IS PROVIDED BY Terrapin Communications, INC. AND CONTRIBUTORS
## ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
## TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
## PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COMPANY OR CONTRIBUTORS
## BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
## INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
## CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
## ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
#
# Amazingly hacked version of Hank's rancid - this one tries to
# deal with Enterasys.
#
# RANCID - Really Awesome New Cisco confIg Differ
#
# usage: rancid [-dV] [-l] [-f filename | hostname]
#
use Getopt::Std;
getopts('dflV');
if ($opt_V) {
    print "rancid 2.3.8\n";
    exit(0);
}
$log = $opt_l;
$debug = $opt_d;
$file = $opt_f;
$host = $ARGV[0];
$clean_run = 0;
$found_end = 0;                 # unused - Enterasys
                                # lacks an end-of-config tag
$timeo = 90;                    # entlogin timeout in seconds

my(@commandtable, %commands, @commands);# command lists
my($systeminfo) = 0;            # show system-information

# This routine is used to print out the router configuration
sub ProcessHistory {
    my($new_hist_tag,$new_command,$command_string,@string) = (@_);
    if ((($new_hist_tag ne $hist_tag) || ($new_command ne $command))
        && scalar(%history)) {
        print eval "$command \%history";
        undef %history;
    }
    if (($new_hist_tag) && ($new_command) && ($command_string)) {
        if ($history{$command_string}) {
            $history{$command_string} = "$history{$command_string}@string";
        } else {
            $history{$command_string} = "@string";
        }
    } elsif (($new_hist_tag) && ($new_command)) {
        $history{++$#history} = "@string";
    } else {
        print "@string";
    }
    $hist_tag = $new_hist_tag;
    $command = $new_command;
    1;
}

sub numerically { $a <=> $b; }

# This is a sort routine that will sort numerically on the
# keys of a hash as if it were a normal array.
sub keynsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort numerically keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# keys of a hash as if it were a normal array.
sub keysort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort keys(%lines)) {
        $sorted_lines[$i] = $lines{$key};
        $i++;
    }
    @sorted_lines;
}

# This is a sort routine that will sort on the
# values of a hash as if it were a normal array.
sub valsort{
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $key (sort values %lines) {
        $sorted_lines[$i] = $key;
        $i++;
    }
    @sorted_lines;
}

# This is a numerical sort routine (ascending).
sub numsort {
    local(%lines) = @_;
    local($i) = 0;
    local(@sorted_lines);
    foreach $num (sort {$a <=> $b} keys %lines) {
        $sorted_lines[$i] = $lines{$num};
        $i++;
    }
    @sorted_lines;
}

# This routine parses "show switch"
sub ShowSwitch {
    print STDERR " In ShowSwitch: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        s/\x1b.*\x4b//;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        # skip Thermal Threshold
        next if (/Thermal Threshold/);
        # skip system uptime strings
        s/sysUpTime:.*//;
        s/\s*Time\s.*.$//;
        next if (/UpTime/);
        next if (/5 min/);
        next if (/^(\d+) \(.*days.*\)$/);
        next if (/^(\d+) \(.*(\d+)\:(\d+)\:(\d+).*\)$/);
        return(1) if /^$prompt/i;
        ProcessHistory("COMMENTS","keysort","IO","# $_");
    }
    return(0);
}

# This routine processes a "write term"
sub WriteTerm {
    print STDERR " In WriteTerm: $_" if ($debug);

    while (<INPUT>) {
        tr/\015//d;
        s/\x1b.*\x4b//;
        if (/$prompt.*logoff/i) {
            $clean_run=1;
            last;
        }
        last if(/^$prompt/);
        # the pager can not be disabled per-session
        s/^<-+ More -+>\s*//;
        s/^$/#/;
        # catch anything that wasn't matched above.
        ProcessHistory("","","","$_");
    }
    return(0);
}

# dummy function
sub DoNothing {print STDOUT;}

# Main
@commandtable = (
    {'show system'      => 'ShowSwitch'},
    {'show switch'      => 'ShowSwitch'},
    {'show interface'   => 'ShowSwitch'},
    {'show ip'          => 'ShowSwitch'},
    {'show vlan'        => 'ShowSwitch'},
    {'show config'      => 'WriteTerm'},
);
# Use an array to preserve the order of the commands and a hash for mapping
# commands to the subroutine and track commands that have been completed.
@commands = map(keys(%$_), @commandtable);
%commands = map(%$_, @commandtable);

$cisco_cmds=join(";",@commands);
$cmds_regexp = join("|", map quotemeta($_), @commands);

if (length($host) == 0) {
    if ($file) {
        print(STDERR "Too few arguments: file name required\n");
        exit(1);
    } else {
        print(STDERR "Too few arguments: host name required\n");
        exit(1);
    }
}
open(OUTPUT,">$host.new") || die "Can't open $host.new for writing: $!\n";
select(OUTPUT);
# make OUTPUT unbuffered if debugging
if ($debug) { $| = 1; }

if ($file) {
    print STDERR "opening file $host\n" if ($debug);
    print STDOUT "opening file $host\n" if ($log);
    open(INPUT,"<$host") || die "open failed for $host: $!\n";
} else {
    print STDERR "executing entlogin -t $timeo -c \"$cisco_cmds\" $host\n" if ($debug);
    print STDOUT "executing entlogin -t $timeo -c \"$cisco_cmds\" $host\n" if ($log);
    if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
        system "entlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null > $host.raw 2>&1" || die "entlogin failed for $host: $!\n";
        open(INPUT, "< $host.raw") || die "entlogin failed for $host: $!\n";
    } else {
        open(INPUT,"entlogin -t $timeo -c \"$cisco_cmds\" $host </dev/null |") || die "entlogin failed for $host: $!\n";
    }
}

TOP: while(<INPUT>) {
    tr/\015//d;
    if (/$prompt.*logoff/i) {
        $clean_run=1;
        last;
    }
    if (/^Error:/) {
        print STDOUT ("$host clogin error: $_");
        print STDERR ("$host clogin error: $_") if ($debug);
        $clean_run=0;
        last;
    }
    while (/>\s*($cmds_regexp)\s*$/) {
        $cmd = $1;
        if (!defined($prompt)) {
            $prompt = ($_ =~ /^([^>]+)/)[0];
            $prompt =~ s/([][}{)(\\])/\\$1/g;
            $prompt .= "[#>]";
            print STDERR ("PROMPT MATCH: $prompt\n") if ($debug);
        }
        print STDERR ("HIT COMMAND:$_") if ($debug);
        if (! defined($commands{$cmd})) {
            print STDERR "$host: found unexpected command - \"$cmd\"\n";
            $clean_run = 0;
            last TOP;
        }
        $rval = &{$commands{$cmd}};
        delete($commands{$cmd});
        if ($rval == -1) {
            $clean_run = 0;
            last TOP;
        }
    }
}
print STDOUT "Done $logincmd: $_\n" if ($log);
# Flush History
ProcessHistory("","","","");
# Cleanup
close(INPUT);
close(OUTPUT);

if (defined($ENV{NOPIPE}) && $ENV{NOPIPE} =~ /^YES/i) {
    unlink("$host.raw") if (! $debug);
}

# check for completeness
if (scalar(%commands) || !$clean_run) {
    if (scalar(%commands)) {
        printf(STDOUT "$host: missed cmd(s): %s\n", join(',', keys(%commands)));
        printf(STDERR "$host: missed cmd(s): %s\n", join(',', keys(%commands))) if ($debug);
    }
    if (!$clean_run) {
        print STDOUT "$host: End of run not found\n";
        print STDERR "$host: End of run not found\n" if ($debug);
        system("/usr/bin/tail -1 $host.new");
    }
    unlink "$host.new" if (! $debug);
}

From roman.hochuli at nexellent.ch Tue Dec 9 08:51:16 2014
From: roman.hochuli at nexellent.ch (Roman Hochuli)
Date: Tue, 9 Dec 2014 09:51:16 +0100
Subject: [rancid] Foundry/Brocade addition - show media
In-Reply-To:
References:
Message-ID: <5486B804.1010700@nexellent.ch>

Hello Chris

> This adds `show media` and `show media validation` to 'francid' which
> will give useful information about which optics are installed in a
> device. Tested on a Brocade ICX 6650 and Brocade CER 2024.
>
> http://falz.net/static/francid-media.diff

I like the idea of keeping track of optics. But what output should "show media validation" produce? I tried this on a bunch of devicetypes (rx/icx/fcx/fesx/mlxe/xmr) and none of them support that command.

--
Best regards,

Roman Hochuli
Operations Manager

nexellent ag
Saegereistrasse 33
CH-8152 Glattbrugg
Phone: +41 44 872 20 00
Fax: +41 44 872 20 01
URL: www.nexellent.ch
X-NCC-RegID: ch.nexellent

Imagination is the one weapon in the war against reality.
-- Jules de Gaultier

From Michael.Josten at hs-niederrhein.de Tue Dec 9 11:43:01 2014
From: Michael.Josten at hs-niederrhein.de (Josten, Michael)
Date: Tue, 9 Dec 2014 12:43:01 +0100
Subject: [rancid] Foundry/Brocade addition - show media
In-Reply-To: <5486B804.1010700@nexellent.ch>
References: <5486B804.1010700@nexellent.ch>
Message-ID: <9BDA0B754D62C64FBE6B0CFFA429C47A318950B4EC@prometheus>

I checked the command on an icx 6610 device with fw version 8 and it exists.
On a fcx switch with firmware version 7.2 it doesn't exist. Neither is this
command available on fw version 7.4.
I also checked an ICX7750 device with fw version 8 and the command is
available.
It is most likely that this command isn't available in firmware version
below v.8

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss

From roman.hochuli at nexellent.ch Wed Dec 10 10:11:15 2014
From: roman.hochuli at nexellent.ch (Roman Hochuli)
Date: Wed, 10 Dec 2014 11:11:15 +0100
Subject: [rancid] Foundry/Brocade addition - show media
In-Reply-To: <9BDA0B754D62C64FBE6B0CFFA429C47A318950B4EC@prometheus>
References: <5486B804.1010700@nexellent.ch> <9BDA0B754D62C64FBE6B0CFFA429C47A318950B4EC@prometheus>
Message-ID: <54881C43.7010007@nexellent.ch>

Hello Michael

> I checked the command on an icx 6610 device with fw version 8 and it exists.

It seems you're right. I even found some documentation for it after
digging into it:
http://www.brocade.com/downloads/documents/html_product_manuals/FI_08010_ADMIN/GUID-DB102C16-80A4-4AAC-B400-DB564D79DACD.html

Apparently really a new feature in FastIron firmware release 8.

--
Best regards,
Roman Hochuli
Operations Manager
nexellent ag
Saegereistrasse 33
CH-8152 Glattbrugg
Phone: +41 44 872 20 00
Fax: +41 44 872 20 01
URL: www.nexellent.ch
X-NCC-RegID: ch.nexellent

Imagination is the one weapon in the war against reality.
-- Jules de Gaultier

From me at falz.net Wed Dec 10 14:06:40 2014
From: me at falz.net (Chris Wopat)
Date: Wed, 10 Dec 2014 08:06:40 -0600
Subject: [rancid] Foundry/Brocade addition - show media
In-Reply-To: <5486B804.1010700@nexellent.ch>
References: <5486B804.1010700@nexellent.ch>
Message-ID:

On Tue, Dec 9, 2014 at 2:51 AM, Roman Hochuli wrote:
>
> I like the idea of keeping track of optics. But what output should "show
> media validation" produce? I tried this on a bunch of devicetypes
> (rx/icx/fcx/fesx/mlxe/xmr) and none of them support that command.

I have two devices to test on - ICX6550, CER2024F. It works on the ICX,
not on the CER. ICX is running 8.x code.

On CER, `show media` shows vendor information, but not on ICX which is
why it was included.
Here's some sample CER output:

#show media validation
Port     Supported  Vendor            Type
----------------------------------------------------------------------
1/1/2    Yes        CISCO-MODULETEK   1G M-LX(SFP)
1/1/4    Yes        MODULETEK         10GE LR 10km (SFP +)
1/1/31   Yes        MODULETEK         10GE ER 40km (SFP+)
1/1/32   Yes        Brocade           10GE ER 40km (SFP+)

#show media | exclude EMPTY
Port 1/1/1: Type : 1G M-TX(SFP)
Port 1/1/2: Type : 1G M-LX(SFP)
Port 1/1/4: Type : 10GE LR 10km (SFP +)
Port 1/1/31: Type : 10GE ER 40km (SFP +)
Port 1/1/32: Type : 10GE ER 40km (SFP +)

--Chris

From lsy.annie at gmail.com Wed Dec 10 01:09:59 2014
From: lsy.annie at gmail.com (Annie Lee)
Date: Wed, 10 Dec 2014 12:09:59 +1100
Subject: [rancid] Rancid 2.3.8 with f5 11.5 and partitions
Message-ID:

Hi experts,

I'm trying to include F5 (v11.5 with partitions) into my newly installed
2.3.8 rancid, searched for few days but can't find a detailed steps. (only
found bits and pieces, tried and not working)
Can anyone be kind enough to assist me ??

1. Apply 2.3.8 patch ? How ?
2. Update the f5rancid file from github ?
3. amend the router.db file to include the f5 devices
4. rancid-run

Thanks in advance.

From lsy.annie at gmail.com Thu Dec 11 02:11:56 2014
From: lsy.annie at gmail.com (Annie Lee)
Date: Thu, 11 Dec 2014 13:11:56 +1100
Subject: [rancid] FW: Rancid 2.3.8 with f5 11.5 and partitions
In-Reply-To: <0F94C3474BE7B148B3D03E90547E96FF29350F6D@SNMEXCH1.nsrc.private>
References: <0F94C3474BE7B148B3D03E90547E96FF29350F6D@SNMEXCH1.nsrc.private>
Message-ID:

Hi All,

Managed to get it work already :-)
But might need additional help as we configured partitions and i snmp v3
and always get the diff emails for the snmpv3 encrypted password.
Is there any fine-tuning can be done to ignore that ??
  sys-contact "Network Administrator"
  sys-location "US"
  traps {
  i10_1_1_1_1 {
- auth-password-encrypted ",8j at T9LNVL`KXjE<4TZVKW63;`4S>GYOiD\\\?ac;q7\\]CT=b"
+ auth-password-encrypted (VY9P=bgmYeP>dSQ\?E]ciXg4Z48 at p68RHW8.KeNV2/sVP3g
  auth-protocol sha
  host 10.1.1.1
- privacy-password-encrypted AbX>2F2H=4 at snS=>e`@f5_X_^MA7R@[3dm:Eg[[[.NTmE2d
+ privacy-password-encrypted MY*WZCNWVD>:VV9k8NBAiXKFH>^V>3vJOT7fMQF2)5apl5=
  privacy-protocol des

Thanks..

On Thu, Dec 11, 2014 at 4:47 AM, Michael Sloan <
Michael.Sloan at nsrc.myflorida.com> wrote:

> Hi -
>
> We have several F5 devices running 11.4 here, and the only real issues I
> encountered was finding a suitable F5 script, as the one installed here
> when I started a year ago did not have v11 support. Aside from that, it was
> pretty much like adding any other device to rancid - edit the router.db and
> specify the device type as 'f5'. If you don't have the v11 scripts for F5,
> I can send them to you, The obvious difference is the v10 F5 commands all
> start with 'bigpipe' (e.g. bigpipe profile list), while the v11 commands
> start with 'tmsh' (e.g. tmsh show sys hardware)
>
> Michael Sloan
> Network Systems Programmer II
> Northwood Shared Resource Center
> Agency for State Technology
> 1940 North Monroe Street
> Northwood Center, Suite 80
> Tallahassee, FL 32399-0710
> Phone: (850) 922-5476
> Michael.Sloan at nsrc.myflorida.com

From lsy.annie at gmail.com Thu Dec 11 02:27:28 2014
From: lsy.annie at gmail.com (Annie Lee)
Date: Thu, 11 Dec 2014 13:27:28 +1100
Subject: [rancid] WLC - ignore 'rogue-ap'
Message-ID:

Hi Experts,

Managed to add WLC to the list (with wlogin and ciscowlc5 added)
But will get a diff email everytime with the below :

*rogue adhoc alert 01:04:00:14:43:61*

Anyway to ignore that ??

Thanks..

From lsy.annie at gmail.com Thu Dec 11 03:31:35 2014
From: lsy.annie at gmail.com (Annie Lee)
Date: Thu, 11 Dec 2014 14:31:35 +1100
Subject: [rancid] Ommiting chatty configuration entries on Cisco WLC
Message-ID:

Sorry to 'revive' an old thread.. just wondering did you get the right perl
command to ignore rogue aps ?

On 11/29/10, Nesbitt, Kevin wrote:
> Hello Folks,
>
> I'm hoping one of you fine folks could point me in the direction of how to
> add a line into the ciscowlc5 script that will omit any lines in the
> configuration of a Cisco WLC starting with "rogue ap classify".
>
> I've added the following line into the ciscwlc5 script which clearly isn't
> working. Then again, I'm quite the perl noob :)
>
> /\s+rogue ap classify+$/ && next;

It's not like I'm all that good w/ perl either, but try
  next if (/ rogue ap classify\s*$/);

Lee
From heas at shrubbery.net Thu Dec 11 15:59:46 2014
From: heas at shrubbery.net (heasley)
Date: Thu, 11 Dec 2014 15:59:46 +0000
Subject: [rancid] WLC - ignore 'rogue-ap'
In-Reply-To:
References:
Message-ID: <20141211155946.GA58377@shrubbery.net>

Thu, Dec 11, 2014 at 01:27:28PM +1100, Annie Lee:
> Hi Experts,
>
> Managed to add WLC to the list (with wlogin and ciscowlc5 added)
> But will get a diff email everytime with the below :
>
> *rogue adhoc alert 01:04:00:14:43:61*
>
> Anyway to ignore that ??

shouldn't you fix that, not ignore it? isn't that a legitimate problem?

From ryan.woerth at sonicfoundry.com Thu Dec 11 22:22:43 2014
From: ryan.woerth at sonicfoundry.com (Ryan Woerth)
Date: Thu, 11 Dec 2014 22:22:43 +0000
Subject: [rancid] Cisco 2500
Message-ID: <6278FE63FDD91E478BC22DF853A8C993B84449@postal.sonicfoundry.net>

Working with Rancid 2.3.6-2 on Ubuntu 12.04.5 and trying to back up a Cisco
Wireless Controller running 7.4.121.0. I have wlogin and ciscowlc5 in the
bin directory. I've added 'cisco-wlc' => 'ciscowlc' and
'cisco-wlc5' => 'ciscowlc5' as suggested in another thread here.

Also, my .cloginrc is:

add user device name
add autoenable device 1
add password device pwd pwd

Yes when I run it, it still tries to send the enable command after it's
logged in. Any ideas?

Ryan

From rancid at ale.cx Fri Dec 12 22:47:55 2014
From: rancid at ale.cx (Alex DEKKER)
Date: Fri, 12 Dec 2014 22:47:55 +0000
Subject: [rancid] WLC - ignore 'rogue-ap'
In-Reply-To: <20141211155946.GA58377@shrubbery.net>
References: <20141211155946.GA58377@shrubbery.net>
Message-ID: <548B709B.3090004@ale.cx>

On 11/12/14 15:59, heasley wrote:
> Thu, Dec 11, 2014 at 01:27:28PM +1100, Annie Lee:
>> *rogue adhoc alert 01:04:00:14:43:61*
>>
>> Anyway to ignore that ??
> shouldn't you fix that, not ignore it? isn't that a legitimate problem?
>
IME these rogue alerts from WLCs are pointless - they're invariably
someone walking down the street with a hotspot enabled on their phone,
or an AP at the company next door, etc. The only time they would be of
any use is if you can guarantee none of your APs would ever be able to
hear such things outwith your premises.

Malicious rogue [something with your SSID but not part of your network]
alerts, on the other hand, are much more interesting.

alexd

From daniel.schmidt at wyo.gov Fri Dec 12 17:04:17 2014
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Fri, 12 Dec 2014 10:04:17 -0700
Subject: [rancid] WLC - ignore 'rogue-ap'
In-Reply-To: <20141211155946.GA58377@shrubbery.net>
References: <20141211155946.GA58377@shrubbery.net>
Message-ID:

Everybody's got a hotspot on their phone. Somewhere around 169-ish

if ( /^\s*rogue ap classify/ ) { $skipprocess=1; }
if ( /^\s*rogue adhoc alert/ ) { $skipprocess=1; }

E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act and may be disclosed to third parties.
From Prasad.Jadhav at alepo.com Fri Dec 12 06:05:01 2014
From: Prasad.Jadhav at alepo.com (Prasad Jadhav)
Date: Fri, 12 Dec 2014 06:05:01 +0000
Subject: [rancid] terminal length 0 rancid
Message-ID:

Hi,

I configured the rancid 3.1 on centos 7 but facing issue with CISCO switch

When I ran clogin command getting following error

[rancid at localhost bin]$ ./clogin -c "show version"sw1
sw1
spawn ssh -c 3des -x -l test sw1
test at sw1's password:

SW1#
SW1#terminal length 0
% Unrecognized command
SW1#

Please let me know how to resolve this.

Regards,
Prasad Jadhav

________________________________
This email (message and any attachment) is confidential and may be
privileged. If you are not certain that you are the intended recipient,
please notify the sender immediately by replying to this message, and
delete all copies of this message and attachments. Any other use of this
email by you is prohibited.
________________________________

From dan.w.anderson at gmail.com Sat Dec 13 17:13:49 2014
From: dan.w.anderson at gmail.com (Dan Anderson)
Date: Sat, 13 Dec 2014 12:13:49 -0500
Subject: [rancid] terminal length 0 rancid
In-Reply-To:
References:
Message-ID:

What model switch is it and what software version is running on it?

--
Dan

From lsy.annie at gmail.com Sat Dec 13 18:11:57 2014
From: lsy.annie at gmail.com (Annie Lee)
Date: Sun, 14 Dec 2014 05:11:57 +1100
Subject: [rancid] WLC - ignore 'rogue-ap'
In-Reply-To:
References: <20141211155946.GA58377@shrubbery.net>
Message-ID:

Hi Daniel,

It worked ! Thank you very much for your help...

Rgds...
From chris at uminac.com Mon Dec 15 13:19:07 2014
From: chris at uminac.com (Christopher J. Umina)
Date: Mon, 15 Dec 2014 08:19:07 -0500
Subject: [rancid] prefix-list random order bug
Message-ID:

Hi,

Excuse me if somebody's solved this already, but I'm running into the same
issue as described here:

http://www.shrubbery.net/pipermail/rancid-discuss/2014-May/007630.html

Has this been fixed?

Thanks,

--
Christopher J. Umina
chris at uminac.com
781 354 0535

From alan.mckinnon at gmail.com Mon Dec 15 14:48:57 2014
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Mon, 15 Dec 2014 16:48:57 +0200
Subject: [rancid] prefix-list random order bug
In-Reply-To:
References:
Message-ID: <548EF4D9.6090103@gmail.com>

On 15/12/2014 15:19, Christopher J. Umina wrote:
> Hi,
>
> Excuse me if somebody's solved this already, but I'm running into the
> same issue as described here:
>
> http://www.shrubbery.net/pipermail/rancid-discuss/2014-May/007630.html
>
> Has this been fixed?

If that's the one I think it is, I needed to do quite a few fixes to ACL
handling - Cisco changed something in the output format in some OSes.

The most common error is that the ACL ordering is still technically
correct, but the exact sequence is somewhat random because rancid can't
find the exact fields to sort on.

Patches exist, search the archives for threads where I posted,
especially threads I started. If you are running 2.3.8, try upgrading to
the latest point version (heasley may have applied the patches). If not,
apply them manually (they apply cleanly). I have changed jobs in the
interim and no longer have access to my patches there, but a well-worded
Google search will find them for you.
--
Alan McKinnon
alan.mckinnon at gmail.com

From Prasad.Jadhav at alepo.com Mon Dec 15 03:57:37 2014
From: Prasad.Jadhav at alepo.com (Prasad Jadhav)
Date: Mon, 15 Dec 2014 03:57:37 +0000
Subject: [rancid] terminal length 0 rancid
In-Reply-To:
References:
Message-ID:

Hi Dan,

I am using rancid 3.1 version and small business SG300-52 52-Port Gigabit
Managed Switch.

Regards,
Prasad Jadhav

From heas at shrubbery.net Mon Dec 15 19:02:53 2014
From: heas at shrubbery.net (heasley)
Date: Mon, 15 Dec 2014 19:02:53 +0000
Subject: [rancid] prefix-list random order bug
In-Reply-To: <548EF4D9.6090103@gmail.com>
References: <548EF4D9.6090103@gmail.com>
Message-ID: <20141215190253.GE3371@shrubbery.net>

Mon, Dec 15, 2014 at 04:48:57PM +0200, Alan McKinnon:
> On 15/12/2014 15:19, Christopher J. Umina wrote:
> > Hi,
> >
> > Excuse me if somebody's solved this already, but I'm running into the
> > same issue as described here:
> >
> > http://www.shrubbery.net/pipermail/rancid-discuss/2014-May/007630.html
> >
> > Has this been fixed?
>
> If that's the one I think it is, I needed to do quite a few fixes to ACL
> handling - Cisco changed something in the output format in some OSes.
>
> The most common error is that the ACL ordering is still technically
> correct, but the exact sequence is somewhat random because rancid can't
> find the exact fields to sort on.
>
> Patches exist, search the archives for threads where I posted,
> especially threads I started. If you are running 2.3.8, try upgrading to
> the latest point version (heasley may have applied the patches). If not,
> apply them manually (they apply cleanly). I have changed jobs in the
> interim and no longer have access to my patches there, but a well-worded
> Google search will find them for you.

there are problems with sorting v6; which I nearly have corrected. there is
a bug remaining, but i've had time due to travel. until that is available in
3.2, sorting can be disabled in rancid.conf.

From chris at uminac.com Mon Dec 15 19:08:10 2014
From: chris at uminac.com (Christopher J. Umina)
Date: Mon, 15 Dec 2014 14:08:10 -0500
Subject: [rancid] prefix-list random order bug
In-Reply-To: <20141215190253.GE3371@shrubbery.net>
References: <548EF4D9.6090103@gmail.com> <20141215190253.GE3371@shrubbery.net>
Message-ID:

Sorry, I should have clarified,

I'm using the 100% default rancid.conf (except LIST_OF_GROUPS, of course),
so ACLSORT is disabled.

# uname -a
> FreeBSD test.box 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11
> 21:02:49 UTC 2014 root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
> amd64
> # pkg info perl\* rancid\*
> perl5-5.18.4_10
> rancid3-3.1_1

This issue didn't occur until I upgraded to FreeBSD 10.1 and all packages
were upgraded. Not sure what the original version of Perl was, but I have
a feeling that's what broke things.

Anything I can do to help here?
--
Christopher J. Umina
chris at uminac.com
781 354 0535

From adudek16 at gmail.com Mon Dec 15 22:32:43 2014
From: adudek16 at gmail.com (Aaron Dudek)
Date: Mon, 15 Dec 2014 17:32:43 -0500
Subject: [rancid] terminal length 0 rancid
In-Reply-To:
References:
Message-ID:

What is the code on the switch?
This switch doesn't run IOS or CatOS. It is a linksys switch with the Cisco
label on it.
I don't think Rancid has official support for it.
You might want to check this out

https://github.com/chrpinedo/rancid-cisco-sb
From alan.mckinnon at gmail.com Tue Dec 16 11:33:09 2014
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 16 Dec 2014 13:33:09 +0200
Subject: [rancid] prefix-list random order bug
In-Reply-To:
References: <548EF4D9.6090103@gmail.com> <20141215190253.GE3371@shrubbery.net>
Message-ID: <54901875.2070201@gmail.com>

On 15/12/2014 21:08, Christopher J. Umina wrote:
> Sorry, I should have clarified,
>
> I'm using the 100% default rancid.conf (except LIST_OF_GROUPS, of
> course), so ACLSORT is disabled.
>
> # uname -a
> FreeBSD test.box 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue
> Nov 11 21:02:49 UTC 2014
> root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
> # pkg info perl\* rancid\*
> perl5-5.18.4_10
> rancid3-3.1_1
>
>
> This issue didn't occur until I upgraded to FreeBSD 10.1 and all
> packages were upgraded. Not sure what the original version of Perl was,
> but I have a feeling that's what broke things.

You might be right.

Somewhere around perl 5.14 or 5.16 the implementation of associative
arrays (hashes) was changed. The order of keys for a given hash was
randomly distributed but consistent from one run to the next. The change
made keys always come out in a random order. I had to fix a few in-house
apps at the time.

It's possible your version of rancid relies on the old behaviour. I
don't have a working install handy to investigate, but thought it worth
mentioning.

--
Alan McKinnon
alan.mckinnon at gmail.com

From JHumes at acs.on.ca Tue Dec 16 14:43:02 2014
From: JHumes at acs.on.ca (Jason Humes)
Date: Tue, 16 Dec 2014 14:43:02 +0000
Subject: [rancid] Securing RANCID installation
Message-ID: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>

Hi
Are there any tips or best practices for securing a RANCID
installation...the clogin files, the backed up configs, etc.

Thanks for any advice! :)

Cheers

Jason

From Douglas.Hughes at DEShawResearch.com Tue Dec 16 14:58:55 2014
From: Douglas.Hughes at DEShawResearch.com (Hughes, Doug)
Date: Tue, 16 Dec 2014 14:58:55 +0000
Subject: [rancid] Securing RANCID installation
In-Reply-To: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
References: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
Message-ID:

1) rancid already eliminates the passwords from the configs - that's
   pretty significant
2) define a rancid group.
3) make a rancid user that is part of that group
4) make the rancid writable directories be chmod g+s for that group, and
   make the umask 022 to prevent other people from reading the files (if
   so inclined - depending on your security needs)

Optionally, store the versioned configs in a repository with restricted
permissions for view (e.g. git+gerrit or just git or perforce or whatever)
or use a local repository (again git, svn, cvs, whatever) that has
permissions for the rancid group.

If you use a web server that diffs these things for quick visual,
colorized config audits, make sure you protect that with the same level of
permissions. Define passwords or http access lists or whatever according
to your needs.

From rancid at gheek.net Tue Dec 16 14:55:50 2014
From: rancid at gheek.net (Lance Vermilion)
Date: Tue, 16 Dec 2014 07:55:50 -0700
Subject: [rancid] Securing RANCID installation
In-Reply-To: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
References: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
Message-ID:

No one has access to the server running rancid unless necessary.
Provide access via webpage.
Attempts at encrypting the .cloginrc always seem fruitless because you
provide a way to decrypt somewhere.
You could always look at doing ACLs to restrict and log who can see what.
:)
>
> Cheers
>
> Jason
>

From howie at thingy.com Tue Dec 16 15:10:32 2014
From: howie at thingy.com (Howard Jones)
Date: Tue, 16 Dec 2014 15:10:32 +0000
Subject: [rancid] Securing RANCID installation
In-Reply-To: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
References: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
Message-ID: <54904B68.20902@thingy.com>

On 16/12/2014 14:43, Jason Humes wrote:
> Hi
> Are there any tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.
>
> Thanks for any advice! :)
>
>

Don't tell anyone the account password who you don't trust! :-)

Seriously, it's a bunch of scripts that run as a single non-privileged user, producing files owned by that user. Run everything as a dedicated 'rancid' user, and basic Unix file permissions will take care of that. Your most likely information leak is the diff e-mails.

If you have a web UI for it, that's a whole different story, but that's not really part of RANCID either. We use mod_authnz_ldap against our AD, mod_python, mod_ssl and viewvc pointed to the RANCID svn files, and that seems to work well enough - you need to modify the group permissions for the svn files so that a group that apache and rancid both belong to can read them. Using AD (or individual htpasswd accounts) means we get audit logs of who accessed what in the webserver access logs.

Cheers,

Howard

From rancid at ale.cx Tue Dec 16 18:08:42 2014
From: rancid at ale.cx (Alex DEKKER)
Date: Tue, 16 Dec 2014 18:08:42 +0000
Subject: [rancid] terminal length 0 rancid
In-Reply-To:
References:
Message-ID: <5490752A.3010304@ale.cx>

On 15/12/14 22:32, Aaron Dudek wrote:
> What is the code on the switch?
> This switch doesn't run IOS or CatOS. It is a linksys switch with the
> Cisco label on it.
> I don't think Rancid has official support for it.
> You might want to check this out
>
> https://github.com/chrpinedo/rancid-cisco-sb
>

The above works for me. It's not perfect, I edited it to remove temperature info, for example, and sometimes the entire config in CVS is replaced with an error saying the config couldn't be fetched. But it's better than nothing!

alexd

From alan.mckinnon at gmail.com Tue Dec 16 19:55:10 2014
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Tue, 16 Dec 2014 21:55:10 +0200
Subject: [rancid] Securing RANCID installation
In-Reply-To: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
References: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local>
Message-ID: <54908E1E.4010608@gmail.com>

On 16/12/2014 16:43, Jason Humes wrote:
> Hi
> Are there any tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.
>
> Thanks for any advice! :)

Others have explained well how to secure the data rancid produces to avoid information leakage.

I would add that protecting .cloginrc is very very important as it contains login and enable passwords for the admin account on all your network devices.

Make sure that only authorized sysadmins have login access to the rancid host, and that the rancid user's home directory is set with very restricted permissions (assuming a user called rancid):

chown -R rancid ~rancid
chmod -R go-rwx ~rancid

Considering what can happen if .cloginrc leaks, it's a good idea to run rancid on a dedicated single-purpose host.
Rancid is very light on resources, a basic VM with 1 cpu and 512M RAM does the job admirably

--
Alan McKinnon
alan.mckinnon at gmail.com

From dan.w.anderson at gmail.com Tue Dec 16 20:30:12 2014
From: dan.w.anderson at gmail.com (Daniel Anderson)
Date: Tue, 16 Dec 2014 15:30:12 -0500
Subject: [rancid] Securing RANCID installation
In-Reply-To: <54908E1E.4010608@gmail.com>
References: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local> <54908E1E.4010608@gmail.com>
Message-ID: <0978D88F-9568-4AC6-B3F7-C6EF5F8B1DC0@gmail.com>

I would also recommend configuring/using a dedicated network (TACACS/RADIUS) account that only has permissions to run the commands that RANCID uses so that if someone does get the .cloginrc file somehow that it's harder for them to make config changes on the devices.

--
Dan

> On Dec 16, 2014, at 2:55 PM, Alan McKinnon wrote:
>
>> On 16/12/2014 16:43, Jason Humes wrote:
>> Hi
>> Are there any tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.
>>
>> Thanks for any advice! :)
>
>
> Others have explained well how to secure the data rancid produces to
> avoid information leakage.
>
> I would add that protecting .cloginrc is very very important as it
> contains login and enable passwords for the admin account on all your
> network devices.
>
> Make sure that only authorized sysadmins have login access to the rancid
> host, and that the rancid user's home directory is set with very
> restricted permissions (assuming a user called rancid):
>
> chown -R rancid ~rancid
> chmod -R go-rwx ~rancid
>
>
> Considering what can happen if .cloginrc leaks, it's a good idea to run
> rancid on a dedicated single-purpose host.
Rancid is very light on
> resources, a basic VM with 1 cpu and 512M RAM does the job admirably
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com

From heas at shrubbery.net Tue Dec 16 21:56:17 2014
From: heas at shrubbery.net (heasley)
Date: Tue, 16 Dec 2014 21:56:17 +0000
Subject: [rancid] prefix-list random order bug
In-Reply-To: <54901875.2070201@gmail.com>
References: <548EF4D9.6090103@gmail.com> <20141215190253.GE3371@shrubbery.net> <54901875.2070201@gmail.com>
Message-ID: <20141216215617.GU43105@shrubbery.net>

Tue, Dec 16, 2014 at 01:33:09PM +0200, Alan McKinnon:
> On 15/12/2014 21:08, Christopher J. Umina wrote:
> > Sorry, I should have clarified,
> >
> > I'm using the 100% default rancid.conf (except LIST_OF_GROUPS, of
> > course), so ACLSORT is disabled.

It is not the default, unless fbsd changed it.

> > # uname -a
> > FreeBSD test.box 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue
> > Nov 11 21:02:49 UTC 2014
> > root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
> > # pkg info perl\* rancid\*
> > perl5-5.18.4_10
> > rancid3-3.1_1
> >
> >
> > This issue didn't occur until I upgraded to FreeBSD 10.1 and all
> > packages were upgraded. Not sure what the original version of Perl was,
> > but I have a feeling that's what broke things.
>
> You might be right. Somewhere around perl 5.14 or 5.16 the
> implementation of associative arrays (hashes) was changed. The order of
> keys for a given hash were randomly distributed but consistent from one
> run to the next. The change made keys always come out in a random order.
> I had to fix a few in-house apps at the time.
>
> It's possible your version of rancid relies on the old behaviour. I
> don't have a working install handy to investigate, but thought it worth
> mentioning.

perhaps; my test boxes are all 5.14 and I do not see the problem. I'll investigate. thanks.

From chris at uminac.com Tue Dec 16 22:11:33 2014
From: chris at uminac.com (Christopher J. Umina)
Date: Tue, 16 Dec 2014 17:11:33 -0500
Subject: [rancid] prefix-list random order bug
In-Reply-To: <20141216215617.GU43105@shrubbery.net>
References: <548EF4D9.6090103@gmail.com> <20141215190253.GE3371@shrubbery.net> <54901875.2070201@gmail.com> <20141216215617.GU43105@shrubbery.net>
Message-ID:

Ah, that was confusing. I assumed since it was commented it was not enabled by default. It appears that explicitly setting it to NO has fixed the issue.

So, it appears that ACLSORT is broken by the new Perl, not the other way around.

Sorry I missed that and thank you for the help.

On Tue, Dec 16, 2014 at 4:56 PM, heasley wrote:
>
> Tue, Dec 16, 2014 at 01:33:09PM +0200, Alan McKinnon:
> > On 15/12/2014 21:08, Christopher J. Umina wrote:
> > > Sorry, I should have clarified,
> > >
> > > I'm using the 100% default rancid.conf (except LIST_OF_GROUPS, of
> > > course), so ACLSORT is disabled.
>
> It is not the default, unless fbsd changed it.
>
> > > # uname -a
> > > FreeBSD test.box 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue
> > > Nov 11 21:02:49 UTC 2014
> > > root at releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
> > > # pkg info perl\* rancid\*
> > > perl5-5.18.4_10
> > > rancid3-3.1_1
> > >
> > >
> > > This issue didn't occur until I upgraded to FreeBSD 10.1 and all
> > > packages were upgraded. Not sure what the original version of Perl was,
> > > but I have a feeling that's what broke things.
> >
> > You might be right. Somewhere around perl 5.14 or 5.16 the
> > implementation of associative arrays (hashes) was changed. The order of
> > keys for a given hash were randomly distributed but consistent from one
> > run to the next. The change made keys always come out in a random order.
> > I had to fix a few in-house apps at the time.
> >
> > It's possible your version of rancid relies on the old behaviour. I
> > don't have a working install handy to investigate, but thought it worth
> > mentioning.
>
> perhaps; my test boxes are all 5.14 and I do not see the problem. I'll
> investigate. thanks.
>

--
Christopher J. Umina
chris at uminac.com
781 354 0535

From bakers at canbytel.com Wed Dec 17 18:42:27 2014
From: bakers at canbytel.com (Scott Baker)
Date: Wed, 17 Dec 2014 10:42:27 -0800
Subject: [rancid] Rancid + Adtran?
Message-ID: <5491CE93.5030907@canbytel.com>

Has anyone used Rancid with an Adtran gear? We're looking at using Rancid to backup the configs on our TA5000s. They're very Cisco like.

I don't see Adtran as a "device type".

--
Scott Baker - Canby Telcom
Senior System Administrator - RHCE

From dan.w.anderson at gmail.com Wed Dec 17 19:51:36 2014
From: dan.w.anderson at gmail.com (Dan Anderson)
Date: Wed, 17 Dec 2014 14:51:36 -0500
Subject: [rancid] Rancid + Adtran?
In-Reply-To: <5491CE93.5030907@canbytel.com>
References: <5491CE93.5030907@canbytel.com>
Message-ID:

I cloned and butchered the "rancid" script from 2.3.6 back in the day to work with AOS devices (primarily NetVanta 3200s and 3300s). It worked in 2.3.8 from what I recall. I've attached it here if someone wants to clean it up and update it for 3.x. I don't have any Adtran devices to test with anymore.

On Wed, Dec 17, 2014 at 1:42 PM, Scott Baker wrote:
>
> Has anyone used Rancid with an Adtran gear? We're looking at using
> Rancid to backup the configs on our TA5000s. They're very Cisco like.
>
> I don't see Adtran as a "device type".
>
> --
> Scott Baker - Canby Telcom
> Senior System Administrator - RHCE
>

--
Dan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nvrancid
Type: application/octet-stream
Size: 20599 bytes
Desc: not available
URL:

From daniel.schmidt at wyo.gov Wed Dec 17 22:22:05 2014
From: daniel.schmidt at wyo.gov (Daniel Schmidt)
Date: Wed, 17 Dec 2014 15:22:05 -0700
Subject: [rancid] Securing RANCID installation
In-Reply-To: <0978D88F-9568-4AC6-B3F7-C6EF5F8B1DC0@gmail.com>
References: <5711d189f6f64e83aa5c768863d7ae48@ACSMAIL.acs.local> <54908E1E.4010608@gmail.com> <0978D88F-9568-4AC6-B3F7-C6EF5F8B1DC0@gmail.com>
Message-ID:

I wrote an article on tacacs.org on security rancid. However, tacacs.org appears to be gone. Pretty easy to lock down with do_auth. As for local passwords, if tacacs is properly configured, they are useless.

On Tue, Dec 16, 2014 at 1:30 PM, Daniel Anderson wrote:
>
> I would also recommend configuring/using a dedicated network
> (TACACS/RADIUS) account that only has permissions to run the commands that
> RANCID uses so that if someone does get the .cloginrc file somehow that
> it's harder for them to make config changes on the devices.
>
> --
> Dan
>
> > On Dec 16, 2014, at 2:55 PM, Alan McKinnon wrote:
> >
> >> On 16/12/2014 16:43, Jason Humes wrote:
> >> Hi
> >> Are there any tips or best practices for securing a RANCID installation...the clogin files, the backed up configs, etc.
> >>
> >> Thanks for any advice! :)
> >
> >
> > Others have explained well how to secure the data rancid produces to
> > avoid information leakage.
> >
> > I would add that protecting .cloginrc is very very important as it
> > contains login and enable passwords for the admin account on all your
> > network devices.
> >
> > Make sure that only authorized sysadmins have login access to the rancid
> > host, and that the rancid user's home directory is set with very
> > restricted permissions (assuming a user called rancid):
> >
> > chown -R rancid ~rancid
> > chmod -R go-rwx ~rancid
> >
> >
> > Considering what can happen if .cloginrc leaks, it's a good idea to run
> > rancid on a dedicated single-purpose host. Rancid is very light on
> > resources, a basic VM with 1 cpu and 512M RAM does the job admirably
> >
> > --
> > Alan McKinnon
> > alan.mckinnon at gmail.com

E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.

From heas at shrubbery.net Thu Dec 18 01:17:48 2014
From: heas at shrubbery.net (heasley)
Date: Thu, 18 Dec 2014 01:17:48 +0000
Subject: [rancid] prefix-list random order bug
In-Reply-To: <20141216215617.GU43105@shrubbery.net>
References: <548EF4D9.6090103@gmail.com> <20141215190253.GE3371@shrubbery.net> <54901875.2070201@gmail.com> <20141216215617.GU43105@shrubbery.net>
Message-ID: <20141218011748.GF49680@shrubbery.net>

> Tue, Dec 16, 2014 at 01:33:09PM +0200, Alan McKinnon:
> > You might be right. Somewhere around perl 5.14 or 5.16 the
> > implementation of associative arrays (hashes) was changed.
The order of
> > keys for a given hash were randomly distributed but consistent from one
> > run to the next. The change made keys always come out in a random order.
> > I had to fix a few in-house apps at the time.
> >
> > It's possible your version of rancid relies on the old behaviour. I
> > don't have a working install handy to investigate, but thought it worth
> > mentioning.

FWIW, I've looked at the code and tested it with perl 5.18 to be sure, I do not think there is a problem due to the way rancid handles the hashes. Any issues are likely due to the ip sorting problem, which i expect to either be ipv6 related or a problem that existed with using the right key with IOS-XR. But, LMK if anyone finds an issue.

Also, the previous behavior seems to be attainable by setting the environment variables PERL_PERTURB_KEYS=0 and PERL_HASH_SEED=0. Which could be done in rancid.conf.

From tony at lavanauts.org Sun Dec 28 02:30:42 2014
From: tony at lavanauts.org (Antonio Querubin)
Date: Sat, 27 Dec 2014 16:30:42 -1000 (HST)
Subject: [rancid] vyatta/vyos
Message-ID:

I've cobbled together support for VyOS from some previous efforts by various people for Vyatta (see the git log). I'm assuming VyOS is still close enough to Vyatta so that this should continue to work for Vyatta as well. I don't have access to real Vyatta routers so I'd appreciate any feedback from those that do.

https://bitbucket.org/aquerubin/rancid-vyatta

There's only a vyos branch.

Antonio Querubin
e-mail: tony at lavanauts.org
xmpp: antonioquerubin at gmail.com

From heas at shrubbery.net Tue Dec 30 16:30:09 2014
From: heas at shrubbery.net (heasley)
Date: Tue, 30 Dec 2014 16:30:09 +0000
Subject: [rancid] rancid 3.2 alpha/candidate
Message-ID: <20141230163009.GD35851@shrubbery.net>

RANCiD users,

Making an alpha version of 3.2 available for testing and welcome bug reports/fixes.

ftp://ftp.shrubbery.net/pub/rancid/alpha/rancid-3.1.99.tar.gz

Caveats are that wlogin for Cisco WLC support does not work reliably.
I had access to a WLC for awhile, but didn't get the problem resolved in time. There is also a minor mail feature we would like to add, that is not included here.

The Changes since 3.1:

3.1.99
    add support for git. See the UPGRADING file. Based on Jeffrey C. Ollie's patch & thanks Dan Lowe, Job Snijders and a number of folks on rancid-discuss.
    rancid-cvs: add -f option
    dell.pm: filter up time from show switch
    control_rancid: svn cleanup after collection commits
    iosxr.pm: access-list/prefix-list sorting regex fixes
    ios.pm: access-list/prefix-list sorting regex fixes
    nxos.pm: filter ASIC/INTAKE cycling temps - Vincent Aniello
    panos.pm: convert panrancid to a module
    panlogin, panrancid: import palo alto network script from Doug Hughes
    jlogin: set tty width to 132 to avoid problems with cli complete-on-space, which fixes problems occuring when hostnames are longer
    iosxr.pm: access-list regex truncating lines - Peter Jackson
    rancid.pm: improve IP sorting, esp for IPv6
    ios.pm: filter show flash & dir bytes free better
    ciscowlc: add filters for oscillating config & env o/p - Daniel Schmidt
    ciscowlc: convert Cisco WLC scripts to library
    import Cisco WLC scripts from http://www.shrubbery.net/pipermail/rancid-discuss/2010-February/004652.html
    *login.in; fix handling of empty lines in -x input - reported by lee.e.rian
    nxos.pm: recognize invalid command in ShowFex - lee.e.rian
    nxos.pm: does not set $proc - lee.e.rian
    nxrancid: convert nexus to module nxos.pm
    ios.pm: save "next reload" template - lee.e.rian
    tntlogin, tntrancid: remove TNT support
    par, hpuifilter: type fixes for Raspian compatibility - thanks Dan Anderson
    slogin: add switching login
    ios.pm: filter timestamp and size from filename "syslog"
    configure: complain if sendmail is not found
    control_rancid: DIR set too early
    clogin,ios.pm,iosxr.pm: escape plus (+) regex atom in prompt handling
    foundry.pm: remove rogue newline in regex - from P. R.
    Wilson
    Note Allied Telesis AW+ devices support, works as type 'cisco' according to Allied Telesis Employees
    fix handling of absent sendmail in configure script

From ssaner at hubris.net Tue Dec 30 21:35:49 2014
From: ssaner at hubris.net (Steven Saner)
Date: Tue, 30 Dec 2014 15:35:49 -0600
Subject: [rancid] Adtran Support
Message-ID: <54A31AB5.2050400@hubris.net>

Hi all:

I have been using RANCID for years now with Cisco gear. I would like to also use it with some Adtran gear that we have, including the TA5000, TA90x IADs, and Netvanta EFM cpe.

I'm working with the most recent version and I see what appears to be the beginnings of support for Adtran gear in /etc/rancid.types.base. But there doesn't seem to be any adtran.pm module. I also see a comment from a few months ago in the list archives about someone that once created an nvrancid script to handle some Netvanta gear.

My question is this. Is there any effort underway to finish up the Adtran support in the current version, and if so, can I be of any help?

If not, I would like to embark on the project myself and contribute any work that I'm able to accomplish.

Steve

--
--------------------------------------------------------------------------
Steven Saner                      Voice: 316-858-3000
Director of Network Operations    Fax: 316-858-3001
Hubris Communications             http://www.hubris.net

From scott.brynen at visioncritical.com Tue Dec 30 22:23:03 2014
From: scott.brynen at visioncritical.com (Scott Brynen)
Date: Tue, 30 Dec 2014 22:23:03 +0000
Subject: [rancid] Contributions to Rancid
Message-ID:

How do you submit updates to Shrubbery/Rancid and get them in the distro? I sent an email ages (1+ yr ago) offering up my ironport module for rancid and never heard anything back. I know a few people here are using my module, but what's the official way back into the source tree?

From bakers at canbytel.com Wed Dec 31 16:20:15 2014
From: bakers at canbytel.com (Scott Baker)
Date: Wed, 31 Dec 2014 08:20:15 -0800
Subject: [rancid] Adtran Support
In-Reply-To: <54A31AB5.2050400@hubris.net>
References: <54A31AB5.2050400@hubris.net>
Message-ID: <54A4223F.6020104@canbytel.com>

I'm looking to do the same thing you are. We have several TA5000s I'd like to version using Rancid. There is not an "adtran" module that I can see, so I just set them as Cisco and it works 90%. The first time it fails trying to run a bunch of Cisco specific commands, but it does get the config which is all I care about.

I wish there was a way to say JUST get the config, since that would work for most platforms. If you find any more information on that TA5000 let me know, maybe between the two of us we can get it working?

On 12/30/2014 01:35 PM, Steven Saner wrote:
> Hi all:
>
> I have been using RANCID for years now with Cisco gear. I would like to
> also use it with some Adtran gear that we have, including the TA5000,
> TA90x IADs, and Netvanta EFM cpe.
>
> I'm working with the most recent version and I see what appears to be
> the beginnings of support for Adtran gear in /etc/rancid.types.base. But
> there doesn't seem to be any adtran.pm module. I also see a comment from
> a few months ago in the list archives about someone that once created an
> nvrancid script to handle some Netvanta gear.
>
> My question is this. Is there any effort underway to finish up the
> Adtran support in the current version, and if so, can I be of any help?
>
> If not, I would like to embark on the project myself and contribute any
> work that I'm able to accomplish.
>
> Steve
>

--
Scott Baker - Canby Telcom
Senior System Administrator - RHCE

From alan.mckinnon at gmail.com Wed Dec 31 17:40:32 2014
From: alan.mckinnon at gmail.com (Alan McKinnon)
Date: Wed, 31 Dec 2014 19:40:32 +0200
Subject: [rancid] Adtran Support
In-Reply-To: <54A4223F.6020104@canbytel.com>
References: <54A31AB5.2050400@hubris.net> <54A4223F.6020104@canbytel.com>
Message-ID: <54A43510.7020806@gmail.com>

On 31/12/2014 18:20, Scott Baker wrote:
> I'm looking to do the same thing you are. We have several TA5000s I'd
> like to version using Rancid. There is not an "adtran" module that I can
> see, so I just set them as Cisco and it works 90%. The first time it
> fails trying to run a bunch of Cisco specific commands, but it does get
> the config which is all I care about.
>
> I wish there was a way to say JUST get the config, since that would work
> for most platforms. If you find any more information on that TA5000 let
> me know, maybe between the two of us we can get it working?

That would be nice, but it's problematic to implement. Network devices tend not to have a somehow special way to just get config. You run "show run" or some variant which as far as rancid is concerned is just another command and in no way different from "show "

One would have to somehow tag the command-getting commands in the list of commands and then implement an option to ignore everything else in the list. Which immediately introduces two problems:

1. What constitutes "config" for these purposes? Folk will disagree
2. What about devices that have two or more commands that return what most would consider to be "config".

I found the easiest way was to fork all the rancid modules and rename them to something local. Edit @commandtable to remove everything except "show run"-like commands, that worked for me

>
> On 12/30/2014 01:35 PM, Steven Saner wrote:
>> Hi all:
>>
>> I have been using RANCID for years now with Cisco gear.
I would like to
>> also use it with some Adtran gear that we have, including the TA5000,
>> TA90x IADs, and Netvanta EFM cpe.
>>
>> I'm working with the most recent version and I see what appears to be
>> the beginnings of support for Adtran gear in /etc/rancid.types.base. But
>> there doesn't seem to be any adtran.pm module. I also see a comment from
>> a few months ago in the list archives about someone that once created an
>> nvrancid script to handle some Netvanta gear.
>>
>> My question is this. Is there any effort underway to finish up the
>> Adtran support in the current version, and if so, can I be of any help?
>>
>> If not, I would like to embark on the project myself and contribute any
>> work that I'm able to accomplish.
>>
>> Steve
>>
>

--
Alan McKinnon
alan.mckinnon at gmail.com
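
The permission advice in the "Securing RANCID installation" thread earlier in this archive (chown -R rancid ~rancid, chmod -R go-rwx ~rancid) can be re-checked on a schedule, since new files or a changed umask can loosen it later. The script below is an added example, not part of any post or of RANCID itself; the function names, the report format and the paths passed in are assumptions made here.

```shell
#!/bin/sh
# Added example, not part of RANCID: audit the account that runs RANCID
# against the permissions advised in the thread. The home path and the
# user name are assumptions supplied by the caller.

# Paths under $1 that grant any group/other bit. "-perm -NNN" is the
# POSIX form ("all of these bits set"), so this runs on GNU and BSD find.
# Symlinks are skipped: their own mode is 0777 on Linux and means nothing.
loose_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Paths under $1 not owned by user $2 (name or numeric uid).
foreign_paths() {
    find "$1" ! -user "$2" -print
}

# Report findings on stdout; return 0 when clean, 1 otherwise.
audit_rancid_home() {
    home=$1
    owner=$2
    rc=0

    # A symlinked .cloginrc can point outside the tree that chmod -R
    # protects, so the credentials would not be covered by the checks below.
    if [ -L "$home/.cloginrc" ]; then
        echo "WARN $home/.cloginrc is a symlink; audit its target too"
        rc=1
    elif [ ! -f "$home/.cloginrc" ]; then
        echo "NOTE no .cloginrc under $home (wrong directory?)"
    fi

    loose=$(loose_paths "$home")
    if [ -n "$loose" ]; then
        echo "FAIL group/other access; fix with: chmod -R go-rwx $home"
        printf '%s\n' "$loose" | sed 's/^/     /'
        rc=1
    fi

    foreign=$(foreign_paths "$home")
    if [ -n "$foreign" ]; then
        echo "FAIL not owned by $owner; fix with: chown -R $owner $home"
        printf '%s\n' "$foreign" | sed 's/^/     /'
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK   $home is private to $owner"
    return "$rc"
}

# Run only when called with arguments, e.g.: sh audit.sh ~rancid rancid
if [ "$#" -eq 2 ]; then
    audit_rancid_home "$1" "$2"
    exit $?
fi
```

A non-zero exit status makes it usable from cron or a monitoring check; the same functions can be pointed at the CVS/svn/git repository directory that holds the collected configs.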