-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathREADME
346 lines (290 loc) · 15.8 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
Rancid is a "Really Awesome New Cisco confIg Differ" developed to
maintain CVS (or Subversion or git) controlled copies of router configs.
*** The Following Information is Very Important ****
Rancid 3.0 converts several device scripts (the remaining will follow) to
libraries used by the single script, named rancid, to parse device output.
It also requires perl 5.10 minimum. Also see the UPGRADING file.
Rancid 2.3 introduces a new directory layout. It has been changed to more
closely follow the standard path hierarchy, which is defined by the FHS
standard and autoconf, and/or make these locations more easily configurable
within rancid.
The obvious advantage of this is making rancid more easily packagable; i.e.:
NetBSD pkgsrc, FreeBSD port, Linux RPM, etc.
Please please please please read the UPGRADING file for more information.
**********
The following is the packing list for Rancid, excluding files supporting
configure (autoconf) and make. .in is stripped from the files below by
configure as substitutions are completed:
README This file.
README.lg Information about the Looking Glass.
BUGS Bug list.
CHANGES List of changes to Rancid.
COPYING RANCID license.
FAQ Frequently Asked Questions
Todo Partial list of what needs to be done.
UPGRADING Notes on upgrading rancid to a new version.
cloginrc.sample TCL commands to set passwords, usernames etc. used by clogin
and jlogin. See cloginrc(5)
etc/
lg.conf.sample Sample Looking Glass configuration
rancid.conf.sample Sample RANCID configuration
rancid.types.base RANCID default device type configuration
rancid.types.conf RANCID user-defined device type configuration
bin/
control_rancid.in
Builds router list, calls rancid on each router and
handles cvs routines.
hpuifilter.c HP procurve login filter - see hlogin(1).
par.c Parallel processing of commands - any commands.
rancid-cvs.in Creates all of the CVS and config directories.
rancid-fe.in Used by crontrol_rancid to determine script rancid used
rancid-run.in Script designed to be run from cron.
rancid.in Generic wrapper for the rancid for the rancid libraries
that runs commands on their respective device types as
defined in etc/rancid.types.* and processes the output.
agmrancid.in Version of rancid.in for Cisco Anomaly Guard Module (AGM)
arancid.in Version of rancid.in for Alteon switches.
arrancid.in Version of rancid.in for Arista Networks devices.
avorancid.in Version of rancid.in for Avocent appliances.
brancid.in Version of rancid.in for baynet/nortel routers.
cat5rancid.in Version of rancid.in for Cisco Catalyst switches.
cssrancid.in Version of rancid.in for Cisco CSS switches.
erancid.in Version of rancid.in for ADC EZ-T3 muxes.
f10rancid.in Version of rancid.in for Force10 routers.
f5rancid.in Version of rancid.in for F5 BigIPs.
fnrancid.in Version of rancid.in for Fortinet Firewalls.
hrancid.in Version of rancid.in for HP Procurve switches.
htrancid.in Version of rancid.in for Hitatchi routers.
jerancid.in Version of rancid.in for Juniper E-series routers.
mrancid.in Version of rancid.in for MRT daemons.
mtrancid.in Version of rancid.in for Microtik routers.
nrancid.in Version of rancid.in for Netscreen firewalls.
nsrancid.in Version of rancid.in for Netscalars.
prancid.in Version of rancid.in for Procket routers.
rivancid.in Version of rancid.in for Cabletron, Riverstone and
Enterasys routers.
rrancid.in Version of rancid.in for Redback routers.
rtftpcopy.in Copy configs from tftpboot within rancid.
srancid.in Version of rancid.in for SMC switches.
trancid.in Version of rancid.in for Netopia routers.
xirancid.in Version of rancid.in for Xirrus arrays.
zrancid.in Version of rancid.in for Zebra routers.
a10login.in Version of clogin.in for A10 load balancers.
alogin.in Version of clogin.in for Alteon switches.
anlogin.in Version of clogin.in for Arbor Networks appliances.
avologin.in Version of clogin.in for Avocent appliances.
blogin.in Version of clogin.in for baynet/Nortel routers.
clogin.in Expect script that logs into routers and either presents
an interactive shell, runs a set of commands, or runs
another expect script. It handles Cisco, Extreme,
Force10, Juniper E-series, Procket, Redback, Zebra/MRT.
complogin.in Version of clogin.in for Compass Networks routers.
dllogin.in Version of clogin.in for D-Link devices.
elogin.in Version of clogin.in for ADC EZ-T3 muxes.
flogin.in Version of clogin.in for Foundry switches. If foundry
cleaned-up their bloody UI, clogin should do the job.
fnlogin.in Version of clogin.in for Fortinet Firewalls.
hlogin.in Version of clogin.in for HP procurve switches.
htlogin.in Version of clogin.in for Hitatchi routers.
jlogin.in Version of clogin.in for Juniper routers.
login_top.in Common login code included in all login scripts.
mtlogin.in Version of clogin.in for Microtik routers.
nlogin.in Version of clogin.in for Netscreen firewalls.
nslogin.in Version of clogin.in for Netscalars.
panlogin.in Version of clogin.in for Palo Alto Networks devices.
plogin.in Poly-login version of clogin.in; it uses router.db
and router.types.* configuration files to determine the
login script to use for a device.
rblogin.in Version of clogin.in for Riverbed Steelhead routers.
rivlogin.in Version of clogin.in for Riverstone routers.
tlogin.in Version of clogin.in for Netopia devices.
wlogin.in Version of clogin.in for Cisco Wireless Lan Controllers.
xlogin.in Version of clogin.in for Extreme devices.
xilogin.in Version of clogin.in for Xirrus arrays.
lib/
acos.pm.in rancid library for A10 Networks appliances.
arbor.pm.in rancid library for Arbor Networks appliances.
ciscowlc.pm.in rancid library for some Cisco Wireless Lan Controllers.
dell.pm.in rancid library for some Dell D-Link models.
eos.pm.in rancid library for Compass EOS.
exos.in rancid library for Extreme switches.
foundry.pm.in rancid library for Foundry (Brocade) switches.
ios.pm.in rancid library for Cisco IOS and IOS-XE.
iosxr.pm.in rancid library for Cisco IOS-XR.
junos.pm.in rancid library for Juniper JunOS.
mrv.pm.in rancid library for MRV MCS.
nxos.pm.in rancid library for Cisco NX-OS.
panos.pm.in rancid library for Palo Alto Networks devices.
rancid.pm.in rancid global functions.
rbt.pm.in rancid library for Riverbed Steelhead.
man/ man pages
share/ Readmes, samples, utilities, contribs, etc
include/ Include files and rancid's version.h
Also see rancid_intro(1), rancid(1), and clogin(1).
The following (non-exhaustive list) are included as part of the installation
and configuration tools:
Makefile.am processed by automake to produce Makefile.in
Makefile.in processed by configure to produce Makefile
acinclude.m4 sets some GNU autoconf options
aclocal.m4 Output of GNU autoconf script
configure GNU autoconf script
configure.in Input file for autoconf to procide configure
depcomp part of GNU autoconf
install-sh GNU autoconf shell script to simulate BSD style install
missing part of GNU autoconf
mkinstalldirs GNU autoconf shell script to make installation directories
rancid will also need to have the following packages:
gnudiff gnudiff provides the uni-diff (-u) option. If you do not have
a diff that supports -u, configure will set-up rancid to use
'diff -c' or 'diff -C'.
perl5 perl version 5.10 or greater available from www.cpan.org
expect http://expect.nist.gov/ We highly suggest that you stick to
expect 5.24.1 (or so). This seems to work best. Note that
you need to have the accompanying tcl &/ tk.
tcl Required by expect.
and, rancid will also need to have one of the following packages; your choice:
cvs Code revision system available from prep.ai.mit.edu:/pub/gnu
git Code revision system, an alternative to cvs. Use the configure
option --with-git to configure for git.
svn Code revision system, an alternative to cvs. Available from
http://subversion.tigris.org/tarballs/. Use the configure
option --with-svn to configure for Subversion.
To convert from CVS to SVN, find the cvs2svn python script,
then:
cd ~rancid
cvs2svn --trunk= --trunk-only -s `pwd`/.svn --keywords-off \
`pwd`/CVS
sh -c '. /path/to/etc/rancid.conf ; for g in $LIST_OF_GROUPS; \
do svn co file://`pwd`/.svn/$g; done'
Bill Fenner (now maintained by others) has a cgi script for interacting
with CVS repositories via a web interface. This provides a great way to
view rancid diffs and full configs, especially for those unfamiliar with
cvs. There are similar tools for Subversion and git. The package is not
included, but can be found here:
http://www.freebsd.org/projects/cvsweb.html
Quick Installation Guide (an example):
1) ./configure [--prefix=<basedir>]
By default, rancid will be installed under /usr/local/rancid (the default
"prefix"). This can be overridden with the --prefix option. E.g.:
./configure --prefix=/home/rancid
Rancid uses autoconf's "localstatedir" as the location of it's logs,
CVS, Subversion or git respository, and directories where it's groups are
placed. The user who will run rancid (from cron, etc) will need write
access to these directories. By default, this is <prefix>/var, or
/home/rancid/var following the example above.
We realize that this is not optimal, but it follows the standards. We
suggest that this be altered to include the package name, like so:
./configure --prefix=/home/rancid \
--localstatedir=/home/rancid/var/rancid
The user who will run rancid must have write permission in "localstatedir".
See ./configure --help for other configure options, including which SCM
should use. Now is the time to choose the SCM..
2) make install
If rancid is being installed in system locations, then the install will
likely need to be done as root. eg:
make; sudo make install
3) Modify <sysconfdir>/rancid.conf (e.g.: <basedir>/etc/rancid.conf). The
variable LIST_OF_GROUPS is a space delimited list of router "groups".
E.g.:
LIST_OF_GROUPS="backbone aggregation switches"
4) Put .cloginrc in the home directory of the user who will run rancid.
.cloginrc must be not be readable/writable/executable by "others",
i.e.: .cloginrc must be mode 0600 or 0640.
5) Modify .cloginrc.
Test to make sure that you can log into every router. The login scripts
support options m and M to help debug the .cloginrc; see clogin(1).
Note: the JunOS that user you use *must* log into a cli shell (which
is the default on a juniper), not a unix shell.
See the file cloginrc.sample, located in <datadir> (<basedir>/share/rancid),
for examples and a good starting point. Also take a look at the cloginrc
manual page, 'man -M <basedir>/man cloginrc'.
6) Modify /etc/aliases
Rancid sends the diffs and other administrative emails to rancid-<GROUP>
and problems to rancid-admin-<GROUP>, where <GROUP> is the "GROUP" of
routers. This way you can separate your backbone routers from your
access routers or separate based upon network etc... Different router
uses forced different people being interested in router "groups" -
thus this setup. Make sure email to rancid-<GROUP> works. /etc/aliases
can be maintainable by Majordomo or another maillist software or may just
forward to a remote machine, but make sure the user that runs rancid can
post to the list.
The Precedence header set to bulk or junk and setting the other RFC3834
auto-responder headers *hopefully* avoids replies from auto-responders and
other vacation type mail filters.
The --enable-mail-plus option to configure will set each of the "rancid-"
addresses mentioned above to "rancid+". See sendmail's operation manual
for more information on handling of '+'.
The --enable-adminmail-plus configure option will set each of the
"rancid-admin-" addresses mentioned above to "rancid-admin+". If this
option is not used, the value of --enable-mail-plus is assumed. That is,
the addresses will be "rancid+", if it is specified.
There are also several mail-related options in rancid.conf.
7) Run rancid-cvs.
This creates all of the necessary directories and config files for
each of the groups in LIST_OF_GROUPS and imports them into CVS (or
Subversion or git). This will also be run each time a new group is added.
Do not create the directories or CVS repository manually, allow rancid-cvs
to do it. Also see 'man -M <basedir>/man rancid-cvs'.
8) For each "group", modify the router.db file in the group directory.
The file is of the form "router;mfg;state" where "router" is
the name (we use FQDN) of the router, mfg is the manufacturer
from the set of (cat5|cisco|juniper) (see router.db.5 for a complete
list and description), and "state" is either up or down. Each router
listed as "up" will have the configuration grabbed. Note: manufacturer
cat5 is intended only for cisco catalyst switches running catalyst (not
IOS) code.
e.g.: <localstatedir>/<group>/router.db:
cisco-router.domain.com;cisco;up
adc-mux.domain.com;ezt3;up
foundry-switch-router.domain.com;foundry;up
juniper-router.domain.com;juniper;up
redback-dsl-router.domain.com;redback;down
extreme-switch.domain.com;extreme;down
9) For first-time users or new installations, run bin/rancid-run (with no
arguments) and check the resulting log file(s) (in logs/*) for errors.
Repeat until there are no errors.
10) Put rancid-run in cron to be called however often you want it to
run for each group (rancid-run [<GROUP>]). If you run it less
often than once/hour, check the setting of OLDTIME in etc/rancid.conf.
E.g.:
# run config differ hourly
1 * * * * <BASEDIR>/bin/rancid-run
# clean out config differ logs
50 23 * * * /usr/bin/find <localstatedir>/logs -type f -mtime +2 -exec rm {} \;
11) Note: If you are using any of these programs (other than rancid-run) out
of cron or from a shell, make sure that you set your $PATH correctly so
that they work. E.g.: if you are using clogin, it can call id, telnet,
ssh, and/or rsh.
configure already makes sure that $PATH is set correctly in
etc/rancid.conf for rancid-run, so you could use the $PATH from there. e.g.:
50 23 * * * . <sysconfdir>/rancid.conf; clogin -c 'sh vers' router
12) Send any bugs, suggestions or updates to rancid@shrubbery.net.
See the web page at http://www.shrubbery.net/rancid. We have
created the standard mailing lists for those interested;
rancid-announce@shrubbery.net and rancid-discuss@shrubbery.net.
Subscribe by sending an email whose body contains "subscribe
rancid-<announce or discuss>" to majordomo@shrubbery.net.
If you are reporting problems, please include the version of rancid,
expect, and your OS in the email.
Problem with clogin/telnet hanging within rancid or scripts?
If you have experienced rancid (or more precisely, telnet) hanging on a
solaris 2.6 box; check to be sure you have the following two o/s patches
installed (see showrev -p). There may be more recent versions of these
patches and they are likely included with 2.7 and 2.8:
Patch-ID# 105529-08
Keywords: security tcp rlogin TCP ACK FIN packet listen
Synopsis: SunOS 5.6: /kernel/drv/tcp patch
Patch-ID# 105786-11
Keywords: security ip tcp_priv_stream routing ip_enable_group_ifs ndd
Synopsis: SunOS 5.6: /kernel/drv/ip patch
Another contributor to rancid "hanging", with or without the o/s patches
mentioned above, is a bug in expect/tcl. We've noticed that expect (from
5.24.1 forward), and whatever tcl happens to compile with it, exhibits a
problem on Linux and Solaris where rancid's scripts hang waiting for input
from the device. Patches to expect are available on the rancid web page.
Also, for rancid 2.3 and later, changes were made to the login scripts
which use some more elaborate regexes that have failed with expect versions
prior to 5.40. While 5.40 works, it still seems to need the patch offered
on the rancid web page for Linux and Solaris.
See www.shrubbery.net/rancid for additional notes on this. Also the
UPGRADING file that comes with the distribution.